First a quick introduction - of myself, and of the product. I'm Jason Arrington, Product Manager for Sentinel, and I've been at Novell since 1999 in a bunch of different jobs - Tech support, engineering, and Product Management. A little over two years ago I moved from Provo to Vienna, Virginia to work with the former e-Security engineering team. Since then we've been tirelessly working to realize the promise of adding true Identity context to enterprise security monitoring. Adding IAM to SIEM is a real 1+1=3 kind of equation, where the whole is greater than the sum of its parts. And Sentinel 6.1 really brings out that value. So without further ado, Sentinel 6.1 gives you:
Identity Event Enrichment: If you're at all familiar with SIEM solutions, you know that they collect logs from a whole bunch of systems, slice and dice them, and provide dashboards, analysis, and reports so you can keep track of what's going on. Sort of a dashboard of dashboards. But typically a log doesn't have much information about the user that did something - maybe a user name, but that's about it. And a log from one system doesn't know anything about the other accounts that user might have. Sentinel 6.1 includes a new framework to enrich events with detailed user information. That may include attributes on their account like a workforce ID, full name, or phone number, as well as the other accounts that are assigned to this user. This feature is generic enough to work with any Identity Management system, but works best (of course!) with Novell IDM 3.6, due to the out-of-the-box driver and policies we provide to feed data from IDM 3.6 to Sentinel 6.1. This Identity data provides the foundation of much of the new functionality in 6.1.
Identity Browser: The first place we use this data in the Sentinel system is in the new Identity Browser interface. This lets an analyst see information about the users involved in an event with a simple right click. Here's a screenshot:
The Identity Browser shows user details, recent activity across all their accounts, and a list of all accounts associated with this user.
Really, Really Cool Reports: Another benefit of the identity context is the our ability to create some really, really cool reports. I was pushing to use that name in our marketing collateral but was shot down - we're calling it the "Identity Tracking Solution Pack" instead. The Pointy Haired Bosses and Auditors of the world want to see simple, clear reports about who did what. But as mentioned above, the "whos" in the different systems that are being monitored by Sentinel aren't typically connected. Our Identity Enrichment now lets us show reports that aren't all broken up by all the different user account names and different systems. Here's an example of a nice, high level dashboard report:
Of course, this also adds lots of good information to the kinds of reports you traditionally find in a SIEM tool. So, instead of seeing a list of user IDs you also see full names in the reports. Here's another example:
These reports look simple, but there's a lot of work that has gone into making them so clear and straightforward.
There's much more in 6.1, but I'm tired of writing and you're probably tired of reading (flattering myself that anyone is actually reading this). We're very excited about this release - if you have any questions about it let me know.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.