Traditional security tools focus on solving specific, individual problems; firewalls control the flow of information into and out of your network; intrusion prevention & detection systems keep outsiders out and determine when someone's trying to get in; identity & access management systems allow the right people access to the right information at the right time. Each of these systems produces a log with valuable data about what's happening on the network—but who has time to read them all? And what do you do with the information once you have it?
Early security information management (SIM) solutions eased the burden of monitoring all of these "point tools" by providing a single collection point for security data from across the network. As SIMs evolved, they added data analysis and correlation to the mix, further reducing the burden on administrators by recognizing patterns in the data and notifying administrators when an "event" such as a security breach occurred.
The most recent evolution of these tools is now called a "security information and event manager" (SIEM) for its ability to not only notify security staff about an event, but also to manage the response to the event, and in some cases automatically take steps to remedy it.
For organizations concerned about passing a compliance audit for Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), or the Gramm-Leach-Bliley Act (GLBA), simply gathering the data necessary to prove compliance can be an overwhelming task. Sentinel simplifies the task by allowing IT security staff to monitor and report on the required IT controls with the same tools they're using to monitor the enterprise's security health.
Sentinel's automated capabilities eliminate and replace the previously labor-intensive, error-prone manual processes for gathering, analyzing and reporting on compliance data. And real-time data streams mean that you're delivering an up-to-date view every time you generate a new report.
Forrester analyst Khalid Kark, in a recent report on projected IT security spending, said, "As security professionals grow from purely IT-centric and technology-focused roles into information-centric and risk-focused roles, they need a new set of tools and processes to fulfill their responsibilities."
Novell® Sentinel™ simplifies the task of monitoring and managing both security devices and trusted-insider activities on critical company resources. Picking up where other log-management and SIM solutions leave off, it delivers security management and compliance monitoring with real-time views of your organization's overall security and compliance health to reduce complexity, streamline compliance auditing and improve your organization's overall security.
You know what's happening, where it's happening and whether you need to worry about it or not. Most important, when you do need to worry about something, you can resolve the problem in minutes or hours rather than days. It's not just a "cool technology", it's the first in a new breed of tools designed to deliver actionable information, reduce operational risk and control costs.
> What's New in Sentinel 6?
Sentinel 6 is a security information and event manager that helps you manage the overwhelming flood of security data from devices, applications and systems across your networks. On the front end, Sentinel collects log data, correlates it against data flows from other sources to identify patterns of activity, applies rules for business relevance and event classification, and notifies administrators when there's a problem that needs correcting. On the back end, Sentinel uses automated workflow tools to manage event-related activities and provides critical compliance and security reporting to help you understand what's happened in your environment over a period of time, how it was resolved and where you're vulnerable.
Sentinel 5.1.3, the first release of Sentinel as part of the Novell family, extended the product's capabilities with a collector for Novell Audit—the first link between Sentinel and the Novell identity and access management product suite. Scheduled to ship in April 2007, Sentinel 6 offers even tighter integration and a host of "new and improved" features around cross-platform support, flexibility, ease-of-use, connectivity, workflow, correlation and content.
Let Business Decisions Drive IT Decisions
Sentinel is dependent on several technology platforms to run correctly—operating system, database, Java Virtual Machine and the message bus. Sentinel 6.0 adds support for Solaris 10 and SUSE Linux Enterprise Server 10. Because new SUSE Linux Enterprise Server 10 environments are expected to run almost exclusively on 64-bit hardware, Novell will only offer support for it in the 64-bit version. Other upgrades include 64-bit support for Red Hat Linux 3 and SUSE Linux Enterprise Server 9.
Novell will also add database support for Oracle 10g in 64-bit mode and for Java Virtual Machine 1.5 based on customer requests to support these products. Sentinel 6 will also update its message bus to provide the high availability offered by Sonic 7, the provider of this important and unique Sentinel component.
Connectivity and Enhanced Collector Management
Sentinel 6 offers an enhanced interface that allows administrators to view the architecture of their installed system, pinpoint any system health issues and quickly add new event sources to the system. Several new pieces of architecture are included in this enhancement: the Sentinel server can now act as a central repository of collectors, and there's a new proxy architecture in place to allow placement of collector engines that do not publish directly to the message bus, but rather send the events via SSL to a traditional collector manager.
Deploying, managing and monitoring Collectors can be complex, especially in large, heterogeneous environments. In Sentinel 6, the Collectors are centralized into the Sentinel Command Center and can now be configured from this single point. And you can now manage multiple independent event sources from the collection point. New tools facilitate the deployment of Collectors and provide real-time visibility into Collector "health" and the flow of data from Collectors to the message bus. (See Figure 1.)
Additional new event source management features include an easy-to-use Wizard for configuring new event sources, a new UI in the Command Center for event source management, the ability to define filters on data from a single source, and the ability to test a connection to a data source right from the Command Center.
These enhancements greatly streamline the administration and day-to-day use of the system, allowing you to focus your efforts on identifying and resolving incidents faster and more effectively. Right-click to see context-sensitive options that let you take specific actions or get details about a certain device right from the graphical view.
Sentinel 6 also includes the ability to use SSL connections for gathering data from remote event sources not directly connected to your network, and updates to existing collectors to support new versions of and upgrades to many commonly installed devices.
Incident Tracking and Remediation
Building on the exceptional incident handling provided by the iTRAC module within Sentinel 5.x, Sentinel 6 provides extended capabilities for tracking the progress of incident resolution. Sentinel 5.x offered templates with incident-handling workflows based on the SANS guidelines for incident resolution. Sentinel 6 extends the templates by allowing full workflow customization to accommodate specific policy- or process-based requirements unique to the organization. Levels of customization include:
- the ability to add and remove steps in the resolution process
- support for multiple and/or branching transitions between steps
- variable support to pass information between workflow steps
- conditional and time-based escalation of resolution steps to ensure nothing "falls through the cracks" if someone is away or otherwise occupied
Other enhancements to the incident-response module include improved worklist handling (who does what and when?), including support for specific incident deadlines (supporting the time-based escalation noted above); note-taking capabilities to ensure the system captures all details about the incident and what's being done to resolve it; the ability to release or reassign a task to another staff member; and additional Administrator (rather than system) control of incident resolution. (See Figure 2.)
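The workflow features described above (steps that can be added or removed, branching transitions, variables carried between steps, and time-based escalation with reassignment) can be modelled with a small state machine. The following is an added example, not Sentinel's iTRAC code and not its template format; the step names, owners, deadlines and the `WORKFLOW` table are hypothetical, chosen only to show how a deadline-driven escalation keeps an incident from stalling when its owner is unavailable.

```python
"""Toy incident-resolution workflow: branching steps, shared variables, time-based escalation.

Added illustration; it does not reproduce Sentinel's iTRAC engine or its templates.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Step:
    name: str
    owner: str                               # role that works this step by default
    deadline_hours: float                    # time allowed before escalation kicks in
    transitions: Dict[str, Optional[str]]    # outcome -> next step (None ends the workflow)
    escalate_to: Optional[str] = None        # role that takes over once the deadline passes


# Hypothetical template; the phase names loosely follow a triage/contain/eradicate/recover flow.
WORKFLOW = {
    "triage":    Step("triage",    "analyst",  2,  {"confirmed": "contain", "false_positive": None}, "lead"),
    "contain":   Step("contain",   "analyst",  4,  {"done": "eradicate"}, "lead"),
    "eradicate": Step("eradicate", "sysadmin", 8,  {"done": "recover"},   "lead"),
    "recover":   Step("recover",   "sysadmin", 24, {"done": None},        "manager"),
}


@dataclass
class Incident:
    incident_id: str
    step: Optional[str] = "triage"
    owner: Optional[str] = "analyst"
    step_started: float = 0.0                 # hours on a constructed clock
    variables: Dict[str, object] = field(default_factory=dict)   # data passed between steps
    history: List[str] = field(default_factory=list)             # notes/audit trail


def start(incident_id: str, now: float, workflow=WORKFLOW) -> Incident:
    first = workflow["triage"]
    inc = Incident(incident_id, first.name, first.owner, now)
    inc.history.append(f"{now}: opened at {first.name} (owner {first.owner})")
    return inc


def complete_step(inc: Incident, outcome: str, now: float, variables=None, workflow=WORKFLOW) -> Incident:
    """Record the outcome, carry variables forward and branch to the next step."""
    step = workflow[inc.step]
    if outcome not in step.transitions:
        raise ValueError(f"step {step.name!r} has no transition for outcome {outcome!r}")
    inc.variables.update(variables or {})
    inc.history.append(f"{now}: {step.name} -> {outcome}")
    nxt = step.transitions[outcome]
    inc.step = nxt
    if nxt is None:
        inc.owner = None                      # workflow finished
    else:
        inc.owner = workflow[nxt].owner
        inc.step_started = now
    return inc


def check_escalation(inc: Incident, now: float, workflow=WORKFLOW) -> bool:
    """Time-based escalation: reassign an overdue step so it does not fall through the cracks."""
    if inc.step is None:
        return False
    step = workflow[inc.step]
    overdue = now - inc.step_started > step.deadline_hours
    if overdue and step.escalate_to and inc.owner != step.escalate_to:
        inc.history.append(f"{now}: {step.name} overdue, reassigned {inc.owner} -> {step.escalate_to}")
        inc.owner = step.escalate_to
        return True
    return False


if __name__ == "__main__":
    inc = start("INC-0001", now=0)                       # constructed incident id
    complete_step(inc, "confirmed", now=1, variables={"host": "ws-042"})
    check_escalation(inc, now=6)                         # containment overdue -> lead takes over
    complete_step(inc, "done", now=8)
    print("\n".join(inc.history))
```

A real engine would run `check_escalation` from a scheduler against every open incident; here the clock is passed in explicitly so the behaviour can be exercised deterministically.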
Using correlation rules, you can compare data from one source against data from another source to determine if a problem really exists. They also reduce the number of "false alarms" you might receive if you only paid attention to the information delivered from a single event source. In-memory correlation has been a major competitive advantage of Sentinel since the release of Sentinel 5.0, allowing for rapid assessment of data without the database bottleneck seen in other SIEM tools.
Sentinel 6 provides enhanced correlation rules including:
- Negative correlation: You probably have a policy in place at your organization that requires a particular system (an employee desktop, for example) to be disabled after three unsuccessful logins. But what happens if the expected sequence of events (two unsuccessful logins followed by either a successful login or a third unsuccessful login within a specified time frame) doesn't happen? Should the absence of an event trigger the creation of an incident? Negative correlation rules allow for the creation of incidents based on a lack of information in the presence of other information that normally wouldn't trigger an alert.
- Nested correlation: A nested rule is simply a single rule consisting of multiple sub-rules. You can set conditions for nested rules that allow the main rule to fire if specific criteria are met. For example, if three of five sub-rules fire, then the main rule fires.
- Sequenced events: If event A is followed by a specific event B, then Rule C fires.
- Negative sequenced events: If event A is not followed by specific event B, then Rule D fires.
- Cause/effect rules: This type of correlation recognizes cause & effect scenarios using different event attributes.
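The rule shapes listed above are easier to reason about with a concrete engine. The following is an added example, not Sentinel's in-memory correlation engine or its rule language: a small batch evaluator over a constructed event list that implements negative correlation (the two-failures-then-nothing case from the text), sequenced and negative sequenced events (A followed, or not followed, by B within a window), and a nested rule that fires when a threshold of sub-rules fire; it generalizes the text's "three of five" to any threshold. Cause/effect rules are not modelled. Event types, the 60-second window and the user names are assumptions.

```python
"""Toy batch correlation engine for negative, sequenced, negative-sequenced and nested rules.

Added illustration; it does not reproduce Sentinel's engine or its rule syntax.
"""
from collections import defaultdict

# Constructed sample events as (timestamp_seconds, user, event_type); not real log data.
SAMPLE_EVENTS = [
    (0,   "alice", "login_failed"),
    (10,  "alice", "login_failed"),          # no third outcome follows: negative correlation
    (5,   "bob",   "login_failed"),
    (15,  "bob",   "login_failed"),
    (20,  "bob",   "login_failed"),          # third failure: expected sequence completed
    (30,  "bob",   "account_disabled"),
    (40,  "carol", "login_failed"),
    (50,  "carol", "login_failed"),
    (55,  "carol", "login_success"),         # success: expected sequence completed
    (100, "dave",  "privilege_escalation"),  # event A never followed by B
    (120, "erin",  "privilege_escalation"),
    (130, "erin",  "config_changed"),        # event A followed by B
]
WINDOW = 60  # seconds; hypothetical policy value


def group_by_user(events):
    """Sort events by time and bucket them per user as (ts, kind) lists."""
    by_user = defaultdict(list)
    for ts, user, kind in sorted(events):
        by_user[user].append((ts, kind))
    return by_user


def negative_correlation(events, now, window=WINDOW):
    """Users with two failed logins where neither a third failure nor a success arrived
    before the window (measured from the first failure) closed. `now` is needed because
    an absence only becomes meaningful once the window has expired."""
    flagged = []
    for user, evs in group_by_user(events).items():
        fails = [ts for ts, kind in evs if kind == "login_failed"]
        if len(fails) < 2 or fails[1] > fails[0] + window:
            continue
        deadline = fails[0] + window
        if now < deadline:
            continue                          # window still open; do not fire yet
        outcome_seen = any(fails[1] < ts <= deadline and kind in ("login_failed", "login_success")
                           for ts, kind in evs)
        if not outcome_seen:
            flagged.append(user)
    return sorted(flagged)


def sequenced(events, a, b, window=WINDOW):
    """Rule C: users for whom event A is followed by event B within the window."""
    hits = []
    for user, evs in group_by_user(events).items():
        if any(kind == a and any(k == b and ts_a < ts <= ts_a + window for ts, k in evs)
               for ts_a, kind in evs):
            hits.append(user)
    return sorted(hits)


def negative_sequenced(events, a, b, now, window=WINDOW):
    """Rule D: users for whom event A was NOT followed by B, evaluated only once the window closed."""
    hits = []
    for user, evs in group_by_user(events).items():
        for ts_a, kind in evs:
            if kind != a or now < ts_a + window:
                continue
            if not any(k == b and ts_a < ts <= ts_a + window for ts, k in evs):
                hits.append(user)
                break
    return sorted(hits)


def nested_rule(sub_rules, threshold):
    """Build a rule that fires for a user when at least `threshold` of the sub-rules fire."""
    def rule(user_events):
        return sum(1 for sub in sub_rules if sub(user_events)) >= threshold
    return rule


def evaluate_nested(events, rule):
    return sorted(user for user, evs in group_by_user(events).items() if rule(evs))


# Three hypothetical sub-rules, each evaluated over one user's (ts, kind) list.
SUB_RULES = [
    lambda evs: sum(kind == "login_failed" for _, kind in evs) >= 2,
    lambda evs: any(kind == "account_disabled" for _, kind in evs),
    lambda evs: any(kind == "login_success" for _, kind in evs),
]
TWO_OF_THREE = nested_rule(SUB_RULES, 2)


if __name__ == "__main__":
    now = 200  # constructed clock: all windows above have closed
    print("negative correlation:", negative_correlation(SAMPLE_EVENTS, now))
    print("sequenced A->B:", sequenced(SAMPLE_EVENTS, "privilege_escalation", "config_changed"))
    print("negative sequenced:", negative_sequenced(SAMPLE_EVENTS, "privilege_escalation", "config_changed", now))
    print("nested 2-of-3:", evaluate_nested(SAMPLE_EVENTS, TWO_OF_THREE))
```

The `now` parameter is the important detail for the two "negative" rule types: a streaming engine must hold partial state until the window expires, and only then decide that the missing event is itself the alertable condition.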
Other enhancements to Sentinel's correlation capabilities include a wizard-based UI for building new rules quickly and easily when your environment or policies change. Sentinel now also includes the ability to correlate against a dynamic list of correlation criteria, a new framework for deploying rules out to the system and the ability to test new correlation rules without affecting the health of the overall system.
Sentinel 6 provides other new features such as offline query and event analysis that allow administrators to more easily review and analyze activities and historical trends on the system without affecting the real-time collection and analysis of current data. Figure 3 shows the user interface for an offline query used to analyze a specific group of events that occurred during a certain time frame. (See Figure 3.)
> Sentinel 6: One View, Many Sources
Sentinel 6 represents the next generation of software for the open enterprise: a truly cross-platform solution to an ongoing challenge for many organizations. Who's doing what, where, and does this represent a threat to the organization's overall security and compliance status? The consequences of a security breach are costly and well-documented: from Enron to MCI to businesses around the world spending untold numbers of previously productive work hours restoring compromised desktops and servers after a worm or virus attack. You've created policies and established processes for responding to attacks, spent hundreds of thousands of dollars on security devices like firewalls, intrusion detection systems, and routers. The list goes on, but the real question remains: how do you ensure that all of these protective measures actually work?
The answer is Sentinel 6 from Novell.