Sentinel Product Overview

Sentinel 6.1 is part of the Novell Compliance Management Platform, and includes exciting new features to integrate Identity data into security monitoring.

Sentinel™ is a Security Information and Event Management solution that provides a real-time, holistic view of security and compliance activities, while helping customers monitor, report, and respond automatically to network events across the enterprise. Sentinel automates log collection, analysis and reporting processes to ensure that IT controls are effective in supporting threat detection and audit requirements. Sentinel replaces these labor-intensive manual processes with automated, continuous monitoring of security and compliance events and IT controls. Sentinel gathers information and correlates security and non-security information from across an organization's networked infrastructure, as well as third-party systems, devices and applications. Sentinel presents the collected data in an intuitive GUI and quickly identifies security or compliance issues and tracks remediation activities, streamlining previously error-prone processes and building a more rigorous and secure monitoring program.

With Sentinel, you get:

Sentinel is composed of multiple components:

Sentinel Server

Sentinel Server is made up of several components that perform the core event-processing services. This includes receiving events from the Collector Managers, storing them in the database, filtering, processing ActiveView displays, performing database queries and processing results, and managing administrative tasks such as user authentication and authorization.

Sentinel Communication Server

The iSCALE Message Bus is capable of moving thousands of message packets in a second between the components of Sentinel. This allows independent scaling of components and standards-based integration with external applications.

Sentinel Correlation Engine

Correlation adds intelligence to security event management by automating analysis of the incoming event stream to find patterns of interest. Correlation allows you to define rules that identify critical threats and complex attack patterns so that you can prioritize events and initiate effective incident management and response.

Sentinel iTRAC Workflow

Sentinel provides an iTRAC workflow management system to define and automate processes for incident response. Incidents that are identified in Sentinel, either by a correlation rule or manually, can be associated with an iTRAC workflow.

Sentinel Database

The Sentinel product is built around a back-end database that stores security events and all of the Sentinel metadata. The events are stored in normalized form, along with asset and vulnerability data, identity information, incident and workflow status, and many other types of data.

Sentinel Collector Manager

Collector Manager manages the Collectors, monitors system status messages and performs event filtering as needed. Main functions of the Collector Manager include transforming events, adding business relevance to events via taxonomy, performing global filtering on events, routing events and sending health messages to the Sentinel server.

The Sentinel Collector Manager can connect directly to the message bus or use an SSL proxy.

Sentinel Collectors

Sentinel collects data from source devices and delivers a richer event stream by injecting user identity, taxonomy, exploit detection and business relevance into the data stream before events are correlated and analyzed and sent to the database. A richer event stream means that data is correlated with the required business context to identify and remediate internal or external threats and policy violations.

You may download existing device-specific Collectors from the Novell Sentinel Content Site. You will need a Novell Login for the user that is associated with your Sentinel purchase in the Novell Customer Care Portal to access the Sentinel Content pages. Contact your Novell representative or the Novell Customer Response Center at (888) 321-4272 if you have any problems accessing the Novell Sentinel Content Site.

Collectors are written in JavaScript or a proprietary Sentinel scripting language. JavaScript Collectors can be built or modified using a standard JavaScript development environment; proprietary Collectors can be built or modified using Collector Builder, a standalone application included with the Sentinel system.

Sentinel Control Center

The Sentinel Control Center provides an integrated security management dashboard that enables analysts to quickly identify new trends or attacks, manipulate and interact with real-time graphical information, and respond to incidents. Key features of Sentinel Control Center include:

Sentinel Collector Builder

The Sentinel Collector Builder enables you to build or edit Collectors using the legacy, proprietary Sentinel Collector language. You can create and customize the templates so that the Collector can parse the data. JavaScript-based Collectors are built and modified using standard JavaScript editing tools. Novell provides an SDK and sample scripts to assist with creating and editing these Collectors. The JavaScript Collector engine is more powerful, full-featured, and performant than the legacy Collector engine, and Novell recommends that new Collectors be built using this SDK.

Sentinel Data Manager

The Sentinel Data Manager (SDM) allows you to manage the Sentinel Database. You may perform the following operations in SDM:

Crystal Reporting Server

Comprehensive reporting services within the Sentinel Control Center are powered by Crystal Enterprise Server by SAP (formerly Business Objects™). Sentinel comes with predefined reports geared toward the most common reporting requests by organizations monitoring their security and compliance posture. These reports have been enhanced to include user-specific detail that ties account information from multiple systems into the same report. Using the Crystal Report Developer, new customized reports can also be developed against Sentinel’s published report view schema.

Sentinel Advisor

Sentinel Advisor is an optional add-on module that cross-references the latest known attack signatures and vulnerability information. This information feed allows Sentinel to prioritize alerts based on whether or not the targeted device is known to be vulnerable to a particular attack.
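The enrichment and vulnerability-aware prioritization described for the Collectors and Advisor above, as an added illustration in JavaScript (not Novell's Collector SDK or any Sentinel API; the log line format, asset inventory, identity directory and signature feed are all constructed here with placeholder identifiers):

```javascript
// Added illustration, not Novell's Collector SDK: a constructed raw event is
// normalized, enriched with identity and asset context, and then prioritized
// the way the Advisor feed is described: severity is raised only when the
// targeted asset is actually known to carry the vulnerability the signature targets.

// Constructed asset inventory: hostname -> owner and known vulnerabilities (placeholder IDs)
const ASSETS = {
  "web01": { owner: "jdoe",   vulns: ["VULN-PLACEHOLDER-A"] },
  "db01":  { owner: "svc-db", vulns: [] },
};

// Constructed identity directory: account -> identity data
const IDENTITY = {
  "jdoe": { fullName: "Jane Doe", department: "Finance" },
};

// Constructed signature feed: IDS signature -> vulnerability it exploits
const ADVISOR = {
  "SIG-PLACEHOLDER-1": "VULN-PLACEHOLDER-A",
};

// Parse a constructed IDS-style log line into a normalized event.
// Constructed format: "<ts> <srcIp> -> <dstHost> sig=<id> user=<account>"
function parseEvent(line) {
  const m = /^(\S+) (\S+) -> (\S+) sig=(\S+) user=(\S+)$/.exec(line);
  if (!m) return null; // unparseable lines are dropped, not guessed at
  return { ts: m[1], srcIp: m[2], dstHost: m[3], signature: m[4], account: m[5] };
}

// Add identity and asset context, flag exploit detection, and rate severity.
function enrich(evt) {
  const asset = ASSETS[evt.dstHost];
  const id = IDENTITY[evt.account];
  const targetedVuln = ADVISOR[evt.signature];
  const vulnerable = !!(asset && targetedVuln && asset.vulns.includes(targetedVuln));
  return {
    ...evt,
    identity: id ? `${id.fullName} (${id.department})` : "unknown",
    assetOwner: asset ? asset.owner : "unknown",
    exploitDetected: vulnerable,
    // known-vulnerable target: high; known signature on a non-vulnerable target: medium
    severity: vulnerable ? "high" : (targetedVuln ? "medium" : "low"),
  };
}

// Collector-style pipeline for one raw line: parse, then enrich.
function processLine(line) {
  const evt = parseEvent(line);
  return evt ? enrich(evt) : null;
}
```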

Sentinel Solution Designer

The Sentinel Solution Designer is a tool for organizing Sentinel content into policy focused packages. It connects to a running Sentinel system and allows users to drag and drop selected content into the package while maintaining dependencies between the content. It allows users to:

Sentinel Solution Manager

The Sentinel Solution Manager is the interface within Sentinel for managing sets of content delivered as Solution Packs. These can be either Novell-created Solution Packs, such as the PCI-DSS and Identity Tracking Solution Packs, or Solution Packs developed by a customer or consultant using the Solution Designer tool.

Sentinel Third Party Integration

Sentinel uses plug-ins to integrate with the following systems:

System Requirements

More details about System Requirements as well as the most up-to-date platforms can be found at the Sentinel documentation site. The supported platforms as of the Sentinel 6.1 product release date (July 31, 2008) are listed below.

Operating Systems

Sentinel Server components (Sentinel Database, Communication Server, Correlation Engine, Data Access Server, Advisor Data Service, and Collector Manager) are certified to run on the following operating systems:

The Sentinel user applications (Sentinel Control Center, Solution Designer, and Sentinel Data Manager) are also supported on the following additional platforms:

Collector Builder is only supported on the following platforms:

Databases

Sentinel is certified to run with the following databases:

NOTE: All databases should be installed on an operating system that is certified by the database vendor and also by Novell for use with Sentinel components. Oracle must run on Linux or Solaris (not Windows).

Reporting

The supported reporting server is Crystal Enterprise Server XI R2, which can be run on any of the following platforms in the Sentinel environment:

  • Windows 2003 SP1 (32-bit), Standard or Enterprise Edition with Crystal database on Microsoft SQL 2005
  • Red Hat Enterprise Linux 4 (x86), with Crystal database on MySQL
  • SuSE Linux Enterprise Server 9 SP4 (x86), with Crystal database on MySQL
Language Support

Sentinel components have been localized for the following languages:

There are several exceptions:

Documentation

The latest Sentinel 6.1 manuals are available online at the Sentinel documentation site.