Product Description
For IT Security professionals overwhelmed with the challenges and complexity of monitoring and managing security events, Sentinel is a powerfully simple Security Information and Event Management solution that simplifies threat detection and speeds analysis and response, helping security personnel to safeguard sensitive data and assets, ease demonstration of compliance, and strengthen security operations.
Sentinel makes it easier to identify threats to sensitive data and assets by providing actionable security intelligence, enriching security events with environmental context, and enabling rapid response and remediation. With integrated, one-click search and reporting, Sentinel lowers the time, cost, and effort of complying with data access regulations while delivering improved, real-time visibility into your overall strength of security and state of compliance.
Because Sentinel is delivered as a virtual software appliance, you can deploy it rapidly to compress time to value while efficiently growing your security management coverage.
Key Features
- Security Management and Compliance Monitoring
Sentinel provides integrated, automated real-time security management and compliance monitoring across all systems and networks while allowing you to demonstrate and monitor compliance with internal policies and government regulations such as PCI, Sarbanes-Oxley, HIPAA, GLBA, FISMA, and others.
- Anomaly Detection
Sentinel allows you to identify anomalies in your environment by establishing baselines specific to your IT environment, delivering better intelligence and faster detection of anomalous activity. Baselining and trending let you view patterns of historical activity and develop models of typical IT activity so that new, potentially harmful trends stand out. You can tune your environment's baselines to detect anomalous events, and see how your security and compliance posture changes over time.
- High Performance Two-Tiered Storage
Sentinel implements an efficient, file-based event storage tier optimized for long-term archival of events. The event store provides 10:1 compression, fully supports indexed searches, and speeds up relevant reporting tasks, while providing you the flexibility to store some or all of your events in a back-end traditional relational database store.
- Graphical Rule-Builder
Sentinel allows you to quickly build event correlation rules directly from the events collected in your environment. Additionally, you can test rules prior to deployment to reduce false-positive alerting, improve event correlation capabilities, and ultimately deliver improved exploit detection capabilities.
- Distributed Search
Sentinel enables organizations that have deployed several instances of Sentinel or Sentinel Log Manager in different locations to search events not only on their local Sentinel servers but also on the existing Sentinel and Sentinel Log Manager servers from a single, centralized console.
- Ready-to-run Software Appliance
Delivered as a VMware, Xen, or ISO image, and certified to run on all major hypervisors, Sentinel appliance installations enable you to deploy a cost-effective and simple-to-use SIEM solution by reducing product deployment complexity and cost.
- Agent-Based or Agentless Data Collection
Sentinel provides you the flexibility to use either agent-based or agentless data collection for your Windows, UNIX, and iSeries event sources. You can determine which method to use for each event source based on the needs of your environment.
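To make the Anomaly Detection feature described above concrete, the following is an added illustration of baselining and deviation scoring over constructed event counts. It is not Sentinel's code or its actual baselining algorithm: the training data, the test day, the per-hour-of-day mean/standard-deviation baseline, and the z-score threshold are all assumptions chosen for the example.

```python
"""Baseline-and-deviation check over constructed event counts.

Illustrates the idea behind baselining: learn what 'normal' volume looks
like per hour of day from a training window, then flag hours in a new day
whose volume deviates strongly from that baseline. This is a generic
illustration, not Sentinel's own algorithm or data.
"""
from statistics import mean, pstdev


def make_training_days():
    """Constructed training data: 7 days x 24 hourly counts of failed
    logons from one host. Business hours are busier; nights are quiet."""
    days = []
    for d in range(7):
        day = []
        for hour in range(24):
            base = 40 if 8 <= hour < 18 else 5
            jitter = (d * 7 + hour * 3) % 5  # deterministic 'noise'
            day.append(base + jitter)
        days.append(day)
    return days


def build_baseline(days, min_sigma=2.0):
    """Per-hour-of-day (mean, sigma) over the training window.

    min_sigma puts a floor under the spread so that a very stable hour
    does not turn every one-event blip into an alert."""
    baseline = []
    for hour in range(24):
        samples = [day[hour] for day in days]
        baseline.append((mean(samples), max(pstdev(samples), min_sigma)))
    return baseline


def find_anomalies(day, baseline, z=3.0):
    """Return (hour, count, z_score) for hours above mean + z * sigma."""
    hits = []
    for hour, count in enumerate(day):
        mu, sigma = baseline[hour]
        score = (count - mu) / sigma
        if score > z:
            hits.append((hour, count, round(score, 1)))
    return hits


# Constructed test day: normal volume except a burst of failures at
# 02:00 and 03:00, the kind of off-hours spike a baseline should surface.
TEST_DAY = [7, 5, 180, 95, 6, 8, 5, 6,
            42, 41, 44, 40, 43, 41, 42, 40, 43, 44,
            6, 7, 5, 6, 8, 7]


def run_example():
    baseline = build_baseline(make_training_days())
    return find_anomalies(TEST_DAY, baseline)


if __name__ == "__main__":
    for hour, count, score in run_example():
        print(f"{hour:02d}:00 count={count} z={score}")
```

The per-hour-of-day baseline is what keeps a busy 10:00 from looking like an anomaly while a quiet 02:00 with the same count does; in a real deployment the baseline would also be keyed by source, event type, or user, and re-learned as the environment changes.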
System Requirements
For the most recent information about system requirements, see the Sentinel Installation and Configuration Guide on the Sentinel Documentation Web site.
Downloading and Installing Sentinel
The Sentinel 7.1.2 release offers several different packages to work with your environment. The simplest installation consists of a single all-in-one soft appliance (available for VMware, Xen, or other physical/virtual hardware); more complex deployments may add additional servers for data collection, agent management, and/or analytics.
- Download the image file for the appropriate appliance type for your environment.
- Sentinel Xen appliance (sentinel_server_*.xen.tar.gz) - contains a pre-built virtual machine for Xen-enabled Linux systems
- Sentinel VMware appliance (sentinel_server_*.vmx.tar.gz) - contains a pre-built virtual machine for VMware ESX
- Sentinel ISO appliance - contains an installation image that can deploy the Sentinel soft appliance to physical (bare metal) or virtual (Hyper-V supported) hardware
- Load the image in your virtualization platform or boot the ISO Live CD and follow the prompts to configure the appliance. For more information, see the Sentinel Installation Guide on the Sentinel Documentation Web site.
- Identify the set of sources from which you want to collect event data, and configure them to deliver events to Sentinel. Sentinel supports data collection from many sources using Collector and Connector plug-ins. It also supports specialized agent-based data collection for Windows and UNIX-type data sources. Many of the plug-ins to support data collection are bundled with Sentinel, but you can download additional options and updates from the Sentinel Plug-ins website or create your own using the Sentinel Plug-in SDK.
- To use Sentinel plug-ins for any supported device, deploy the associated Collector and Connector from the Sentinel Plug-ins website. Each supported product has an associated Collector that understands the data format generated by that source. See the documentation provided with each Collector for details on how to configure the associated product and Sentinel data collection components to deliver events to Sentinel.
- To use agent-based event collection for Windows, UNIX, or IBM i sources, deploy Sentinel Agent Manager to act as a proxy for those agents. You can download the Sentinel Agent Manager from within the Sentinel Web console, or from this page (file Agent_Manager*). For more information about installing Sentinel Agent Manager, see the Agent Manager Installation Guide on the Sentinel Documentation Web site.
- Windows Agents are included in the Sentinel Agent Manager download and are managed by Sentinel Agent Manager itself, so no additional components are necessary.
- UNIX Agents are delivered separately, and require a separate NetIQ UNIX Agent Manager to manage the configuration of the UNIX Agents. Download the UNIX Agent Trial, unpack it into a directory, then unpack the compressed ISO file. Either mount the ISO or write it to a CD, then look in the Documentation folder and open the SM_UNIX_Agent_Guide.pdf. Follow the instructions for configuring the UNIX Agent to send events to Security Manager, but replace 'Security Manager' with 'Sentinel Agent Manager' wherever it appears.
- IBM i Agents come as part of the NetIQ Security Solutions for iSeries - the Agent portion does not require a separate license. For more information, see the Auditing iSeries Log Data section of the Installation Guide; you will need to configure the Agent Communication Subsystem (PSECONFIG) and start the ZPSE subsystem, but replace 'Security Manager' with 'Sentinel Agent Manager' in the instructions.
- To scale data collection, consider deploying one or more additional Collector Managers. Installers for additional Collector Managers can be downloaded from directly within the product, or you can use the pre-built soft appliance Collector Manager images (sentinel_collector_manager* from this page).
- Perform additional configuration as needed; see the Sentinel Documentation Web site for details.
- Configure the event routing rules and data retention policies to define where data is stored (or sent) and for how long.
- Deploy analytic rules to automatically detect activity of interest in the enterprise. Attach automated actions to those rules as needed.
- Customize the environment by creating filters, refining reports, adding contextual data, and so on.
- To scale real-time correlation analytics, consider deploying one or more additional Correlation Engines. You can download installers for additional Correlation Engines from directly within the Sentinel Web console, or you can use the pre-built soft appliance Correlation Engine images (sentinel_correlation_engine* from this page).
Known Issues
For a list of known issues, see the Sentinel 7.1.2 Release Notes on the Sentinel Documentation Web site.
Legal Notice
For trademark and copyright information, see Legal Notices.