Sentinel iTRAC transforms traditional security information management from a passive "alerting and viewing" role to an "actionable incident response" role by enabling organizations to define and document incident resolution processes and then guide, enforce and track resolution processes once an incident or violation has been detected.
Sentinel comes with "out-of-the-box" process templates that use the SANS Institute's guidelines for incident handling. Users can start with these pre-defined processes and configure specific activities to reflect their organization's best practices. iTRAC processes can be automatically triggered from incident creation or correlation rules or manually engaged by an authorized security or audit professional. iTRAC keeps an audit trail of all actions to support compliance reporting and historical analysis.
A worklist provides the user with all tasks that have been assigned to the user and a process monitor provides real-time visibility into process status during a resolution process lifecycle.
iTRAC's activity framework enables users to customize automated or manual tasks for specific incident-resolution processes. The iTRAC process templates can be configured using the activity framework to match the template with an organization's best practices. Activities are executed directly from the Sentinel Control Center.
iTRAC's automation framework works using two key components:
Activity container: automates the execution of the activities for a specified set of steps, based on input rules.
Workflow container: automates the workflow execution based on those activities, through a worklist.
The input rules are based on the XPDL (XML Processing Description Language) standard and provide a formal model for expressing executable processes in a business enterprise. This standards-based approach to the implementation of business-specific rules and rule sets ensures future-proofing of process definitions for customers.
The iTRAC system uses three Sentinel 6 objects that may be defined outside the iTRAC framework:
Incident: Incidents within Sentinel 6 are groups of events that represent an actionable security incident, associated state and meta-information. Incidents are created manually or through correlation rules, and can be associated with a workflow process. They can be viewed on the Incidents tab.
Activity: An Activity is a pre-defined automatic unit of work, with defined inputs, command-driven activity and outputs, such as automatic attachment of asset data to the incident or generation of an e-mail. Activities can be used within workflow templates, triggered by a correlation rule, or executed by a right-click when viewing events.
Role: Users can be assigned to one or more Roles (for example, Analyst, Admin, and so on). Manual steps in the workflow processes may be assigned to a Role.
Sentinel 6 workflows have four major components that are unique to iTRAC:
Step: A Step is an individual unit of work within a workflow; there are manual steps, decision steps, command steps, mail steps, and activity-based steps. Each step appears as an icon within a given workflow template.
Transition: A Transition defines how the workflow will move from one state (Activity) to another and can be determined by an analyst action, by the value of a variable or by the amount of time elapsed.
Templates: A Template is a design for a workflow that controls the execution of a process in Sentinel iTRAC. The template consists of a network of manual and automated steps, activities and criteria for transition between them. Workflow templates define how to respond to an incident once a process based on that template is instantiated. A template may be associated with many incidents.
Processes: A process is a specific instance of a workflow template that is actively being tracked by the workflow system. It includes all the relevant information relating to the instance, including the current step in the workflow, the associated incident, and the results of the steps, attachments and notes. Each workflow process is associated with one and only one incident.
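The following Python script is an added illustration of the vocabulary above (XPDL-described templates, steps, transitions, activities, roles, and a process bound to one incident with an audit trail); it is written for this page and is not Sentinel's or iTRAC's own code. The XML package it parses is a constructed sample: its Package/WorkflowProcesses/WorkflowProcess/Activities/Transitions layout and the From/To attributes follow XPDL, but the kind, role and cond attributes, the condition syntax and the incident data are this example's own shorthand. It shows the three transition triggers named above (analyst action, variable value, elapsed time), role enforcement on manual steps, and every action being recorded.

```python
"""Toy model of iTRAC concepts: Template (from an XPDL-style package), Steps,
Transitions, and a Process tied to one Incident with an audit trail.
Illustrative code written for this page, not Sentinel's implementation."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample package (kind/role/cond attributes are this example's own).
SAMPLE_XPDL = """<Package Id="demo_pkg">
  <WorkflowProcesses>
    <WorkflowProcess Id="malware_triage">
      <Activities>
        <Activity Id="attach_assets" kind="activity"/>
        <Activity Id="analyst_review" kind="manual" role="Analyst"/>
        <Activity Id="severity_check" kind="decision"/>
        <Activity Id="notify_admin" kind="mail"/>
        <Activity Id="close" kind="manual" role="Analyst"/>
      </Activities>
      <Transitions>
        <Transition From="attach_assets" To="analyst_review"/>
        <Transition From="analyst_review" To="severity_check" cond="action:reviewed"/>
        <Transition From="analyst_review" To="close" cond="timeout:3600"/>
        <Transition From="severity_check" To="notify_admin" cond="var:severity>=4"/>
        <Transition From="severity_check" To="close" cond="else"/>
        <Transition From="notify_admin" To="close"/>
      </Transitions>
    </WorkflowProcess>
  </WorkflowProcesses>
</Package>"""


@dataclass
class Step:
    step_id: str
    kind: str   # manual | decision | activity | mail
    role: str   # Role allowed to complete a manual step


@dataclass
class Transition:
    src: str
    dst: str
    cond: str   # "" (always) | action:NAME | timeout:SECONDS | var:NAME>=N | else


@dataclass
class Template:
    template_id: str
    steps: dict
    transitions: list


@dataclass
class Incident:
    incident_id: int
    severity: int   # constructed attribute used by the decision step


def parse_template(xml_text):
    """Build a Template from the package; the first Activity is the start step."""
    proc = ET.fromstring(xml_text).find("./WorkflowProcesses/WorkflowProcess")
    steps = {a.get("Id"): Step(a.get("Id"), a.get("kind"), a.get("role", ""))
             for a in proc.iter("Activity")}
    transitions = [Transition(t.get("From"), t.get("To"), t.get("cond", ""))
                   for t in proc.iter("Transition")]
    return Template(proc.get("Id"), steps, transitions)


@dataclass
class Process:
    template: Template
    incident: Incident            # one and only one incident per process
    current: str
    clock: int = 0                # seconds elapsed, driven by tick()
    entered_at: int = 0           # clock value when the current step was entered
    variables: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (clock, step, actor, message)
    finished: bool = False

    def log(self, actor, message):
        self.audit.append((self.clock, self.current, actor, message))

    def _outgoing(self):
        return [t for t in self.template.transitions if t.src == self.current]

    def _met(self, cond, action, only_timeouts):
        kind, _, arg = cond.partition(":")
        if only_timeouts and kind != "timeout":
            return False
        if cond == "":
            return True
        if kind == "action":
            return action == arg
        if kind == "timeout":
            return self.clock - self.entered_at >= int(arg)
        if kind == "var":
            name, _, threshold = arg.partition(">=")
            return self.variables.get(name, 0) >= int(threshold)
        return False   # "else" is only taken as the fallback below

    def _advance(self, action=None, only_timeouts=False):
        """Follow the first satisfied outgoing transition, else the 'else' branch."""
        outgoing = self._outgoing()
        chosen = next((t for t in outgoing if self._met(t.cond, action, only_timeouts)), None)
        if chosen is None and not only_timeouts:
            chosen = next((t for t in outgoing if t.cond == "else"), None)
        if chosen is None:
            return False
        self.log("system", f"transition -> {chosen.dst} ({chosen.cond or 'always'})")
        self.current, self.entered_at = chosen.dst, self.clock
        return True

    def run_automatic(self):
        """Execute automatic steps until a manual step is reached."""
        while self.template.steps[self.current].kind != "manual":
            step = self.template.steps[self.current]
            if step.kind == "activity":   # constructed activity: attach asset data
                self.variables["severity"] = self.incident.severity
                self.log("system", "activity: attached asset data to incident")
            elif step.kind == "mail":
                self.log("system", "mail: notified admin")
            else:
                self.log("system", "decision: evaluating variables")
            if not self._advance():
                break

    def complete_step(self, actor, role, action):
        """Analyst action on the current manual step; the Role is enforced and audited."""
        step = self.template.steps[self.current]
        if self.finished or step.kind != "manual" or role != step.role:
            self.log(actor, f"rejected: step requires role {step.role!r}")
            return False
        self.log(actor, f"completed with action {action!r}")
        if not self._outgoing():
            self.finished = True      # last step completed: the process ends
        elif self._advance(action):
            self.run_automatic()
        return True

    def tick(self, seconds):
        """Advance the clock; only time-based transitions fire without an action."""
        self.clock += seconds
        if self._advance(only_timeouts=True):
            self.run_automatic()


def run_demo(severity=5):
    """Instantiate the template for one constructed incident and work it to the end."""
    template = parse_template(SAMPLE_XPDL)
    proc = Process(template, Incident(1001, severity), current=next(iter(template.steps)))
    proc.run_automatic()                               # attach_assets, then wait for analyst
    proc.complete_step("alice", "Admin", "reviewed")   # rejected: step needs Analyst role
    proc.complete_step("bob", "Analyst", "reviewed")   # severity_check -> (notify_admin) -> close
    proc.complete_step("bob", "Analyst", "closed")
    return proc


def run_timeout_demo():
    """Same template, but the analyst never acts: the timeout transition fires."""
    template = parse_template(SAMPLE_XPDL)
    proc = Process(template, Incident(1002, 2), current=next(iter(template.steps)))
    proc.run_automatic()
    proc.tick(3600)
    return proc


if __name__ == "__main__":
    for entry in run_demo().audit:
        print(entry)
```

Each process instance carries the template, its single incident, the current step, variables, and the audit entries, which is the information the Processes definition above lists; the rejected Admin action is logged rather than silently dropped, so the trail also shows attempted role violations.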