Wikis - Page

Get ready for Sentinel 6.1!

0 Likes
First a quick introduction - of myself, and of the product. I'm Jason Arrington, Product Manager for Sentinel, and I've been at Novell since 1999 in a bunch of different jobs - Tech support, engineering, and Product Management. A little over two years ago I moved from Provo to Vienna, Virginia to work with the former e-Security engineering team. Since then we've been tirelessly working to realize the promise of adding true Identity context to enterprise security monitoring. Adding IAM to SIEM is a real 1 1=3 kind of equation, where the whole is greater than the sum of its parts. And Sentinel 6.1 really brings out that value. So without further ado, Sentinel 6.1 gives you:

Identity Event Enrichment: If you're at all familiar with SIEM solutions, you know that they collect logs from a whole bunch of systems, slice and dice them, and provide dashboards, analysis, and reports so you can keep track of what's going on. Sort of a dashboard of dashboards. But typically a log doesn't have much information about the user that did something - maybe a user name, but that's about it. And a log from one system doesn't know anything about the other accounts that user might have. Sentinel 6.1 includes a new framework to enrich events with detailed user information. That may include attributes on their account like a workforce ID, full name, or phone number, as well as the other accounts that are assigned to this user. This feature is generic enough to work with any Identity Management system, but works best (of course!) with Novell IDM 3.6, due to the out-of-the-box driver and policies we provide to feed data from IDM 3.6 to Sentinel 6.1. This Identity data provides the foundation of much of the new functionality in 6.1.

Identity Browser: The first place we use this data in the Sentinel system is in the new Identity Browser interface. This lets an analyst see information about the users involved in an event with a simple right click. Here's a screenshot:
Identity-User-Profile_png.jpeg
The Identity Browser shows user details, recent activity across all their accounts, and a list of all accounts associated with this user.

Really, Really Cool Reports: Another benefit of the identity context is the our ability to create some really, really cool reports. I was pushing to use that name in our marketing collateral but was shot down - we're calling it the "Identity Tracking Solution Pack" instead. The Pointy Haired Bosses and Auditors of the world want to see simple, clear reports about who did what. But as mentioned above, the "whos" in the different systems that are being monitored by Sentinel aren't typically connected. Our Identity Enrichment now lets us show reports that aren't all broken up by all the different user account names and different systems. Here's an example of a nice, high level dashboard report:Report-Identity-Violations.png
Of course, this also adds lots of good information to the kinds of reports you traditionally find in a SIEM tool. So, instead of seeing a list of user IDs you also see full names in the reports. Here's another example: Report-Account-Provisioning.png
These reports look simple, but there's a lot of work that has gone into making them so clear and straightforward.

New Action Framework with Built-in IDM actions Sentinel 6.1 introduces the concept of Integrators, which are stored configurations to connect to external systems as part of incident remediation / correlation actions. 6.1 includes Integrators for SOAP, LDAP, and SMTP. We include actions to call those integrators to lock an eDirectory account and to create a workflow action in IDM, but this framework can be used for any kind of action you can think of using our JavaScript based action SDK. If it speaks SOAP, SMTP, or LDAP, we can talk to it. And we will be adding additional types of Integrators in future releases.

There's much more in 6.1, but I'm tired of writing and you're probably tired of reading (flattering myself that anyone is actually reading this). We're very excited about this release - if you have any questions about it let me know.

-Jason

Labels:

How To-Best Practice
Comment List
Related
Recommended