Novell, which acquired Sentinel, its entry into the SIEM market, from e-Security last year, offers a robust product that is getting better with each revision.
In a large environment, Novell recommends each component be installed on a separate machine for maximum performance. Setting up collectors, which gather data from devices and convert it to the Sentinel event log format, takes some work, but it pays off in the end in the breadth of device support.
For test purposes, we installed them on the same machine. Sentinel supports a variety of platforms, such as Linux, Solaris, Windows and databases, including Oracle and Microsoft SQL Server.
Nonetheless, Sentinel's interface can be somewhat intimidating at first, because you have to deal with so many pieces and so much data. It's tab-based, with a navigation toolbar on the left that changes depending on the tab you are in.
| For example, Active Views looks at and investigates events in real time; Correlation is where you create rules that tie together event triggers, adding intelligence to event flows; Incidents displays events entered by analysts or alerts triggered by correlation rules.
The iTRAC tab is a workflow tool, tracking incident response processes through event resolution. The Analysis tab handles historical reporting, and the Adivsor tab takes data from VA scanners and IDSes. In addition, this is where you can pick up guidance for remediation.
All of these parts worked quite effectively together, allowing us to see events come in, identify those that appeared to be suspicious and then track and investigate them as the case requires.
The correlation tool was surprisingly easy to use, with a built-in wizard to allow the creation of rules, including more complex chains of triggers. For example, we would set up a simple rule that triggered when there were four failed logins in two minutes. Then we created more interesting combinations reflecting things like IDS events and root login attempts.
We built a simple workflow to track incidents, but be cautioned that workflows can be very complex in the large IT environments in which tools like this are employed. Depending on your organization's requirements, you can integrate Sentinel with external scripts to interact with third-party systems, such as Remedy and HP OpenView.
A major enhancement since the e-Security acquisition is the ability to track users as well as devices, an important trend in enterprise SIEMs for security and compliance auditing.
Testing methodology: For lab purposes, all of the components were installed on one machine. Windows Server 2003 was used, as well as SQL Server 2005 standard edition.