SIEM Sentinel 6.0 REVIEWED BY BRENT HUSTON Novell Price: Starts at $65,000 Novell, which acquired Sentinel, its entry into the SIEM market, from e-Security last year, offers a robust product that is getting better with each revision. Setup B   Sentinel has many parts, and could take quite a bit of work to set up in a large environment. The setup isn't necessarily pain-ful, but there are steep system requirements, which may not be an issue for enterprises. In a large environment, Novell recommends each component be installed on a separate machine for maximum performance. Setting up collectors, which gather data from devices and convert it to the Sentinel event log format, takes some work, but it pays off in the end in the breadth of device support. For test purposes, we installed them on the same machine. Sentinel supports a variety of platforms, such as Linux, Solaris, Windows and databases, including Oracle and Microsoft SQL Server. Management/Monitoring B+   Control Center is the front end to the brains of the operation, and where most of the time will be spent analyzing data and events. Sentinel manages to display copious data in a logical GUI. Nonetheless, Sentinel's interface can be somewhat intimidating at first, because you have to deal with so many pieces and so much data. It's tab-based, with a navigation toolbar on the left that changes depending on the tab you are in.

For example, Active Views looks at and investigates events in real time; Correlation is where you create rules that tie together event triggers, adding intelligence to event flows; Incidents displays events entered by analysts or alerts triggered by correlation rules. The iTRAC tab is a workflow tool, tracking incident response processes through event resolution. The Analysis tab handles historical reporting, and the Adivsor tab takes data from VA scanners and IDSes. In addition, this is where you can pick up guidance for remediation. All of these parts worked quite effectively together, allowing us to see events come in, identify those that appeared to be suspicious and then track and investigate them as the case requires. The correlation tool was surprisingly easy to use, with a built-in wizard to allow the creation of rules, including more complex chains of triggers. For example, we would set up a simple rule that triggered when there were four failed logins in two minutes. Then we created more interesting combinations reflecting things like IDS events and root login attempts. We built a simple workflow to track incidents, but be cautioned that workflows can be very complex in the large IT environments in which tools like this are employed. Depending on your organization's requirements, you can integrate Sentinel with external scripts to interact with third-party systems, such as Remedy and HP OpenView. A major enhancement since the e-Security acquisition is the ability to track users as well as devices, an important trend in enterprise SIEMs for security and compliance auditing. Reporting B   Reports are handled by Crystal Reports, a powerful and popular tool. Sentinel comes with Crystal Server as well as Developer, so you can modify and create your own reports. Sentinel's reporting leaves no event data unseen, and is highly configurable. Verdict Sentinel is aimed at very large enterprises, and this is where it is best suited. It can be an extremely powerful tool, if used to its potential, with many features to help automate and analyze all of your enterprise's logs and events. Testing methodology: For lab purposes, all of the components were installed on one machine. Windows Server 2003 was used, as well as SQL Server 2005 standard edition.