Novell Sentinel Training Day 1
Two colleagues from Identropy and I started a training class for Novell's Sentinel 6, which is mainly a reporting tool that is being billed as being government compliant for various industries, e.g. PCI DSS. The training so far has revolved around being able to set up "Active Views" and "Incidents". You can see a screenshot here in case you are wondering what it looks like. Sentinel runs on Windows Server (VMs are recommended to shops that only run Linux; UPDATE: see tech specs) and is written in Java. One of the key selling points is that event tracking happens in "real time" (by real time, they mean in memory). Filters are applied against events before they hit the "message bus" and again before they are stored in a database repository for historical purposes. These event filters can be set up as incidents, which can be assigned to responsible individuals to follow up on or can be escalated over time. An email can be kicked out when an incident takes place.
Connectors supporting LDAP and SOAP have become available with Sentinel 6.1. JavaScript is also now supported, so you can write your own custom collectors. There is a list of collectors that have been written for Sentinel to connect to various sources. Sentinel takes syslogs and translates them to make the data more usable. Then an integrator would help write filters to look for events, e.g. failed login attempts as administrator or root, and write correlation rules to generate incidents.
There is definitely a learning curve here. Aside from the learning curve, it does seem that most of the work that will need to go into implementing Sentinel will be setting up the correlation rules and filters. The good news is Novell has "solution packs" that have preconfigured filters; they have a solution pack for PCI DSS, for example. We were told that we could create solution packs of our own with the help of a solution builder and could deploy them across our clients. This would probably work when focusing a solution pack towards a specific industry. Aside from getting all of these correlation rules set up, there is some level of system administrator involvement that should be there to fully leverage its potential. This product will only be as good as the rules that are written and the amount of attention a sysadmin will give to looking for patterns of problematic events.
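As an added illustration (not Novell's or Sentinel's own code) of the syslog-to-incident flow described above, the following Node.js script normalizes a few constructed sshd syslog lines, keeps only failed logins as root or administrator, and applies a correlation rule that opens one incident when a threshold of failures from one source is reached inside a time window. The line format, the threshold and window values, and the incident fields are all assumptions made for the example.

```javascript
// Constructed sample syslog lines in the style of Linux sshd (not real data).
const SAMPLE_SYSLOG = [
  "Mar 10 09:00:01 web01 sshd[2101]: Failed password for root from 10.0.0.5 port 51122 ssh2",
  "Mar 10 09:00:04 web01 sshd[2103]: Failed password for root from 10.0.0.5 port 51123 ssh2",
  "Mar 10 09:00:09 web01 sshd[2107]: Failed password for root from 10.0.0.5 port 51124 ssh2",
  "Mar 10 09:00:15 web01 sshd[2110]: Accepted password for alice from 10.0.0.9 port 40001 ssh2",
  "Mar 10 09:12:30 web01 sshd[2150]: Failed password for bob from 10.0.0.7 port 40100 ssh2",
];

// Collector step: translate one raw syslog line into a normalized event object.
// Returns null for lines the (assumed) format does not match.
const LINE_RE = /^(\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+/;
function normalize(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, mon, day, hh, mm, ss, host, outcome, user, src] = m;
  return { ts: `${mon} ${day} ${hh}:${mm}:${ss}`, host, user, src,
           outcome: outcome === "Failed" ? "failure" : "success",
           secs: Number(hh) * 3600 + Number(mm) * 60 + Number(ss) }; // seconds into the day
}

// Filter step: only failed logins for privileged accounts are interesting here.
const PRIVILEGED = new Set(["root", "administrator"]);
function filterPrivilegedFailures(events) {
  return events.filter(e => e.outcome === "failure" && PRIVILEGED.has(e.user.toLowerCase()));
}

// Correlation rule (assumed values): `threshold` failures for the same user from the
// same source within `windowSec` seconds open exactly one incident for that burst.
function correlate(events, { threshold = 3, windowSec = 60 } = {}) {
  const incidents = [];
  const windows = new Map(); // key -> events still inside the sliding window
  for (const e of events.slice().sort((a, b) => a.secs - b.secs)) {
    const key = `${e.user}@${e.src}`;
    const win = windows.get(key) || [];
    while (win.length && e.secs - win[0].secs > windowSec) win.shift(); // expire old events
    win.push(e);
    windows.set(key, win);
    if (win.length === threshold) { // fires once, when the threshold is first crossed
      incidents.push({ rule: "privileged-login-failures", user: e.user, src: e.src, host: e.host,
                       count: win.length, firstSeen: win[0].ts, lastSeen: e.ts,
                       severity: "high", assignee: "on-call-sysadmin", status: "open" });
    }
  }
  return incidents;
}

// Whole pipeline: raw lines -> normalized events -> filtered events -> incidents.
function runPipeline(lines, opts) {
  const events = lines.map(normalize).filter(Boolean);
  return correlate(filterPrivilegedFailures(events), opts);
}

console.log(JSON.stringify(runPipeline(SAMPLE_SYSLOG), null, 2));
```

With the sample lines, only the three root failures from 10.0.0.5 reach the threshold; bob's single failure and alice's successful login never become an incident.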
I will write more tomorrow.