To conclude my thoughts on the training. I thought I would include some screenshots so you can see Sentinel in action for yourself!

To sum up, the way Sentinel works is:

1. Logs are pulled into Sentinel and each line is seperated into events with severity levels ranging from 1 to 5
2. You define filters to look for events of interest. For example a filter might look like:
   filter(((e.DeviceCategory = “IDS”) and (e.Severity >= 4)))
3. Multiple Events can be groups together and marked as incidents. Each incident can be assigned a category and can be assigned to a person for further investigation
4. Utilizing Filters a correlated event can kick of an action (or trigger) such as sending an e-mail, appending a list, appending an ldap attribute or kicking off a javascript file (for further flexibility)
5. ProcessWork Flows can be designed to dictate the logic behind how an event is handled. The chain of command can be worked into the work flow. I.e. when a correlated event takes place ad Analyst can be prompted to check out the incident. Once the analyst attempts to rectify the problem and closes it out. It then can go to an Administrator who can further investigate or close out the incident.

This is the process in a nutshell, if you follow the screens after reading the explanation it might make more sense.

read more from "Novell Sentinel Training Day 4"

Image via Wikipedia

Alright Day 3 of Sentinel training was pretty good. We reviewed performing actions when a correlation rule is met on an event filter.  We also learned about “solution packs”.  A little bit about how they are structured, but mainly how to import, edit and redeloy them. We were shown the PCI DSS solution pack. I must say it was pretty comprehensive, which is sold for $30K by itself. We also were given a sales presentation breaking down the scope of Novell’s ISM (Identity and Security Management) products. It was explained to us that ISM is now one of Novell’s 3 focuses. Any supported products will fall under their main areas of focus. They also mentioned that they did very well this final quarter which is about to end for them. That’s really good news for Identity Management, especially at a time when the economy is not doing well. We also heard from some attendees in the training course that IBM is also doing very well. And of course IBM has its own Identity Management suite. So even more good news for Identity Management. The sales rep explained that Identity Management was initially seen as a sub-area of focus for IT departments and was not seen as being under security. But now Identity Management is seen more as being under security rather than traditional IT because of the specialization that goes into it.

read more from "Novell Sentinel Training Day 3"

What a day! I have a headache, not because of the material or anything. Before I talk about what we did today I was thinking of sharing some usecases with you on where Sentinel would be highly beneficial to have. Imagine someone who is not an Administrator attempts to login as administrator, wouldn’t you want to know? If there were repeated login failures on a very important server or someone was trying to access a port which was designated for something important. Or Imagine an administrator assigns a non-administrator certain rights which are out of the oridnary you might want to know. An example that came up in class is: Someone who logs in at a Bank, withdraws or transfers a large amount of cash, and then changes their password. If a combination of such an event happened, imagine having a rule in place where an alert was triggered. All of these use cases were mentioned in the training so far.

Today we spent alot of time on writing correlation rules, learning the syntax (expressions and other things) which are unique to the sentinel product. We also spent a large ammount of time learning the administrative tools.

Due to my headache, Ill be more detailed in the next post.

Image by the-tml via Flickr

2 colleagues from Identropy and I started a training class for Novell’s Sentinel 6.  Which is mainly a reporting tool which is being billed as being government compliant for various industries i.e. PCI DSS. The training so far has revolved around being able to setup “Active Views” and “Incidents”. You can see a screenshot here in case you are wondering what it looks like. Sentinel runs on Windows Server (VMs are recommended to shops that just do linux) UPDATE: see tech specs and is written in Java. One of the key selling points is event tracking happens in “real time” (by real time, they mean in memory). There are filters that are applied against events before hitting the “message bus” and also before being stored in a database repository for historical purposes). These filters on events can be setup as incidents which can be assigned to responsible individuals to follow up on or can be escalated over time. An email can be kicked out when an incident takes place.

There are connectors which support LDAP and SOAP which have become available with Sentinel 6.1. javascript is also now supported, so you can write your own custom collectors. There is a list of collectors which have been written for Sentinel to connect to various sources. Sentinel takes sys logs and translates them to make the data more usable. Then an integrator would help write filters to look for events i.e. failed login attempts as administrator or root and right correlation rules to generate incidents.

There is definitely a learning curve here. Aside from the learning curve, It does seem that the most work that will need to go into implementing sentinel will be setting up the correlation rules and filters. The good news is Novell has “solution packs” that have preconfigured filters. They have a solution pack for PCI DSS for example. We were told that we could create solution packs of our own with the help of a solution builder and could deploy them across our clients. This would probably work when focusing a solution pack towards a specific industry. Aside from getting all of these correlation rules setup, there is some level of system administrator involvement that should be there to fully leverage its potential. This product will only be as good as the rules that are written and the ammount of attention a sys admin will give to looking for patterns of problematic events.

I will write more tomorrow