Solution profile: Novell Sentinel

Compelled by a business need to create new products, new customer value and/or a single view of their customers, many Financial Services organisations across Europe have connected together disparate enterprise systems and blurred the perimeters of their corporate network and business ecosystems in search of competitive advantage.

However, an unanticipated consequence of this has been unearthed in the shape of a regulatory ‘Pandora's Box’. Deperimeterisation of networks and applications has made conventional audit and compliance very difficult. Common hurdles are encountered during the audit process of basic regulations, such as Basel II Access Controls/Authentication and Incident Response Plan, EU Data Protection Inappropriate Data Migration, and Sarbanes Oxley Internal Controls (404) and Real-time Reporting (409).

IT departments are finding it increasingly complicated and expensive to pass audits due to their inability to monitor a certain control. What they lack is a common corporate governance infrastructure to continuously monitor network resources such as routers, firewalls and applications. Novell has tools that allow Financial Services organisations to model and automate this exact control, which significantly decreases the cost and complexity of today's audits. We are able to help companies handle this almost uncontrollable volume of vital cross-sections of data required to pass these basic audits.

Using traditional logging methods, applications and components submit free-form text messages to logging facilities such as system or application event logs. These text messages usually contain information only assumed to be security-relevant by the application developer, who is often not a security or audit expert.

The fundamental problem with the traditional approach is that each application developer individually determines what information should be included in an audit event record, and the overall format in which that record should be presented to the audit log. This variance in formatting among thousands of instrumented applications makes the job of understanding the information error-prone.

Furthermore, not only is it nearly impossible to understand the data, the set of actions required to remediate incidents are either absent or insufficient, primarily due to the absence of a continuous resource/application monitoring infrastructure that ties in to a well defined incident response framework.

From our research we have concluded the following:

1. The best way to handle an incident is to stop it from happening. A preventative approach is necessary to reduce the number of threats and breaches to manageable levels. This can be achieved by establishing security policies, configuring systems wisely, scanning and eliminating vulnerabilities regularly and establishing well-defined access control policies.
   
2. Assessing risk associated with every incident is a fundamental step of the Incident Response (IR) process. This plays an important role in determining behaviour and service requirements. A risk model should be used to identify potential risk and the probability and impact of the compromise to each area.
3. The incidence response process should exhibit predictive and adaptive behaviour to be able to handle different types of incidents. This may be achieved by having the right mix of automation, delegation and escalation models in the process definitions.
4. An analytical component-level model of an incidence response can be created by applying queue network modelling techniques. This analytical model provides some insight into the "what if" scenarios and response times on an incidence response process.
5. Collection, normalisation, and correlation of events across disparate systems through rigorous monitoring enables individual events to be understood within a wider context, and allows organisations to observe patterns of behaviour across the enterprise and take proactive action accordingly.
6. Qualitative and quantitative requirements of compliance and security IR processes are similar at the macro phase level - however they are very different at the micro activity level. Data and metrics from the incidence response processes should be used to handle similar threats in the future. This feedback is essential for the success of the incidence response process.

If you want to integrate systems and create new products and solutions but keep the lid on Pandora's Box, then you need Novell. Our Sentinel solution (previously from eSecurity) is a comprehensive security event and information management platform that allows you to monitor and control the security of all systems within your network. Novell Sentinel provides a broad range of out-of-the-box collectors, robust event correlation, intuitive remediation tools and easy-to-use, real-time dashboard and report generation tools. It can be deployed independently, or as part of an installed identity and access management solution, or as part of Novell's identity and access management solution.

Novell offers an end-to-end security and compliance management solution that allows you to address the front-office and back-office issues that stand between failure and success. Novell security, identity and compliance solutions are made up of a comprehensive, modular set of products and technologies that connect with any application, data store, directory or security system in your IT environment - without modification to those business resources. The solution components are completely cross-platform, running on Microsoft Windows, Linux, Solaris, and NetWare. Best of all, the solution components position you for the future by giving you the security, identity and compliance foundation that supports other security- and identity-based business initiatives, like secure employee and customer portals, business workflows and software-as-a-service.

For more information or to arrange a visit from one of Novell's Identity Management consultants please phone 01344 724000 or visit www.novell.com