Novell Sentinel 6.1 provides an integration framework for identity management systems. This integration provides functionality on several levels:
Identity Browser provides the ability to look up the following information about a user:
Contact information
Accounts associated with that user
Most recent authentication events
Most recent access events
Most recent permissions changes
Identity Browser lookup from events
Reports and correlation rules provide an integrated view of a user's true identity, even across multiple systems on which that user has separate accounts. For example, accounts like NOVELL\testuser, cn=testuser,ou=engineering,o=novell, and TUser@novell.com can be mapped to the actual person who owns those accounts.
By displaying information about the people initiating a given action or people affected by an action, incident response times are improved and behavior-based analysis is enabled.
Novell provides an optional integration with Novell Identity Manager. The screenshots and descriptions in this section are based on Novell Identity Manager.
Sentinel 6.1 synchronizes Identity information with major Identity Management systems and stores local copies of key information about each Identity. The following table summarizes the commonly used information provided:
The Identities stored by Sentinel are then linked with accounts created on endpoint systems by the Identity Management system. This helps Sentinel associate the correct Identity information with the native events from those endpoint systems. Some Identity information is injected directly into the inbound event by using the mapping service. The remaining identity information, such as photograph and contact information, is accessible through the Identity Browser.
Figure 18-1 Accessing the Identity Browser
The Identity information injected into the event can be used for correlation and for performing actions on the Identities that are associated with detected activity. For example, Sentinel is able to see multiple failed logins from a given person and not just an account. A detected violation could trigger disabling activities for all accounts associated with an Identity.
Figure 18-2 Identity Details
Integration with Novell Identity Manager is available as part of the Novell Compliance Management Platform, which includes the following components:
Sentinel 6.1
Identity Manager 3.6
Access Manager 3.0.3
Identity Tracking Solution Pack for Sentinel 1.0
Analyzer for Identity Manager 1.0
Identity Manager Resource Kit 1.2
Identity Manager Driver for Sentinel 3.6
The Solution also requires “identity-enabled” Collectors, which are available for download at the Sentinel Content Web site.
After Sentinel and Identity Manager are installed, the Sentinel Driver for Identity Manager sends identity and account information from the Identity Vault to the Sentinel Identity Vault Collector, which populates the Sentinel database. The information is inserted into two new tables in Sentinel 6.1. These two tables are the Identity table (USR_IDENTITY) and the Account table (USR_ACCOUNT). For more information, see Sentinel Database Views for Oracle and Sentinel Database Views for Microsoft SQL Server in the Sentinel 6.1 Reference Guide.
The time required to initially populate the Sentinel database will depend on the amount of data in the Identity Vault; identity information including photographs will require significantly more time to load.
The Sentinel Driver for Identity Manager and Identity Vault Collector also keep the identity information synchronized as information is updated in the Identity Vault during normal Identity Manager operations.
After the identity information and account information are loaded in their respective tables with a link between them, a map named IdentityAccount is generated automatically in the location ESEC_HOME/DATA/MAP_DATA. The map contains the following information:
Account Name
Authority
Customer Name
Identity GUID
Full Name
Department
Job Title
Manager GUID
Account Status
IMPORTANT: An identity can have multiple accounts, but one account cannot be assigned to multiple identities.
The identity map is automatically applied to all events from Collectors to look for an identical match between the information in the event and key fields in the map. The table below shows the fields that are populated if all of the map key fields and event data exactly match. These mappings are automatically configured and are not editable.
NOTE: To find a match, the event fields and map key fields must match exactly. This may require modifications to existing Collectors to “identity enable” them to parse or concatenate data to make these fields match the data from the Identity Vault.
Once added to the event by the mapping service, these fields are used by correlation rules, remediation actions, and reports in the Identity Tracking Solution Pack. In addition to using the content included in the Solution Pack, users can also perform the following actions:
Create correlation rules based on identity in addition to account name. This allows you to look for similar events from a single user, which provides a more comprehensive view than looking at events from a single account.
Create reports that show identity, including all accounts associated with a user
Use the Identity Browser to get more information about a user and their activity
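The following is an added example, not Sentinel's own code, that models the IdentityAccount map behaviour described above: a map keyed on Account Name and Authority, collectors that are "identity enabled" so the event fields match the map exactly, the one-account-to-one-identity constraint, and a correlation that counts failed logins per identity rather than per account. The event field names (InitUserName, InitUserDomain, InitUserIdentity, InitUserFullName), the map rows and the events are all constructed assumptions.

```python
# Added example, not Sentinel's own code: apply an IdentityAccount-style map to events by exact
# key-field match, then correlate failed logins by identity. Field names and data are assumptions.
from collections import Counter

# Constructed map rows (key fields: Account Name + Authority) and raw collector events.
PERSON = {"IdentityGUID": "guid-0001", "FullName": "Test User"}
IDENTITY_ACCOUNT_MAP = [
    {"AccountName": "testuser", "Authority": "NOVELL", **PERSON},
    {"AccountName": "cn=testuser,ou=engineering,o=novell", "Authority": "eDirectory", **PERSON},
    {"AccountName": "TUser@novell.com", "Authority": "Exchange", **PERSON},
]
EVENTS = [  # one failed login on each of the person's accounts, plus an unknown account
    {"user": "NOVELL\\testuser", "authority": "NOVELL", "event": "login-failed"},
    {"user": "cn=testuser,ou=engineering,o=novell", "authority": "eDirectory", "event": "login-failed"},
    {"user": "TUser@novell.com", "authority": "Exchange", "event": "login-failed"},
    {"user": "NOVELL\\nobody", "authority": "NOVELL", "event": "login-failed"},
]

def build_lookup(rows):
    """Index by (AccountName, Authority); one account may belong to only one identity."""
    lookup = {}
    for row in rows:
        key = (row["AccountName"], row["Authority"])
        if key in lookup and lookup[key]["IdentityGUID"] != row["IdentityGUID"]:
            raise ValueError(f"account {key} is assigned to multiple identities")
        lookup[key] = row
    return lookup

def identity_enable(raw_user, default_authority):
    """Collector-side parsing so event fields match the map: 'NOVELL\\u' -> ('u', 'NOVELL')."""
    if "\\" in raw_user:
        authority, name = raw_user.split("\\", 1)
        return name, authority
    return raw_user, default_authority  # other forms keep the collector's configured authority

def apply_identity_map(event, lookup):
    """Inject identity fields only when both key fields match exactly; else pass through."""
    row = lookup.get((event["InitUserName"], event["InitUserDomain"]))
    if row is None:
        return event
    return {**event, "InitUserIdentity": row["IdentityGUID"], "InitUserFullName": row["FullName"]}

def failed_logins_by_identity(events, lookup):
    """Correlate across accounts: count login failures per identity, not per account."""
    counts = Counter()
    for raw in events:
        name, auth = identity_enable(raw["user"], raw["authority"])
        ev = apply_identity_map({"InitUserName": name, "InitUserDomain": auth, "EventName": raw["event"]}, lookup)
        if ev["EventName"] == "login-failed" and "InitUserIdentity" in ev:
            counts[ev["InitUserIdentity"]] += 1
    return counts
```

With the constructed data, each account sees a single failure, so an account-based rule with a threshold of three never fires, while the identity-based count reaches three for guid-0001; the unparsed NOVELL\testuser form shows why collectors must be identity enabled before the exact match can succeed.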
NOTE: For other identity systems, similar integration can be achieved by writing an identity synchronization collector that uses the Identity API.