7.1 Overview

Users in an IT environment have multiple accounts and sometimes multiple account identifiers per user. Normally, if a user has multiple account identifiers, Sentinel treats each identifier as a unique account.

This means a user could log in to Active Directory and an LDAP directory and Sentinel tracks these events, but Sentinel does not realize these events are related to the same user account.

To overcome this, Sentinel provides an integration framework for identity management systems so that it can track the identity behind each user account and the events that identity has performed.

This integration provides functionality on several levels:

By displaying information about the people initiating a given action or people affected by an action, incident response times are improved and behavior-based analysis is enabled.

Sentinel provides an optional integration with Novell Identity Manager. The figures and descriptions in this section are based on Identity Manager.

Sentinel synchronizes identity information with major identity management systems and stores local copies of key information about each identity. The following table summarizes the commonly used information provided:

Name          Description
AccountGUID   Auto-generated internal ID
Name          Username that references the account, generally provided by the user to log in.
ID            The numeric or other identifier that represents the account in the event source. This ID is used for resolution when the username is not available.
Authority     The realm within which this account is unique. Collectors calculate the realm based on event information.
Status        The status of the account
IdentityGUID  A reference to the identity that owns this account

The identities stored by Sentinel are then linked with the accounts that the identity management system created on endpoint systems. This lets Sentinel associate the correct identity information with the native events from those endpoint systems. Some identity information is injected directly into the inbound event by the mapping service. The remaining identity information, such as photograph and contact information, is accessible through the Identity Browser.

The identity information injected into the event can be used for correlation and for performing actions on the identities that are associated with detected activity. For example, Sentinel is able to see multiple failed logins from a given person and not just an account. A detected violation could trigger disabling activities for all accounts associated with an identity.
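The following is an added illustration (not Sentinel code) of the account-to-identity resolution the table above describes and of the per-identity correlation in this paragraph: events are resolved by username within their Authority realm, fall back to the account ID when no username is present, and failed logins are then counted per IdentityGUID rather than per account. All account rows, GUIDs and events are constructed sample data.

```python
from collections import Counter

# Constructed sample rows of the account table above (all values invented).
ACCOUNTS = [
    {"Name": "jsmith", "ID": "S-1-5-21-1001", "Authority": "AD:corp.example", "IdentityGUID": "id-0001"},
    {"Name": "john.smith", "ID": "uid=2001", "Authority": "LDAP:ldap.example", "IdentityGUID": "id-0001"},
    {"Name": "adoe", "ID": "S-1-5-21-1002", "Authority": "AD:corp.example", "IdentityGUID": "id-0002"},
]

# Constructed login events as a collector might normalize them; the LDAP event
# carries only the account ID because the raw record held no username.
EVENTS = [
    {"Authority": "AD:corp.example", "Name": "jsmith", "ID": None, "Outcome": "failure"},
    {"Authority": "AD:corp.example", "Name": "jsmith", "ID": None, "Outcome": "failure"},
    {"Authority": "LDAP:ldap.example", "Name": None, "ID": "uid=2001", "Outcome": "failure"},
    {"Authority": "AD:corp.example", "Name": "adoe", "ID": None, "Outcome": "success"},
    {"Authority": "AD:corp.example", "Name": "ghost", "ID": None, "Outcome": "failure"},
]

def build_indexes(accounts):
    """Index accounts within their realm (Authority) by username and by ID."""
    by_name = {(a["Authority"], a["Name"]): a for a in accounts}
    by_id = {(a["Authority"], a["ID"]): a for a in accounts}
    return by_name, by_id

def resolve_identity(event, by_name, by_id):
    """Return the IdentityGUID owning the event's account, or None.
    Username is tried first; the account ID is the fallback for events whose
    collector could not supply a username (see the ID column above)."""
    realm = event["Authority"]
    for key, index in ((event.get("Name"), by_name), (event.get("ID"), by_id)):
        if key and (realm, key) in index:
            return index[(realm, key)]["IdentityGUID"]
    return None

def failed_logins_per_identity(events, accounts):
    """Count failed logins per identity rather than per account."""
    by_name, by_id = build_indexes(accounts)
    counts = Counter()
    for ev in events:
        if ev["Outcome"] == "failure":
            counts[resolve_identity(ev, by_name, by_id) or "unresolved"] += 1
    return counts

def accounts_for_identity(guid, accounts):
    """All (Authority, Name) pairs an identity owns, e.g. for a disable action."""
    return [(a["Authority"], a["Name"]) for a in accounts if a["IdentityGUID"] == guid]
```

With the sample data, the three failures spread across the AD and LDAP accounts collapse onto one identity, while the unknown username stays unresolved because lookups are scoped to the realm.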