E-Security stops data loss

The company’s Sentinel 5.1 monitors all security events on corporate networks

When you look at e-Security’s marketing materials, their message is all about compliance. The company, recently acquired by Novell, has a product that can help organizations comply with federal regulations such as the Health Insurance Portability and Accountability Act, among others. That’s nice to know if you’re a federal manager, but not necessarily relevant, because not all federal agencies are subject to the same compliance requirements.

However, Sentinel 5.1 is a broadly based security event manager that can play a significant role in protecting against data loss, intrusion, attack or even plain old stupidity. For example, had the Department of Veterans Affairs been running Sentinel, the product could have alerted information technology managers to repeated downloads of private information as part of a pattern of abuse. And that’s just the tip of the iceberg.

Sentinel monitors all security events on a network. Those events can include router and firewall activity, server requests, log-ins, locations, times, intrusion-detection system and intrusion-prevention system outputs, and nearly any other kind of event even remotely related to the security of a network.

Many products collect events, but Sentinel provides correlation. It can alert you when a particular employee logs on at odd hours, for example, and transfers large volumes of data.

You can also see when Internet attacks are taking place, when a firewall notices wormlike activity or when an employee tries to access a part of the network that’s off-limits.

You can load the system with your network policies and other security rules and then look for exceptions. The list of available functions is lengthy, but one that’s worth mentioning is its ease of use.
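The kind of correlation rule the review describes (an employee logging on at odd hours and then transferring large volumes of data, checked as an exception to a stated policy), as an added Python example that is not e-Security's or Sentinel's code. The event format, the business-hours definition, the two-hour window, the volume threshold and the sample log events are all assumptions constructed for the illustration.

```python
"""Added example: a minimal event-correlation rule of the kind a security event
manager runs. Rule: alert when the same user logs in outside business hours and,
within a time window, transfers more than a threshold volume of data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real system). ISO timestamps sort
# correctly as strings, so the stream can be ordered without parsing first.
SAMPLE_EVENTS = [
    {"time": "2006-06-01T02:13:00", "source": "vpn", "type": "login", "user": "jdoe"},
    {"time": "2006-06-01T02:40:00", "source": "fileserver", "type": "transfer", "user": "jdoe", "bytes": 1_200_000_000},
    {"time": "2006-06-01T09:05:00", "source": "vpn", "type": "login", "user": "asmith"},
    {"time": "2006-06-01T09:30:00", "source": "fileserver", "type": "transfer", "user": "asmith", "bytes": 2_000_000_000},
    {"time": "2006-06-01T23:50:00", "source": "vpn", "type": "login", "user": "bwong"},
    {"time": "2006-06-02T00:10:00", "source": "fileserver", "type": "transfer", "user": "bwong", "bytes": 50_000_000},
]

BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 counts as normal working time (assumed policy)
WINDOW = timedelta(hours=2)          # the transfer must follow the login within this window
VOLUME_THRESHOLD = 1_000_000_000     # bytes; assumed policy value

def off_hours(ts: datetime) -> bool:
    return ts.hour not in BUSINESS_HOURS

def correlate(events):
    """Return one alert per off-hours login that is followed by a large transfer.
    Events are processed in time order, the way a streaming engine sees them."""
    pending = defaultdict(list)   # user -> off-hours login times still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts, user = datetime.fromisoformat(ev["time"]), ev["user"]
        # expire logins that are older than the correlation window
        pending[user] = [t for t in pending[user] if ts - t <= WINDOW]
        if ev["type"] == "login" and off_hours(ts):
            pending[user].append(ts)
        elif ev["type"] == "transfer" and ev.get("bytes", 0) > VOLUME_THRESHOLD and pending[user]:
            alerts.append({"user": user, "login": pending[user][0].isoformat(),
                           "transfer": ev["time"], "bytes": ev["bytes"]})
            pending[user].clear()   # one alert per login; no duplicate alerts for repeat transfers
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only jdoe trips the rule: asmith's large transfer follows a business-hours login, and bwong's off-hours login is followed by a transfer below the threshold.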

Unlike some other security event managers, Sentinel is highly interactive. You can get a series of graphical displays that show events in real time, for example, and click anywhere on the display to drill into the data being shown. If you notice a lot of suspicious activity on a switch port, clicking on the display showing that traffic will let you know everything about the traffic and its potential for harm.

Sentinel’s iScale correlation engine is the powerhouse for making sense of potentially millions of events. The engine looks for patterns in events and uses those patterns to alert managers to risks.

Sentinel’s interactive interface makes management easy, even for someone with little training. A click on a graphical element shows the numbers or events behind the element. Reports are easy to design, and users can establish them to show whatever information a manager is likely to want. The product can support nearly anything that can be monitored, although in a few cases e-Security engineers will have to custom-build a data interface.

The product is also easy to implement. Sentinel was operating in just a few minutes in the Federal Computer Week lab. However, implementing your security and management policies can be complex and may require some time with company engineers. On the other hand, e-Security can work with nearly any type of resource, from mainframes to routers. Testing included gathering devices never before used with e-Security, only to find that the process of monitoring them was surprisingly easy.

Although Sentinel does have a big role to play in the compliance space, it has an even bigger role in tracking the security on your network and providing a detailed, auditable listing of events, in real time and during long periods of time. Once it’s operating, you’re unlikely to have your security policy violated without your knowledge.

General Services Administration pricing starts at about $80,000, plus maintenance and a per-device fee.

Rash is a freelance journalist based in Washington, D.C., who has been covering technology since the late 1970s. He can be reached at wayne@rash.org.

Guard duty

E-Security’s Sentinel 5.1 includes standard security information management capabilities such as event correlation. It also enables security managers to respond appropriately to incidents.

Key features include:

  • iTrac — Automates and enforces incident identification and resolution processes.
  • Active views — Detects and analyzes threats and policy violations via real-time visualization and analytical tools.
  • iScale Architecture — Combines the speed of in-memory processing and the power of distributed computing to rapidly capture and correlate events.
  • Correlation — Enables managers to set up rules that look for patterns of activity throughout multiple, disparate data sources.

Source: E-Security