NetIQ Sentinel 7
Strengths: Easy to deploy, scale and use.
Weaknesses: Radical change in licensing model may be off-putting to traditionalists and can become expensive quickly.
Verdict: An impressive SIEM that is feature rich, quick to deploy and easy to use.
Summary
Sentinel from NetIQ is one of those security products that is supposed to give administrators assurance about the network events that can indicate trouble. Using SIEM methodologies, NetIQ's Sentinel 7 looks deep into syslog messages, simple network management protocol (SNMP) incidents and other event-driven reporting mechanisms to sum up the security health of a network.
Probably one of the newest releases of a SIEM product covered here, Sentinel 7 was announced on February 28 at the RSA Conference. That means Sentinel should have the latest and most mature features of the lot and should impress almost anyone who is looking for the latest in SIEM products.
However, just because something is the newest doesn't always make it the best. That said, Sentinel 7 does a bang-up job of taming the SIEM beast. NetIQ went for a common thread with Sentinel 7 - ease of use. Indeed, great strides were taken to make the product one of the easiest-to-use SIEM solutions on the market.
One of the first elements of confusion that NetIQ chose to tackle was licensing. The company takes the unique approach of licensing the product based on events per second. In other words, low traffic networks, even those that sport a lot of different components, may be able to get by with a license that just supports 500 monitored events per second. High-value, busy networks may need to go with a license that supports 50,000 events per second. It all comes down to traffic and not physical components.
Other elements that suggest simplicity include plug-and-play deployment, as well as auto-configuration wizards. Sentinel is delivered as a virtual appliance, which can run on virtualized hardware, making it easy to scale the product by just throwing more resources at it. What's more, the virtual appliance approach makes it easier to back up or transfer Sentinel, and it seems to fit better into a failover or quick disaster-recovery scenario as well.
The offering comes pre-equipped with packaged intelligence to detect many threats out of the box without time-consuming rule-writing and configuration. Built-in anomaly detection automatically establishes baselines of normal activity and detects changes that can represent emerging threats. New or custom rules can be created easily by business users through an intuitive and easy-to-navigate GUI.
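To make the two ideas above concrete, the events-per-second licensing and the "baseline normal activity, flag the change" style of anomaly detection, here is an added illustration in Python. It is not NetIQ's code and says nothing about how Sentinel works internally; it parses constructed RFC 3164 syslog lines (the year, hostnames and addresses are all made up), counts events per second, reports the peak EPS a licence would have to cover against the 500 and 50,000 tiers the review mentions, and flags seconds whose rate breaks a median-based baseline.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

SYSLOG_HEADER = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(\S+)\s")
ASSUMED_YEAR = 2012  # RFC 3164 headers carry no year; this one is assumed

# Constructed sample: ten quiet seconds of two firewall accepts each,
# then a one-second burst of twenty denies from a single outside host.
SAMPLE_SYSLOG = [
    f"Mar  1 10:00:{s:02d} fw01 kernel: ACCEPT src=10.0.0.{i} dst=10.0.0.9 dpt=443"
    for s in range(10) for i in (5, 6)
] + [
    f"Mar  1 10:00:10 fw01 kernel: DENY src=203.0.113.7 dst=10.0.0.9 dpt={p}"
    for p in range(20, 40)
]

def event_second(line):
    """Second (as a datetime) a syslog line is stamped with; None if unparsable."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None  # skip junk rather than stall the whole feed
    mon, day, clock, _host = m.groups()
    return datetime.strptime(f"{ASSUMED_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")

def events_per_second(lines):
    """Count parsable events per wall-clock second."""
    counts = Counter()
    for line in lines:
        ts = event_second(line)
        if ts is not None:
            counts[ts] += 1
    return counts

def peak_eps(counts):
    """Peak events per second, the figure an EPS-based licence must cover."""
    return max(counts.values(), default=0)

def licence_tier(peak, tiers=(500, 50000)):
    """Smallest licence tier (in EPS) that covers the observed peak, else None."""
    return next((t for t in sorted(tiers) if t >= peak), None)

def anomalous_seconds(counts, factor=3.0):
    """Seconds whose rate exceeds a robust baseline of median + factor * MAD."""
    rates = list(counts.values())
    if len(rates) < 3:
        return []  # too little history to call anything a deviation
    median = statistics.median(rates)
    mad = statistics.median(abs(r - median) for r in rates)
    threshold = median + factor * max(mad, 1.0)  # floor keeps a flat baseline from flagging wobbles
    return sorted(ts for ts, n in counts.items() if n > threshold)
```

On the sample, the peak is 20 EPS (so the 500 EPS tier covers it) and the burst at 10:00:10 is the only flagged second; a real feed would need a longer baseline window and per-source counters.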
The product is able to gather events from a multitude of sources and quickly analyze those events to present alerts to administrators in a fashion that is both easy to understand and actionable.
Also, Sentinel gathers as much information as physically possible when following an event. Information such as the who, what, when and where is readily preserved for future analysis, making the product suitable for dealing with both insider and outsider threats.
Extensive reporting capabilities are driven by NetIQ Sentinel's ability to capture rich data, instead of just the ordinary, or basic events, allowing administrators to look at "what-ifs," as well as "what-happened" in an intelligent fashion.