Its search feature is powerful and can span many security events to get an entire picture of what happened. Searches can be saved in a “favorites” queue for quick reference. The search screen is probably where you will spend most of your time, as you uncover network events and try to remediate them. Remediation includes being able to quarantine various offending endpoints, terminate specific processes, deny network access to a particular endpoint, or set up whitelists to exclude any known and benign processes from further observation.
Almost everything about Sentinel is customizable. The bad news is that you will have to learn the Cyber Observable eXpression (CybOX) XML open-source scripting language. This is used by a variety of vendors to help in the automated exchange of threat data and is managed by the US government contractor MITRE Corp., so as you might imagine it has widespread support in that community.
For example, you can characterize a series of security events in an email that contains a file hash or a description of a Windows Registry key that has been tampered with. These events can then be shared across a variety of threat management systems. All of Sentinel’s detection profiles are written in this language, and several sample ones are included by default. You can add your own oddball behaviors and SIEM and feed integrations using these scripts.
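To make the CybOX idea concrete, here is an added example (not Sentinel's own detection-profile format, whose specifics are not described above) that builds a minimal CybOX 2.1 observables document for a file hash and a tampered Registry value, parses it back into plain indicators, and checks a constructed set of endpoint observations against them. The namespace URIs and element names follow the public CybOX 2.1 schemas; the `example:` identifiers, the hash value and the endpoint data are constructed for illustration.

```python
"""Build and consume a minimal CybOX 2.1 observables document.

Added example: not Sentinel's own profile code. Namespaces and element
names follow the public CybOX 2.1 schemas; all sample values are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "WinRegKeyObj": "http://cybox.mitre.org/objects#WinRegistryKeyObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the conventional prefixes on output


def q(prefix, tag):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (NS[prefix], tag)


def build_observables(file_name, sha256, hive, key, value_name, value_data):
    """Return CybOX XML describing one file (by SHA256) and one Registry value."""
    root = ET.Element(q("cybox", "Observables"),
                      {"cybox_major_version": "2", "cybox_minor_version": "1"})

    # Observable 1: a file object carrying a SHA256 hash
    obs = ET.SubElement(root, q("cybox", "Observable"), {"id": "example:Observable-1"})
    obj = ET.SubElement(obs, q("cybox", "Object"), {"id": "example:Object-1"})
    props = ET.SubElement(obj, q("cybox", "Properties"),
                          {q("xsi", "type"): "FileObj:FileObjectType"})
    ET.SubElement(props, q("FileObj", "File_Name")).text = file_name
    h = ET.SubElement(ET.SubElement(props, q("FileObj", "Hashes")), q("cyboxCommon", "Hash"))
    ET.SubElement(h, q("cyboxCommon", "Type")).text = "SHA256"
    ET.SubElement(h, q("cyboxCommon", "Simple_Hash_Value")).text = sha256

    # Observable 2: a Windows Registry key with one value that was tampered with
    obs = ET.SubElement(root, q("cybox", "Observable"), {"id": "example:Observable-2"})
    obj = ET.SubElement(obs, q("cybox", "Object"), {"id": "example:Object-2"})
    props = ET.SubElement(obj, q("cybox", "Properties"),
                          {q("xsi", "type"): "WinRegKeyObj:WindowsRegistryKeyObjectType"})
    ET.SubElement(props, q("WinRegKeyObj", "Key")).text = key
    ET.SubElement(props, q("WinRegKeyObj", "Hive")).text = hive
    val = ET.SubElement(ET.SubElement(props, q("WinRegKeyObj", "Values")), q("WinRegKeyObj", "Value"))
    ET.SubElement(val, q("WinRegKeyObj", "Name")).text = value_name
    ET.SubElement(val, q("WinRegKeyObj", "Data")).text = value_data
    return ET.tostring(root, encoding="unicode")


def extract_indicators(xml_text):
    """Flatten a CybOX document into (kind, where, what) tuples a detector can match on."""
    root = ET.fromstring(xml_text)
    indicators = []
    for props in root.iter(q("cybox", "Properties")):
        kind = props.get(q("xsi", "type"), "")
        if kind.endswith("FileObjectType"):
            for h in props.iter(q("cyboxCommon", "Hash")):
                algo = h.findtext(q("cyboxCommon", "Type"))
                value = h.findtext(q("cyboxCommon", "Simple_Hash_Value"))
                indicators.append(("file_hash", algo, value.lower()))
        elif kind.endswith("WindowsRegistryKeyObjectType"):
            path = props.findtext(q("WinRegKeyObj", "Hive")) + "\\" + props.findtext(q("WinRegKeyObj", "Key"))
            for v in props.iter(q("WinRegKeyObj", "Value")):
                indicators.append(("registry_value", path,
                                   v.findtext(q("WinRegKeyObj", "Name")) + "=" + v.findtext(q("WinRegKeyObj", "Data"))))
    return indicators


def match_endpoint(indicators, observed_hashes, observed_registry):
    """Return the indicators an endpoint's observations hit (hash compare is case-insensitive)."""
    hashes = {h.lower() for h in observed_hashes}
    hits = []
    for kind, where, what in indicators:
        if kind == "file_hash" and what in hashes:
            hits.append((kind, where, what))
        elif kind == "registry_value" and observed_registry.get(where) == what:
            hits.append((kind, where, what))
    return hits


# Constructed sample values (not real indicators)
SAMPLE_SHA256 = "a" * 64
SAMPLE_XML = build_observables("dropper.exe", SAMPLE_SHA256,
                               "HKEY_LOCAL_MACHINE",
                               "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                               "Updater", "C:\\Users\\Public\\dropper.exe")

if __name__ == "__main__":
    print(SAMPLE_XML)
    print(extract_indicators(SAMPLE_XML))
```

The parser keys on the `xsi:type` of each `cybox:Properties` element, which is how CybOX distinguishes object kinds, so adding support for another object type (a URI, a mutex) means adding one more branch rather than a new document format.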
There are two different sensors: the basic one is less than 2MB, and a more advanced one is smaller, more comprehensive and stealthier. Neither of them shows up in the running Programs list in the Windows Control Panel, and neither has any user-accessible controls or desktop icons.
The basic one supports a wider range of OSes because it uses the Windows API rather than the Sentinel API set. Both communicate by default over SSL on port 443 to the collection server. The server can be installed on a physical PC or via an OVA file on a VMware ESX hypervisor.
Sentinel has a number of integrations available. It has an option to automatically query VirusTotal with hash data collected from your endpoints and report the number of antivirus engines that consider the associated file to be malicious. You can also export its data to various SIEM tools for further analysis. And their analytics can integrate with Blue Coat’s security analysis tools. Finally, you can export various on-screen reports to CSV files.
Pricing for Sentinel is relatively simple: there is a starter pack for up to 250 endpoints. Beyond that, prices vary by endpoint type: $50 per year for a regular endpoint, or $100 to $125 per year for a server. There are quantity discounts and specials for managed service providers who want to deploy the solution.