Sentinel 6.1 User Guide, 7 January 2010

Business Relevance: Sentinel injects business-relevant contextual data directly into the event stream. It provides up to 135 customizable fields in which users can add asset-specific information such as business unit, owner, asset value and geography. Once this information has been added to the system, every other component can take advantage of the additional context.

Figure A-11 Injecting Business Relevance

Exploit Detection: Exploit Detection enables immediate, actionable notification of attacks on vulnerable systems. It provides a real-time link between IDS signatures and vulnerability scan results, notifying users automatically and immediately when an attack attempts to exploit a vulnerable system. This dramatically improves the efficiency and effectiveness of incident response.

Exploit Detection provides users with updates to the mappings between IDS signatures and vulnerability scanner product signatures; the mappings cover a comprehensive list of IDS and vulnerability scanner products. Users simply upload vulnerability scan results into Sentinel. Exploit Detection automatically parses them and updates the appropriate IDS Collectors. It then uses this embedded knowledge of vulnerability status to prioritize responses to security threats in real time.

When an attack is launched against a vulnerable asset, Exploit Detection alerts users with the severity level of the exploited vulnerability. Users can then take immediate action on high-priority events.
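The two mechanisms described above, context injection and signature-to-vulnerability correlation, can be shown together in a few dozen lines. The following is an added example and is not Sentinel code or its mapping data: the IDS product name, signature IDs, vulnerability IDs, asset records, scan results and sample events are all constructed for the illustration, and the priority ordering (exploit hits first, then vulnerability severity, then asset value) is this example's own choice. The `unmap` function models the "un-map" tuning step that Exploit Detection exposes to users.

```python
# Added example (not Sentinel code): enrich IDS events with asset context and
# flag attacks that target a vulnerability the destination host is known to have.
from typing import Dict, List, Set, Tuple

# Constructed sample data. The product, signature and vulnerability identifiers
# are hypothetical; a real deployment loads vendor mappings and scanner output.
SignatureKey = Tuple[str, str]  # (IDS product, signature ID)

# Signature -> set of vulnerability IDs the signature is known to exploit.
SIGNATURE_MAP: Dict[SignatureKey, Set[str]] = {
    ("example-ids", "SIG-1001"): {"VULN-SMB-01"},
    ("example-ids", "SIG-2002"): {"VULN-WEB-07"},
    ("example-ids", "SIG-3003"): set(),  # signature with no mapped vulnerability
}

# Business-relevance fields keyed by asset IP (a few of the customizable fields).
ASSETS: Dict[str, Dict[str, object]] = {
    "10.0.0.5": {"business_unit": "Finance", "owner": "jdoe",
                 "asset_value": 9, "geography": "EMEA"},
    "10.0.0.9": {"business_unit": "Engineering", "owner": "asmith",
                 "asset_value": 4, "geography": "APAC"},
}

# Parsed scan results: asset IP -> {vulnerability ID: scanner severity 1-10}.
SCAN_RESULTS: Dict[str, Dict[str, int]] = {
    "10.0.0.5": {"VULN-SMB-01": 8},
    "10.0.0.9": {"VULN-WEB-07": 6},
}

# Constructed IDS events as they would arrive from a Collector.
SAMPLE_EVENTS: List[dict] = [
    {"ids_product": "example-ids", "signature": "SIG-1001",
     "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5"},   # target is vulnerable
    {"ids_product": "example-ids", "signature": "SIG-1001",
     "src_ip": "203.0.113.7", "dst_ip": "10.0.0.9"},   # target not vulnerable
    {"ids_product": "example-ids", "signature": "SIG-2002",
     "src_ip": "198.51.100.3", "dst_ip": "10.0.0.9"},  # target is vulnerable
    {"ids_product": "example-ids", "signature": "SIG-3003",
     "src_ip": "198.51.100.3", "dst_ip": "10.0.0.5"},  # no mapping at all
]


def enrich(event: dict, assets: Dict[str, Dict[str, object]] = ASSETS) -> dict:
    """Inject the destination asset's business context into a copy of the event."""
    out = dict(event)
    out.update(assets.get(event["dst_ip"], {}))
    return out


def detect_exploit(event: dict,
                   sig_map: Dict[SignatureKey, Set[str]] = SIGNATURE_MAP,
                   scans: Dict[str, Dict[str, int]] = SCAN_RESULTS) -> dict:
    """Mark the event as an exploit attempt if the signature maps to a
    vulnerability that the scan results show present on the destination host.
    Severity is taken from the scanner's rating of that vulnerability."""
    mapped = sig_map.get((event["ids_product"], event["signature"]), set())
    present = scans.get(event["dst_ip"], {})
    hits = {v: present[v] for v in mapped if v in present}
    out = dict(event)
    out["exploit_detected"] = bool(hits)
    out["vulnerabilities"] = sorted(hits)
    out["severity"] = max(hits.values()) if hits else 0
    return out


def unmap(sig_map: Dict[SignatureKey, Set[str]], ids_product: str,
          signature: str, vuln: str) -> Dict[SignatureKey, Set[str]]:
    """Return a copy of the mapping with one signature/vulnerability link removed,
    the tuning step used to silence a known false positive."""
    tuned = {key: set(vulns) for key, vulns in sig_map.items()}
    tuned.get((ids_product, signature), set()).discard(vuln)
    return tuned


def process(events: List[dict],
            sig_map: Dict[SignatureKey, Set[str]] = SIGNATURE_MAP,
            scans: Dict[str, Dict[str, int]] = SCAN_RESULTS) -> List[dict]:
    """Enrich and correlate every event, then order the queue so that confirmed
    attacks on vulnerable, high-value assets come first (example's own ordering)."""
    results = [detect_exploit(enrich(e), sig_map, scans) for e in events]
    return sorted(results, reverse=True,
                  key=lambda r: (r["exploit_detected"], r["severity"],
                                 r.get("asset_value", 0)))


if __name__ == "__main__":
    for r in process(SAMPLE_EVENTS):
        print(r["exploit_detected"], r["severity"], r["dst_ip"],
              r.get("owner"), r["vulnerabilities"])
```

Two details matter in practice. Correlation is only as good as the freshness of the uploaded scan: a host patched after the last scan still raises an exploit alert, and one that acquired a new service after it is missed, so scans should be re-uploaded whenever the mapping or the estate changes. And because `unmap` returns a new mapping rather than editing the shared one, a tuning decision can be tested against the event history before it is made live.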
Exploit Detection takes the guesswork out of alert monitoring and increases incident response efficiency by focusing the reaction on known attacks against vulnerable assets. It also lets users map or "un-map" signatures and vulnerabilities, both to tune out false positives and false negatives and to make use of custom signatures or vulnerability scans.

A.4.2 Business Logic Layer

The kernel of the Sentinel platform consists of a set of loosely coupled services that can run in a standalone configuration or in a distributed topology. This service-oriented architecture (SOA) is called iSCALE. Specifically, Sentinel's SOA comprises a set of engines, services and APIs that work together so that the solution scales linearly with increasing data load and/or processing workload. Sentinel services run in specialized containers that are optimized for message-based transport and computation, which is what allows them to process and scale as they do. The key services that make up the Sentinel Server include: