Cyberattacks are a 24/7 reality. The complexity and growth of the enterprise estate (Infrastructure, Applications, VMs, Cloud, Endpoints and IoT) mean the attack surface grows exponentially. Coupled with a skills shortage and resource constraints, security becomes everybody’s problem, but visibility, event correlation and remediation are other people’s responsibility. Effective security requires visibility of all the devices and all the infrastructure in real time, but also context: which devices represent a threat and what their capability is, so you manage the threat the business faces, not the noise multiple security tools create.
Security management only gets more complex. Endpoints, IoT, Infrastructure, Security Tools, Applications, VMs and Cloud: the number of things you need to secure and monitor grows constantly. FortiSIEM, Fortinet’s Multivendor Security Incident and Events Management solution, brings it all together: Visibility, Correlation, Automated Response and Remediation in a single, scalable solution. Using a Business Services view, the complexity of managing network and security operations is reduced, freeing resources and improving breach detection. Worldwide, 80% of breaches go undetected because of skills shortage and event information ‘noise’. FortiSIEM provides the cross correlation and applies machine learning and UEBA to improve response and stop breaches before they occur.
Uptime is a mandate for today’s digital business and end-users do not care if their application’s problems are performance or security-related. That’s where FortiSIEM comes in.
Unified NOC and SOC Analytics (Patented)
Fortinet has developed an architecture that enables unified data collection and analytics from diverse information sources including logs, performance metrics, SNMP Traps, security alerts and configuration changes. FortiSIEM essentially takes the analytics traditionally monitored in separate silos — SOC and NOC — and brings that data together for a comprehensive view of the security and availability of the business. Every piece of information is converted into an event which is first parsed and then fed into an event-based analytics engine for monitoring real-time searches, rules, dashboards and ad-hoc queries.
Distributed Real-Time Event Correlation
Distributed event correlation is a difficult problem, as multiple nodes have to share their partial states in real time to trigger a rule. While many SIEM vendors have distributed data collection and distributed search capabilities, Fortinet is the only vendor with a distributed real-time event correlation engine. Complex event patterns can be detected in real time. This patented algorithm enables FortiSIEM to handle a large number of rules in real time at high event rates for accelerated detection timeframes.
Flexible and Fast Custom Log Parsing Framework (Patented)
Effective log parsing requires custom scripts, but those can be slow to execute, especially for high-volume logs such as Active Directory and firewall logs. Compiled code, on the other hand, is fast to execute but is not flexible, since it needs new software releases. Fortinet has developed an XML-based event parsing language that is functional like high-level programming languages and easy to modify, yet can be compiled at run-time to be highly efficient. All FortiSIEM parsers use this patented solution, going beyond most competitors’ offerings, and can parse at beyond 10K EPS per node.
Dynamic User Identity Mapping
Crucial context for log analysis is connecting network identity (IP address, MAC Address) to user identity (log name, full name, organization role). This information is constantly changing as users obtain new addresses via DHCP or VPN.
Fortinet has developed a dynamic user identity mapping methodology. Users and their roles are discovered from on-premises or Cloud SSO repositories. Network identity is identified from important network events. Then geo-identity is added to form a dynamic user identity audit trail. This makes it possible to create policies or perform investigations based on user identity instead of IP addresses — allowing for rapid problem resolution.
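The sketch below is an added illustration of the time-aware lookup this mapping implies; it is not FortiSIEM code or its algorithm. The event kinds, field names and directory entries are constructed assumptions, and geo-identity is left out. It shows why attribution has to use the binding in force at the event's timestamp: after a DHCP lease hands the address to a different MAC, the previous user no longer owns it.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed directory data (stands in for an SSO/directory lookup).
DIRECTORY = {
    "alice": {"full_name": "Alice Ng", "role": "Finance"},
    "bob": {"full_name": "Bob Roy", "role": "Engineering"},
}

# Constructed network events: (epoch seconds, kind, fields).
EVENTS = [
    (1000, "dhcp_lease", {"ip": "10.0.0.5", "mac": "aa:aa:aa:aa:aa:01"}),
    (1010, "logon", {"ip": "10.0.0.5", "user": "alice"}),
    (2000, "dhcp_lease", {"ip": "10.0.0.5", "mac": "bb:bb:bb:bb:bb:02"}),
    (2030, "logon", {"ip": "10.0.0.5", "user": "bob"}),
    (2500, "vpn_assign", {"ip": "172.16.9.9", "user": "alice"}),
]


def build_timeline(events):
    """Return ip -> time-sorted list of (ts, mac, user) bindings."""
    timeline = defaultdict(list)
    for ts, kind, f in sorted(events, key=lambda e: e[0]):
        bindings = timeline[f["ip"]]
        prev_mac = bindings[-1][1] if bindings else None
        if kind == "dhcp_lease":
            # A lease to a different MAC ends the previous user's claim on the IP;
            # a renewal by the same MAC keeps it.
            prev_user = bindings[-1][2] if bindings and f["mac"] == prev_mac else None
            bindings.append((ts, f["mac"], prev_user))
        else:  # logon or vpn_assign ties a user to the current holder of the IP
            bindings.append((ts, prev_mac, f["user"]))
    return timeline


def resolve(timeline, ip, ts):
    """Identity that held `ip` at time `ts`, or None if unknown at that time."""
    bindings = timeline.get(ip, [])
    idx = bisect_right([b[0] for b in bindings], ts) - 1
    if idx < 0 or bindings[idx][2] is None:
        return None
    _, mac, user = bindings[idx]
    return {"user": user, "mac": mac, **DIRECTORY.get(user, {})}


TIMELINE = build_timeline(EVENTS)
```

A firewall event for 10.0.0.5 at t=1500 resolves to alice, the same address at t=2600 resolves to bob, and at t=2010 (new lease, no logon yet) it resolves to no user rather than to the stale one.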
FortiSIEM uses Machine Learning to detect unusual user and entity behavior (UEBA) without requiring the Administrator to write complex rules. FortiSIEM helps identify insider and incoming threats that would pass traditional defenses. High fidelity alerts help prioritize which threats need immediate attention.
User and Device Risk Scoring
FortiSIEM builds risk scores for Users and Devices that can augment UEBA rules and other analysis. Risk scores are calculated by combining several datapoints regarding the user and device. The User and Device risk scores are displayed in a unified entity risk dashboard.
Automated Incident Mitigation
When an Incident is triggered, an automated script can be run to mitigate or eliminate the threat. Built-in scripts support a variety of devices including Fortinet, Cisco, Palo Alto and Windows/Linux servers. Built-in scripts can execute a wide range of actions including disabling a user’s Active Directory account, disabling a switch port, blocking an IP address on a Firewall, deauthenticating a user on a WLAN Access Point, and more. Scripts leverage the credentials FortiSIEM already has in the CMDB. Administrators can easily extend the actions available by creating their own scripts.