Overview

FortiSIEM is an advanced Security Information and Event Management (SIEM) solution that combines advanced log and traffic analysis with performance/availability monitoring, change analysis and accurate knowledge of the infrastructure to provide accurate threat detection, remediation, incident response and compliance reporting.

FortiSIEM can be deployed as a hardware appliance, a virtual appliance or as a cluster of virtual appliances to scale-out to large infrastructure deployments.

Scale-Out Architecture

FortiSIEM scales seamlessly from small enterprises to large and geographically distributed enterprises and service providers.

For smaller deployments, FortiSIEM can be deployed as a single all-in-one hardware or virtual appliance that contains the full functionality of the product. The virtual appliance can run on most common hypervisors including VMware ESX, Microsoft Hyper-V, and Red Hat KVM, and can be deployed on-premises or in the Amazon AWS Cloud. For larger environments needing greater event handling throughput and storage, FortiSIEM can be deployed in cluster mode. There are three types of FortiSIEM nodes: Collector, Worker and Supervisor.

Collectors are used to scale data collection from various geo-separated network environments, potentially behind a firewall. Collectors communicate with the devices, collect the data, parse it and then send it to the Worker nodes over a compressed, secure HTTP(S) channel. Supervisor and Worker nodes reside inside the data center and perform data analysis functions using distributed co-operative algorithms. For scalable event storage, FortiSIEM provides two solutions: the FortiSIEM NoSQL event database with data residing on an NFS server, and Elasticsearch.

As the compute or storage needs grow, you can add Collector nodes, Worker nodes, disks on the NFS server and Elasticsearch Data Nodes.

FortiSIEM also provides Windows Agents that enable log collection from a large number of Windows servers. Windows Agents can be configured to send events to Collectors in a highly available, load-balanced manner.

Multi-tenancy

FortiSIEM allows you to manage multiple groups of devices and users (Organizations) within a single FortiSIEM installation. Devices and IP addresses can overlap between Organizations. FortiSIEM provides strict logical separation between Organizations at the application layer. Users of one Organization cannot see another Organization’s data, including devices, users and logs. Only users belonging to the Managed Service Provider Organization can see all Organizations.

Infrastructure Discovery and Automated CMDB

For complete situational awareness, a user needs to know the network and server infrastructure in depth. FortiSIEM’s inbuilt discovery engine can explore an IT infrastructure (on-premises and cloud, physical and virtual) and discover and categorize network devices, servers, users and applications in depth. A wide range of information is discovered, including hardware information, serial numbers and licenses, installed software, running applications and services, and device configurations. Some special topological relationships can be discovered as well, for example WLAN Access Points to WLAN Controllers, or VMware guests to physical hosts. This rich information populates an integrated configuration management database (CMDB), which is kept up to date through scheduled re-discoveries.

A novel aspect of FortiSIEM discovery is that the system automatically discovers what can be monitored and which log can be pulled using the provided credentials. This approach reduces human error, since FortiSIEM learns the true network configuration state.

High Performance Log Collection and Flexible Parsing

FortiSIEM has a flexible, distributed log collection and parsing architecture. For logs pushed to FortiSIEM (such as Syslog), the devices can load balance the logs across various Workers or Collectors. For logs pulled by FortiSIEM (such as Windows WMI or Cloud services via REST API), the pulling functionality is automatically load balanced across Workers and Collectors. Logs are parsed immediately at the point where they are received; this distributed processing speeds up log collection and analysis.

FortiSIEM has a patented XML-based log parsing language that is both flexible and computationally efficient. Flexibility comes from the fact that users can easily write their own parsers (XML files) or edit system-provided ones using the FortiSIEM GUI. The parser XML files are compiled at run time and executed as efficient code, which makes log parsing almost as efficient as writing the parser in a native programming language.

Performance and Availability Monitoring

Zero-day malware can create performance issues on a server: malware can consume large amounts of memory, and ransomware scanning and encrypting files can slow the performance of other applications. By shutting down certain services and creating excessive network traffic, malware can also cause availability issues. To properly detect and remediate security issues, an investigator needs to know the performance and availability trends of critical infrastructure services. Powered by its discovery capabilities, FortiSIEM can seamlessly collect a rich variety of performance and availability metrics to help the investigator hunt for threats. FortiSIEM can also alert when the metrics fall outside their normal profile and can correlate such violations with security issues to create high-fidelity alerts.

Network Configuration and File Integrity Monitoring

Unauthorized or inadvertent changes to key system configuration files (such as httpd.conf) or router/firewall configuration can lead to security issues. Malware can modify key system files. Bad actors (for example, insider threats) can steal forbidden files. It is important to maintain control of key files and directories.

FortiSIEM provides mechanisms for tracking and detecting key file changes. It can monitor start-up and running configuration of network devices via SSH. It can monitor configuration files on servers. FortiSIEM agents can efficiently monitor large server infrastructures. An alert is created when the file changes from one version to another or deviates from a blessed hardened configuration.

Custom Device and Application Support

While FortiSIEM provides turnkey support for a large number of devices and applications, users can build their own full-fledged support from the GUI. System log parsers, performance monitors and configuration change detectors can be modified. New device and application types can be defined, along with new log parsers, performance monitors and configuration change detectors.

User Identity and Location Tracking

By combining DHCP logs, VPN logs, WLAN logs and Domain Controller logon events, FortiSIEM is able to maintain an audit trail of IP address to user and geo-location mappings over time. While the IP address to user mapping is important for look-up purposes in its own right, this feature also enables FortiSIEM to detect stolen credentials, as they tend to be used from distant locations within a short period of time.

External Threat Intelligence Integration

External websites can provide cyber threat information in terms of:

  • Malware IP
  • Malware Domain
  • Malware hash
  • Malware URL
  • Anonymity Networks

FortiSIEM has a flexible framework to connect to a wide variety of threat sources (both free and paid), efficiently download this information and find matches in real time in the environment in which it is running. Some threat sources can have a large number (millions) of bad IPs and URLs. FortiSIEM’s distributed search and rule engines find matches against such large sets of data at a very high event rate.

Distributed Event Correlation and Threat Detection – the Rule Engine

FortiSIEM has a distributed event correlation engine that can detect complex threats in near real time. Threats are user or machine behavioral anomalies and can be specified in terms of event patterns sequenced over time. A threat can alternatively be viewed as a SQL query evaluated in streaming mode. FortiSIEM has an inbuilt profiling engine that can handle threats defined using statistical thresholds (mean and standard deviation).

What makes the FortiSIEM rule engine powerful is (a) the ability to include any data in a rule, for example performance and change metrics along with security logs, (b) distributed in-memory computation (patent-pending) involving Supervisor and Worker nodes for near real-time performance at high event rates, (c) the ability for a rule to generate a dynamic watch list which can be used recursively in a new rule to create a nested rule hierarchy, (d) use of CMDB objects in rule definitions, and (e) a unified XML-based language for rules and reports, which makes it easy to convert a report into a rule and vice versa.

Several machine learning based UEBA models are part of FortiSIEM’s inbuilt rule library: (a) detecting simultaneous logins from two different countries, (b) detecting simultaneous logins from two improbable geo-locations, (c) login behavior anomalies, such as logging on to servers, or at times, that a user does not typically log on, and (d) detecting traffic to dynamically generated domains.
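The IP-to-user audit trail and improbable geo-location detection described in the identity tracking section and in models (a) and (b) above, as an added Python example that is not FortiSIEM’s own code: it parses constructed VPN and Domain Controller logon events, keeps each user's last known location in time order, and flags a logon whose implied travel speed from the previous one is not achievable. The key=value log format, the IP-to-city table, the 900 km/h speed threshold and the 50 km minimum distance are all assumptions.

```python
import math
from datetime import datetime

# Constructed geo table (IP prefix -> city, lat, lon); illustrative values, not a real GeoIP database
GEO = {
    "203.0.113.": ("Tokyo", 35.68, 139.69),
    "198.51.100.": ("Berlin", 52.52, 13.41),
    "192.0.2.": ("Berlin", 52.50, 13.40),
}

# Constructed VPN and Domain Controller logon events in a simple key=value form
LOGS = [
    "ts=2024-03-01T08:00:00 type=vpn user=alice src=198.51.100.7",
    "ts=2024-03-01T08:20:00 type=dc user=alice src=192.0.2.15",
    "ts=2024-03-01T09:10:00 type=vpn user=alice src=203.0.113.9",
    "ts=2024-03-01T09:00:00 type=vpn user=bob src=203.0.113.44",
    "ts=2024-03-01T18:00:00 type=dc user=bob src=203.0.113.44",
]

def geolocate(ip):
    return next((loc for p, loc in GEO.items() if ip.startswith(p)), None)

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in km between two points on the Earth's surface
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse(line):
    f = dict(kv.split("=", 1) for kv in line.split())
    return {"ts": datetime.fromisoformat(f["ts"]), "user": f["user"], "ip": f["src"]}

def impossible_travel(lines, max_kmh=900.0, min_km=50.0):
    # Walk events in time order, keep each user's last IP/location, and flag a
    # logon whose implied travel speed from the previous one is not achievable.
    trail, alerts = {}, []
    for ev in sorted((parse(ln) for ln in lines), key=lambda e: e["ts"]):
        loc = geolocate(ev["ip"])
        if loc is None:
            continue
        prev = trail.get(ev["user"])
        if prev:
            km = haversine_km(prev["loc"][1], prev["loc"][2], loc[1], loc[2])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # simultaneous logons
            if km >= min_km and speed > max_kmh:
                alerts.append((ev["user"], prev["loc"][0], loc[0], round(km)))
        trail[ev["user"]] = {"ts": ev["ts"], "loc": loc}
    return alerts
```

On the constructed events, alice's Berlin logons 20 minutes apart are benign (a few km between two Berlin prefixes), while her Tokyo logon 50 minutes later is flagged; bob's two Tokyo logons produce no alert.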

FortiSIEM has a large number of in-built behavioral anomaly rules that work out of the box but can be adapted by the user to their own environment. A framework is provided where the user can write new rules via GUI, test them with real events and then deploy in the system.

Device and User Risk Scoring

By combining asset criticality, user role and importance, incident severity, frequency of occurrence and vulnerabilities found, FortiSIEM assigns a risk score to users and machines. This score is displayed in a dashboard with drill-down capabilities to identify the underlying factors.

Incident Response and Mitigation

FortiSIEM provides a number of mitigation scripts that can run an action when an incident happens. The scripts can be invoked automatically when an incident happens or can be invoked on demand. Some examples are blocking an IP or a MAC address, deactivating a user in Active Directory, removing an infected file, putting a user into a watch list, restarting a process, rebooting a server and so on. You can also write your own mitigation scripts and deploy them on a running system.

Search, Threat Hunting, Compliance Reports and Dashboards

FortiSIEM provides a flexible and unified search framework. Users can search data based on keywords or in a structured way using FortiSIEM parsed attributes. In real-time mode, the matched data streaming in from devices is displayed. In historical mode, events in the event database are searched. Supervisor and Worker nodes perform the search in a distributed manner.

A large number of inbuilt reports (search templates) are provided, based on the device type, and functionality such as availability, performance, change and security.

Two novel aspects of FortiSIEM search are event unification and drill-down or threat hunting capabilities. With event unification, all data is analyzed and presented the same way, whether it is presentation aspects (real-time search, reports, rules) or context (performance and availability metrics, change events or security logs). Using drill-down, you can start from a specific context, such as Top Authentication Failed Users, and select attributes to further analyze data and iteratively, get to the root cause of a problem. As an example, the investigation of 'Top Authentication Failed users' could be followed by picking a specific user from the list and selecting Destination IP, Ports to see which machines the user communicated with, followed by selecting the raw logs for real evidence.

FortiSIEM contains a wide selection of compliance reports out of the box – PCI, COBIT, SOX, ISO, ISO 27001, HIPAA, GLBA, FISMA, NERC, GPG13, SANS Critical Control, NIST800-53, NIST800-171.

FortiSIEM provides a wide variety of dashboards for users to visualize the data it collects and the incidents that have triggered: Summary dashboards, Widget dashboards, Business Service dashboards, the Incident dashboard, and the Identity and Location dashboard.

Internal Ticketing System and Two-way Third-party Ticketing Integration

FortiSIEM has a built-in ticketing system for managing incidents via tickets. It supports the full ticket life cycle of opening, escalating, closing, reopening and creating cases with attachments for evidence.

FortiSIEM can also integrate with third-party ticketing systems. When an incident occurs in FortiSIEM, a ticket can be created in the external ticketing system and linked to an existing device, or a new device can be created in the external system. You can map various FortiSIEM incident fields to external ticketing system fields. When the ticket is closed in the external ticketing system, the ticket is closed in FortiSIEM.

Several third-party external ticketing systems are supported out of the box, for example, ServiceNow, Salesforce, ConnectWise and Remedy. An API is provided so that other integrations can be built.

Business Service Analytics

A Business Service enables you to prioritize incidents and view performance/availability metrics from a business service perspective. A business service is defined within FortiSIEM as a smart container of related devices and applications serving a common business purpose. Once defined, all monitoring and analysis are presented from a business service perspective.

FortiSIEM enables you to easily define and maintain a business service. Since FortiSIEM automatically discovers the applications running on the servers as well as the network connectivity and the traffic flow, you can easily choose the applications and their respective servers and be intelligently guided to choose the rest of the components of the business service.