Sorry, this product is no longer available

Fortinet FortiSIEM FSM-2000F - SUPERVISOR - security appliance - 1GbE - 2U - rack-mountable

Availability: Not in stock
SKU: FSM-2000F
216 828,00 kr excl. VAT
Description

Security and compliance made easy

Breaches cause customers to take their business elsewhere, resulting in material and substantially negative impacts to an organization's bottom line. Attracting new customers is estimated to be seven times more costly than keeping existing customers. Fines and legal fees can quickly add up. Publicly traded organizations can see negative and lasting impacts to their stock value, supplier relationships and shareholder perceptions. All of this explains why more boards are getting involved in security decisions. FortiSIEM provides organizations with a comprehensive, holistic and scalable solution, from IoT to the Cloud, with patented, actionable analytics to tightly manage network security, performance and compliance standards, all delivered through a single-pane-of-glass view of the organization.

Unified NOC and SOC analytics

Fortinet has developed an architecture that enables unified and cross-correlated analytics from diverse information sources including logs, performance metrics, SNMP traps, security alerts and configuration changes. FortiSIEM essentially takes the analytics traditionally monitored in separate silos, the SOC and the NOC, and brings that data together for a more holistic view of the threat data available in the organization. Every piece of information is converted into an event which is first parsed and then fed into an event-based analytics engine for handling real-time searches, rules, dashboards and ad-hoc queries.

Distributed real-time event correlation

Distributed event correlation is a difficult problem, as multiple nodes have to share their partial states in real time to trigger a rule. While many SIEM vendors have distributed data collection and distributed search capabilities, Fortinet is the only vendor with a distributed real-time event correlation engine. Complex event patterns can be detected in real time. This patented algorithm enables FortiSIEM to handle a large number of rules in real time at high event rates for accelerated detection timeframes.

Real-time, automated infrastructure discovery and application discovery engine (CMDB)

Rapid problem resolution requires infrastructure context. Most log analysis and SIEM vendors require administrators to provide the context manually, which quickly becomes stale and is highly prone to human error. Fortinet has developed an intelligent infrastructure and application discovery engine that is able to discover and map the topology of both physical and virtual infrastructure, on-premises and in public/private clouds, using only credentials and without any prior knowledge of what the devices or applications are. Discovery is both wide (covering a large number of Tier 1/2/3 vendors) and deep (covering system, hardware, software, running services, applications, storage, users, network configuration, topology and device relationships). Discovery can run on demand or on a schedule to detect infrastructure changes in real time and report on any new devices and applications detected. This is an essential part of compliance requirement management that FortiSIEM is uniquely able to meet. An up-to-date CMDB (Centralized Management Database) enables sophisticated context-aware event analytics using CMDB objects in search conditions.

Dynamic user identity mapping

Crucial context for log analysis is connecting network identity (IP address, MAC Address) to user identity (log name, full name, organization role). This information is constantly changing as users obtain new addresses via DHCP or VPN. Fortinet has developed a dynamic user identity mapping methodology. First, users and their roles are discovered from on-premises repositories such as Microsoft Active Directory and Open LDAP, or from Cloud SSO repositories such as OKTA. This can be run on-demand or on a schedule to detect new users. Simultaneously, network identity is identified from important network events such as firewall network translation events, Active Directory logons, VPN logons, WLAN logons, Host Agent registration logs, etc. Finally, by combining user identity, network identity and geo-identity in a real-time, distributed in-memory database, FortiSIEM is able to form a dynamic user identity audit trail. This makes it possible to create policies or perform investigations based on user identity instead of IP addresses - allowing for rapid problem resolution.

Flexible and fast custom log parsing framework

Effective log parsing requires custom scripts, but those can be slow to execute, especially for high-volume logs such as Active Directory and firewall logs. Compiled code, on the other hand, is fast to execute but is not flexible, since every change needs a new release. Fortinet has developed an XML-based event parsing language that is functional like a high-level programming language and easy to modify, yet can be compiled at run time to be highly efficient. Using this patented solution, all FortiSIEM parsers go beyond most competitors' offerings and can parse at over 10K EPS per node.

Hybrid database architecture - leveraging structured and unstructured data feeds

FortiSIEM takes advantage of two diverse sources of information - discovered information is structured data suitable for a traditional relational database, while logs, performance metrics etc. are unstructured data which need a NoSQL-type database. Fortinet has developed a hybrid approach where the data is stored in optimized databases with unique business layer logic providing a comprehensive, single database abstraction layer. The user is able to search for events (stored in NoSQL database) using CMDB objects (stored in a relational database). This approach harnesses the power and benefits of both databases.

Large scale threat feed integration

In addition to the FortiGuard Labs Threat Intelligence service offerings, there are many sources available for customers to subscribe to external threat feeds for managing potential threats in their network. However, threat feed information can be very large, often reaching millions of IP addresses, malware domains, hashes and URLs, and the information can also quickly become stale as malware websites and domains are taken down and brought up. This presents a significant computational challenge to consumers of threat intelligence data. Fortinet has developed proprietary algorithms that enable this large amount of information to be quickly obtained from the source, then effectively distributed to the various FortiSIEM nodes and evaluated in real time at higher rates than other providers (exceeding 10K EPS per node).

Large enterprise and managed service provider ready - "multi-tenant architecture"

Fortinet has developed a highly customizable, multi-tenant architecture that enables enterprises and service providers to manage a large number of physical/logical domains and overlapping systems and networks from a single console. In this environment it is very easy to cross-correlate information across physical and logical domains and individual customer networks. Unique reports, rules and dashboards can easily be built for each, with the ability to deploy them across a wide set of reporting domains and customers. Event archiving policies can also be deployed on a per-domain or per-customer basis.

General
Device type: Security appliance
Height (rack units): 2U
Width: 43.7 cm
Depth: 64.8 cm
Height: 8.9 cm
Weight: 26.3 kg

Processor / Memory / Storage
Installed processors: Intel Xeon E5-2620V3 2.4 GHz
RAM: 32 GB DDR4 SDRAM
Hard drive: 3 TB x 12

Networking
Product form factor: Rack-mountable
Transmission technology: Wired
Data link protocol: Gigabit Ethernet
Capacity: Event logs per second: 5000
Features: VPN support, LDAP support, MAC address filtering, IP address filtering, sFlow, NetFlow, SNMP trap, SNMP support, Cisco IOS IP Service-Level Agreements (IPSLA), Network-Based Application Recognition (NBAR), real-time network analytics, cloud-scale architecture, Self Learning Asset Inventory (CMDB), MSP/MSSP Ready, Unified NOC and SOC Analytics, Dynamic User Identity Mapping, Performance Monitoring, Availability Monitoring, Notification and Incident Management, Powerful and Scalable Analytics
Authentication method: Active Directory

Expansion / Connectivity
Interfaces: 4 x 1000Base-T - RJ-45
1 x console - DB-9
2 x USB 2.0 - Type A
2 x USB 3.0 - Type A

Miscellaneous
Compliance standards: PCI DSS, HIPAA, SOX, FISMA

Power supply
Required mains voltage: AC 120/230 V (50 - 60 Hz)

Environmental parameters
Min. operating temperature: 10 °C
Max. operating temperature: 35 °C
Operating humidity: 8 - 90 % (non-condensing)