Today's digital business is increasingly driven on IoT, cloud services and more to stay closer to customers than ever. This reliance makes uptime critical to growth and profitability. As such, an end user doesn't care if their application service problems are performance or security-related.
Unified NOC and SOC analytics
Fortinet has developed an architecture that enables unified data collection and analytics from diverse information sources including logs, performance metrics, SNMP Traps, security alerts and configuration changes. FortiSIEM essentially takes the analytics traditionally monitored in separate silos from - SOC and NOC - and brings that data together for a more holistic view of the security and availability of the business. Every piece of information is converted into an event which is first parsed and then fed into an event-based analytics engine for monitoring real-time searches, rules, dashboards and ad-hoc queries.
Distributed real-time event correlation
Distributed event correlation is a difficult problem, as multiple nodes have to share their partial states in real time to trigger a rule. While many SIEM vendors have distributed data collection and distributed search capabilities, Fortinet is the only vendor with a distributed real-time event correlation engine. Complex event patterns can be detected in real time. This patented algorithm enables FortiSIEM to handle a large number of rules in real time at high event rates for accelerated detection timeframes.
Real-Time, Automated Infrastructure Discovery and Application Discovery Engine (CMDB)
Rapid problem resolution requires infrastructure context. Most log analysis and SIEM vendors require administrators to provide the context manually, which quickly becomes stale, and is highly prone to human error. Fortinet has developed an intelligent infrastructure and application discovery engine that is able to discover and map the topology of both physical and virtual infrastructure, on-premises and in public/private clouds, simply using credentials without any prior knowledge of what the devices or applications are. An up-to-date CMDB (Centralized Management Database) enables sophisticated context aware event analytics using CMDB Objects in search conditions.
Dynamic user identity mapping
Crucial context for log analysis is connecting network identity (IP address, MAC Address) to user identity (log name, full name, organization role). This information is constantly changing as users obtain new addresses via DHCP or VPN. Fortinet has developed a dynamic user identity mapping methodology. Users and their roles are discovered from on-premises or Cloud SSO repositories. Network identity is identified from important network events. Then geo-identity is added to form a dynamic user identity audit trail. This makes it possible to create policies or perform investigations based on user identity instead of IP addresses - allowing for rapid problem resolution.
Flexible and fast custom log parsing framework
Effective log parsing requires custom scripts but those can be slow to execute, especially for high volume logs like Active Directory, firewall logs, etc. Compiled code on the other hand, is fast to execute but is not flexible since it needs new software releases. Fortinet has developed an XML-based event parsing language that is functional like high level programming languages and easy to modify yet can be compiled during run-time to be highly efficient. All FortiSIEM parsers go beyond most competitors' offerings using this patented solution and can be parsed at beyond 10K EPS per node.
Business services dashboard - transforms system to service views
Traditionally, SIEMS monitor individual components - servers, applications, databases and so forth - but what most organizations really care about is the services those systems power. FortiSIEM now offers the ability to associate individual components with the end user experience that they deliver together providing a powerful view into the true availability of the business.
