FortiSIEM Overview

I work with Security Information and Event Management (SIEM) systems since I started at Ariadnex 9 years ago where I’ve been deploying virtual SIEM and I’ve understood the importance of event correlation. I’ve worked with USM and OSSIM before Alienvault moved to the EEUU. It was a spanish company. I’ve also worked with ArcSight before it was merged with Micro Focus. It was an HP solution. In addition, I’ve attended to some webinar about LogRhythm. However, I’m going to write about another SIEM solution today. It is called FortiSIEM.

FortiSIEM Dashboard

 

The first time I heard about FortiSIEM was in 2016 when Fortinet acquired AccelOps, which was an IT security, monitoring and analytics software vendor. However, AccelOps had already bought Cisco Security Monitoring, Analysis, and Response System (MARS) in 2007, and Cisco Systems bought the founding company Protego Networks in 2004. This means FortiSIEM software has more than 16 years of expertise in the security information and event management. Thanks to FortiXpert 2016, I could know about this product for the first time.

FortiSIEM History

 

FortiSIEM has several components, which can be bought as an All-in-one appliance or as a distributed architecture. In addition, it can be deployed as a Virtual Appliance or Hardware Appliance. Mainly, there are four components. Collectors are the probes which receive events from devices and there is usually one Collector for each datacenter, customer or remote office. Workers are the processes for event correlation and we can install as many as we need. Supervisor is a single pane of glass for NOC & SOC analytics and log management. Windows Agents and Managers are installed into Windows Operating Systems for maximum visibility to collect system, application and security event logs, file integrity monitoring, registry change detection, etc. Therefore, we’ll have four components for rapid detection and remediation of security events.

FortiSIEM Architecture

 

One of the features I really like of FortiSIEM is Business Services which let us view metrics and alerts from a business service perspective. A business service is a smart container of relevant devices and applications serving a business purpose. Once defined, all monitoring and analysis can be presented from a business service perspective. Therefore, it is possible to track service level metrics, efficiently respond to incidents on a prioritized basis, record business impact, and provide business intelligence on IT best practices, compliance reporting, and IT service improvement.

Dashboard of a Business Service

 

If we want to deploy a FortiSIEM monitoring solution, we have to take into account how many devices we are going to monitor and how many events per second (eps) these devices are going to send to FortiSIEM because it’s licensed by devices and eps. We also need to know how many datacenters or remote offices we are going to monitor because we’ll install a collector for each remote network. In addition, we have to know if we are going to install Windows Advanced Agents to gather endpoint information because each device with advanced agent consumes two device licenses. One for the device and another for the advanced agent.

Windows Agents

From my point of view, FortiSIEM is another SIEM solution like Alienvault, ArcSight or LogRhythm which are complex to install, configure and manage because they have to be integrated with many systems to receive events. What’s more, security engineers have to know how to define security policies properly to take advantage of these monitoring solutions.

Are you willing to manage a Security Information and Event Management solution? Let me know!!

Working with SDN ecosystems

Networks were easy to understand when IT engineers worked with physical servers with physical network interfaces and unique IP addresses. This was easy to understand and configure. We saw it and we touched it. However, there are increasingly applications and servers, which are hosted in virtual platforms or into the Cloud, where these applications and servers are available from anywhere at any time, and they have virtual network interfaces with virtual IP addresses. This is difficult to understand for those who have always been working with physical infrastructures. However, applications and servers are no longer physical. If we want to take advantage of new technology, we should learn, understand and study how this new virtual world works.

Lately, I’ve been writing about Public Clouds, such as AWS Cloud or Microsoft Azure, where everything is virtual and we even don’t know exactly where our applications are hosted. However, if we create our virtual Data Center or deploy a Private Cloud, we can use Software-Defined Networking (SDN) and Security solutions, such as VMware vCloud Networking and Security (vCNS), which are useful for creating virtualized networks as well as protecting our applications. For instance, these solutions, based on SDN, help us to deploy virtual firewalls and load balancers into our own platform.

Software-Defined Networking and Security

 

VMware NSX is the next generation of vCNS and it’s more than a Software-Defined Networking (SDN) and Security solution but it’s a Software-Defined Data Center (SDDC) solution which help us to create virtual distributed firewalls and load balancers as well as enabling micro-segmentation or configuring VxLAN. This is a solution to build network architectures in software which also enhances security into the virtual ecosystem. Nothing about physical network interfaces and nothing about hardware appliances. Everything is virtual and everything is software.

Software-Defined Data Center (SDDC)

 

One of the greatest change in this new virtual world is, from my point of view, firewalling. Today, there are security engineers who still think about the traditional firewall model, which allows or denies traffic into the perimeter network. However, you have to throw away your firewalls because this is not enough, and applications should also be protected from inside the datacenter. For instance, Amazon Security Groups and VMware NSX help us to configure firewall rules for each virtual machine, protecting applications from inside the datacenter.

Intuitive Firewall Rules with VMware NSX

Once we choose to deploy Software-Defined Networks (SDN), it seems more difficult to deploy security platforms such as IDS/IPS systems but it’s not impossible. Most virtual and cloud platforms have also networking and security features for log analysis and traffic analysis, which are useful for troubleshooting as well as for integrating with IDS/IPS virtual appliances. Thanks to port-mirroring features into virtual switches, we can keep analysing traffic of virtual machines.

VMware Port-Mirroring

 

I think, Software-Defined Networks (SDN) are just the beginning. We’ll increasingly see Software-Defined Data Center (SDDC) where we’ll enable micro-segmentation and workflows for virtual machines and we’ll forget buying lots of hardware servers.

This is the new ecosystem. The virtual ecosystem. Are you ready?

Amazon CloudFront

There are companies who would like to deliver their information such as web pages, video, documents, audio, etc to the greatest number of user as possible into a high resilience architecture thus content delivery networks are increasingly important for these companies. Today, thanks to cloud service providers and content delivery networks, users can watch streaming videos or listen live music easily and without disruptions from anywhere and, meanwhile, companies can pay as they go to the cloud where cloud providers charge based on usage.

A Content Delivery Network or CDN is a network of computers hosted in different regions around the world which store a copy of data that can be delivered to users based mainly on proximity. For instance, if we were a spanish company who deliver video in EMEA and LATAM, we could upload our video to the CDN to be delivered quickly to end users based on geography. We shouldn’t confuse CDN with Global Server Load Balancing (GSLB) because GSLB provides load balancing between data centers thus load balancing our services, while CDN is based on GSLB architecture.

AWS Regions

There are many companies who offer CDN services like Amazon, Akamai or Cloudflare. All of them have data centers available on five continents to deliver content quickly. For instance, Amazon has more than 11 data centers where we can create our virtual Data Center with AWS Elastic Load Balancing for high availability, we can protect our services with AWS Shield & AWS WAF, and we can also accelerate our web applications with Amazon CloudFront. On the other hand, Cloudflare is well known by his powerful network which is able to reach high throughputs and protect our services against DDoS attacks. However, Akamai has always been, from my point of view, a content delivery provider.

High Availability and Scalability Architecture

Amazon CloudFront is a global content delivery network integrated with AWS services which help us to deliver highly available and scalable applications with high performance and it’s also able to secure content at the edge. In addition, it’s cost effective because we pay only for the data transfer and requests used to deliver content to our customers. Amazon CloudFront is easy to use and deploy from AWS Management Console, where we have to choose the viewer protocol policy and allowed HTTP methods as well as caching and encryption configuration. What’s more, distribution settings like price class, security protection and HTTP/2 support can be chosen as well as logging and IPv6 compatibility.

Amazon CloudFront Distribution Settings

As IT engineers, when we have to design high available, scalable and reliable architectures, we have to take into account many things. First, we have to design our services thinking about failures thus we should design avoiding single point of failures. Multiple servers with a load balancer help us to meet this requirement. Second, one data center may not be enough thus we’ll need multiple data centers balanced with GSLB in different regions and databases should also be replicated and synchronized. Finally, monitoring is a must for dynamic scalability. Many requests, more servers. Few requests, less servers. On the other hand, we can use content delivery network services like Amazon CloudFront, Akamai or Cloudflare to deliver our web pages, video or audio easily without thinking about networking or load balancing.

What are you thinking about? Are your services highly scalable and available?

AWS Shield & AWS WAF

I’ve already written about AWS Key Management Service and AWS Security Best Practices as well as how to create your virtual Data Center into AWS Cloud with firewalls, load balancers, WAF, etc. I’ve also written about Web Application Vulnerabilities and Web Application Firewall (WAF). Therefore, I want to write today about AWS WAF & AWS Shield, which are useful to protect our Web Services and WebSockets.

There are increasingly types of threats. They are increasingly sophisticated. They are increasingly difficult to detect with traditional security tools like network layer firewalls. Instead, we should deploy and install advanced security tools like SIEM and WAF to detect and protect our services of DDoS Attacks, application attacks and bad bots like HTTP floods attacks, Amplification DDoS Attacks, Social Engineering Attacks, application exploits, crawlers, Web Scraping Attacks, etc. Most of them are advanced attacks difficult to detect by traditional firewalls.

Types of Threats

 

AWS Shield is useful if we’re hosting services into AWS Cloud and we want DDoS protection without infrastructure changes. In addition, AWS Shield also minimizes impact on application latency and we can customize protections for our applications as well. There are two types of AWS Shield into AWS Cloud. The Standard Protection which is available to all AWS customers at no additional cost for protecting our services from most common attacks like SYN/UDP floods, reflection attacks, etc. The Advanced Protection where we pay for additional protections, features and benefits like protecting against large DDoS attacks as well as cost protection to absorb DDoS scaling cost. Therefore, if we want DDoS protection for our applications, we should read, study and test AWS Shield to know which one suit into our requirements.

AWS Shield Dashboard

 

I’ve already written about Web Application Firewalls (WAF), and AWS WAF is one of them where we can filter web traffic with custom rules, we can block malicious requests and we can also monitor and tune our web applications. AWS WAF is able to block HTTP floods attacks, SQLi attacks, XSS attacks, scanners and probes, bots and scrapers, brute force attacks as well as it’s able to check against IP reputation lists, blacklists and whitelists. In addition, we can configure AWS WAF to import rulesets of commercial signatures to detect general and known exploits.

Fortinet Managed Rules for AWS WAF - General and Known Exploits

 

We can configure AWS WAF easily and automatically thanks to AWS CloudFormation Templates. On the other hand, If we can also configure AWS WAF manually. Conditions like XSS, SQLi or IPs addresses are assigned to rules, then rules are applied to Web ACLs to protect our web applications. AWS WAF can protect web applications deployed with AWS CloudFront as well as deployed with AWS ELB. It’s important to highlight we’ll pay for rules and Web ACLs created into the AWS WAF.

Common Attack Protection SQLi Rule for AWS WAF

 

It’s up to you what you need and how much you can afford. AWS Shield with Advanced Protection along with AWS WAF with Managed Rules through AWS CloudFront is one of the best security solution but, maybe, it’s too expensive and too much protection for your web applications. This is the real cloud, we’ll pay as we go.

Regards my friends.