FortiSIEM Overview
I have been working with Security Information and Event Management (SIEM) systems since I started at Ariadnex 9 years ago, where I've been deploying virtual SIEMs and have come to understand the importance of event correlation. I've worked with USM and OSSIM before AlienVault moved to the US; it was a Spanish company. I've also worked with ArcSight before it was merged with Micro Focus; it was an HP solution. In addition, I've attended some webinars about LogRhythm. However, today I'm going to write about another SIEM solution, called FortiSIEM.
[Figure: FortiSIEM Dashboard]
The first time I heard about FortiSIEM was in 2016, when Fortinet acquired AccelOps, an IT security, monitoring and analytics software vendor. However, AccelOps had already bought Cisco Security Monitoring, Analysis, and Response System (MARS) in 2007, and Cisco Systems had bought the founding company, Protego Networks, in 2004. This means the FortiSIEM software carries more than 16 years of expertise in security information and event management. Thanks to FortiXpert 2016, I got to know this product for the first time.
[Figure: FortiSIEM History]
FortiSIEM has several components, which can be bought as an all-in-one appliance or as a distributed architecture. In addition, it can be deployed as a virtual appliance or as a hardware appliance. There are mainly four components. Collectors are the probes that receive events from devices; there is usually one Collector per datacenter, customer or remote office. Workers are the processes that perform event correlation, and we can install as many as we need. The Supervisor is the single pane of glass for NOC and SOC analytics and log management. Windows Agents and Managers are installed on Windows operating systems for maximum visibility, collecting system, application and security event logs, file integrity monitoring, registry change detection, etc. Therefore, we'll have four components for rapid detection and remediation of security events.
[Figure: FortiSIEM Architecture]
One of the features of FortiSIEM I really like is Business Services, which lets us view metrics and alerts from a business-service perspective. A business service is a smart container of the relevant devices and applications that serve a business purpose. Once it is defined, all monitoring and analysis can be presented from that business-service perspective. Therefore, it is possible to track service-level metrics, respond efficiently to incidents on a prioritized basis, record business impact, and provide business intelligence on IT best practices, compliance reporting and IT service improvement.
[Figure: Dashboard of a Business Service]
If we want to deploy a FortiSIEM monitoring solution, we have to take into account how many devices we are going to monitor and how many events per second (EPS) these devices are going to send to FortiSIEM, because it is licensed by devices and EPS. We also need to know how many datacenters or remote offices we are going to monitor, because we'll install a Collector for each remote network. In addition, we have to know whether we are going to install Windows Advanced Agents to gather endpoint information, because each device with an advanced agent consumes two device licenses: one for the device and another for the advanced agent.
[Figure: Windows Agents]
From my point of view, FortiSIEM is another SIEM solution like AlienVault, ArcSight or LogRhythm: all of them are complex to install, configure and manage, because they have to be integrated with many systems to receive events. What's more, security engineers have to know how to define security policies properly to take advantage of these monitoring solutions.