FortiSIEM Overview

I have been working with Security Information and Event Management (SIEM) systems since I started at Ariadnex 9 years ago, where I've been deploying virtual SIEMs and I've come to understand the importance of event correlation. I worked with USM and OSSIM before AlienVault moved to the USA. It was a Spanish company. I also worked with ArcSight before it was merged into Micro Focus. It was an HP solution. In addition, I've attended some webinars about LogRhythm. However, today I'm going to write about another SIEM solution. It is called FortiSIEM.

FortiSIEM Dashboard
The first time I heard about FortiSIEM was in 2016, when Fortinet acquired AccelOps, an IT security, monitoring and analytics software vendor. AccelOps had already taken over the Cisco Security Monitoring, Analysis, and Response System (MARS) product line in 2007, and Cisco Systems had bought its founding company, Protego Networks, in 2004. This means the FortiSIEM software carries more than 16 years of expertise in security information and event management. It was at FortiXpert 2016 that I got to know this product for the first time.

FortiSIEM History
FortiSIEM has several components, which can be bought as an All-in-One appliance or deployed as a distributed architecture. In addition, each component can be deployed as a Virtual Appliance or as a Hardware Appliance. Mainly, there are four components. Collectors are the probes that receive events from devices; there is usually one Collector per datacenter, customer or remote office. Workers are the processes that perform event correlation, and we can install as many as we need. The Supervisor is the single pane of glass for NOC and SOC analytics and log management. Windows Agents and the Windows Agent Manager are installed on Windows operating systems for maximum visibility: they collect system, application and security event logs, perform file integrity monitoring, detect registry changes, etc. Therefore, we'll have four components working together for rapid detection and remediation of security events.

FortiSIEM Architecture
One of the features I really like in FortiSIEM is Business Services, which lets us view metrics and alerts from a business service perspective. A business service is a smart container of the devices and applications that serve one business purpose. Once it is defined, all monitoring and analysis can be presented from that business service's perspective. Therefore, it is possible to track service-level metrics, respond to incidents on a prioritized basis, record business impact, and provide business intelligence on IT best practices, compliance reporting and IT service improvement.

Dashboard of a Business Service
If we want to deploy a FortiSIEM monitoring solution, we have to take into account how many devices we are going to monitor and how many events per second (EPS) those devices will send to FortiSIEM, because it is licensed by devices and by EPS. We also need to know how many datacenters or remote offices we are going to monitor, because we'll install a Collector for each remote network. In addition, we have to know whether we are going to install Windows Advanced Agents to gather endpoint information, because each device with an Advanced Agent consumes two device licenses: one for the device and another for the Advanced Agent.
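Before asking for a quote it helps to measure the two licensed quantities, devices and EPS, from logs you already have. The following script is an added example, not FortiSIEM code and not part of the original post: it parses a constructed sample of RFC 3164-style syslog lines, derives the average and peak EPS and the number of distinct source devices, and applies the licensing rule stated above (one device license per device, plus a second one for every host running a Windows Advanced Agent). The hostnames, the sample lines and the `advanced_agent_hosts` parameter are assumptions made for the example.

```python
"""Estimate FortiSIEM sizing inputs (device count, EPS, agent double-counting)
from a syslog sample.

Added example, not FortiSIEM code. Assumptions: each line starts with an
RFC 3164 timestamp followed by the source hostname, and the license rules are
the ones described in the post (per device and per EPS, with a Windows
Advanced Agent costing a second device license). Sample lines are constructed.
"""

import re
from collections import Counter
from datetime import datetime

# Constructed sample: three devices (a firewall, a switch and a Windows DC)
# logging over a four-second window.
SAMPLE_LOGS = """\
Mar 14 10:00:00 fw-dc1 kernel: accept tcp 10.0.0.5:51234 -> 203.0.113.7:443
Mar 14 10:00:00 fw-dc1 kernel: drop tcp 10.0.0.9:40001 -> 198.51.100.3:22
Mar 14 10:00:00 sw-core1 link: port 12 up
Mar 14 10:00:01 fw-dc1 kernel: accept udp 10.0.0.5:53 -> 10.0.0.2:53
Mar 14 10:00:01 win-ad01 Security: logon type 3 user=alice
Mar 14 10:00:01 win-ad01 Security: logon type 3 user=bob
Mar 14 10:00:01 win-ad01 Security: logoff user=alice
Mar 14 10:00:03 sw-core1 link: port 12 down
Mar 14 10:00:03 fw-dc1 kernel: drop icmp 192.0.2.1 -> 10.0.0.1
"""

# RFC 3164 header: "Mmm dd hh:mm:ss hostname ..." (day may be space-padded).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)


def parse(lines, year=2024):
    """Return a list of (timestamp, hostname) for every well-formed line.

    RFC 3164 timestamps carry no year, so one is supplied (assumption)."""
    events = []
    for line in lines.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not syslog-shaped: ignore rather than miscount it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"]))
    return events


def eps_profile(events):
    """Average EPS over the observed window and the busiest single second.

    The peak is what matters for sizing: a license sized on the average
    will drop or queue events during bursts."""
    if not events:
        return {"avg_eps": 0.0, "peak_eps": 0}
    per_second = Counter(ts for ts, _ in events)
    first, last = min(per_second), max(per_second)
    span = int((last - first).total_seconds()) + 1  # inclusive window, in seconds
    return {"avg_eps": len(events) / span, "peak_eps": max(per_second.values())}


def device_licenses(events, advanced_agent_hosts):
    """Count distinct reporting devices and the device licenses they consume.

    Every device costs one license; a host that also runs a Windows Advanced
    Agent costs a second one, as the post describes."""
    hosts = {host for _, host in events}
    agent_hosts = hosts & set(advanced_agent_hosts)
    return {"devices": len(hosts), "licenses": len(hosts) + len(agent_hosts)}


def sizing_summary(lines, advanced_agent_hosts=()):
    """One call that produces the figures a FortiSIEM quote is based on."""
    events = parse(lines)
    return {**eps_profile(events), **device_licenses(events, advanced_agent_hosts)}


if __name__ == "__main__":
    # win-ad01 is assumed to get an Advanced Agent, so it counts twice.
    print(sizing_summary(SAMPLE_LOGS, advanced_agent_hosts=["win-ad01"]))
```

Run it against a day or a week of real syslog rather than this tiny sample; the peak-second figure is the one to license for, with headroom, and the device set tells you how many licenses the Advanced Agents will add on top of the hosts themselves.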

Windows Agents

From my point of view, FortiSIEM is another SIEM solution, like AlienVault, ArcSight or LogRhythm, and all of them are complex to install, configure and manage because they have to be integrated with many systems in order to receive events. What's more, security engineers have to know how to define security policies properly to take advantage of these monitoring solutions.

Are you willing to manage a Security Information and Event Management solution? Let me know!!