
FortiSIEM

Business Drivers
Market Trends
Trend: Device Growth Continues
More devices and newer device types are entering the network

• 33 billion endpoints projected to be connected by 2020 (Gartner)
• New device types entering the network
  » 'headless' IoT, wireless sensor nodes, beacons, wearables

Business Drivers for Better Visibility & Control

47%: suffered a material breach to network or systems
256: average days to detect an attack
81%: breaches discovered by a 3rd party

“Breaches & Attacks are Inevitable”


Impacts Go Beyond "IT"
Impacts of a Breach

• Lost Revenues
• Brand/Reputation
• Lawsuits/Fines
• Lost Customers
• Lost Suppliers
• Unproductive Workers
• Impacts on Competitive Positioning
• Impacts on Valuation
• C-Level/Board Involvement

Selling Situations

• Compliance
• Security Breach
• Incident Management
• Network Management
• Bigger FortiAnalyzer
• More…

FortiSIEM
Fortinet Security Fabric
The "NEW" Security Fabric protects the entire attack surface

[Diagram: Security Fabric components]
• Management and services: FortiManager (policy management), FortiAnalyzer (threat analytics), FortiCloud, FortiCare, SIEM integration, orchestration, applications
• Enforcement points: FortiClient, FortiAP, FortiGate, FortiWeb, FortiMail, FortiSwitch, cloud security, switching and routing, IoT
• Form factors: embedded, physical, virtual, cloud
• Foundation: FortiASIC, FortiOS, FortiGuard; users and data

Fortinet Security Fabric – Protecting from IoT to Cloud

[Diagram: FortiSIEM at the centre of the Security Fabric, fed by global intelligence (alliance partners) and local intelligence]
Fabric attributes: Scale, Awareness, Security, Actionable, Open
Fabric segments: IoT, Cloud Security, Client Security, Secure LAN Access, Secure WLAN Access, Application Security, Network Security
Fortinet Security Fabric + Operational Security with FortiSIEM

FortiSIEM
Core Platform
FortiSIEM Overview

• GA in 2008, acquired by Fortinet in 2016
• 3rd-generation SIEM
• Security, performance and compliance
• Patented unified analytics platform
• Wide range of deployments and scale
• Extensible APIs
• Virtual appliance = faster time to value

FortiSIEM Customers & Partners

[Logo slide: MSPs / SIs / VARs, technology alliance partners, customers]

FortiSIEM

Current Market – IT Network Challenges

[Diagram: a hybrid estate feeding the SIEM]
• Physical infrastructure: physical switches, physical servers
• Virtual infrastructure: virtual networks, virtual servers
• Cloud infrastructure: public, private and hybrid cloud deployments
• Mobility/BYOD
Thousands of devices and hundreds of apps generating billions of events per day and PBs of data
Important Security Use Cases

• Access Control Violations
  » Excessive logon failure
  » Anomalous logon attempt
  » Brute force logon success
  » Default password usage
  » Password scanning
  » VPN logon from outside home
  » Concurrent logon from multiple cities/countries

• Vulnerabilities
  » DNS traffic to malware domain
  » Outbound traffic to malware IP
  » Malware hash match
  » Malware found but not cleaned
  » Mail attachment/spyware found, not cleaned
  » Backdoor/rootkit/IOC found
  » Scanner found exploitable vulnerability -> external traffic
  » Malware outbreak

• Exploits
  » Excessive/anomalous DNS, email
  » DoS/DDoS attack
  » Compromised host
  » Unusual scanning activity
  » Reconnaissance -> exploit -> outbound or anomaly
  » Malformed traffic, baseline violations
  » Important service stopped
  » Traffic to bogon networks
  » Large outbound transfer
  » Excessive wireless IDS signature violations
  » Excessive distinct IPS signatures from same host

• Policy Violations
  » Blacklist user agent match
  » Traffic to Tor networks, VPN proxies
  » Inappropriate website access
  » Inbound clear-text password usage
  » Host IPS/Bit9 agent disabled
  » Log cleared, logging disabled
  » Long-lasting VPN session
  » Unapproved/blocked file execution
  » Tunneled traffic
  » Unauthorized file change
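Several of the use cases above (excessive logon failure, brute force logon success, concurrent logon from multiple countries, DNS traffic to a malware domain) are sliding-window correlations over already-normalized events. The Python below is an added example written for this page, not FortiSIEM code and not its rule syntax: it parses a constructed, simplified event format, keeps per-source and per-user windows, and emits one incident tuple per rule that fires. The log lines, the GeoIP table, the malware-domain list, the thresholds and the names `parse_event`, `correlate` and `run_sample` are all assumptions made for the example.

```python
"""Added example (not FortiSIEM code): sliding-window correlation rules over a
constructed event format. Thresholds, log format, GeoIP table and threat feed
are all hypothetical."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-ins for a GeoIP lookup and a malware-domain threat feed.
GEO = {"203.0.113.7": "US", "198.51.100.9": "DE", "192.0.2.55": "BR"}
MALWARE_DOMAINS = {"update-check.example.net"}

# Constructed, already-normalized event format:
#   "<iso-timestamp> <kind> user=<user> src=<ip> [q=<fqdn>]"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>AUTH_FAIL|AUTH_OK|DNS_QUERY) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: q=(?P<q>\S+))?$"
)


def parse_event(line):
    """Return a dict for a well-formed line, or None so callers can count parser misses."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def _expire(window_q, now, window):
    """Drop entries older than `window`; window_q holds (ts, payload) tuples in time order."""
    while window_q and now - window_q[0][0] > window:
        window_q.popleft()


def correlate(lines, fail_threshold=5, window=timedelta(minutes=5),
              geo=GEO, bad_domains=MALWARE_DOMAINS):
    """Run four rules from the use-case list; return (rule, key, ts) incidents in order."""
    incidents = []
    fails = defaultdict(deque)    # src ip -> (ts, None) for recent AUTH_FAIL
    logons = defaultdict(deque)   # user   -> (ts, country) for recent AUTH_OK
    excessive_fired = set()       # fire "excessive logon failure" once per source

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue              # a real pipeline would count this as a parser miss
        ts, src, user = ev["ts"], ev["src"], ev["user"]

        if ev["kind"] == "AUTH_FAIL":
            fails[src].append((ts, None))
            _expire(fails[src], ts, window)
            if len(fails[src]) >= fail_threshold and src not in excessive_fired:
                excessive_fired.add(src)
                incidents.append(("Excessive logon failure", src, ts))

        elif ev["kind"] == "AUTH_OK":
            # Rule: success preceded by >= threshold failures from the same source in-window.
            _expire(fails[src], ts, window)
            if len(fails[src]) >= fail_threshold:
                incidents.append(("Brute force logon success", src, ts))
                fails[src].clear()   # consumed; do not re-fire on the next success
            # Rule: same user logged on from more than one country in-window.
            logons[user].append((ts, geo.get(src, "??")))
            _expire(logons[user], ts, window)
            if len({country for _, country in logons[user]}) > 1:
                incidents.append(("Concurrent logon from multiple countries", user, ts))

        elif ev["kind"] == "DNS_QUERY":
            # Rule: query name is on the threat feed (case- and trailing-dot-insensitive).
            if ev["q"].lower().rstrip(".") in bad_domains:
                incidents.append(("DNS traffic to malware domain", src, ts))

    return incidents


# Constructed sample events (not real logs): five failures then a success from
# one source, a second logon by the same user from another country, one DNS hit.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00 AUTH_FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:10 AUTH_FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:20 AUTH_FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:30 AUTH_FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:40 AUTH_FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:50 AUTH_OK user=alice src=203.0.113.7",
    "2024-05-01T10:02:00 AUTH_OK user=alice src=198.51.100.9",
    "2024-05-01T10:03:00 DNS_QUERY user=- src=192.0.2.55 q=Update-Check.example.NET.",
    "2024-05-01T10:04:00 AUTH_OK user=bob src=192.0.2.55",
    "this line is not in the expected format and is skipped",
]


def run_sample():
    return correlate(SAMPLE_LOGS)


if __name__ == "__main__":
    for rule, key, ts in run_sample():
        print(f"{ts.isoformat()} {rule}: {key}")
```

The windows are keyed on source IP and on user name respectively, which is what makes the brute-force rule and the multi-country rule independent: the first fires on the source that produced the failures, the second on the account regardless of source. In a multi-tenant deployment where customers may reuse private address ranges (see the service-provider benefits later on this page) the source key would need to be (organization, ip) rather than the bare address.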

SIEM vs. FortiSIEM

[Diagram: Gartner SIEM criteria compared with FortiSIEM capabilities, set against the Security Fabric]
Gartner SIEM criteria: Log Management, Real-Time Monitoring, Threat Intelligence, Application Log Analysis, Behavior Profiling, Data & User Monitoring, Deployment/Support Simplicity
FortiSIEM: Single Pane of Glass; Only NOC & SOC Analytics; Infrastructure; Rapid & Flexible Integrations; Multi-Tenant Architecture; Rapid Scale Architecture; Real-Time Asset/Configuration Discovery; Real-Time Analytics (patented); Threat Intelligence; Partner Integrations
Security Fabric segments: Secure Devices, Policy, Sandboxing, Secure WLAN Access, Network Security, Secure LAN Access, Secure Cloud, Email Security, Web Security

FortiSIEM Key Differentiators

• Only NOC & SOC solution in a "Single Pane of Glass"
  Holistic view of events across the entire organization
• Real-Time Correlation of Security & Network Threats
  Rapid identification, triage and future prevention
• Powerful Automated Device Discovery Engine
  Self-learning, real-time CMDB
• Built-in Content – Ready to Go!
  600+ correlation rules, 2000+ reports, 200+ log parsing templates, 150K normalized event types
• Multi-Tenant Architecture
  Segment network views into physical and logical dashboards

© 2016 AccelOps

Compliance Reporting Built-in

• Hundreds of Pre-Built Reports
• Compliance Reports
  » PCI, HIPAA, FERPA, FISMA
  » SOX, NERC, COBIT, ITIL
  » ISO, GLBA, GPG13
  » SANS Critical Controls
• 2,000+ Customizable Fields

Windows Agent
Key features

• File Integrity Monitoring (FIM)
• Registry monitoring
• Windows Event Logs and log file monitoring
• High event rate handling
• USB activity detection
• Multiple monitoring templates
• Usability – template assignment in fewer clicks
• Monitored file and directory exclusions
• Multiple PowerShell and WMI queries per template
• Monitor any log in the Windows Event Log tree

Rapid Flexible Integrations
Context from Hundreds of Sources

• Antivirus
• Cloud Services
• Databases
• Directories
• DNS/DHCP Servers
• Email
• Environmentals – HVAC
• External Monitoring
• File Monitoring
• Firewalls
• Hardware Monitoring
• Host OS
• Internet Security Gateways
• IPS/IDS
• Load Balancers
• Network Flow
• Remote Desktop
• Routers/Switches
• Servers
  » App Servers
  » Authentication Servers
  » Blade Servers
  » Terminal Servers
  » VoIP Servers
  » Web Servers
• Storage
• Synthetic Transaction Monitoring
• Unified Threat Management (UTM)
• Virtualization
• VPN Gateways
• Vulnerability Scanners
• WAN Accelerators
• Wireless

Rapid & Flexible Integrations – Cont'd

External Threat Intelligence
• Malware domain, IP, file hash, user agent, URL
• Real-time/historical query
• Out-of-the-box support

Ticketing/Workflow/CMDB Integration
• 2-way integration
• Configurable parameter translation
• API/GUI-based integration
• ServiceNow, ConnectWise, Remedy

Cloud App Integration
• Okta – SSO
• Kafka – big data
• Box – document sharing
• Salesforce – CRM activity

FortiSIEM

Holistic Threat Intelligence

[Diagram: FortiSIEM collecting from Fortinet devices, non-Fortinet devices and cloud, integrated by API with FNDN, FortiView, FortiManager, FortiCloud, FortiAnalyzer and sandbox]
Layers shown: configuration, policy & visualization; performance, compliance & security analytics; security operations

Deployment Scenarios
Inputs to FortiSIEM

• Syslog
• SNMP
• WMI for Windows
• JDBC
• HTTP/HTTPS
• TCP/UDP
• TLS
• Windows Agents – Basic and Advanced
• NetFlow/sFlow
• Active Directory/LDAP
• Geolocation


FortiSIEM Architecture
(SMB Deployment)

[Diagram: remote/segregated networks (public, private or hybrid) of firewalls, routers, storage, servers and apps report to Collectors; Collectors forward to the Supervisor over TCP 443 (HTTPS); the Supervisor runs on a hypervisor with event storage on a local virtual disk]

FortiSIEM Service Provider
Architecture Benefits

• All customers go into the same solution and deployment.
• Customers can have duplicate/overlapping IP addresses between each other.
• Data is segregated by organization.
• Rules and reports can be deployed to one, multiple or all customers.
• The MSP can cross-correlate data across all organizations.
• The MSP can view one or all organizations from a single dashboard.
• Role-based access limits the visibility, features and functionality available to admins or customers.

FortiSIEM Architecture
(Enterprise/MSP)

[Diagram: Customers X, Y and Z, each with firewalls, routers, storage, servers and apps reporting to a per-customer Collector; Collectors forward over TCP 443 (HTTPS) to the FortiSIEM cluster (Supervisor plus Worker 1 to Worker N on a hypervisor) backed by NFS "big data" event storage; public, private or hybrid deployments]

Competitive Landscape
Competitive Analysis

[Table: competitor, competitive positioning, notable customer wins; the competitor names and customer wins did not survive extraction, only the positioning text, grouped per competitor below]

• 12 diverse open-source products; low control over product destiny
• Lacks deep analytics capabilities that unite multiple sources of intelligence

• Database scalability limited due to Oracle database stack, plus the fact that a separate log management appliance is required
• Extremely expensive to buy and maintain

• Scalability – unable to handle high log volume
• Clunky hierarchical log collection architecture – cannot analyze all logs from one place
• Windows appliance – not cloud ready

• Low-end standalone SIEM product offering built through acquisition
• Purchase of many add-on products required for the same level of functionality

• Blank canvas – on your own or professional services
• No true real-time analytics – must index first
• Expensive – pay for storage over time

© Copyright 2015 AccelOps, Inc. All rights reserved.
Licensing and Sizing
Licensing

• Key areas to determine license size
  » Number of devices being monitored
    • Core datacenter
    • End-points/IoT at reduced cost
  » 10 EPS per device, or add EPS to reach the total EPS required
  » Windows Agents (SIEM) – Basic and Advanced
  » IOC (Indicator of Compromise) threat feed
  » License type
    • Service Provider (SP) multi-tenant version, or
    • Enterprise virtual appliance version


Sizing Guide

Supervisor
  Hardware: 24 GB RAM, 8 CPU, 200 GB disk
  Rate: >10K events per second (EPS), flow or syslog; ~100 Windows devices agentless; ~300 devices via SNMP

Worker
  Hardware: 16 GB RAM, 8 CPU, 200 GB disk
  Rate: >10K EPS, flow or syslog; ~100 Windows devices agentless; ~300 devices via SNMP

Collector
  Hardware: 8 GB RAM, 4 CPU, 40 GB disk
  Rate: >10K EPS, flow or syslog; ~100 Windows devices agentless; ~300 devices via SNMP

Windows Agent Manager
  Requirements: Windows 2008 or later, SQL Express, .NET 4.5, PowerShell 2.0, IIS; 4 GB RAM, 10 GB free disk, dual core
  Rate: ~500 agents per manager, ~5K EPS

Windows Agent
  Requirements: Windows XP SP3 or later; 1 GB memory on XP, 2 GB or more on Vista and above; 10 GB disk
  Rate: ~500 EPS

Event storage is not included in the disk requirements above. 750 EPS = 1.5 TB/year. 100 PAM = 100 GB/year.

Making Visibility & Control Easy – Today & Into the Future

[Diagram: FortiSIEM capabilities set against the Security Fabric]
1. Real-Time Analytics
2. Asset/Config Discovery (CMDB)
3. Rapid Scale-Out Architecture
4. Multi-Tenant Architecture
5. Rapid Integrations
6. SOC/NOC Analytics
7. Single Pane of Glass
Security Fabric segments shown: Secure Devices, Policy, Sandboxing, Secure WLAN Access, Network, Secure LAN Access, Secure Cloud, Email Security, Web Security

