FortiSIEM (AccelOps opportunity) · 2018-02-03 · Powerful Automated Device Discovery Engine, Self-Learning, Real-Time CMDB, Built-in Content – Ready to Go! 600+ Correlation Rules

Post on 29-May-2020

Page 1: FortiSIEM

Page 2: Business Drivers

Market Trends

Page 3: Trend: Device Growth Continues

More devices and newer device types are entering the network.

» 33 Billion endpoints projected to be connected by 2020 – Gartner
» New device types entering the network: ‘headless’ IoT, wireless sensor nodes, beacons, wearables

Page 4: Business Drivers for Better Visibility & Control

» 47% suffered a material breach to network or systems
» 256 average days to detect an attack
» 81% of breaches discovered by a 3rd party

“Breaches & Attacks are Inevitable”


Page 6: Impacts Go Beyond “IT” – Impacts of a Breach

» Lost Revenues
» Brand/Reputation
» Lawsuits/Fines
» Lost Customers
» Lost Suppliers
» Unproductive Workers
» Impacts on Competitive Positioning
» Impacts on Valuation
» C-Level/Board Involvement

Page 7: Selling Situations

» Compliance
» Security Breach
» Incident Management
» Network Management
» Bigger FortiAnalyzer
» More…

Page 8: FortiSIEM – Fortinet Security Fabric

Page 9: The “NEW” Security Fabric

[Diagram: FortiAP, FortiSwitch, FortiGate, FortiWeb, FortiMail, FortiClient, Cloud Security; Users, Data, IoT, Applications; Switching and Routing; Policy Management, Threat Analytics, SIEM Integration; FortiCare; Orchestration – FortiManager, FortiAnalyzer, FortiCloud. Protects the Entire Attack Surface: FortiGuard, FortiASIC, FortiOS – Embedded, Physical, Virtual, Cloud.]

Page 10: Fortinet Security Fabric – Protecting from IoT to Cloud

[Diagram: Scale, Awareness, Security, Actionable, Open. Client Security, Network Security, Application Security, Cloud Security, Secure WLAN Access, Secure LAN Access, Alliance Partners, IoT. Global Intelligence, Local Intelligence. Fortinet Security Fabric + Operational with FortiSIEM.]

Page 11: FortiSIEM – Core Platform

Page 12: FortiSIEM Overview

» GAed in 2008, acquired 2016
» 3rd Generation SIEM
» Patented Unified Analytics Platform
» Extensible APIs
» Security, Performance & Compliance
» Wide range of deployments and scale
» Virtual Appliance = Faster Time to Value

Page 13: FortiSIEM Customers & Partners

[Logo slide: Technology Alliance Partners; MSPs / SIs / VARs; Customers]

Page 14: Current Market – IT Network Challenges

[Diagram: Virtual Networks, Virtual Infrastructure, Cloud Infrastructure, Physical Infrastructure, Physical Switches, Virtual Servers, Physical Servers, Public Cloud, Private Cloud, Hybrid Cloud, Mobility/BYOD]

» Thousands of Devices, Hundreds of Apps Deployed
» Generating Billions of Events per day and PBs of Data

Page 15: Important Security Use Cases

Access Control Violations
» Excessive logon failure
» Anomalous logon attempt
» Brute force logon success
» Default password usage
» Password scanning
» VPN logon from outside home
» Concurrent logon from multiple cities/countries

Exploits
» Excessive/Anomalous DNS, Email
» DoS/DDoS attack
» Compromised host
» Unusual scanning activity
» Reconnaissance -> Exploit -> Outbound or Anomaly
» Malformed traffic, Baseline violations
» Important service stopped
» Traffic to Bogon networks
» Excessive Wireless IDS signature violations
» Excessive distinct IPS signatures from same host

Vulnerabilities
» DNS traffic to malware domain
» Outbound traffic to malware IP
» Malware hash match
» Malware found but not cleaned
» Mail attachment/Spyware found not cleaned
» Backdoor/Rootkit/IOC found
» Scanner found exploitable vulnerability -> external traffic
» Malware outbreak

Policy Violations
» Blacklist user agent match
» Traffic to Tor networks, VPN proxies
» Inappropriate website access
» Inbound clear password usage
» Blocked file execution
» Host IPS/Bit9 Agent disabled
» Log cleared, Logging disabled
» Long lasting VPN session
» Unapproved/Blocked file execution
» Tunneled traffic
» Large Outbound Transfer
» Unauthorized file change
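Three of the access-control use cases above (excessive logon failure, brute force logon success, concurrent logon from multiple countries) are windowed correlations over normalized logon events. The block below is an added illustration written for this page, not FortiSIEM's rule engine or schema; the event fields, the five-failure threshold and the five-minute window are assumptions, and the events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

FAIL_THRESHOLD = 5    # assumed: logon failures per source IP that count as "excessive"
WINDOW_SECONDS = 300  # assumed: sliding correlation window of 5 minutes

@dataclass
class Event:
    """One normalized logon event (field set is an assumption, not FortiSIEM's schema)."""
    ts: int        # epoch seconds
    src_ip: str
    user: str
    outcome: str   # "failure" or "success"
    country: str   # geolocation of src_ip, as a Geolocation input would enrich it

# Constructed sample events: a password-guessing run that ends in a success,
# one user logging on from two countries within minutes, and a benign typo.
SAMPLE_EVENTS = [
    Event(1000, "203.0.113.7", "alice", "failure", "US"),
    Event(1030, "203.0.113.7", "alice", "failure", "US"),
    Event(1060, "203.0.113.7", "alice", "failure", "US"),
    Event(1090, "203.0.113.7", "alice", "failure", "US"),
    Event(1120, "203.0.113.7", "alice", "failure", "US"),
    Event(1150, "203.0.113.7", "alice", "success", "US"),
    Event(2000, "198.51.100.9", "bob", "success", "US"),
    Event(2100, "198.51.100.20", "bob", "success", "DE"),
    Event(3000, "192.0.2.5", "carol", "failure", "US"),
    Event(3100, "192.0.2.5", "carol", "success", "US"),
]

def correlate(events):
    """Return (rule, src_ip, user, ts) incidents, evaluating events in time order."""
    failures = defaultdict(list)   # src_ip -> failure timestamps inside the window
    logons = defaultdict(list)     # user -> (ts, country) of successful logons
    fired = set()                  # src_ips already reported for excessive failures
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        # Drop failures from this source that have aged out of the window.
        recent_fail = [t for t in failures[ev.src_ip] if ev.ts - t <= WINDOW_SECONDS]
        if ev.outcome == "failure":
            recent_fail.append(ev.ts)
            if len(recent_fail) >= FAIL_THRESHOLD and ev.src_ip not in fired:
                incidents.append(("Excessive logon failure", ev.src_ip, ev.user, ev.ts))
                fired.add(ev.src_ip)
        else:
            # A success right after a burst of failures is the brute-force-success pattern.
            if len(recent_fail) >= FAIL_THRESHOLD:
                incidents.append(("Brute force logon success", ev.src_ip, ev.user, ev.ts))
            # Same account already active from a different country inside the window.
            if any(ev.ts - t <= WINDOW_SECONDS and c != ev.country for t, c in logons[ev.user]):
                incidents.append(("Concurrent logon from multiple countries", ev.src_ip, ev.user, ev.ts))
            logons[ev.user].append((ev.ts, ev.country))
        failures[ev.src_ip] = recent_fail
    return incidents
```

Carol's single mistyped password stays below the threshold, so only the three intended incidents are raised.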

Page 16: SIEM vs. FortiSIEM

Gartner SIEM Criteria: Threat Intelligence, Real-Time Monitoring, Log Management, Deployment/Support Simplicity, Data & User Monitoring, Behavior Profiling, Application Log Analysis, Analytics

Security Fabric: Network – Secure LAN Access, Secure WLAN Access; Secure Cloud; Secure Devices; Sandboxing; Policy; Email Security; Web Security; Threat Intelligence; Partner Integrations

FortiSIEM: Infrastructure Only / NOC & SOC Analytics
» Rapid & Flexible Integrations
» Single Pane of Glass
» Multi-Tenant Architecture
» Rapid Scale Architecture
» Real-Time Asset/Config. Discovery
» Real-Time Analytics (patented)

Page 17: FortiSIEM Key Differentiators

© 2016 AccelOps

» Only NOC & SOC solution in a “Single Pane of Glass” – Holistic view of events across the entire organization
» Real-Time Correlation of Security & Network Threats – Rapid identification, triage and future prevention
» Powerful Automated Device Discovery Engine – Self-Learning, Real-Time CMDB
» Built-in Content – Ready to Go! 600+ Correlation Rules, 2000+ Reports, 200+ log parsing templates, 150K normalized event types
» Multi-Tenant Architecture – Segment network views into physical, logical dashboards

Page 18: Compliance Reporting Built-in

Hundreds of Pre-Built Reports

Compliance Reports
» PCI – HIPAA – FERPA – FISMA
» SOX, NERC, COBIT, ITIL
» ISO, GLBA, GPG13
» SANS Critical Controls

2,000+ Customizable Fields

Page 19: Windows Agent

Key features

• File Integrity Monitoring (FIM)
• Registry monitoring
• Windows Event Logs & log file monitoring
• High event rate handling
• USB activity detection
• Multiple monitoring templates
• Usability – Template assignment in fewer clicks
• Monitored file – Directory exclude
• Multiple PowerShell, WMI per template
• Monitor any log file in Windows Event tree

Page 20: Rapid Flexible Integrations – Context from Hundreds of Sources

» Antivirus
» Cloud Services
» Databases
» Directories
» DNS/DHCP Servers
» Email
» Environmentals – HVAC
» External Monitoring
» File Monitoring
» Firewalls
» Hardware Monitoring
» Host OS
» Internet Security Gateways
» IPS/IDS
» Load Balancers
» Network Flow
» Remote Desktop
» Routers/Switches
» Servers – App Server, Authentication Servers, Blade Servers, Terminal Servers, VoIP Servers, Web Server
» Storage
» Synthetic Transaction Monitoring
» Unified Threat Management (UTM)
» Virtualization
» VPN Gateway
» Vulnerability Scanners
» WAN Accelerators
» Wireless

Page 21: Rapid & Flexible Integrations – Cont’d

EXTERNAL THREAT INTELLIGENCE
» Malware Domain, IP, File hash, User Agent, URL
» Real-time/Historical query
» Out-of-the-box support

TICKETING/WORKFLOW/CMDB INTEGRATION
» 2-way integration
» Configurable parameter translation
» API / GUI based integration
» ServiceNow, ConnectWise, Remedy

CLOUD APP INTEGRATION
» Okta – SSO
» Kafka – Big Data
» Box – Document sharing
» Salesforce – CRM Activity

Page 22: [Diagram: Fortinet Devices – Configuration, Policy & Visualization (FortiAnalyzer, FortiCloud, FortiManager, FNDN, FortiView, Sandbox, Cloud); Non-Fortinet Devices via API; FortiSIEM – Performance, Compliance & Security Analytics, Holistic Threat Intelligence & Security Operations]

Page 23: Deployment Scenarios

Page 24: Inputs to FortiSIEM

» Syslog
» SNMP
» WMI for Windows
» JDBC
» HTTP/HTTPS
» TCP/UDP
» TLS
» Windows Agents – Basic and Advanced
» NetFlow/sFlow
» Active Directory/LDAP
» Geolocation

Page 25: FortiSIEM Architecture (SMB Deployment)

[Diagram: Remote/Segregated Networks (Public / Private / Hybrid) – Firewalls, Routers, Storage, Servers, Apps -> Collector -> TCP 443 (HTTPS) -> FortiSIEM Cluster (Public / Private Deployments): Supervisor on Hypervisor; Event Storage on Local Virtual Disk]

Page 26: FortiSIEM Service Provider Architecture Benefits

» All customers into the same solution and deployment
» Your customers can have duplicate/overlapping IP addresses between each other
» Data is segregated by organization
» Role based access limits admins’ or customers’ visibility, features and functionality
» Rules and reports can be deployed to one, multiple or all customers
» MSP can cross-correlate data across all organizations
» MSP can view one or all organizations from a single dashboard

Page 27: FortiSIEM Architecture (Enterprise/MSP)

[Diagram: Remote/Segregated Networks (Public / Private / Hybrid) – Customer X, Customer Y, Customer Z, each with Firewalls, Routers, Storage, Servers, Apps -> Collector per customer -> TCP 443 (HTTPS) -> FortiSIEM Cluster (Public / Private Deployments): Supervisor, Worker 1 … Worker N on Hypervisor; Big Data Event Storage on NFS]

Page 28: Competitive Landscape

Page 29: Competitive Analysis

© Copyright 2015 AccelOps, Inc. All rights reserved.

Table columns: Competitor | Competitive Positioning | Notable Customer Wins

Competitive positioning notes:
» 12 diverse open source products; low control over product destiny
» Lacks deep analytics capabilities that unite multiple sources of intelligence
» Database scalability limited due to Oracle database stack, plus the fact that a separate log management appliance is required
» Extremely expensive to buy and maintain
» Scalability – unable to handle high log volume
» Clunky hierarchical log collection architecture – cannot analyze all logs from one place
» Windows appliance – not cloud ready
» Low end standalone SIEM product offering built through acquisition
» Purchase of many add-on products required for same level of functionality
» Blank canvas – on your own or professional services
» No true real-time analytics – must index first
» Expensive – pay for storage over time

Page 30: Licensing and Sizing

Page 31: Licensing

Key areas to determine license size
» Number of devices being monitored – Core Datacenter; End-Points/IoT (reduced cost)
» 10 EPS per device, or add EPS to equal the total number of EPS
» Windows Agents (SIEM) – Basic and Advanced
» IOC (Indicator of Compromise) Threat Feed
» License Service Provider (SP) Multi-Tenant version or Enterprise Virtual Appliance version

Page 32: Sizing Guide

Device | HW | Rate
Super | 24GB RAM, 8 CPU, 200GB Disk | >10K Events Per Second (EPS) – Flow or Syslog; ~100 Windows devices agentless; ~300 devices SNMP
Worker | 16GB RAM, 8 CPU, 200GB Disk | >10K EPS – Flow or Syslog; ~100 Windows devices agentless; ~300 devices SNMP
Collector | 8GB RAM, 4 CPU, 40GB Disk | >10K EPS – Flow or Syslog; ~100 Windows devices agentless; ~300 devices SNMP
Windows Agent Manager | >= Windows 2008, SQL Express, .NET 4.5, PowerShell 2.0, IIS; 4GB RAM, 10GB Disk Free, Dual Core | ~500 agents per Manager supported; ~5K EPS
Windows Agent | >= XP SP3; 1GB memory on XP, >= 2GB on Vista and above; 10GB Disk | ~500 EPS

Event Storage is not included in the above disk requirements. 750 EPS = 1.5 TB/year. 100 PAM = 100 GB/year
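The licensing slide (10 EPS per device, plus added EPS) and the sizing slide (>10K EPS per Super/Worker, ~500 agents per Agent Manager, 750 EPS = 1.5 TB/year, 100 PAM = 100 GB/year) together give a back-of-the-envelope sizing rule. The calculator below is an added example, not a Fortinet tool; it assumes the Supervisor absorbs the first 10K EPS and that each further 10K EPS needs one Worker, and it treats the slide's ">10K" as exactly 10K.

```python
import math

# Figures taken from the licensing and sizing slides; ">10K" is treated as 10K (assumption).
EPS_PER_DEVICE = 10            # licensing: 10 EPS per monitored device
EPS_PER_NODE = 10_000          # sizing: >10K EPS per Super/Worker (lower bound assumed)
GB_PER_EPS_YEAR = 1500 / 750   # sizing: 750 EPS = 1.5 TB/year -> 2 GB per EPS per year
GB_PER_PAM_YEAR = 100 / 100    # sizing: 100 PAM = 100 GB/year
AGENTS_PER_MANAGER = 500       # sizing: ~500 agents per Windows Agent Manager


def size_deployment(devices, extra_eps=0, windows_agents=0, pam=0, years=1):
    """Estimate licence EPS, processing nodes, agent managers and event storage.

    devices: monitored devices licensed at 10 EPS each
    extra_eps: additional EPS licensed to reach the real total (licensing: "add EPS")
    windows_agents: Windows Agents, each needing a slot on an Agent Manager
    pam: performance/availability monitored items for the 100 GB/year rule
    years: retention period for event storage
    """
    eps = devices * EPS_PER_DEVICE + extra_eps
    # One Supervisor always exists and is assumed to take the first EPS_PER_NODE;
    # every further EPS_PER_NODE slice needs a Worker (assumption, see lead-in).
    nodes = max(1, math.ceil(eps / EPS_PER_NODE))
    workers = nodes - 1
    managers = math.ceil(windows_agents / AGENTS_PER_MANAGER)
    # Event storage sits outside the per-node disk figures on the slide.
    storage_gb = eps * GB_PER_EPS_YEAR * years + pam * GB_PER_PAM_YEAR * years
    return {
        "license_eps": eps,
        "supervisors": 1,
        "workers": workers,
        "agent_managers": managers,
        "event_storage_gb": round(storage_gb),
    }


if __name__ == "__main__":
    # Constructed scenario: 1,500 devices plus 5,000 extra EPS, 1,200 Windows agents,
    # 100 PAM and three years of retention.
    print(size_deployment(1500, extra_eps=5000, windows_agents=1200, pam=100, years=3))
```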

Page 33: Making Visibility & Control Easy – Today & Into the Future

1. Real-Time Analytics
2. Asset/Config Discovery (CMDB)
3. Rapid Scale Out Architecture
4. Multi-Tenant Architecture
5. Rapid Integrations
6. SOC/NOC Analytics
7. Single Pane of Glass

[Diagram: Security Fabric – Network (Secure LAN Access, Secure WLAN Access), Secure Cloud, Secure Devices, Sandboxing, Policy, Email Security, Web Security – with FortiSIEM]
