FortiSIEM Features and Architecture

Features and Architecture

FortiSIEM provides an all-in-one, seamlessly integrated and service-oriented IT infrastructure monitoring solution that covers performance, availability, change, and security monitoring aspects of network devices, servers, and applications. It is offered in two versions:

A VMware based virtual appliance, which you can deploy as a single appliance or a cluster of virtual appliances in a highly available, scaled-out grid architecture. This is what we refer to as FortiSIEM Enterprise.

Software-as-a-Service (SaaS), where you deploy a Collector virtual appliance on-premises for a customer, and all of the customer's data is transmitted to a FortiSIEM data center. This is what we refer to as FortiSIEM Multi-Tenant, since collector deployments are commonly used by organizations such as Managed Service Providers to monitor the services of their customers.

Some of the features of the FortiSIEM monitoring solution include:

Intelligent Device Discovery

Analytics

Business Services

Architecture

Intelligent Device Discovery

The first step in the monitoring process is IT infrastructure discovery. FortiSIEM has a fast and intelligent discovery engine that can automatically crawl an IT infrastructure and discover network devices, servers, and applications in depth. The user needs to provide appropriate credentials, a discovery IP address range, and optionally a starting router IP address for faster discovery.

A wide range of information is discovered including hardware information, serial numbers and licenses, installed software, running applications and services, and router configuration. The discovered devices are automatically categorized into detailed functional groups, such as Routers/Switches, Firewalls, and Network IPS, and this information is maintained within an integrated configuration management database (CMDB). Some special relationships are also discovered, for example WLAN Access Points to WLAN Controllers, VMware guests to physical hosts, etc. The CMDB is kept up to date through user-defined scheduled discoveries and FortiSIEM listening to changes as part of performance monitoring.

A novel aspect of FortiSIEM discovery is that those aspects of a device that can be monitored are also discovered at the same time. For example, given SNMP, WMI, and JDBC credentials for a Windows server, FortiSIEM might discover the following:

System performance metrics that can be collected by SNMP, for example CPU, memory utilization, and disk space utilization

System performance metrics that can be collected by WMI, for example Disk I/O utilization, memory swap rates, and process utilization

Application specific metrics that can be collected by WMI, for example IIS, DNS, DHCP, and Exchange metrics

Event logs that can be collected by WMI

Database logs that can be pulled from the server by JDBC

You simply approve the discovered results and monitoring begins. This approach reduces human error, since FortiSIEM learns from the true device configuration state.

Analytics

FortiSIEM uses a unified event-based framework to analyze all data, including logs and performance monitoring data. Logs can either be sent to FortiSIEM via Syslog, SNMP traps, or other common log shipping methods, or FortiSIEM can periodically access the system and collect the logs. Performance monitoring data is collected by periodically probing the system. The data is parsed, indexed, and stored in a proprietary flat-file based database. In contrast, the CMDB information is stored in a PostgreSQL relational database. FortiSIEM's unified data management architecture combines the two databases and presents a single view to the user.

FortiSIEM provides a broad range of analytics. First, it is possible to search all data based on keywords or in a structured way using the attributes parsed by FortiSIEM. The search can be done in real time, in which the data streaming in from devices is displayed, or the search can be based on historical data. Historical searches are referred to as Reports in FortiSIEM, and can be scheduled to run at intervals you set. A large number of reports are provided in a categorized fashion, based on device type, and also based on functionality such as availability, performance, change and security. Two novel aspects of FortiSIEM analytics are unification and drill-down. With unification, all the data is analyzed and presented the same way, whether it be real time search, reports, rules, or performance, availability, change or security data. With drill-down you start from a specific context, such as Top Authentication Failed Users, and iteratively select attributes to further analyze the data and get to the root cause of a problem. As an example, the investigation of Top Authentication Failed Users could follow a drill-down of pick user and time range -> Top Destination IP, Ports for specific user and time range -> pick destination IP and port -> Query all raw messages.
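To make the drill-down chain concrete, here is an added worked example in Python. It is not code from the FortiSIEM guide or from Fortinet, and it runs over a constructed set of authentication events rather than FortiSIEM's own event database. It also shows, on the same events, a correlation rule of the kind described in the next paragraph: a per-user failure count compared against either a static threshold or one profiled from the user's history, a NOT IN exclusion clause, and a nested sub-pattern that raises severity when the same user later authenticates successfully. The event layout, the profile table and the mean-plus-three-standard-deviations baseline are assumptions made for the example, not FortiSIEM internals.

```python
"""Drill-down and threshold-rule evaluation over constructed authentication events."""
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not real FortiSIEM data): parsed authentication
# records of the kind a SIEM indexes from Windows or Linux logs, in time order.
EVENTS = [
    {"ts": "2024-05-01T09:00:05", "user": "bob",   "dst": "10.2.0.10", "port": 3389, "ok": False},
    {"ts": "2024-05-01T09:01:10", "user": "alice", "dst": "10.2.0.10", "port": 22,   "ok": False},
    {"ts": "2024-05-01T09:02:30", "user": "bob",   "dst": "10.2.0.10", "port": 3389, "ok": False},
    {"ts": "2024-05-01T09:03:00", "user": "carol", "dst": "10.2.0.30", "port": 443,  "ok": False},
    {"ts": "2024-05-01T09:05:45", "user": "bob",   "dst": "10.2.0.20", "port": 22,   "ok": False},
    {"ts": "2024-05-01T09:07:12", "user": "bob",   "dst": "10.2.0.10", "port": 3389, "ok": False},
    {"ts": "2024-05-01T09:08:00", "user": "bob",   "dst": "10.2.0.10", "port": 3389, "ok": True},   # success after failures
    {"ts": "2024-05-01T09:10:00", "user": "alice", "dst": "10.2.0.20", "port": 22,   "ok": False},
    {"ts": "2024-05-01T10:15:00", "user": "bob",   "dst": "10.2.0.10", "port": 3389, "ok": False},  # outside the window
]

# Constructed per-user profile (hypothetical): failures seen in each of the last
# six comparable windows. Stands in for the activity profiling the text mentions.
PROFILE = {"bob": [1, 2, 1, 0, 2, 1], "alice": [0, 1, 0, 0, 1, 0], "carol": [0, 0, 1, 0, 0, 0]}


def raw(e):
    """Render an event as the raw message the last drill-down step would show."""
    status = "Accepted" if e["ok"] else "Failed"
    return f'{e["ts"]} {status} password for {e["user"]} to {e["dst"]}:{e["port"]}'


def select(events, start=None, end=None, **eq):
    """Filter: start <= ts < end, plus exact-match attributes (user=, dst=, port=)."""
    s = datetime.fromisoformat(start) if start else None
    t = datetime.fromisoformat(end) if end else None
    out = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if (s and ts < s) or (t and ts >= t):
            continue
        if all(e[k] == v for k, v in eq.items()):
            out.append(e)
    return out


def top_failed_users(events, n=5):
    return Counter(e["user"] for e in events if not e["ok"]).most_common(n)


def top_dest_ip_ports(events, n=5):
    return Counter((e["dst"], e["port"]) for e in events if not e["ok"]).most_common(n)


def drill_down(events, start, end):
    """The chain from the text: Top Authentication Failed Users -> pick user and
    time range -> Top Destination IP, Ports -> pick IP and port -> all raw messages."""
    user = top_failed_users(events)[0][0]
    scoped = select(events, start=start, end=end, user=user)
    (dst, port), _ = top_dest_ip_ports(scoped)[0]
    final = select(scoped, dst=dst, port=port)          # successes included: "all raw messages"
    return {"user": user, "dst": dst, "port": port, "raw": [raw(e) for e in final]}


def dynamic_threshold(history, k=3.0, floor=3):
    """Threshold derived from profiled activity: mean + k*stddev, never below floor."""
    return max(float(floor), statistics.mean(history) + k * statistics.pstdev(history))


def evaluate_rule(events, start, end, profile, static_threshold=None, exclude=()):
    """Rule: COUNT(failures by user in window) >= threshold AND user NOT IN exclude.
    Nested sub-pattern: a success by the same user after its failures -> HIGH."""
    window = select(events, start=start, end=end)
    fails, success_after_fail = defaultdict(int), set()
    for e in window:
        if not e["ok"]:
            fails[e["user"]] += 1
        elif fails.get(e["user"], 0) > 0:
            success_after_fail.add(e["user"])
    incidents = []
    for user, n in fails.items():
        if user in exclude:
            continue
        thr = (static_threshold if static_threshold is not None
               else dynamic_threshold(profile.get(user, [0])))
        if n >= thr:
            sev = "HIGH" if user in success_after_fail else "MEDIUM"
            incidents.append((user, n, round(thr, 2), sev))
    return sorted(incidents)


if __name__ == "__main__":
    window = ("2024-05-01T09:00:00", "2024-05-01T09:30:00")
    print(drill_down(EVENTS, *window))
    print(evaluate_rule(EVENTS, *window, PROFILE))                      # profiled thresholds
    print(evaluate_rule(EVENTS, *window, PROFILE, static_threshold=2))  # static threshold
```

In the 09:00 to 09:30 window the drill-down lands on bob and 10.2.0.10:3389 and returns four raw messages, the accepted login that followed the failures among them, which is exactly the detail that makes this user the one to investigate first. The profiled threshold raises an incident only for bob (four failures against a baseline of about 3.2), while a static threshold of 2 would also flag alice's two failures; the exclude clause is how a known-noisy service account would be kept out of the rule.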

FortiSIEM also uses rules for real-time alerting: a real-time event correlation engine analyzes all data and triggers alerts based on these rules. FortiSIEM ships with 500+ rules that cover a broad range of inter-related performance, availability, change and security scenarios. Rules range from simple text search and threshold conditions to comprehensive logic supporting full Boolean operators and nested sub-patterns that reference multiple elements, including thresholds and defined services. Thresholds can be static or dynamically derived from profiled network, system resource and user activity. You can add new rules and customize existing ones, as described in Creating Rules using GUI.

Business Services

A business service lets you view FortiSIEM metrics and prioritize alerts from a business service perspective. A business service is defined within FortiSIEM as a smart container of relevant devices and applications serving a business purpose. Once defined, all monitoring and analysis can be presented from a business service perspective. It is possible to track service level metrics, efficiently respond to incidents on a prioritized basis, record business impact, and provide business intelligence on IT best practices, compliance reporting, and IT service improvement. What is also novel about FortiSIEM is how easily a business service can be defined and maintained. Because FortiSIEM automatically discovers the applications running on the servers as well as the network connectivity and the traffic flow, you can simply choose the applications and their servers and be intelligently guided to choose the rest of the components of the business service. This business service discovery and definition capability in FortiSIEM automates a process that would normally take many people and considerable effort to complete and maintain.

Architecture

The FortiSIEM virtual appliance solution operates as a turnkey guest application running within the most popular hypervisors, with the option of using NFS or local storage. The implementation process is flexible and can be accomplished in phases to support a variety of distributed and hybrid-cloud implementations. The FortiSIEM virtual appliance is placed on a network where it can obtain operational data, as well as establish sessions with the infrastructure. Remote sites can use the FortiSIEM Collector to locally discover, collect, compress and securely transmit operational data back to the FortiSIEM virtual appliance. FortiSIEM's scale-out architecture allows for virtual appliance clustering to increase processing capacity and availability. Additional virtual appliances can be added on the fly with nominal configuration; the workload is automatically distributed across cluster members to extend event analysis throughput and to reduce query response time.


This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
