Business & Technology

Achieving Complete Visibility in AWS with FortiSIEM Security Incident and Event Management

By Partha Bhattacharya | November 27, 2017

One of the biggest challenges facing organizations moving to the cloud is maintaining single pane of glass visibility across the entire distributed network, from the core to the multi-cloud. Partha Bhattacharya, Fortinet’s SVP of Product Engineering, has been on the cutting edge of developing SIEM technologies for over 15 years. We recently sat down with him to get his insights on how organizations can best address this challenge.

As you know, visibility is a major concern for organizations migrating to the cloud. One solution many organizations are looking at is SIEM technology. You’ve developed several different SIEM tools during your career. What is unique about FortiSIEM?

Bhattacharya: FortiSIEM is the only integrated solution designed to monitor security, performance, availability, and change for large networks across public/private clouds as well as traditional on premise data centers. By simultaneously monitoring every aspect of the compute infrastructure within a single application, FortiSIEM is able to provide service level availability and actionable intelligence that enables IT teams to proactively defend against cyberattacks.

What are FortiSIEM’s core differentiators?

Bhattacharya: FortiSIEM provides a unified framework that enables it to collect, normalize, and correlate security logs, flow data, availability statistics, and performance metrics. This data allows IT teams to quickly identify the root cause behind any infrastructure or application issue, regardless of its location, from a single pane of glass. By offering continuous IT infrastructure monitoring across an organization’s entire distributed infrastructure, FortiSIEM goes far beyond traditional SIEM solutions.

The task of correlating event and log information across different network ecosystems is not easily parallelizable. To accomplish this, we use patented technology that allows FortiSIEM to be scaled out across the distributed network by, for example, adding AWS instances or simply generic virtual machines. In addition, FortiSIEM uses in-memory streaming analytics to speed up many monitoring tasks.

FortiSIEM also includes a rich discovery engine that can be used to populate an inbuilt CMDB – which serves as the ground truth in all analytics tasks. As AWS instances are spun up and down, CMDB is continuously updated to maintain and provide an accurate picture of the current infrastructure.

FortiSIEM also provides a Business Service function that allows administrators to dynamically group devices and applications serving a common business purpose. By tracking availability, performance, and security issues using Business Services groups, organizations can prioritize workloads to keep critical business functions running.

FortiSIEM’s range of advanced analytics – from basic thresholding to complex event rule correlation and statistical anomaly detection –  enhance its ability to detect even the most sophisticated security and performance issues. FortiSIEM can also be easily tweaked to add custom device and application support.

How is FortiSIEM deployed in a multi-cloud or hybrid cloud setting?

Bhattacharya: FortiSIEM deployment consists of Supervisor, Worker, and Collector AMIs or Virtual Machines. A user typically deploys a Supervisor and Worker AMIs in one AWS VPC, and Collector AMIs or VMs to collect data from other locations (other clouds or another AWS VPC or on premise data center.) This unique configuration allows FortiSIEM to span across highly distributed environments while continuously monitoring even the most elastic infrastructures.

How does FortiSIEM integrate with AWS technologies?

Bhattacharya: FortiSIEM is designed to discover all network and security gear, servers, and applications deployed in AWS AMIs. As applications scale up and down, FortiSIEM keeps track of all active AMI instances in its CMDB.

FortiSIEM monitors basic system metrics using AWS CloudWatch API. But FortiSIEM can also use advanced protocols like WMI, SNMP, JMX, SOAP, SSH to monitor application health and changes. And FortiSIEM also monitors AWS RDS and ELB applications.

By deploying Windows Agents on AWS Windows instances, FortiSIEM is able to detect file integrity issues and generic malware issues on Windows AMIs.

FortiSIEM also uses AWS CloudTrail to monitor AWS infrastructure changes for abnormal activities – e.g. unexpected logins from unusual locations, excessive server spin ups, etc.

FortiSIEM also integrates with many cloud apps typically deployed in AWS, like OKTA, Box, Google Apps, and Office 365 to uncover security issues such credential stealing and data leakage within a cloud infrastructure.

What value does FortiSIEM provides for AWS Customers?

Bhattacharya: FortiSIEM can provide a single pane of glass for monitoring all aspects of an AWS network. Various data sources can be combined to provide quick answers to health and security status issues within their infrastructure, and provide details at to whether they are in compliance with various security regulations, such as SOX, PCI, HIPAA etc.

In addition, FortiSIEM allows IT administrators to seamlessly connect and correlate data collected from their AWS environment with other public or private cloud infrastructure as well as with on-premise and remote physical networks for a single, unified view across the entire network.

How can FortiSIEM integrate to AWS monitoring and AWS QuickSight?

Bhattacharya: FortiSIEM today integrates with AWS monitoring data sources such as CloudWatch, CloudTrail and VPC Flows, RDS, and ELB metrics. By combining this data with other vendor and application specific data, FortiSIEM enriches AWS data with more context.

FortiSIEM has also built integration into the Tableau BI tool set. FortiSIEM can export its summary data to a Report Server, which is a FortiSIEM component. Tableau tools can then execute against the Report Server using public SQL schema. Similarly, AWS QuickSight can interface with the FortiSIEM Report Server and create Business dashboards for AWS Customers.

For more information on FortiSIEM.

For further Fortinet AWS solution portfolio information.

Fortinet at AWS re:Invent: AWS Promotional Credits & Visa Gift Cards

During AWS re:invent 2017, Fortinet is offering $250 AWS Promotional Credit in conjunction with Fortinet’s 15-Day Free Trial offerings. Visitors will scan a QR code at Fortinet Booth #1340 to receive the AWS promotional credits.

Also, get all your Fortinet product questions answered by the experts and test-drive FortiGate, FortiWeb, FortiSandbox, and FortiAnalyzer through our 15-Day Free Trial offers. Upon finishing the product review at the AWS Marketplace, you will receive $50 Visa gift card at the Fortinet Booth #1340.

See how customers are already leveraging Fortinet and AWS: Security7 Networksicare, and Coopenae