We all know the expression “a picture is worth a thousand words”. But those of us who have experienced the power of dynamic visualizations in big data analytics tools know that a good visualization can take countless words and huge datasets and condense them into images that we can explore and absorb in seconds.
Security professionals are catching on to the value of visualizations as well. As they scale from a few appliances to multiple firewalls and virtual appliances spread throughout a data center or across multiple geographies, being able to visualize threats, performance measures, and security events becomes essential. Security appliances, whether physical or virtual, crank out extraordinary amounts of data in their logs; the challenge has always been turning that data into “operational intelligence”.
Operational intelligence is more than an industry buzz word. In the security space, it’s the key to rapidly identifying problems and moving to mitigate threats faster than the bad guys can steal data from your network. This is driving the rapid evolution of Security Information and Event Management (SIEM) into big data- and analytics-driven security.
This is also why Fortinet developed the FortiGate App for Splunk. Splunk is a leading provider of machine data analytics, providing a platform for harnessing everything from real-time IoT data in industrial settings to log and event data from security infrastructure.
Imagine that you have 40 firewalls spread across two data centers and three office buildings. Potentially malicious activity on one or two of these firewalls might not reach a threshold that would trigger an investigation by IT or a security team, but automatically analyzing patterns of behavior across these devices and correlating them with threat intelligence or other contextual data could potentially identify and stop an attack before it even begins. Splunk’s solution brief on how they can address enterprise security includes a number of interesting scenarios where analytics meets security. We saw this in action at Black Hat USA this year and it was impressive, to say the least.
The FortiGate App for Splunk synchronizes the syslog feeds of all FortiGate appliances in your data center in real time and presents the NGFW security, UTM, traffic, and compliance dashboards using pre-built templates. It helps pinpoint vulnerabilities and enables administrators to respond to breaches in minutes instead of days or months. The FortiGate App for Splunk relies on the FortiGate Add-On for Splunk to feed data from the firewalls into the Common Information Model; the two components work together with Splunk to support everything from deduplication to extensive visualization of threat and performance data.
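The cross-device correlation described in the 40-firewall scenario above, and the key=value syslog ingestion just mentioned, as an added example that is not part of the original post or of Fortinet's or Splunk's own code: it parses constructed FortiGate-style syslog lines from several devices and flags a source whose denied connections stay under a per-device threshold everywhere but cross a fleet-wide threshold in aggregate. Device names, addresses (RFC 5737 documentation ranges) and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate-style key=value syslog format (not real logs).
# 203.0.113.7 is denied only twice per firewall, so no single device raises an alarm.
SAMPLE_LOGS = [
    'devname=fw-dc1-01 type=traffic subtype=forward srcip=203.0.113.7 dstip=10.1.0.5 dstport=22 action=deny',
    'devname=fw-dc1-01 type=traffic subtype=forward srcip=203.0.113.7 dstip=10.1.0.6 dstport=22 action=deny',
    'devname=fw-dc2-01 type=traffic subtype=forward srcip=203.0.113.7 dstip=10.2.0.5 dstport=22 action=deny',
    'devname=fw-dc2-01 type=traffic subtype=forward srcip=203.0.113.7 dstip=10.2.0.9 dstport=22 action=deny',
    'devname=fw-hq-01 type=traffic subtype=forward srcip=203.0.113.7 dstip=10.3.0.5 dstport=22 action=deny',
    'devname=fw-hq-01 type=traffic subtype=forward srcip=203.0.113.7 dstip=10.3.0.7 dstport=22 action=deny',
    'devname=fw-dc1-01 type=traffic subtype=forward srcip=198.51.100.9 dstip=10.1.0.5 dstport=445 action=deny',
    'devname=fw-dc1-01 type=traffic subtype=forward srcip=198.51.100.9 dstip=10.1.0.5 dstport=445 action=deny',
    'devname=fw-dc1-01 type=traffic subtype=forward srcip=198.51.100.9 dstip=10.1.0.5 dstport=445 action=deny',
    'devname=fw-dc1-01 type=traffic subtype=forward srcip=198.51.100.9 dstip=10.1.0.5 dstport=445 action=deny',
    'devname=fw-hq-01 type=traffic subtype=forward srcip=192.0.2.5 dstip=10.3.0.5 dstport=443 action=accept',
]

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_line(line):
    """Turn one key=value syslog line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


def correlate_denies(lines, per_device_threshold=3, global_threshold=5):
    """Return sources that no single device would flag but the fleet as a whole does."""
    per_device = defaultdict(lambda: defaultdict(int))  # srcip -> devname -> deny count
    for line in lines:
        ev = parse_line(line)
        if ev.get('type') == 'traffic' and ev.get('action') == 'deny':
            per_device[ev['srcip']][ev['devname']] += 1
    findings = []
    for src, devices in per_device.items():
        total = sum(devices.values())
        local_alert = any(c >= per_device_threshold for c in devices.values())
        # A source already over the per-device threshold is handled by that device's own alerting;
        # the correlation only needs to surface what falls through the per-device view.
        if not local_alert and total >= global_threshold:
            findings.append({'srcip': src, 'devices': sorted(devices), 'total': total})
    return findings


if __name__ == '__main__':
    for finding in correlate_denies(SAMPLE_LOGS):
        print(f"{finding['srcip']} denied {finding['total']}x across {', '.join(finding['devices'])}")
```

With the sample data only 203.0.113.7 is reported: 198.51.100.9 already trips the per-device threshold on fw-dc1-01, and 192.0.2.5 was never denied.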
Seeing vulnerabilities, threats, and attacks is only half the battle, though. Being able to remediate in real time is critical to stopping data loss and improving security in truly meaningful ways. Thus, Fortinet provides a rich set of APIs that allow administrators to track and reset firewall rules directly through Splunk and modify FortiGate rules on command via XML, JSON, or scripting integrations such as Python.
In the enterprise, this is the future of security – an integrated ecosystem of hardware, software, and analytics that can drive agile approaches to securing the network. More importantly, organizations can now visually interact with the big security picture, drill down into the details, and rapidly remediate threats in real time.