
© Copyright Fortinet Inc. All rights reserved. Security Information & Event Management SIEM by Fortinet Thomas Hans 06.10.2017


Page 1: Security Information & Event Management SIEM by …5 Fortinet Facts #1 UNIT SHARE WORLDWIDE $1.46B In Network Security (IDC) CASH FOUNDED 2000 OVER 3,3 MILLION DEVICES SHIPPED 40%


Security Information & Event Management

SIEM by Fortinet

Thomas Hans

06.10.2017

Page 2:

Agenda

Introduction

Requirements

FortiSIEM

Reference

Live

Summary

Page 3:

Fortinet

Page 4:

Introduction: Thomas Hans

Thomas Hans

Bielefeld

Systems Engineer

Enhanced Technologies

Page 5:

Fortinet Facts

#1 unit share worldwide in network security (IDC)

$1.46B cash

Founded 2000

Over 3.3 million devices shipped

40% growth

4,800+ employees

320,000+ customers

Market-leading technology: 395 patents, 316 pending

100+ offices worldwide

HQ: Sunnyvale, CA

IPO: 2009

Page 6:

Fortinet: Gaining Share in a Growing Market

Page 7:

Fortinet: Global Network Security Leader

Page 8:

Fortinet: Global Network Security Leader

HQ & Development Center

Dev. & Escalation Center

Support Center

FDN server sites

Sales Office

In-country Sales/Support

Page 9:

THE FORTINET SECURITY FABRIC

The Fortinet Security Fabric is the vision that delivers on the promise of Security without Compromise: Broad, Powerful and Automated

Fabric elements: Advanced Threat Intelligence, Access, Client, Cloud, Partner API, NOC/SOC, Network, Application

Page 10:

Requirements

Page 11:

Page 12:

Managing Security Continues to be Difficult

81% of breaches discovered by a 3rd party

47% material breach to network or systems

256 average days to detect an attack

Gartner – “Breaches & Attacks Inevitable”

Page 13:

84% of confirmed data breaches were evident in logs

Page 14:

68% of confirmed data breaches were ignored in logs for 7 months

Page 15:

Sony

Page 16:

Impacts Beyond “IT”

Impacts of a Breach

• Lost Revenues/Dollars

• Brand/Reputation

• SLAs/MTTR

• Lawsuits/Fines

• Unhappy Customers/Suppliers

• Unproductive Workers

• C-Level/Board

Page 17:

Business Drivers

#1 74% 82%

Internet of Things (IoT)

“Enough security personnel?” “Biggest concerns?” “% of executive management concerned / very concerned”

Worldwide up to 90%

Page 18:

1. Trend – There are not enough cyber-security experts

Companies struggle to cope with the security tasks they are given

ESG: The hardest thing is to find cyber-security specialists

» The worldwide managed security service (MSS) market will grow to 29.9 billion USD* (AMR)

Page 19:

Cyber Skills Shortage

Page 20:

Development keeps moving on...

Green: Google's 13 data centers consume 0.01% of the world's energy

SDN/NFV: Software-defined infrastructures and networks

SaaS: On average, companies use more than 10 cloud applications

IaaS: Security is the biggest hurdle

IoT: 35 billion devices, often connected without any concept

Virtualization: 80% of data center applications are virtualized

Mobile: No control over end devices (BYOD)

Social networks: Bandwidth grows and grows

Bandwidth: Wi-Fi speed competes with LANs. 100G networks are possible

Analytics: Big Data

Internet 2: 100 Gbps and UHDTV

5G: Contactless

Future

100G

Page 21:

2. Trend - IoT: 6.4 billion connected devices in 2016

By 2020 there will be 50 billion devices

A large share will be connected via contactless technologies

Much of it will happen without any concept and include no security

* Gartner

Page 22:

Mirai IoT Botnet

Page 23:

Simple!

Page 24:

3. Trend - The importance of cloud services is increasing

Gartner expects a public cloud market of $318 billion USD by 2019

A lack of security in the cloud is currently still seen as an obstacle to adoption

* Gartner

Page 25:

Situational Awareness across the SOC & NOC: Holistic view of events across the entire organization

Improved Situational Awareness

Page 26:

Typical NOC/SOC Environment

Diagram: SOC – Ticketing Systems – NOC

Roles: NOC Team, SOC Team, Help Desk, Datacenter, Director, Systems Admin

Page 27:

Typical NOC/SOC Resolution Process

Reactive vs. Proactive

Post Issue Forensics

All Hands on Deck!

Multiple Data Sources

No Single Source of Analytics

Manual Correlation of Data

Historical vs. Real-Time

Potential for Additional Risks

Roles: NOC Team, SOC Team, Help Desk, Datacenter, Director, Systems Admin

Page 28:

FortiSIEM: Security Information & Event Management

Page 29:

SIEM vs. FortiSIEM

Threat Intelligence

Real-Time Monitoring

Log Management

Deployment/Support Simplicity

Data & User Monitoring

Behavior Profiling

Application Log Analysis

Analytics

Rapid Scale Architecture (patented)

Real-time Asset/Config. & Discovery

Only NOC & SOC Analytics

Multi-Tenant Architecture

Real-Time Analytics (patented)

Rapid & Flexible Integrations

Single Pane of Glass

Less Complexity – Greater Visibility

Skilled Personnel

Gartner SIEM Capabilities

Page 30:

Context Available from Hundreds of Sources

• IPS/IDS

• Load Balancers

• Network Flow

• Remote Desktop

• Router/Switch

• Storage

• Synthetic Transaction Monitoring

• Syslog

• Terminal Servers

• Unified Threat Management (UTM)

• Virtualization

• VoIP Servers

• VPN Gateway

• Vulnerability Scanners

• WAN Accelerators

• Web Server

• Wireless

• Antivirus

• App Server

• Authentication Servers

• Backup

• Blade Servers

• Cloud Services

• Databases

• Directories

• DNS/DHCP Servers

• Email

• Environmentals

• External Monitoring

• File Monitoring

• Firewalls

• Hardware Monitoring

• Host OS

• Internet Security Gateways

Page 31:

FortiSIEM Technology Integrations

Page 32:

Real-Time Analytics + Rapid Scale Architecture

Virtual Appliance (VA)

» Deployable On Site - Data Center - Cloud

» Real-Time Analytics

Log/Event Parsing Framework (patented)

Distributed “In-Memory” Streaming Analytics

Distributed Real-Time Event Correlation (patented)

1 Million EPS Tested

» Hybrid Database Architecture (NOC/SOC)

Structured Data – Logs/Events (SOC)

Unstructured Data – Performance metrics (NOC)

Diagram: Collector(s), Workers and Supervisors (each a VA), Windows Agent(s) reporting to an Agent Manager over TCP 443 (HTTPS), NFS Mount, CMDB, Event Storage, Cloud
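The slide names two building blocks of a SIEM pipeline, a log/event parsing framework and real-time event correlation, without showing how they fit together. The following is an added example and not FortiSIEM code or any Fortinet parser: it normalises constructed RFC 3164-style syslog lines with a key=value body into events and runs an invented sliding-window rule over them (repeated login failures from one source followed by a success). The log format, the rule, its threshold and window are all assumptions made for illustration.

```python
"""Added example, not FortiSIEM code: a minimal streaming log parser plus a
sliding-window correlation rule, the two building blocks the slide names.

Assumptions (all constructed for illustration): input lines are RFC 3164-style
syslog with a key=value message body, and the brute-force rule below is an
invented rule, not one of FortiSIEM's."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (not real device output). Four failed logins from one
# source followed by a success should fire the rule; the last line is malformed
# and must be skipped rather than crash the pipeline.
SAMPLE_LOGS = [
    "<86>Oct  6 10:00:01 vpn-gw sshd: action=login status=failure user=alice src=203.0.113.5",
    "<86>Oct  6 10:00:03 vpn-gw sshd: action=login status=failure user=alice src=203.0.113.5",
    "<86>Oct  6 10:00:04 vpn-gw sshd: action=login status=failure user=alice src=203.0.113.5",
    "<86>Oct  6 10:00:05 vpn-gw sshd: action=login status=failure user=alice src=203.0.113.5",
    "<86>Oct  6 10:00:07 vpn-gw sshd: action=login status=success user=alice src=203.0.113.5",
    "<86>Oct  6 10:00:09 vpn-gw sshd: action=login status=failure user=bob src=198.51.100.7",
    "<86>Oct  6 10:00:10 vpn-gw sshd: action=login status=success user=bob src=198.51.100.7",
    "this is not a syslog line at all",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line, year=2017):
    """Normalise one raw line into an event dict, or return None if it does not
    fit the expected shape (a parser must tolerate junk, not raise)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("msg")))
    if "action" not in fields:
        return None
    ts_text = re.sub(r"\s+", " ", m.group("ts"))  # BSD syslog pads the day with spaces
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "app": m.group("app"), **fields}


class BruteForceThenSuccessRule:
    """Stateful rule: fire when at least `threshold` login failures from one source
    IP are followed by a successful login from that source within `window` seconds.
    State is held in memory per source, so the rule can run over a stream."""

    def __init__(self, threshold=4, window=60):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # src -> deque of failure timestamps
        self.alerts = []

    def feed(self, ev):
        if ev.get("action") != "login" or "src" not in ev:
            return
        q = self.failures[ev["src"]]
        # slide the window: forget failures older than `window` seconds
        while q and (ev["ts"] - q[0]).total_seconds() > self.window:
            q.popleft()
        if ev.get("status") == "failure":
            q.append(ev["ts"])
        elif ev.get("status") == "success" and len(q) >= self.threshold:
            self.alerts.append({
                "rule": "brute_force_then_success",
                "src": ev["src"], "user": ev.get("user"), "host": ev["host"],
                "failures": len(q), "ts": ev["ts"].isoformat(),
            })
            q.clear()  # one alert per burst


def run_pipeline(lines, threshold=4, window=60):
    """Parse and correlate a stream of lines; returns counts plus raised alerts."""
    rule = BruteForceThenSuccessRule(threshold, window)
    parsed = skipped = 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            skipped += 1
            continue
        parsed += 1
        rule.feed(ev)
    return {"parsed": parsed, "skipped": skipped, "alerts": rule.alerts}


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOGS)
    print(f"parsed={result['parsed']} skipped={result['skipped']}")
    for alert in result["alerts"]:
        print("ALERT", alert)
```

Running the block on the constructed lines parses seven events, skips the malformed one and raises a single alert for 203.0.113.5 with four failures. Per-source state in memory is what makes the rule work on a stream rather than on a stored query, which is the "in-memory streaming analytics" idea the slide refers to; a real deployment would also bound the state (expire idle sources) so that the collector's memory cannot grow without limit.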

Page 33:

Windows Agent Options

Key features

• File Integrity Monitoring (FIM)

• Registry monitoring

• Windows Event Logs & log file monitoring

• High event rate handling

• USB activity detection

• Multiple monitoring templates

• Usability – template assignment in fewer clicks

• Monitored file / directory exclude

• Multiple PowerShell/WMI entries per template

• Monitor any log file in the Windows Event tree

Page 34:

FortiSIEM Architecture

Sites: Public / Private / Hybrid

Diagram: Site X, Site Y and Site Z (firewalls, routers, storage, servers, apps), each with its own Collector, reporting to the FortiSIEM Cluster (Supervisor on a Hypervisor; public / private installations)

Page 35:

Compliance Reporting Built-in

• Hundreds of Pre-Built Reports

• Compliance Reports

• PCI – HIPAA – FERPA

• SOX, NERC, COBIT, ITIL,

• ISO, GLBA, GPG13

• SANS Critical Controls

• 2,000+ Customizable Fields

Page 36:

BSI ISO 27001 IT-Grundschutz

Electricity and gas network operators have until the end of January 2018 to implement appropriate IT protection “in line with the current state of the art”.

Time is also running out for other operators of “critical infrastructures”!

Page 37:

Licensing

FortiSIEM is licensed per device and EPS

» We assume an average of 10 events per second per device

» EPS enforcement

» Additional EPS can simply be added as a license

Licenses are available as purchase or subscription options

Page 38:

Reference

Page 39:

• 30,000 devices distributed globally

• 2,000 locations

• Required a global view of all stores

• Global PCI compliance requirement

• Already had a security breach that the previous SIEM solution was unable to notify of.

Scale-out example: Enterprise, 6 continents, 28 countries

Page 40:

• Out of the box PCI compliance

• Global deployment and adoption

• Simplified and standardised reporting

• Extended data and information to improve situational awareness

• Single pane of glass view into Staples worldwide

Scale-out example: Enterprise, 6 continents, 28 countries

Page 41:

Live Demo

Page 42:

Summary

Page 43:

FortiSIEM Key Differentiators

Only NOC & SOC solution in a “Single Pane of Glass”: Holistic view of events across the entire organization

Real-Time Correlation of Security & Network Threats: Rapid identification, triage and future prevention

Powerful CMDB & Automated Device Discovery Engine: Self-learning, real-time CMDB

Built-in Content – Ready to Go!: 600+ correlation rules, 2000+ reports, 200+ log parsing templates, 150K normalized event types

Multi-Tenant and Scalable Architecture: Segment network views into physical and logical dashboards

Page 44:

Q&A

Page 45:

Thomas Hans

Systems Engineer

📞 +49 170 5790180

[email protected]