FortiAnalyzer 6.2: SOC Automation Insights

FortiAnalyzer 6.2
Incident Response & SOC Automation

Ling Lu, VP of Product Management


In this session you will learn

1. 6.2 Highlights
2. FortiAnalyzer-Cloud & Licensing
3. FAZ Positioning, Sizing & Deployment Use Cases

© Fortinet Inc. All Rights Reserved. 2


Enterprise Operations

[Figure: the enterprise security operations pipeline in four stages, Implement + Monitor -> Analyze -> Decide -> Act, labelled Point Products -> Analytics -> Context -> Doing something. Point products (Firewall, IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation) feed Tier 1, Tier 2 and Tier 3 analysts who work through a SIEM, a Threat Intel Platform, EDR/EPP and a Sandbox; the resulting actions flow back to the same point products.]

Pain points: Many Tools, Many Alerts, Delayed Action, Manual Steps
Incident Response & Automation

INCIDENT RESPONSE
Enabling quick detection, automated correlation and connected remediation

SOC AUTOMATION
Automating manual, time-consuming processes (end-to-end) to offload SOC



Incident Response Process

Incident Response Process (NIST 800-61r2): Preparation -> Detection & Analysis -> Containment, Eradication & Recovery -> Post-Incident Activity

Detection & Analysis is the "analytics & context" phase; Containment, Eradication & Recovery and Post-Incident Activity are the "do something" phases.


What's New In 6.2?

Detection and analysis:
• Detection Rules
• Event Correlation
• Incident Analysis
• SOC Monitoring
• Interactive Dashboards
• Data Visualization

SOC activities and visibility:
• Situational Awareness
• App Risks, Mail Risks
• Fabric ADOM
• FortiNAC
• Search & Filtering


Find out more: Go to FNDN FortiDemo: [Link]
Incident Detection & Analysis



Incident Detection & Analysis – IOC History Scan



Find out more about IOC: [Link]
Incident Analysis – Threat Intel Lookup



Incident Analysis – Timeline and Life Cycle



Automate Incident Containment (FAZ <-> FOS)

[Figure: Incident -> Automation Framework -> FGT. An incident raised in FortiAnalyzer triggers the automation framework, which acts on the FortiGate (FortiOS) to contain it.]
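The IOC History Scan, Threat Intel Lookup, Timeline and Automate Incident Containment slides above describe a pipeline without showing it. The following is an added example, not FortiAnalyzer code or a Fortinet API: it scans a constructed set of FortiGate-style key=value log lines against a constructed indicator feed, builds a per-host timeline, and decides which hosts are safe to quarantine automatically. The feed, the confidence threshold, the two-sightings rule and the never-quarantine allowlist are all assumptions chosen for illustration.

```python
"""IOC history scan and containment decision over FortiGate-style logs.
Added example; not FortiAnalyzer code. Log lines, IOC feed and policy are constructed."""
import re
from datetime import datetime

# Constructed sample of FortiGate-style traffic and DNS log lines (key=value fields).
SAMPLE_LOGS = """\
date=2019-07-01 time=09:12:03 type="traffic" subtype="forward" srcip=10.1.1.20 dstip=203.0.113.50 dstport=443 action="accept"
date=2019-07-01 time=09:12:09 type="utm" subtype="dns" srcip=10.1.1.20 qname="update-check.example" action="pass"
date=2019-07-01 time=09:30:44 type="traffic" subtype="forward" srcip=10.1.1.20 dstip=203.0.113.50 dstport=443 action="accept"
date=2019-07-01 time=10:02:11 type="traffic" subtype="forward" srcip=10.1.1.5 dstip=198.51.100.9 dstport=80 action="accept"
date=2019-07-01 time=10:03:55 type="traffic" subtype="forward" srcip=10.1.1.77 dstip=192.0.2.8 dstport=22 action="deny"
"""

# Constructed IOC feed (assumption, not a real threat-intel source): indicator -> (type, confidence 0-100).
IOC_FEED = {
    "203.0.113.50": ("ip", 90),
    "update-check.example": ("domain", 60),
    "198.51.100.9": ("ip", 40),
}

# Assumed allowlist of assets that must never be auto-quarantined (e.g. DNS or directory servers).
NEVER_QUARANTINE = {"10.1.1.5"}
CONFIDENCE_THRESHOLD = 80   # assumed policy: only high-confidence indicators drive automatic action

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict; quoted values are unquoted, ts is a datetime."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields

def ioc_history_scan(lines, feed):
    """Historical scan: return (ts, srcip, indicator, type, confidence) for every IOC sighting, oldest first."""
    hits = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        for key in ("dstip", "qname"):          # fields that can carry an indicator
            indicator = rec.get(key)
            if indicator in feed:
                typ, conf = feed[indicator]
                hits.append((rec["ts"], rec["srcip"], indicator, typ, conf))
    hits.sort(key=lambda h: h[0])
    return hits

def build_timeline(hits):
    """Per-host incident timeline: first/last sighting, distinct indicators, highest confidence, count."""
    timeline = {}
    for ts, host, indicator, _typ, conf in hits:
        e = timeline.setdefault(host, {"first": ts, "last": ts, "indicators": set(), "max_conf": 0, "sightings": 0})
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
        e["indicators"].add(indicator)
        e["max_conf"] = max(e["max_conf"], conf)
        e["sightings"] += 1
    return timeline

def containment_actions(timeline, allowlist=NEVER_QUARANTINE, threshold=CONFIDENCE_THRESHOLD):
    """Decide per host: 'quarantine' (automatic) or 'ticket' (hand to the ITSM queue for a human)."""
    actions = {}
    for host, e in timeline.items():
        if host in allowlist:
            actions[host] = "ticket"      # never auto-block critical assets, whatever the score
        elif e["max_conf"] >= threshold and e["sightings"] >= 2:
            actions[host] = "quarantine"  # repeated, high-confidence contact: safe to automate
        else:
            actions[host] = "ticket"
    return actions

if __name__ == "__main__":
    tl = build_timeline(ioc_history_scan(SAMPLE_LOGS, IOC_FEED))
    for host, e in tl.items():
        print(host, e["first"], e["last"], sorted(e["indicators"]), e["max_conf"], e["sightings"])
    print(containment_actions(tl))
```

The allowlist check comes before the score check on purpose: an automated containment action that blocks your own DNS or directory server is an outage, so the hosts you cannot afford to lose go to the ticket path regardless of how strong the indicator is.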


Automate Incident Management End-to-End with ITSM

[Figure: a SOC incident in FortiAnalyzer is opened as a ServiceNow incident; ServiceNow business rules drive the FMG app, which runs a FortiManager (FMG) script, and the action is pushed from FMG to the managed FortiGates (FGT).]


Incident Eradication & Recovery



Automate Incident Eradication & Recovery


Single-Pane Visibility – SOC & NOC



Form Factors & Flexible Deployment Architecture

• VM or appliances?
• Standalone or HA?
• Collector vs Analyzer: a single Analyzer, or Collector -> Analyzer?


FortiAnalyzer Cloud

FAZ VM in [Link] CLOUD, integrated with FortinetOne.

Summary
1. Simplified licensing & deployment
2. Base License for critical device event monitoring & reporting ONLY
3. Upgradable in future for full Analytic capabilities
4. Available as an A La Carte SKU or FortiCare 360 Protection Bundle
5. Charge per FGT

Key points: Base License, Simplified Licensing, Upgradable in Future, Easy to Deploy


FortiAnalyzer Cloud Licensing SKU Example

| Unit | SKU | Description | Price, 1Yr Contract |
|---|---|---|---|
| FortiGate-80E | FG-80E | 14 x GE RJ45 ports (including 1 x DMZ port, 1 x Mgmt port, 1 x HA port, 12 x switch ports) … | $1,000 |
| FortiGate-80E | FC-10-00E80-188–02-DD | One year central log and analytics subscription to FortiAnalyzer-cloud (BASE License) | $150 |
| FortiGate-80E | FG-10-00E80-988-02-DD | 360 Protection (24x7 FortiCare plus Application Control, IPS, AV, Web Filtering, Antispam, FortiSandbox Cloud, FortiCASB, Industrial Security, Security Rating, SD-WAN Cloud Assisted Monitoring, One-Click VPN Overlay Service, FortiConverter Service, FortiManager Cloud, and FortiAnalyzer Cloud) | $1,000 |


So far so good … but

• When should I mention FAZ to customers?
• What if they only have a couple of FGTs?
• What if they have a SIEM already?

FortiAnalyzer or FortiSIEM? FAZ-Cloud or FortiCloud?


Size It Properly
It hurts when you undersize!

• Best Estimate & Keep it Simple
• Ask Questions
• Use the Sizing Tool
• Size of Pipe != Log Rates

PMDB Sizing Tool: [Link]
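"Size of Pipe != Log Rates" is the point that most often goes wrong: link bandwidth says nothing about how many log events a FortiGate emits or how large each one is. The following is an added example, not Fortinet's PMDB sizing tool: it measures events per second and bytes per event from a constructed sample of FortiGate-style log lines, extrapolates to GB/day and to storage over a retention window, and maps the daily volume onto the VM tier thresholds from the ADOM sizing slide on this page. The sample lines, the device count and the compression ratio are assumptions.

```python
"""Daily log-volume estimate for FortiAnalyzer sizing, measured from a log sample.
Added example; not Fortinet's PMDB sizing tool. Sample lines are constructed."""
import re
from datetime import datetime

# Constructed sample: five events one FortiGate sent during a 4-second window.
SAMPLE = """\
date=2019-07-01 time=09:00:00 type="traffic" srcip=10.1.1.20 dstip=203.0.113.50 dstport=443 sentbyte=1200 rcvdbyte=9800 action="accept"
date=2019-07-01 time=09:00:01 type="traffic" srcip=10.1.1.21 dstip=203.0.113.51 dstport=443 sentbyte=400 rcvdbyte=2200 action="accept"
date=2019-07-01 time=09:00:02 type="traffic" srcip=10.1.1.22 dstip=203.0.113.52 dstport=80 sentbyte=800 rcvdbyte=5100 action="accept"
date=2019-07-01 time=09:00:03 type="utm" subtype="webfilter" srcip=10.1.1.20 url="http://www.example/" action="passthrough"
date=2019-07-01 time=09:00:04 type="traffic" srcip=10.1.1.23 dstip=203.0.113.53 dstport=22 sentbyte=0 rcvdbyte=0 action="deny"
"""

def _ts(line):
    d = line.split("date=", 1)[1].split()[0]
    t = line.split("time=", 1)[1].split()[0]
    return datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S")

def observed_rate(sample):
    """Return (events per second, average bytes per event) from event timestamps and line lengths."""
    lines = [l for l in sample.splitlines() if l.strip()]
    stamps = sorted(_ts(l) for l in lines)
    span = (stamps[-1] - stamps[0]).total_seconds()
    eps = (len(lines) - 1) / span if span > 0 else float(len(lines))   # inter-arrival estimate
    avg_bytes = sum(len(l.encode()) + 1 for l in lines) / len(lines)    # +1 for the newline
    return eps, avg_bytes

def traffic_vs_log_bytes(sample):
    """The 'pipe' (bytes the firewall forwarded) versus the bytes it logged about that traffic."""
    lines = [l for l in sample.splitlines() if l.strip()]
    traffic = sum(int(m) for l in lines for m in re.findall(r"(?:sentbyte|rcvdbyte)=(\d+)", l))
    logged = sum(len(l.encode()) + 1 for l in lines)
    return traffic, logged

def daily_gb(eps, avg_bytes, devices=1):
    """Extrapolate a per-device rate to GB/day across the fleet."""
    return eps * avg_bytes * 86400 * devices / 1e9

def storage_gb(gb_per_day, retention_days, compression_ratio=1.0):
    """GB on disk for the retention window; compression_ratio is an assumed factor, 1.0 = none."""
    return gb_per_day * retention_days / compression_ratio

# VM tiers from the ADOM sizing slide: (daily GB cap, max ADOMs); the last row is "> 5000 GB/Day".
VM_TIERS = [(200, 25), (500, 50), (1000, 250), (5000, 500)]

def vm_tier(gb_per_day):
    """Smallest VM tier whose daily cap covers the load, as (cap, max ADOMs); cap None means > 5000."""
    for cap, adoms in VM_TIERS:
        if gb_per_day <= cap:
            return cap, adoms
    return None, 800

if __name__ == "__main__":
    eps, avg = observed_rate(SAMPLE)
    per_day = daily_gb(eps, avg, devices=200)           # assumed fleet of 200 FortiGates
    print(f"{eps:.1f} eps, {avg:.0f} B/event, {per_day:.2f} GB/day for 200 devices")
    print("30-day storage:", storage_gb(per_day, 30), "GB; tier:", vm_tier(per_day))
    print("forwarded vs logged bytes:", traffic_vs_log_bytes(SAMPLE))
```

Measure during the busiest hour, not an idle one, and run the estimate per log type: a FortiGate with UTM and full traffic logging enabled produces several times the event rate of one logging only denied sessions on the same link.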


Sizing - ADOMs
Too many ADOMs kill performance!

| Appliances | Max # ADOMs | Comments | VM | Max # ADOMs | Comments |
|---|---|---|---|---|---|
| Desktop models | 1 | Place holder | FAZ-VM-BASE | 1 | |
| 200F/300F/400F | 25 | SMB | <= 200 GB/Day | 25 | SMB |
| 800F/1000E | 50 | Small Enterprise | <= 500 GB/Day | 50 | Small Enterprise |
| 2000 Series | 250 | Starting platform for MSSP | <= 1000 GB/Day | 250 | Starting platform for MSSP |
| 3000 Series | 500 | | <= 5000 GB/Day | 500 | |
| 3700F & higher | 800 | | > 5000 GB/Day | 800 | |
Deployment Example for SD-WAN Use Case

[Figure: several SD-WAN branches, each with its own FortiGate, sending logs to a central FortiAnalyzer.]


Recap

In this session, we looked at

• 6.2 Incident Response & SOC automation features
• FortiAnalyzer-cloud Licensing
• Sizing & deployment use case


Q&A