FortiSIEM is a solution that supports real-time threat detection by cross-linking network operations center (NOC) and security operations center (SOC) analytics. All of this can be managed and monitored through its unified console, reducing the time it takes to detect threats. FortiSIEM’s scalable design ensures that organizations using it can process increasing volumes of event and alert data without disruption.
FortiSIEM meets the broad and complex security-analytics requirements of the modern enterprise. The solution has also become a breakthrough in the convergence of IT and OT environments, and recent enhancements include:
- expanded OT asset detection and management capabilities,
- new methods for building an integrated IT/OT CMDB,
- MITRE ATT&CK dashboards extended to cover ATT&CK for Industrial Control Systems,
- threat intelligence support extended with Dragos WorldView Industrial Threat Intelligence, adding an OT-focused layer to the existing FortiGuard Indicators of Compromise (IOC) threat intelligence service.
FortiSIEM is available as:
- high-performance hardware appliances that meet even the most stringent regulatory requirements,
- virtual appliances that can be deployed in virtualized and cloud environments for maximum scalability and flexibility,
- a cloud-hosted service that provides the same capabilities and features as the self-hosted versions, but without the administrative overhead.
The solution comes in the form of both dedicated appliances and a virtual machine (just download and run the ready-made image; supported hypervisors are Hyper-V, VMware ESX(i), KVM and AWS):
- It is a 64-bit version of CentOS with the FortiSIEM packages pre-installed and pre-configured.
- A very important advantage of the virtual machine version is scalability: the user can allocate more resources such as processors, memory or additional disk space at any time, and the vendor imposes no restrictions here. In addition, more machines (collectors and workers) can be added to increase performance. There are no limits on the size of the Events Database or on data retention.
- Minimum requirements for a supervisor:
  - 4 cores, 3 GHz,
  - 64-bit, 16 GB of RAM (24 GB recommended), 200 GB of disk (80 GB OS/App, 60 GB CMDB, 60 GB SVN/Config),
  - additional storage for the Events Database (500 EPS ~= 1 TB/year),
  - performance data – PAN (500 devices ~= 100 GB/year).