A Security Operations Center (SOC) helps improve security and compliance by consolidating key security personnel as well as event data into a centralized location. Incident detection and response can be greatly accelerated and enhanced as a result. To accomplish this, organizations are embracing Splunk® Enterprise Security (Splunk ES) for improving SOC visibility, analytics, and operational effectiveness.
As an early member of the Splunk Adaptive Response Initiative, Fortinet’s integration with Splunk enables Splunk ES to invoke actions based on analytics-driven decisions back into the Fortinet Security Fabric, these actions can be approval triggered or automated.
Today, Fortinet has two applications listed on Splunkbase. One is a standalone app – FortiGate App for Splunk that leverages Splunk Enterprise. The second is FortiGate Add-On for Splunk, which uses the Splunk Common Information Model (CIM). It contains a collection of pre-configured data models that you can apply to your data at search time. The Fortinet FortiGate Add-On for Splunk leverages the Splunk platform to provide users CIM knowledge, advanced “saved search”, indexers and macros to use with other Splunk Enterprise apps such as Splunk App for Enterprise Security.
For the latest iteration of Splunk’s Adaptive Response Framework, FortiGate next-generation firewall logs are collected and fed into CIM data models. DevOps administrators can then search for multiple security incidents, define their correlations among them, and then turn them into notable events.
The full security policy cycle is highly effective, and combines the best of both worlds for threat intelligence and security operations. From the time a security incident is identified to the time a firewall policy is amended or revised, the entire process involves very minimal manual processing or human intervention.
The solution enables businesses to make instantaneous security decisions based on data visibility provided by Fortinet’s physical or virtualized firewalls, along with Splunk software’s extensive correlation, search and visualization capabilities to deliver advanced security reporting.
To see a demonstration of how Fortinet and Splunk’s technology works together in real time, please visit Fortinet at booth #G16 at Splunk .conf2016 on September 26 – 29!