Celebrating our Community: Thank You for an Incredible Month
Blogs
Recently active
Due to staffing and technical challenges, organizations are turning to Managed Security Service Providers (MSSPs) for IT security management, and one of the biggest trends is to use MSSPs to deploy and Endpoint Detection and Response (EDR) solutions on their endpoints. EDR offers an MSSP the highest level of security for an endpoint while avoiding the level of administrative complexity and nuance of traditional endpoint protection solutions. Additionally, as MSSPs turn up EDR Managed Detection and Response (MDR) services to help reduce the risks users and vulnerabilities introduce, there are key capabilities that service organizations need to consider, especially in a multitenant environment. One core capability an MSSP needs to look at is how multiple customers are managed. A solution that lacks true multitenancy adds administrative burden by forcing one to turn up individual console instances that need to be administered separately or develop custom portals to integrate into their SO
Exception Manager FortiEDR offers behavioral detection capabilities to detect living-of-the-land, file-less (memory-based), and script-based attacks. FortiEDR behavioral detection provides real-time containment capabilities by blocking external communication or access to the file system. FortiEDR surgically stops data breaches and ransomware damage in real-time, automatically allowing business continuity even on already compromised devices. FortiEDR Exception Manger offers comprehensive feature set to create granular exception rules based on multiple attributes and even create automatic exceptions if Fortinet Cloud Services (FCS) classifies an event as safe. FortiEDR allows exceptions based on collector groups, external destinations, and users. Further security admins can add exceptions based on security rules that triggered the event in which case admin can specify following options: Specify “exact” path to the application or “any path” to allow an application to run Create an except
FortiEDR offers a single unified endpoint agent with machine learning Next Generation Anti-Virus (NGAV), application communication control, automated EDR, and XDR capabilities. All these features are configured and managed via an easy-to-use single unified management console. FortiEDR is the only solution in the market to offer real-time post-execution prevention, helping security analysts to perform forensic investigations at their own pace without racing with time. The solution offers comprehensive protection against advanced persistent threats and massively reduces mean time to detection (MTTD) and mean time to remediate (MTTR). The FortiEDR management console has multiple tabs controlling different features. But the event viewer tab is the one that holds the most relevance for security analysts since each investigation begins from the event viewer tab which lists all the unhandled events in the default view. Users can filter events based on multiple criteria like unread, applicatio
As one of the most valuable tools of EDR, Threat Hunting helps identify bad actors that have otherwise circumvented the first line of defence. It achieves this by proactively identifying threat indicators and vulnerabilities that lurk undetected. FortiEDR’s Threat Hunting is a powerful tool that provides benefits earlier and later in the cyber kill chain. This blog will cover how FortiEDR eliminates attacks before execution. It will cover scanning for metadata, behavior correlation (MITRE ATT&CK), and scheduled queries while a secondary blog will cover post-execution. Threat Hunting While FortiEDR’s pre and post-infection engines offer protection at multiple stages of the cyber kill chain, how can you proactively scan endpoints for Tactics, Techniques and Procedures (TTPs) which could indicate a potential attack? How can you search for threats that may have otherwise slipped through the net? Figure 1.1 – Cyber Kill Chain Threat Hunting enables the SOC analyst to proactive
Our previous blog covered how FortiEDR eliminates malware and attacks early in the cyber kill chain and the benefits of proactive security. We know nothing in this life is guaranteed and no form of security is perfect. As stated before, Threat Hunting helps identify what circumvented the first line of defence. This blog will cover post-attack threat hunting. Post-attack, Threat Hunting can assist in ‘following the breadcrumbs’ and identifying patient zero, peering back days, weeks or even months. While FortiEDR’s Forensics suite provides much of the answer with patented code-tracing technology, Threat Hunting is also an essential component. While investigating an event, FortiEDR provides an intuitive experience with contextualised Threat Hunting hyperlinks enabling the SOC analyst to quickly retrieve the information required. Figure 1.1 – Contextualized Threat Hunting – Events View Figure 1.2 – Contextualized Threat Hunting – Forensics View It is also possible to scan all (or
Time to time, threat hunters are alerted to a new threat and will run a query within FortiEDR to see if it is present on any of their devices. They can simply add a title, a description, add applicable tags, and select the organization to apply this search. Further on they can select which category and devices to search, and input the search in Lucene syntax. They can also choose to share this search with the community before they create a schedule for that query. Along the way, they will select the classification they would like it to fall under along with when they would like to have it repeat the search (e.g. Daily, every hour, etc.). Fig 1. Creating a custom and scheduled query Now that this custom search is created it will alert the team by placing the alert in the event viewer when it sees a hit. It will inform the threat hunting team that the alert was generated from a “Scheduled Threat Hunting Query” in the “Triggered Rules” box on the right of the screen. These same threat
We are pleased to announce the 5.1 release of FortiEDR. It keeps our Linux capability in lock step with Windows, both of which now offer even more robust threat hunting. Enhancements include Event Tracing for Windows (ETW), which enriches threat hunting telemetry collection by identifying behaviors. This provides FortiEDR users a fast, reliable, and versatile set of event tracing and logging features that are raised by user-mode applications and kernel-mode drivers. Outside of threat hunting, we made quality of life improvements for our administrators. We added application deny enhancements with Application Control. Now administrators have further flexibility when adding applications to deny/blocklists, along with tightly configuring communication rules on specific applications. It can also be used selectively on end-user systems with sensitive information or higher threat exposure. Lastly, we supplemented this release with further granularity to exclude files and folders from being in
By: Moshe Ben Simon & Julian Petersohn Summary Every SAP customer has a minimum of one SAPRouter Instance running within the infrastructure. In addition, these instances are often directly accessible through the Internet. Figure 1: Overview of Countries where the SAP Router was found[1] What is SAPRouter SAPRouter is a standalone program that protects your SAP network against unauthorized access. SAPRouter is an application gateway that acts as a network connection proxy between SAP systems or between SAP systems and external networks. The SAPRouter port serves as a gateway, and you can specify the connections you want to allow in a route permission table. SAPRouter can control and log incoming connections to the SAP system. SAPRouter can improve network security by applying a password and a layer of encryption across any network access Connections and SAP data. Customers need to set up and configure access to SAPRouter for SAP to receive technical Support from SAP Engineers. A
Lately I have been doing some AWS. I am looking to get certified in the short-term. I was struggling with a customer after I deployed a FortiGate in AWS and could not figure out how to allocate Elastic IPs to be used by the FortiGate to perform NATs for different internal instances. Here is an article showing what I did. On AWS Log into you AWS Console and choose you VPC Then choose the Instances and choose your Fortigate instance. Then you will need to (1) Choose the Instance, (2) Click Actions (3) Choose Networking then choose (4) Manage IP Addresses Once in Manage IP Addresses you will see your interfaces that you have assigned to your Fortigate instance. Choose the interface that represents the outside of the Fortigate and click Assign new IP. You can see that my subnet is 172.31.254.0/24 and I have .5 assigned to my Public Facing IP address. Enter another IP in that same range (I believe AWS reserves the first 4 IP addresses) and then click Yes, Update
Network Functions Virtualization (NFV) offers unprecedented opportunities for service providers to adopt new business models, radically lower costs, and increase the speed of innovation and delivery of next-generation services. While the potential benefits of NFV are enormous, ensuring effective security is a key consideration for service providers. Protecting these highly dynamic environments requires a Security Fabric with tightly integrated security and network technologies that share intelligence and collaborate to detect, isolate, and respond to threats in real time. Fortinet recognizes the importance of having an open system that supports and secures as many NFV solutions in the industry as needed in order to meet the requirements of service provider customers. The openness of the Fortinet Security Fabric enables deep integrations with industry partner products and platforms. Fortinet achieved VMware’s highest level of endorsement, VMware Ready™ Status for Network Functions
Team,Veterans bring valuable skills and experience from their military service to your workforce. This toolkit is designed to help you better understand how Veterans can be valuable assets to your company. You can also learn more about how hiring Veterans may benefit your organization, its mission, and bottom line. Why Veterans Make Good Employees: https://www.va.gov/VETSINWORKPLACE/docs/em_goodemployees.asp The Work Opportunity Tax Credit (WOTC) is a Federal tax credit available to employers for hiring individuals from certain targeted groups who have consistently faced significant barriers to employment: https://www.irs.gov/businesses/small-businesses-self-employed/work-opportunity-tax-credit The Employer Guide to Hire Veterans is designed to assist employers find, hire and retain veterans: https://www.dol.gov/sites/dolgov/files/VETS/files/Employer-Guide-to-Hiring-Veterans.pdf Veterans leave military service with a wealth of skills and professiona
Protecting business-critical data is becoming increasingly complex—and by extension, increasingly relevant for today's organizations. One critical element of this evolution is their increasing reliance on, and hyperconnectivity across foundational technologies such as data centers, cloud platforms, SaaS applications, and broadly adopted software vendors like Microsoft and SAP. What is SAP Security Software? SAP is among the world's largest software companies. Some 92% of the Forbes Global 2000 use at least some of their enterprise application solutions, and most of those companies deploy SAP S/4HANA in their cloud, whether public or private. And By 2027, even more, SAP customers will need to migrate to SAP S/4HANA as they have announced the end-of-life of older versions of their integrated application solutions (the SAP Business Suite). In addition, with SAP FIORI being used as the new user interface, SAP Systems are also increasingly exposed to the internet to provide se
Log4shell or Log4j2 or more simply CVE-2021-44228 is being called the greatest vulnerability to hit the interest... ever. Log4j2 impact touches anything that uses Apache’s opensource logging service Log4j prior to version 2.15.0. And that’s a lot of systems. In fact, it’s said to impact most of the web services attached to the Internet at the time of the exploit’s announcement on December 9th, 2021. That’s a lot of systems to patch. How does a cyber team work through all of the known and shadow IT inventory? Further, what if those systems are the heart of the company running critical financial and management functions, such as a SAP or other ERP system? Patching of these systems must be prioritized, but it will take time. More immediately, cyber teams should be looking to their security partners to implement network-wide mitigation that can be broadly and swiftly deployed. Fortinet has rolled out several countermeasures to stop 4422
Fortinet is pleased to announce the availability of a brand-new data switch model and a refresh to one of its most popular data center switch models. The FortiSwitch T1024E is our first fixed copper 10GE switch offering 24 ports of 10G base T in a 1 RU form factor with 2 100GE capable QSFP28/QSFP+ slots for uplinks. This new FortiSwitch compliments our popular 1024 which has been updated to the 1024E offering 24 10GE capable slots in a 1 RU form factor with 2 100GE capable QSFP28/QSFP+ slots for uplink. While both of these switches are designed for high performance 10GE switching the T1024E is capable of negotiating Multi Gig Ethernet speeds including 5GE , 2.5GE and 1GE. These new switches build on our FortiSwitch data center series while maintaining integration into the Fortinet Security Fabric through FortiLink, a hallmark of our FortiSwitch product line. For more information on the 1024E and our FortiSwitch Data Center Series please refer to our datasheet.
Let's talk about three important areas of SIEM deployments: functionality, scalability, and flexibility. Functionality What does a SIEM do? Wikipedia [1] suggests: Data aggregation; Correlation; Alerting; Dashboards; Retention, and; Forensic Analysis - a good list of foundational features, but these are taken-for-granted in a modern SIEM. What else does a SIEM do for you,? What makes your SIEM a winner in your environment? FortiSIEM brings a raft of functionality that provides a winning solution for modern enterprise and service provider environments: Feature Description Benefit Combined NOC&SOC Analytics Performance and availability monitoring via active device discovery Greater ROI Greater security vantage Greater ease of use Reduced MTTR Greater functionality & flexibility Integrated CMDB Asset list of discovered devices, plus device monitoring Integrated UEBA Visibility of client activity. AI driven anomaly detection.
By: Aidan Walden, Director, Public Cloud Architecture & Engineering at Fortinet It’s no coincidence that SD-WAN adoption has grown rapidly with increasing cloud consumption by enterprises. After all, the primary use case for SD-WAN is to provide fast and resilient connectivity to cloud services. While the SD-WAN migration has been driven by cost savings, faster time to provision, and more application control, there have been some trade-offs. MPLS provides granular control of routing domains and segmentation, and centralized Internet breakout for consistent egress security and partner interconnection. MPLS’s traffic-engineered paths provide end-to-end low network latency and a high quality of service. The launch of AWS’s Cloud WAN provides, for the first time in the AWS cloud, the opportunity to realize the benefits of an MPLS-like core network with the advantages of SD-WAN cloud on-ramps from many on-premises locations. AWS Cloud WAN builds on Transit Gateway Connect by allowing us
Fortinet Integrates with Azure Gateway Load Balancer to Enable Seamless Deployment of FortiGate Next-Generation Firewall By: Ali Bidibadi Many customers use third-party network virtual appliances (NVA) offerings from Azure Marketplace, including Fortinet FortiGate Next-Generation Firewall (NGFW), to secure their Azure cloud deployments. Specifically, Fortinet offers several design patterns to address each customer’s unique deployment requirements. Those include Active-Passive with Unicast HA and Active-Active with and without autoscaling support. Both external and internal load balancers are utilized in some of those architectures to help with scalability and resiliency of the security solutions. Now, with the public preview launch of the Azure Gateway Load Balancer (GWLB) service, we are excited to announce the availability of the Fortinet FortiGate VM integrated with this service as a launch partner. Equipped with full NGFW capabilities, as well as VXLAN encapsulation and decap
Does your SIEM deliver effective value to the widest part of the organization in an efficient and easy to use manner? I hope so - SIEMs can benefit many parts of the organization outside of the SOC, such as compliance, network operations and general business functions. Ease of use is key to enabling this important business asset, empowering users of the system, and delivering business value. The business value delivered by a SIEM extends beyond the technical features of the platform. Many organizations are currently struggling to recruit and retain employees in cybersecurity roles such as security administrators, and NOC and SOC specialists [1]. Easier to use tools can create a more attractive workplace and help to reduce the amount of training required to onboard new hires - an easier to use tool becomes an enabler, rather than a barrier. Easier to use tools can also empower junior employees, increasing their effectiveness, motivation, and ability to deliver results for
A FortiGate Automation Stitch brings together a Trigger and an Action. The Trigger can be internal or external to the FortiGate, when a trigger occurs one of more Actions can be initiated. The Action, like the Trigger can be internal or external to the FortiGate.The code in the repository fortigate-automation-stitches, is an example of a FortiGate SDN Event Log being the Trigger to initiate the Action of updating an Azure Route Table to enforce VM Micro Segmentation. The SDN event log entry generated when a FortiGate Dynamic Address is updated, triggers the action of sending a Webhook to Azure. The webhook contains the information required to update the Azure route table. The Azure route table update is either the addition of a route or the removal of a route from an Azure route table.The FortiGate Automation Stitch Azure route table updates are made to support Micro Segmentation of VMs in FortiGate protected networks. In Azure, VMs on the same subnet and
By: Peter Nas & Ronen Shpirer FortiOS v7.0.1 introduced support for the Packet Forwarding Control Protocol or PFCP. This is an essential enhancement to an already rich set of features and capabilities that FortiOS and the FortiGate provide to 4G and 5G mobile operators worldwide. To understand why this is a valuable enhancement, you need to know what PFCP is, why it’s important, and what security use cases are made possible with FortiGate’s support for PFCP. PFCP was first made available with 3GPP Release 14’s introduction of Control and User Plane Separation, or CUPS. CUPS enabled a new network architecture that allows Service Providers to independently scale and evolve their network for Control Plane resources without modifying their User Plane resources. PFCP is used between the control plane and the user plane function in 4G CUPS-based EPC. While CUPS and PFCP are not mandatory in 4G, they are required in 5G Stand Alone (SA) networks, where the Session Management Fu
Today we're looking at the new FortiSIEM JSON Incident API. Need to extract some incident data from your FortiSIEM? This API's for you!Let's explore one of the API functions by building a simple Bash script that pulls recent incidents and summarizes the target IP. Disclaimer This is a basic, stripped back 'Proof of Concept' script. It's provided as is and for informational purposes only. Some features, such as hard-coded credentials, are not considered best practice and you probably have a better approach. Be sure to check, fix, validate data, handle errors, improve, customize and secure to meet your own requirements before use. Formatting Some of the longer commands may be word-wrapped on your screen, which could prevent them working if you copy/ paste the script without fixing this. Preparation Assuming you are using a CentOS based distribution run the following command to check and install required packages if needed: yum -y install curl jq sed grep API Endpoint The API details a
Fortinet is extending FortiGuard security to the wireless edge by offering UTP services running on our Wi-Fi 6 FortiAP-U models. With this new service, customers can enable the following security features on the AP: Web Filtering IPS Anti Botnet App Control Anti Virus Device Identification F-series FortiAP-U models and later can offer these FortiGuard services when managed by the FortiGate or when managed by our new FortiLAN Cloud management platform. Want to learn more technical details? Our Product Manager Sumanth Gorajala recently talked about this topic at Mobility Field Day, you can watch his presentation on youTube here.
JAN’s Workplace Accommodation Toolkit is a free, comprehensive online resource for employers seeking to move beyond basic compliance with the Americans with Disabilities Act (ADA) in order to create more disability-inclusive workplaces. The Toolkit provides guidance and resources for developing or updating accommodation policies and processes while leveraging the best proven practices available to date. The Toolkit contains actionable accommodation policies and processes from leading U.S. businesses, a suite of accommodation forms, training presentations, and role play videos modeling inclusive behaviors. The Toolkit also includes best and emerging practices for creating an inclusive workplace for people with disabilities during all phases of the employment life cycle. Within the Toolkit, one can find specific resource drawers for: Recruiters and Hiring Managers, Supervisors and Managers, Internal Reasonable Accommodation Subject Matter Experts (SME)/Consultants, Information Tech
The SHRM Foundation Veterans at Work Certificate program is completely free and open to all. You do not need to be a SHRM member, and you do not need to hold a SHRM credential to engage with the content, take the course and earn the Veterans at Work Certificate.This course leverages critical insights from subject matter experts and the latest research to equip you with the knowledge and actionable tools necessary to confidently adapt your workplace into one that attracts, hires, and retains both veterans and members of the military community.SHRM Foundation Veterans at Work Certificate Program
An organization's workforce is its most valuable asset. And when an employee can't work due to illness or injury, it impacts not only an organization's productivity, but also its morale. This toolkit helps both employers and employees understand the return-to-work process and provides resources to assist in getting employees back on the job quickly and smoothly. Effective return-to-work approaches can help employees work while still recuperating, protecting their earning power and boosting an organization's output. Furthermore, in many instances, work itself plays an important role in the recovery process.Learn more: https://www.dol.gov/odep/return-to-work/
Already have an account? Login
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.