Blogs

Did you know that FortiSIEM can ingest NetFlow traffic? Send NetFlow traffic to FortiSIEM and it will be ingested, parsed, written to our common database, and made available for analysis, dashboards, correlation and reports!NetFlow is processed by our Rapid Scale Architecture. A FortiSIEM collector node will process flow traffic alongside regular log traffic - no need for complex architecture or special node types. The parsed flow data is written into our common event database, alongside log and performance events.Our combined NOC & SOC architecture makes NetFlow data available directly in our analytics engine alongside log and performance data. This common interface simplifies NetFlow analysis, there is no need to learn different interfaces to analyze flow, performance and log traffic. Of course this also means the NetFlow reports use the same structure as other FortiSIEM reports, providing a common reporting interface too.Our widget based dashboards have a range of visualizations

A pair of wireless headphones makes it easier to make and attend calls, although a phone can work standalone without them. Similarly, security tools can work fine on their own, but complementing them with external help makes their job easier and provides more convenience. It is well established that a single security tool cannot provide a complete solution to protect the network. Securing a network often requires a combination of multiple tools to do different jobs in order to provide a complete solution. Gigamon Inline solution with Fortinet Generally, the network stack and security stack go hand in hand, meaning if your network is 10G, your security tools should be as well, and if security tools are inline with the network, then any change required on those security tools would impact the network as well. What if network and security stacks could be segregated by introducing a layer between them? Let’s call this layer a visibility layer, a layer that sees everything in your network

Hello everyone, thank you for joining our first community roundtable event on May 19th and making it a big success. I really appreciate all those who took the time to join the event, and all those who could not join due to technical limitations. Hence, here is the replay of the Ransomware discussion for your reference.  Please make sure to post your questions or thoughts in the comments section below.  Hope you enjoy it! 

Here are the responses from our expert panelists for all of the questions asked by our audience during the recent community roundtable event regarding 'What to do during a ransomware breach'. Hope you find this helpful. And don't forget to watch the replay here. Have more questions? Please post in the comments section below. Is there a place where people make decoding tools for files available? Various outlets and github sites are available but many times decrypting is just not an option without getting the keys. One site (https://www.nomoreransom.org/en/index.html) is a very popular one to visit as it has various decoding tools for ransomware.  What are some things you can do to detect this activity early before damage is done? This is a very broad question and has a lot of answers but in general you need to understand and identify the tactics and techniques being used. (We discussed some of them today) Then test your security controls against those techniques. Use the Mit

Wi-Fi tunnel concentrators are a new wrinkle in wireless networking, driven by cloud vendors realizing there are, in fact, advantages to controller-based architectures. Fortunately for Fortinet customers, our Wi-Fi architecture already combines the best cloud and controller architectures while being most straightforward and, unsurprisingly, most secure. When it comes to Wi-Fi traffic, I’m pretty sure the Bard said, “To tunnel or not to tunnel, that is the question.” Or was that General Chang? Regardless, there are two basic options to consider with Wi-Fi: 1) tunnel traffic into a controller or other traffic concentrator or 2) don’t tunnel and have network traffic breakout locally and be handled in the same way as direct/traditional traffic. Up to date Enterprise Wi-Fi systems, including Fortinet Wi-Fi, can be expected to support hybrid options, tunneling some SSIDs while others go directly onto to the local network. A quick look at the evolution of these options will put things in cont

Traditionally changes like digital transformation in an organization were undertaken after thorough assessment of known risks and time-tested methodologies to scope resources, time and cost to adopt to such changes. We all are in the midst of global uncertainty and the demand for change and sustenance are both rapid as well as spread over uncertain timeframe. Largely organizations have now stabilized their network and access to resources, however the impact of the changes as well as the need to grow the business through transformation will top the agenda at the executive meetings. How does sudden change jeopardize your comprehensive plans? Throughout the period of uncertainty, it is challenging to maintain the critical balancing act between supporting growth and managing voluminous changes with an objective of a secure and compliant infrastructure. Let us take a look at certain scenarios that affect the security and compliance posture of your organization due to the current global scen

Today, Ordr and Fortinet announced an expanded partnership with rich integrations with FortiManager, FortiGate, and FortiNAC via the Fortinet Security Fabric. These integrations bring automated visibility and protection of ALL connected devices to Fortinet customers and the channel partners who support them. I’m thrilled with the opportunity to introduce Ordr—and these joint solutions—here on the Fortinet blog. Gain a Comprehensive Understanding of Every Device (IT, IoT and OT) on Your Network “What is connected to my network?” While one of the easiest questions to ask, it’s also one of the hardest to answer. Eliminating blind spots has long been a core security tenet, but overburdened IT, Network, and Security teams often struggle to maintain a comprehensive device inventory. After all, you can’t secure what you can’t see, and malicious actors constantly search for under-protected systems to exploit. These blind spots have increased dramatically as organizations expand their use of Io

Global demand for commercial virtual private networks (VPN) is surging following work-from-home mandates in the battle against the coronavirus pandemic. GlobalWebTKIndex finds that more than 400 million businesses and consumers globally are currently using encrypted connections including VPNs and other technology and that number is set to grow.  With increased VPN demand comes increased security risk. The US Cybersecurity and Infrastructure Security Agency issued guidance in early March, noting the increased potential risk during a pandemic-spurred lockdown, and urged companies to take measures to reinforce their corporate VPNs to fend off expected attacks on vulnerabilities. In July, the U.S. National Security Agency (NSA) published guidance on how to properly secure IP Security (IPsec) Virtual Private Networks (VPNs) against potential attacks. NSA's VPN guidance also highlights the importance of using strong cryptography to

One of the responsibilities of a SOC team is to ensure that all incidents are tracked and resolved in a timely manner as well as making sure security processes are consistent. To that end, a Security Orchestration, Automation, and Response (SOAR) solution can be utilized to help the SOC team streamline their security processes. So, let’s learn how mid-sized enterprises can utilize FortiSOAR with the help of a service provider to help augment their SOC environment.  Along with the mid-sized / large SOC teams, smaller IT/SOC teams can also enjoy the FortiSOAR add-on within FortiAnalyzer to help with streamlining incident response. While a service provider isn’t required to use FortiSOAR, SOC teams with constraint resources or compliance requirements might want to use a service provider to help fill these gaps. The benefits of using FortiSOAR with a managed security service provider include: Augmenting SOC (reducing time to resolution, 24/7 monitoring, etc.) Technical collaboration

Extended detection and response for SAP SAP security expert SecurityBridge and Fortinet, the leading network security provider, announced a strategic Fabric-Ready alliance to deliver SAP security intelligence to the FortiGate platform. The partnership has been formed to help organizations reduce lapse time, where threats exist in stealth mode until an attack or malicious activity targeting SAP is detected. Additionally, SecurityBridge provides full insight into the complex world of SAP security. The SecurityBridge platform empowers customers to optimize their SAP security posture.According to research from the Ponemon Institute, (on behalf of IBM) the average time required to identify a data breach is currently 197 days, with an additional 69 days on average to contain a data breach. Webinar Ivan Mans (CTO, SecurityBridge) and Matthias Czwikla (Head of global SAP sales at Fortinet) will discuss in more detail and showcase the integration in a public webinar. Join the webinar on 6

FortiPenTest, Fortinet pentest-as-a-service cloud-based service has just been updated to version 21.2.This new version brings some improvements to the portal and also new exciting features, that we will be discussing below. Enhancements to asset scansThe general scan process has been updated to allow more fine grained setup for power users. For example, HTTP authentication schemes have been enhanced to now support Digest and NTLM methods.Moreover, the UI is now letting you configure which vulnerability categories and subcategories you want to enable or disable for the scan. If you have some specific paths you want to exclude or some hidden paths you absolutely want to be covered by the scan you can now specify those via the Inclusion/Exclusion lists. As a matter of fact, you would want to exclude all the paths that can break the automatic scan to perform properly or could harm your web application integrity. For example, you should set exceptions for all /logout URL endpoints or endpoi

Security is evolving due to new regulations, new threats, and changes to how services get deployed.  Today’s cyber-attack methods demonstrate increased sophistication and scale, and cloud deployments can be more vulnerable than on-premises deployments.   As customers become more privacy-conscious, requirements for encrypting communications are growing and making proper security enforcement more difficult.  The introduction of 5G and the increased implementations of IoT further increase the demand for scale and performance.  A new direction in cyber security is needed to deliver the scale and performance required without compromising on the security functionality deployed. Fortinet and NVIDIA are collaborating to create these scalable, adaptive solutions by combining the Fortinet FortiGate® Next Generation Firewall with NVIDIA BlueField DPUs. The advent of virtualized infrastructures (virtual machines and containers) and modern data center architectures increase

FortiSIEM 6.2.0 Release HighlightsHere we take a look at some of the new features in FortiSIEM 6.2. This release further enhances our scalable, easy to use SIEM solution.We're focusing on the following key new features:- MITRE ATT&CK® framework support- Pre-compute query support- Scale-out UEBAThe 6.2.0 release has more new features and enhancements. For a full breakdown, head to the release notes at http://docs.fortinet.com/document/fortisiem/6.2.0/release-notes/315116/introductionMITRE ATT&CK® Framework SupportThe revolutionary MITRE ATT&CK framework (https://attack.mitre.org/) is employed by increasing numbers of organizations. FortiSIEM 6.2.0 implements the ATT&CK framework down to the technique level, and provides significant ATT&CK coverage with out of the box rules. This provides a powerful tool to assist with attack detection and classification. In FortiSIEM 6.2.0 you can:- Benefit from over 950 ATT&CK focused rules, and over 1,400 rules in total- Associ

AppleTV, AirPlay and AWDL protocol with Wi-Fi – hard to diagnose, easy to fix Summary Apple devices support peer-peer communications that bypass Wi-Fi. Unfortunately, they use Wi-Fi channels to do this, which can interfere with the Wi-Fi network and be torture to chase down for network admins who is not already familiar with the problem. The good news is that Apple only uses a few specific channels and the simple solution is to blacklist channel 149 in the US, ch 44 in the EU and other regulatory domains.   AWDL AirDrop, AirPlay and who knows what else use a wireless networking protocol, Apple Wireless Direct Link (AWDL) as their underlying mechanism. It is a peer-to-peer protocol, meaning the devices talk directly to each other when sharing a file, as opposed to the typical Wi-Fi setup, where client devices connect to an AP to access the network. The Wi-Fi protocols also support a peer-to-peer option, ad hoc mode, but that is not very relevant at the moment. What we are concerned

Enterprise brick-and-mortar organizations need a way to understand customer and visitor behavior, demographics, and psychographics as well as the business operations as a whole inside a space to stay competitive. There are several hurdles for physical venues to overcome, however, that range from privacy and security concerns to data collection and processing.The Aislelabs platform is used by enterprise customers to offer scalable and agile business intelligence solutions with Fortinet infrastructure. Aislelabs collects over 12 billion data points a day, processing and storing over a million data points per second for interactive queries of both historical and real-time data streaming. There are two distinct, scalable flagship use cases the software addresses: Aislelabs Flow for location behavioral intelligence and Aislelabs Connect for demographic/psychographic data capture and marketing automation designed to unify online and offline marketing.Aiselabs is a Fortinet Fabric-Ready techn

What server processes have recently been active? Have any previously unseen new processes started? These are questions that may be asked by security analysts or server administrators - a new process could indicate the execution of unapproved and potentially malicious software.  FortiSIEM can gather Windows new process creation event logs, either Event ID 4688 or Sysmon, and build a watchlist of observed process names. FortiSIEM can then check future new process creation events against the watchlist and generate an incident if a new process name is not in the watchlist, indicating it hasn’t been seen before.  This blog examines how FortiSIEM does this. Note that this example is provided for informational purposes only, always perform your own evaluation and testing before deploying in a live environment. Windows Process Logging in FortiSIEM   Windows provides two mechanisms for logging process creation on servers. Both event types can be collected by the FortiSIEM Window

Hi Team.Please find attached the link to our Fortinet Centro América GotoStage Channel were you will the videos (SPANISH/ESPAÑOL) of our Central America Engineering Series.https://www.gotostage.com/channel/fortinet-central-ses-tech-seriesEach session is a discourse of a topic related to different Cybersecurity and IT  needs including a presentation and it's related Demo.  Below the current list of available videos and their direct links: Como acceder a un Laboratorio de "Fortinet Fasttrack" https://www.gotostage.com/channel/04e6c6cee4544dd6a03a666ce5c09070/recording/ab8a6edf412b42178fce4a39dc33307f/watch Como acceder al Laboratorio de "Fasttrack - Attack & Defense" en la plataforma Cloudshare https://www.gotostage.com/channel/04e6c6cee4544dd6a03a666ce5c09070/recording/52201849105843b9afda19228d41364a/watch Conozca su postura de Seguridad con Fortinet CTAP https://www.gotostage.com/channel/04e6c6cee4544dd6a03a666ce5c09070/recording/abfa8163920944a3b20b55

Fortinet’s Network Security Expert (NSE) Certification Program is in the running for two Cybersecurity Excellence Awards. Voting is open until January 31, 2021. Voting is easy and fast. Click on the thumbs up icon on the right-hand side of each nomination page, register and confirm your email address, to cast your vote for Fortinet. Vote for Fortinet for Best Cybersecurity Education Provider Vote for Fortinet for Best Cybersecurity TrainingThank you for your support!

See the original Discussion

Hi, I've been working with a FortiGSLB PoC for a customer, where we have GoDaddy as DNS registrar/DNS server. The customer, had several teams involved having different points of contact: GoDaddy DNS management peer, Endpoint (FortiClient) management peers, and FortiGate management peers. So in this case they needed a detailed step-by-step guide to follow and complete the PoC scope, which turn out in this doc posted.LATAM CES Oscar Cifuentes provided great guidance to build on the setup and decided to documented as well.https://fortinet.egnyte.com/dl/OtByU3fW5S/?

In today’s complex multi-vendor network environments, security teams often struggle to gain the visibility and control they need across their networks in order to maintain a strong security posture. Many are left managing workloads that exist not just on-premise, but also in the cloud which security often isn’t aware of. In 2019, 90% of companies were using cloud services, with experts reporting that 60% of workloads were running on a hosted cloud service in 2019 versus 45% in 2018. All of this expands the organization’s attack surface, requiring threat prevention across multiple devices, networks, and applications – which in turn demands making and managing frequent security policy change requests. And this complexity is causing security headaches. In 2019, an AlgoSec survey examined the issues involved with managing security in native, hybrid and multi-cloud environments, and the 700 respondents stated that their biggest challenges in managing their hybrid environments was detecting

We are continuously the data disclosed by FireEye on the “Sunburst”/UNC2452 operation and working with customers ensure their protection, detect and mitigate this issue. All published and subsequent discovered IOCs were immediately added to our FortiGuard threat intelligence network will be leveraged by solutions including FortiGate, FortiAnalyzer, FortiEDR, FortiSandBox, FortiSIEM and FortiClient.  As new IOCs are uncovered, they will also be immediately added to our databases.   Here is a summary of resources and how to stay current with the Fortinet products and solutions you have to ensure your protection and on-going detection.   FortiGuard Threat Signal – Supply Chain Attack on SolarWinds Orion Affecting Multiple organizations https://www.fortiguard.com/threat-signal-report/3770/supply-chain-attack-on-solarwinds-orion-platform-affecting-multiple-organizations-worldwide-apt29 The latest research on this attack is summarized in this blog https://www.fortinet.com/blo

FortiPenTest, Fortinet pentest-as-a-service cloud-based service has been recently updated to version 20.4. This new version brings improvements to all parts of the portal and also new features, that we will be highlighting below.  If you are already accustomed to FortiPenTest web user interface, you will be able to notice new changes here and there.  The easiest one to spot, will be the threat level score, which is a numeric value ranging from 0 to 10. It is computed from the CVSS scores of each OWASP Top 10 categories. Figure 1: Top right, threat score is displayed, 5.8/10 in the example The threat score is also listed in the inventory asset page. It can give operators a quick glance to prioritize and choose an asset for vulnerability remediation.  With our new big feature – schedule and recurring scans, there is no need for you to be in front of the interface to run a scan. You can plan your scan strategy way ahead of time. Schedule it for daily, weekly, monthly o

A more updated version of this blog is now available:  https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack By now you may have read from various media coverage regarding a state-sponsored campaign that has compromised SolarWinds “SunBurst/ UNC2452” that lead to the breach of multiple government agencies.  We are currently analyzing all of the data disclosed on the “Sunburst”/UNC2452 operation and are taking proactive steps to ensure the security of our customers.  What we know so far:   Based on our research and details disclosed to this point, this was a highly evasive and carefully planned attack that was orchestrated by a nation-state. The campaign was based on a supply-chain attack that leveraged backdoored SolarWinds update packages to.SolarWinds’s Orion IT monitoring and management software (affected versions are 2019.4 through 2020.2.1 HF1) in order to infiltrate into the target organizations. &nb

Endpoints are a critical and growing part of a corporate infrastructure.  Especially now in changing times with a growing teleworker force, endpoints need to be protected vigilantly. Cybersecurity attacks often start at the endpoint and then pivot to critical data sources. Thus, it is critical to bring endpoint detection data into a central view and orchestrate protection and remediation by utilizing multiple security controls and processes. Trend Micro has been proudly protecting customers from cyber-threats for over three decades, allowing them to consistently respond quickly to threats and protect their businesses from attack with high confidence. A partnership with Fortinet, which shares our commitment to open approach and putting customers first, enables us to offer best of breed solutions to mutual customers who can extract maximum value from security data shared between our solutions and ensure their security posture is optimized. Fortinet FortiSOAR™ | Trend Micro ApexOne