FortiWeb
A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate.
sra
Staff
Staff
Article Id 252772
Description This article describes how to use FortiWeb's Threat Analytics in the SOC Analyst Workflow.
Scope FortiWeb Cloud, FortiWeb.
Solution

All organizations have similar responsibilities assigned to the Security Operations Center', also commonly known as a SOC team.

 

SOC teams face countless challenges and are usually understaffed to deal with and investigate into the most important threats, often leading to alert fatigue. It takes numerous hours to sift through these alerts, determine suspicious activities, and to find a possible fix.

SOC teams employ SOC analysts/security analysts – the frontliners to fight against threats.

 

Here are few of their responsibilities:

 

- Detecting and hunting threats.

- Operating and maintaining various monitoring and threat intelligence tools.

- Auditing and compliance reporting.

- Managing alerts and delegating responsibilities.

 

Fortinet’s FortiWeb Cloud WAF-as-a-Service can help these analysts bring efficiencies to these responsibilities for their web app and API security.

 

Threat Hunting:

Threat intelligence and analytics platforms assist SOC analysts by centralizing information generated by various tools and aggregating them based on a common attack source. However, with FortiWeb Cloud, it is possible to tp leverage the Threat Analytics feature to help to identify and focus on the most significant threats.

 

Threat Analytics uses a powerful AI engine to combine and identify the most important threats across an entire application.

It then alerts the analysts based on common attack vectors.

For example, attacks based on Geo IP, same-source IP, and OWASP, are aggregated and then displayed on the Threat Analytics dashboard.

 
 

soc1.png

 soc2.png

 

In-depth Detail of Suspicious Activity:

It is possible to get more in-depth information about each of these attacks by application name, attack type, attacker IP geolocation, CVE ID’s, URLs, OWASP Top 10, and more.

It is also possible to view the number of targeted threats on the web browsers and the number of threats blocked by FortiWeb vs. the multitude of attacks displayed.

This information can help SOC analysts to filter and review WAF policies to make sure there are no misconfigurations and to protect web servers as intended.

 

soc3.png

 

The Insights view on the FortiWeb Threat Analytics dashboard adds an additional layer of configuration analysis that can help to understand if the web servers are directly exposed. Exposing the web app directly can allow a bad actor to bypass a WAF and target the web app’s IP address to perform an undetected attack.

It is a best practice to only limit access to FortiWeb’s management and scrub center traffic on the firewall while restricting the rest of the traffic directly to the origin servers.

 

soc4.png

 

Managing Alerts and Delegation:

Alert fatigue is a constant struggle for security teams.

Processing the alerts and acting in a timely manner can enable an organization to quickly detect and minimize the damage by halting the attack or preventing similar attacks in the future.

SOC teams use incident tracking tools to find, assess, and delegate the plethora of alerts that come in each day.

Even with these tools, alert fatigue can happen, which is why analysts need solutions that can also help them know which alerts to focus on first. Threat Analytics can help.

 

It is possible to integrate FortiWeb Cloud’s Threat Analytics into workflows that then alert SOC teams of high-priority alerts through email, or by opening incidents on tracking tools like Jira.

 

soc6.png

 

To leverage these options, start by creating a notification template and choosing between an email or a Jira alert.

Next, customize the log to show the notifications, and then choose the preferred risk level (low or medium, or high). 

 

sco7.png

 

For a Jira integration, a Jira account URL is needed from the organization, and an API token generated on the Jira account for FortiWeb to create an incident notification in theworkspace.

 

soc8.png

 

Whenever an alert is generated because of aggregated security incidents by the Threat Analytics algorithm, Fortiweb creates a notification on the Jira work page. Similarly, if an email notification template is created, an email notification will be sent as well.

 

Below is the image of a Jira workspace and open incidents notification generated by FortiWeb:

 

soc9.png

 

Based on the log format customized earlier, it is possible to see more details by selecting one of those events.

It is also possible to delegate by assigning this ticket to the responsible stakeholder for immediate action.

 

soc10.png

 

FortiWeb Cloud Threat Analytics is now available as a core part of the solution and does not require any configuration changes.

To take a free trial of FortiWeb Cloud or learn more, go to: fortiweb-cloud.com

 

To have these actionable insights for web applications protected by FortiWeb VM or on-prem appliances, purchase a Threat Analytics license separately.

Contributors