Managing security in a large, complex, multi-site environment with thousands of users and endpoint devices is hard. Security teams can easily be assigned hundreds, if not thousands, of incidents per day. As the network grows and the attack surface expands with more users, more IoT devices and more touch-points, adding security staff to handle the workload does not scale well. Adding more security tools does not scale well either, since more tools mean more complexity and more manpower.
Hence the development of security orchestration, automation, and response tools such as FortiSOAR.
FortiSOAR ties into Fortinet’s Security Fabric to receive alerts and alarms and to respond to security events in an automated fashion. Yet FortiSOAR is not limited to a Fortinet environment: it can communicate with over 280 third-party applications via “connectors”, which allow automated incident responses to security events across those tools as well.
Below is a high-level overview of FortiSOAR.
FortiSOAR uses playbooks to respond to security events and alerts. Security teams can use the many built-in playbooks to automate the response to an incident, and they can create their own playbooks to fit their unique environment. The video below provides an overview of FortiSOAR playbooks and a typical use case.
Below are two videos that demonstrate how FortiSOAR can automate the response to a malicious email. When an end-user receives a suspicious email, they forward it to a SOC mailbox. The playbook watching that mailbox receives the mail, isolates the attachment, sends the attachment to two locations for testing and, based on the results, notifies the end-user whether the attachment is safe or malicious. The demo shows how a security analyst would build this automated response using a drag-and-drop GUI.
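The triage flow described above, written out as an added Python example (not FortiSOAR's own code, which is built in the drag-and-drop playbook editor): the raw email, the two analyzer stubs standing in for the "two locations for testing", and the `<<BAD>>` marker are all constructed here for illustration. The combining rule also handles the case the flow glosses over: an analyzer that errors out must not produce a "clean" notification.

```python
import email
from email import policy
from typing import Callable, Dict, Optional, Tuple

# Constructed sample of a forwarded message as it lands in the SOC mailbox;
# the attachment is a harmless text file, not real malware.
RAW_EMAIL = (
    "From: user@example.test\r\nTo: soc@example.test\r\n"
    "Subject: FW: Invoice\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nPlease check this.\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="invoice.bin"\r\n'
    'Content-Disposition: attachment; filename="invoice.bin"\r\n\r\n'
    "benign test content\r\n--b1--\r\n"
)

def extract_attachment(raw: str) -> Optional[Tuple[str, bytes]]:
    """Isolate the first real attachment, skipping the text body."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.iter_attachments():
        return part.get_filename() or "unnamed", part.get_payload(decode=True)
    return None

def triage(raw: str, analyzers: Dict[str, Callable[[bytes], str]]) -> Dict[str, str]:
    """Send the attachment to every analyzer and combine the verdicts: any
    "malicious" wins, all "clean" is clean, anything else (an analyzer error
    or timeout) is "inconclusive" so a failed test never reads as "safe"."""
    att = extract_attachment(raw)
    if att is None:
        return {"verdict": "no_attachment", "notify": "Nothing to test."}
    name, data = att
    results = {k: fn(data) for k, fn in analyzers.items()}  # fan out
    if any(v == "malicious" for v in results.values()):
        verdict = "malicious"
    elif all(v == "clean" for v in results.values()):
        verdict = "clean"
    else:
        verdict = "inconclusive"
    notify = f"{name}: {verdict} {results}"  # message back to the end-user
    return {"verdict": verdict, "notify": notify, **results}

# Hypothetical stand-ins for the two test locations; a real playbook would
# call connectors here (e.g. a sandbox and a hash-reputation service).
def sandbox_stub(data: bytes) -> str:
    return "malicious" if b"<<BAD>>" in data else "clean"  # constructed marker
def reputation_stub(data: bytes) -> str:
    return "clean"  # constructed: empty known-bad list
def timed_out_stub(data: bytes) -> str:
    return "error"  # simulates an analyzer that did not answer
```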
Unified Incident Response Management
FortiSOAR allows SOC teams to automate the response to incidents and utilize all their existing tools instantaneously. This shortens response times to machine speeds.
As an example, the first time a new threat alert arrives, an analyst can view the threat, research and enrich the data (by running scans, sending samples to a sandbox, or searching for similar threats), remediate the problem, and create a new playbook based on this threat. The playbook can then be automated so that the next time this threat is seen, the response runs at machine speed.
SOC Team Collaboration
FortiSOAR allows security specialists to work together as a team to respond to incidents. Analysts can hand off cases, record notes on their findings, update automated playbooks, and so on. FortiSOAR offers enterprise-class role-based access, so for example you could give a junior analyst read-only access to playbooks while allowing a more seasoned and trusted analyst to modify them. Queues allow analysts to work on incidents and pass particularly complex or challenging incidents to senior analysts, along with notes on their findings. This results in enhanced team collaboration and reduced workloads and stress, while allowing teams to expand their security efforts without additional labor expense.