The pricing model is based on a license per device, or network element to be monitored. Customers have two licence type options, and each is available as either a subscription or perpetual service. All-in-one license starts at £12 per month, 10 events per second, one-year agreement. Endpoint licence starts at £5.5 per month, two events per second, one-year agreement.
Strengths: Huge feature set, some of which are not at all what you’d expect in a SIEM but, nonetheless, are extremely useful giving “single pane of glass” a new meaning.
Weaknesses: Glimmers of immaturity, such as install difficulties.
Verdict: There is a lot to getting this one up and running, but once it’s up and you have the things you want to monitor plugged in, this one of the most complete SIEMs we’ve seen.
This is a new product for Fortinet and we have mixed emotions about it. To start, we had difficulties installing that we did not think were excusable. We received the tool as a virtual appliance provided as an .ova file. That means that the entire device is present - operating environment, applications, etc. All we should need to do was configure it to the network after we installed it on our VMware ESXi 5.5 host. Everything went fine until it wanted a mount point for storage. We were given two choices: a predefined directory or an external array.
We avoid using one of our storage arrays unless we are dealing with a lot of data, so we opted for the default. When we selected it, we received a message that the directory didn't exit - this is a Linux install, so no problem. It said "select another directory," so we chose the .mnt directory, a normal mount-point. But it didn't like that. It insisted on the default - which didn't exist on their image for some reason. So, we created the directory and gave it world read/write/execute. No joy there either. This time the message was "wrong permissions," so we gave up and diverted to Fortinet and got an opportunity for a solid analysis.
The tool is very good with the exception that we found the installation problems unacceptable, given that the entire tool is supposed to be on the image. The documentation wasn't much help either. But, support was excellent and we saw FortiSIEM at its best. This is a SIEM with overtones of a UTM and it is packed with analytic features. For example, it constantly performs auto-discovery of devices on the enterprise. It comes complete with a suite of compliance reporting tools. It is a next-generation product with advanced analytics and threat analysis feeds. One of its more unusual capabilities is its ability to monitor elements, such as CPU utilisation, usually left to other tools in the NOC.
It also can follow IoT products such as HVAC devices. On top of the unusual features, FortiSIEM does all of the things you would expect a competent SIEM to do, such as cross-log correlation, event correlation and network monitoring. With all of its capabilities one might think that it would be difficult to operate but, in fact, we found that we could take a slice of the types of functions we wanted to keep an eye on and set them up for easy reference. If something started to look a bit hinky, we could simply drill down as we would expect with any similar device and get exactly what we needed.
If we could not get what we wanted from the supplied functionality, no problem. The FortiSIEM is provided on a CentOS platform and has the tools to run Python, Bash, Perl and other types of scripts and programs. Reporting is extensive and incident management is fairly complete. Automated remediation is available and the scripting can be used to extend the automation specifically to the particular enterprise.
The list of devices and applications that FortiSIEM supports is considerable. Besides the usual firewalls, gateways, IPS, load balancers and host operating systems, it also collects data from such tools as Nagios; environmental devices, such as UPS and HVAC; and hardware, such as Dell and HP servers.
Support is fee-based without basic support included. We believe that, at least during the deployment and tuning phase of implementation, basic level support should be included. The website is good with a useful support portal. Documentation is extensive and, although we found it less than complete in the case of our installation issue, that seems to be the exception.