Add Fortinet to the long list of cybersecurity vendors jumping into the rapidly changing cross-layered detection and response (XDR) waters. The company says its new FortiXDR solution can handle complex tasks in seconds, reduce the number of alerts across products by 77% and significantly reduce human error. And it is the only XDR solution that can autonomously manage cyber-incidents from start to finish, Fortinet claims.
While Fortinet is far from the first to introduce an XDR solution, its FortiXDR tool may have been worth the wait, said Dave Gruber, senior security analyst at ESG. It took some time, he said, to integrate its FortiEDR, originally acquired from enSilo in October of 2019. The analytics capabilities in that endpoint detection and response (EDR) solution are very strong and powerful—better than many of the existing EDR solutions out there—he said.
“Because they built on top of those great EDR analytics, Fortinet is able to go into the market with some heavyweight analytics capabilities, and the XDR game is really an analytics game,” Gruber said. “It helps address both parts of XDR—the need to aggregate massive amounts of data from many different security controls, and then analyze and make sense of that data.”
FortiXDR is an automated, artificial intelligence (AI)-based extended detection and recovery solution, intended to aid security operations teams in finding and responding to advanced threats by automating the entire process, from detection to event investigation to remediating security incidents.
Like other XDR solutions, FortiXDR enables different security solutions to see, share and analyze data so they can more effectively detect threats and deliver a coordinated response that covers the entire attack surface. And like other XDR solutions, it makes liberal use of AI.
However, Fortinet uses AI in a different way than most. In addition to using AI to collect and analyze security information in a central data repository, FortiXDR also uses it to replicate the way security analysts investigate and classify incidents, which is typically a fairly manual process. Early FortiXDR users have been able to investigate incidents in 30 seconds or less—a process that would traditionally take security professionals 30 minutes or more, said David Finger, Fortinet’s senior director of products.
There are three parts to FortiXDR’s capabilities: extended detection (collecting information from a variety of sources); extended investigation (investigating detected threats using AI); and extended response (the ability to gather required resources from the rest of its security fabric to mount an automated and coordinated response).
For example, a customer that has deployed other products in Fortinet’s security fabric—in this case, FortiGate and FortiMail)—would benefit from each of these parts this way:
- Extended detection: Analyzing the alerts from both products and identifying emails containing and network requests including the same malicious URL. Even if blocked by these products, they indicate a potential phishing incident and trigger the AI engine to investigate.
- Extended investigation: This investigation includes visiting the URL to download files, running those files through static and dynamic analysis to determine maliciousness, identifying IP addresses related to the initial URL and subsequent downloads, searching the customer environment for these indicators and more.
- Extended response: Devices showing these indicators can be quarantined until malicious files are removed, IP addresses placed on a block list and so forth to remediate the incident and return the device to operation.
Integration with Fortinet’s Security Fabric is a real differentiator, Gruber said. The Security Fabric, essentially an integration strategy to make all the security tools and products work together and share insight, is a valuable way to connect data in a meaningful way. Fortinet also has been very careful about exposing APIs to allow other third-party data to also connect to the infrastructure, he noted.
“Most organizations run more than one security vendor’s tools, and they don't necessarily want to rip them all out and replace them all with one vendor's tools, so they are going to want their existing security tools to work together,” Gruber said.
Automating Security Operations Processes
Fortinet also is stressing the degree of automation in the solution. Finger said the solution can fully automate security operations processes typically handled by experienced security analysts to mitigate threats faster across the broad attack surface. For example, an automatable response framework can be preconfigured to trigger response activity based on the type, severity, scope and other aspects of each incident.
Smaller organizations without dedicated security resources may be drawn to the degree of automation in the solution, Gruber noted. “Think of it like a dial you can turn for the XDR that allows you to determine the degree of automation you want,” he said. “Do you want it to take actions on your behalf, or do you want it to get all the way to that point, but leave it up to you to agree or confirm an action before it takes place?”
Over time, XDR products such as FortiXDR might actually replace security information and event management (SIEM) tools, Gruber said. Recent ESG research shows that many organizations would be willing to replace their SIEM with XDR if the XDR tool does everything vendors say it can do.
“For the last four or five years, it’s been a race to capture more data, and the means to do that has been the SIEM—the data aggregation mechanism,” he said. It may shake out differently with different types of organizations, Gruber said. Large organizations that have invested a lot in SIEM might consider adding XDR, while a smaller company with budget set aside to invest in SIEM might change course and go with an XDR.
