FortiXDR - Automated threat detection, investigation and response
Fortinet
Digital innovation has transformed businesses and the networks they use to run critical applications, conduct online transactions, connect remote workers, and capture and process important data. As in the past, these advances have brought new security challenges, and new security solutions have emerged to address them. However, the speed of transformation has left companies little time to consider the broader security infrastructure when deploying these solutions. The result is that today, more than ever, security teams must manage a sprawling collection of security tools from multiple vendors while trying to achieve some kind of unified visibility and consistent orchestration and enforcement of policy across the enterprise. Among other challenges, security teams are struggling to detect and respond to a growing number of increasingly damaging cyberattacks with a complex and largely siloed toolset.
In my conversations with clients, usually in online executive briefings, most of them understand the logistical and technological challenges of this complexity and are keen to move from dozens of security vendors and products to a handful of security platforms, or fewer, supplemented by standalone products as needed. So I am not surprised that, according to Gartner, 80% of organisations are currently consolidating, or planning to consolidate, their security vendors. The question that then arises is: "How do I decide which vendor(s) to choose as part of the consolidation?"
Beyond pragmatic considerations such as satisfaction with the vendor, the scope of controls available in its platform, the effectiveness and features of each control, and much more, an organising principle has emerged that simplifies and structures this process: XDR, or eXtended Detection and Response. Defined by Gartner as "a security incident detection and response platform that automatically collects and correlates data from multiple security products", XDR provides an integration principle that builds on existing technologies to create a unified view of, and unified control over, complex, distributed environments. This is a much more sensible basis for consolidation than procurement-driven decision making ("the vendor gave us a great deal on a suite of products"). XDR allows different security solutions to see, share and analyse each other's data so they can detect threats more effectively and deliver a coordinated response that covers the entire attack surface.
While this sounds like a great idea - and it is - it is much more complicated than it might first appear. Some XDR solutions come from large security vendors that integrate the multiple products in their own portfolio; others come from smaller start-ups that try to build a normalisation layer across components from different vendors. Each approach has advantages and disadvantages. With a single solution provider, one should expect a unified view, a common policy experience, tight integration between products and other benefits; the biggest disadvantage is probably the limited choice within that vendor's portfolio. An 'open' XDR approach, on the other hand, removes the single-vendor constraint but is likely to fall short in other areas such as integration, analytics or automation. In our experience, the effort required to manage many products (and multiple versions of each) centrally is significant. Multiply that effort across the diverse vendor landscape, add the far larger task of analytics and automation on top of management, and the result is a huge overhead for those vendors and a long list of limitations for the end user.
FortiXDR - The only XDR solution to autonomously manage cyber incidents from start to finish.
At Fortinet, we have developed integrated, multi-product solutions that work as a single, cohesive system: first with the Advanced Threat Protection Framework and more recently with the Fortinet Security Fabric. The Security Fabric is a comprehensive, integrated and automated cybersecurity platform, powered by FortiGuard Labs security services, that protects the digital enterprise from the endpoint and IoT through the network and into the cloud. FortiXDR is designed to extend the Fortinet Security Fabric, reduce complexity, accelerate detection, automate alert investigation and coordinate the response to cyberattacks. As part of the Security Fabric, FortiXDR can draw on the common data fabric, correlated telemetry, unified visibility, native integration and seamless interoperation of Fortinet's portfolio of Fabric-enabled solutions. Building on this, automated analytics, incident investigation and predefined responses work out of the box. FortiXDR provides these advanced capabilities for all three steps of security incident detection and remediation:
- Advanced detection: FortiXDR begins by leveraging the wealth of security information shared across the Fortinet Security Fabric for correlation and analysis. And because it gathers intelligence across the industry's broadest portfolio, more threat telemetry is available to uncover an active threat, especially one designed to evade detection.
- Advanced investigation: FortiXDR is the first XDR solution to use artificial intelligence (AI) to investigate detected threats, a step that every other XDR solution hands off to an overworked human security analyst, slowing the process and leaving systems exposed to human error. And given the volume of alerts most networks generate, many security teams simply do not have the resources to investigate every potential threat.
Traditionally, once a detection fires, a security analyst must look at the potential incident, decide how to investigate and verify it, assess its scope and the components involved to determine whether it indicates a deeper threat that may not be apparent at first glance, and then decide on the proper response: either classify the alert as a false positive or trigger the XDR solution to respond.
- Advanced response: Because FortiXDR is fully integrated into the Security Fabric, it can mobilise all the available resources needed for an effective, automated and coordinated response. And because response actions are far more uniform across products than security telemetry formats are, customers can also use connectors to bring many third-party solutions into the response.
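The three steps above, as a worked illustration. What follows is an added example written for this page; it is not Fortinet code and does not describe how FortiXDR works internally. It normalises alerts from two hypothetical products (a firewall and an endpoint agent, with made-up JSON field layouts), correlates them per host inside a time window so that only clusters seen by more than one product become incidents, and maps each incident to a coordinated response. The log lines are constructed, and the detection rules (an Office application spawning a LOLBin; a blocked connection tagged with a threat name) and the action names are assumptions for the example.

```python
"""Added example (not Fortinet's code): a minimal XDR-style pipeline that
normalises alerts from two products, correlates them per host inside a
time window, and plans a coordinated response. Field names, log formats,
detection rules and action names are hypothetical; the log lines are
constructed for the example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in hypothetical JSON-lines formats.
FIREWALL_LOG = """\
{"ts": "2024-03-01T10:00:05Z", "src": "10.0.0.5", "dst": "203.0.113.9", "action": "deny", "threat": "Malware.C2.Beacon"}
{"ts": "2024-03-01T10:01:10Z", "src": "10.0.0.5", "dst": "203.0.113.9", "action": "deny", "threat": "Malware.C2.Beacon"}
{"ts": "2024-03-01T10:20:00Z", "src": "10.0.0.7", "dst": "198.51.100.4", "action": "deny", "threat": "Recon.PortScan"}
{"ts": "2024-03-01T11:00:00Z", "src": "10.0.0.9", "dst": "192.0.2.8", "action": "allow", "threat": null}
"""
ENDPOINT_LOG = """\
{"ts": "2024-03-01T10:00:40Z", "host_ip": "10.0.0.5", "proc": "powershell.exe", "parent": "winword.exe", "sha256": "4e1f...c0de"}
{"ts": "2024-03-01T10:30:00Z", "host_ip": "10.0.0.7", "proc": "chrome.exe", "parent": "explorer.exe", "sha256": "91ab...beef"}
{"ts": "2024-03-01T12:00:00Z", "host_ip": "10.0.0.11", "proc": "mshta.exe", "parent": "outlook.exe", "sha256": "77aa...dead"}
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}   # assumed rule input
LOLBINS = {"powershell.exe", "mshta.exe", "wscript.exe"}       # assumed rule input


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize_firewall(line):
    """Firewall event -> common alert dict, or None when it is not a detection."""
    e = json.loads(line)
    if not e["threat"]:
        return None
    return {"ts": parse_ts(e["ts"]), "host": e["src"], "source": "firewall",
            "kind": e["threat"], "detail": {"dst": e["dst"], "action": e["action"]}}


def normalize_endpoint(line):
    """Endpoint event -> common alert dict when an Office app spawns a LOLBin."""
    e = json.loads(line)
    if e["parent"] not in OFFICE_PARENTS or e["proc"] not in LOLBINS:
        return None
    return {"ts": parse_ts(e["ts"]), "host": e["host_ip"], "source": "endpoint",
            "kind": "SuspiciousChildProcess",
            "detail": {"proc": e["proc"], "parent": e["parent"], "sha256": e["sha256"]}}


def collect_alerts(firewall_log=FIREWALL_LOG, endpoint_log=ENDPOINT_LOG):
    """Step 1, detection: pull every product's alerts into one normalised list."""
    alerts = [normalize_firewall(l) for l in firewall_log.splitlines()]
    alerts += [normalize_endpoint(l) for l in endpoint_log.splitlines()]
    return sorted((a for a in alerts if a), key=lambda a: a["ts"])


def _as_incident(host, cluster):
    sources = {a["source"] for a in cluster}
    if len(sources) < 2:          # a single product's view is not escalated on its own
        return []
    return [{"host": host, "sources": sorted(sources),
             "kinds": sorted({a["kind"] for a in cluster}), "alerts": cluster}]


def correlate(alerts, window=timedelta(minutes=5)):
    """Step 2, investigation: cluster alerts per host; consecutive alerts closer
    than `window` join one cluster, and a cluster is an incident only when two
    or more products contributed to it."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    incidents = []
    for host, host_alerts in by_host.items():
        cluster = []
        for a in host_alerts:
            if cluster and a["ts"] - cluster[-1]["ts"] > window:
                incidents += _as_incident(host, cluster)
                cluster = []
            cluster.append(a)
        incidents += _as_incident(host, cluster)
    return incidents


def plan_response(incident):
    """Step 3, response: map each contributing signal to an action on the
    product best placed to act (hypothetical action names)."""
    actions = set()
    for a in incident["alerts"]:
        if a["source"] == "firewall":
            actions.add(("firewall", "block", a["detail"]["dst"]))
        elif a["kind"] == "SuspiciousChildProcess":
            actions.add(("endpoint", "isolate", incident["host"]))
            actions.add(("endpoint", "quarantine", a["detail"]["sha256"]))
    return sorted(actions)


def run():
    alerts = collect_alerts()
    incidents = correlate(alerts)
    return {"raw_alerts": len(alerts), "incidents": incidents,
            "responses": [plan_response(i) for i in incidents],
            "triage_reduction": 1 - len(incidents) / len(alerts)}


if __name__ == "__main__":
    print(json.dumps(run(), default=str, indent=2))
```

Run as a script to print the single incident (host 10.0.0.5, seen by both products) and its planned actions. The point worth noticing is where the reduction in alerts needing investigation comes from: the pipeline requires agreement between independent products inside the window, and single-source alerts (the port scan on 10.0.0.7, the mshta.exe launch on 10.0.0.11) are not discarded but simply do not become incidents, so they remain as lower-priority alerts in the output of `collect_alerts()`. The 80% figure this toy produces is an artefact of the constructed data, not a claim about any product.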
Key benefits of FortiXDR
FortiXDR not only speeds detection, investigation and response, but also provides a compelling case for organisations to consolidate independent security products.
Early adopters report that the number of alerts requiring investigation is reduced, on average, by 77% or more. And as mentioned earlier, FortiXDR is the only XDR solution augmented with AI across every element of the detection, investigation and response process. This reduces the burden on security teams by completing in seconds complex tasks that would take experts with specialised tools 30 minutes or more, and it does so without human error.
And with Fortinet's broad portfolio of independently top-rated controls, which can be deployed to cover the cyber kill chain end to end, there are many opportunities to consolidate further vendors over time.
All of this lets organisations reduce mean time to detection (MTTD) and mean time to response (MTTR), limiting the impact of cyber incidents while improving the efficiency of security operations and the overall security posture. It frees experienced security professionals for higher-value contributions to the organisation's security and helps the organisation continue to compete effectively, while addressing both security and vendor proliferation through strategic solution consolidation and automated threat detection and response across the distributed network.