Extended Detection and Response (XDR) solutions are designed to help organizations federate their distributed security technologies to better identify and respond to active threats. While XDR is a new technology concept, its roots are in Endpoint Detection and Response (EDR) systems, which were designed to continually monitor system activity, identify risky behavior, and collect artifacts for investigation and response. The challenge is that many EDR solutions, and by extension their XDR counterparts, still fall short of the automated investigation, rapid containment and broader response that today’s threat landscape requires.
FortiEDR was developed to fill the gap between the immediate (but fallible) security provided by legacy and even self-proclaimed “next generation” AV and the ambitious (but time-consuming) approaches provided by emerging endpoint detection and response tools. Our vision was a behavior-based endpoint protection, detection, investigation, and response system that could not only block a much higher percentage of attacks (accurately) both pre- and post-execution (addressing not only prevention but also protection), but also continue assessing and more importantly classifying suspicious behavior over time while automating the entire process. We took that same set of principles and extended them to XDR, including an even greater investment in that middle step—investigation—that most XDR solutions punt back to the security team. It’s why we applied cloud-native investigation and remediation across the breadth of the Fortinet Security Fabric or other third-party tools.
Given the speed of most modern attacks, automation plays a critical role in providing effective detection, investigation and response services. To accelerate and refine the automation process, we turned to artificial intelligence with the goal of fully replicating the investigation process traditionally handled by expert SOC analysts—the piece that requires highly specialized skills, tools, and processes and often takes the most time in crafting an effective response to an active threat. Ultimately, we selected a deep learning technology (a patented decision control flow engine, for those interested) for the FortiEDR solution, using five separate but integrated deep neural network models, each emulating a different aspect of the investigation and response process.
- Layer 1 ingests suspicious endpoint behavior and log files, along with associated artifacts needed for investigation.
- Layer 2 represents investigation microservices that provide additional enrichment.
- Layer 3 combines investigation results to generate classification information for the incident.
- Layer 4 identifies all the attack artifacts that would be required for remediation.
- Layer 5 combines the incident classification and remediation artifacts into an orchestrated recipe that can return endpoints to safe operation.
Having achieved great success with FortiEDR, it was a natural decision to expand this cloud-native investigation framework to seek out abnormal behaviors beyond the endpoint, allowing us to enable detection and response automation all across the Fortinet Security Fabric. To accomplish this, we expanded the training of the deep learning engine, enabling it to conduct a much more diverse set of investigations and coordinate a wide range of orchestrated response recipes.
Examples of AI Investigation at Work
Here are just a couple of representative examples of suspicious behaviors that trigger an AI-led investigation. In many cases, these are behaviors that may have been blocked by existing security controls and could be buried among other security information in logs, dashboards, or alerts.
Failed login attempts. Users periodically forget or mistype credentials, making repeated login failures a common occurrence. However, repeated login attempts can also be associated with brute force attacks and bear further investigation. FortiXDR has been trained to notice failed login attempts reported by FortiGate, authentication tools, or monitored endpoints. It then checks the number and characteristics associated with the failures, along with the originating IP addresses, and then correlates successful connections against an identity service such as Active Directory to detect anomalies, such as impossible travel (time zone-related inconsistencies). If, based on that correlation, there is reason to suspect a threat actor has successfully identified credentials based on a brute force attack, a pre-defined response—ranging from simple notification all the way to credential expiry, forced logout, and user reset—is activated.
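As an added illustration (not Fortinet's code or FortiXDR's logic), the two correlations this paragraph describes, run over a constructed set of authentication events: a run of failures from one source IP against one account followed by a success from that same IP, and two successes for one user whose distance and time gap imply implausible travel. The thresholds, coordinates, addresses and events are all assumptions made for the example.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample authentication events (not real logs):
# (time, user, source IP, outcome, approximate geo-coordinates of the source IP).
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "203.0.113.7", "fail", (52.52, 13.40)),
    ("2024-05-01T09:00:05", "alice", "203.0.113.7", "fail", (52.52, 13.40)),
    ("2024-05-01T09:00:09", "alice", "203.0.113.7", "fail", (52.52, 13.40)),
    ("2024-05-01T09:00:12", "alice", "203.0.113.7", "fail", (52.52, 13.40)),
    ("2024-05-01T09:00:15", "alice", "203.0.113.7", "fail", (52.52, 13.40)),
    ("2024-05-01T09:00:40", "alice", "203.0.113.7", "success", (52.52, 13.40)),
    ("2024-05-01T08:45:00", "alice", "198.51.100.23", "success", (40.71, -74.01)),
    ("2024-05-01T10:00:00", "bob", "192.0.2.5", "fail", (48.85, 2.35)),
    ("2024-05-01T10:05:00", "bob", "192.0.2.5", "success", (48.85, 2.35)),
]

FAIL_THRESHOLD = 5                  # assumed: failures from one IP against one account
FAIL_WINDOW = timedelta(minutes=10) # assumed: window in which those failures must occur
MAX_SPEED_KMH = 900.0               # assumed: faster than an airliner is implausible travel

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def investigate(events):
    """Return (finding, user, detail) tuples for the two correlations above."""
    findings = []
    events = sorted((datetime.fromisoformat(t), u, ip, o, geo) for t, u, ip, o, geo in events)
    # Correlation 1: count failures per (user, ip) inside the window; a success from the
    # same ip once the threshold is reached suggests a brute force that found credentials.
    recent_fails = {}
    for ts, user, ip, outcome, _ in events:
        fails = [t for t in recent_fails.get((user, ip), []) if ts - t <= FAIL_WINDOW]
        if outcome == "fail":
            fails.append(ts)
        elif outcome == "success" and len(fails) >= FAIL_THRESHOLD:
            findings.append(("brute_force_success", user, ip))
        recent_fails[(user, ip)] = fails
    # Correlation 2: consecutive successes for one user whose implied speed is impossible.
    last_success = {}
    for ts, user, ip, outcome, geo in events:
        if outcome != "success":
            continue
        if user in last_success:
            prev_ts, prev_ip, prev_geo = last_success[user]
            km = haversine_km(prev_geo, geo)
            hours = max((ts - prev_ts).total_seconds() / 3600, 1e-9)
            if km > 50 and km / hours > MAX_SPEED_KMH:  # 50 km slack for geo-IP imprecision
                findings.append(("impossible_travel", user, f"{prev_ip}->{ip}"))
        last_success[user] = (ts, ip, geo)
    return findings
```

In a real pipeline each finding would be mapped to one of the pre-defined responses the paragraph lists; here the function only returns the classified findings so the correlation logic can be checked in isolation.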
Potential phishing attack. Email remains the top attack vector, with web-based attacks just a step behind. And just one successful attack can have a major impact on an organization. Ideally, security teams should be looking at each email attack (including those that have been blocked). But they usually can’t, given the volume of attacks that a typical organization receives on any given day. FortiXDR, on the other hand, is able to apply extended analytics to every email and to web security logs to identify those that include malicious URLs. The system is then able to follow those URLs, analyze the files hosted on the site, follow them to linked pages, identify additional elements of a cyber campaign targeting employees, and then extract related artifacts, such as hashes, IP addresses, and behavioral indicators. With that information, FortiXDR then searches for indicators that any (extended) element of the campaign has impacted the organization. Pre-defined response actions include quarantining the devices that installed malicious files or have communicated with malicious sites, updating threat intelligence for malicious files and web sites, and more.
Rogue device detection. Another common attack vector used by threat actors is to infiltrate an edge IoT device. FortiXDR provides deep visibility into the organization’s IoT devices and correlates relevant data originating from the Fortinet Fabric. This information is used to detect potentially compromised IoT devices and orchestrate an appropriate response utilizing the tools deployed across the Security Fabric or third-party tools. For example, FortiEDR code tracing technology might detect lateral movement involving an endpoint device monitored by FortiEDR. By then unwinding the extended, Fabric-originated communications, FortiXDR can identify the activity source to be, for example, an IoT device within the network. Further correlation with FortiGate data may reveal a suspicious device at a remote IP address accessing this IoT device. Then, utilizing FortiNAC, FortiXDR can automatically isolate the IoT device from the network and issue a comprehensive alert.
Not all XDR Solutions are Alike. AI-based Investigation is Essential
The concept of XDR is all the rage. Unfortunately, most solutions only provide front-end extended detection—correlating, enriching, and analyzing security information. While those elements are crucial, they are insufficient given the scarcity of skilled cybersecurity analysts capable of providing the crucial middle step of investigation. A purpose-built AI system, however, can reveal and handle incidents faster and more accurately—not only improving an organization’s security posture and operations, but also freeing up your limited security professionals to focus on higher-order tasks. Which cyberthreats pose the greatest risk? Where is your organization most vulnerable? How do you improve employee behavior? What investments will most effectively strengthen your security posture?
We believe that it’s time for your security pros to stop reactively chasing security incidents and start making proactive changes to security postures and strategies. FortiXDR helps make that happen.