Recently, analyst firm IDC produced its MarketScape reports on Endpoint Detection and Response (EDR) technology, one for the Enterprise [1] and one for SMB [2]. Fortinet's FortiEDR was named a Major Player in the report, along with several others, but my attention was drawn to eight key facets that IDC recommends buyers consider when evaluating EDR technology. I believe the criteria in the guide were fairly spot on, so I have listed them below with a few thoughts on each one. The order below is the order in the MarketScape guide and does not reflect an order of importance.
- Protection efficacy – This is where it should always begin. I have seen many people keep older EPP or AV solutions that don't make the grade, primarily because they either don't want to go through the exercise of replacing them to proactively stop a future attack or are waiting for an incident to motivate them into action. When it comes to Fortinet's protection scores for FortiEDR, it landed a 99.7% protection rate in AV-Comparatives testing with zero false positives on common business software, and 100% in the latest MITRE ATT&CK evaluation.
- EDR automation – This is where EDR excels and separates from the old AV and EPP platforms. It is what turns an overburdened SOC or IT staff from ignoring alerts into a team that fine-tunes the EDR solution to do the work for them, so more time can be spent on EDR management and on threat hunting when the need arises. On the subject of FortiEDR, one Gartner Peer Insights customer said "This is the first tool in my 15-year career that makes me feel I have a chance."
- Device support – The built-in Windows Defender antivirus seems like a good option since it comes native with Windows, but it only covers currently supported Windows OS versions. Do you have macOS devices, Linux, or even older versions like Windows 7 or XP in your environment? A strength of FortiEDR is its support of macOS, Linux, and both legacy and current Windows operating systems, which extends beyond what many EDR vendors cover. Before buying any EDR, inventory every OS and version you actually run and check each one against the vendor's supported-platform list, since the unsupported machines are usually the ones an attacker lands on first.
- Cross-functional integration (patch management) – FortiEDR's technology leverages something we call virtual patching within Communication Control. This is designed to let you create granular policies that act according to your internal rules on application reputation and vulnerability scores. For instance, what do you want to do with an application that has a low reputation but only a moderate vulnerability, or one that has a moderate reputation yet carries a critical vulnerability? Some may choose to block the application from communicating with the network or the Internet. In that case the user can still run the application, but it cannot talk to the outside world, which buys time until the real patch is deployed.
- XDR frameworks – Some point players like CrowdStrike have to assemble an XDR offering from the telemetry of other third-party sources and vendors, which Gartner calls an "Open XDR" approach rather than a native XDR. Fortinet and its many products generate a lot of telemetry that FortiXDR can consume. Additionally, FortiEDR can already take in data from FortiGate, FortiNAC and other sources, thereby offering an XDR-like capability as an EDR. IDC further notes that FortiEDR is "a natural consideration for existing Fortinet customers, especially those strategizing their eventual move to XDR."
- Ransomware defense and recovery – If I had to order these by importance, this would certainly rank #2 after protection efficacy. FortiEDR takes out ransomware, period! An endpoint protected by FortiEDR that is in protection mode has never been compromised by this form of attack. Even if one were, the remediation steps and automatic rollback can repair the damage caused by this attack method, which makes FortiEDR the best friend of any IT security person.
- Built-in device security capabilities – IDC states that "while not yet mainstream, attackers compromising the device's firmware is a possibility" and wants buyers to see how a product protects the device from such an attack. A related and far more common technique in ransomware attacks is the malicious bootloader, also called a bootlocker, which overwrites the boot record so the OS never starts; that attack lands below the operating system but above the firmware, so it is not the same as a firmware compromise, though both are invisible to a product that only inspects user-mode processes. FortiEDR acts as a firewall at the kernel level of the system and protects the system even against attacks that attempt to breach this layer.
- Managed service options – FortiEDR's Managed Detection and Response (MDR) offering allows customers to rely on Fortinet's team to handle the alerts and incidents that arise from real-world threats. MDR services are recommended for all customers, especially in the first year, to help fine-tune the EDR technology to the environment.
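To make the Communication Control item above concrete, here is an added example of the kind of decision a virtual-patching policy has to make for every application in an inventory. This is illustrative code written for this post, not FortiEDR's own implementation: the reputation bands, the policy rules, the CVSS thresholds and the sample inventory are all assumptions. The point it shows is that the output is not allow-or-kill; a vulnerable application can keep running while its network access is cut, and the policy fails closed when the vendor has no reputation verdict at all.

```python
"""Virtual-patching policy evaluator (example code for this post; not FortiEDR's
Communication Control). Given an application's reputation and the worst CVSS
score among its known vulnerabilities, decide whether it may use the network.
Rule thresholds and sample data below are assumptions, not vendor defaults."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Reputation(Enum):
    LOW = 0
    MODERATE = 1
    HIGH = 2


class Severity(Enum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


def cvss_severity(score: float) -> Severity:
    """Map a CVSS v3.x base score to its qualitative rating band."""
    if score <= 0.0:
        return Severity.NONE
    if score < 4.0:
        return Severity.LOW
    if score < 7.0:
        return Severity.MEDIUM
    if score < 9.0:
        return Severity.HIGH
    return Severity.CRITICAL


class Action(Enum):
    ALLOW = "allow"                  # run and communicate normally
    ALERT = "alert"                  # run and communicate, but raise an alert
    BLOCK_NETWORK = "block-network"  # may run, but outbound connections are denied


@dataclass
class Application:
    name: str
    version: str
    reputation: Optional[Reputation]            # None: no vendor verdict yet
    cvss_scores: List[float] = field(default_factory=list)

    @property
    def worst_severity(self) -> Severity:
        return cvss_severity(max(self.cvss_scores, default=0.0))


@dataclass
class Rule:
    max_reputation: Reputation   # rule matches if reputation <= this ...
    min_severity: Severity       # ... and worst severity >= this
    action: Action
    reason: str


# First matching rule wins; ordered from most to least restrictive.
POLICY: List[Rule] = [
    Rule(Reputation.HIGH, Severity.CRITICAL, Action.BLOCK_NETWORK,
         "critical vulnerability: isolate from network regardless of reputation"),
    Rule(Reputation.MODERATE, Severity.HIGH, Action.BLOCK_NETWORK,
         "high-severity vulnerability in an app that is not well trusted"),
    Rule(Reputation.LOW, Severity.MEDIUM, Action.BLOCK_NETWORK,
         "low reputation plus a medium vulnerability"),
    Rule(Reputation.LOW, Severity.NONE, Action.ALERT,
         "low or unknown reputation with no known vulnerability: alert only"),
    Rule(Reputation.HIGH, Severity.HIGH, Action.ALERT,
         "trusted app with a high-severity vulnerability: flag for patching"),
]
DEFAULT_ACTION = Action.ALLOW


def evaluate(app: Application, policy: List[Rule] = POLICY) -> Tuple[Action, str]:
    """Return the action for one application and the reason it was chosen."""
    # Fail closed: an app nobody has vouched for is treated as low reputation.
    rep = app.reputation if app.reputation is not None else Reputation.LOW
    sev = app.worst_severity
    for rule in policy:
        if rep.value <= rule.max_reputation.value and sev.value >= rule.min_severity.value:
            return rule.action, rule.reason
    return DEFAULT_ACTION, "no rule matched"


def network_denylist(inventory: List[Application]) -> List[str]:
    """Names of the apps a host agent should cut off from the network."""
    return [a.name for a in inventory if evaluate(a)[0] is Action.BLOCK_NETWORK]


# Constructed sample inventory (assumed names, versions and scores).
SAMPLE_INVENTORY: List[Application] = [
    Application("LegacyReportTool", "2.3", Reputation.LOW, [5.3]),        # low rep, medium vuln
    Application("VendorUpdater", "1.0", Reputation.MODERATE, [9.8]),      # moderate rep, critical vuln
    Application("OfficeSuite", "16.0", Reputation.HIGH, [8.1, 4.0]),      # trusted, high vuln
    Application("Browser", "110.0", Reputation.HIGH, [6.5]),              # trusted, medium vuln
    Application("UnknownTool", "0.1", None, []),                          # no verdict, no vulns
]


def decisions(inventory: List[Application]) -> Dict[str, str]:
    return {a.name: evaluate(a)[0].value for a in inventory}


if __name__ == "__main__":
    for app in SAMPLE_INVENTORY:
        action, reason = evaluate(app)
        print(f"{app.name:18} {app.version:6} -> {action.value:14} ({reason})")
    print("network denylist:", network_denylist(SAMPLE_INVENTORY))
```

The two cases from the text both end in BLOCK_NETWORK: the low-reputation app with a medium (5.3) vulnerability hits the third rule, and the moderate-reputation app with a critical (9.8) vulnerability hits the first. A well-trusted suite with a high-severity flaw is only flagged for patching, and the unknown tool is alerted on rather than silently allowed. When reviewing a real product, ask to see exactly this table for your own inventory before you trust the defaults.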
Although not mentioned in the report, I would add a couple of other criteria for anyone evaluating an EDR solution. First, how lightweight is the agent, as in what percentage of CPU and memory does it consume on a representative endpoint under normal load? Secondly, can it integrate with other parts of your security ecosystem (SIEM, SOAR, ticketing, firewalls) to support workflows outside of an XDR concept?
In closing, I want you to know that EDR from any vendor is a very different solution than your typical AV or EPP solution. It takes training, it takes time to tune for your environment (e.g. allow-listing your internal applications), and it does generate some false positives for which you will have to create exceptions. The largest benefit is the automation component of FortiEDR. I invite you to read the solution brief Boosting Endpoint Security with Real-time, Automated Incident Response to see for yourself whether this is the right step for you if you are not currently using an EDR platform. If you are using an EDR platform that is generating too many alerts or no longer working for you, either talk to us or read the ESG brief on second-generation EDR.
[1] IDC MarketScape: Worldwide Modern Endpoint Security for Enterprises 2021 Vendor Assessment, IDC #US48306021, November 2021
[2] IDC MarketScape: Worldwide Modern Endpoint Security for Small and Midsize Businesses 2021 Vendor Assessment, IDC #US48304721, November 2021