NSE3 FortiEDR Combined LiteUpdate 20210305
These are the topics we will explore in this lesson, beginning with a product overview.
NSE3 FortiEDR
• Identify the business drivers and security challenges customers currently face
• Describe the FortiEDR product key features, and
• Identify the sales strategies for, and competitive advantages of, FortiEDR
When you talk to your customer about their problems, ensure that you solicit their feedback. The
following pain points are what we’ve been hearing from the field, but understanding the nuances of the
customer’s pain will ensure that you provide the appropriate solution.
Ask your audience how often they see endpoint compromise. A typical range is between 2 and 4%.
Talk to the problem of resource scarcity, especially with customers who have experienced a first-generation
EDR solution. The sheer number of alerts in these first-generation EDRs that need to be triaged further
exacerbates the skills shortage problem and causes alert fatigue.
Another pain point that we hear of often is the complexity of the security ecosystem. One reason for
this is the expanded attack surface. Another is that many customers have too many point solutions that
don’t completely integrate or may not integrate at all.
Last, the cost of incident response is a pain that most customers experience but rarely recognize. While
we are all cognizant that breaches cost money and disrupt business, few recognize that incident
response also has a cost.
The Endpoint Protection Platform market has experienced disruption and reinvention over its
development.
The traditional EPP solution focused on prevention using signature-based AV. This was followed by
next-generation AV that touted machine learning and signature-less technology. The next wave in the
evolution of endpoint protection introduced Endpoint Detection and Response (EDR) technology.
Most organizations came to realize that prevention alone was not enough and that some malware
could exist for months undetected in their networks. In addition to protection, they required detection
and response.
Recognizing each other's deficiencies, EPP vendors began adding detection and response capabilities,
while EDR vendors added prevention. Also, most vendors added an optional managed detection
and response (MDR) service.
Increasingly, today’s customers are demanding endpoint hardening and attack surface
reduction capabilities.
According to Gartner, a contemporary EPP solution must have the following capabilities:
• Prevention of file-based malware
• Detection through the monitoring of malicious behavior and activities, and last
• Response and remediation
FortiEDR is the only EPP + EDR solution in the market that provides pre-infection and post-infection protection. This unique
combination is more effective at stopping breaches and preventing ransomware encryption attacks.
It blocks, detects, and defuses threats automatically. This is in stark contrast to other EDR vendors who rely on manual responses
to breaches, which can take anywhere from 30 minutes to several hours to contain. The ‘detect and defuse’ step is preemptive by
blocking external communications of malware, and by denying it access to file systems. This, in effect, prevents file exfiltration and
ransomware encryption in real time.
You might hear a skeptic ask, “Won’t this block legitimate applications and cause downtime for endpoints?” FortiEDR defuses
threats without terminating the process or quarantining the endpoint. During the critical stage of investigating suspicious behavior,
FortiEDR temporarily blocks the software while it queries the cloud backend for an analysis of the potential threat. If the suspicious
code turns out to be benign, then the block is lifted without disturbing users or disrupting business. The whole process takes mere
seconds. This feature is particularly important to an OT environment where machine uptime is essential.
The customer can customize the playbook that defines the automated response and remediation procedures. The prescribed
actions are based on threat categorizations and endpoint groups.
The FortiEDR interface provides help to SOC analysts by an interactive guide that prescribes actions and provides additional
information when investigating potential breaches or hunting malware.
The defuse step in the post-infection process is particularly noteworthy because it differentiates FortiEDR from other EPP vendors.
In addition to the fact that FortiEDR is the only EPP solution with pre-infection and post-compromise protection, FortiEDR also
automates the defusing of any threat as soon as detected. The real-time action ensures that the breach is neutralized
expeditiously and without the requirement of manual intervention. The blocking of outbound communication prevents data
exfiltration, data tampering, and ransomware encryption.
Now let’s talk about another differentiator—our automated incident response and remediation.
As we have mentioned before, FortiEDR automates event classification. Once it reaches a verdict, it initiates a response that can
be automated using a customizable playbook.
Available response and remediation actions include: notify users, terminate process, isolate
device, remove files, roll back malicious changes (including files encrypted by ransomware), and
clean up persistency.
At this stage, since the threat is already blocked in the defuse stage, security analysts can
investigate and hunt for the threat without working on a “live wire”.
The security team can customize the automated incident response playbook based on the targeted user group, that is,
whether the attack hit the C-suite, HR, or general users. The same malicious event can trigger different responses based on the playbook.
Alternatively, you can perform remote remediation manually. Again, because of the defuse stage, the malicious actions
are already blocked. This gives the security team breathing room.
This screenshot gives you some insight on how intuitive it is to configure the playbook. Response action integrates with FortiGate
and FortiNAC.
This slide gives you further insight into how the defuse process works. The events page lists potential threats that have been
analyzed or are undergoing analysis. As an object undergoes the defuse process, it is classified at each stage as
malicious, suspicious, inconclusive, or safe.
At the lower right, a potential threat was first rendered ‘inconclusive’, but after further analysis it was changed to ‘safe’. How long
did this process take? Four seconds. And there wasn’t any disruption to business. Events like this are automatically archived to
reduce clutter and to provide an audit trail.
As mentioned earlier, FortiEDR contains a guided interface. By selecting one of the malicious events, a
pop-up is invoked that explains the technique—in this case process hollowing.
The interface maps the event to Mitre and the red text provides a helpful prescription of what actions
should be taken. It’s like having a mentor guiding you through a serious situation. This can be
advantageous in light of the endemic skills shortage.
Here are some questions and answers that will give you greater insight into FortiEDR features. The first question is: If ransomware
encrypted some files before it was blocked, can the encryption be rolled back? It can, provided that FortiEDR was deployed prior
to the event.
Does FortiEDR have AV and other prevention capabilities? Yes. FortiEDR has a machine learning AV engine in addition to
behavior-based detection that allows real-time detection and defusing. What’s more, it proactively discovers rogue devices,
applications, and vulnerabilities, and proactively reduces the attack surface by way of virtual patching.
What platforms does FortiEDR support? FortiEDR supports Windows, Mac, and Linux. It also supports legacy Windows
platforms, such as XP and Server 2003, as well as Windows Embedded and Core.
What does cloud-native infrastructure mean? Fortinet hosts and manages the backend infrastructure in the cloud. The only
situation where this would not be true is an on-premise deployment in an air-gapped environment.
What does a hybrid deployment mean, and what are its benefits? A hybrid deployment means that a FortiEDR core is deployed
locally in the customer’s environment. The local core serves the endpoints when they operate on-premise. However, when an
endpoint leaves the corporate network, it automatically connects to the nearest FortiEDR core in the cloud. This flexible solution
ensures that remote endpoints continue to enjoy FortiEDR protection.
Many partners are in search of a strategic partner to fill the void left by Symantec. FortiEDR is well positioned to fill this void.
One, as the previous slides showed, FortiEDR is a differentiated and competitive solution.
Two, FortiEDR is integrated with the Fortinet Security Fabric, FortiSIEM, and FortiSandbox, and will soon be integrated with
FortiGate and FortiNAC. This allows partners and sellers to land and expand.
Three, many resellers are interested in adding managed services. FortiEDR provides an excellent opportunity to resell the Fortinet
MDR service. The Fortinet MSSP team can set up the partner to deliver managed security service offerings on their own and
become a Fortinet authorized MSSP partner.
What are the benefits of reselling FortiEDR’s managed detection and response (MDR) service?
By automating many standard procedures, we optimize the partner SOC so you can serve more customers.
FortiEDR’s real-time protection allows you to offer a better SLA than a competitor whose service is based on manual tools.
The FortiResponder team will shadow you for three months and will take all escalation cases.
We have a number of customer references who would be happy to talk about their experiences. Reading from the Gartner peer
insights, one customer wrote, “Ensilo is the first product in my fifteen year career that makes me think we have a chance.” That’s
quite a commendation.
FortiEDR offers an MDR service, which is branded FortiResponder MDR. It provides organizations with 24/7 continuous threat
monitoring, alert triage, and incident handling by experienced analysts. The FortiResponder team monitors alerts generated by
FortiEDR on customer sites. They review and analyze every alert, proactively hunt threats, and take action on behalf of customers
in accordance with their risk profile. Additionally, the FortiResponder team provides guidance to incident responders and IT
administrators.
Click the service tab from the FortiEDR page on fortinet.com for more information about FortiResponder.
Good job! You now understand FortiEDR, and its features and benefits.
Now, let’s examine specific sales strategies and other FortiEDR-related sales enablement topics.
EPP is the second largest security market valued close to $9 Billion and growing at about 9%. With the Broadcom takeover, many
Symantec customers are looking for a replacement and many channel partners are still searching for a strategic partner that they
can recommend to their customers.
Unlike the six year refresh cycle for firewalls, most organizations only sign annual contracts for their EPP solution. This is what
Gartner recommends as well.
While traditional EPP has penetrated the market, over 60% of organizations still lack EDR functionality in their endpoint
security. The upgrade from traditional prevention-focused (AV-centric) EPP to a contemporary EPP + EDR solution is
what is fueling the growth.
Many of those organizations that are still using earlier versions of EPP have made it their priority in 2020 to acquire EDR
capabilities. We want to focus on these mainstream organizations in the financial services, healthcare, government, and hospitality
verticals, as well as manufacturing, OT, critical infrastructure, oil & gas, retail, and hospitality. It's really this latter group on whom
we want to double down. Why? These mainstream organizations are not early adopters, and they are ripe for
upgrading their endpoint protection systems. What's more, manufacturing and OT environments place a premium on system
availability. This plays to our strength. Plus, support for legacy systems and on-premise deployments has already won many
deals in this vertical. We have also seen success in the financial, healthcare, and government verticals.
The decision-maker for choosing the next EPP solution is decidedly the CISO, with the SOC leader, endpoint security team lead,
and the security architect as influencers.
The sweet spot for FortiEDR is an enterprise customer with 1000 plus employees. A secondary, but still acceptably sized,
customer would be a mid-size organization with 500 endpoints.
The security team is the right group to pitch FortiEDR. Endpoint security is an important function within that team, and they have
budget set aside.
A trend in many companies is consolidation of products and vendors. Some organizations are running multiple endpoint security
solutions and are looking to consolidate.
Most EPP contracts are one year. There is a three to six month research window prior to expiration.
This innovative manufacturing enterprise sought to protect their endpoints from external cyber attackers. Their concerns included
ransomware, sabotage, and anything that could cause production down time and harm to the bottom line. Their requirements for
high availability and security, plus the need to accommodate many legacy Windows systems, made FortiEDR a logical choice.
This financial services company with about 9,000 endpoints had been breached by file-less malware, which existed undetected
within their network for extended periods of time. Ransomware attacks disrupted and threatened its business. They realized that
the traditional perimeter defence and prevention-focus was inadequate. The deployment of enSilo, now FortiEDR, gave their
security team complete visibility of attacks and they regained control of their network.
During the discovery phase of the sales cycle, ask the customer if they have a security team or SOC.
Ask them how many endpoints they need to protect. Remember, ideally we are looking for a customer with over 1,000 endpoints.
You might ask them what solution they are currently using to protect their endpoints. It's likely that they will respond with
Symantec, McAfee, Sophos, CrowdStrike, or SentinelOne. Don't be surprised if the customer is using more than one solution. For
example, we've seen CrowdStrike deployed to augment Symantec. Moreover, in large enterprises you may see one division using
one solution and another division deploying a different endpoint security solution.
We want to know if the prospect has an EDR solution currently, or if they are running a traditional prevention solution.
Other questions you can ask are: Where are you in your renewal cycle? Do you have legacy Windows systems that need
protection? What percentage of your end-user devices or systems need to be re-imaged on a regular basis? Are you concerned
that remediation may take a toll on your production environment? For retail, ask: What platform is your current Point of Sale system
running? For manufacturing and OT, ask: Are you concerned about availability for your production environment? Can your
current solution block a threat both before and after infection in real time? Is business disruption from threats and solutions an
issue?
Here are some questions that you can use to qualify the opportunity.
How many endpoints do you need to protect? Preferably the number is 500 or greater.
How happy are you with your current endpoint protection solution? You might follow up with the question, does it have EDR
capabilities?
When is your renewal date with your current endpoint protection solution? And, lastly,
When you meet a prospect they might offer some objections to FortiEDR. Here are several that we’ve heard, together with a
considered response.
Fortinet acquired enSilo at the end of 2019. enSilo received an honorable mention in Gartner EPP MQ due to its robust
capabilities. It wasn’t included because of its installation base. Check out Gartner Peer Insight and you will see that enSilo, now
FortiEDR, received an average of 4.8 stars. We are happy to arrange for you to speak with reference customers.
We are looking for a comprehensive solution with prevention, detection, and response, not just EDR.
Despite its name, FortiEDR is exactly what you described. We provide visibility of devices and vulnerabilities on the network, and
reduce the attack surface. FortiEDR has machine learning, signature-less anti-malware to prevent file-based infection, and a
code tracing technology to detect malicious activities or unusual behavior. Together, this gives FortiEDR the unique ability to
protect endpoints post-infection. We also allow you to customize the playbook for response and remediation. With our ability to
code trace and record endpoint activities, we can provide detailed information for forensic investigation and threat hunting.
Unlike a lot of our competitors, we stop ransomware pre-execution and post-infection by continuously monitoring the processes
and their communications. In order to encrypt, the ransomware needs to communicate with the system files to read and write.
Once FortiEDR detects a ransomware attack, it will sever communications and isolate the process.
This is more effective than the typical shadow copy approach (a la SentinelOne and Sophos), because we can prevent
ransomware from communicating with non-local files, such as mapped network drives, while SentinelOne and Sophos only work
where the agent resides.
FortiEDR competes very well against all EDR vendors, including traditional EPP vendors, such as CrowdStrike, CarbonBlack,
SentinelOne, Symantec’s SEP and ATP, and Microsoft Defender ATP. FortiEDR has successfully displaced Sophos, TrendMicro,
and other EPP vendors.
What about FortiResponder? How does it compare with other MDR services? The FortiResponder MDR service is comparable to
the premium services, such as CrowdStrike Falcon OverWatch Premium. FortiResponder currently does not offer a service
comparable to OverWatch Standard, for example. The OverWatch Standard service typically costs about $10 per seat. The
standard service essentially notifies a customer of a breach by email. Presently, we don't find this level of service helpful to
customers, but we will continue to evaluate the market requirements and customer feedback.
For a thorough competitive Q & A, please see the recorded Webinar found under the Resource section of this course.
FortiEDR offers real-time protection from pre-infection 'prevention' to post-infection 'detection and response'. The automated detection
and response is behavior-based and customizable. The code tracing technology and other data retained from a breach can be
leveraged for a thorough forensic investigation. FortiEDR actively reduces the attack surface by discovering rogue devices,
unauthorized applications, and vulnerabilities, which can be proactively remedied.
On the operational efficiency side of the balance sheet, FortiEDR is light and nimble, so it doesn't burden network machines or
traffic. It remediates infected machines without taking them offline and with minimal disruption. It supports a variety of
platforms, including legacy Windows systems. And lastly, FortiEDR has flexible deployment options, from cloud to air-gapped to
a hybrid model.
The pricing is simplified. There is no difference between servers and workstations.
The product is sold in packs of 25, 500, and 10,000. Most SKUs have a minimum quantity of 500 endpoints. If you need to protect 600
endpoints, order one of the 500 pack SKUs plus four of the 25 pack SKUs. If you had 1200 endpoints, then order two 500 packs
and eight 25 packs.
We now offer a 24x7 Managed Detection and Response (MDR) service. You can order it and add it on as another SKU. The quantity
must match the total number of endpoints ordered.
The default deployment options are cloud or hybrid. We do offer on-premise deployment for air-gapped environments, but there is
a special SKU for that.
To calculate an estimate for the customer, you must first determine the number of endpoints, which includes both workstations
and servers. If the customer has between 250 and 500 endpoints, then direct the customer to the complete plus MDR service. All
other SKUs have a minimum quantity of 500. You can use a combination of the packs to reach the total quantity.
Add the mandatory deployment service. There are five different SKUs that are based on deployment size. Make sure to use the
correct one.
While there is some overlap in malware prevention and sandbox integration, FortiClient and FortiEDR address two different buying
centers. The FortiClient pertains to the network security team, who maintain the FortiGate firewalls and are concerned with Fabric
visibility, endpoint access control, secure remote access (VPN), and web filtering.
The team interested in FortiEDR is the security team, where the CISO is the primary decision maker.
In the past, we have paired FortiClient with Fabric-Ready partners, such as SentinelOne or CarbonBlack, so there is nothing
preventing you from pairing FortiClient and FortiEDR.
My customer has a FortiSandbox appliance in their datacenter and would like to leverage their “local” enterprise threat intelligence
into FortiEDR. Do we support that?
FortiEDR can integrate FortiSandbox with FortiEDR Cloud Services (FCS) to further extend its reclassification capabilities.
My customer subscribes to a third party threat intelligence service, not FortiGuard. Can they leverage this threat intelligence, and
have it feed into FortiEDR?
A request like this will need to be evaluated on a case-by-case basis. In general, third party threat intelligence data could be
integrated into FCS provided that it follows industry standard formats or provides an API for integration, such as OpenIOC, STIX,
JSON, and XML. The integration and configuration will require professional services.
Congratulations!
After you’ve studied both lessons, don’t forget to take the quiz. To earn your course completion certificate, you must pass the quiz.