NSE3 FortiEDR - PO - Watermarked


Welcome to the FortiEDR product overview training.


These are the topics we will explore in this lesson, beginning with a product overview.
By the end of this lesson, we expect you will be able to:

• Identify the business drivers and security challenges customers currently face
• Describe the FortiEDR product key features, and
• Identify the sales strategies for, and competitive advantages of, FortiEDR

When you talk to your customer about their problems, ensure that you solicit their feedback. The
following pain points are what we’ve been hearing from the field, but understanding the nuances of the
customer’s pain will ensure that you provide the appropriate solution.

Ask your audience how often they see endpoint compromise. A typical range is between 2 and 4%.

Talk to the problem of resource scarcity, especially with customers who have experienced a first
generation EDR solution. The sheer number of alerts in these first generation EDRs that need to be
triaged further exacerbates the skills shortage problem and causes alert fatigue.

Another pain point that we hear of often is the complexity of the security ecosystem. One reason for
this is the expanded attack surface. Another is that many customers have too many point solutions that
don’t completely integrate or may not integrate at all.

Last, the cost of incident response is a pain that most customers experience but rarely recognize. While
we are all cognizant that breaches cost money and disrupt business, few recognize that incident
response also has a cost.

The Endpoint Protection Platform market has experienced disruption and reinvention over its
development.

The traditional EPP solution focused on prevention using signature-based AV. This was followed by
next generation AV that touted machine learning and signature-less technology. The next wave in the
evolution of endpoint protection introduced the Endpoint Detection and Response (EDR) technology.
Most organizations came to realize that prevention alone was not enough and that some malware
could exist for months undetected in their networks. In addition to protection, they required detection
and response.

Recognizing each other's deficiencies, EPP vendors began adding detection and response capabilities,
while EDR vendors added prevention. Also, most vendors added an optional managed detection
and response (MDR) service.

Increasingly, today’s customers are demanding endpoint hardening and attack surface
reduction capabilities.
According to Gartner, a contemporary EPP solution must have the following capabilities:
• Prevention of file-based malware
• Detection through the monitoring of malicious behavior and activities, and last
• Response and remediation

FortiEDR provides all of these, plus the following advanced capabilities:

• Predicts and prevents attacks through attack surface reduction and malware prevention
• Detects and defuses threats with real-time detection & disarmament, and
• Responds, investigates, and hunts with the help of orchestrated remediation and forensic
investigation
FortiEDR is the only EPP + EDR solution in the market that provides pre-infection and post-infection protection. This unique
combination is more effective at stopping breaches and preventing ransomware encryption attacks.

It blocks, detects, and defuses threats automatically. This is in stark contrast to other EDR vendors who rely on manual responses
to breaches, which can take anywhere from 30 minutes to several hours to contain. The ‘detect and defuse’ step is preemptive by
blocking external communications of malware, and by denying it access to file systems. This, in effect, prevents file exfiltration and
ransomware encryption in real time.

You might hear a skeptic ask, “Won’t this block legitimate applications and cause downtime for endpoints?” FortiEDR defuses
threats without terminating the process or quarantining the endpoint. During the critical stage of investigating suspicious behavior,
FortiEDR temporarily blocks the software while it queries the cloud backend for an analysis of the potential threat. If the suspicious
code turns out to be benign, then the block is lifted without disturbing users or disrupting business. The whole process takes mere
seconds. This feature is particularly important to an OT environment where machine uptime is essential.

The customer can customize the playbook that defines the automated response and remediation procedures. The prescribed
actions are based on threat categorizations and endpoint groups.
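The two paragraphs above describe a flow in which a suspicious action is held while a verdict is pending, released if the verdict comes back benign, and otherwise handled by a playbook keyed on threat category and endpoint group. The following is an added, constructed Python simulation of that state machine written for this page; it is not FortiEDR code, and the verdict names, playbook table, endpoint groups, and sample events are all assumptions made for illustration.

```python
"""Constructed simulation of a 'detect and defuse' flow: an event's action
(outbound connection or file write) is held while a verdict is pending,
released on a 'safe' verdict, and otherwise handled by a playbook keyed on
threat category and endpoint group. Example code only, not FortiEDR's."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    PENDING = "pending"          # analysis still running: hold the action
    MALICIOUS = "malicious"
    SUSPICIOUS = "suspicious"
    INCONCLUSIVE = "inconclusive"
    SAFE = "safe"


@dataclass
class Event:
    event_id: int
    process: str
    endpoint_group: str
    action: str                  # "net_egress" or "file_write" (assumed labels)
    verdict: Verdict = Verdict.PENDING
    history: list = field(default_factory=list)
    archived: bool = False


# Hypothetical playbook: (verdict, endpoint group) -> ordered list of actions.
# Pending and inconclusive verdicts keep the hold; a safe verdict lifts it.
PLAYBOOK = {
    (Verdict.MALICIOUS, "servers"): ["block", "terminate", "isolate", "notify_soc"],
    (Verdict.MALICIOUS, "workstations"): ["block", "terminate", "notify_soc"],
    (Verdict.SUSPICIOUS, "servers"): ["block", "notify_soc"],
    (Verdict.SUSPICIOUS, "workstations"): ["block"],
}


def is_held(event: Event) -> bool:
    """The action stays blocked until a SAFE verdict arrives; nothing is
    terminated or quarantined merely because analysis is incomplete."""
    return event.verdict is not Verdict.SAFE


def apply_verdict(event: Event, verdict: Verdict) -> list:
    """Record a verdict transition and return the actions it triggers."""
    event.history.append((event.verdict, verdict))
    event.verdict = verdict
    if verdict is Verdict.SAFE:
        event.archived = True    # benign events are archived, not deleted
        return ["release"]
    if verdict in (Verdict.PENDING, Verdict.INCONCLUSIVE):
        return ["hold"]
    # Fall back to a conservative default for a group the playbook omits.
    return PLAYBOOK.get((verdict, event.endpoint_group), ["block", "notify_soc"])


def defuse(event: Event, verdicts: list) -> dict:
    """Run an event through a sequence of backend verdicts and summarise."""
    actions = []
    for v in verdicts:
        actions.extend(apply_verdict(event, v))
    return {"final": event.verdict.value, "held": is_held(event),
            "archived": event.archived, "actions": actions}


def sample_run() -> dict:
    """Constructed sample events: the slide's inconclusive -> safe case on a
    workstation, and a suspicious -> malicious escalation on a server."""
    benign = Event(1, "updater.exe", "workstations", "net_egress")
    hostile = Event(2, "sample-hollowed.exe", "servers", "net_egress")
    return {
        "benign": defuse(benign, [Verdict.INCONCLUSIVE, Verdict.SAFE]),
        "hostile": defuse(hostile, [Verdict.SUSPICIOUS, Verdict.MALICIOUS]),
    }


if __name__ == "__main__":
    for name, summary in sample_run().items():
        print(name, summary)
```

The design point worth noting is that the hold is the default state: an event is released only on an explicit safe verdict, and the playbook lookup is keyed on both the category and the endpoint group, which is what lets a server and a workstation receive different responses to the same verdict.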

The FortiEDR interface provides help to SOC analysts by an interactive guide that prescribes actions and provides additional
information when investigating potential breaches or hunting malware.

Last, FortiEDR supports legacy Windows systems and air-gapped deployments.


The defuse step in the post-infection process is particularly noteworthy because it differentiates FortiEDR from other EPP vendors.
In addition to the fact that FortiEDR is the only EPP solution with pre-infection and post-compromise protection, FortiEDR also
automates the defusing of any threat as soon as detected. The real-time action ensures that the breach is neutralized
expeditiously and without the requirement of manual intervention. The blocking of outbound communication prevents data
exfiltration, data tampering, and ransomware encryption.

This slide gives you further insight into how the defuse process works. The events page lists potential threats that have been
analyzed or are undergoing analysis. As an object goes through the defuse process, it is classified at each stage as
malicious, suspicious, inconclusive, or safe.

At the lower right, a potential threat was first rendered ‘inconclusive’, but after further analysis it was changed to ‘safe’. How long
did this process take? Four seconds. And there wasn’t any disruption to business. Events like this are automatically archived to
reduce clutter and to provide an audit trail.

As mentioned earlier, FortiEDR contains a guided interface. By selecting one of the malicious events, a
pop-up is invoked that explains the technique—in this case process hollowing.

The interface maps the event to MITRE, and the red text provides a helpful prescription of what actions
should be taken. It's like having a mentor guiding you through a serious situation. This can be
advantageous in light of the endemic skills shortage.
Here are some questions and answers that will give you greater insight into FortiEDR features. The first question is: If ransomware
encrypted some files before it was blocked, can the encryption be rolled back? It can, provided that FortiEDR was deployed prior
to the event.

Does FortiEDR have AV and other prevention capabilities? Yes. FortiEDR has a machine learning AV engine in addition to
behavior-based detection that allows real-time detection and defusing. What’s more, it proactively discovers rogue devices,
applications, and vulnerabilities, and proactively reduces the attack surface by way of virtual patching.

What platforms does FortiEDR support? FortiEDR supports Windows, Mac, and Linux. It also supports legacy Windows
platforms, such as XP and Server 2003, as well as Windows Embedded and Core.

What does cloud-native infrastructure mean? Fortinet hosts and manages the backend infrastructure in the cloud. The only
situation where this would not be true is an on-premise deployment in an air-gapped environment, or in a hybrid mode. A corollary
question might be: Given that you are a cloud-based solution, does FortiEDR provide off-line protection? The answer is yes.

What does a hybrid deployment mean, and what are its benefits? A hybrid deployment means that a FortiEDR core is deployed
locally in the customer’s environment. The local core serves the endpoints when they operate on-premise. However, when an
endpoint leaves the corporate network, it automatically connects to the nearest FortiEDR core in the cloud. This flexible solution
ensures that remote endpoints continue to enjoy FortiEDR protection.

Many partners are in search of a strategic partner to fill the void left by Symantec. FortiEDR is well positioned to fill this void.

One, as the previous slides showed, FortiEDR is a differentiated and competitive solution.

Two, FortiEDR is integrated with the Fortinet Security Fabric, FortiSIEM, and FortiSandbox, and will soon be integrated with
FortiGate and FortiNAC. This allows partners and sellers to land and expand.

Three, many resellers are interested in adding managed services. FortiEDR provides an excellent opportunity to resell the Fortinet
MDR service. The Fortinet MSSP team can set up the partner to deliver managed security service offerings on their own and
become a Fortinet authorized MSSP partner.

What are the benefits of reselling FortiEDR’s managed detection and response (MDR) service?

By automating many standard procedures, we optimize the partner SOC so you can serve more customers.

FortiEDR’s real-time protection allows you to offer a better SLA than a competitor whose service is based on manual tools.

The FortiResponder team will shadow you for three months and will take all escalation cases.

Lastly, the native cloud infrastructure provides multi-tenancy for MSSP.


We have a number of customer references who would be happy to talk about their experiences. Reading from the Gartner peer
insights, one customer wrote, "enSilo is the first product in my fifteen year career that makes me think we have a chance." That's
quite a commendation.

FortiEDR offers an MDR service, which is branded FortiResponder MDR. It provides organizations with 24/7 continuous threat
monitoring, alert triage, and incident handling by experienced analysts. The FortiResponder team monitors alerts generated by
FortiEDR on customer sites. They review and analyze every alert, proactively hunt threats, and take action on behalf of customers
in accordance with their risk profile. Additionally, the FortiResponder team provides guidance to incident responders and IT
administrators.

Click the service tab from the FortiEDR page on fortinet.com for more information about FortiResponder.
Good job! You now understand FortiEDR, and its features and benefits.

Now, let’s examine specific sales strategies and other FortiEDR-related sales enablement topics.

Please continue to the next lesson.
