Digital innovation has transformed businesses and the networks they use to run critical applications, perform online transactions, connect remote workers, and collect and process critical data. These advances raised new security challenges, giving rise to new security solutions designed to address those challenges.
However, the speed of transformation left organizations with little time to consider the broader security infrastructure when implementing those solutions. As a result, today’s security teams are left trying to manage a vast collection of security tools from various vendors and establish some visibility and consistent policy orchestration and enforcement across their organization. Among other challenges, security teams struggle to detect and respond to more—and more damaging—cyberattacks across a complex and largely isolated security toolset.
For instance, according to Fortinet, its customers mostly understand the logistical and technological challenges. They are interested in moving from dozens of different security vendors and products to a handful or less of security platforms, complemented by point products where necessary. Citing a Gartner study, it also said that 80% of organizations are either currently or planning to consolidate security vendors. But the question at hand is, “how do you decide which vendor(s) to choose as we consolidate?”
While there are pragmatic considerations, such as satisfaction with the vendor, breadth of controls available in their platform, effectiveness, and features of each control, and more, an organizing principle has emerged to simplify and integrate that process—XDR, or eXtended Detection and Response.
Defined by Gartner as “a security incident detection and response platform that automatically collects and correlates data from multiple security products,” XDR enables an essential integration principle that leverages existing technologies to create unified vision and control over complex, distributed environments. It is a much-preferred consolidating principle than procurement-driven decision-making. XDR enables different security solutions to see, share, and analyze data to detect threats more effectively and deliver a coordinated response that covers the entire attack surface.
While this sounds like a great idea—and it is—it is much more complicated than it may appear on the surface. Some XDR solutions come from large security vendors that can integrate multiple products within their portfolio. Others come from smaller start-ups that seek to provide a normalization layer above components from different vendors. There are pros and cons to each approach. In the first case (single-solution vendor), one should expect a unified vision, common policy experience, tight product inter-relationship, and other benefits.
The biggest downside is likely to be the limited choice within that vendor’s portfolio. By contrast, choosing an “open” XDR approach eases that single-vendor constraint but is expected to fall short in other areas such as integration, analytics, or automation. The effort to ensure central management across many products, and multiple versions thereof, is substantial. Multiplying that exponentially across the diverse vendor landscape, not to mention the tall task of analytics and automation on top of management, results in a massive effort for such vendors and various limitations for the end customer.
XDR solution that autonomously manages cyber incidents
At Fortinet, security experts have been building integrated, multiple product solutions designed to operate as a single cohesive system, first with our Advanced Threat Protection Framework, a personal trip down memory lane, and more recently, the Fortinet Security Fabric.
The Security Fabric is a broad, integrated and automated cybersecurity platform powered by FortiGuard Labs security services that protect the digital enterprise from endpoint and IoT through network and cloud. FortiXDR is designed to extend the Fortinet Security Fabric, reducing complexity, accelerating detection, automating alert investigations, and coordinating responses to cyberattacks.
“FortiXDR leverages the standard data structure, correlated telemetry, unified visibility, native integration, and seamless interoperation of Fortinet’s portfolio of Fabric-enabled solutions. It also layers on automated analytics, incident investigation, and pre-defined responses out of the box,” said Louie Castaneda, country manager of Fortinet Philippines.
FortiXDR brings these advanced capabilities to all three steps of finding and mitigating a security incident:
Extended Detection. FortiXDR begins by leveraging the diverse security information shared across the Fortinet Security Fabric for correlation and analysis. And because it can collect data across the industry’s broadest portfolio, the more threat telemetry can be used to find an active threat—especially those designed to avoid detection.
Extended Investigation. FortiXDR is the first XDR solution to apply artificial intelligence (AI) to investigate detected threats—a process every other XDR solution hands off to an overburdened human security analyst, slowing down the process and leaving systems vulnerable to human error. Given the volume of alerts most networks generate, many security teams are not resourced to chase down every potential threat.
Traditionally, once initiated detection is made, a security analyst must look at the potential incident, decide how to investigate and verify it, assess its scope and associated components, see if it indicates a deeper threat not easily detected at first glance, and determine the right response—whether to classify the alert as a false positive or trigger the XDR solution to respond.
FortiXDR’s first-of-its-kind, AI-based XDR solution fully automates incident investigation rather than relying on scarce human resources. A patent-pending Dynamic Control Flow Engine powers it. It is also continually trained using the threat data, and research feeds provided by FortiGuard Labs and its incident responders’ frontline expertise. It establishes the context of an alert, performs a thorough investigation to determine if the threat is real, and then identifies the attack’s nature and scope. Hence, the response system knows how to proceed. Unlike a security analyst, FortiXDR performs this function in a matter of seconds, effectively closing the exposure gap created by other XDR solutions.
Extended Response. Because FortiXDR is fully integrated into the Security Fabric, it is natively able to marshal every available resource needed to mount an effective, automated, and coordinated response. Since its response functions are more uniform than most security information formats, customers can also leverage connectors to even tie in many third-party solutions in their response.
Key Benefits of FortiXDR
In addition to speeding detection, investigation, and response, FortiXDR also gives organizations a compelling case to consolidate independent security products. Early adopters show that it dramatically reduces the number of alerts to be investigated by 77% or more on average, helping ensure that cyberattacks do not get “lost in the noise.”
FortiXDR is also the only XDR solution augmented with AI across all elements of the detection, investigation, and response process. It eases the operational burden on security teams handling complicated tasks in seconds requiring experts with specialized tools 30 minutes or more to accomplish, without human error. And with its broad portfolio of independently top-rated controls that can be deployed to address the cyber kill chain from end-to-end, there are plenty of opportunities to consolidate more and more vendors over time.
All of this enables organizations to reduce mean time to detection (MTTD) and mean time to response (MTTR), thereby decreasing cyber incidents’ impact while improving security operations efficiency and overall security posture. It frees up seasoned security professionals for higher-value contributions to the security of the organization. It helps the organization itself continue to effectively compete while addressing the crush of security and vendor sprawl through strategic solution consolidation and automated threat detection and response across the entire distributed network.