Fortified with FortiEDR: Fortinet's EDR solution

Table of contents
- What is FortiEDR?
- FortiEDR components
- FortiEDR Collector
- Core
- FortiEDR Central Manager
- FortiEDR Aggregation Server
- FortiEDR Cloud Service
- FortiEDR Policy Structure: The Three Pillars of Endpoint Defense (and more)
- Communication Control Policy
- Security Policy Assignments
- Policy Modes:
- What does the typical flow of the FortiEDR process look like?

In the ever-evolving landscape of cybersecurity, endpoints remain a prime and lucrative target. As a green security engineer, I have always been intrigued by how the war on cyber-attacks constantly changes and evolves security postures and the practice of cybersecurity. As my knowledge, exposure and career grow, I am increasingly exposed to advanced techniques and implementations that move away from the traditional defence mechanisms that were once held in high regard in the cybersecurity space.
If we do not innovate and consistently push the boundaries of keeping our data secure, we may fall behind in the ever-evolving and dynamic space that is the war on data security, integrity, availability, confidentiality, and protection.
Enter Fortinet’s solution: a dynamic, proactive, next-generation and innovative approach that provides up-to-the-minute, real-time protection of endpoints without compromising system performance and availability. Let us unpack what makes Fortinet’s EDR solution, dubbed “FortiEDR,” tick and how it stands out in the crowded EDR market.
What is FortiEDR?
FortiEDR is Fortinet’s advanced solution for endpoint protection, designed to detect, prevent, and respond to cyber threats in real time before any damage happens. It is not just antivirus; it is next-level endpoint security. FortiEDR operates at the kernel level of the operating system it is running on (Windows, Mac, or Linux), thus providing a “meat and bones” look into what is going on in, and passing through, your device and your network. Being at the kernel level allows FortiEDR to observe processes, threads, and system operations such as file access and registry changes, so it is prepared to tackle almost all sophisticated attacks that may be thrown at it, including attacks that have not even been invented yet!
FortiEDR components
FortiEDR Collector
The Collector agent is installed on endpoint devices (Windows, Mac, or Linux) and monitors system behaviour in real time. It also detects and prevents threats before execution (we will talk about execution policies and other policies soon). Remember when we were going over FortiEDR operating at the kernel level? I was referring to the Collector. By default, the Collector runs in autonomous mode: on every attempt by the device to establish a network connection or change a file, the Collector gathers the required metadata and analyses it to determine whether the process performing the action is legitimate. You can instead configure the Collector to use a Core for the metadata analysis, in which case the Collector holds the connection until authorization is received from the Core.
Core
The Core is the heart of FortiEDR, responsible for the almost instant response you will see when FortiEDR blocks malicious software. The FortiEDR Core is the security policy enforcer and decision-maker: it determines whether a connection establishment request is legitimate or represents a malicious exfiltration attempt that must therefore be blocked.
FortiEDR Central Manager
The Command Centre manages all agents (end devices) that are part of FortiEDR. It is a single pane of glass that provides a structured view of the dashboard, it is software only, and it is the only component that has a graphical user interface (GUI). It hosts policies, incident views, threat hunting, administration, security, and communication policies.
FortiEDR Aggregation Server
The Aggregation Server collects data from the endpoints (the Collectors) and passes it along to the Central Manager. It is also software only; it acts as a proxy for the FortiEDR Central Manager and takes on processing load. All FortiEDR Collectors and FortiEDR Cores interact with the Aggregator for registration, configuration, and monitoring purposes. The FortiEDR Aggregator aggregates this information for the FortiEDR Central Manager and distributes the configuration defined in the FortiEDR Central Manager (such as exceptions, policies, and rules) to the FortiEDR Collectors and FortiEDR Cores. The configuration update latency is usually around 60-120 seconds but can take up to 20 minutes in edge cases.
FortiEDR Cloud Service
FortiEDR Cloud Service, or Fortinet Cloud Services (FCS), is basically an extra layer of protection that reviews the classifications made by the Core. FCS continuously updates its database, performs deeper event analysis, and fine-tunes classifications as mentioned earlier. FCS is a cloud-based, GDPR-compliant, software-only service that determines the exact classification of security events and acts accordingly based on that classification, all with a high degree of accuracy.
FortiEDR Cloud Service is the SaaS (Software-as-a-Service) version of FortiEDR. Instead of hosting all the backend stuff yourself (aggregator, central manager, backend server, etc.), Fortinet manages that in the cloud.
You just install the Collector on your endpoints, and boom—instant access to FortiEDR's full real-time protection suite without needing to rack a single server.
FortiEDR Policy Structure: The Three Pillars of Endpoint Defence (and more)
FortiEDR comes out of the box with a multitude of predefined policies that cement its commitment to tackling many types of sophisticated malicious software.
Pre-Infection Policy/Execution Prevention Policy & NGAV
FortiEDR uses its AI and machine learning models to score files based on behaviour and structure. A score between 0 and 5 determines the severity and classification a particular file or piece of software receives and how it is handled. This is the policy ALL software MUST go through before moving up the FortiEDR stack. It blocks the execution of any file that is identified as malicious or suspected to be malicious. After analysis, one of the following rules is triggered based on the result:
- Most Likely a Malicious File: A Malicious File Execution rule is triggered with a critical severity. By default, the file is blocked.
- Probably a Malicious File: A Suspicious File Execution rule is triggered with a high severity. By default, the file is blocked.
- Shows Evidence of a Malicious File: An Unresolved File rule is triggered with a medium severity. By default, the file is logged but is not blocked.
Post-Infection Policy/Exfiltration & Ransomware Prevention Policy
The post-infection policy has two policies under its umbrella: the Ransomware Prevention Policy and, as the title mentions, the Exfiltration Prevention Policy. If a program, file, or any other type of executable manages to get past the Execution Prevention Policy, either the virus or malware is sophisticated enough to bypass the NGAV, or it is legitimate software. Even legitimate software can sometimes trigger policy rules unintentionally. This policy enables FortiEDR to do its best to distinguish which connection establishment requests are malicious and which are legitimate.
- Ransomware Prevention Policy: If software attempts to modify or lock a file, it is almost immediately blocked if FortiEDR determines it to be any of the classifications it deems worthy of blocking.
- Exfiltration Prevention Policy: If software attempts to establish an outgoing connection, it is likewise almost immediately blocked if FortiEDR determines it to be any of the classifications it deems worthy of blocking.
Communication Control Policy
If a file, executable or any other piece of software manages to get through to the Communication Control policy, it is, at this level, deemed most likely safe. However, if malicious code, a file, or software somehow made it through to the communication policy engine and tried to establish an external connection, it again would be almost immediately blocked if FortiEDR determines it to be any of the classifications it deems worthy of blocking.
Security Policy Assignments
Collectors are placed in logical groups known as Collector Groups, each of which is then assigned to a policy. It is best practice to assign each group to one of each of the policies mentioned above: Execution, Exfiltration and Ransomware. The policies a group is assigned to control how FortiEDR responds to threats. These policies are stacked and modular, like layered armour.
Policy Modes:
Each policy can operate in one of three modes:
- Prevention – Actively enforces the policies and stops threats dead in their tracks.
- Simulate – Logs actions but does not stop anything (great for testing and troubleshooting).
- Disabled – Does not monitor, log, or enforce policies.
What does the typical flow of the FortiEDR process look like?
The Collector sends data to the Core. The Core sends the file's hash to the Reputation Service, which manages how software or files are scored. The Reputation Service returns a score to the Core after consulting the Common Vulnerabilities and Exposures (CVE) database. The Core then returns this verdict to the Collector, which makes a decision based on the verdict it received from the Core.
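To make the layering and the flow above concrete, here is a small Python model, added as an illustration for this post. It is not Fortinet's code and uses none of the product's APIs; it simply ties together the Execution Prevention rules and their default actions, the three policy modes, and the Collector to Core to Reputation Service hash lookup in one path. The thresholds that map a 0-5 score to a classification, the rule labels used for the Ransomware and Exfiltration layers, the class and function names, the sample files and the reputation table are all assumptions constructed for the example.

```python
import hashlib
from enum import Enum

class Mode(Enum):
    PREVENTION = "prevention"  # enforce: block and log
    SIMULATE = "simulate"      # log what would have been blocked, but allow it
    DISABLED = "disabled"      # neither monitor nor log

# Execution Prevention rules as the post lists them: (rule, severity, blocked by default).
EXECUTION_RULES = {
    "malicious": ("Malicious File Execution", "critical", True),
    "suspicious": ("Suspicious File Execution", "high", True),
    "unresolved": ("Unresolved File", "medium", False),
}

# Which policy layer handles which endpoint action.
POLICY_FOR_ACTION = {
    "execute": "Execution Prevention",
    "modify_file": "Ransomware Prevention",
    "connect": "Exfiltration Prevention",
}

def classify(score):
    """Map a 0-5 reputation score to a classification (thresholds are an assumption)."""
    if score >= 4:
        return "malicious"
    if score >= 2:
        return "suspicious"
    if score >= 1:
        return "unresolved"
    return "benign"

class ReputationService:
    """Stand-in for the Reputation Service: scores a file by its content hash."""
    def __init__(self, db):
        self.db = db  # constructed table: sha256 hex -> score 0..5

    def score(self, sha256):
        return self.db.get(sha256, 0)  # unknown hash: no evidence, scored 0 here

class Core:
    """Policy enforcer: combines the classification with the policy's mode."""
    def __init__(self, reputation, modes):
        self.reputation = reputation
        self.modes = modes  # policy name -> Mode

    def decide(self, action, sha256):
        policy = POLICY_FOR_ACTION[action]
        mode = self.modes[policy]
        verdict = {"policy": policy, "mode": mode.value, "decision": "allowed",
                   "logged": False, "rule": None, "severity": None, "simulated": False}
        if mode is Mode.DISABLED:
            return verdict  # disabled: nothing analysed, nothing logged
        cls = classify(self.reputation.score(sha256))
        if cls == "benign":
            return verdict
        rule, severity, blocks = EXECUTION_RULES[cls]
        if policy != "Execution Prevention":
            rule = f"{policy} ({cls})"  # assumed label; real rule names differ per policy
        verdict.update(rule=rule, severity=severity, logged=True)
        if blocks and mode is Mode.PREVENTION:
            verdict["decision"] = "blocked"
        elif blocks and mode is Mode.SIMULATE:
            verdict["simulated"] = True  # would have been blocked; only logged
        return verdict

class Collector:
    """Endpoint agent: hashes the file and holds the action until the Core answers."""
    def __init__(self, core):
        self.core = core

    def handle(self, action, file_bytes):
        digest = hashlib.sha256(file_bytes).hexdigest()
        verdict = self.core.decide(action, digest)
        verdict["sha256"] = digest[:12]
        return verdict

# Constructed sample files and a constructed reputation table keyed by their hashes.
SAMPLES = {
    "payroll.exe": b"constructed benign content",
    "dropper.exe": b"constructed malicious content",
    "oddtool.exe": b"constructed content with weak evidence",
}
REPUTATION_DB = {
    hashlib.sha256(SAMPLES["dropper.exe"]).hexdigest(): 5,
    hashlib.sha256(SAMPLES["oddtool.exe"]).hexdigest(): 1,
}

def run_scenario(modes):
    """Push every sample through execute / modify_file / connect; return the verdicts."""
    collector = Collector(Core(ReputationService(REPUTATION_DB), modes))
    return {(name, action): collector.handle(action, data)
            for name, data in SAMPLES.items() for action in POLICY_FOR_ACTION}
```

Calling `run_scenario` with Execution Prevention in Prevention, Ransomware Prevention in Simulate and Exfiltration Prevention in Disabled mode shows the difference between the modes on the same file: the dropper's execution is blocked with a critical Malicious File Execution rule, its file modification is logged as simulated but allowed, and its outbound connection produces no event at all. The "unresolved" sample is logged but never blocked in any mode, which matches the default the post describes.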
As you have read so far, FortiEDR does a fantastic job of leveraging emerging and evolving techniques and technologies to combat the ever-changing war on cyber-attacks. There is a lot more to how Fortinet’s EDR solution works; this was just an introduction to how it is layered and a brief look at what it is all about.
For more information on Fortinet’s FortiEDR, please visit the link below to Fortinet’s official documentation page that goes in great detail about everything that is FortiEDR:
Written by Ricardo Henry
