Working through ambiguity is an undeniable part of cybersecurity. With cyber attackers constantly changing their tactics, security teams must constantly adapt to fight off new threats. This includes examining emerging problems, building hypotheses on how to best address them, and implementing early detection strategies. Fortinet FortiNDR with FortiNDR Cloud is both the culmination of such an effort and the commencement of enterprises leveling the playing field against low and slow attacks. It can be delivered as cloud-based, Guided-SaaS, or on-premises, and it provides solutions to five critical problems security operations teams face today, including:

1. Extended Attacker Dwell Time--

For over a decade, adversary dwell time has continued to exceed well beyond acceptable ranges. According to IBM, it took an average of 277 days in 2022 to identify and contain a breach. This provides adversaries ample opportunity after intrusion to find and steal an organization's most sensitive data, often aiming to hold it for ransom.

Security teams often turn to network detection and response (NDR) to solve this, as NDR often compliments EDR and SIEM tools by analyzing network metadata to provide much-needed context around network activity. Metadata can provide information like username, hostname, domain, and status of any given network transaction. NDR pairs metadata with artificial intelligence (AI) and machine learning (ML) to allow SOC teams to analyze vast amounts of data quickly. It is also recommended, as illustrated by the SUNBURST incident, for security operations teams to retain data for nine to 12 months to accurately identify initial access and understand the full scope of a breach.

In today's modern age, disk storage, and cloud infrastructure allow us to retain data intelligently, so why are NDR tools still only retaining data for such short periods? FortiNDR is disrupting the norm by providing rich network metadata for up to 365 days, so security teams have more data for in-depth analysis, addressing extended dwell times exhibited by today's advanced attackers.

2. Lack of "R" in NDR

Of course, making the initial detection from rich metadata is just the start. Despite record spending on security technology, 52% of SOC analysts report the need to access more out-of-the-box content (such as playbooks and rules) to alleviate common pain points, as they are spending increasingly more time on threat investigations while complexity, alert fatigue, and workloads grow. Most NDR solutions often defer to other tools to perform detection triage, hunting, or investigations because they lack built-in, out-of-the-box capabilities.

Out-of-the-box content like guided playbooks and rules should make work easier for SOC teams. FortiNDR guided playbooks, for example, assist investigators to take the right steps to identify attackers based on real-world behaviors. An investigator can simply select the "Log4j Hunting" playbook and instantly create an investigation using pre-built queries that incorporate the latest threat intel and detections. FortiGuard Applied Threat Research continuously updates, maintains, and creates new playbooks based on recent attacker tactics to ensure playbooks are up to date with the latest threat detection capabilities.

Developed and built by advanced threat researchers, combined with AI/ML triggered events, FortiNDR provides rich triage, hunting, and investigation tools that speed detection andresponse. Features like entity and faceted search, observations based on a correlation of multiple events, and MITRE ATT&CK mapping help security teams respond faster, and more comprehensively, to threats.

3. Limited Expertise

The third challenge stems from the global cybersecurity skills gap and talent shortage. While security teams are in a race against time to protect their organizations, they don't always have the skills, time, or knowledge on how to defend against the latest cyber tactics and techniques. FortiNDR supports security teams challenged by the skills gap by complimenting AI/ML analysis capabilities with virtual or in-person expertise to ensure they are best equipped to detect and stop sophisticated attacks.

Virtual expertise, provided by the Virtual Security Analyst (VSA), analyzes and investigates new and emerging attacks, while the in-person expertise is conducted by a team of technical success managers (TSMs) who answer questions about findings, tune configurations, and optimize deployments. In addition, FortiNDR is maintained by advanced threat researchers who manage machine-learning models and provide out-of-the-box playbooks for recommended investigations.

4. Collaborative Investigations

While security teams benefit from the ability to investigate and hunt for threats using advanced queries against retained enriched network metadata, they can accelerate response even further by running queries in parallel and allowing global SOC members to work together to analyze the results.

FortiNDR with parallel hunting enables security professionals to coordinate threat-hunting and investigation efforts across their global SOC teams. For example, a SOC analyst based in the United States can create an investigation while a colleague in Europe can concurrently duplicate that investigation and alter or add variables and queries. These results are shared through the UI where each analyst can continue to pivot and expand on findings based on their own assessment. This is a collaborative approach to investigations that is unmatched by other NDR vendors.

5. Increased Complexity from a Siloed Approach

Given the complex, multi-vendor security infrastructure of many organizations, most security teams find it difficult to respond quickly and comprehensively to cyber-attacks, even after they are identified. To reduce this complexity, consolidation and integration are key.

The FortiNDR offering integrates seamlessly with several components of the Fortinet Security Fabric and third-party solutions by utilizing the power of AI and ML to improve the detection, response, and containment of threats. Integrated with FortiGate, FortiNDR alerts on anomalous activity while initiating an internal IP block on the FortiGate. In addition, FortiNDR ingests files traversing firewalls for deep learning analysis to prevent the download of malicious components by users. Furthermore, FortiNDR integrates with FortiSOAR for a coordinated, cross-product response and faster remediation.

Considerations for a Successful NDR Deployment

These five challenges are just a few examples of what security professionals face daily, but when looking to purchase an NDR solution here are some additional considerations:

1. Visibility into cloud environments

The power of NDR is to provide visibility and AI/ML analysis across the network, regardless of the underlying infrastructure. Your solution should be able to analyze network traffic in public and private cloud and IoT/OT environments. Vendors should support any configuration of these environments and provide your security team with the tools to investigate and respond to malicious behavior across the hybrid network.

2. AI/ML is NOT the only answer

While AI/ML capabilities are a big part of NDR's appeal, tools that rely solely on AI/ML tend to generate white noise. NDR vendors should balance their AI/ML approach with human and pragmatic analysis to help reduce false positives.

3. Integrations to reduce complexity

NDR is often used as a complementary technology to EDR and SIEM and should bi-directionally share detections and observations with these solutions, enabling early detection and orchestrated response to known and unknown network threats.

See how Fortinet leverages AI/ML, behavioral and human analysis to enable faster incident detection and response with a FortiNDR demo.