
Executive Insights: The Evolution of Threat Intelligence

By Michael Xie | December 07, 2017

The entire security arms race between IT professionals and cybercriminals is really about one side constantly trying to outsmart the other. Security isn’t just about tools. It’s also about the intelligence that powers them. That is why, when we started Fortinet 16 years ago, we were every bit as committed to developing security intelligence and research solutions that were as innovative as the technology we were building.

As we prepare to expand our security research facility in Vancouver, this is a good time to review the history of this evolution. First, reviewing the development of threat intelligence provides an interesting insight into the minds of the cybercriminals we are defending ourselves against. Second, seeing where we came from helps us predict the trajectory of how to stay ahead of the criminal community going forward. And finally, it can provide organizations with a baseline with which to evaluate the long-term efficacy of the solutions they have deployed. Because security, as it turns out, is about much more than speeds and feeds.

For the first several decades of network security, efforts had been primarily focused on protecting connections to and from the network. Firewalls acted as gateway sentinels monitoring those connections. But then threats began to shift. When Fortinet was founded in 2000, the rise of applications had led to a need to secure the content inside those connections. We call this change the second generation of security.

These new threats required traditionally separate security tools to work together to inspect and secure transactions. We quickly understood that developing the first UTM and NGFW security devices required threat intelligence tools that could see and correlate information from a number of different threat vectors. Our initial efforts were primarily focused on antivirus, antispam, web filtering, and IPS signatures that allowed us to see and identify the threats hidden inside network traffic.

Our FortiGuard Labs team started with a group of 10-15 people doing AV analysis. This was a fledgling industry, and we had a small set of fewer than 500,000 threats, kept on the handful of machines needed to process the data. We primarily researched threats by hand and pushed out about two updates per day. Engineers worked graveyard shifts in order to cover the world.

For the next nine years, this process grew organically. We opened new labs in Europe and Asia, and we soon had over a hundred full-time security researchers. But the cybercriminals were relentless in developing their capabilities as well. It soon became apparent that playing cat and mouse was not an effective approach to addressing cybercrime. To get in front of the problem and stay there, we needed to be able to out-innovate the cybercrime community.

In 2009 Fortinet went public, and we used our initial IPO funding to build out the resources for hyperscale. This involved not only accumulating new hardware, but also engineering tools that would allow us to correlate threat intelligence on an unprecedented scale. By 2010 we upgraded to our first hyperscale threat intelligence data center designed to fully leverage and correlate the rich intelligence being gathered from the hundreds of thousands of (now nearly 3.5 million) sensors that we had begun deploying around the world from day one.

At the same time, as our UTM and NGFW solutions evolved into an entire family of security solutions, we intentionally continued to engineer them with a common operating system, unified management and controls, and open standards so they could be integrated together. This allowed security updates to be shared simultaneously across all deployed security devices, while enabling them to share and correlate intelligence to provide a unified response to threats.

By 2015, and hundreds of patents later, we had developed our Self-Evolving Detection System built around billions of nodes interconnected through machine learning and cutting-edge artificial intelligence. We now train machines to teach machines, allowing them to effectively take over many of the day-to-day tasks that our analysts have traditionally had to do. This centaur model allows those analysts to focus almost exclusively on more complex tasks, and is a necessary approach if we are to effectively tackle today’s explosive threat landscape.

This is just the beginning. Our cutting-edge research on training machines with AI will continue to increase the autonomy of our detection and defense systems, enabling them to perform increasingly complex detection, correlation, and analysis. We are also actively expanding our footprint to cover future attack surfaces, including IoT, connected cars, smart cities, drones, and critical infrastructure.

This approach lays the foundation for the next generation of protection: Intent-Based Network Security. IBNS will shift security from being reactive to proactive. It will baseline network behavior, analyze vulnerabilities, and anticipate attacks before they occur. Advanced behavioral analytics will be able to determine intent before a threat actor or malware launches an attack. To do this, threat sharing, real-time correlation, and autonomous remediation need to be integrated together and distributed throughout the kill chain. To make this work, the foundation of IBNS needs to be based on complete confidence and trust in the threat intelligence underlying it.

To achieve this, Fortinet has had to develop a wide range of interconnected threat intelligence skills and strategies. These include:

  • Infrastructure maturity: The key to seeing and stopping threats is kill chain visibility. Shared intelligence and integrated solutions need to work together behind each layer of the attack surface. As more and more components of our society become IP-enabled this will necessarily have to extend from cyber to physical security.
  • A culture of innovation: Fortinet has been issued nearly 450 patents, with another nearly 300 pending – more than any other security vendor in the world. Many of these patents are coming out of our R&D focused on threat intelligence.
  • Specialization: Our FortiGuard Labs team is very modular by design. Each technology we offer has a fully staffed threat intelligence team behind it: AV, IPS, Zero-day, Sandbox, DDoS, Web Filtering, etc. We have had to develop proactive security solutions behind that intelligence. For example, our web filtering solution uses an advanced algorithm to deconstruct malicious URLs and enable auto classification. Our AV engine combines an automated content pattern recognition language (CPRL) with machines teaching machines to dynamically build AV signatures and find new malware variants based on shared code, something we refer to as a ‘Real Time Sandbox.’ Our Advanced Threat Protection (ATP) Framework is unique in the industry, leveraging integrated solutions to make autonomous decisions based on threat intelligence.
  • Artificial Intelligence: Developing a threat intelligence system built around AI, such as our Self-Evolving Detection System, requires processing power, massive amounts of data, and time. Highly supervised incubators can spend years carefully cultivating an artificial intelligence to perform specific tasks in a predictable way. Once trained, these systems are then integrated into a Centaur Model where humans work alongside automation and AI. This approach frees up researchers to focus on the advanced or more complex things that AI is not yet able to address.
  • Sharing Intelligence: No single organization can be expected to collect and correlate all relevant threat intelligence. That is also why we drove the foundation of the Cyber Threat Alliance, which now operates as a fully independent organization bringing together real-time threat information from a variety of security vendors. In addition, we subscribe to hundreds of threat feeds from government and law enforcement, security vendors, and a wide range of industries in order to ensure that we can see and respond to threats regardless of their size, origin, or impact. The key is to make all of this intelligence actionable, which is something we are achieving through the ongoing development of the security fabric.
  • Security Training: The other significant challenge facing organizations is the worldwide shortage of cybersecurity professionals. One approach is to simplify security and augment it through automation. The other is to train people to fill this critical job market. Fortinet is committed to both.

Fortinet Network Security Expert (NSE) is an eight-level certification program that provides self-paced and instructor-led cybersecurity courses combined with practical, experiential exercises and independently proctored exams to ensure and certify the mastery of complex network security concepts. To date, over 50,000 individuals have received NSE certifications.

We have also created the Fortinet Network Security Academy for secondary and post-secondary students. This program leverages the NSE curriculum and currently provides cybersecurity courses at hundreds of schools in 46 countries. And our FortiVets program provides cybersecurity and job skills training to help military veterans transition to civilian life as security professionals.

We are at a complicated inflection point. As society shifts towards a digital economy, technology is shaping virtually every part of our lives. Organizations are dealing with digital transformation challenges that are driving networks into the cloud, interconnecting everything and everyone, and making real-time access to data the measure of success. At the same time, cybercriminals are looking for new ways to profit from this economy. They are developing new tools and techniques to exploit the digital landscape, and their attacks are becoming increasingly sophisticated and effective. Advances in artificial intelligence and machine learning are enabling attacks to become autonomous. Soon, the time required between the detection of a breach and the response to it will be measured in milliseconds.

Security tools that can effectively defend against this new threat paradigm are only as effective as the threat intelligence behind them. Take that away, and things like firewalls and other isolated security platforms become really expensive welcome mats.

This byline originally appeared in CSO.