
Fortinet Acquires ZoneFox

By Fortinet | October 23, 2018

Insider threats are at the forefront of every sophisticated CISO’s mind when it comes to risk management. Today, Fortinet announced the acquisition of ZoneFox, a cloud-based solution that identifies insider threats, with the ability to distill billions of events into useful insights using machine learning and big data analytics, and to stop the threat before it spreads.

According to the 2018 Verizon Breach Detection and Investigation Report, 30 percent of breaches involved insiders, and abuse of stolen credentials and privileged access were among the top five activities in such breaches.

Insider Threats – A Bigger Problem Than You Think

With the dramatic growth in the number of users and devices accessing data and cloud resources, enterprises face a number of security challenges, but none greater than the threat from insiders. An insider can be an employee, former employee, contractor, business associate, or sophisticated attacker pretending to be an employee. Insiders may have legitimate access to computer systems, but what appears to be authorized access could actually be a user accidentally or intentionally misusing credentials to harm the organization. A negligent insider could give improper access to others simply through lack of training or coercion, and a malicious insider could attempt to steal information for financial gain, to benefit another organization or country, or to exact revenge through malicious software left running by an ex-employee. This is not theoretical and, whether known or unknown, is exposing many businesses right now.

Enter ZoneFox - No More Blind Spots

The insider threat is not an easy problem to solve, mainly because of the unknown unknowns, i.e. blind spots, which require the right type of data to be collected at the endpoint. Existing solutions that rely on log files or network traffic are simply unable to provide the level of “fidelity”, or detailed insight into activities, that your SecOps team needs to know what is happening. Enter ZoneFox, an agent-based solution that provides continuous endpoint monitoring even when the endpoint is not connected to the enterprise network. ZoneFox’s super-lightweight agent is easy to install and provides context and high-fidelity, granular visibility into user, file, device, process and behavior that is unrivaled by agentless solutions, which may be more prone to false positives.

The agent securely streams continuous sequences of activities from monitored endpoints (desktops, laptops, servers) or cloud services to the ZoneFox AI engine without impacting user productivity or privacy. Run the solution for at least 30 days in your network to gather enough data for ZoneFox to automatically learn “normal” user behavior. Its unsupervised anomaly-detection algorithm (based on Bayesian mathematics) identifies events that don’t fit the pattern of users’ everyday activities, and these anomalies are also checked for known risk factors such as ransomware, use of hacking tools, or access policy violations. A risk score is then attributed to the anomaly, and if the activity is deemed risky, a real-time alert is triggered so you can take rapid action. ZoneFox calls this combination of machine learning and big data analytics, which enables rapid detection of and response to even the unknown unknowns, “Augmented Intelligence.”
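To make the detection flow above concrete (learn a per-user baseline, score how surprising a new event is, check known risk factors, combine into a risk score, alert above a threshold), here is a small added example written for this page. It is not ZoneFox's engine and does not reflect its actual model: the Dirichlet/Laplace-smoothed categorical likelihood standing in for the "Bayesian" anomaly score, the feature definition, the access policy, the risk-factor weights and the 4.0 alert threshold are all assumptions, and every event in it is constructed.

```python
"""Added example (not ZoneFox code): baseline -> surprise -> risk factors -> risk score -> alert."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    process: str
    action: str   # read | write | copy_to_usb
    path: str


def feature(e):
    """Collapse an event to the categorical feature the baseline is learned over."""
    top_dir = e.path.strip("/").split("/")[0]
    return (e.process, e.action, top_dir)


class BehaviorBaseline:
    """Per-user categorical model with a symmetric Dirichlet prior (alpha).

    The posterior-predictive probability of a feature is Laplace-smoothed, so a
    (user, feature) pair never seen in the baseline gets a small but non-zero
    probability instead of breaking the log. This is an assumed stand-in for
    the page's "Bayesian mathematics", not the vendor's algorithm."""

    def __init__(self, events, alpha=1.0):
        self.alpha = alpha
        self.totals = Counter()               # user -> number of baseline events
        self.counts = defaultdict(Counter)    # user -> feature -> count
        self.vocab = set()                    # every feature seen for any user
        for e in events:
            f = feature(e)
            self.totals[e.user] += 1
            self.counts[e.user][f] += 1
            self.vocab.add(f)

    def surprise(self, e):
        """Negative log posterior-predictive probability; higher = more anomalous."""
        f = feature(e)
        n = self.totals[e.user]
        k = self.counts[e.user][f]
        v = len(self.vocab) + 1               # +1 reserves mass for unseen features
        p = (k + self.alpha) / (n + self.alpha * v)
        return -math.log(p)


# Constructed access policy: which users may touch which top-level directories.
RESTRICTED = {"finance": {"bob"}}
# Constructed weights for the known risk factors the anomaly is checked against.
RISK_WEIGHTS = {"restricted_path": 2.0, "removable_media": 2.0, "after_hours": 2.0}


def known_risk_factors(e):
    """Deterministic policy checks applied on top of the statistical score."""
    factors = []
    top_dir = feature(e)[2]
    if top_dir in RESTRICTED and e.user not in RESTRICTED[top_dir]:
        factors.append("restricted_path")
    if e.action == "copy_to_usb":
        factors.append("removable_media")
    if not 8 <= e.ts.hour < 18:               # assumed business hours
        factors.append("after_hours")
    return factors


def score_event(baseline, e, threshold=4.0):
    """Risk score = statistical surprise + weighted known risk factors."""
    factors = known_risk_factors(e)
    risk = baseline.surprise(e) + sum(RISK_WEIGHTS[f] for f in factors)
    return {"user": e.user, "risk": round(risk, 3), "factors": factors, "alert": risk >= threshold}


def constructed_baseline(days=30):
    """Constructed 30-day history: alice edits project docs, bob works in finance."""
    start = datetime(2018, 9, 1, 9, 0)
    events = []
    for d in range(days):
        day = start + timedelta(days=d)
        for i in range(5):
            events.append(Event(day + timedelta(minutes=i), "alice", "winword.exe", "read", f"/projects/alpha/doc{i}.docx"))
        for i in range(2):
            events.append(Event(day + timedelta(hours=1, minutes=i), "alice", "winword.exe", "write", f"/projects/alpha/doc{i}.docx"))
        for i in range(4):
            events.append(Event(day + timedelta(minutes=i), "bob", "excel.exe", "read", f"/finance/ledger{i}.xlsx"))
    return events


BASELINE = BehaviorBaseline(constructed_baseline())

# Constructed events to score: an everyday action and an out-of-pattern one.
NORMAL = Event(datetime(2018, 10, 2, 10, 15), "alice", "winword.exe", "read", "/projects/alpha/doc1.docx")
SUSPECT = Event(datetime(2018, 10, 2, 2, 10), "alice", "explorer.exe", "copy_to_usb", "/finance/payroll.xlsx")

if __name__ == "__main__":
    for ev in (NORMAL, SUSPECT):
        print(score_event(BASELINE, ev))
```

The two layers are deliberately separate: the baseline catches activity that is merely unusual for that user, while the risk-factor checks encode what the organization already knows is dangerous. Tuning consists of adjusting the baseline window, the prior strength `alpha`, the weights and the threshold against your own false-positive rate, which is the policy fine-tuning the text refers to below.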

ZoneFox also provides a full forensic record including timeline, with a great visualization layer so you can quickly identify and answer key questions around an incident: Who was the perpetrator? What did they take? Where did the data go? When did this happen – and how? This not only provides the answers behind risky behavior or attack, but also empowers you to fine-tune your policies to your organizational concerns and existing behaviors.

Tightly Knit with the Fortinet Security Fabric

The ZoneFox acquisition is strategic to Fortinet as it fits in the Fortinet Security Fabric, most notably with FortiClient, Fortinet’s next-gen endpoint protection platform (EPP), and with FortiSIEM.

With FortiClient and ZoneFox integration, Fortinet has a unique opportunity to offer enterprise customers and service providers a powerful combination of a signature-based advanced endpoint protection platform (EPP), and cloud-based, machine learning-aided endpoint detection and response (EDR) capabilities, especially around insider threats, data exfiltration and leakage.

The real-time ZoneFox alerts then naturally become a data source for FortiSIEM, which, through this acquisition, will add significant new user and entity behavior analytics (UEBA) features beyond those that are rules-based. Today, most SIEM vendors have at least some UEBA features. However, the ease of deployment and onboarding of ZoneFox, combined with FortiSIEM’s own scale-out multi-tenant architecture, should help further differentiate FortiSIEM from its competitors.

ZoneFox and FortiSIEM also have a more customer-friendly pricing structure than many products on the market, which may not scale and/or may be priced by data volume ingested or actions taken, resulting in unpleasant price surprises for CISOs and CFOs relative to the value derived in stopping threats.

Like enterprises, service providers can also take advantage of ZoneFox integration with the Fabric, and provide the skills and resources that their customers may not have.

Protect Your Data

With the integration of ZoneFox technology into the Fortinet Security Fabric, we will offer both EDR and UEBA capabilities that allow enterprises to bolster their security posture and quickly spot expected and unexpected emerging threats before they become major incidents and compromise the entire organization.

Read the news release for more information on this news.