Business & Technology

FortiXDR—Fully Automated Threat Detection, Investigation, and Response

By David Finger | January 26, 2021

Digital innovation has transformed businesses and the networks they use to run critical applications, perform online transactions, connect remote workers, and collect and process critical data. And as in the past, these advances raised new security challenges, giving rise to new security solutions designed to address those challenges. However, the speed of transformation left organizations with little time to consider the broader security infrastructure when implementing those solutions. And as a result, now more than ever, today’s security teams are left trying to manage a vast collection of security tools from a variety of vendors and establish some sort of visibility and consistent policy orchestration and enforcement across their organization. Among other challenges, security teams struggle to detect and respond to more—and more damaging—cyberattacks across a complex and largely isolated security toolset. 

In talking to our customers, typically through online executive briefings, most understand the logistical and technological challenges of this complexity and are interested in moving from dozens of different security vendors and products to a handful or less of security platforms, complemented by point products where necessary. So it’s not surprising to me that, according to Gartner, 80% of organizations are either currently or planning to consolidate security vendors. But the question at hand is, “how do I decide which vendor(s) to choose as we consolidate?” 

While there are pragmatic considerations like satisfaction with the vendor, breadth of controls available in their platform, effectiveness and features of each control, and more, an organizing principle has emerged to simplify and integrate that process—XDR, or eXtended Detection and Response. Defined by Gartner as “a security incident detection and response platform that automatically collects and correlates data from multiple security products,” XDR enables an essential integration principle that leverages existing technologies to create unified vision and control over complex, distributed environments. This is a much preferred consolidating principle than procurement-driven decision making (“the vendor has offered us a great deal on a suite of products.”) XDR enables different security solutions to see, share, and analyze data so they can more effectively detect threats and deliver a coordinated response that covers the entire attack surface. 

While this sounds like a great idea—and it is—it is much more complicated than it may appear on the surface. Some XDR solutions come from large security vendors that can integrate multiple products within their portfolio, and others come from smaller start-ups that seek to provide a normalization layer above components from different vendors. There are pros and cons to each approach. In the first case (single-solution vendor), one should expect a unified vision, common policy experience, tight product inter-relationship, and other benefits. The biggest downside is likely to be the limited choice within that vendor’s portfolio. By contrast, choosing an “open” XDR approach eases that single-vendor constraint, but is likely to fall short in other areas such as integration, analytics, or automation. In my experience, the effort to ensure central management across many products (and multiple versions thereof) is substantial. Multiplying that exponentially across the diverse vendor landscape, not to mention the tall task of analytics and automation on top of management, results in a huge effort for such vendors and a variety of limitations for the end customer.

Engineered for AI-driven Security Operations

FortiXDR - The Only XDR Solution to Autonomously Manage Cyber Incidents From Start to Finish

At Fortinet, we have been building integrated, multiple product solutions designed to operate as a single cohesive system; first with our Advanced Threat Protection Framework (a personal trip down memory lane) and more recently the Fortinet Security Fabric. The Security Fabric is a broad, integrated and automated cybersecurity platform powered by FortiGuard Labs security services that protects the digital enterprise from endpoint and IoT through network and cloud. FortiXDR is designed to extend the Fortinet Security Fabric, reducing complexity, accelerating detection, automating alert investigations, and coordinating responses to cyberattacks. As part of the Fortinet Security Fabric, FortiXDR is able to leverage the common data structure, correlated telemetry, unified visibility, native integration, and seamless interoperation of Fortinet’s portfolio of Fabric-enabled solutions. It then layers on automated analytics, incident investigation, and pre-defined responses out of the box. FortiXDR brings these advanced capabilities to all three steps of finding and mitigating a security incident:

1. Extended Detection: FortiXDR begins by leveraging the diverse security information shared across the Fortinet Security Fabric for correlation and analysis. And because it can collect information across the industry’s broadest portfolio, the more threat telemetry that can be used to find an active threat—especially those designed to avoid detection. 

2. Extended Investigation: FortiXDR is the first XDR solution to apply artificial intelligence (AI) to the investigation of detected threats—a process every other XDR solution hands off to an overburdened human security analyst, slowing down the process and leaving systems vulnerable to human error. And given the volume of alerts most networks generate, many security teams are simply not resourced to chase down every potential threat.

Traditionally, once initiated detection is made, a security analyst must look at the potential incident, decide how to investigate and verify it, assess its scope and associated components, see if it indicates a deeper threat not easily detected at first glance, and then determine the right response—whether to classify the alert as a false positive or to trigger the XDR solution to respond. 

FortiXDR’s first-of-its-kind, AI-based XDR solution fully automates incident investigation rather than relying on scarce human resources. It is powered by a patent-pending Dynamic Control Flow Engine and is continually trained using the threat data and research feeds provided by FortiGuard Labs as well as the frontline expertise of its incident responders. It establishes the context of an alert, performs a thorough investigation to determine if the threat is real, and then identifies the nature and scope of the attack so the response system knows how to proceed. And unlike a security analyst, FortiXDR performs this function in a matter of seconds, effectively closing the exposure gap created by other XDR solutions. 

3. Extended Response: Because FortiXDR is fully integrated into the Security Fabric, it is natively able to marshal every available resource needed to mount an effective,     automated, and coordinated response. And because its response functions are more uniform than most security information formats, customers are also able to leverage connectors to even tie in many third party solutions in their response.

Key Benefits of FortiXDR

In addition to speeding detection, investigation, and response, FortiXDR also gives organizations a compelling case to consolidate independent security products. 

Early adopters show that it dramatically reduces the number of alerts to be investigated by 77% or more on average, helping ensure that cyberattacks don’t get “lost in the noise.” And as mentioned, FortiXDR is the only XDR solution augmented with AI across all elements of the detection, investigation, and response process. This eases the operational burden on security teams, handling complex tasks in seconds that would take experts with specialized tools 30 minutes or more to accomplish. And without human error. 

And with its broad portfolio of independently top-rated controls, that can be deployed to address the cyber kill chain from end-to-end, there are plenty of opportunities to consolidate more and more vendors over time.

All of this enables organizations to reduce mean time to detection (MTTD) and mean time to response (MTTR), thereby reducing the impact of cyber incidents while improving security operations efficiency and overall security posture. It frees up seasoned security professionals for higher value contributions to the security of the organization, and helps the organization itself continue to compete effectively while addressing the crush of security and vendor sprawl through strategic solution consolidation and automated threat detection and response across the entire distributed network.


Learn more about Fortinet's AI-powered XDR solution—FortiXDR.

Find out how Fortinet integrates AI and machine learning capabilities across our Security Fabric to detect, identify, and respond to threats at machine speed.