How SecOps Teams Can Combat Threats with the Fortinet Security Fabric

By Damien Lim | August 31, 2021

Ransomware is a problem for security operations (SecOps) teams everywhere. They're facing increased volume, velocity, and sophistication of threats. According to the latest Global Threat Landscape report from FortiGuard Labs, ransomware has increased more than tenfold in the last year. Many SecOps teams are already exhausted from dealing with an overwhelming number of alerts, but attacks are not letting up anytime soon.

Cybercriminals are focused and relentless, targeting companies in every industry and market including the operational technology (OT) segment. And it’s not just a rise in the number of attacks. The severity of the impact that attacks like EKANS, DearCry, and Darkside have had on organizations has increased as well. Threats can come from multiple vectors. The three top ways ransomware can get into the network are:

  • Stolen credentials: Acquiring credentials on the dark web and using remote desktop protocol for access
  • Email: Taking advantage of phishing and social engineering to entice users to follow links or run code that allows entry 
  • Vulnerabilities: Using often previously unknown security holes and zero-day vulnerabilities to gain unauthorized access

Networks are more complicated and dynamic than ever before and it's not like people are going to stop using services like email. For overworked, overwhelmed security operations teams, the key to fighting ransomware is to tackle the problem on multiple fronts and take advantage of tools powered by artificial intelligence (AI) instead of relying on traditional and manual tools. Several Fortinet technologies that are part of the Fortinet Security Fabric provide comprehensive protection, detection, and blocking against ransomware and other advanced threats, including sandboxing, virtual security analyst, and endpoint detection and response (EDR) solutions.

Sandboxing - Combating Threats with Fortinet's Security Fabric

The increase in ransomware sophistication has led to more exploits like spoofing legitimate patches so malware appears to be originating from a trusted source. These "zero-day" threats are impossible for antivirus tools to detect because those prevention solutions only work against known malware signatures. One way to deal with unknown exploits is to use sandboxing, which analyzes an object's behavior. If it finds anything questionable, the object is confined in an isolated virtual environment for further analysis and validation.

Recently, Colonial Pipeline was struck by Darkside ransomware, which disrupted gas distribution on the East Coast and caused shortages that affected quality of life. FortiSandbox, working in conjunction with existing security controls, intercepts the ransomware and unpacks it for further analysis. In the case of Darkside, for example, sandboxing allowed organizations to uncover behaviors such as launching and deleting system files and connecting to malicious websites, underscoring the ability of sandboxing to prevent threats from infiltrating. More details are available in the FortiSandbox report in the FortiGuard Labs Darkside outbreak alert.

Fortinet recently released its third generation of FortiSandbox, which is designed to uncover zero-day and sophisticated ransomware techniques earlier using a combination of machine learning and deep learning AI models. It improves overall security effectiveness by up to 25% over traditional sandbox detection and can be integrated with any existing security infrastructure, whether on-premises or in the cloud. FortiSandbox enables automated protection across both IT and OT environments. 

Virtual Security Analyst

For organizations that have limited security staff and have to investigate a large volume of alerts, a virtual security analyst can help with the investigation and related tasks.

The FortiAI Virtual Security Analyst uses a sophisticated deep learning model, a deep neural network, to identify and classify file-based and fileless malware with sub-second detection. The deep neural network analyzes millions of malware characteristics to accurately determine the type of threat, for example ransomware such as DearCry, which was reported in this outbreak alert from FortiGuard Labs. FortiAI is used to proactively investigate threats, whereas FortiSandbox provides sandbox analysis and tools for further investigation.

The latest release of FortiAI integrates with FortiGates to block threats inline and in real-time, which effectively disrupts the source of the attack (patient zero) within the network. FortiAI also provides sub-second protection of web applications using FortiWeb or third-party security either through API or ICAP. It also can provide sub-second triggers to playbooks using FortiSOAR and supports larger threat investigation efforts afforded by FortiSIEM and others using syslog. FortiAI integrates with FortiSandbox, which improves detection by combining all of these technologies.

Leveraging Part of the Fortinet Security Fabric Through Endpoint Detection and Response

AI is also built into Fortinet's endpoint protection solution. FortiEDR is part of the Fortinet Security Fabric and unlike traditional endpoint protection which blocks threats pre-execution based on known signatures, the machine learning models in FortiEDR are used to monitor system behavior pre- and post-execution to detect and defuse even sophisticated attacks in real-time.

The detection technologies in FortiEDR can be applied from the early reconnaissance stages of cybercriminal activity through delivery, exploitation, installation, and the attacker's final objectives. FortiEDR provides visibility and communication control to identify vulnerable applications and shield them from exploitation. Its machine-learning-based capabilities block even previously unknown malware.

For example, in a recent Threat Research Report about the Kaseya ransomware attack, FortiGuard Labs reported that FortiEDR detects and blocks the DLL side-loading event in which the ransomware executes a valid application that loads the malicious payload. As a result, Fortinet customers did not see the related indicators of compromise, because the malware was prevented from running.
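As an added illustration of the detection described above (not Fortinet's or FortiEDR's code), the following Python sketches two heuristics an EDR can apply to image-load telemetry to flag DLL side-loading; the event fields, the expected-directory table, the writable-path prefixes and the sample events are all constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

# Constructed reference data (sample entries, not any EDR's real catalogue): where a
# well-known Windows DLL name is expected to load from, and user-writable path prefixes.
EXPECTED_DLL_DIRS = {"version.dll": {"c:\\windows\\system32", "c:\\windows\\syswow64"}}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed image-load telemetry, one JSON event per line. Forward slashes avoid
# escaping in the literals; PureWindowsPath normalises them to backslashes.
SAMPLE_EVENTS = [
    '{"process_path": "C:/Windows/System32/notepad.exe", "process_signed": true,'
    ' "dll_path": "C:/Windows/System32/version.dll", "dll_signed": true}',
    '{"process_path": "C:/Users/bob/AppData/Local/Temp/Vendor/Updater.exe", "process_signed": true,'
    ' "dll_path": "C:/Users/bob/AppData/Local/Temp/Vendor/version.dll", "dll_signed": false}',
    '{"process_path": "C:/Users/bob/AppData/Local/Temp/Vendor/Updater.exe", "process_signed": true,'
    ' "dll_path": "C:/Users/bob/AppData/Local/Temp/Vendor/helper.dll", "dll_signed": false}',
    '{"process_path": "C:/Program Files/Vendor/App.exe", "process_signed": true,'
    ' "dll_path": "C:/Program Files/Vendor/helper.dll", "dll_signed": false}',
]

def side_load_reason(event):
    """Return why an image load looks like DLL side-loading, or None if it looks benign.

    Heuristic 1: a DLL with a well-known system DLL name loads from a directory it
                 does not belong in (search-order hijack of a legitimate executable).
    Heuristic 2: a signed executable loads an unsigned DLL sitting beside it in a
                 user-writable directory (dropped payload next to a dropped signed host).
    """
    dll = PureWindowsPath(event["dll_path"])
    proc = PureWindowsPath(event["process_path"])
    dll_dir = str(dll.parent).lower()
    name = dll.name.lower()
    if name in EXPECTED_DLL_DIRS and dll_dir not in EXPECTED_DLL_DIRS[name]:
        return f"{name} loaded from unexpected directory {dll_dir}"
    beside_exe = dll_dir == str(proc.parent).lower()
    writable = dll_dir.startswith(USER_WRITABLE_PREFIXES)
    if event["process_signed"] and not event["dll_signed"] and beside_exe and writable:
        return f"signed {proc.name} loaded unsigned {name} from writable {dll_dir}"
    return None

def scan(lines):
    """Parse JSON event lines; return (host process image name, reason) per flagged load."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reason = side_load_reason(event)
        if reason:
            hits.append((PureWindowsPath(event["process_path"]).name, reason))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags only the two loads by the dropped `Updater.exe`; the system-directory load and the unsigned DLL under Program Files (not user-writable) pass.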

If ransomware does get a foothold, FortiEDR can roll back changes, such as changes to the registry. Its ability to make precision rollbacks to remediate the endpoint means you don't have to reimage the entire endpoint. This ability to roll back to a good state prevents the data loss and delays associated with reimaging.

Put the Power of AI in the Fortinet Security Fabric to Work

Threats come from all directions, but putting AI to work in your security operations center can help manage the deluge. The AI built into Fortinet technologies can help address the different threat vectors, and because these technologies are part of the integrated Fortinet Security Fabric, they all share threat intelligence to facilitate response to sophisticated malware, including ransomware and zero-day attacks.

Powered by FortiOS, the Fortinet Security Fabric is a cybersecurity platform that is designed to simplify the management of your security architecture with single console management, analytics, and workflow automation. These capabilities are also supported by a number of API-based integrations with Fortinet Fabric-Ready Partners. Additionally, the research team at FortiGuard Labs continues to develop new AI to process and analyze ever-increasing global threat data. The team shares new protections as actionable real-time threat intelligence and develops sophisticated AI engines that power Fortinet security solutions.

Even if an organization's security operations team is small and overwhelmed, adding AI and the power of the Security Fabric to its operations can improve its security posture significantly while reducing mitigation costs.

Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization’s entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.