Fortinet FortiEDR delivers advanced, real-time threat protection to endpoints both pre- and post-infection, proactively reducing the attack surface and preventing malware infection. FortiEDR combines endpoint protection with automated detection and response to guard against file-based malware, protect against malicious execution by both trusted and untrusted applications, and provide the investigation and remediation capabilities needed to stop attackers before they reach their goals.
Traditional EDR solutions typically require significant manual work from analysts to identify ransomware. As everyone in the cybersecurity industry knows, there is a substantial skills shortage. That shortage, combined with the alert fatigue analysts routinely face, leads to burnout and longer dwell time between detection and response. FortiEDR makes real strides in addressing these problems. It immediately blocks any file or process flagged as malicious and continues to learn about the attack afterward, providing continuous event classification and validation. It also uses behavior-based detection to surface suspicious process activity, including fileless attacks that leave no executable on disk to scan.
Policies provide the baseline for the FortiEDR solution and dictate how the agent perceives threats. There are four sets of policies: device control, ransomware, execution prevention, and post-execution. The execution prevention and post-execution policies are particularly noteworthy. Execution prevention policies implement machine learning-based rules that inspect every file before it is allowed to run. The decisions are made by Fortinet's in-house machine learning at the kernel level, which keeps the footprint on the endpoint small.
Post-execution policies are the foundation of many of FortiEDR's automation capabilities and center on exfiltration and ransomware prevention. These policies cover attacks that make it past execution prevention, without requiring the configuration to be constantly adjusted or fine-tuned. Unlike solutions that depend on indicators of compromise, this post-execution protection applies a fixed set of rules to judge every execution inline and in real time, while the suspicious process is running, so it does not need a prior signature for the threat it blocks.
The user-friendly dashboard shows an overview of flagged events. Policy configuration classifies each event as likely safe, inconclusive, PUP (potentially unwanted program), suspicious, or malicious. There are several ways to view event information, including a useful attack chain view that highlights each detection and supplies context such as the rules it triggered and its classification details. A forensic view displays events side by side and supports a deeper investigation.
Overall, we were impressed with Fortinet FortiEDR, especially considering that it is a relatively new Fortinet solution. Its endpoint protection, detection, and response capabilities reduce the attack surface through execution prevention and precise post-execution protection, and automation runs throughout the platform. FortiEDR fills a gap in Fortinet's already impressive suite of products and will likely benefit environments of all sizes. Once integration with the rest of the Fortinet Security Fabric is in place and security teams can seamlessly deploy FortiEDR alongside all other Fortinet products, look out.
Pricing starts at $29 per endpoint, per year, and includes 24/7 phone and email support. Organizations also have access to a knowledge base and an FAQ list. We have mixed feelings about the documentation, however: the installation documentation is effective, but the supplemental documentation covers only a limited number of topics. We expect the support material to mature alongside FortiEDR.
Written by Katelyn Dunn
Tested by Tom Weil