
Endpoint Detection and Response Architecture
Joe Martins, CISSP
Solutions Architect
Global Products & Solutions
January, 2020
Fortinet Endpoint Detection & Response Architecture

FortiEDR
Detecting sophisticated malware attacks.

FortiEDR is cloud native and enterprise ready, with the ability to easily scale to tens of thousands of endpoints. FortiEDR differentiates itself from other products in the market with features that include:

• Pre-execution prevention via a kernel-level Next Generation AntiVirus (NGAV) engine with machine learning features that prevents infection from known and unknown threats.
• Forensics with process and memory capture as well as process tree analysis and control.
• Threat hunting by searching across the recorded environment for processes or hash values.
• Contextual playbooks that can be created to automate response by subject host and incident classification. The playbooks enable different notification, isolation and remediation options.
• Attack surface reduction and virtual patching, achieved by mapping known vulnerability CVEs to applications discovered on the endpoint. A pre-canned policy can be implemented to isolate vulnerable applications until they can be patched. This is critical in an OT environment.
• A post-infection defusing mechanism that surgically isolates processes from communicating or modifying files, preventing data exfiltration and tampering while the server or workstation continues to be productive.
• IoT and rogue device discovery and control. This intelligence can be used in the Security Fabric to prevent vulnerable or unpermitted devices from communicating and, if compromised, from attacking.

Standalone: FortiEDR is an essential addition to the Security Operations organization, with built-in playbooks for automated response.

Fortinet Security Fabric: FortiEDR is also integrated into the Fortinet Security Fabric, and can interact with the FortiOS Automation Framework using automation stitches to respond to indications of attack or compromise at the network layer. Through the Fabric integration, FortiEDR can also respond to 3rd party security devices through integration with FortiSIEM, enabling control of over 400 other manufacturers' products. This same integration can make use of FortiNAC to control device access to over 2500 device types.
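As an added illustration, not FortiEDR's own code or API, the following models a contextual playbook keyed by subject host and incident classification that chooses between notification, isolation and remediation, keeps OT hosts productive by defusing the process instead of isolating the host, and applies virtual-patching isolation to applications mapped to known CVEs. Host groups, classification labels and action names are assumptions.

```python
from dataclasses import dataclass

# Constructed model of a contextual playbook; host groups, classification
# labels and action names are assumptions for illustration, not FortiEDR's.
HOST_GROUPS = {"workstation", "server", "ot"}
CLASSIFICATIONS = {"malicious", "suspicious", "inconclusive"}


@dataclass(frozen=True)
class Incident:
    host: str
    host_group: str              # which playbook context applies to the host
    classification: str          # outcome of incident classification
    process: str                 # offending process name
    vulnerable_apps: tuple = ()  # installed apps mapped to known, unpatched CVEs


def select_actions(inc: Incident) -> list[str]:
    """Return the ordered response actions a playbook would apply."""
    if inc.host_group not in HOST_GROUPS:
        raise ValueError(f"unknown host group: {inc.host_group}")
    if inc.classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification: {inc.classification}")

    actions = [f"notify:soc:{inc.host}"]  # every classification notifies the SOC

    if inc.classification == "malicious":
        if inc.host_group == "ot":
            # OT systems must keep running: defuse the process (block its
            # network traffic and file modification) rather than isolate the host.
            actions += [f"defuse:{inc.process}", "notify:ot-owner"]
        else:
            # Full remediation: cut the host off the network and quarantine.
            actions += [f"isolate-host:{inc.host}", f"quarantine:{inc.process}"]
    elif inc.classification == "suspicious":
        # Contain the process but leave the final judgement to an analyst.
        actions += [f"defuse:{inc.process}", "ticket:analyst-review"]
    # "inconclusive" only notifies so analysts can hunt further.

    # Virtual patching: isolate applications with known CVEs until patched,
    # regardless of how this particular incident was classified.
    actions += [f"isolate-app:{app}" for app in inc.vulnerable_apps]
    return actions


if __name__ == "__main__":
    ot = Incident("plc-gw-02", "ot", "malicious", "dropper.exe", ("legacy-hmi",))
    for action in select_actions(ot):
        print(action)
```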
FortiInsight
Detecting Insider Threats

Where FortiEDR focuses on sophisticated malware attacks, FortiInsight focuses on the end user via User & Entity Behavior Analytics (UEBA).

FortiInsight uses machine learning analytics to monitor endpoints, data movement, and other user activities. Using a lightweight collector on the endpoint, FortiInsight detects unusual behavior that may be malicious or in violation of policy. When integrated with FortiSIEM, FortiInsight provides organizations with complete visibility into their data activity, enabling them to reduce the risks of insider threats that can lead to breaches or compliance events.

FortiInsight provides:
• An endpoint collector for visibility into files being moved to or from cloud storage applications, instant messaging, and other applications moving data. In addition, it tracks the names of files being moved via encrypted means.
• UEBA, powered by rule sets and augmented with AI, that detects known and unknown threats ranging from malicious insider activity to compromised accounts.
• Recordings of user, machine, application, file, behavior, and network source/destination activities for a complete forensic level of detail to support investigation and compliance purposes.
• A big data storage architecture for endpoint metadata that allows for retroactive rules and the ability to see past events in the current context.
• A store-and-forward capability in the endpoint collector that reports potentially suspicious activity observed while offline, eliminating network blind spots.
• Big data technology to collect billions of events that are collated, analyzed, and presented to your security team, providing near-instant access to the information collected. For example, teams can see who downloaded a payroll database, why someone uploaded a customer list to certain IP addresses, and how many people used unapproved cloud storage applications.

These components of FortiInsight enhance visibility, delivering the information that security teams need to respond quickly and efficiently before risky or malicious behavior turns into a data breach.
Playbooks – Automated Response / A.I. Powered Cloud Consoles

Contextual playbooks by:
• Process
• Application
• Host
• Incident Classification

Granular response by classification:
• Notification
• Isolation
• Remediation
• Threat Hunting
• Automated Response
• Guided Response

[Architecture diagram: FortiGuard Cloud Services and FortiSandbox (Zero Day Detection, Malware Classification, Fabric Integration) shown above the Security Fabric components FortiGate, FortiSIEM, FortiNAC, FortiEDR, FortiInsight, FortiSwitch and 3rd party devices.]

Capabilities listed under each component in the diagram:

FortiOS
• IOT / OT Automation Framework
• Automation Stitches
• Fabric Connectors

FortiEDR
• NGAV / EDR
• Endpoint AI / ML
• Vulnerability Virtual Patching
• Application Isolation
• Process Control / Quarantine
• Air Gap Systems Support
• IOT Device Discovery & Control

FortiInsight
• User & Entity Behavior Analysis
• File Integrity Monitoring
• File Intrusion Prevention
• Insider Threat Detection
• Process Monitoring
• File Movement
• Policy Violation Alerting
• A.I. Based Behavior Violation Alerting
• Unified Collector

FortiSIEM
• Endpoint Response Actions
• Scalable Log Collection
• Audit Violations
• 3rd Party Response

FortiNAC
• Endpoint Posture Check
• 3rd Party AV / FW Status
• 3rd Party AV Signature Status
• 3rd Party Response
• Enforcement
• Admission Control
• Dynamic Policy
