Virtual Graffiti, Inc - Your Source for Technology Solutions

VG Tuesday Tips: Every Second Counts in Endpoint Protection: Why Real Time Matters

  Virtual Graffiti

Follow us for your more blog posts today!


By Fortinet | February 18, 2020

When dealing with wildfire – such as the raging fires that have devastated large parts of Australia, or the chronic fires that have been plaguing both Southern and Northern California the past several years – every second counts.

Seasoned firefighters need to do much more than simply douse a fire with water. Essential firefighting resources need to be stockpiled in the areas of most risk and properly distributed. Firefighting teams need to coordinate information between weather experts and firefighters on the ground and in the air to predict the direction a fire will head and then cut it off with fire breaks and retardants. Extra efforts need to be made to protect valuable structures and critical infrastructure, and that can only happen of those landmarks are identified before a fire starts. And evacuation plans and escape routes need to be pre-designated and protected, with alternative routes in place, so victims can get clear of danger.

Of course, the best firefighting strategy always starts with prevention. Underbrush is cleared away, break lines are already in place, homes are mapped and separated from vulnerable areas by clear-cutting forests back from property lines. But in spite of the best preparations, high winds and dry tinder are simply always going to make some regions of the world more prone to wildfires.

From Wildfires to Endpoints – The Principles Remain the Same

The exact same principles apply to endpoint security. When a device is targeted with malware, especially ransomware, if you don’t react immediately the fight is over – and you will have lost. Consider that WannaCry takes a mere 3 seconds to encrypt a file. And NotPetya, the cyber weapon designed to spread automatically and rapidly, was the fastest moving attack to date. By the time its victims saw the warning on their screen, their data center was already gone.

And worse, such an attack can quickly spread to other devices, and without an intervention plan in place, you will lose the chance to stop those threats from spreading like wildfire through your organization.

Because of these and literally thousands of other high-profile endpoint attacks, everyone should already know that endpoints are just one of those places in the network loaded with dry tinder and high winds waiting for a spark to set it off. In fact, according to a report from IDC, 70% of all successful network breaches start on endpoint devices. The number of exploitable operating system and application vulnerabilities – most of them unpatched – simply make endpoints an irresistible target for cybercriminals.

And while most CISO’s would agree that prevention is important, 100% effectiveness is simply not realistic. Not only is patching is intermittent, but all security updates trail behind threat outbreaks, zero day attacks can slip past security systems, and there will always be those few folks in your organization who won’t be able to resist clicking on that malicious email attachment. As a result, security teams need to operate under the assumption that their endpoints will eventually be compromised. And that’s why, in addition to prevention, real time detection and containment is critical.

Lag Times in Detection and Response Keep Organizations at Risk

The first step is to understand the kinds of threats in play. From a timing standpoint, there are the wildfires, such as ransomware, that can ruin a system in seconds. And then there are the slow-burn threats designed to steal data slowly and over time. In spite of all the press that ransomware attacks get, most confirmed data breaches have a long dwell time. In fact, the average mean time to identify a threat is 197 days, and another 69 days to contain a breach

Unfortunately, this is the bench mark that first-generation Endpoint Detection and Response (EDR) tools were designed for. The assumption was that there was enough time to manually respond to a slow-burn threat. And, in fact, the endpoint security industry has made important progress on detection speed (mean time to detect or MTTD), reducing detection times from weeks to days or even hours. But that is hardly comforting for organizations staring a high-speed ransomware attack in the face. And even if an EDR tool is able to detect an attack in real time, what good is that if it then takes an hour or more to manually contain the threat? If the case of a ransomware attack, your data is already gone and you don’t need the EDR’s help with detection.

The Power of Fortinet’s Endpoint Detection and Response Solution

FortiEDR was designed with a single clear goal in mind - stopping attackers from achieving their goals, whether data exfiltration or sabotage, by stopping their attack. By understanding the nature of ransomware behavior and similar high-speed attacks, FortiEDR has the unique ability to defuse and disarm a threat in real time, even after an endpoint is already infected.

FortiEDR does this with its OS-centric code-tracing technology, enabling it to immediately detect suspicious processes and behaviors, including in-memory attacks. As soon as FortiEDR detects something suspicious, it doesn’t wait. It immediately moves to defuse a potential threat by blocking external communications to the command and control server (C&C) and denying access to the file system. These steps immediately prevent data exfiltration, lateral movement, and ransomware encryption, thereby protecting you from data loss.

Addressing False Positives

Of course, if you’re paying attention you are probably wondering about false positives. If FortiEDR has to react in real time, what happens to legitimate application activities that raise a flag that results in suspension? This is why FortiEDR deploys a block without terminating the process or quarantining the endpoint. At least not yet.

Blocking a potential threat enables a split-second thorough assessment of the event in question. The FortiEDR backend cloud service quickly gathers additional information to classify the event as a threat or a benign process. If benign, the block is released with no detectable end user impact. However, if the event is confirmed as malicious, FortiEDR can respond with an automated action, such as terminating processes, removing malicious or infected files, endpoint isolation, notifying users, and opening a Help Desk ticket. Which response FortiEDR uses is based on playbooks provided by Fortinet that your security team can customize. This allows them to tailor automated responses to the unique requirements of their environments as well as specify actions based on things like endpoint groups and threat categories.

Five Stages of FortiEDR Protection

To dig a little deeper into the process, FortiEDR protects endpoints in the following FIVE stages:

Discover and Predict – FortiEDR proactively discovers and mitigates the endpoint attack surface. It does this by providing visibility into rogue devices and applications, identifying vulnerabilities in systems or applications, and proactively mitigating risks with virtual patching.

Prevent – Kernel-based next-generation AV provides automated prevention of file-based malware. When combined continuously updated cloud-based threat intelligence feeds and machine learning, FortiEDR will also become smarter over time to more effectively identify threats.

Detect and Defuse – Using behavioral based detection, FortiEDR is the only solution that provides post-infection protection to stop breach and ransomware damage in real time.

Respond and Remediate – Using its playbooks, security teams can orchestrate incident response operations, streamline and automate incident response and remediation processes, and keep affected machines online to prevent interrupting users and disrupting business without exposing the network to risk.

Investigate and Hunt – FortiEDR provides detailed information on threats to support forensics investigation. Its unique guided interface provides helpful guidance, best practices and suggests the next logical steps for security analysts.

Elegant and Effective Protection of Devices and Productivity

FortiEDR provides a much more elegant and effective solution over traditional endpoint protection solutions, especially when compared to the draconian response of endpoint isolation. Any security team would hesitate to impose a blunt tool to automate a response process like endpoint isolation due to the impact in can have on a user or department – especially given the concern of false positive. They would quickly lose organizational support if they just turned computers into bricks every time they detected a suspicious event.

But with the ability to simply defuse an event by cutting off communications and access to files, FortiEDR is able to effectively disarm the threat so it can no longer do any harm – it can’t touch your files and it can’t phone home – so your production systems on the manufacturing floor remain on-line, and your users can continue to stay productive. And by comprehensively securing endpoints in real time – both pre- and post-infection – FortiEDR also eliminates alert fatigue and breach anxiety, standardizes your incident response procedures, and optimizes your security operation resources with advanced automation.

The impact that FortiEDR can have on an organization is hard to overstate. One customer lauded that “enSilo (the former name of FortiEDR) is the first product in my 15-year career that makes me thing we have a chance”.

Win the race against time! Watch the video to see how FortEDR protects against attacks in real time, and while you’re there, register for a test drive.