FortiEDR - Advanced Endpoint Protection with Automated Detection and Response | Endpoint Security

GCC
11 May 202010:14

Summary

TLDRAndrew Caldwell from Ford Annette in Canada introduces 40 EDR, a lightweight and GDPR-compliant endpoint detection and response solution. It offers kernel-based protection with visibility into all processes, memory, and network access, making it unique among EDR agents. The script showcases how 40 EDR detects and responds to malware, including WannaCry, and its automated response capabilities. It also highlights integration with Fortinet's security fabric and the ability to manage communication control and discover unmanaged endpoints and IoT devices.

Takeaways

  • ๐ŸŒ **Cloud and On-Premise Options**: 40 EDR can be hosted in the cloud, installed on-premise, or in a hybrid setup, ensuring flexibility in deployment.
  • ๐Ÿ”’ **GDPR Compliance**: The solution is fully GDPR compliant, which is crucial for businesses operating within or interacting with the European market.
  • ๐Ÿ’ป **Cross-Platform Support**: The lightweight agent supports Windows, Macintosh, and Linux, making it versatile for various operating systems.
  • ๐Ÿ“Š **Low Resource Usage**: The agent is designed to be lightweight, consuming approximately 60MB of disk space and averaging between 70-100MB of RAM.
  • ๐Ÿ›ก๏ธ **Kernel-Based Protection**: 40 EDR offers unique kernel visibility into all processes, applications, disk read/writes, memory read/writes, network access, and registry access, enhancing security.
  • ๐Ÿ“š **Patented Technology**: Acquired through the purchase of In Silo, 40 EDR utilizes patented kernel-based protection methods for endpoint security.
  • ๐Ÿ”Ž **Real-Time Detection**: The solution can detect malware simply by writing it to the disk, even without execution, showcasing proactive threat detection.
  • ๐Ÿ”„ **Event Monitoring**: It provides detailed event monitoring and analysis, allowing users to track and respond to security incidents effectively.
  • ๐Ÿ› ๏ธ **Automated Response Playbooks**: 40 EDR can automate responses to security events, such as terminating processes, deleting files, or isolating endpoints.
  • ๐Ÿ”— **Integration Capabilities**: The solution integrates with other Fortinet products like FortiGate for SIM and sandboxing, enhancing the overall security fabric.
  • ๐Ÿ“ก **Communication Control**: It offers visibility into application communications and the ability to control them, including the option to block vulnerable applications from communicating until they are updated.

Q & A

  • What is the name of the solution being discussed in the script?

    -The solution being discussed is 40 EDR.

  • What are the different deployment options available for 40 EDR?

    -40 EDR can be cloud hosted, fully GDPR compliant and hosted in your region, installed on premise, in your own cloud, or in a hybrid situation.

  • What are the supported operating systems for the lightweight agent of 40 EDR?

    -The lightweight agent is supported on Windows, Macintosh, and Linux endpoints.

  • How much hard disk space and RAM does the 40 EDR collector agent consume on a Windows 10 machine?

    -The collector agent consumes approximately 60 megabytes of hard disk space and averages between 70 to 100 megabytes of RAM.

  • What unique feature of 40 EDR is discussed in relation to security policies?

    -40 EDR has kernel visibility into all processes, applications, disk read/write operations, memory read/write operations, network access, registry access, etc., due to its kernel-based protection which is patented.

  • How does 40 EDR's kernel-based inspection differ from other endpoint solutions?

    -Unlike other endpoint solutions that inject DLLs around commonly exploited processes, 40 EDR's kernel-based inspection allows visibility into every single running process without performance issues or interference with the process.

  • What is an example of a simple use case demonstrated in the script?

    -An example of a simple use case is the detection of malware being written to the disk, such as a WannaCry variant, which triggers an event even without execution.

  • What happens when the execution prevention policy is turned off in 40 EDR?

    -When the execution prevention policy is turned off, the WannaCry file is allowed to run, but the data exfiltration and ransomware policies still function, preventing the malware from successfully executing its malicious actions.

  • How does 40 EDR handle a scenario with a weaponized Word document containing an embedded macro?

    -When the macro is enabled, 40 EDR detects and logs the events, showing the process flow and any triggered rules from the ransomware prevention and exfiltration prevention modules.

  • What are some of the response options available in 40 EDR for dealing with detected threats?

    -Response options include treating, copying memory, remediating, deleting files, cleaning the registry, terminating processes, isolating endpoints, and moving them to a different security group with stricter policies.

  • What is the significance of the automated playbooks in 40 EDR?

    -Automated playbooks allow for automatic responses to events, such as terminating processes, deleting files, cleaning persistent data, isolating devices, or moving them to different security groups, without manual intervention.

  • How does 40 EDR provide visibility into network devices?

    -40 EDR can discover unmanaged endpoints and IoT devices on the network, providing a list of devices and their communication status, and allowing for actions such as blocking communication from specific vulnerable applications.

  • What integrations does 40 EDR have with other security solutions?

    -40 EDR integrates with FortiGate for SIM, SandBlast for sandboxing, and its integration is growing as part of the Fortinet security fabric.

Outlines

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Mindmap

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Keywords

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Highlights

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Transcripts

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now
Rate This
โ˜…
โ˜…
โ˜…
โ˜…
โ˜…

5.0 / 5 (0 votes)

Related Tags
Endpoint SecurityKernel ProtectionEDR SolutionsMalware DetectionAutomated ResponseCloud ComplianceData ExfiltrationRansomware PreventionThreat IntelligenceSecurity Policies