FortiEDR offers behavioral detection capabilities to detect living-off-the-land, fileless (memory-based), and script-based attacks. FortiEDR behavioral detection provides real-time containment by blocking external communication or access to the file system. FortiEDR surgically stops data breaches and ransomware damage in real time and automatically, allowing business continuity even on already compromised devices.
The FortiEDR Exception Manager offers a comprehensive feature set for creating granular exception rules based on multiple attributes, and can even create exceptions automatically if Fortinet Cloud Services (FCS) classifies an event as safe. FortiEDR allows exceptions based on collector groups, external destinations, and users. Further, security admins can add exceptions based on the security rule that triggered the event, in which case the admin can specify the following options:
- Specify “exact” path to the application or “any path” to allow an application to run
- Create an exception to allow an application when invoked by a specific process
Figure 1: FortiEDR Exception Handling
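The following is an added illustration, not FortiEDR code or its actual rule format, of how exception rules built from the attributes listed above (triggering rule, collector group, user, external destination, application path, and invoking parent process) evaluate against events. The event fields, the ExceptionRule class, and all sample paths and names are constructed for the example. It also shows the practical caveat behind the "exact path" versus "any path" choice: an "any path" exception keyed only on the image name also covers a same-named binary an attacker drops into a user-writable directory, whereas an exact-path exception scoped to the expected parent process does not.

```python
"""Toy model of EDR exception evaluation (added example, not FortiEDR's own logic).

Exception attributes mirror those the text lists; the data model, field names
and sample events are assumptions made for this illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

ANY = "*"  # wildcard: the attribute is not constrained by the exception


@dataclass(frozen=True)
class Event:
    rule: str          # security rule that fired, e.g. "Exfiltration"
    group: str         # collector group of the endpoint
    user: str
    destination: str   # external destination of the blocked connection
    path: str          # full image path of the process
    parent: str        # image name of the process that invoked it


@dataclass(frozen=True)
class ExceptionRule:
    rule: str
    app: str                       # exact path, or bare image name when any_path
    any_path: bool = False         # "any path" option: match image name only
    parent: Optional[str] = None   # "invoked by a specific process" option
    group: str = ANY
    user: str = ANY
    destination: str = ANY


def _norm(p: str) -> str:
    # Windows paths are case-insensitive; compare a normalised lower-case form
    return str(PureWindowsPath(p)).lower()


def matches(exc: ExceptionRule, ev: Event) -> bool:
    """True if every attribute the exception constrains agrees with the event."""
    if exc.rule != ev.rule:
        return False
    for want, got in ((exc.group, ev.group), (exc.user, ev.user),
                      (exc.destination, ev.destination)):
        if want != ANY and want.lower() != got.lower():
            return False
    if exc.any_path:
        if PureWindowsPath(ev.path).name.lower() != exc.app.lower():
            return False
    elif _norm(exc.app) != _norm(ev.path):
        return False
    if exc.parent is not None and exc.parent.lower() != ev.parent.lower():
        return False
    return True


def verdict(exceptions, ev: Event) -> str:
    """'allow' if any exception covers the event, otherwise the rule's 'block'."""
    return "allow" if any(matches(e, ev) for e in exceptions) else "block"


# Constructed sample events: a legitimate backup agent and an attacker's copy
# of a binary with the same name placed in a world-writable directory.
LEGIT = Event("Exfiltration", "Servers", r"CORP\backupsvc", "backup.example.net",
              r"C:\Program Files\Backup\backup.exe", "services.exe")
ROGUE = Event("Exfiltration", "Servers", r"CORP\backupsvc", "backup.example.net",
              r"C:\Users\Public\backup.exe", "powershell.exe")
LEGIT_WRONG_PARENT = Event("Exfiltration", "Servers", r"CORP\backupsvc",
                           "backup.example.net",
                           r"C:\Program Files\Backup\backup.exe", "cmd.exe")

# Tight exception: exact path, restricted to the expected parent and group.
EXACT = ExceptionRule("Exfiltration", r"C:\Program Files\Backup\backup.exe",
                      parent="services.exe", group="Servers")
# Loose exception: "any path" keyed only on the image name.
LOOSE = ExceptionRule("Exfiltration", "backup.exe", any_path=True)


def demo() -> dict:
    return {
        "exact/legit": verdict([EXACT], LEGIT),              # allow
        "exact/rogue": verdict([EXACT], ROGUE),              # block
        "exact/legit-wrong-parent": verdict([EXACT], LEGIT_WRONG_PARENT),  # block
        "loose/rogue": verdict([LOOSE], ROGUE),              # allow: over-broad
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} -> {v}")
```

When an exception must be broad (for example a tool that is legitimately launched from varying paths), constraining it by collector group, user, or invoking parent process narrows the window that a same-named rogue binary can exploit.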
FortiEDR Collector Capabilities
The FortiEDR collector sits in kernel space and has a local ML engine along with FortiGuard AV intelligence. Since FortiEDR runs in kernel space, it has a complete view of all processes and activities taking place on an endpoint. Because the ML engine and antivirus intelligence reside on the collector itself, the FortiEDR endpoint collector has the same intelligence as the FortiEDR core and can make block or allow decisions on its own. In the case of behavioral AI-based detections, the FortiEDR collector blocks the suspicious process, file access attempts, and even external communications while waiting for a decision from FCS.
Since the prevention and detection logic resides on the FortiEDR collector itself, FortiEDR offers comprehensive offline protection without requiring any cloud connectivity.
FortiEDR Static and Behavioral Analysis
FortiEDR offers customizable security policies (pre-execution prevention, exfiltration prevention, and ransomware prevention), each of which includes multiple rules. All rules inside these security policies are set to recommended default actions, which users can modify at their own discretion.
The pre-execution prevention policy is based on static analysis and offers NGAV functionality. The exfiltration and ransomware prevention policies are based on the behavioral AI models running inside Fortinet Cloud Services (FCS). FCS employs multiple detection techniques, as shown in the diagram below.
Figure 2: Fortinet Cloud Service
Fortinet Cloud Services also powers the customizable built-in Automatic Incident Response (AIR) playbook policies. Once FCS classifies an event, it directs the FortiEDR manager to perform a preconfigured action based on the event classification, as part of automated incident response.