TECH LOCK provides managed security services, and we technically vet all the vendors we use in our portfolio. While there are several top-notch endpoint detection and response solutions, we partner with Fortinet to provide the technology behind a fundamental component of our end-to-end managed security service, 24x7x365 managed EDR solution. 

Recently, we were questioned about our vendor of choice from a prospect. They asked, “How do you know the efficacy of Fortinet EDR technology solution, and will it protect better than the other vendors?” We normally do not get these questions because we take on the security challenges of our clients and provide SLAs (Service Level Agreements), so they do not have to worry about these deep technical questions. TECH LOCK provides each customer with the right mix of security for their business, upgrading their endpoint technology is a desire, but gaining overall better security outcomes for their spend is their goal. Endpoint security, especially with working from home and even in post-COVID hybrid remote work models create the largest potential attack surface for a business. So, it is important to address this component and share why we partner with Fortinet.  

Third-party security testing organizations were the main source of comparative reviews. Scenarios were thrown together from a collection of malware and exploit kits curated by the testing organization. Vendors did not have any control of the test, nor configuration of their product, so the outcomes were often contested and discounted. These organizations have since faded into the sunset leaving companies without any comparative understanding of the various endpoint security technologies.  

It is impossible to have a proof of concept that is grounded in real-world experience because threats are continuously changing. When endpoint security technologies were mostly anti-virus based and using signature detection, as soon as a new virus or malware was in play or was outside of the vendor’s library, security was at risk. 

Detection is even more complicated today. To detect something means you must have a framework of experience, relate what is currently happening with something similar, build upon this experience and then take the appropriate action or response. The problem is that adversarial tactics many times look like legitimate user activities. High false positives arise when solutions rely heavily on known threat intelligence. User experience declines when there is restrictive blocking of scripts.  

TECH LOCK did research, tested internally, and found that FortiEDR worked differently, and it continues to be the right choice. Recently Fortinet participated in a MITRE ATT&CK evaluation (ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge) based on the real-world recreation of Carbanak and FIN7 ATP threat campaigns. What is different about this evaluation is that MITRE is an independent organization reporting on the outcomes, they are not stack ranking or selling the results for profit, a quite different scenario than the testing of the past.   

This evaluation breaks down the attack, in this case, there were more than 20 different steps in the attack lifecycle, encompassing more than 170 sub-steps in the detection category, and 10 tests in the protection category. Again, many of the 170 sub-steps could look like legitimate user activity, but it is the threat actor navigating the system.  

The question to ask, is it important that every step in the detection category be identified? FortiEDR by design looks at sequences of behaviors, building confidence and minimizing false positives. FortiEDR blocked 100% of the attacks, stopping the breach, and preventing any damage. (For the record it did detect ~70% of the adversarial behaviors, technics, and tactics.) There are other vendors out there that point to 100% detection, however, they did not score 100% in the blocking of these threats.  

Blocking threats must be the priority, but it’s all in the details and each vendor brings different levels of security efficiency as measured by false-positive rates, along with a variety of different user experiences. In the age of ransomware, this is critical. Endpoint security needs a new approach, leaving many companies wondering what they should do, especially if they don’t have the round-the-clock staff or time. We’ve done the research and we bring to our customers the best-in-breed security technologies delivered as an end-to-end solution.  

To protect business TECH LOCK continuously monitors the security at the endpoint, reviews firewall, and log data, and investigates all security alerts and incidents. Clients are notified within 15 minutes of detected malicious activity. Each incident is reviewed by a security engineer within our security operations automation and response (SOAR) platform. While it’s good to block events on the endpoint, there are other connected paths in which adversaries will attempt. Our solution and expertise are focused on blocking but also preventing any additional movement early on for any attack. Using the cyber kill chain, much like the MITRE ATT&CK concept, gives a framework to understand the cyber-attack lifecycle. Using the cyber kill chain approach keeps attackers from entering your network, resources/servers, and endpoints. It does require quite a bit of intelligence and visibility into what’s happening. Without experience, even with the right technology, the thief will take longer to detect. The closer to the beginning of the chain you can block or detect and respond to a threat, the less potential for damage and associated ramifications.  

If you are looking for a managed security vendor that does more than just MDR, and are concerned about the threat of ransomware we can help. Contact us, info@techlockinc.com, and we’ll walk you through a recent security incident where our security team successfully tracked and chased a threat actor out of an organization.