
Introduction

7.0.0

Introduction

FortiNDR (formerly FortiAI) is Fortinet's first Network Detection and Response product. In addition to the Virtual Security Analyst™ with its neural-network-based malware detection technology, FortiNDR builds on FortiAI's technology with extended and added features that detect network anomalies and offer both automatic and manual mitigation techniques. FortiNDR is FortiAI renamed, keeping the original FortiAI malware analysis features and adding Network Detection and Response functionality.

FortiNDR is the next generation of Fortinet's malware detection technology. It uses Artificial Neural Networks (ANN), which can deliver sub-second malware detection and verdicts. The ANN mimics human analyst behavior through the Virtual Security Analyst (VSA)™, which is capable of the following:

  • Detect encrypted attacks (via JA3 hashes), and look for visits to malicious web campaigns, weak ciphers, vulnerable protocols, and network- and botnet-based attacks.
  • Profile traffic with machine learning and identify anomalies, with a user feedback mechanism to refine the results.
  • Detect malicious files in sub-second time through neural network analysis, including scanning of NFS file shares.
  • Analyze malware scientifically by classifying it based on its detected features, for example, ransomware, downloader, coinminer, and so on.
  • Trace the origins of an attack, for example, a worm infection.
  • Use Outbreak search with the similarity engine to search the network for malware outbreaks by hash and for similar variants.
  • Take advantage of Fortinet's Security Fabric with FortiGate(s) and other Fortinet Security Fabric solutions, along with third-party API calls, to quarantine infected hosts.

FortiNDR can operate in the following modes:

  • Sniffer mode, where it captures traffic on the network from a SPAN port (or a mirrored port when deployed as a VM).
  • Integrated mode with FortiGate devices and input from other Fortinet devices (see the release notes for supported devices), with inline blocking through FortiOS (7.0.1 and higher) AV profiles.
  • ICAP server mode, where FortiNDR serves ICAP clients such as FortiProxy and Squid.

All modes can operate simultaneously.

Key advantages of FortiNDR include the following:

  • Detect network anomalies with different techniques where traditional security solutions might fail.
  • Provide more context for attacks, such as the malware campaign name, the web campaigns that devices and users participate in, intrusions, and botnet attacks.
  • Trace and correlate the source of malware events, such as worm-based detections.
  • Manual and automatic mitigation (also known as Response) with Fortinet Security Fabric devices (such as FortiGate, FortiSwitch, and FortiNAC), as well as third-party solutions (via API calls).
