The recent Forrester Network Analysis and Visibility (NAV) Wave Report discussed how improved network visibility and network detection and response (NDR) tools "complement and integrate with security analytics platforms; security orchestration, automation, and response [SOAR] solutions; and extended detection and response [XDR] tools to provide complete visibility and analytics to enable zero trust and facilitate response." NDR tools are integral to a complete security operations program and critical to a proactive security posture.

What is NDR?

Security teams turn to NDR tools to spot and identify attacker behavior across the MITRE ATT&CK life cycle. By leveraging the power of artificial intelligence (AI) and machine learning (ML) to analyze network metadata, NDR solutions excel in detecting command and control, lateral movement, and data exfiltration techniques and sub-techniques.

In the report, Forrester states that network analysis and visibility (NAV) and NDR tools are critical to establishing an effective zero-trust framework. NDR tools provide "visibility into all network traffic-north, south, east, and west..." that Forrester notes is another "key zero-trust tenet." This visibility extends to inspecting payloads beyond contextual information contained in packet headers and providing deep packet inspection (DPI) to detect potential malicious payloads in a DNS request, for example.

Forrester notes several features that potential NDR customers should look for when evaluating NDR vendors:

1.  Have onboard or tightly integrated decryption capabilities: Decryption capabilities remove the ability for attackers to hide their activities in encrypted traffic and further extend visibility.

2.  An emphasis on the analyst experience: Forrester notes the security talent shortage. NDR vendors should address this situation by improving user interfaces to ensure analysts at any skill level can create effective investigations.

3.  Zero-trust network access (ZTNA) integrations: As the attack surface expands with an ever-increasing distributed workforce, it creates an additional visibility gap for tools focused on on-premises networks. NDR vendors must account for this issue by providing integrations with ZTNA vendors to ensure suspicious or malicious behavior can be detected regardless of location.

Fortinet NDR Solutions

With two flexible deployment options, FortiNDR for air-gapped environments and FortiNDR Cloud, Fortinet gives security teams the tools to detect, prioritize, investigate, hunt, and respond to attacks across the network.

FortiNDR Cloud is Fortinet's SaaS-based NDR offering. It leverages AI, ML, behavioral, and human analysis to inspect network traffic. FortiNDR Cloud sensors are deployed throughout the customer's network for metadata collection and sent to the cloud for analysis. The service also provides each customer with dedicated technical success managers who act as trusted advisors who share findings, tune configurations, and help organizations optimize NDR deployments. FortiNDR Cloud retains metadata for 365 days to enable retroactive hunting and analysis.

FortiNDR is the on-premises deployment option. It operates in an isolated environment, which ensures secure operations while providing deep insight into IT and operational technology (OT) network traffic. Sensors are deployed across the customer network, and analysis is conducted on-site.

Both solutions offer integrations with the Fortinet Security Fabric and numerous third-party solutions, such as EDR, SOAR, SIEM, and XDR. FortiNDR solutions ensure you can automate investigations and perform triage and remediation.

Fortinet Named a Strong Performer

Fortinet was named a Strong Performer in the Forrester Q2 2023 NAV Wave Report. In fact, Fortinet NDR solutions received the highest score possible in the threat detection and detection technologies criteria. Forrester noted that the "ThreatInsight acquisition will help deliver on Fortinet's superior vision of assisted threat hunting with virtual and automated assistance, which will help organizations experiencing a shortage of skilled personnel."

Fortinet NDR solutions enable effective response by:

Identifying sophisticated threats faster

NDR solutions that rely solely on AI/ML analysis tend to generate false positives as they learn the environment. By pairing human and machine-driven analysis, FortiNDR Cloud creates high-fidelity true-positive detections that are actionable by security analysts. Combining the power of these technologies ensures that anomalous and malicious behavior is detected and doesn't slip through the cracks.

For air-gapped deployments, FortiNDR uses a combination of artificial neural network and a Virtual Security Analyst to analyze and detect malicious files and network anomalies, such as encrypted attacks via JA3 hashes, malware-based behaviors like ransomware, downloaders, and coin miners, and attack origins like worm infections. FortiNDR also includes specialized signatures to detect and block malicious traffic targeting applications and devices in manufacturing, plant, safety, and other OT environments.

Both Fortinet NDR solutions provide decryption capabilities through tight integrations with the FortiGate Next-Generation Firewalls (NGFWs) and man-in-the-middle decryption devices.

Providing visibility across increasingly complex networks

Fortinet NDR solutions analyze network telemetry across on-premises, cloud, and hybrid network environments, detecting anomalous and malicious behavior without the need for endpoint agents.

In addition, FortiNDR Cloud integrates with FortiEDR and third-party EDR tools to provide unified visibility and extended response. By correlating endpoint detection data and network threat intel, analysts gain an end-to-end view of an attacker's actions, can identify unmonitored endpoints, and obtain contextual, enriched threat intel with endpoint data (such as device name, OS, MAC address, IP address), and isolate endpoints directly from the FortiNDR Cloud console to streamline response.

Regarding these integrations, Forrester commented that "Fortinet's integrations with the broader Fortinet portfolio provide exceptional visibility across disparate networks and the remote workforce."

FortiNDR Cloud also integrates with ZTNA providers to analyze traffic from remote office and work-from-home locations to ensure complete visibility across the organization regardless of location.

Helping overburdened SOC teams streamline response

Just detecting malicious or suspicious behavior is only the start. SOC analysts and threat hunters need tools that take their needs into account. In fact, the Forrester NAV Wave report states vendors are implementing "contextual UIs to help SOC analysts of all skill levels across the entirety of their workflows." Fortinet strongly believes that the analyst experience ensures the success of our NDR solutions.

For each detection, FortiNDR Cloud provides security analysts with detection severity scores and relevant threat intelligence to assist them in prioritizing response efforts. Detection severity is determined based on the potential impact on the confidentiality, integrity, or availability of the customer's system and resources if the activity is confirmed to be a true positive. These severity scores are listed as high, moderate, or low, where the high severity detections would cause the most damage. FortiNDR Cloud provides actionable next steps to aid with remediation and investigatory efforts.

Fortinet NDR solutions address attacker behavior across the full breadth of the MITRE ATT&CK life cycle, from the earliest stage of reconnaissance and weaponization all the way through to the cybercriminal's ultimate objective. Spotting evidence of attacker behavior early helps enable a more effective response. 

To learn more about network detection and response solutions, FortiNDR and FortiNDR Cloud, download the complete Forrester Network Analysis and Visibility (NAV) report.