We could start the store the same way a lot of blogs often do: “In an evolving world of advancing cyberthreats…”
It’s almost a meme that we spend a lot of time on “rapidly evolving” threats and hearing that the stakes could never be higher and on and on with doom-driven marketing. Meanwhile, some of the most effective threats come in seemingly unexcting ways. That is where having a methodology to handle the whole spectrum of attack vectors is needed.
Fortinet as a Portfolio of Resilient Options
The team at Fortnet are sharing a few of the portfolio products they have at Tech Field Day CFD22 which gave a real hands-on view of what a comprehensive security practice needs to look like. This is also the first chance I’ve had to see how the Lacework acquisition and integration has come together.
Modern Security for Modern Applications
Fortinet shared more on the integration of AI capabilities
- Acquire signal
- Enrich with additional context
- Analyize
- Corrent
Demo Time!
This is where the fun happens. Time to dive into how Fortinet with Lacework and the new FortiCNAPP platform work in the wild.
This is where we start to
The attack flow here is elegant in its simplicity:
- Discover Java application
- Exploit Log4j shell vulnerability
- Move laterally
- Open shell via discovered root access to the underlying cluster
- Use AWS CLI to build a new identity
- Wait…
Persistence and Patience: LOTL
Living of the Land (LOTL) is where the real problems we should fear are. Our first exploit isn’t the one that will be the largest problem. Now, we have a new resident inside our network. They are patiently waiting for the right opportunity to lauch the real attack.
What are the risks that we have to weigh at this point? It’s important to understand what the common issues are, and what the compensating controls are.
The application we are looking at in this case is an ecommerce application.
The video of the demo is the best place to look, but as we see what the composite alerts are to show lots of detail about the issue.
This helps to fully understand the issue, adding context, and also providing remediation actions and recommendations.
Next Stop: Network Intelligence
Ingesting network access data is the next layer as we marry what is happening with the agents inside different cloud elements to the lateral activity. The sheer amount of data to analyze is an obvious opportunity to leverage AI and ML for pattern recognition, anomaly detection, and advanced matching of behaviors to potential threats.
There are a few ways the
Detecting and stopping outbound requests to command and control endpoints as well. There are a lot of heuristics that Fortnet is able to identify as likely
There are really interesting ways that Fortinet is developing the end-to-end solution set including lots of patented methods which show their focus on innovating early with a lot of capabilities.
This is why we see the need for a “whole of environment” approach to monitoring and detection paired with as much automation for mitigation and remediation as possible.
Chat with Your Incident
There are some really great features added since the last time I saw Fortinet present. The full integration of FortiAI lets you do things like chat with your incidents to dive more into details about it, and how to mitigate.
Detect -> Do
There is a lot more to explore on what the remediation and mitigation side looks like. What I really like about the Fortnet session is that they showed a strong and broad set of capabilities to detect issues with a very high signal to noise ratio. Trusting the source is what is needed before you move to any remediation, especially when automation is involved.
There is a clear bias towards action with the Fortinet product set. There are 80 products in the entire portfolio which means there is a lot to look at. I appreciate the focus of the team on their goal of covering the entire attack surface.
There are a lot of great reasons to dig in more and I’ll have a follow up with a full deep dive into some of the tooling shared in the demo session.
Keep your eyes on Fortinet, and I’m really glad to see the Lacework platform and team land in a great place to keep innovating.