FortiEDR components
Overview
The FortiEDR platform is a distributed architecture that collects the connection establishment flow of your organization’s communicating devices directly from each device’s operating system internals. FortiEDR analyzes the chain of events that preceded each connection establishment request and determines whether the request is malicious. The system can then enforce your organization’s policy by blocking the request before the connection is established, preventing exfiltration.
The FortiEDR platform is comprised of the following components:
FortiEDR Collector
The FortiEDR Collector is an agent that resides on every communicating device in your enterprise, including desktops, laptops and servers.
By default, the Collector runs in autonomous mode. On every attempt by the device to establish a network connection or modify a file, the Collector gathers the required metadata and analyzes it locally to determine whether the process performing the action is legitimate. You can instead configure the Collector to use a Core for the metadata analysis; in that case the Collector holds the connection establishment until it receives an authorization decision from the Core.
- Pass: Legitimate requests are allowed with negligible latency.
- Block: Malicious exfiltration and file-modification attempts are blocked.
If third-party software attempts to stop the FortiEDR Collector service, the system prompts for the registration password, which is the same password used when installing the Collector. If an incorrect password is supplied at the prompt, the message Access Denied is displayed on the Collector device and the FortiEDR Collector service is not stopped. For details about the password required in this situation, refer to Component authentication.
A FortiEDR Collector should be installed on each communicating device in your organization. The Collector is available for Windows, macOS, and Linux systems. The Collector establishes the following connections with other FortiEDR components:
- To the FortiEDR Aggregator: The FortiEDR Collector first sends registration information to the FortiEDR Aggregator over SSL/TLS, and thereafter sends ongoing health and status information and security events.
- From the FortiEDR Aggregator: The FortiEDR Collector receives its configuration from the FortiEDR Aggregator.
- To the FortiEDR Core: The FortiEDR Collector sends the following information:
  - Compressed activity events that are later used for Threat Hunting
  - Communication-related data used by Communication Control
  - (Non-autonomous mode only) Metadata used to determine whether a specific action should be blocked or passed
- From the FortiEDR Core: The FortiEDR Collector receives authorization (pass) or denial (block) for each held connection establishment request.
When the Collector is configured to use a Core for the metadata analysis (that is, it is not running in autonomous mode) and all Cores become unreachable because of connection issues or errors, the Collector switches to autonomous mode automatically after one minute and continues to protect the device by analyzing the metadata locally. It then keeps trying to reconnect to a Core at intervals ranging from a few seconds to a few minutes, with the interval depending on the number of errors in previous attempts.
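The fallback behaviour described above, as an added Python model (not Fortinet’s code): a Collector that holds each connection request, asks its Cores for a verdict, falls back to local analysis when they are unreachable, flips to autonomous mode after one minute of failures, and throttles its reconnection attempts. Everything not stated on the page is an assumption here: the Core protocol is abstracted as a callable per Core, a request whose Cores are all unreachable is decided locally right away, and the reconnect interval doubles per consecutive error between 5 seconds and 5 minutes.

```python
"""Model of the Collector's Core-authorization path and its fallback to
autonomous mode. Added illustration, not Fortinet's code: each Core is
abstracted as a callable, a request whose Cores are all unreachable is decided
locally right away (assumption), and the reconnect interval is assumed to
double per consecutive error between 5 seconds and 5 minutes."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

PASS, BLOCK = "pass", "block"
AUTONOMOUS_AFTER_S = 60            # page: switch after one minute of Core unreachability
RETRY_MIN_S, RETRY_MAX_S = 5, 300  # assumed bounds for "a few seconds to a few minutes"


class CoreUnreachable(Exception):
    """Raised by a Core stub when the connection fails or the Core errors out."""


@dataclass
class Collector:
    cores: list[Callable[[dict], str]]     # Core(metadata) -> PASS | BLOCK, or raises
    local_analyze: Callable[[dict], str]   # the Collector's own autonomous analysis
    autonomous: bool = False
    first_failure_at: Optional[float] = None
    consecutive_errors: int = 0
    next_retry_at: float = 0.0

    def _ask_cores(self, metadata: dict) -> str:
        """Try each Core in turn; a successful answer clears the failure state."""
        for core in self.cores:
            try:
                verdict = core(metadata)
            except CoreUnreachable:
                continue
            self.consecutive_errors = 0
            self.first_failure_at = None
            self.autonomous = False            # back to Core-authorized mode
            return verdict
        raise CoreUnreachable("all Cores unreachable")

    def authorize(self, metadata: dict, now: float) -> str:
        """Decide a held connection-establishment request at time `now` (seconds)."""
        if self.autonomous and now < self.next_retry_at:
            return self.local_analyze(metadata)     # backoff in effect: do not poll Cores
        try:
            return self._ask_cores(metadata)
        except CoreUnreachable:
            self.consecutive_errors += 1
            if self.first_failure_at is None:
                self.first_failure_at = now
            if now - self.first_failure_at >= AUTONOMOUS_AFTER_S:
                self.autonomous = True
            backoff = min(RETRY_MAX_S, RETRY_MIN_S * 2 ** (self.consecutive_errors - 1))
            self.next_retry_at = now + backoff
            # The device stays protected: the request is analysed locally, not waved through.
            return self.local_analyze(metadata)


def demo() -> list[tuple[float, str, bool]]:
    """Constructed scenario: the only Core is down for the whole run.
    Returns (time, verdict, autonomous_mode) for each held request."""
    def dead_core(_metadata: dict) -> str:
        raise CoreUnreachable()

    def local(metadata: dict) -> str:
        # Constructed local rule: a script host spawned by a document handler is blocked.
        return BLOCK if metadata.get("parent") == "winword.exe" else PASS

    collector = Collector(cores=[dead_core], local_analyze=local)
    request = {"process": "powershell.exe", "parent": "winword.exe", "dst": "203.0.113.10:443"}
    return [(t, collector.authorize(request, t), collector.autonomous) for t in (0, 30, 61, 70)]
```

The design point worth noticing is that Core unavailability never fails open: a held request is still analysed by the Collector’s own logic, and once a Core answers again the Collector drops back out of autonomous mode.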
Negligible footprint
The FortiEDR Collector retains only a limited amount of metadata on the device, keeping CPU usage very low and storage requirements to a minimum. Network traffic is also low: the Collector sends activity events to the Core, whose volume depends on the amount of activity on the device, and small security events to the Aggregator. Message compression further reduces the traffic sent over the network. Refer to Before you start for the exact system requirements.
Quick and easy installation
The FortiEDR Collector is delivered as a standard installer package that can be deployed with standard remote unattended deployment tools, such as Microsoft SCCM. No local configuration or reboot is required; however, a reboot ensures that any malicious connections established before the installation are blocked and tracked by FortiEDR once the system is back up. Upgrades can be performed remotely and are rarely needed, because most of the analysis logic resides in the FortiEDR Core.
Event Viewer
The Windows Event Viewer records whenever a FortiEDR Collector blocks communication from a device, as described in Event Viewer.
FortiEDR Core
The FortiEDR Core is the security policy enforcer and decision-maker. It determines whether a connection establishment request is legitimate or represents a malicious exfiltration attempt that must be blocked.
FortiEDR collects OS stack data and thread- and process-related data, and analyzes the executable files involved, to determine the nature of every connection request, as follows:
- When Collectors are configured to use a Core and the policy is in prevention mode, every connection establishment request in your organization must be authorized by a FortiEDR Core, which enables the Core to block each outgoing request that is malicious.
- Each connection establishment request reaching the FortiEDR Core is enriched with metadata collected by the FortiEDR Collector that describes the operating system activity that preceded it.
- The FortiEDR Core analyzes that flow of events and determines whether the request is malicious. It then enforces your organization’s policy by blocking the request, or only logging it, in order to prevent or record the exfiltration.
- Because the flow of events that preceded the request is collected, FortiEDR can determine where in that flow the malicious activity originated.
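As an added illustration of the decision flow described above (not FortiEDR’s own code or detection logic), the Python model below makes a verdict over the events that preceded a connection request and also returns the event at which the process lineage turned malicious, which is what lets an analyst see where the foul occurred. The event schema, the single rule (a script host descended from a document handler), the process categories, and the sample event flow are all constructed for this example.

```python
"""Toy model of a Core-side decision over the flow of events that preceded a
connection request. Added illustration, not FortiEDR's detection logic: the
event schema, the single rule, and the sample events are all constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    seq: int           # position in the event flow reported by the Collector
    kind: str          # "process_start" or "connect"
    pid: int
    ppid: int
    image: str
    detail: str = ""   # command line, destination, etc.


# Constructed categories for the toy rule.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}


def lineage(events: list[Event], pid: int) -> list[Event]:
    """Process-start events from `pid` back to the root, connecting process first."""
    by_pid = {e.pid: e for e in events if e.kind == "process_start"}
    chain: list[Event] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:   # `seen` guards against PID-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def decide(events: list[Event], connect: Event, prevention: bool = True) -> tuple[str, Optional[Event]]:
    """Return (verdict, offending_event).

    verdict is "block" (prevention mode) or "log" (log-only mode) when the rule
    matches, else "pass". The offending event is the process start at which the
    lineage turned malicious, i.e. the first process a document handler spawned.
    Only events that preceded the connect request are considered."""
    prior = [e for e in events if e.seq < connect.seq]
    chain = lineage(prior, connect.pid)
    if not chain:
        return "pass", None
    me, ancestors = chain[0], chain[1:]
    origin = next((a for a in ancestors if a.image in DOCUMENT_HANDLERS), None)
    if me.image not in SCRIPT_HOSTS or origin is None:
        return "pass", None
    foul = next(e for e in chain if e.ppid == origin.pid)
    return ("block" if prevention else "log"), foul


# Constructed sample flow: a macro-enabled document spawns cmd -> powershell,
# which then tries to connect out; a browser connects out normally.
SAMPLE_EVENTS = [
    Event(1, "process_start", 100, 1, "explorer.exe"),
    Event(2, "process_start", 200, 100, "winword.exe", "invoice.docm"),
    Event(3, "process_start", 300, 200, "cmd.exe", "/c powershell -NoProfile"),
    Event(4, "process_start", 400, 300, "powershell.exe", "-NoProfile -EncodedCommand <omitted>"),
    Event(5, "connect", 400, 300, "powershell.exe", "198.51.100.7:443"),
    Event(6, "process_start", 500, 100, "chrome.exe"),
    Event(7, "connect", 500, 100, "chrome.exe", "203.0.113.5:443"),
]


def demo() -> list[tuple[int, str, Optional[int]]]:
    """For each connect event: (connect seq, verdict, seq of the offending event)."""
    out = []
    for e in SAMPLE_EVENTS:
        if e.kind == "connect":
            verdict, foul = decide(SAMPLE_EVENTS, e)
            out.append((e.seq, verdict, foul.seq if foul else None))
    return out
```

Note that the verdict is attached to the connect request (event 5) while the offending event is the earlier process start (event 3): the lineage, not the destination address, is what the decision rests on.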
One or more FortiEDR Cores are required, depending on the size of your deployment (up to 50 FortiEDR Cores). The Core establishes the following connections with other FortiEDR components:
- To the FortiEDR Aggregator: The FortiEDR Core sends registration information the first time it connects to the FortiEDR Aggregator, and thereafter sends events and ongoing health and status information.
- From the FortiEDR Aggregator: The FortiEDR Core receives its configuration from the FortiEDR Aggregator.
The FortiEDR Core is typically deployed at your organization’s exit points, but it is not inline: it reviews only the metadata sent by FortiEDR Collectors and never sees the outgoing traffic itself. It is a central, Linux-based, software-only component that can run on any server or VM that has a static IP address.
FortiEDR Aggregator
The FortiEDR Aggregator is a software-only component that acts as a proxy for the FortiEDR Central Manager and offloads processing from it. All FortiEDR Collectors and FortiEDR Cores interact with the Aggregator for registration, configuration, and monitoring. The Aggregator consolidates this information for the FortiEDR Central Manager and distributes the configuration defined in the Central Manager to the Collectors and Cores.
Most deployments require only a single FortiEDR Aggregator, which can be installed on the same server as the FortiEDR Central Manager. Larger deployments of over 10,000 FortiEDR Collectors may require additional Aggregators, which can be installed on machines other than the Central Manager.
FortiEDR Central Manager
The FortiEDR Central Manager is a software-only central web user interface and backend server for viewing and analyzing events and configuring the system. Chapters from Security Settings to Forensics describe the user interface of the FortiEDR Central Manager. The FortiEDR Central Manager is the only component that has a user interface. It enables you to:
- Control and configure FortiEDR system behavior
- Monitor and handle FortiEDR events
- Perform deep forensic analysis of security issues
- Monitor system status and health
FortiEDR Cloud Service
The FortiEDR Cloud Service (FCS) enriches system security by performing a deep analysis and investigation of each security event to determine its classification. FCS is a cloud-based, GDPR-compliant, software-only service that determines the exact classification of security events and acts on that classification.
FCS classifies security events by enriching the event data and applying automated and manual analysis. These processes may include (partial list) threat intelligence services, static and dynamic file analysis, sandboxing, machine-learning analysis of the event flow, commonality analysis, and deductions from crowdsourced data.
Besides confirming or changing an event’s classification, once connected, FCS can also trigger follow-up actions, which fall into two main categories:
- Tuning: Automated security event exceptions (allowlisting). After a triggered security event is reclassified as Safe, an automated cross-environment exception can be pushed downstream and the event expired, preventing it from triggering again. For more details, see Exception Manager.
- Playbook Actions: All Playbook policy actions are based on the final determination made by FCS. For more details, see Playbook policies.