
NSE3 FortiAI Complete Downloadable

This document provides an overview of the NSE3 FortiAI product training course. It begins with defining artificial intelligence (AI) and the three main AI model categories. It then discusses how Fortinet has been researching AI since 2012 to develop their AI-based product called FortiAI, which uses deep neural networks. The key features of FortiAI are described as being an on-premise appliance that can detect and investigate threats in under 100 milliseconds using a self-learning AI model. The document outlines how FortiAI can be deployed and integrated with FortiGate devices. It concludes by examining sales strategies for FortiAI, recommending starting with financial services, healthcare, and government verticals, as well as targeting C-level executives and security directors

NSE3 FortiAI

Welcome to the FortiAI product training.



These are the topics we will explore in this course, beginning with a product overview.

After completing this course, you should be able to:


• Identify the business drivers and security challenges customers currently face
• Describe the FortiAI product key features
• Identify the sales strategies for, and competitive advantages of, FortiAI

All organizations, from small businesses to MSSPs, are targets of cyber attacks. The sad reality in today’s
world is that defending against every cyber threat is an impossible task, because:
• Cybersecurity analysts are overwhelmed, and
• There is a significant and growing shortage of personnel with cybersecurity skills
• Thus, most organizations are forced to recruit and train junior employees


Artificial Intelligence (AI) has already impacted people, processes, and technologies across industries. Online shopping,
GPS-assisted travel, self-driving cars, online movie and TV-show recommendations, and automated car factories are a
few examples.


Before we delve deeper into AI for security, let’s define what AI is. AI is the capability of a machine to imitate intelligent
human behavior. The three recognized AI model categories are Machine Learning, Artificial Neural Networks, and Deep
Neural Networks. As we move from left to right, the models become more sophisticated.


Machine Learning uses data to refine how computers make predictions or perform tasks. In this example, we are
teaching the machine the letters of the alphabet so it is able to classify words like ‘bee’.


Artificial Neural Network is more sophisticated than Machine Learning. It is defined as a system of hardware and/or
software patterned after the operation of neurons in the human brain. In this example, we teach the machine the
concept of bees and the various specimens within a category so it can recognize the differences.


Deep Neural Networks (DNN) is the most sophisticated form of AI. It is defined as multiple Artificial Neural Network
layers that exist between the input and output layers to model complex non-linear relationships. In this example,
dedicated ANN layers learn about the various specimens of bees, the difference between day and night, and the
distinguishing characteristics of different physical environments. DNN uses the layers of ANN to fully describe the
picture on the right.


We have introduced the three AI model categories to help you better position and describe FortiAI.

Fortinet was an early researcher into AI as an enabler of security. In 2012, FortiGuard Labs built a deep learning model
known as Self Evolving Detection Systems or SEDS based on Artificial Neural Networks to help its researchers analyze
the millions of malware samples and extract billions of malware features daily.

In 2016, Fortinet deployed SEDS as a means to empower anti-malware engines to apply threat intelligence more
quickly and effectively. Anti-malware engines are embedded in various Fortinet products, such as FortiGate.

In 2020, building on eight years of research, Fortinet released its most sophisticated AI-based product, FortiAI,
which uses Deep Neural Networks. Described as a Virtual Security Analyst, it not only self-learns but can be
deployed on-prem.


FortiAI leverages Deep Neural Networks to identify and classify threats, and uncover malware outbreaks in less than a
second. Importantly, it works with existing security controls to block threats targeting IT and OT segments in real-time.


The five key features of FortiAI are:


- An on-premise appliance that comes pre-trained with six plus million malware features
- Based on eight plus years of development and training by FortiGuard Labs
- Powered by a patent-pending self-learning AI model, based on DNN
- Detects and investigates threats in less than 100 milliseconds
- And handles 10G of network throughput


FortiAI comes with a pre-trained AI that contains a database of 6+ million malware features. When an object is
introduced to FortiAI,

• It is broken into code blocks as it is fed into multiple layers of nodes that determine if the feature is either
malicious or clean based on the malware feature database

• Each node represents a neuron in a human brain that provides a weight at the end of its analysis

• After the entire analysis is completed, a decision is made as to whether the object is a threat

• This entire process happens in a split second

If FortiAI discovers a new malware feature, it is written to a separate customer malware feature database and is
combined with the pre-existing malware feature database used during subsequent analysis of new objects.


To build a robust deep learning model, FortiGuard Labs measures FortiAI’s security efficacy and number of false
positives as part of the pre-training goals. In the initial stage of training, it’s natural for the FortiAI detection efficacy to
be much lower than that of a FortiGuard analyst. With fine-tuning and constant learning, FortiAI gains more experience in
identifying malware features, and it eventually surpasses human analysts. This self-learning capability allows FortiAI to
evolve even further, improving its detection and false positive rates at speeds that humans cannot match.


FortiAI can be deployed in campus, data center, air-gap or OT networks.

It works in stand-alone mode via SPAN traffic from a switch or via network TAPs. FortiAI also accepts external
submissions via JSON API and on-demand submissions for threat analysis, which returns verdicts in less than a second.

FortiAI integrates with FortiGate devices where FortiGate is required to decrypt or pass unencrypted objects to FortiAI.
And in response, FortiAI can trigger various actions on FortiGate, such as IPBan, to disrupt a live attack.

FortiAI is available as either a hardware or virtual appliance. For organizations who require the highest performance,
the hardware appliance comes with built-in GPUs that are designed to accelerate AI deep learning and can process up
to 100,000 files per hour. FortiAI VMs come in two flavors—the 16 vCPU and the 32 vCPU. These models can process
up to 14,000 files per hour and 22,000 files per hour respectively.


Good job! You now understand FortiAI, and its features and benefits.

Now, let’s examine specific sales strategies and other FortiAI-related sales enablement topics.

Please continue to the next lesson.



Welcome to the sales enablement lesson of the FortiAI sales product course.

Now that you have completed the FortiAI product overview, let’s examine specific sales strategies and other
FortiAI-related sales enablement topics.

Profoundly, FortiAI does not have a market yet, based on Gartner threat-facing technology definitions. However,
Fortinet feels strongly it will impact the overall Threat Detection and Response market, which is $8.7 billion per IDC
estimates for 2020.


From the vertical standpoint, we recommend starting with financial services, healthcare, and government as they are
often the first to adopt new security technology. However, any customer who is suffering from an InfoSec skills
shortage, is overwhelmed with cyberthreats, or is integrating AI as part of their security strategy, would also make
good candidates.

As for personas, we recommend targeting executives, such as the CISO, CIO, and CFO, since they manage resources
and they contend with the ongoing skills shortage pain point. But let’s not forget the folks who directly feel this pain on
a daily basis, and that includes the VP or Director for IT Security and the Security Architect.


In order for your pitch to resonate with these personas, let’s break down how you should position FortiAI.

FortiAI leverages the Deep Neural Networks model to mimic a Security Analyst’s investigation into a cyber breach. This
distinctive ability entails identifying and classifying the threat and then investigating for lateral movement to neutralize
it.

The millisecond speed at which FortiAI identifies threats disrupts the cyberattack playbook and stifles the attack.
Moreover, the self-learning ability of FortiAI allows it to immediately adapt to new threats. These distinctive
characteristics enable SecOps to confront the increased volume, velocity, and sophistication of threats.


FortiAI uses Deep Neural Networks to scientifically analyze millions of malware characteristics to accurately classify the
type of threat, be it ransomware, trojan, backdoor, or some other method. This, in turn, reduces false positives.
Classification uncovers masquerading malware, which is malware disguised as legitimate objects or a different malware
type. Masquerading malware not only can evade security controls but prolongs mitigation efforts.


FortiAI speeds investigation by analyzing the threat in a kill chain format, highlighting the tactics used for the attack. It
also analyzes threat movement and accurately identifies patient-zero and subsequent victims in real-time. This helps
eliminate manual investigation of a malware outbreak that overburdens security analysts today.


Lastly, FortiAI automatically signals FortiGate to quarantine threats. This FortiAI and FortiGate integration reduces
manual mitigation efforts during a real-time attack or a malware outbreak scenario.


Let’s look at how security analysts have traditionally responded to advanced, self-propagating ransomware, such as
WannaCry. The malware could be detected directly by an alert from an impacted user or from the SOC dashboard.
With respect to the dashboard, the challenge often is distinguishing between legitimate threats and the thousands of
false positives.

In the second phase of the response life cycle, an analyst may need to look into the various security solutions
and review the logs and alerts to understand the behavior of the malware. This may include researching external
resources. The analyst needs to assess if the incident is isolated to one device or if the malware has infected other
devices. Finally, armed with this information, the analyst must craft a mitigation plan.

In response to the threat, the analyst must quarantine the infected devices or network segment to curtail the spread of
the contagion. Then, remediation can begin. Thereafter, upon success, the ticket can be closed. All in all, it can take
more than seven hours to get the situation under control.


Now let’s contrast the same example with the use of Neural Networks, such as FortiAI, to augment the Security
Operations team. In the detect phase, FortiAI classifies the threat as ransomware in under one second. Should the
ransomware exhibit never-before-seen features, FortiAI will learn about them and adapt.

In the investigate phase, FortiAI uses the WannaCry kill-chain with contextual threat intelligence to confirm the
malware’s identity. It also identifies any lateral movement by WannaCry and the infected devices. The security analyst
can use this information to build their mitigation plan.

In the response phase, FortiAI instructs a NGFW, such as FortiGate, to quarantine impacted devices automatically. The
analyst can then proceed to perform any necessary remediation and close the ticket. Since AI has done much of the
heavy lifting, the complete response life cycle would take minutes, not hours.


Here are examples of how to get the prospect to discuss their pain points.

With the increasing volume, velocity, and sophistication of cyberattacks, how concerned are you that a missed security
alert may result in a data breach? Most organizations have overburdened SecOps teams because of limited staff and an
overwhelming number of alerts to respond to.

How long does it take your Security Operations team to fully investigate a threat? Based on Verizon’s DBIR 2019, 56%
of organizations take months to discover a threat. This has prompted organizations to either enhance security
resources or look at AI-based solutions to offload SecOps duties.

To help qualify the opportunity, it’s good to understand the customer’s hiring plans for the next six months. The reality
is that due to the on-going cybersecurity workforce gap, hiring may take quite a bit longer than they expect.

Another valid consideration is the number of security analysts the customer is planning to hire. Based on [Link],
an experienced five-year SecOps analyst can demand an annual salary anywhere between 92 and 124 thousand dollars,
if you manage to find one. In all likelihood, junior hires are more feasible, but they need additional training and
support. To solve this quandary, consider FortiAI, which captures 20+ years of FortiGuard Labs in a box and which
mimics a SecOps analyst by detecting, classifying, and investigating sophisticated threats and at scale!

In the course of your discussions with a prospect, you may be confronted with objections. Here are a few popular ones
that we’ve heard.

Almost every security vendor incorporates AI into their solutions, so how is yours different?

You may need to distinguish between the different AI learning models, in particular between machine learning and
deep learning, also known as neural networks. The application of ML is typically used to improve the security efficacy
of a product, for example, augmenting threat intelligence by sandboxing. In contrast, neural networks are used to solve
more complex problems. In the case of FortiAI, it mimics a security analyst by identifying and classifying threats by
self-learning. This self-learning posture allows FortiAI to adapt to new threats and methods. Most importantly, it can
investigate threats on its own and identify patient-zero and subsequent compromised systems in milliseconds.
Collectively, it impacts all three domains—technology, process, and people.

Another common question is, can FortiAI replace my current sandbox or FortiSandbox solution? Or, is the AI found in
FortiSandbox the same as FortiAI?

You must emphasize that these devices are deployed for different use-cases and solve different problems.
FortiSandbox provides a zero-day defense and integrates with your inline security controls and forensics. However, it
cannot classify types of threats and it does not investigate them. In contrast, FortiAI is designed to detect, classify, and
investigate threats.

The FortiSandbox machine learning model is hosted in FortiGuard Labs, which is required to update FortiSandbox
deployments at regular intervals. While FortiAI can benefit from these updates, it is not necessary since the neural
network model is autonomous and continuously self-learns and adapts to the threat landscape.

The last common objection or question you might come across is: FortiAI is much more expensive than FortiSandbox.
Why is that?

The deep neural networks built in FortiAI require Graphics Processing Units (GPUs) to accelerate intensive algorithmic
calculations and to correlate the various sets of data. FortiAI Virtual Security Analyst is akin to an on-site FortiGuard
analyst investigating and responding to threats locally to that specific organization. What’s more, it continuously
improves itself in terms of accuracy and reduction of false positives as it is exposed to new threats. Because of this, it is
equivalent to hiring an experienced security analyst, who can demand a salary between 92,000 and 124,000 dollars.
However, FortiAI emulates not one, but several experienced security analysts.

In terms of AI security solutions in the industry, most are based on machine learning and not on more sophisticated AI,
such as the deep learning found in FortiAI. It is good to dig into marketing claims of other solutions and understand
their AI’s true purpose.

In general, many vendors recognize the huge processing needs for AI, thus they can choose to host their AI platform
either in the cloud or on-prem with dedicated hardware. Many have chosen the former, due to their existing AI
development stage or ease of AI application. FortiAI is revolutionary as it is the first of its kind—a customer premise
deep learning solution that adapts to the customer environment without sole reliance on cloud updates or
assistance.

The training stage of a common AI deployment takes two weeks or longer to learn the environment before the AI can
be productive. In contrast, FortiAI is productive on the first day that it is deployed because it comes pre-trained with
more than six million malware features.


FortiAI-3500F became available for sale in Q1 2020. The appliance is available with the FortiCare support bundle.

In Q3 2020, we introduced a FortiAI VM form factor that is based on a subscription model and embeds FortiCare
support in the SKU. It comes in two flavors—16 CPU and 32 CPU.


To recap,
• Organizations are turning to AI-based solutions because of pressure on an already overburdened SOC to investigate
every threat
• However, not all AI is the same. It is critical to differentiate between machine learning and deep learning, which is
designed to solve more complex problems
• FortiAI, which leverages the deep learning model, performs many duties of a SecOps analyst, such as identifying,
classifying, and investigating threats but with better performance and at larger scale


You should now be able to:


• Identify the business drivers and security challenges that customers currently face
• Describe the FortiAI key features, and
• Identify the sales strategies for, and competitive advantages of, FortiAI

Congratulations!

You’ve completed both lessons of the NSE 3 FortiAI course.



After you’ve studied this course, don’t forget to take its quiz. To earn your NSE 3 certification, you must pass the quiz
for at least four courses.

Thank you for your time.
