Fortinet Overview & Advanced Threat Protection Ecosystem
22/10/2015 VanRoey – Smals Supplier Event - Pullman Hotel Brussels Midi

Agenda
Introduction Fortinet
The Fortinet Security portfolio
Why Next Generation Firewalling? The multiple firewalling personalities
Advanced Malware Protection – The Fortinet Security Ecosystem
Changes in the threat landscape
0 day threats
The need for Sandboxing
A Global Leader and Innovator in Network Security
Fortinet Quick Facts
Global presence and customer base: Customers: 225,000+; Units shipped: 1.9+ million; Offices: 80+ worldwide
Platform advantage built on key innovations: FortiGuard: industry-leading threat research; FortiOS: tightly integrated network + security OS; FortiASIC: custom ASIC-based architecture; Market-leading technology: 196 patents, 162 pending
Founded November 2000, 1st product shipped 2002, IPO 2009. HQ: Sunnyvale, California. Employees: 3000+ worldwide. Consistent growth, gaining market share. Strong positive cash flow, profitable.
Ken Xie and Michael Xie founded the company (in America) on the principle that to successfully fight future threats, customers and security solutions will need to look deeper into the traffic (deep packet inspection). Combined with the fact that bandwidth requirements will always be increasing, this meant a new architectural design was needed for the firewall. From the beginning Fortinet products have used ASIC (FortiASIC) design to give the best performance at the lowest cost. In addition, home-grown security talent has meant tighter coordination and integration of the technologies needed to fight threats, and a faster response to threats. According to IDC, Fortinet is now ranked as the 3rd largest network security vendor. We are also one of the fastest growing vendors, with 33% growth in Q2 2014. Fortinet has managed its finances conservatively, making sure that while growing impressively there are plenty of resources available for future investments.
(Revenue and cash charts, 2003 to 2014. Based on Q4 and FY 2014 data.)
A Global Leader and Innovator in Network Security Balanced Revenue Across Product Segments 37% High-end Entry Level 26% Mid-range 9 of Top 10 Global 100 7 of Top 10 Global 100 Major Banks 7 of Top 10 Global 100 Computer Services 9 of Top 10 Global 100 Aerospace & Defense Billings by Product Segment Q1 2015
Fortinet’s Global Infrastructure Built To Support Enterprises Worldwide HQ & Development Center Dev. & Escalation Center Support Center FDN server sites Sales Office In-country Sales/Support 36% EMEA 43% Americas 21% APAC Built to serve truly global customers Follow-the-sun support Balanced revenue across regions proves it Revenue by Region, Q1 2015
#1 in Network Security Appliances Unit Share world wide Rethink Your Architecture
A Global Leader and Innovator in Network Security Fortinet’s Proven Advantages Accelerating your business FAST Custom ASICs radically increase throughput 5 – 10X other solutions Security is no longer a bottleneck Your critical information flows quickly, your users are satisfied Protecting your business SECURE Our own global threat research team + all in-house security technologies = rapid and coordinated response to threats Independently validated as highly effective vs. today’s advanced threats Simplifying your business GLOBAL Unmatched coverage for all deployment scenarios Converged networking and security, consolidated security functions One scalable and versatile security platform + one management console Global presence and infrastructure to support customers everywhere Faster deployment, lower admin burden, fewer security gaps… worldwide
Customer Challenge – Security: Stopping Today’s Advanced Threats
Today’s sophisticated threats are causing more damage than ever, and a growing set of security technologies is needed to stop them. Most security vendors outsource or lack critical pieces of the puzzle. Customers try to piece together a solution on their own.
(Threat timeline, 2000 to today, showing increasing damage and increasing performance requirements: hackers, intrusions, worms, viruses, spyware, botnets, spam, malicious URLs, malicious apps, advanced persistent threats. Security technologies shown: Firewall, VPN, IPS, Anti-Malware, Anti-Spam, Web Filter, App Control, Advanced Threat Protection; Layer 1-2 and Content & Application (Layer 3-7).)
“The Security Challenge - Stopping Today’s Advanced Threats”: Today’s sophisticated threats are causing more damage than ever. Most security vendors outsource or simply lack critical pieces needed to combat them. Businesses must try to piece together a solution on their own. (This slide/point is addressed by FortiGuard Advantage on a later slide.)
Fortinet Advantage – SECURE FortiGuard Labs Threat Research Large global threat research team located around the world Discovers new threats and delivers protective services across a rich array of in-house security technologies Updates are delivered instantly, 24x365 Independently validated as highly effective versus today’s threats Application Control Service Antivirus Service Intrusion Prevention Service Anti-spam Service Web Filtering Service Web Security Service Vulnerability Management Service Database Security Service The Fortinet Advantage Security – FortiGuard Labs Delivers Faster, More Effective Protection Our large global threat research team discovers new threats and delivers protective services across a rich array of in-house consolidated security technologies Updates are delivered instantly, 24x365 FortiGuard protection is independently validated as highly effective versus today’s threats IP Reputation Service + other threat intelligence sharing initiatives Global Fortinet Device Footprint
Fortinet Advantage – SECURE FortiGuard Labs Threat Research Per Minute 25,000 Spam emails intercepted 390,000 Network Intrusion Attempts resisted 83,000 Malware programs neutralized 160,000 Malicious Website accesses blocked 59,000 Botnet C&C attempts thwarted 39 million Website categorization requests Per Week 47 million New & updated spam rules 100 Intrusion prevention rules 2 million New & updated AV definitions 1.3 million New URL ratings 8,000 Hours of threat research globally Total Database 170 Terabytes of threat samples 17,500 Intrusion Prevention rules 5,800 Application Control rules 250 million Rated websites in 78 categories 173 Zero-day threats discovered Based on Q1 2015 data Image: threatmap.FortiGuard.com
Security is like an onion
It proves most effective when deployed in different layers
It makes you cry when not applied properly …
Fortinet security portfolio - Overview
(Diagram: FortiClient, FortiToken, FortiWeb in front of web servers, FortiDB in front of DB servers, FortiGate, FortiDDoS, FortiAuthenticator, public DMZ, FortiAnalyzer, FortiManager, admin, FortiSandbox, FortiMail in front of mail servers, LAN.) NOTE: change FortiDB for FortiADC!!
FortiDDoS: The first level of protection is FortiDDoS, which acts as an on-premise shock absorber for attacks coming from the Internet. FortiDDoS protects against every DDoS attack including bulk volumetric, Layer 7 application, and SSL/HTTPS attacks. FortiDDoS is a layer of defense at Layers 3, 4 and 7, versus other solutions that look at Layer 4 traffic. It is behaviour based and not signature based, which means it will look for “unknown” vulnerabilities. How it works: you let the equipment run for a week to “learn”, and it creates a baseline for all the different protocols. Based on that, FortiDDoS defines thresholds, adding some buffer (300%); those thresholds evolve over time. E.g. if the system learns there is a peak at the end of every month, it will adapt to that behaviour.
FortiGate: These technologies include firewall, VPN, intrusion prevention, application control, and web content filtering, all managed from a ‘single pane of glass’ management console. The FortiGate-1000C also includes additional security technologies such as antivirus/antimalware, antispam, vulnerability management, and WAN optimization, allowing you to consolidate stand-alone devices. Our firewall combines VPN, intrusion prevention (IPS) and antivirus on the inbound side and does application control + web content filtering on the outbound side. Application-aware firewall: enhancing visibility into application traffic, these products usually try to provide the following: Allow traffic shaping to limit bandwidth to non-priority applications such as YouTube. Control applications at a granular level, such as allowing Facebook Chat but blocking Facebook Video or disabling links in chat.
Provide URL filtering regardless of IP, port, SSL encryption, proxies, TOR networks and other evasion techniques. Scan application traffic for different threats such as viruses, malware, spyware and other exploits.
We can do both proxy-based and stream-based inspection; it depends on what’s needed. Proxy-based is much more accurate because it reconstructs the whole file; stream-based is faster because it looks at chunks of packets as they pass, but it is not as accurate. Proxy based vs stream based (50% accurate, ½ of the stuff is not scanned). SSL inspection. Our custom FortiASICs radically increase performance and scalability: critical network and content processing functions are offloaded from the CPU onto custom processors, eliminating security choke points. VDOMs.
FortiWeb: To protect specifically HTTP/HTTPS traffic. Web application firewalls are different in that they protect internal web applications from sophisticated application-layer external attacks. They provide both a positive and a negative security model and protect against the major threats to applications today – SQL injection, cross-site scripting, URL access, CSRF, injection attacks and more. Only web application firewalls, which are designed to compensate for insecure coding practices and focus on security flaws in applications, can protect against web application vulnerabilities such as SQL injection and cross-site scripting flaws.
FortiDB: FortiDB is the most comprehensive solution to secure, monitor and assess databases and applications such as ERP, CRM, SCM and custom applications. Organizations realize quick time-to-value with easy-to-install, out-of-the-box policies and regular updates from FortiGuard.
It addresses the following requirements: Assessment - discovers databases, discovers sensitive data, automatically builds usage baselines, scans databases for vulnerabilities and provides remediation advice. Database Activity Monitoring (DAM) - identifies suspicious database activities by privileged users or application users, alerts on data theft attempts. Data Loss Prevention - continuously monitors all access to Personally Identifiable Data (PID) residing in databases; blocks transactions which violate the alert policies. Automation of Auditing and Compliance - automates reports for internal controls, SOX, PCI, and other regulations. Change control - keeps track of all changes related to database structures (Data Definition Language - DDL) and users (Data Control Language - DCL). Virtualization - supports both virtualized and non-virtualized environments.
Databases supported: DB2 UDB V8 (VA only), DB2 UDB V9.x (VA only), DB2 UDB V9.1/V9.5/V9.7; MS SQL Server 2000/2005/2008/2008R2, MS SQL Server 2012 (DAM only); MySQL 5.1/5.5; Oracle 9i/10gR1/10gR2/11g; Sybase ASE 12.5 (VA only), 15.x
FortiMail: FortiMail has a unique architecture which does not rely on mail queuing as other solutions do: if mail is received and the destination is available, the message is scanned in real time and proxied to the destination without any queuing; only if the destination mail server is unavailable does the message get queued. This unique architecture delivers unprecedented performance and makes the solution scalable to ISP and carrier levels. FortiMail is designed to perform spam detection in both the inbound and outbound direction: inbound spam detection protects users; outbound spam detection is critical to protect the reputation of the network and domain.
FortiSandbox: Integrates with FortiMail & FortiGate. “Sandboxing” runs objects in a contained environment and assesses run-time, multi-stage activity to uncover previously unknown threats.
The goal of sandboxing is to completely replicate the behavior of malicious code. Ideally, the output in the sandbox should be identical to the output of the code if it was run in an end user’s environment. In practice, producing identical results is difficult because of the number of variables involved. It’s similar to trying to grow two identical plants from seeds; even slight variations in the amount of water, light, temperature and soil composition will produce different results. FortiSandbox allocates resources to Windows XP and Windows 7/8 virtual environments based on the current threat landscape.
FortiAuthenticator: Single sign-on. FortiAuthenticator is a centralised user authentication and management service providing various methods of validating the true identity of a user before allowing access to the requested service. Authentication methods include local LDAP and RADIUS or integration with an existing directory service. These methods can be supplemented with either time-based or certificate-based two-factor authentication. Development will see the FortiAuthenticator become the hub for user-based access control and management for the Fortinet portfolio.
FortiClient: Endpoint solution that includes an AV suite and VPN. Policies can be pushed to the client, and even when the PC or laptop is offline you can still apply URL policies & anti-virus. FortiClient V5.0 offers: New platform support – Mac, iOS, Android; Flexible control of central management (all settings, per-device, etc.); Remote provisioning; On-net / off-net protection.
FortiToken: FortiToken, for two-factor authentication. Maybe you want to reinforce that it is not only for remote users but also for administrators using critical applications internally.
FortiAP: FortiGate acts as a wireless controller, so you can implement the security in the AP and manage it centrally – for guest access, for example.
FortiManager provides global management, analytics and an orchestration connection to SDN platforms. Administrators can deliver consistent policies across all security devices, creating a faster, more robust response to threats with a lower administrative burden. Our integrated platform offers the flexibility to deploy what you need, where you need it, leading to a simpler, easier to maintain infrastructure.
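The behavioural baselining described for FortiDDoS in the portfolio overview above (learn a per-protocol baseline for a week, add a buffer, let thresholds evolve, and adapt to a recurring end-of-month peak) can be illustrated with the following Python sketch. This is an added example, not Fortinet code, and it does not describe how FortiDDoS actually computes its thresholds: the per-slot baselines, the reading of "300% buffer" as threshold = baseline + 3 × baseline, the EWMA adaptation and all traffic figures are constructed assumptions.

```python
from statistics import mean

# Assumptions (not FortiDDoS internals): a "300% buffer" is read as
# threshold = baseline + 3 * baseline, and baselines adapt by an EWMA.
BUFFER = 3.0
ALPHA = 0.2

# Constructed learning data: observed packets/second per protocol during the
# learning week, split into time slots so a recurring peak (e.g. month end)
# gets its own baseline instead of tripping the everyday threshold.
LEARNING = {
    "syn":  {"normal": [1200, 1100, 1300, 1250, 1150], "month_end": [3000, 3200]},
    "udp":  {"normal": [800, 850, 790, 820, 810],      "month_end": [900, 880]},
    "http": {"normal": [5000, 5200, 4900, 5100, 5050], "month_end": [9000, 9500]},
}


def learn_baselines(learning):
    """Per-protocol, per-slot baseline = mean rate seen during the learning period."""
    return {proto: {slot: float(mean(rates)) for slot, rates in slots.items()}
            for proto, slots in learning.items()}


def threshold(baseline):
    """Baseline plus the configured buffer (300% of baseline -> 4x)."""
    return baseline * (1.0 + BUFFER)


class RateDetector:
    def __init__(self, baselines):
        self.baselines = baselines

    def check(self, proto, slot, observed_rate):
        """Classify one measurement interval and, if it was normal, let the
        baseline drift toward what was seen so thresholds evolve over time."""
        base = self.baselines[proto][slot]
        thr = threshold(base)
        if observed_rate > thr:
            # Attack traffic must not be learned into the baseline.
            return {"verdict": "attack", "threshold": thr, "baseline": base}
        new_base = (1.0 - ALPHA) * base + ALPHA * observed_rate
        self.baselines[proto][slot] = new_base
        return {"verdict": "normal", "threshold": thr, "baseline": new_base}


def demo():
    det = RateDetector(learn_baselines(LEARNING))
    return [
        det.check("syn", "normal", 1500),     # busy but ordinary interval
        det.check("syn", "normal", 6000),     # above 4x the everyday baseline -> attack
        det.check("syn", "month_end", 6000),  # same rate in the month-end slot -> normal
        det.check("syn", "normal", 20000),    # SYN flood
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point of the slot-aware baseline is the third call: 6000 SYN/s is an attack against the everyday baseline but normal against the learned month-end one, which is the adaptation the slide describes. Attack intervals are deliberately excluded from the EWMA update so a sustained flood cannot train the threshold upward.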
Next Generation Firewalling Do more with less Reduce complexity Increase manageability Nowadays threats are complex, require an integrated approach Increase visibility Cost effective No miracle solution Consolidation is the answer
Customer Challenge – Complexity Too Many Point Solutions Over time, point solutions have been deployed in response to evolving threats Platforms vary across deployment scenarios Numerous management consoles Inconsistent policy and networking function Varying upgrade cycles Slow and porous response to threats Too many resources required to maintain Poor user experience, complaints Management SaaS Gateway Web Filtering WAN Acceleration VPN Application Control Firewall Advanced Threat Protection IPS “The Complexity Challenge – Security Has Become Too Complex” Over time, enterprises have deployed a mix of point solutions in response to evolving threats Platforms are different at the HQ edge, branch office, data center and cloud Numerous management consoles, inconsistent policies and functions, and varying upgrade cycles lead to a slow and porous response to new threats (This slide/point is addressed by FortiOS advantage on a later slide) Antivirus WiFi Controller
Customer Challenge – Added Complexity of Cloud/SDN Dynamic & Multi-vendor Network Environments Create More Security Gaps A large enterprise or service provider will support multiple hypervisor platforms No standard orchestration APIs for SDN implementations Enterprises are extending their infrastructure with the public cloud SaaS usage is up dramatically within enterprises Virtualization SDN Cloud (IaaS) Cloud (SaaS) XenServer NSX Hyper-V vSphere ACI
Carrier Class Firewall Distributed Enterprise Fortinet Advantage – GLOBAL Platform – multiple personalities FortiOS & Scalable High Performance Architecture Enable Deployment Across The Entire Enterprise Data Center/SDN Data Center Firewall (DCFW) 6 4 Carrier/MSSP/Cloud Cloud Firewall (CFW) Virtual Machine Firewall 5 Internal Network (Ultra Low Latency) Carrier Class Firewall (CCFW) 7 Internal Network Firewall (INFW) Boundary INTERNET 2 Mobile Users Client Firewall 8 1 Unmatched Coverage and Fit for All Deployment Scenarios FortiOS Enables Network & Security Convergence Next Gen Firewall + Advanced Threat Protection (NGFW + ATP) Distributed Enterprise & Small Business Enterprise Campus And Large Sites Unified Threat Management (UTM) 3
Fortinet Advantage - GLOBAL Platform FortiOS Enables Networking & Security Convergence, Security Consolidation Single management console Common platform across all size deployments Deploy what you need, where you need it Consistent, coordinated policy Consolidated infrastructure Faster and more robust response to threats, decreased risk exposure Lower admin burden, easier to maintain infrastructure Frees up IT resources to be reallocated to strategic projects Fewer user complaints Management Firewall VPN Application Control IPS Web Filtering Anti-malware WAN Acceleration Data Leakage Protection WiFi Controller Advanced Threat Protection SaaS Gateway The Fortinet Advantage Simplicity – FortiOS Enables Networking & Security Consolidation IT Managers can deliver consistent policies across all security devices, creating a faster, more robust response to threats with a lower administrative burden Our integrated platform offers the flexibility to deploy what you need, where you need it, leading to a simpler, easier to maintain infrastructure
Fortinet Advantage – GLOBAL Platform …continued Comprehensive Platform Extends to Cloud & SDN Four Key Pillars Scale-Out Elasticity for Hypervisors & Clouds Agile Platform Orchestration & Automation On-Demand, Utility-Based Security-as-a-Service Single Pane-of-Glass Across Hybrid Clouds
Unparalleled Independent 3rd Party Certification
(Table comparing Fortinet, Check Point, Cisco, Palo Alto Networks, Juniper and FireEye across: NSS - Firewall NGFW (Recommended & Neutral / Caution); NSS - Firewall DC; NSS - Breach Detection; NSS - WAF; NSS – Next Gen IPS; NSS - IPS (DC); BreakingPoint Resiliency Record (High - 95 vs Poor - 53); ICSA Firewall; ICSA IPS; ICSA Antivirus; ICSA WAF; VB 100; AV Comparative; Common Criteria; FIPS.)
Contains results from the latest published NSS Labs reports. X = did not participate, not certified.
NSS Labs Validates Our Advantage NGFW Fortinet is “Recommended” while top competitors are not X-axis = TCO per protected Mbps Y-axis = Security Effectiveness Upper right quadrant = “Recommended” Lower left quadrant = “Caution”
NSS Labs Validates Our Advantage NGIPS Fortinet is “Recommended” while top competitors are not X-axis = TCO per protected Mbps Y-axis = Security Effectiveness Upper right quadrant = “Recommended” Lower left quadrant = “Caution”
Advanced Threat Protection
Companies should be concerned
FACT: Prevention techniques sometimes fail, so detection and response tools, processes, & teams must be added
229 days: Average time attackers were on a network before detection
67%: Victims were notified by an external entity
You may have any number of excellent security technologies in place already in your organization – things such as firewalls, VPNs, authentication, antivirus, web filtering, IPS, and antispam. This is good and these solutions will prevent a lot of threats from ever impacting your organization. However, nothing is 100% and sometimes advanced attacks will find a way to get through these prevention techniques. You need to be ready to deal with these types of advanced targeted attacks. In recent breaches it took 229 days on average to detect an attack that had gotten onto the network after slipping past existing defenses. And 67% of the time the victim organizations only learned about the breach from an external entity. Clearly no organization wants to be part of this statistic. The goal behind advanced threat detection is to prevent what attacks you can and then, accepting that some things will get through, to reduce the time to find and detect an attack. And once you’ve identified an attack, reduce the time it takes to investigate and analyze the threat. Finally, with this intelligence in hand you can more quickly remediate any impact on your organization.
GOAL: Reduce time to find/detect incidents. Reduce time to investigate incidents. Reduce time to remediate incidents.
Crimeware and Crime Services Bank Accounts Quality Assurance Crypters / Packers Scanners Hosting Infections / Drop Zones Management Botnet Rentals Installs / Spam / SEO / DDoS Money Mules Accounts Receivable Consulting Credentials & Data CRIME SERVICES ENABLERS Digital Real Estate Criminal Organizations COMPOUNDED CYBERCRIME Victims Affiliates Partnerships Sales, Licensing, Maintenance Affiliate Programs FakeAV Ransomware Botnets Copy & paste Exploits Special Platforms Source Code Junior Developers Senior Developers CRIMEWARE PRODUCERS Packers Mobile
Server-side Attacks: Time to Protect Critical – surge in attacks while fresh
HeartBleed: 500,000 Web Servers Affected
ShellShock: Millions of Internet Connected Devices Affected
Trends More attacks More victims More organisation Higher returns
Problem: Growing Attack Surface
Problem: Growing Attack Vectors An Extensive, Poisoned, Dark, Deep Web
FortiGuard Minute Trends
Problem: Growing Malware Sophistication As malware defences improve, malware sophistication increases to match Constant “arms race”
Malware Signatures – the problem Easy way: file hashes Create a hash for each malicious file Fast for small numbers of files Does not scale! Only works for known files!
Problem: Polymorphism
Hash-based systems are very easy to bypass: a one-byte change completely changes the hash. This increases malware volume, increases search time and increases database volume. Techniques: polymorphism, encryption, NOPs, replacing lines of code, useless instructions.
(Slide shows a list of sample MD5 hashes:) 127ad2566845b2af57e2d2c72136dcd4 b4a7b23b5cb6909f7b38f24768d0e9f2 04a7affb86301095cc23deb9b014f2fd 5969671b9361aa0509e9989c780d14f5 55bda387b94e7256830a722da44bce1b 3d18ea8bb288e54e4ea3c129b40bf24b 1352033a8ded02ad3fb3de82d564216c f0f4a699f4eeab5ab944142abda39eff 9f48679d9c8fd3b1136fdec8e4e02d15 75b138a918f8a1301b53097138c05c7d d91b31d86b7e280718e26a13a27277a3 d769176ca8a81c252c5a6e08bf8b7fd3 302342ed08aaea7d353a85ff43ab2d3c cfac6385a0cdd5f09b2e38c833c93c9d 5ae8c55fbc7b8f5bafa1af1675478cba 1af8e09e41fc850e15ffc4ea0be68c21 ce1ff097a3f0afec3bd5c5f0fb57cfda 80f27e4d562dc4f55e38f4088251e83c bf6ba9baa2e0dcb8d175a4ff594dccd9 2d3003eac7e1b2bf70587f4a7531f927 32e982f6f82812e53f38a916c1721b30
Content Pattern Recognition Language (CPRL) – patented Fortinet technology
Week ending | New samples received | Already detected by CPRL | CPRL effectiveness
12/10/2014 | 2014166 | 851004 | 42%
12/3/2014 | 1821935 | 737431 | 40%
11/26/2014 | 1652524 | 993257 | 60%
11/19/2014 | 2090046 | 1193079 | 57%
50% of new malware caught by CPRL
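To show concretely why a hash blacklist fails against the polymorphism tricks listed on the previous slide (a one-byte change, inserted NOPs) while a content pattern survives them, here is an added Python example. It is not Fortinet code and does not implement CPRL: the byte-pattern regex is a simplified stand-in for a pattern language, and the "sample" is a constructed, benign byte string, not malware.

```python
import hashlib
import re

# Constructed, benign stand-in for a file body (NOT malware): a header, some
# padding, a short prologue-like byte run and a callback string.
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\x55\x8b\xec\x83\xec\x10"
    + b"http://example.invalid/update.php"
    + b"\x00" * 8
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def flip_one_byte(data: bytes, index: int) -> bytes:
    """Polymorphism trick 1: change a single byte (here inside header padding)."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def insert_nops(data: bytes, at: int, count: int) -> bytes:
    """Polymorphism trick 2: pad with useless instructions (x86 NOP = 0x90)."""
    return data[:at] + b"\x90" * count + data[at:]


# Blacklist approach: one exact hash per known file.
BLACKLIST = {md5_hex(ORIGINAL)}


def hash_blacklist_detects(data: bytes) -> bool:
    return md5_hex(data) in BLACKLIST


# Pattern approach (simplified stand-in for a pattern language, not CPRL):
# the prologue bytes, then up to 64 arbitrary bytes, then the callback host.
PATTERN = re.compile(rb"\x55\x8b\xec\x83\xec\x10.{0,64}?example\.invalid", re.DOTALL)


def pattern_detects(data: bytes) -> bool:
    return PATTERN.search(data) is not None


def hex_diff_fraction(h1: str, h2: str) -> float:
    """Fraction of hex digits that differ between two digests."""
    return sum(a != b for a, b in zip(h1, h2)) / len(h1)


VARIANTS = {
    "original": ORIGINAL,
    "one_byte_flipped": flip_one_byte(ORIGINAL, 5),  # byte 5 is header padding
    "nops_inserted": insert_nops(ORIGINAL, 16, 7),   # NOPs before the prologue
}


def compare(variants=VARIANTS):
    """For each variant: (caught by hash blacklist?, caught by pattern?)."""
    return {name: (hash_blacklist_detects(v), pattern_detects(v))
            for name, v in variants.items()}


if __name__ == "__main__":
    base = md5_hex(ORIGINAL)
    for name, (by_hash, by_pattern) in compare().items():
        h = md5_hex(VARIANTS[name])
        print(f"{name:18} md5={h} differs={hex_diff_fraction(base, h):.0%} "
              f"hash_blacklist={by_hash} pattern={by_pattern}")
```

Running it shows the two mutated variants each get an MD5 that differs from the original in most hex digits, so the blacklist misses both, while the pattern still matches because it keys on what the code does (the prologue followed by the callback host) rather than on its exact bytes. That is the trade the slides describe: a hash database grows by one entry per variant, a pattern covers the family.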
Malware? Goodware? I don’t knowware? The Continuum
Code continuum: Known Good – Probably Good – Might be Good – Completely Unknown – Somewhat Suspicious – Very Suspicious – Known Bad
Security technologies along the continuum: Whitelists; Reputation: File, IP, App, Email; Signatures; Digitally signed files; Sandboxing; Heuristics; Reputation: File, IP, App, Email; Generic Signatures; Blacklists; Signatures
Here’s another way to look at how threats can get through security. Our industry has done a great job over the years of creating new techniques to identify and classify code. We have tried and true techniques to identify code that is known to be good and code that is known to be bad – whitelists and blacklists, for example. We have good techniques to identify code that is probably good or probably bad – using heuristics, generic signatures, and file reputation. And if you don’t mind the occasional false positive, these techniques can be used to identify code that might be good or is only somewhat suspicious. The area that’s been the biggest challenge for security is how to identify code that we know nothing about. In order for most security approaches to work, there must be something about the code that is already known. For years security research teams have used sandboxing in the lab to identify and analyze new threats. It’s only in recent years that it’s become practical to put sandboxing into commercial use. So now, any organization can get the advantage of sandboxing to evaluate unknown code in a safe environment and see whether it reveals itself to be suspicious or malicious.
Break the kill chain of an Advanced Threat with Sandboxing Anti-spam Web Filtering Intrusion Prevention Antivirus App Control/ IP Reputation Spam Spam Malicious Email Malicious Link Malicious Link Exploit Exploit Malicious Web Site Malware Malware Command & Control Center Here’s how the addition of sandboxing changes the protection game in an enterprise. It’s still a very good idea to have all those traditional preventative techniques in place. They are the fastest, most efficient way to prevent attacks from ever getting into your organization. However, by adding sandbox to back up these techniques you now have the chance to catch all those threats that can slip by because it is unknown by your preventative techniques such as antispam, IPS, AV, etc. And once your sandbox has analyzed a threat, you get useful insights that can be used to mitigate the threat. Both by remediating any exposure to it you may have had and by using that new threat intelligence to improve the preventative technologies you have in place. Bot Commands & Stolen Data Bot Commands & Stolen Data
FortiSandbox – 5 Steps to Better Performance
(Slide: AV Prefilter → Cloud File Query → Code Emulation → Full Virtual Sandbox → Call Back Detection.) 1. Apply top-rated anti-malware engine. 2. Check community intelligence & file reputation. 3. Quickly simulate intended activity – Fortinet patented CPRL, OS independent & immune to evasion – high catch rate. 4. Examine real-time, full lifecycle activity in the sandbox to get the threat to expose itself. 5. Identify the ultimate aim, call back & exfiltration; mitigate w/ analytics & FortiGuard updates. First 3 steps detect 80% of malware within 60 seconds!
However, sandboxing is resource and time intensive. It takes time to let a file run so you can analyze its behavior. Fortinet’s FortiSandbox solution is architected to optimize both security effectiveness and speed to results. It is not simply a sandbox; it uses a multi-step approach to evaluate and analyze objects, starting with the most efficient technologies and stepping up to more resource-intensive approaches as needed. FortiSandbox goes through 5 steps. Step 1: objects are run through Fortinet’s top-rated AV engine. This AV prefilter uses a larger, more extended threat database from FortiGuard Labs in order to catch more variants and older variants of malware. Step 2: FortiSandbox performs a cloud query to see if this file has been previously identified (in some systems this is referred to as a file reputation check). Step 3: the code is put through a simulator and Fortinet’s patented Compact Pattern Recognition Language is used to analyze the code to see if any malicious or suspicious patterns can be identified. Steps 1 through 3 are typically performed in just a few seconds. On average these three steps are able to identify over 60% of threats. Step 4: the code is placed in a full virtual sandbox environment and allowed to run. The behavior lifecycle of the code is observed and if the object is malicious, it will expose itself. Step 5: the activity in the sandbox is analyzed to identify whether it is malicious or suspicious and the activity is documented.
The object is assigned a risk rating and is then reported out. New findings from this analysis can be shared with FortiGuard Labs in order to create new security updates and improve the extended FortiGuard security ecosystem.
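The staged escalation just described (cheap checks first, full VM execution only when the earlier stages cannot decide, observed behaviour scored into a rating) as a Python sketch. This is an added example, not FortiSandbox code: the stage functions, per-stage costs, behaviour weights, placeholder digests and the constructed sample set are all assumptions, and the static and VM stages are simulated by fields on the sample rather than by real scanning.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed placeholder digests; not real indicators.
KNOWN_BAD_DIGESTS = {"sha256:constructed-known-bad-0001"}

# Weights for behaviours observed during the (simulated) VM run. Assumed values.
BEHAVIOUR_WEIGHTS = {
    "persists_via_autorun": 2,
    "disables_security_tool": 3,
    "beacons_to_unrated_host": 3,
    "encrypts_user_documents": 5,
}


@dataclass
class Sample:
    name: str
    digest: str
    reputation: Optional[str] = None            # simulated cloud query result
    pattern_hits: int = 0                       # simulated static scan matches
    behaviours: List[str] = field(default_factory=list)  # simulated VM observations


def stage_av_prefilter(s: Sample) -> Optional[str]:
    return "malicious" if s.digest in KNOWN_BAD_DIGESTS else None


def stage_cloud_query(s: Sample) -> Optional[str]:
    return s.reputation                         # "clean", "malicious" or None (unknown)


def stage_code_emulation(s: Sample) -> Optional[str]:
    return "malicious" if s.pattern_hits >= 2 else None


def stage_full_sandbox(s: Sample) -> str:
    """Last resort: score what the object did when run; always yields a verdict."""
    score = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in s.behaviours)
    if score >= 5:
        return "malicious"
    if score >= 2:
        return "suspicious"
    return "clean"


# (name, assumed cost in seconds, function), ordered cheapest first.
STAGES = [
    ("av_prefilter", 0.1, stage_av_prefilter),
    ("cloud_query", 0.5, stage_cloud_query),
    ("code_emulation", 2.0, stage_code_emulation),
    ("full_sandbox", 120.0, stage_full_sandbox),
]
CHEAP_STAGES = {"av_prefilter", "cloud_query", "code_emulation"}


def analyse(sample: Sample) -> dict:
    """Run stages in order and stop at the first one that returns a verdict."""
    elapsed = 0.0
    for name, cost, fn in STAGES:
        elapsed += cost
        verdict = fn(sample)
        if verdict is not None:
            return {"name": sample.name, "verdict": verdict,
                    "decided_by": name, "seconds": elapsed}
    raise AssertionError("full_sandbox always returns a verdict")


def cheap_stage_fraction(results) -> float:
    """Share of objects resolved without a full VM run."""
    return sum(r["decided_by"] in CHEAP_STAGES for r in results) / len(results)


# Constructed sample set covering each exit point of the pipeline.
SAMPLES = [
    Sample("invoice.exe", "sha256:constructed-known-bad-0001"),
    Sample("setup.msi", "sha256:constructed-0002", reputation="clean"),
    Sample("report.scr", "sha256:constructed-0003", pattern_hits=3),
    Sample("macro.docm", "sha256:constructed-0004",
           behaviours=["persists_via_autorun", "beacons_to_unrated_host"]),
    Sample("notes.pdf", "sha256:constructed-0005"),
]


def run_all():
    return [analyse(s) for s in SAMPLES]


if __name__ == "__main__":
    results = run_all()
    for r in results:
        print(f"{r['name']:12} {r['verdict']:10} by {r['decided_by']:15} after {r['seconds']:.1f}s")
    print(f"resolved by cheap stages: {cheap_stage_fraction(results):.0%}")
```

The design point is that early stages return None rather than "clean": an unknown file is never declared safe by a cheap check, it is escalated, so the full sandbox only ever sees what nothing else could decide.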
Independent third-party tested & validated! Top Rated Sandbox Top-rated Breach Detection (NSS Labs Recommended) 99% detection Results delivered w/in 1 min most of the time Independent third-party tested & validated! Fortinet also participates in NSS Labs testing for NGFW and Breach Detection Systems. These are the results of the Breach Detection Systems industry tests in 2014. As you can see in the chart, Fortinet tested high for effectiveness and well for performance and value, detecting 99% of threats and delivering results in under 1 minute the majority of the time. The vertical axis shows the security effectiveness results from the test and the horizontal axis shows the performance/value results. Fortinet’s FortiSandbox fell into the upper right quadrant in results and thus earned a Recommended rating from NSS Labs.
New in FortiSandbox 2.0 - Detecting Even More Attacks
Now includes full sandboxing w/ licenses for Windows, MS Office, IE. Now follows URLs to scan objects. Now inspects network file share locations. Now exports to 3rd party scan tools. Integrated with FortiGate: provides SSL inspection; fewer sandboxes needed – 1 sandbox supports multiple FortiGates (ingress/egress points); FortiSandbox Cloud service integrated with FortiGate offers quarantine feature. (Diagram: network traffic passes FortiGate, which hands objects to FortiSandbox.)
Fortinet recently released FortiSandbox 2.0. This new release adds some additional detection capabilities including full licenses for Windows, IE, and MS Office with each sandbox. Most other sandbox solutions don’t come with licenses for the environments they run in the sandbox – they leave licensing up to the end customer, which can be legally tricky since most EULAs don’t give permission for software to be used in this way. FortiSandbox scans network traffic. It can do this as a standalone solution or as an integrated solution combined with FortiGate. It can also be used to do on-demand scanning. With 2.0 you can submit URLs to FortiSandbox to be scanned for malicious objects. And FortiSandbox 2.0 can be set up to scan network file share locations. It is also able to export objects so they can be submitted to another 3rd party scanning tool. FortiSandbox is even more efficient when deployed with Fortinet’s NSS Labs Recommended FortiGate Next Generation Firewall. The FortiGate performs SSL inspection and acts as a prefilter for FortiSandbox. Plus a single FortiSandbox can be connected to multiple FortiGates, making it possible to protect multiple ingress/egress points in your network with a single sandbox appliance. In addition to being an on-premise appliance, FortiSandbox can also be purchased as a cloud service integrated with the FortiGate firewall.
The latest FortiSandbox Cloud integrated service in conjunction with FortiGate also includes the ability to quarantine devices that may have been impacted by identified threats – speeding up any remediation action necessary to contain those threats.
Stop Malicious Emails: FortiSandbox, FortiGate, FortiMail Clean emails delivered to mail servers. Outgoing email also inspected Reputation, behavior and other analysis performed by FortiMail. At risk messages held for additional FortiSandbox analysis. Internet Inspected Emails Network Traffic FortiMail for Email Inspection Blocks known threats Holds high risk messages for Sandbox rating Simplified deployment 1 sandbox supports multiple FortiMail FortiSandbox for Payload Analysis Detects unknown threats Provides threat intelligence for mitigation Ultimately results in updated FortiGuard Security Services Email Traffic Feedback to FortiMail Sandbox Inspection Feedback to FortiGuard Full NGFW inspection performed on FortiGate. At risk objects sent to FortiSandbox A FortiSandbox appliance integrates with FortiGate for more efficient processing of threats, to protect multiple ingress/egress points and for SSL inspection. It also integrates with FortiMail to provide preventative protection against email-borne threats. Unlike with network traffic, email traffic is a store and forward system so it is generally okay to introduce a small amount of latency into the system. Because of this, you can use FortiMail with FortiSandbox and FortiGate to prevent advanced threats in email from ever reaching the end user. With this simple integration, at risk email traffic is sent to FortiSandbox and held until it has been analyzed. If a suspicious or malicious item is found by FortiSandbox, that email can be blocked from ever being delivered. FortiSandbox prefilters, executes, analyzes and feeds back to FortiMail and FortiGuard.
The Details - New Advanced Threat Protection Framework: Integrated Solutions for Better Protection

Prevent (Known Threats) – FortiGate, FortiMail & everything that can enforce a security policy:
- Reduce Attack Surface
- Inspect & Block Known Threats

Detect (Unknown Threats) – FortiSandbox & everything that is behavior based:
- Identify Unknown Threats
- Assess Behavior & Identify Trends

Mitigate (Response) – FortiGuard teams and automation:
- Identify scope
- Mitigate impact

Hand offs between the stages: High risk items (Prevent to Detect), Ratings & results (Detect to Mitigate), Security updates (Mitigate to Prevent).

Speaker notes: There is no "silver bullet" to protect organizations against all advanced targeted attacks. There is too much rapid innovation happening in cyber crime for any single approach to be the solution. The most effective defense is a cohesive, integrated solution. The Fortinet Advanced Threat Protection Framework provides a guide to building a more effective layer of protection – one that is continually improving. This cohesive ATP solution includes: technologies to prevent known threats from getting into an organization, technologies to detect that which is unknown and cannot be stopped by traditional preventative measures, and the ability to mitigate threats through remediation and security updates aimed at continually improving the preventative technologies already in play. It sounds simple, but it can be difficult to create this with just a collection of point solutions.

In the case of the Fortinet solution, FortiGate NGFW and UTM technologies and FortiMail email security work to prevent threats from impacting an organization through IPS, web filtering, AV, IP reputation, antispam, application control and VPN functions. FortiAuthenticator also helps to control access to the network, and FortiClient can help protect endpoints. FortiGate and FortiMail integrate with FortiSandbox to hand off high risk items for deeper analysis with the aim of detecting advanced new and evasive threats. FortiSandbox identifies and analyzes threats and gathers information that can then be used to mitigate attacks – either through automated mitigation leveraging direct integration with FortiGate or FortiMail, or through security updates from the FortiGuard Labs research team that feed back into the greater Fortinet security solution ecosystem.
Detect to Mitigate to Prevent: A continuous cycle of improvement (Detect, Mitigate, Prevent)

Detection and analysis – sandbox object behavior analysis & details:
- Suspicious activity: privilege modification, file creation, modification & deletion
- Malicious activity: initiated traffic, encrypted traffic, DNS query
- File names, URLs, IP addresses

Immediate Remediation:
- Block email sender IP from delivering any other messages to employees
- Prevent communication with this command & control
- Quarantine recipient devices
- Confirm compromise and remove malicious files

Updates to Preventative Security:
- Updated IP sender reputations
- New web site ratings used for web filtering
- New IPS rules and botnet detection to block command and control traffic
- Updated anti-malware detection for this and similar attachments

Speaker notes: By implementing an Advanced Threat Protection Framework, the process of learning, remediating and improving security follows a natural flow. In the Detection and Analysis phase the sandbox identifies suspicious activities such as privilege modification and file creation or deletion, as well as known malicious behavior such as initiated network traffic or DNS queries. The sandbox can learn details from its analysis in the form of file names, URLs, IP addresses and more that can be used in remediation and added to security updates. With the details of an attack from FortiSandbox, including its source and destination, it is much easier to instigate immediate remediation activities such as blocking an email sender IP from sending more messages to employees, preventing communications with known command & control addresses, and quarantining compromised devices within the network to prevent the spread of malware. Finally, the threat information learned by the sandbox has multiple uses. Malicious IP addresses and URLs identified can be added to web filtering and IP reputation lists. File characteristics can be used to create new IPS rules and anti-malware signatures. All of this feeds into security updates to improve the protection delivered by all the solutions in the framework.
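The loop on this slide (sandbox behaviours rated into a verdict, the verdict turned into remediation actions, and the indicators fed back into the preventative layer) is shown below as an added, constructed example. It is not FortiSandbox code and does not use the FortiSandbox report format or any Fortinet API; the SandboxReport structure, the behaviour weights and thresholds, and the shape of the remediation and update records are all assumptions made for illustration.

```python
"""Toy model of the detect -> mitigate -> prevent cycle (constructed example)."""
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Behaviour categories from the slide. The weights are an assumption of this
# example, not a FortiSandbox scoring scheme.
SUSPICIOUS_WEIGHTS = {
    "privilege_modification": 2,
    "file_creation": 1,
    "file_modification": 1,
    "file_deletion": 1,
}
MALICIOUS_WEIGHTS = {
    "initiated_traffic": 3,
    "encrypted_traffic": 2,
    "dns_query": 2,
}
MALICIOUS_THRESHOLD = 4   # assumption: score at/above this plus a malicious behaviour
SUSPICIOUS_THRESHOLD = 2  # assumption: score at/above this is worth a human look


@dataclass
class SandboxReport:
    """Hypothetical stand-in for a sandbox verdict; not a real report format."""
    sample_name: str
    sha256: str
    behaviours: list
    sender_ip: str
    contacted_ips: list = field(default_factory=list)
    contacted_urls: list = field(default_factory=list)
    recipients: list = field(default_factory=list)


def rate(report):
    """Return (verdict, score) from the observed behaviours (detection phase)."""
    score = sum(SUSPICIOUS_WEIGHTS.get(b, 0) + MALICIOUS_WEIGHTS.get(b, 0)
                for b in report.behaviours)
    has_malicious = any(b in MALICIOUS_WEIGHTS for b in report.behaviours)
    if has_malicious and score >= MALICIOUS_THRESHOLD:
        return "malicious", score
    if score >= SUSPICIOUS_THRESHOLD:
        return "suspicious", score
    return "clean", score


def _valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def immediate_remediation(report):
    """Mitigation actions mirroring the slide's 'Immediate Remediation' column."""
    actions = []
    if _valid_ip(report.sender_ip):
        actions.append(("block_sender", report.sender_ip))
    for ip in report.contacted_ips:
        if _valid_ip(ip):
            actions.append(("block_c2", ip))
    for host in report.recipients:
        actions.append(("quarantine", host))
    actions.append(("remove_file", report.sha256))
    return actions


def security_updates(report):
    """Indicators fed back to the preventative layer ('Updates to Preventative Security')."""
    bad_ips = sorted({ip for ip in [report.sender_ip, *report.contacted_ips] if _valid_ip(ip)})
    return {
        "ip_reputation": bad_ips,
        "web_filter": [(url, "malicious") for url in report.contacted_urls],
        "ips_botnet_rules": [f"block traffic to {ip}" for ip in report.contacted_ips if _valid_ip(ip)],
        "antimalware": [report.sha256],
    }


def process(report):
    """Run the whole cycle; clean samples produce no actions or updates."""
    verdict, score = rate(report)
    if verdict == "clean":
        return {"verdict": verdict, "score": score, "remediation": [], "updates": {}}
    return {
        "verdict": verdict,
        "score": score,
        "remediation": immediate_remediation(report),
        "updates": security_updates(report),
    }


# Constructed sample: an attachment that escalated privileges, dropped a file,
# resolved a name and beaconed out. Addresses are documentation ranges.
SAMPLE_REPORT = SandboxReport(
    sample_name="invoice.doc",
    sha256=hashlib.sha256(b"constructed sample payload").hexdigest(),
    behaviours=["file_creation", "privilege_modification", "dns_query", "initiated_traffic"],
    sender_ip="203.0.113.10",
    contacted_ips=["198.51.100.7"],
    contacted_urls=["http://c2.example.net/gate"],
    recipients=["ws-finance-07"],
)

if __name__ == "__main__":
    print(process(SAMPLE_REPORT))
```

The point the slide makes, and the example makes concrete, is that one sandbox verdict yields two different outputs: a set of immediate, scoped actions (sender, C2, recipients, file) and a set of durable indicators that improve the preventative controls for every future sample.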
FortiSandbox Platform Options

Product            | Form                                        | VMs
FortiSandbox Cloud | Cloud service integrated with FortiGate     | NA
FortiSandbox VM    | Virtual appliance                           | 2+
FortiSandbox 1000D | Physical appliance                          | 8
FortiSandbox 3000D | Physical appliance                          | 28

Speaker notes: You have your choice of platform for FortiSandbox. It is available as a physical or virtual appliance. There are two physical appliance options, the 1000D with 8 VMs and the 3000D with 28 VMs, and the highly flexible virtual appliance that scales from as few as 2 VMs up to 56 VMs. For organizations that may not want to manage an on-premises solution, there is the FortiSandbox Cloud service, available as an integrated option on the FortiGate.

There are pros and cons for both the cloud and appliance options. FortiSandbox Cloud may be easier to add to an existing FortiGate installation. It can process an unlimited number of files/hour, but because it is a cloud service it may introduce some latency. The cloud service is only available as an integrated solution with FortiGate. FortiSandbox appliances may deliver results faster and they do not send files to the cloud for analysis, but they also require some additional hardware management and have limits on the number of files they can process per hour. Appliances can be deployed as standalone solutions, in a lab for on-demand analysis, or as an integrated solution with FortiGate. Fortinet believes it benefits customers to give them the flexibility to choose the platform they want.
Flexible Appliance Deployment Modes

- Integrated Mode – Ideal for centralized gateway with inline protection: Headquarters (Enterprise Core)
- Standalone Mode – Ideal for scalable requirements: Data Center
- Distributed Mode – Ideal for protection in distributed environment: Branch Offices (Distributed Enterprise)

Flexible Deployment Options:
- Offers the most suitable implementation depending on requirements and infrastructure
- Protects the investment by allowing different deployment modes as requirements change
- Fully automatic mitigation and blocking with the addition of FortiMail to FortiSandbox

Speaker notes: FortiSandbox appliances can be deployed in a number of ways. They can be placed in specific locations such as a datacenter or a security-sensitive location in an organization in standalone mode, where they scan all files for threats. FortiSandbox can be integrated with FortiGate to provide central gateway protection; in this configuration, FortiGate provides SSL inspection and prefiltering for FortiSandbox. In a distributed enterprise a single FortiSandbox can support multiple FortiGates, so you do not need to install a FortiSandbox at every ingress/egress point to get advanced threat protection at the enterprise edge – making this a very cost effective architecture. Integrate FortiMail with FortiSandbox and FortiGate and you get the benefits of using sandboxing to identify email-based advanced threats and the ability to block those threats from ever being delivered.
FortiSandbox Top Three Things: Better Protection, Best Price/Performance, Flexible Deployment

- NSS Labs Recommended: 99% effective / detection in 1 min
- Standalone or integrated deployment
- Fewer boxes needed: SSL inspection with FortiGate
- Appliance, VM or cloud service
- Top rated VB RAP anti-malware prefilter
- Option to cover multiple Ingress/Egress with integrated FortiGate/FortiMail
- Key element of cohesive Advanced Threat Protection Framework
- AV scan, file reputation cloud query & code emulation speeds results

Speaker notes: With FortiSandbox you get better protection, flexible deployment, and the best price/performance solution. Fortinet is a security company first and foremost and has years invested in building security solutions that consistently receive top ratings from independent industry test houses. FortiSandbox is Recommended by NSS Labs and showed 99% effectiveness, delivering results in under 1 minute most of the time in their tests. The AV engine in Fortinet solutions consistently performs among the highest in the VB100 Reactive and Proactive (RAP) virus tests. FortiSandbox uses a layered approach to detecting advanced threats to maximize both speed and effectiveness.

Fortinet offers choice and flexibility, so you get the platform you want in the deployment model you need with FortiSandbox. FortiSandbox integrates with FortiGate, FortiMail and FortiGuard to perform a key function within the Fortinet Advanced Threat Protection Framework. FortiSandbox appliances are flexible, can be used in multiple deployment models, and can be changed if circumstances change. Integration with FortiGate delivers SSL inspection, and the ability to support multiple FortiGates enables FortiSandbox to protect multiple ingress/egress points in the network with a single appliance. Secure your organization against advanced targeted attacks by adding FortiSandbox.
Learn more about FortiSandbox and try out the product demo online at www.fortinet.com, or talk to your security partner about testing a FortiSandbox in your organization.

FortiSandbox - The Best Choice for Advanced Threat Protection