Fortinet, Inc. (FTNT)

Investor & Analyst Day 2021

Mar 9, 2021

Speaker 1

Hello, everyone. Welcome to the 2021 edition of Accelerate. This is our 2nd digital edition as we unfortunately still can't travel together and make in person. However, the number of recession and attendees today show that you continue to be highly engaged with us and I want to thank you all for that. Over the year, we have greatly accelerated our business momentum together.

And last year was no exception beside the major challenge we have all faced. We are in a situation to accelerate more than ever to enable together with our partner the massive digital transformation you are going through. 2021 is about capitalizing on the strength of our vision, platform, our investment and deliver an unprecedented level of growth and put all of us in a leadership. 2020 operated both as a catalyst and as an accelerator of the key trends that are reshaping the digital world. Let's take a look of the 4 key marker of these accelerations.

All sources of information highlights a very strong acceleration of the digital transformation investment. As you can see, a 44% growth between 2019 and 2021, reaching EUR 426,000,000,000 spending. And we do see that the investment on transforming economy and corporate leveraging digital technology will continue to move forward beyond 2021. Let's take another look of the key market. Home working, the global pandemic gave a very serious boost of the home working. Before the pandemic, Forecast was about 30% working in 2023 as Fannie Mae brought home working income to norm in a couple of weeks. If you look at the Google search, the whole market world alone and search was about 200%. We do see as we move forward after pandemic that a portion of home worker will still stay, a higher portion than previous pandemic. So the transformation of our work practice will probably stay for the long term.

In 2020, the investment growth in 5G reached new level, 96% in terms of growth, reaching SEK8.1 billion, mostly in the service provider and telco space. But enterprise also, they're all being on speed, but they're also looking for the low latency value and the high flexibility that 5G will provide. We do see emergence of new applications, self-driving car, remote surgery, immersive game changing application while you're on the go. Many, many more coming. It's just the beginning of this revolution where 5G will deliver high speed whatever you are.

Cloud computing market has also grown at a very nice rate, about 18% during 2020 and is planned to reach €436,000,000,000 this year. Definitely, adoption of those new approach on leveraging public cloud provider and cloud computing will stay and will represent a significant area of the digital transformation. It's also an area where we have to look about the security. Now all of this transformational domain come with their share of risk. The digital transformation increased the attack surface in 3 area.

New age are emerging. New application are making our world more exposed. New ecosystem are being defined. All creating new weak points for data links. Home working definitely save our economy during the pandemic, but consequently connected more non professional device, home router and family grade equipment for business critical application.

5G bring a new world application, but the high speed and the low latency make the security a new challenge. And cloud computing increased the risk of data leaks, privacy breaches and potential failure to comply. So all organization had to face this accelerated evolution of the additional business. And sometime we are put in a very reactive position looking for the right security solution to help solve those rising issue. And Fortinet was the right vendor to turn to, allowing us to deliver together another year of growth.

2020 was another very successful year, providing the confirmation that our vision and our execution was right. As you can see, we reached for the first time more than EUR 3,000,000,000 in billing. But while growing at double digit, we also been able to generate very healthy and profitable business, which allows us also to look for a future with all the necessary financial asset that is required. The operating margin was also generating at a high rate, which provides us, of course, the way to invest more. And we did during 2020 again.

We spent about €340,000,000 in R&D. Innovation will drive future success. So that's part of the DNA of Fortinet. We also invested on capacity, on people, both from an R&D, but support, but as well on the sales, as you can see, we added Iqamu sales capacity to better provide you value and services about 30%. We also as we have a very successful sales model leveraging the channel launched last year on a new program called Engage.

And I will be pleased to share some of the new initiatives coming today. And then continue to, of course, solidify the technology and the expertise that we need to cover all aspects of your security challenges. We did acquire 2 nice companies that was completing, in fact, our strength in term of network security. But this would, in fact, both from a growth and from an investment perspective in a very strong position. As you can see, we serve all market segments.

So we are now fully aligned to really provide the best value for each of you, whatever the market segment you are based. And what is also very interesting as we are almost exiting from this pandemic with a bit more hope as we speak, the downturn of our GDP last year, which was about minus 3.5 worldwide, will come to a positive GDP growth of 5.5% in 2021. So this is a 9% shift and that will happen in the quarter over quarter. So be ready, as you can see, 2022 also is expecting to gain a high growth in terms of worldwide GDP. So be ready for acceleration.

Let's look at other key area of the investment, which are essential for the acceleration of China. Our sales strategy from day 1 rely on China, a trusted long term relationship. And last year, as I highlighted, we launched the new Fortinet partner program called Engage. And now is the Phase 2 of this program. The Phase 2 come with new specialization that address the market requirement such as OT specialization, Zero Trust architectures and the security operation.

It's also come with a much more easy way to do business with us. It also coming with a completely new revamped cloud channel program. So more to come during the breakout session, but I'm sure you'll be very excited as I am on launching this program. It's also about skill and knowledge. As you know, we are facing this global skill shortage.

So the successful LHC program that we launched has also helped on, of course, providing value and transferring value to you, our partner and to you our customer. With more than 5,000 certified engineer worldwide and during pandemic we had about 800,000 recession to acquire expertise leveraging our NSE certification. And as you know, we have been providing for free access to several level of this NSE certification. So part of the great program that we are providing and of course engagement with you, partner and customer. We are very happy with the evolution of this certification program.

Together with our partner, we are ready. And now let's take a look at what is coming to us. So first, look at about the success. Why we are altogether very successful answering all the challenge we are facing. Success do not happen by chance.

Let me share with you few fundamental reasons of the massive adoption of our solution. It starts with the vision, 10 vision. The conversion of network and security, which was in the DNA of Fortinet from day 1. This conversion has become essential to secure data that are being accessed and then read from anywhere. It's about providing the freedom of choice when it's come to cloud journey.

We are the only security company that bring your freedom back when it's come to the security cloud journey. We offer the broadest cloud offering. We provide the choice to go for any cloud provider. We provide the timing. You can keep the pacing while leveraging your existing investment on prem and moving step by step on the cloud journey.

And it's about, of course, leveraging the choice from a financial, but also from a technology perspective, whatever you want to have full cloud, hybrid cloud or maintaining your existing on prem delivery solution. But it's always a consistent security posture everywhere from any source of the storage of the data. Your cloud strategy, your policy, your priorities still have to sit above any public cloud provider roadmap. And that's what we are. And then it's about the rise of the edge.

Can during the accelerated presentation 2 years ago has presented and predicted this. This trend has accelerated, boosted by 5G. A world of innovation at the edge and is coming. And you can see, as I highlighted, self-driving car, remote surgery and more to come. But that's creating fact much more new age, which requires security to be delivered constantly across all edge, cloud edge, 1 edge, home edge, OTH and data center edge.

Those predictions are real, but let's talk about the number at least on how we have been able to tackle those new challenges during 2020. As you can see, we our secure SD-WAN was a great example of the merge of networking and security. We came late on the market, but we have been looking about the demand and what was the key blocking point to deploy this new SD-WAN technology across the world. That was by ID security, embedded security in this solution. And with our great secure SD-WAN, we have been able to do a record year and we have been able to grow at 96 signed year over year from last year.

And we have been also enjoying the very nice question during the Gartner release in Q4 of the 1Edge Infra Magic Quadrant where we are number 2. The cloud, it's against another example, we grew about 60% or 64% of people have cloud provider solution. Here again, the freedom of the choice and the same security posture that you have on prem and on the cloud as helping to deliver such a very high number. And last, it's about, of course, the covering all these different age and evolving on the Zero Trust network architecture. And here again, with our endpoint or EDR, we have been able to enjoy the 173% year ago.

So all of those numbers confirm the great vision, the great anticipation of the market trend and the great execution that we have been all together been able to do. To explain why we are in our vision of security, we have to understand the new security paradigm created by digital transformation. Digital transformation is driving a significant shift in the way all of us deliver technology and services to connect people and object to application. The infrastructure has been for the last 20 years centered around the data center. And as you can see, it was more data center centric where we had almost 80% on prem.

And it was the access to those data, which was mostly around the core networks, was accessing to all aging DMZ perimeter. And last was about the manual config. So in order to allow access and control, it was all manual, very limited in terms of automation. The transport layer was the link between the age and the data center. The digital transformation is forcing to shift toward an hybrid cloud centric world, where the data center is just another place where application are hosted.

The enterprise edge span many different domain, cloud edge, security applications on prem and third party on the wider antenna. You can see that there is most likely a shift from the on prem and off prem about 50%, 50%, hosted or SaaS. And security need to be delivered everywhere with an end to end automation. So simply connecting people and sales to applications, putting an end to end visibility, of policy enforcement and automation at the center of this new paradigm. This new paradigm effect in 4 dimension.

Architecture become distributed, application are delivered through SaaS and security need to be enforced everywhere. The management requires the total visibility across multiple vendors. Such a new pipeline demands an holistic approach of cybersecurity. In this context, Fortinet Security Fabric see its core attribute more crucial than ever. It's broader than ever, now embracing the rise of the edge in all of its dimension.

It's natively integrated and it's fully automated with an open ecosystem for third party application. Why all the set of solutions that cover this fabric are now in 3 main aspects: Zero Trust Network Access, security driving networking and adaptive cloud security, all started with what we call the Fabric Management Center, KnoxSoft Automations and the Fortigua Threat Intelligence. And in 2021, Fortinet brings the security fabrics to the next level. All building blocks are now integrated at the heart of the security fabric in one operating system, the FortiOS, making this one platform able to enforce one policy consistent across all ages that sit above cloud diversity and that keeps all scenario open in an uncertain world. No vendor can claim their infrastructure security fabric value.

You will learn during Ken, especially John's presentation, how Fortinet and the FortiOS allow the fabric to cover multiple new case. So let's take a look of those these three elements that I consider very critical as we see a huge demand moving in 2021. Our one platform, the Security Fabric, allows us to secure the branch for the edge branch, which with our secure SD branch, it's a great, I will say, representation of the Fortinet strategy and success execution. SD-WAN is the example where we started implemented with listening for new customer what is important and embedded within our FortiOS all these networking features into a comprehensive security approach.

And that has helped us to gain a huge market share, putting us, as highlighted here in my partner, in a leading position. And AZ1 isn't the only example. Our platform approach enabled us to offer an AI drive and Zero Trust access solution that is seen today as the safest path into a full XDR solution. An XDR with response across an extended scope, and automated user profiling and analytic behavior endpoint monitoring.

It's all about managing the user accessing to the data, the application and understanding their behavior and potentially anticipate any leakage. And this extension leveraging our 40 ways on the 0 cost network access, we are about to do the same with the SASE. Our platform allows us to develop the most complete SASE architecture, including NextGen firewall as a services, secure web gateway, CASB, 0.0 test for access. It integrates natively application security in the circular fabric and in our easy one. It also provides a very careful approach for the home or remote user, providing the choice for adjunct or agentless, looking about the best security or a compromise between easy to access and security.

And it's all about performance. It's important that while those new home worker access to the application they have working, they need to maintain the high performance. So it's optimized as well the network access and scale performance. So here again, Fortinet will offer you the freedom of choice to secure home edge with the best price performance ratio without compromising on security. Through our platform, the Fortinet Security Fabric, we are taking leadership on the various markets such as next generation firewall market and the 1 edge infrastructure.

What you can see here, we have done with many other and we expect to move on the same bidding position in the next 2 years. So now let's take a look at the benefit of this fabric and the one platform with 1 operating system. Look at first the business benefit. We are all engaged in rationalization, especially during this very complicated time. Many company are running short on cash investment and must need to rationalize why they are doing this digital transformation.

And security has no exception. They may have to spend less money or equal money, but to cover more aspects including this new trend. The native integration on our feature leveraging our Sotient fabric and the product landscape that we provide helped, of course, to leverage, in fact, this benefit from a TCO perspective, but from also a rationalization in terms of dealing with less venues. It also provides a separate benefit. The Fortinet solution provide fully third party validated platform, which no one can compare.

And it's the same security platform that excel, as I mentioned, multiple Gartner Magic Quadrant. It's not a suite of Ecommerce's general solution artificially grew it together on a sideway. It's a true real security platform that allow you to react or anticipate on any attack that you are facing. And last, it's about the channel benefits. Our channel, as you know, with long term relationship, we are we try to be the best vendor to deal with, enabling access to all market segments with our solution.

All size of company across all size of program, be able to deliver both on OpEx but on CapEx solution and making sure that you have the choice to add the services on top of the technology we provide. And it's about loyalty and long term vision. So again, here, quite happy with everything that we have built and of course, very excited of the future. To conclude, I would like to leave with you with 3 takeaways. First, the vision.

The year has been proven and it's true and it's unique. I think it's clearly disruptive, not following everything that is on the cloud. We have a much more broader, more hybrid view on what's going on in the future. And as you know here from Ken, the future is also to secure all new edge. It's in fact the next major wave that we have to start today to anticipate, including home edge, including OTH, including the cloud edge. And the platform is the advantage.

Having one platform that allow you to realize through one single operating system, all security requirement that you need to deploy and you need to manage on a daily basis to include your to improve your security posture. So let's, of course, look at 2021 and looking forward working with you both new partner that new end user and make very successful in your new record year. Thank you.

Speaker 3

Thank you for attending 2021 Accelerate, and thank you, our customer and partner, for their big support in the past year. From the very beginning, Fortinet founded 20 years ago. So with all your support and help, we continue to grow faster than the market. With the CAGR in the last 20 years, average 45% growth year over year. We outpaced the market growth about 10%.

And also our superior technology and long term investment all paid off making Fortinet today become one of the leader in the cybersecurity space. And more than 500,000 organization and government looking for Fortinet for the protection. So we have one of the biggest deployment of a cybersecurity appliance in the world with over 6,000,000 FortiGate deployed, we counted over 30% of total global deployment making Fortinet a leader in all this network security space. And also we bring a lot of value to the shareholder.

You can look and since IPO and fully net value grow over 2,000 percent. And also the 5 year and 2 year competitor, we're also the number one out our competitors and I appreciate everyone supporting me, including all the investor analysts attending today. And we're keeping building the best broadest portfolio and leading by network security and also including the endpoint, including application, including the other infrastructure and our organic internal develop and making working together from day 1 integrate automate together. And this also leading by the innovation we have with more than 700 patents we have, which more than doubled any other competitor. We continue to lead innovation.

We feel this is a key important part keeping Fortinet growing going forward organically and outpace all the competitors. Plus, from the business model, we have the best business model in the industry, which has both the growth and also the profit compared to some of our competitor only have a growth and some other only have the profitability, but we have both. As also result, Fortinet is the best credit region in the whole cybersecurity industry. And we are also the only cybersecurity security company in the S&P 500 list, which reflect all the team working together, making Fortinet is the best cybersecurity company in the space. Also you can see, so the cybersecurity industry keeping changing every year.

Our tech service is quite different compared to traditional firewall VPN market 10, 20 years ago when Fortinet started. So today, so we are see there's a 3 major focus we are doing. The first is a security driven networking, which is also the vision Fortinet has since very beginning. So we do believe security and networking need to be working together making the whole structure of our secure. The second today is also you need a cover called the Zero Trust Access.

And that's where the traditional parameter protection is no longer enough. You also need to protect all the mobile device. You also need to protect the application in the cloud. You also need to protect all the other part of infrastructure both expand to the WAN like SD-WAN 5G and expand into internally like all the internal segmentation, switching and Wi-Fi access. So that's where the Zero Trust based of protection is also very, very important.

That's making the whole infrastructure is very, very important, including leverage the cloud to secure all the application in the cloud. And with this real trust concept, you can see, we need to protect the whole infrastructure attack surface and also protect people who work from home, work from office and also the mobile when they travel. So this whole infrastructure security is the key for today's cybersecurity. So with all this, we also have the SASE, which is also we build different than compared to our competitors. So we have the SaaS built in OS level.

It's much better, deeper integration compared to other competitor has to use in different system or even different architecture to protect all different part of our SaaS solution. So that's where for Fortinet, even we take a little bit more long time, more effort to building OS level SASE, but the benefit to all the customer, to the partner and to the service provider, it's huge. I believe John Madison will give all the detail on the SASE architecture later. And we presented this slide before. You can see going forward, Gartner do suggest so the edge and the immersive technology will gradually replace the cloud and also mobile device.

So Fortinet has the best technology and innovation to cover both today's solution in the cloud and also going forward for the edge protection. And edge will become more and more important with all the computing power move to the edge to process the real time data and the traffic there. The key advantage Fortinet have over our competitor is Fortinet Security Fabric, which is a broad, integrate and automate. We have the broadest product including not only the network security part, but also endpoint side, the cloud side, application side with over 30 product family together. And all this product mostly come from internal development.

It's integrated together designed to working automatically from day 1, which is different than our competitor, mostly come from our acquisition, which is very difficult to integrate and almost impossible to automate together. Dance making Fortinet has huge advantage over our competitors. And today, we also want to introduce FortiOS 7.0, which is a major release and has a few first come to the whole industry. And the first this is the 1st OS level, Zero Trust level access.

And also so it's the first time have the SASE integrate in the OS level plus all the 5G feature. And also there's other 300 new features included in this FortiOS 7.0. Now Fortinet become the leading cybersecurity vendor has all this firewall based, OS level, zero trust network access and also the SASE solution, together with the 5G SD-WAN making FortiOS the richest feature among the whole cybersecurity and also with the 486 accelerate performance and the computing power, also the best performed OS with all the feature together in the whole industry. You can see we continue to expand our total addressable market. So by 2024, our total addressable market will be $93,000,000,000. Not only we're leading the network security, which is about RMB51 1,000,000,000, but we also have the Zero Trust endpoint solution.

We also cover the cloud security. We also have the secure app including all the lot of new product we're keeping developing. So all these together will continue to drive Fortinet's growth going forward. And also supporting the marketing and the sales investment. So the new headquarter where it will be open later this month.

At the same time, we continue to build a global infrastructure to support our global business going forward. And Fortinet also is a very social responsible company, so we care the environment a lot. So we want to make sure all the product we build is environment friendly and will be saving energy. At the same time, we also want to contribute to community with all the ASE training we have and also supporting education, supporting all the veteran program. At the same time, we want to make sure all the people within Fortinet and also our partner, our customer can leverage the resource initiative we have here and continue to grow in continue to kind of grow together with the industry and making Fortinet as the best company in the whole industry.

So with that, I go to the key takeaway. So first, we want to continue to expand our platform, continue the long term investment we have, including not only the technology, including ASIC, the OS and also the new function, the new feature, the new product. At the same time, including the facility, including all the infrastructure, you're also including the people, which is the number one more important. And that will help us to be the number one going forward in both SD WAN and also security driven networking. And growth is the keyword for 2021.

So with that, I want to thank you everyone to participate to this year's salary 2021. Thank you.

Speaker 4

Digital innovation is accelerating across all industries and markets as companies invest to differentiate themselves. However, this also increases the company's risk. The digital attack surface is much broader across endpoints, network edges edition. Fortinet offers broad visibility across the entire attack surface, an integrated platform to reduce management complexity

Speaker 2

Hello, everybody. Welcome to Fortinet Accelerate 2021. This is John Madison, CMO and EVP of Products. It'd be great to be in person, but unfortunately online maybe next time. Securing all network edges.

I want to talk about a lot of things here endpoint security, device, network, cloud application. But if I take one message away it's that the network is still very important, the security of the network. And what's happening in the network where all these edges are forming that need to be secured. Now our vision as a company, making possible a digital world you can always trust. One of the most recognizable symbols from Fortinet is the O in Fortinet.

Sometimes it's called the grid, sometimes the O. That represents the trust. And how are we going to provide that trust? Our mission is to secure people, devices and data everywhere. What we want to be able to do is make sure we protect that entire attack surface, which has been rapidly expanding due to digital innovation.

Now Patrice had this slide earlier on. It's the Gartner Magic Quadrants. We're in leadership spot for 2 Magic Quadrants. We're in 4 other Magic Quadrants were mentioned another 2. But also we're in 6 what we call market guides.

These are precursors to Magic Quadrants, new development marketplaces: IPS, Zero Trust, email, operational technology, NAC and SOAR. And so, Gartner really recognizes the full breadth of the Fortinet portfolio. Again, we're leaders in the network firewall and WAN Edge sometimes called SD-WAN. Often the leaders are very different companies. But even if they're the same company, they're completely different platforms.

For Fortinet, it's the same product, the same OS, the same API, the same management product. So best of breed functionality, but on a single platform. Now before I get into some of the product stuff, I wanted to talk about training. We have a huge investment in training. I think by now we're the number one cybersecurity training program out there.

You can just see some of the numbers here. I think in fact we're over 600,000. In fact half of those certifications are being done in the last 12 months. As a partner, as a customer, you should be familiar with what we call the Network Security Expert Program.

It starts with foundational and solution orientated. These are all public already all the way to our expert level NSE 8. We provide a lot of these materials and curriculum to top universities and colleges around the world. Also 2 important areas. 1 is what we call IT awareness.

That's now inside our NSE-one. It's free of charge. We have over 150 customers already using this, anti-phishing, for example. Also for larger customers, we have our strategic partnerships where we export the entire curriculum into their programs IBM, Accenture, Salesforce.com. And by the way, we made all our training free of charge in 2020.

It's always been free to our partners and we're going to expand that program into 2021. Training is a very important investment for us. Okay. Let's switch gears now into product and product strategy. You heard Ken talk about our organic platform development.

And this is very important. It's been very easy for us to go and acquire a lot of different pieces and try and bolt them together. We don't do that. We develop the platform organically. Now if you cast your mind back, I can.

Between 2000, 2010, really a lot of the data was at the endpoint. And so endpoint security back then antivirus, it was really, really important. Yes, there was firewalling, but it was more around stable firewalling. Over the last 10 years, a lot of the data has moved into the data center and the network has become very important. Sure, the endpoint has progressed and there's people off the network.

If you look at firewalling, it's progressed into next gen firewall, although it's a content. And of course, the data center became very important. Over the last few years and as we go forward over the next few years, of course, cloud has entered. The network has formed different edges and endpoints and devices will migrate to more of a zero trust type architecture. What's really important though is a platform.

And it's not just a platform with endpoint, a platform in the network or a platform across the cloud is a platform across all three of those things that also includes identity and threat intelligence. The networking industry is very different from the cybersecurity industry. It's actually consolidated. And that's because although things have got much faster in terms of speeds and feeds, the functionalities remain the same. It's just faster switching, faster routing, faster Wi-Fi.

The only thing that's changed a lot probably in the last 2 years 3 years is the application routing has taken over from enterprise IP routing. But still it's a fees and speeds game. Yes, there's some new technologies coming along such as integrated security, AIOps, and high flexibility. The hub and spoke architecture of an enterprise has been here for probably 10 years. The idea was to get everybody onto the network as quickly as possible to the data center and out into the Internet.

And so what's changed? Well, what's changed are all these edges. You now have a LAN edge. You have the LAN edge. You have off network, the home edge recently due to the pandemic.

You've got now different types of cloud, SaaS, infrastructure. We're seeing LTE and 5G as we go forward, operational technology edges. And so all these edges need to protect it. However, it's very complex to build a networking and then to build security on top. And so these edges will be protected by converged technology, security driven networking.

Same goes for the endpoint. If you look at the endpoint, as I said earlier, it's migrated from a signature based system into behavior. We just recently launched XDR, which is more of a platform. Network access started as VPN. We need to look at all the devices, how they get on the network.

That's migrating into a zero trust network access. And of course, identity is a very important part of security and we've migrated from static passwords to multifactor to even passwordless as we go forward. All three of these technologies will come together under zero trust access. And then of course cloud. And cloud has gone from what we call a centralized to a distributed to a more centralized.

And again, right now, it's going back to a more distributed. It's gone from mainframe to personal computer to data center to multi cloud to cross cloud and now back to edge compute. And Gartner actually saying by 2022, 50% of enterprise generated data will be outside of the data center. What's important here is to look at the shared responsibility model for security, whether it be the network, the platform, the applications or the visibility. Depending on what type of cloud, you're going to need that shared responsibility model and make sure you have the tools and controls for that particular cloud.

And let's turn our attention away from infrastructure back to the cyber threat landscape. I think everybody in cybersecurity is familiar with the kill chain. The kill chain itself really hasn't changed a lot. There's some different models out there, but it really hasn't changed a lot over the last 5 to 7 years. It starts with reconnaissance.

It looks at weaponization, digital edition. Delivery, exploitation, installation, command and control, CC, action and objectives. I think probably the most scariest thing we've seen over the last few years is state sponsored, more advanced APTs. In actual fact, the kill chain hasn't changed too much in its own right, but there's been more focus on each part of the kill chain, more sophistication, more speed, more complexity. You need to be able to look at across the entire attack surface and be able to stop the kill chain at any one of these points.

Okay. This is the most important part of our strategy. It's called the fabric platform to some, the Fortinet Security Fabric. The first thing it does is look across the entire attack surface, devices and users, applications, networks, IoT devices, 5G. It makes sure it can see, has broad visibility and protection of the entire digital attack surface to better manage that risk. And it does that through these three pillars: the zero trust for devices and users, security driven networking for the network and adaptive cloud security for the cloud of data center and applications.

What's different about the security fabric is it's totally integrated. Because we've built it organically, each one of the components can talk to each other in a peer to peer way. It can exchange policy and threat information. It has a single fabric management center to provide network operations and security operations. FortiGuard threat intelligence can be applied to any part of the fabric whether it be endpoint, network or cloud.

But we also understand you've made investments in other parts of the infrastructure whether it be cloud or infrastructure or data endpoint. So it's an open ecosystem. We can integrate the fabric into the major orchestration systems and the major clouds. The end goal for the fabric is to allow automation, the ability to drive self healing networks and AI response instantly to any attack on your data, on your infrastructure for our new users. The end goal of the platform is automation.

So let's zoom in to one of the pillars. We need to deliver enterprise protection and that user experience at any edge. We use security driven networking. What are the major technologies around security driven networking? Well, the first one is the ability to operate at any one of those edges: LAN edge, WAN edge.

There's a lot of vendors who just work in the cloud or just work in their network or just work at endpoint. You need to be able to protect any one of those edges. In certain instances, you need to provide very high performance, especially if you're in the core of the network or the core of the data center. So performance is very important. Also things like SD-WAN should be totally integrated inside the firewall itself.

So now you have a secure SD-WAN, not only a next gen firewall, but an enterprise class SD-WAN. The same goes for SD-WAN through Wi-Fi and switching access. As we go forward, the digital experience is going to be very important. So monitoring it, measuring it, but also applying AI ops to the network end to end, from users all the way into the applications and through the network, so they can self heal anything that happens inside that network. As I said, integrating everything as much as possible, integrated 5G and then making sure you can apply certified security.

There's a lot of people who say they've got security. It has to be enterprise class certified security. And what does that look like from a product portfolio, security fabric, security driven. Well, it's LAN edge, WAN edge, data center edge, cloud edge. As some of you may know, our products have a very straightforward naming system, Forti whatever it does.

So it's our FortiAP, our FortiSwitch, our FortiGate, FortiExtender, FortiProxy, FortiGate for SD-WAN, FortiSASE, which is new, and FortiIsolator. So let's go back to that edge diagram I talked about earlier. You can see how we cover all those edges. We cover the LAN edge, the LAN edge, 5G, SASE edge, cloud edge, data center and OT edge. And so our product portfolio inside security network is able to protect all those edges across your network.

Now if you're in the industry, you know the acronym soup is always around. The latest one I think is SASE. And I just wanted to go through what we think about SASE, what's our vision around SASE. The first thing we want to make sure is that we have a flexible edge access, whether it comes from a client, whether it comes from a thin edge, such as a 5G connection through LTE, whether it comes to a more PureEdge through SD-WAN. All those edges feed back into what we call our FortiSASE, which is our certified enterprise security, next gen firewall, secure web gateway and integrated zero trust network access.

Then as we connect FortiSASE into the different clouds through our peering systems or through our APIs such as FortiCASB, we make sure we monitor that digital experience. Again, for most companies who are developing their digital innovation, the digital experience is going to be the most important thing to their users and their customers. And let's not forget, there's still a lot of implementations of appliances in data centers, in campuses, in clouds. Fortinet continues to push the boundaries of performance for our data center firewall. We're rolling out our Network Processor 7, our new SPU last year and this year and our content processor.

You can see some of the benefits here. Some of the speed you get compared to CPU based systems is usually about 10x, whether it be throughput, whether it be specific applications. And actually very importantly, it's green. It actually is the most energy efficient consumption from a firewalling perspective you can get. In fact, 1 of our NP7s equals 10 of the high end CPUs in terms of performance.

Now imagine the savings in power and space. So we'll continue to invest in this area as we go forward. All right. Let's switch gears a bit here. Knowing and controlling everyone and everything on and off your network, users and devices: zero trust access.

So a lot of our customers are using our VPN technology. And in fact during the pandemic, the start of pandemic, they had to go from maybe 5% work from home to almost 100%, 1,000 users to 50,000 users. VPN technology allows you onto the network. It gives you access to the entire network. It is a one time trust check.

And usually because of the scope has a generic rule set across all users. Our VPN needs to migrate forward. It needs to migrate forward to more of a zero trust architecture both on and off the network, providing a continuous trust check for every session. Application specific access and user contextual rule sets: are you on and off the network, what time, what applications are you accessing. This architecture from Fortinet is more of a migration than a rip and replace.

You migrate your client forward. You migrate FortiGate and FortiOS forward to give you the zero trust network architecture. What are the products inside this portfolio? FortiClient, FortiNAC, FortiToken, FortiAuthenticator. And as I go through all these products, you'll be interested to know that most of them have different form factors: agents, appliances, virtual machine, cloud native, SaaS.

But again, let's come back to this zero trust vision, zero trust architecture vision. What it's saying is that all users have application specific access. You can provide session segmentation. They go through a flexible proxy for the OS. That proxy can be in your data center.

It can be in our cloud. It can be on your campus. That gives you great flexibility. You apply device and user identity through our systems or through additional or external systems that you already have. And then very importantly, you provide this continuous contextual based trust through our EMS system per application access.

From a product portfolio, in fact, there's 2 main products here, FortiClient, FortiEDR, migrating to FortiXDR. So there's 2 migrations going here at endpoint. 1 is the VPN migration to zero trust, encryption on network, on and off network, network visibility and the migration point I think longer term is that proxy sits in a SASE environment. The same is happening on endpoints, migrating from EPP to EDR, eventually XDR. If you look at both of our products, FortiClient and FortiEDR, you can see there's a bit of overlap for maybe midsized customers who just want antivirus or web filtering.

Long term, we're going to try and bring these agents together in a single zero trust architecture. All right. 3rd pillar, secure any application on any cloud, cloud security, adaptive cloud security. Now I talked about the migration of applications from data centers to public cloud to SASE as we go forward onto the edge. So it's very important that any security or cloud security is available in a hybrid and cross cloud environment.

Then you break it down. You've got to get to the cloud, cloud on ramp, virtual networking, micro segmentation. You've got to protect the platform. It may be the different clouds, it may be the data center through workload protection, container security, native security. And then you got to protect the application, mail, web, ADC.

And then the third component of this is where are you inside the DevOps? Are you shifting left to protect more of a development environment? Or you're shifting right. This all comes together in our adaptive cloud security portfolio, hybrid and cross cloud. Consists of network components, FortiGate-VM, cloud networking, DDoS, micro segmentation, our platform, FortiCASB or FortiCWP. One of the fastest growing areas are a set of rule sets that sits on top of native cloud security, such as IPS rules on firewalls or WAF rules on top of WAF firewalls, and then of course application protection: FortiWeb, FortiMail, FortiADC.

And I'm not going to go through this side in a lot of detail. It just shows you the amount of coverage you need inside these clouds scaling from threat intelligence to the security centers. I talked about these rule sets sitting on top of native cloud security. So cloud security is very fragmented. You could use the existing cloud vendor.

You can use our solution. You can use both. But we have individual roadmaps of every one of the major clouds out there. Okay. Bringing everything together through our Fabric Management Center, starting with its SOC: automate security operations across the security fabric.

Traditional types of SOC security are very isolated. You put in systems such as threat hunting, malware analysis, you put in situational awareness, insider risk, EPP, EDR. Long term, this is going to migrate to what we call an extended detection and response system, a platform approach where everything is integrated, everything can share intelligence and everything can use a cloud to make decisions very quickly. What does our portfolio look like for Fabric Management Center? Consists of endpoint breach, incident response.

So endpoint, you got FortiEDR, XDR, which was recently announced, a sandboxing, a receptor, a FortiAI and then incident response systems, Pfizer, SIEM, SOAR and some new service offerings. Depending on the maturity of your organization, this can be very straightforward such as sandboxing or analyzer. As you get more sophisticated, more mature, you can make sure you can apply additional capabilities, whether that be deception or XDR or more sophisticated automation such as SOAR. We put our systems together such that a small business, a medium business or a very large business or some of our MSSP partners can scale the capabilities of their SOC to match their maturity. So what's new with the Fabric Management Center SOC with 7.0. The core of the security operations, we have a single pane for the software.

We have an extensive ecosystem. And then we have AI powered threat detection and response from sandboxing to EDR. On the analyzer side 7.0, we have this new service SOC as a service, a new best practices capability and a FortiGuard outbreak alert offering. And then on the SOAR side, an incident war room, a mobile app and some new AI based recommendations. The other part of Fabric Management Center is the network operations: simplify network operations across the security fabric.

Obviously, management is very important. And the single management console across all the products inside the fabric is very important, but we started to add some additional capabilities. We started to add orchestration for things like SD-WAN. We started to add monitoring for the digital experience. So the fabric management center NOC again can scale from a small business using something like FortiCloud, which provides a SaaS delivery of a lot of this functionality, all the way into a full blown FortiManager that provides policy management, orchestration and monitoring.

One of the most important areas of a fabric is the management center. Fabric management center, two elements as we said. One is the SOC, one is the NOC. You really need to try and simplify network operations across the security fabric. Three areas inside the Fabric Management Center.

Obviously, policy and management configuration is very important, will always be very important. But we're starting to add orchestration inside there, orchestration for example of SD-WAN, orchestration of SASE, and then monitoring, making sure you can look at that digital experience. And then coming together across everything will be some form of AI ops, which provides that self healing. So from a fabric management center, we have FortiManager. We also have FortiCloud, by the way, which is a SaaS delivered cloud management system.

A lot of the features and functionality of FortiManager are more in a SaaS implementation and then FortiMonitor, which is a recent acquisition. Now similar to the SOC, you have this level of maturity. So again, for smaller customers, you may want to just use the SaaS management and configuration and policy management. As you go forward for larger customers, you may want to look at the monitoring capabilities. So you're measuring that digital user experience.

And then for larger customers, you definitely want to look at the orchestration. You want to make sure you're orchestrating across all those capabilities, across all those edges, both networking functionality as well as the security itself. Where is the Fabric Management Center going long term? It's going towards self healing network operations, the ability to heal and monitor and configure the LAN, the WAN, the data center and the cloud edges. What's new in 7.0: FortiMonitor, Panopta acquisition, zero touch provisioning for SD branch, policy optimizer, best practice services and now includes management of FortiProxy.

Now I just mentioned a new product, FortiMonitor. This is a SaaS based digital experience monitoring, also a network performance monitoring system. It's SaaS based. It measures endpoint, LAN, WAN, data center. It actually has a lot of capabilities inside the cloud.

As most customers drive towards that digital innovation, digital experience. This is going to be a very important part of the reporting structure to maintain that. It's very important to provide that threat intelligence to the platform. We refer to that as FortiGuard Security Services. Now there's quite a few of these individual services.

It can range from AV signatures to IPS to IoT detection to management, security as a service. It can be applied to the endpoint, the network or the cloud and to any one of the form factors: hardware, software as a service and API. We put these into these buckets of security. The first one, it's content security. Looking at the content and providing security there. There is the web security, then obviously user security and device security.

And then as we go forward more advanced SOC and NOC. Also available are what we call bundles. These bundles bring together some of these packages starting from ATP, advanced threat protection to unified threat protection to enterprise protection. Our most advanced bundle is the 360, which includes everything. We just added SOC as a service inside there as well.

And by the way, if you are a larger customer, when I say a larger customer with maybe 20, 30 devices, then you should look at our enterprise license agreement, which gives you a lot of flexibility and operational savings. Again, as I said earlier, although we have a very extensive portfolio of 30 plus products covering the entire attack surface, we also have a very large ecosystem, in fact 400 plus integrations, 200 plus ecosystem partners, and this is very important that you're able to put the fabric and connect the fabric, supply that automation outside of the fabric. Now with the Fabric integration, we have different types. 1 is what we call a Fabric Connect, where we build into a major orchestration system or a major cloud.

We have our own API with Fabric API. A lot of companies from different areas are built into that API. We have a thriving Fabric DevOps community across cloud. And then we have an extended ecosystem, not only sharing of threat intelligence, but some of our systems can extend well beyond, like SIEM for example or NAC can extend well beyond our fabric ecosystem to provide that coverage. It also breaks down into the different pillars.

So you've got a number of vendors who are really focused on the networking side. We've got obviously there's quite a few vendors on the cloud side, on the security operations side, on the zero trust side. Some of these vendors may be competitors of ours, but we want to make sure that if you made a decision around a specific cybersecurity vendor or networking vendor, we can provide that integration. Now again, we don't do a lot of huge acquisitions, but we do do acquisitions. And these acquisitions are really focused on specific technologies that we want to accelerate edition inside the fabric.

The goal is to bring them in and integrate them into the fabric as quickly as possible. These are acquisitions over the last few years. You can see it ranges from security operations for the EDR, HILO, SIM, EstellOps, So we'll focus around Insight and Uber and SAW. The most recent acquisitions are FortiSASE, which is OPAQ, and FortiMonitor, Panopta. A while ago, we also acquired some of NAC and some FortiAP.

Again, the ones which we acquired 3 or 4 years ago, a lot of that technology has already been integrated inside the fabric. So I can't go through every product in a lot of detail in 30 minutes. This summarizes what I've just talked about in terms of the product portfolio across both the security driven networking, the adaptive cloud, zero trust, FortiGuard Security Services, again, a very extensive portfolio as well as being very open. Now we did announce a few weeks ago of FortiOS 7 with 300 plus new features across the fabric. That will be available at the end of this month.

Again, the features range across the network, across zero trust, across the cloud, management, NOC, advanced services, etcetera. So do take a look at that. I think we're in beta 3 already, so you can download and take a look at some of the new features inside there. So I'm going to finish up. Thank you for listening in.

As I said right at the beginning, my main message here is that most customers driving towards a platform, but a platform that takes into account the network, the endpoints and devices and the cloud and applications end to end versus just one of those. Thank you.

Speaker 4

The traditional network perimeter is now open, allowing applications and data to move freely across multiple network Rather than addressing the distributed network as a single environment, they can only focus on protecting one segment of the network at a time. The Fortinet vision for security It begins with the Fortinet security fabric powered by a single operating system, FortiOS. Of service. Zero Trust Access, ensuring controlled access to any resource from any device. Security driven network, enabling digital innovation by blending security with the network.

Adaptive cloud security, providing consistent cloud native security across the multi cloud environment. The entire Fortinet security fabric is integrated to reduce complexity and share threat intelligence. FortiGuard gathers critical threat intelligence, which is then analyzed by our patented AI based threat analysis system and continuously shared across the entire security fabric. To help organizations more effectively leverage their existing security investments, fabric connectors and APIs create an open edition. So existing solutions can be easily connected into the security fabric.

A single fabric management center provides centralized control every fabric element. It ensures that everything is integrated and communicated, orchestrates policies, correlates and shares threat intelligence and automatically enables a coordinated response to detected security events. All of this driven by automated self healing networks with AI driven security for fast and efficient operations. The result is the 1st fully integrated endpoint network and cloud platform. Augmented with the industry's most advanced

Speaker 5

Welcome to the VIP area of Virtual Accelerate 2020. My name is Ali Ghazabi, managing security operations in Fortinet SOC. In just a few moments, we'll enter the Fortinet virtual talk for a guided tour. Meanwhile, we have Robert May, Senior VP of product management here to provide a warm welcome.

Speaker 6

Welcome to the Fortinet Virtual Security Operations Center. Now just behind these stores here is the only SOC in the world powered by the Security Fabric Blueprint 7.0. And in just a minute, I'm going to turn this over to our SOC managers to give you a guided tour. But I know you're going to want to know where do I find more information. So let me take just a minute and show you exactly where to find all of this stuff in the Tech Expo.

Okay. So the first thing you're going to want to do is locate the Tech Expo. Now when you first logged in, you would have seen a menu on the left hand side. And one of the options in that menu is for the Tech Expo. So go ahead and click on that.

Now once you drill down into the Tech Expo area, you're going to first be presented with all of the different kiosks which exist in the Expo. And these kiosks are ordered and grouped around the security fabric pillars. So let's go ahead and click on 1. Let's click on Zero Trust Access. Okay.

Now that we've drilled down, let's take a quick look around. First and foremost, you're going to notice a central video. This video is really just a brief introduction, 5 minutes or so just to walk through what are the different products and different solutions within the pillar. And it's also going to walk through the different blueprint elements that are important to that security fabric pillar. On the left hand side, you're going to see a panel titled Meet the Experts.

And this really is your key to finding the most important latest demos for version 7. These are hands on demos, in-depth, it's done by product managers, CSCs and others. So it walks through typically an end to end use case demo of a very important feature. And then on the right side, you're going to see links to things like the partner portal or the corporate website. Basically, the most important links which are relevant to this pillar that would provide more information for version 7 itself.

And lastly, you'll be able to navigate between the different kiosks using the hamburger menu in the top left, that's a simple way to just jump between the different kiosks and the different blueprint. All right. Without further ado, let's get this tour underway.

Speaker 5

I bet you're excited to see the Tech Expo already. But first, let's turn it over to a couple of our operations specialists. Next generation network is the foundation of Fortinet Security Fabric. Jordan Towson, VP of Product Development is here to show you the latest updates on the network operations center.

Speaker 7

Hi there. I'm excited to show you a sneak peek of the new Fortinet Virtual Security Operations Center. We have standardized our deployment on the Security Fabric Blueprint 7.0. Today, I'll demo some of the products that we have installed, starting with the latest version of FortiOS. With FortiOS 7.0, I can now log in using my FortiCloud account.

Granular access to all of my registered products and cloud services can optionally be controlled by the FortiCloud account owner using FortiCloud Identity and Access Management. One of the first things you'll notice is a variety of new dark themes like this Jade one. We are also getting back to our roots with a new retro theme. Let's check out which products have already been added to our Security Fabric. Okay.

We have a FortiAnalyzer, several FortiGates, some access layer devices. Looks like Security Fabric is now set up using virtual domains. The fabric root has been split up to support multiple tenants. There's new integration with FortiAI. Here we can see it has scanned more than 200 files and already blocked 29.

We've also expanded integration with FortiDeceptor, FortiMail, FortiNAC, FortiTester and FortiVoice. All of these products seamlessly integrate with the security rating and security fabric automation features. Let's take advantage of the new automation framework to keep an eye on what's happening in the network. I can now trigger alerts based on events that happen anywhere in the security fabric. Here, we will enable a new alert based on FortiDeceptor.

The insider threat event will trigger whenever FortiDeceptor detects an attack on one of its decoy VMs. Once the trigger is set up, we'll add a new action to block any of the IPs reported by FortiDeceptor. So far, we've looked at some of the services running in our data center. Now we want to make sure that our internal applications are accessible for employees working remotely. FortiOS 7.0 supports ZTNA, Zero Trust Network Access, allowing us to securely grant internal application access to trusted devices and deny access to all others without the need for complicated VPNs.

Let's enable access to our internal project tracking service. To grant access to this application, we first create a ZTNA server and link it to our internal application. In this case, projects.fortinet.com. Next, I create a zero trust policy to allow access to this server for endpoints with a specific zero trust tag.

Here, I'll pick the project server and grant access to product managers. We're all set now on the data center side. Now you may be wondering how users will access these applications. Let's walk over to the next desk and take a look at FortiSASE Secure Internet Access launching this month. FortiSASE protects remote workers by inspecting all of their Internet traffic in the cloud, while still providing fast access to internal applications in the data center.

FortiSASE SIA provides seamless compatibility and integration with other Fortinet and services leveraging FortiOS behind the scenes. I've already logged into the management portal using my FortiCloud account. Here you can see all of the other cloud service portals that I have access to. On the FortiSASE dashboard, we have the default security inspection rules applied for all users. Antivirus protection is enabled, web filter is blocking access to malicious categories and IPS is scanning for known threats.

I can also optionally enable SSL deep inspection, file filtering and data leak prevention. I've already linked FortiSASE with our LDAP services. Let's onboard our first user. Looks like an endpoint just came online. Let's see what they're up to.

They appear to be active on social media. Let's block that. While we're at it, let's also block access to Google Drive to prevent users from leaking company documents. Finally, let's allow them to directly access that trusted application we configured in the beginning. Here, we will prevent traffic to our corporate project server from being inspected by FortiSASE SIA.

When it reaches the FortiGate, the corporate policy we configured earlier will verify that the user's device belongs to the projects group and immediately allow access as well as safe direct access to our corporate applications. Talk about productivity. Sounds like we have an alert on the network. I hope the SOC team can help from here.

Speaker 5

Let's go back to the security operations center. We are in good hands as Leng Liu, VP of Product Management, oversees the service, which is going to look into a security alert and show us the latest Fortinet has to offer for yourself.

Speaker 8

Hello. Welcome. First, let's take a look at the alert that is just coming into the SOC. Here, I'm inside the FortiAnalyzer FortiSOC module, and I see a new alert pop up under Shadow IT. Click on alert.

I see a user is trying to upload a protected file to Dropbox, an unsanctioned application, using his corporate email account. The upload is blocked by FortiGate, so no action is needed. Shadow IT is a new feature to extend SOC Automation to the cloud via the edition. It allows the SOC to monitor cloud application usage such as business versus personal apps and flag unsanctioned usage and any potential file exfiltration. FortiGuard outbreak alerts is a new service available to your FortiAnalyzer through the enterprise protection bundle.

This service is offered to protect you against the malware outbreaks such as the recent Sunburst supply chain attacks. Here, we have collected all the resources you need to know about this outbreak and its detection. It consists of 4 pages. The first page is a summary that contains the background information about the SolarWinds outbreak. The second page shows details of the FortiGate coverage edition.

For this outbreak, along with IOCs, event handlers, reports and playbooks that help you to detect and hunt the threat. The 3rd page is a KLG mapping to show which stage each Fortinet solution covers. The last page contains the detection. All detected threats will be listed here. Click on each alert.

It takes you to the incident analysis page, so you can see the details of the detection and recommended remediation. As data and workloads are moving to the cloud, we see increasing demand for SOC as service, which we are now offering through FortiAnalyzer Cloud. With this service, Fortinet SOC analysts around the globe monitor your network 24/7 to detect misconfigurations, policy violations and security alerts and escalate them back to you. It's really simple to onboard this service from FortiAnalyzer Cloud: subscribe your FortiGate to FortiAnalyzer Cloud Premium, or if your FortiGate is already registered with the 360 bundle, it is automatically entitled to this service. Log in to your FortiAnalyzer cloud instance and switch on managed SOC service.

You are now onboarded. The SOC portal is there for you to see all escalated alerts. We will notify you by phone for high severity alerts and by e-mail for all other alerts. In many organizations today, NOC and SOC teams are still separated. Both teams are on the front line of defense and the line between them is increasingly blurred.

It's important to bring them together given the overlapping scope and responsibilities of these teams. The Fortinet Fabric Management Center provides a single pane of glass for NOC and SOC teams to operate on a single source of data. It allows the NOC team to easily visualize and monitor distributed networks and to quickly identify and fix any network connectivity issues. It gives the SOC team a wealth of security analytics to automate tasks for rapid response. Here, we have a high severity SD-WAN event from the dashboard, and a single click will kick off a playbook to submit an IT ticket for the NOC team to investigate. In FortiManager Version 7, templates are expanded to simplify SD-WAN branch onboarding. They can be used to automate the onboarding process across tens of thousands of locations. Templates now support metadata variables, so you can use regions, locations, store IDs and more to make the zero-touch provisioning more scalable and fully customizable. A new SD-WAN branch can be provisioned and is up and running within minutes.

The visual device map provides a single view of all onboarded devices

Speaker 5

I hope you enjoyed our quick tour of the Fortinet virtual talk. Let's head down this hallway where you can check out the Visual Tech

Speaker 9

Hi, everyone. I want to first of all thank our partners, our customers for taking the time to attend the session. This session is around simplifying SOC automation with FortiAnalyzer. I'm Satish from the product marketing team and we have with us Ling Lu from the product management team as well. Many of you might have seen through the previous sessions the fabric diagram from Fortinet.

In particular, what we are going to be focused on today is around Fabric Management Center and in particular FortiAnalyzer, which is a core part of the SOC offering that we have as part of the Fabric Management Center. The agenda for the day is first, we'll talk about some of the key challenges we've heard our customers face today around the security fabric. And then we talk through how are those challenges being addressed through our solution with FortiAnalyzer and then Ling comes on, talks about FortiAnalyzer and in particular what's new as part of 7.0. And lastly, we leave you with a case study from a customer and then give you some next steps as well. So if you look at it, most customers struggle with complexity of operations and that's no news for the SOC teams as well.

And in particular, they're struggling with complexity because of 1 or many of these reasons that are listed here, either it's because they have too many vendors in the mix or they're struggling with too many alerts that are coming in or they have slow response or more importantly, I think the entire industry is struggling with lack of trained staff and we continue to have shortage of staff. Now all of these or a combination thereof are contributing to complexity of security operations for teams, small, medium or large. So how we address this is by simplifying the security operations based on a simple concept called SOC maturity. Now, we define maturity based on the people, the process that they follow and the technology that they use. And we put them in either level 1 SOC maturity or level 2 SOC maturity or level 3 SOC maturity.

And now Fortinet offers a range of offerings that improve the efficiency of the security teams, like I was mentioning across all maturity levels. Now this is an attempt to help you understand some of the offerings and how it kind of fits in our framework of simplifying security operations based on your level of maturity. Now, all Fortinet Security Fabric customers are encouraged to establish an analytics and automation foundation with FortiAnalyzer as you can see here in the sketch as well. Building on this foundation, as organizations have growing concern about threat landscape and have limited security staff skills and processes, FortiXDR enables automated incident detection and investigation and response across the fabric. For organizations who have more diverse security environments, FortiSIEM as part a core part of our SIEM solution here as multi-vendor visibility and automation across their multi-vendor environment.

Now, this is just to help you understand how we think about simplifying operations based on the security maturity that your SOC team has. Now in the rest of this presentation, our focus is primarily going to be on that foundational layer, which is FortiAnalyzer, but we wanted to take this time and give you a sense of how we think about our offerings and how we can help you simplify security operations across the maturity level that you have with your SOC team. Now coming back to FortiAnalyzer and how FortiAnalyzer can help you automate your security operations, we think of it as 3 core themes that go into FortiAnalyzer that enable you with automating in your security operations. The first is around security fabric threat detection and response, which is around automating advanced threat detection across the security fabric. In particular, we have a subscription service called indicator of compromise service that enables our customers to identify any anomalies within your environment through the subscription service that is powered by our FortiGuard Labs.

The second core theme is around security automation and whether your team has a low maturity or medium maturity. We enable you to unlock the automation features Encryption security operation services that can be attached as you feel kind of your SOC maturity is improving. You want to add more services on top of it. As you would see in a bit, we have new services that are coming out as part of 7.0 that enable you to improve your visibility, improve your automation on top of the foundational layer, which is FortiAnalyzer as well that you have. So what are the core use cases for SOC automation with FortiAnalyzer?

The first core use case is around security fabric analytics. Now whether customers have 3 FortiGates or they have FortiSwitches, so FortiAP is behind those FortiGates, at the end of the day, they want very simple visualization and analytics that are happening within their environment and FortiAnalyzer immediately helps you with that single pane visibility with security fabric analytics. The second key use case is around advanced threat detection. In particular, like I was mentioning before, when you enable the indicator of compromise service on FortiAnalyzer, immediately we can enable you to identify anomalies within your environment very easily. Compliance is the 3rd key use case.

We have CAM reports for PCI DSS, situation awareness report, which is governed by NIST and so forth that enables you to accelerate compliance and improve your SecOps risk and compliance posture as well through the automation of SOC through FortiAnalyzer as well. With that, I want to pass the ball to Ling to talk more around FortiAnalyzer and some of the key feature updates as part of 7.0 as well.

Speaker 8

Thanks, Satish. SOC teams require multiple areas of and have to deal with many tools such as the SIEM, sandboxes, threat intel systems, ticketing systems and so on. There are simply too many alerts for SOC to monitor, alerts are overloading and this leads to slow response and missed security incidents, increasing the chances of security breach that can have severe consequences. FortiAnalyzer provides the SOC team with a wealth of security analytics and built-in incident response frameworks to automate SOC processes for rapid response. Let's take a look at the Fortinet SOC solution as it stands today in 3 main areas.

First, threat detection and incident response. FortiAnalyzer provides fabric logging, reporting and security analytics out of box for the SOC to monitor entire security fabric attack surface. It keeps things very simple to understand and simple to operate. There is very little extra configuration and rules tuning required. Today, it is integrated with the majority of our security fabric products such as FortiGate, FortiWeb, FortiMail, FortiSandbox, FortiGuard, FortiClient and so on.

It also has built-in SOC and UEBA for advanced threat detection. In 6.0 4, we added SIEM database, so it can process security logs from Windows and Linux OS. 2nd, SOC Automation. We have an incident response framework that provides playbooks to automate SOC tasks, built-in event handlers, alert triage and threat hunting reports. 3rd, cloud services.

Along with all of this, we also provide cloud services for SOC. FortiAnalyzer platform as a service is available through FortiCloud and FortiGuard IOC service and SOC service available to FortiAnalyzer for threat detection and rapid incident response. The upcoming ordering guides make ordering products and services much easier. They contain all the necessary information in the digestible format. The easiest way to buy FortiAnalyzer is through hardware bundles or VM subscription bundle.

The hardware bundle includes the hardware, the 1st year enterprise protection bundle, which contains FortiCare support, IOC and SOC subscription. Renewal bundles are available. The VM subscription bundle is an all-in-one bundle that contains VM subscription, 24/7 support, IOC and SOC service. It's worth noting that the new FortiGuard outbreak alert service will be included in the enterprise protection bundle. FortiAnalyzer licensing is based on gigabyte per day logs.

Sizing number of gigabyte per day for your customer can be challenging, particularly when information such as log rates or new sessions per second are not available. Fortunately, we have a sizing tool that we have been using internally today and should be available from FNDN soon. If your customer needs cloud based logging analytics solution, they should go by FortiAnalyzer Cloud Platform as Service. The basic FortiAnalyzer Cloud Logging and Analytics is included today in the FortiGate 360 Protection Bundle. The FortiAnalyzer Cloud premium subscription supports advanced logging and analytics and it includes the upcoming new FortiAnalyzer Cloud SOC as service.

The innovations for version 7 FortiAnalyzer fall into 3 areas. The first area is security fabric detection and response. In FortiAnalyzer version 7, the logs for new fabric devices such as FortiEDR, FortiDeceptor and FortiAI are now supported. For scalability and performance, we are adding a capability to FortiAnalyzer to horizontally scale up a FortiAnalyzer deployment for threat detection. Basically, you have the FortiAnalyzer orchestrator to oversee and coordinate all the FortiAnalyzer instances in the cluster.

Data are stored and processed in each FortiAnalyzer, but it's accessible from the single console of the orchestrator. UEBA is further enhanced for accurate detection and more coverage and SIEM correlation and analysis are expanded for more advanced threat detection use cases. The second area is SOC Automation. The FortiSOC module today is part of incident response framework on FortiAnalyzer. This built-in module provides basic cell transformation within Fortinet security fabric core products with a minimal configuration and setup designed for customers to easily adopt the SOC.

Today, it has connectors to FortiOS, EMS, FortiGuard and FortiMail. So you can create SOC playbooks for automated incident response. As the SOC grows, it needs more advanced automation and incident management capabilities to scale up the operation. FortiAnalyzer 7 has a FortiSOAR container to make this transition easier. It comes with FortiSOAR capabilities to help accelerate your SOC maturity. Now connectors in version 7 extend this automation to cloud. The XDR connector allows a XDR cloud to query FortiAnalyzer data for extended endpoint detection and response. The FortiCASB connector allows FortiAnalyzer to automatically uncover shadow IT such as unsanctioned application usage. Some SIEM vendors may provide similar capabilities.

However, FortiAnalyzer makes things super simple and they work out of the box. It does not require special tutoring and so it saves your security team tons of time and effort to get things going in your SOC. The 3rd area is SOC Cloud Services. As data and workloads are moving to the cloud, we see increasing demand for FortiAnalyzer as a service. Today, we already have self managed FortiAnalyzer platform as service available for SOC.

Now we are expanding to a managed SOC service offering. With this service, Fortinet SOC analysts monitor customer FortiGate logs for network and security events to detect misconfigurations, policy violations and security alerts and escalate them back to the customer. 2 types Our FortiGate sends logs through our on premise FortiAnalyzer that forwards the logs to the cloud. The license model is very simple. You only need to add FortiAnalyzer Cloud Premium subscription for each FortiGate.

FortiGuard outbreak alerts is the service available to our FortiAnalyzer customers through their enterprise protection subscription. This is the downloadable content package from FortiGuard, including event handlers, reports and playbooks for malware outbreaks. To make things even easier for the SOC team, we now have FortiCare best practice services available. You don't have to figure things out yourself. And no matter if you have a new deployment or are upgrading an existing system, this annual subscription service will have 14 experts available for consultation to ensure your deployment or upgrade is successful.

Finally, I would like to mention there are plenty of resources available from the virtual tech expo on FNDN for SOC Solutions, including various demos and videos to showcase FortiAnalyzer's SOC automation and incident response capabilities. FortiOS 7.0 will be GA'ed at the end of Q1 and FortiAnalyzer and FortiManager 7 come a few weeks later in April. This is all from me today. Satish, back to you. Thanks.

Speaker 9

Thank you, Ling. With that, very quickly, I want to summarize through a case study and leave you with some next steps. This is a customer story about Kent ISD, which is a small school district with about 20 schools out of Michigan. By the way, this is again publicly available on our resources section as well. That enables And their primary objective was to have advanced threat protection against rising cyber attacks against K-12.

They had, as you can see, a very small IT security team and they want to minimize the resource involvement in terms of either bringing up, either improving visibility or even resolving incidents. They wanted to implement that central single pane for the team for visibility and analytics and have the best price of performance. Net net, they went with a FortiGate Next Gen Firewall and behind that is also an analytics engine, which is FortiAnalyzer, to enable them to have that central visibility and more importantly, help them to automate their operations with a very small IT security team. I want you to take away 3 key things from today's session. The first is FortiAnalyzer enables the security fabric threat detection and response.

In particular, as you would see, like Ling mentioned as well, as part of 7.0, we have increased the indicator of compromise offering that we have. And more importantly, we've also brought in behavior analytics to enable you to reduce risk and improve your behavior anomaly detection as well. And then fabric event handlers to enable you with response and automating the response. We have also incorporated new fabric event handlers as part of the security fabric detection and response. The second key takeaway is around automation.

Now we seriously consider FortiAnalyzer as a platform. And based on the SOC maturity, we want to give you a choice to incorporate advanced automation as part of adding new containers like FortiSOAR, which is our security orchestration automation and response offering that can be easily attached to FortiAnalyzer as well to improve your SOC efficiency. We've also incorporated the connector into FortiCASB so that you still have that single pane visibility, though you have these breakouts that are happening into and accessing into your cloud, you can bring that intel back into your hybrid enterprise as well and leverage that to identify risks across your hybrid enterprise. Lastly, SOC cloud services is a 3rd key takeaway, which is we have SOC as a service to help you augment whether you have an MSSP or whether you are a customer who has a SOC team. We want to augment your SOC team by providing you Fortinet Aware Intelligence and being your L1 into the security fabric to identify any anomalies in terms of what to do, what automation, what playbooks to apply and so forth.

And we have the service to enable you to take full advantage of your FortiAnalyzer and automation features that are available as part of FortiAnalyzer as well. With that, I want to leave you with some next steps on the web, whether it is through you can search for FortiAnalyzer, whether it is as the Anteller or AI driven security ops trailer, you can find FortiAnalyzer as part of related products and we keep that up to date. The next thing is NSE Insider. We actually have an NSE 3 around FortiAnalyzer, which we also keep up to date, so I urge you to please take that FortiAnalyzer lesson. And then lastly, there is a dedicated fast track around SOC Automation in addition to fabric management.

So we urge you to please take part in that. There's also going to be a hands on lab, so please take advantage of that. With that,

Speaker 10

Hello. Welcome to Accelerate 2021. This session, we will discuss how to create a resilient endpoint security strategy. My name is Salim Mehram. I am the Director of Product Marketing. Joining me is Roy Catmoor.

He is General Manager for our endpoint business and provide the and the visionary for our endpoint security strategy. I've been working at home for close to a year. And the pain point that facing the CISO has not changed, but rather exacerbated by remote work at scale and in a hurry. So the first thing is a lack of visibility. It just gets worse when people are sent home in a hurry and many company are letting employees having more latitude in terms of downloading applications, but at the same time, feeling anxious about not having the visibility and control.

And this also lead to breach anxiety, knowing that the hygiene can be better and also with the accelerated threat landscape, ransomware is scarce edition. And the associated business disruption. The last thing is, let's not forget the security teams are also sent home. And facing the advanced threat landscape, they have to deal with a barrage of alert and causing fatigue and potentially burned out.

So all this pain point is it's getting worse and by the situation we are facing today. So we want to talk a little bit and give you a framework how to think about remote work security and how to establish endpoint resiliency. Essentially, shifting the mindset is like it may not be possible to prevent 100% of threat. And let's look at all the tools we have at our disposal to reduce the risk of getting attacked or reduce the risk of the breach and the business disruption. So number 1, we talk about visibility is important.

So having visibility alone is not enough. It's essentially knowing what are potential threats, but do nothing about it is not very helpful. So the idea is you want to have the visibility. You also want to have the ability to take action, essentially preemptive controls. And then the next thing is and that essentially is prevention and hygiene and equivalent to doing all the right things.

And also have the mindset that endpoint compromise is going to happen and how do you protect the endpoint and what solution you put on the endpoint will allow the endpoint to self defend, not just to block malware, but also identify potential unwanted applications, identify malicious processes and shut it down in order to self defend. And once you identify those malicious activities on the endpoint, how do you help the endpoint to self heal? Essentially, it's almost like giving endpoint immune system, right, to self heal, to roll back the malicious changes because let's face it, when you have 80%, 90% of your workers working from home, the old way of re-image rebuild may not be realistic. So let's look for a way to have remote remediation as part of your strategy, so you can basically decide what type of incident you will use remote remediation and essentially roll back using the tool. And what you have when you have no choice, then you use the reimage and rebuild.

So when I talk to analysts, they have estimated about 55% of enterprise has adopted EDR and they're still in various stage. One thing I've noticed that the early adopters may have adopted EDR 5 years ago to augment the endpoint strategy. So they are sitting with 2 disparate solution, EPP and EDR, and they are looking to consolidate the endpoint security. And the later adopters, the mainstream buyers now are looking for a single unified solution for EPP plus EDR in one integrated solution with one integrated agent. And why are the security leader looking for things like that?

Because just thinking back to the strategy I was talking about, they want to strengthen security posture. They want to prevent as much as possible doing the right thing, have security hygiene across a wide range of endpoint and workloads. And the other thing is maintain business continuity. Understand the breach may happen. Understand your endpoint may get compromised.

The idea is how do you have the layer of tools to detect early, respond quickly and recover to get business back to normal as soon as possible without interrupting business continuity or minimize interruption of business continuity. And this means factory will continue to churn out goods. This also means retail sectors that their customers are not being turned away. This means hospital can continue to help patients and this means school can continue to have remote distance learning without being interrupted. And then the last thing is when you think about CISO, they are thinking about their employees, their security team.

And we also want to help them address the challenge and the EDR solution, combined EPP with EDR solution can help streamline security operations, having better visibility and enhanced the SOC maturity when you select the right tools and with the automation. So essentially, get your SOC employee out of the business of doing mundane manual work, then do something that's more interesting and higher value. And if possible, you selectively use help of security services, so you can have a 24/7 SOC while allow your security team to actually have a good night sleep.

So the use case for EPP and EDR combined solution we talked about, today we're going to focus on remote work security, but we also know that a very front and center for people when they're adopting a combined solution is for ransomware protection because ransomware is not just file based malware. Some are fileless, so you want to have behavior based detection, real time containment and essentially just shut down the malicious activity right away. And then the security leaders are also looking for this type of robust endpoint solution with prevention, detection response to help optimize incident response process to accelerate the mitigation with playbook automation and incident response and also looking for the adjacent MDR service to help them essentially lend a helping hand to augment the security team. And another thing I also see is OT Security. OT traditionally has been lagging behind because they have legacy operating systems.

And almost those kind of systems, you touch it, it breaks. So they are really concerned about not doing something too intrusive. So looking for a solution that can safeguard those systems while maintaining business continuity because in the OT world, you have to make sure the system availability is extremely high, but we also know the adversaries are targeting them, knowing the systems are ancient. So this is another very important use case for a combined solution that have prevention and detection response. And next, I am going to invite Roy to join me.

And Roy will talk to you about FortiEDR, he will give you a product overview and his vision of building this wonderful solution and what's new, very exciting new feature coming up in 5.0. Take it away, Roy.

Speaker 11

Thank you, Taneli. So on the FortiEDR product overview. First, a recap of the product end to end, including version 5. As a reminder, the product is split into 2 main areas, the pre infection, pre execution, where we have 2 segments there. The first one is the discovery and attack surface reduction, which allows us to discover applications, IoTs and rogue devices, enrich them with vulnerabilities, best practices and rating and allow to reduce the attack surface according to the best practices of the organization, namely the ability to filter vulnerabilities and restrict the access to applications or devices that have extended vulnerabilities that do not comply with the current policy.

On the prevention side, our machine learning AV has now extended to also include the FortiGuard threat intelligence, web filtering. We have a sandbox with 2 clicks integration, so you can actually integrate sandbox into the process. So new files that are being introduced and downloaded from the Internet, for example, could be vetted within a sandbox and we support a cloud one and an on-premises one. And we added a host firewall and so you can actually restrict down the by applications, by networks, by domains and so on. On the post infection side of the house, we basically separated into the detection where our detection is spiced with code tracing.

So we do have the smoking gun, those memory infections, those beacons that are going and extracting in memory. And we correlate all the activities together while holding all the forensics, all the execution related stacks together, so you can have the smoking gun and, of course, the very surgical remediation that is associated to this. All of that is done with a very tight classification. So we can take later on a very pre canned incident response. But it's not just a matter of auditing.

And of course, we introduced a very in-depth forensics within the new threat hunting that was added in version 5 and we'll talk more about it. It's also about protection. So we talked about prevention and attack surface reduction in the pre infection, but in the post infection, we are the only vendor that can stop malicious connections or file tampering in real time even though compromised. So we never assume that we are being deployed in a new and fresh environment, and we understand that there might be already infection. And therefore, we allow to defuse those and create and micro containment and buying time for the team not to have the consequences of an attack.

When it comes to response, so it's very understood right now that we'll do our best to reduce the attack surface, prevent what we know, defuse what was already in while auditing very extendably. But if we are already infected, we obviously need to introduce also a respond and investigation that allows us a better automation and orchestration around the different tools and version 5 holds in store an extended ability to activate according to the classification, different tools according to the different according to the context of the attack. And when it comes to remediation, so in the same way of the response, we also allow us to clean and roll back even in cases of ransomware, we have a patent that allows us to do that and roll back in real time when we discover that there is a ransomware that is activated in action. But as long with that, we can have a full remediation, including isolation, including IoT with an extended response to a NAC or socialized ITs to the firewall, sending emails, opening tickets and all of those are pre canned recipes that we allow to utilize. When it comes to what's new in Version 5, we separated it to 3 main areas.

The first one, we need to support more and the breadth of platform coverage is a key to our success with not leaving any version behind. And so far we supported the Windows from the XP service pack 2 and all the way to the newest and all the Mac OS and Linux flavors that are more associated with the Red Hat, CentOS, Fedora and Ubuntu. Moving forward, we removed the kernel dependency that we had before and that's in order to support the Big Sur or macOS 11 that was released late last year in 2020 and basically pushed out kernel vendors to the user space. And by doing so, by that support, we actually expanded our Linux outreach to be enabled to have an application based solution. So now we can support more operating system even though we do not have the kernel extension for those with a full functionality and parity with what we had before and added more also, a platform as a service and infrastructure as a service related distribution as Oracle Linux and the AMI, the Amazon Machine Interface.

Within this, the coverage, we introduced the fabric telemetry analytics of the extended fabric, so we can actually digest our own fabric insights into the EDR platform in an XDR fashion, enrich those and again respond in an extended way. From a security efficacy, along with the asset control, discovery and control and the pre and post infection we discussed before. We added the CPRL, the intelligence of UniGUARD into all of our platform, which means the machine learning based AVs now can actually have an enriched intelligence to it, which added us a web filtering or the idea to block requests that are going into known malicious or suspicious host IPs or domains and we added a host firewall that allows the user to basically control applications, domains and network related just like any personal firewall, all controlled through a single pane of glass. And from a SOC efficiency, along with the code tracing forensic that is unique to us to have the smoking gun and the fabric powered IR recipes or playbooks as we described before, we added a behavior based threat hunting. And the idea behind that was not to just look at an audit in its very native uncorrelated fashion, but to actually take the log as they're coming in from the endpoint and as I mentioned before, could be from an extended resource, correlate them together and try to identify behaviors within raw logs.

Along with those lines, we added to those behaviors also the MITRE tag. So you can now go into record and click and find what kind of MITRE technique are they associated with and we added a 3rd party integration to our fabric part playbook. So it's not only fabric on the response, but you can orchestrate beyond the fabric and activate other firewalls, other mails and other services within our pre canned recipes. A little overview about our new extended behavior based threat hunting. So as many other EDR, we are collecting a lot of data and a lot of activities.

We separated the activity into process related, file related, network related, registry related and also event logs. So which could be the raw logs that's coming as a feed or raw logs as exist on the host. So again, there is no need to jump from a host back to the system, the system control the host and allows us in many ways. You can get any file from the threat hunting. You can view any running process in the current, in the past and filter those through.

But the one of the nicest features that we did here are the facets or the ability to actually have the heuristics and machine learning on top of the raw data that is called activity in order to identify behaviors that are already within the data or within the benign data that we assume that it's benign. And I will give an example here. The behaviors, for example, as you can see in this example, could be any kind of behavior that could be associated with benign, but also known to be a technique or a known attack flow and we try to flag that for the user, so the user won't need to look at millions or hundreds of millions of roll up data, but actually look at it in a correlated fashion of behavior, for example, lateral movement, command and control, privilege escalation, first use of a protocol, executions, log deletions and so on and so forth. And if you're going just to understand any SOC engineer that has a suspicious of, for example, a very common use case, do we have lateral movement benign or not? Do we have those or not within a code, within our environment?

You can now actually go in, filter out by lateral movement, by behavior, which we already flagged that exist within the data that you're currently filtering. See the MITRE technique that is associated with it. So we've completely guided a workflow that we created here and of course, get the data and try to validate whether this specific behavior that we're looking at, which is a very small portion of the entire raw data, is something that we are familiar with within the organization or not? And so we can actually start and initiate an investigation according to that beginning of a needle of the big haystack of all the raw data that is collected within threat hunting. As I mentioned before, FortiEDR Fabric integration was extended to also 3rd party.

So within our pre-canned playbooks you can find within the FortiGate, FortiNAC, FortiSandbox, of course, FortiSIEM sending through a Syslog and FortiSOAR recipes. You can also integrate 3rd parties as other firewalls, Active Directory, other mail providers and other log collectors. And all of those, of course, allows us to respond faster and in a scalable way across the board. A little bit about the ordering guide and just a few things to know and I'll go quickly through a Q and A on this. The biggest changes that we introduced, we are selling in packs.

The packs are 25,500. We added a new pack group 2,000 and a 10,000 seats. EDR has an MOQ. All the different SKUs that I just mentioned under the different packs bundled with a 500 seat MOQ besides a single all in 1 MDR blended and product that can allow 100 seats and best practices. To choose the best FortiEDR bundle for a customer, it is always something that you need to fill the budget of the customer, the need of the customer, of course, according to the RFP and RFQ in the competitors, we put a very detailed comparison between the different vendors that we can share and so you know what you're looking for, you know where is your budget and I'm sure we can find the best bundle with the product from day 1.

And so it's an alternative to a jump start, but the idea is that when we leave the customer side, the customer is deployed, tuned and ready to go in the best security posture that we can have. And now we extended our MDR services, I mentioned a little bit about XDR. We introduced a managed XDR from day 0 to help our customers to integrate our fabric together and take an extended response and triage across the different products. And of course, we have MSSPs and there are plans for MSSPs across the board that allows us to get closer to customers and go under the MOQ for customers who need that services and those partners are certified within the Fabric and Fortinet Certification made NSE. Back to you, Tarin.

Speaker 10

Thank you. It's really exciting to see what's coming up in 5.0 and all this integration that your team has been busy putting together. And then next, I am going to talk to you about customer success and third party testing essentially give you some validation because by now you've been thinking this solution looks great. It's approved. So I want to share this story with you. This is one of my favorite story because we talk a lot about early adopter that typically will start with EPP and separate EDR and move on to an endpoint security consolidation.

This is one of the such case. But one thing I like about this even more is because there's a sequel to it, so wait for it. So this customer is a well known Power Tool Manufacturing is one of the Fortune 500 manufacturer of industrial tools and household hardware. And the challenge is the CISO basic come to us and told us they're using 3 vendors. They start with a traditional endpoint.

And then he knows that prevention is not enough. It's going to be and he also is aware of it. File based detection is not enough. So he also acquired a EDR solution, what I personally call it a 1st generation EDR solution to augment. And knowing that the 1st generation EDR solution is operating under the assumption that endpoint will get compromised and as a result, it's hypervigilant, churning out a lot of alert and potentially some of them are false positive.

So he knows for his small team, they are not able to triage all this barrage of alerts. So he hired a third party company, a managed security vendor to handle MDR service and that essentially is outsourced SOC. And this outsourced SOC has a SLA of 72 hours, which is not ideal, and he recognized that. So he is on a mission to look for a consolidated solution because as you have seen, most of the enterprise is on the path to consolidate as much as possible because when the systems are consolidated, especially our endpoint security, it just works so much better. And his requirement is vendor consolidation.

And he also want to work with a solution that has its own MDR service because when your EDR solution has its own MDR service, essentially, you have your own team using the tool and this team is going the MDR team is going to demand the engineering to make sure the system and the solution designed is efficient to use by the security operations team. So that's his requirement. So when he reached out to you for the EDR back then that was in silo, these are his requirement. And he was very clear. He believed his company has a good security posture because all of this process he put in place.

His goal is to find a solution that can help him with consolidation while providing service and the efficacy should be equal to what he had. So that is his benchmark. And when we put in for the EDR as a POC, right away, the team discovered there is a malware. It's a crypto mining malware that is running in, I believe, over 10,000 of endpoint is basically moving around his environment unimpeded. And you can imagine the CISO, he's dismayed.

He was very upset and he went and talked to the EPP. He's like, hey, this is a malware. This is a file based. This is pretty trivial. You guys should be able to block it.

The EPP vendor essentially just apologized and say, hey, you know we're not perfect. That's why you bought an EDR solution. Go talk to them. And he went and talked to this 1st generation EDR vendor. And the EDR vendor essentially pulled all the log and say, we detected it along with 14,000 other alerts that we just fired in the past 24 hours, but nonetheless, we detected it.

And if you are any CISO, whenever you hear things, this is an absolute nightmare because the problem is you have so many products that's firing alert and finding the relevant alert that's actually associated with real threat is so difficult. Then that's why he has the outsourced SOC. So the MDR vendor is like, hey, we filed the alert. You hired somebody to triage it. Go talk to them.

So he went and talked to the MDR vendor, and the MDR vendor reminded him, he's like, hey, our SLA is 72 hours. And as you have seen a lot, there's over 10,000 lots like a 15,000 or 14,000. We are working our way through and that's what you hired us for. And this threat that FortiEDR has discovered, it's less than 24 hours. So we have 2 more days.

And the trusses, by then, it is not FortiEDR. We would triage it, block it and life goes on. So needless to say, that wasn't a very good answer.

And as a result, this manufacturer has been our customer for a couple of years by now. And the idea is he reduce the risk exposure having a combined solution and having a solution that essentially can self protect. Whenever we discovered a threat, it can automatically isolate the process specifically on the malicious action. So essentially, laser focus on the malicious action and pause the attack. And also it's a single agent, so the machine learning is learning from the subsequent detection function, as Roy has mentioned earlier, and also we have better SLA because of MDR service.

And the SLA is within 24 hours, all the alerts are triaged. And another thing is, I can tell you, our MDR team is darn demanding. And our customer also benefit from that. And I mentioned this story has a sequel.

So as you remember, at the end of last year, there was a SolarWinds hack that got a lot of coverage. And essentially, I believe about the assessment is about 18,000 SolarWinds customer was infected. And this attack, this operation is highly manual. So once the customer are infected, essentially, there's a backdoor and this beacon out. And this allegedly, the nation state attackers then basically pick and choose which company they want to attack. So there's a twofold. The first onefold is customer that has SolarWinds Orion product are really concerned because they have a backdoor and that potentially make them vulnerable. Even if this nation the attacker doesn't utilize it because they are not their priority. Other attackers can take the advantage and be opportunistic.

The other thought is they are not sure if they are the target. And so the action what we have taken is this is right before Christmas. And as soon as the news broke, one thing our team has done is our MDR team started research and work with the engineering team to analyze the security incident, identify the IOCs based on the disclosure and start searching across our entire environment and notify all of our customers if they have this, what I call, poisoned DLL. Essentially, that is a backdoor. And we then work with the customer to determine are there subsequent level of compromise.

Is there because we know the attackers their method and techniques. So beyond this DLL, this backdoor, are there any subsequent indicator of attack happening. So we work with our customer to identify the compromise, and we also develop tool to quickly helping the non MDR customer to determine if they have a backdoor, if there's a subsequent compromise. And for the customer I mentioned earlier, we get on the phone, they were really concerned. They were using SolarWinds.

So we get on the phone, identify and reassure them how our solution can protect the subsequent payload and help them ensure that we will continue monitoring for additional indicator of attack and also provide the guidance to the security team to close out the backdoor. So the result is we are using so any time this is part of our threat research team. Any time when we identify a potential threat will identify an alert and later confirm it is an attack. 1 customer will use that knowledge addition to threat hunt across the entire environment and benefit all of our customer. We use that we have identified some early strain of ransomware attack and we have helped several customers to identify early stage attack when And the 3rd party testing.

So we are participating in AV-Comparatives and AV-Comparatives is an ongoing test. So essentially, we submit the product twice a year and the product, it sits in their lab and they does continuous test. And AV-Comparatives has been upgrading their testing tools by in the past, they have a malware test, they have a real world test and now they have enhanced real world test. So we are participating in all these tests.

And you can see not all vendors that claim to have EDR capability are participating in this. And for now, you can see that we are working with them, and you can see we have very high detection rate and very low false positive, and these are important. And again, as you have known, with Ornette, we are committed to get 3rd party test because a lot of time, our competitors or you may encounter vendors that come to talk to you about all these things, they need to prove it. And this is our way to continuously testing it to improve our product and also prove it. And watch this space, we are also participating in MITRE ATT&CK test.

And there is a new MITRE test that include the protection testing. And this one, I'm especially interested because the prior reminder is all about detection and telemetry, but as you know, you can fire 14,000 alert. And if you don't have an accurate way to block it, it doesn't help many of the customers. So MITRE, we are very glad to see MITRE has a new protection test and we have participated in it. So three key takeaway.

You have listened to Roy talking to you about 5.0, all these new features, and I'm going to net it out for you. So we are continuing and we are committed to have a broad security coverage across Windows, Mac, Linux and we'll continue to protect legacy and we also will have the user discovery capability to discover IoTs and other devices that you cannot. Why? We want you because you are only as strong as your weakness. So we want to make sure we have a broad security coverage, so there's no hole in your coverage, and we give you the visibility you need to cover your security. Then the next one is efficacy. So this is I have always talked about having visibility alone without action is just going to induce anxiety.

So this can mean preemptive virtual patching when we discover vulnerability. This also means when we discover potentially malicious activity, we can shut down that activity, essentially defuse the attack and pause the attack. So your team can take the time to investigate and we can also help you with our AI powered investigation engine to surface the important event that your team needs to look at. Then the last one is all that is going to fuel into a more efficient SOC.

Essentially, it's going to make your security team more satisfied at work. The mundane work can be automated and have a real time response. So in case they are taking a break or they have to go home or take care of personal business, knowing that if there is a threat, we can pause it and buy them. And we also have MDR service to help you to augment the existing team.

And moving forward, we are adding behavior based threat hunting to allow the SOC team to do more proactive threat hunting. And because now they have the automation to take care of the mounting, borrowing things and now they can do things that's interesting and higher value like of practice threat hunting. And also with XDR, the fabric integration, now we have extended fabric response and also XDR. So there are the resources.

For public resources, I will recommend you to go to the FortiEDR page in click on resource, we have multiple recorded webinar. 1, I personally really recommend is if you have ransomware anxiety. There is a ransomware webinar. In that one, I talked about ransomware preparation, taking you through all the stage of how to prepare against ransomware, just as simple as having a discussion. If this happened, do you want to pay ransom and give you tips on how to ensure your backup and recovery is ready enough. So the discussion is beyond endpoint protection. And then for partner folks out there, we also have partner resources. So go head over to the partner portal. And I have mentioned that we are expanding our coverage to the entire security fabric, starting with endpoint detection with extended and we just launched XDR.

And XDR means extended detection, AI powered investigation and extended response. So it's fully automatable across the security fabric and there is a session on XDR. So I highly recommend you to check it out. And that's all the time I have. Thank you very much for taking the time to listen to this session.

My name is Sailing Maurer, and thanks to Roy to share the road map with us. Have a great rest of your day.

Speaker 12

Hello. Welcome to this Accelerate breakout session focused on leveraging SandBox and virtual security analysts to empower organizations to tackle the volume, my name is Damian Lim, part of the Fortinet product marketing team focused on our breach protection solution and products. And joining me is Brian, a Fortinet veteran and product manager for FortiSandbox and Jack Chan, another veteran at Fortinet, who is the product manager for FortiAI. To provide context, FortiSandbox and FortiAI is part of the breach protection solution that is under of our AI driven security operations and is part of the overall security fabric. In today's agenda, we'll cover cybersecurity challenges and the solution approaches.

And one of such solution is the use of sandboxing for 0 day threat protection and the other is the concept of virtual security analysts to aid the investigation of these threats. We'll then dwell into the FortiSandbox and FortiAI unique capabilities and the validation of these solutions and then wrap it up with a recap and next steps. For now, let's focus our discussion on how an organization can evolve their security To deal with the challenges that cyber attackers pose, most organizations adopt a security framework to plan their information security strategy. One such example is to leverage the 7 stages found in the Lockheed Martin Cyber Kill Chain as the context to help provide guidance. Foundationally, a security operations team should have a good baseline in securing all threat vectors as a method to protect against delivery of unknown and 0 day attacks.

And the next evolution of security ops maturity. And finally, organizations should consider adopting sophisticated AI such as the virtual security analyst that can serve to automate the cumbersome task of investigating the many, many threats and really help with the objective To keep up with the evolving threat landscape, organizations must grow beyond securing against known threats. By blocking 0 day threats and then later progressing through the other kill chain stages as a result of threat investigation. A 0 day threat is a piece of malware that embeds an exploit designed to bypass underlying security controls, increasing the success of that particular attack. An example of a sophisticated ransomware with its ability to self propagate throughout the network would be WannaCry, at least that's something that comes to my mind.

Now it really gained its infamy due to the ability to infect entire networks by exploiting a Microsoft SMB vulnerability and was able to cripple quite a number of businesses. Worse yet, there are many variants created subsequently, including the NotPetya variant and other forms of malware. Now this led to the challenge for most security operations to investigate those volumes of threat alerts that has traditionally been manual and time consuming, especially when looking for patient 0 and underinfected systems for mitigation. To solve these challenges, we'll take a look at these breach protection technology use cases To block 0 day threats delivered to organizations, sandboxing is a critical component of their defenses. FortiSandbox is designed to analyze and assess for 0 day threats and generate indicators of compromise in order to reduce risk by sharing the latest 0 day threat intelligence with existing security controls to protect against known threats.

Likewise, a security analyst is instrumental in investigating the delivery of those types of threats and then throughout the different stages for an MKO chain, ending with the actions on objectives. Now due to the shortage of experienced staff seen in many organizations, FortiAI with its deep learning can help supplement security operations with a virtual security analyst to dynamically classify the malware and its lifecycle, including the identification of Patient 0. Now this greatly benefits security operations with increased efficiency of the threat, lifecycle response and solving the operation skill issue. All of these solutions can be applied to an OT environment as FortiAI and FortiSandbox passively monitor for targeted attacks aimed at ICS and SCADA systems, thereby reducing the risk of OT based threats. Our AI driven breach protection solution consisting of FortiSandbox and FortiAI will help transform an organization's security posture by providing them powerful security that takes security ops to the next level of that maturity through the use of AI powered security technologies that enables them to secure business continuity against sophisticated evolving malware.

While implementing powerful security is an important endeavor, that security needs to be applied to both IT and OT segments for holistic approach to defense, and this helps security ops close off any gaps and secure the dynamic attack surface. Now lastly, organizations can reap the benefits of SOC automation through the integration of our breach protection solution with any existing security controls, we have a Fortinet security fabric. Now this provides security operations the ability to scale and increase. And with that, let me turn it over to Jack and Brian.

Speaker 13

Hi, guys. This is Jack from the FortiClient product management team. I'm representing Brian today also, our FortiSandbox Pierre, and I'm going to present both FortiSandbox and FortiAI to you. Let me start with FortiSandbox. FortiSandbox is a well proven technology for almost a decade now to be designed to detect 0 day exploits driven attacks.

What makes FortiSandbox unique is its addition to analyze both IT and OT targeted malware in a safe virtual environment. In that virtual environment, it mimics the endpoint desktop and simulates OT services to discover the true intentions of objects. For example, a Word document that has the ability to download Trojan or ransomware, a PDF opening a port to communicate with Modbus. The result of analysis are put together in a comprehensive report that includes the indicator of compromise, of the IOCs and MITRE ATT&CK mapping. Also for the SandBoxes machine learning, 2 in fact.

One is to build in static analysis and the other into dynamic analysis to accelerate the discovery of unknown malware and improve detection. Lastly, the real secret of Fortisembles Live is its ability to share 0 day threat intelligence in real time with a few things. 1st, the FortiGate to block the threats in the network and any lateral movement as part of the threat response. Other and third party of security solutions to enforce 0 day threat protection for email, endpoints, applications and many more. SandBox community to share benefits from threats found by other SandBox devices as well.

Because of its proven 0 day detection capability, wide array of features and broad integration, SandBox has been helping to automate breach protection across the entire Apex service. And now let me step into FortiAI. Here are some infographics to show the strength for FortiAI. With a high detection rate, Fortinet can detect threats and provide verdict in sub second, is suitable for high performance demanding environments such as ISP, like enterprises, managed service provider, where you will need line rate throughput, where FortiAI VSA, the virtual security analyst, is trained in the cloud and is exposed to 200,000,000,000 plus features and we take the highest quality around 6,000,000 features into the on prem hardware and VM solution. One of the biggest differentiator of FortiAI is the use of artificial neural networks, so that does not require to run the file itself for malware discovery.

Instead, it breaks the file down into thousands of features to go through the neural networks for analysis and provide the verdict. Virtual Security Analyst itself can link and correlate infections and find the root cause of infection, such as worm based attacks and looks for malware outbreak as well as its variants. Combined with on prem learning, where FortiAI will learn from customers traffic, the goal here is to reduce the false positive and increase the catch rate further. It can identify what we call an attack scenario where FortiAI based on the feature analysis will reveal the true intention of the malware. Whether this is an info stealing trojan, banking trojan, coin miner, ransomware and so forth.

Basically, this is your personal malware analyst. In terms of fabric integration, FortiAI will integrate with FortiGate for submissions. It has fixed and JSON output and also support third party ICAP clients. And also the latest, we've added a FortiSOAR connector where you can submit files to FortiAI from FortiSOAR. Let me share with you what's coming in the year for 2021 for both FortiSandbox and FortiAI.

What you see in the gray boxes are the existing features or coverage for the products. The aqua color boxes are what's coming in 2021. Like all roadmaps disclaimer applies here, roadmaps do change and prioritize often and it will be good for everyone to understand AI driven ops direction for today. Let's take a look with FortiSandbox first. While FortiSandbox is designed to identify serial data with static and dynamic analysis, the SandBox team's plans to introduce co emulation to emulate executable files behavior.

This will be done after the pre scan and at the same time with the VM execution. Adaptive Scan with FortiSandbox is about dynamically allocating resources like Windows VM and Office instances to adapt the file types to be scanned. For example, you might have more office files at a particular time, so you don't need as much Windows VM. FortiSandbox will dynamically adjust the clones and resources to scan, hence making it more efficient. With FortiAI, the main focus for this year will be on network traffic analysis.

Some people call this network behavior analytics, which is to identify anomalies traditionally next gen firewall or IPS alone cannot pick up. This puts FortiAI on par with other vendors like Darktrace or Network traffic analysis, NTA, will be released as a function under virtual security analyst around Q2, Q3. Basically, your virtual security analyst will help you identify the anomalies. In terms of broad coverage, the 2 solutions already cover a wide range of verticals such as OT, MSP, government, etcetera. And FortiAI will have plans to move to public cloud space starting with AWS.

The last piece of the roadmap on the right hand side is the fabric integration. This has always been the strength with Fortinet, allowing more customers to enjoy automation and integration within our own solution. One area is the FortiSandbox customer management. We are discussing FortiAI and FortiSandbox integration as well, taking leverage in the strength of both and the traditional logging and SIEM integration with FortiAI. And more excitingly, we are looking also to do FortiGate and FortiGate inline blocking because to utilize the speed and the sub second detection with FortiAI.

So now let's take a look at some of the ordering guide. So this guide on the screen here, you can see the different offerings and main features. There are 2 main offerings for FortiSandbox, which is cloud based, that is SaaS, PaaS, public and private cloud and also the CapEx. Each offering will have different capabilities. So the easiest way to buy is based on the number of files.

We refer this as the file throughput, which range from 100 to several 1000. In any case, you may not have a way to calculate or estimate your files throughput and you can buy based on number of users. Lastly, if you need more capacity, FortiSandbox natively support clustering up to 140 SandBox node, which means 2 nodes will have double the capacity and 10 nodes will be 10x. This guide will be published very soon. With FortiAI, the ordering is actually much simpler.

The easiest way to buy is similar to SandBoxes based on files per hour and you have to decide whether you're choosing a hardware or VM. So with hardware offering, we have a FortiAI 3500F with the GPU. The GPU pretty much worked like ASICs on FortiGate and makes the file scanning much faster with the neural networks acceleration and VMs are roughly 25% of the hardware power. You would also like to ask yourself what fabric integrations require. So as we mentioned before, FortiSandbox is a very mature product with lots of fabric product integration.

At the moment, FortiGate file submission via OFTP, FortiWeb via ICAP and also FortiML, etcetera, are also in pending in the pipeline. And what if my customers' MSP? So FortiAI has been designed with the MSP in mind. So when you look at logs, reports, etcetera, you can actually filter on the VDOM, devices, etcetera, which is k for MSD. And if you're thinking about ordering for the AI hardware with the GPUs, think about whether you need extra SSDs.

As I've shown the product picture here, you can add multiple SSDs to mainly increase the log retention. Lastly, let me touch on the different FortiGuard services, the flexible offering and the assistance from our solutions, a range of services to ensure the success in the products. So first, everyone understands FortiGuard's provide the dynamic updates, the signatures, the lookups, the neural networks updates, so that we keep the security updates at our pace and let the customers focus on their main goals. And of course, all the FortiGuard blocks on the malware research, like the latest SolarWinds attack, for example. And in the middle here, we've got security on demand.

Basically, we've talked about the different flexible offering that FortiSandbox offer, whether you want as a cloud service for lower end FortiGate or whether you want to have a dedicated VM environment of your own, we call it platform as a service or different public cloud or private cloud installments. And of course, the reliable assistance from our tech centers, from our partners and Fortinet Professional Services. And you will see to more RMA options for both of the products. And lastly on the resources, apart from what you can find on our websites, the demo centers, white papers, etcetera, we've touched on some of the release schedule here. Timing might change, but we're roughly looking at FortiSandbox version 4 to be released around Q2 2021, FortiAI with 2 versions this year, with 1.5 planning at around March, April time and then the NTA, the big sort of thing, next thing coming out for FortiAI will be around Q2 and Q3 2021.

And don't forget, if you log on the partner website, you have a range of partner resource to help you with both solutions. So now let me hand over back to Damian to talk about the customer success stories.

Speaker 12

Thank you, Jack.

Speaker 1

Now let's take

Speaker 12

a look at the customer and third party testimonials associated with these solutions. For the first customer success story related to FortiAI, let's take a look at the Identity and Citizenship Authority, which is a federal entity that provides identity services for their large population and they are tasked with centrally authenticating these different IDs, if you will, with the various government services provided. For example, validating the ID of an air traveler during the purchase of an air ticket or when they are boarding a plane and for private businesses such as authorizing of bank transactions. Now this particular customer embarked on a project to protect their networks and services against state sponsored attacks as well as looking for a suitable security solution for the air gap environment that they are building. In the first use case, this involves that notion of self defending networks and web services and can be achieved with FortiAI's ability to apply self learning to sub second threat response for sophisticated and continuously evolving threats.

And with the FortiAI self learning ability, they're able to leverage a security solution that continues to evolve as it inspects for threats in their private internal networks that is completely air gapped. And then in terms of deployment, FortiAI specifically was integrated with FortiGate and FortiWeb through the ICAP protocol. So why did they choose Fortinet? Well, FortiAI's detection, investigation, response performance, they were able to leverage that to save on CapEx spending on adding more malware detection addition on the existing solution as well as realizing savings on the OpEx side in terms of hiring even more staff, if you will, to manage that ever growing solution. And due to FortiAI's sub second analysis, FortiAI was able to whip through the large volume of uploaded materials even faster, and this led to the increase in customer satisfaction score for the ID services that they provided.

And lastly, as a government entity, they are subjected to different audits and to ensure they meet all these different regulations for what they provide, FortiAI not only meets, but exceeds, right, all these different requirements, thus, they are assured on the cybersecurity business impact and penalties. For FortiSandbox customers, many are adamant with the various benefits it brings to the use cases such as complementing edition. It with the next generation firewalls or secure email gateways as seen in this particular Gartner Insight example. This and many more can be found at the Gartner Peer Insights page that collects FortiSandbox reviews by various industry peers. Also, there are a number of published customer case studies available on fortinet.com, including the example here as a quote from National Benefit Services that simply state the fact that FortiSandbox efficacy by catching 16 unknown malware the moment it was deployed.

Furthermore, FortiSandbox efficacy and TCO by reputable third party test vendors such as NSS Labs that recommends FortiSandbox in the breach detection test and separately in the breach prevention test. Lastly, ICSA Labs, the testing arm of Verizon and joins NSS Labs with the certification of FortiSandbox in its advanced threat detection test. On a side note, FortiAI capabilities are unique in the market today, and we are actively exploring a collaboration with third party test vendors, so stay tuned. With that, let me provide a quick recap and next steps. Fortinet is driving towards a breach protection solution that provides powerful security by enhancing malware detection engines with machine learning and improving it further with new emulation engine that improves efficacy even further and improved ransomware detection and adaptive scan to push that performance of sandboxing much, much, much higher.

And also deep learning is the key for the future of cybersecurity. And by applying it in the form of a virtual security analyst found in FortiAI. It has the ability to investigate threats like their human counterparts, but in sub second and expanding those deep learning capabilities further is to investigate anomalies found in the network covered such as the network traffic analysis functionality. And all of these improvements elevate an organization's existing security posture and reduces the business disruption due to the sophistication, scale and volume of threats. Besides that, our Breach Protection solution can be applied to the IT segment of an organization to protect attacks aimed at Windows, Mac, of Linux and Android devices, but also in the OT segment, including ICS, SCADA, used in verticals such as manufacturing and utilities.

Now besides the devices themselves, our solution supports a multitude of applications such as Office, PDF, HTML, Java and many more, including services such as SMB as well. Now all of this helps security operations close out the gaps with the comprehensive coverage of the dynamic attack surface. Lastly, our Breach Protection solution enables an organization to build automated defenses with security fabric. This is highlighted with the deeper interoperability with Fortinet's portfolio. Example FortiSandbox native integration with FortiGate, FortiMail, FortiClient or FortiAS inline blocking with FortiGate and also support of 3rd party security solutions through REST API, ICAP protocol support and STIX.

All of this combined really helps with automating the threat protection, thereby driving better efficiencies within the SOC processes and allows security operations to scale even further. For the next steps, I encourage you to take a look at the FortiSandbox or FortiAI on fortinet.com, where you'll find data sheet and other pertinent information regarding these different solutions. Now if you like to sign up for training, you can do so via the NSE training, where we offer a number of modules from the NSE 2 to Level 7 covering these different topics or you could also participate in an upcoming fast track session on FortiSandbox, where you have the opportunity to speak to an expert and experience a hands on training. Keep in mind, FortiAI is coming really soon to Fast Track. And lastly, if you are interested in the other technologies I mentioned earlier, including Deception to evolve your security operations,

Speaker 14

Hi, everyone. Thank you for joining us today. This session is around how you can rapidly respond with FortiSOAR. I'm Max Zweimer from the product marketing team. And today, I'm joined by Ling Lu, so I'm sure that throughout sessions, you've seen this in one way or another.

And so before we dig in, I just would like to touch on the Fortinet Security Fabric and how it provides visibility and protection to better manage risk while being integrated with our single fabric management center. And our focus now is automation, which is leveraging our AI driven security pillar for fast and efficient operations. And this is the pillar that FortiSOAR falls under and supports the extended efforts. FortiSOAR has done extremely well in supporting mature SOC teams to rapidly respond while optimizing their SOC as being part of the fabric that differentiates us from SOAR only solutions on the market. And with our agenda, it's pretty straightforward.

We're going to discuss me personally, walk you through some of the cybersecurity challenges and solutions and a little bit of an intro to Fortisor and then Ling is going to dive into further detail on the product, its innovations and what's new. And from there, I'm going to touch into some customer stories and summarize a little bit of what we discussed about today. According to Gartner, SOCs are now ever increasing numbers, shifting investments, resources and time from threat prevention to threat detection and proactive response. They also state organizations are dealing with increasingly aggressive threats where rapid response, only minutes at best, is required. This forces organizations to reduce the time to respond, typically by delegating more tasks to machines.

So what are the complexities that some of you might be very familiar with that are causing organizations and SOCs to shift to a proactive response and to delegate more tasks to machines. Well, the first one starts with too many vendors. And this is because a lot of products do not coordinate or integrate well with each other and that creates this difficulty because it adds further context switching during, for example, an investigation or just to identify what tasks an analyst has to complete on that given day, ultimately reducing the visibility and creating a fragmented scenario. What further ties to this shift is the overwhelming amount of alerts that are coming in and how you deal with them. This directly develops alert fatigue.

We know they're time consuming and it creates opportunity to further miss alerts that might have had that common link and other developments. In particularly, when you're trying to identify the severity of an alert and how critical it might be or not critical might be creating an additional posed risk of missing a key alert. The next complexity that helps push these SOCs to shift to this research that Gartner has done or the fact is there are too many manual and slow response processes. And these repetitive and manual actions across those siloed tools takes too much precious analyst time and sometimes it can take days to understand incidents and investigate threats, which impede and slow down your overall response, adding to the time and length of investigation as well as the amount of time you spend sifting through those endless alerts at the start of a potential investigation. And then this last complexity, the cybersecurity talent shortage.

When you come back, compound or blend the first three complexities we just discussed, teams are often understaffed with an enormous task to face, turning a challenging situation to a more difficult one when you maxed out the working capacity of the talent you currently have. So these are the factors that are contributing to these shifts of resources and focuses that Gartner is stating. We want to at Fortinet simplify your security operations by helping you choose an offering aligned to your SOC maturity and Fortinet offers a range of components that improve the operational efficiency of security teams of all sizes and maturity levels with 4 unique yet integrated offerings. And it starts with the Fortinet Security Fabric customers who are all encouraged to establish their foundation with FortiAnalyzer's analytics and automation. Building on that foundation in this framework as organizations have this continuous concern about the cyber threat landscape and have limited security staff as we previously discussed, skills and processes are also impacted in this.

FortiXDR enables this automated incident detection, investigation, response across the security fabric as well. And as an organization or a team might become slightly more mature for organizations who have perhaps a more diverse security environment. FortiSIEM adds this multi vendor visibility and analytics. And then at the peak of that is FortiSOAR. And so while organizations with mature SOCs, sizable security stacks and well defined security processes can utilize FortiSOAR to rapidly respond while improving efficiencies with advanced orchestration automation across our multi vendor environments.

They're enabled and at the peak of our framework. And this is truly designed to help customers, as we mentioned, at each stage of their maturity identify what product it's ideal for them at the current stage they're within. And so with that, we want to point out some of the key fundamental focus areas, in particular for 2021 that FortiSOAR has, and it starts first with the rapid response. We enable organizations to accelerate their response and coordination through comprehensive case management, orchestration, automation and cross collaboration, which supports teams that need a force multiplier, which is critical. The second key focus that we have is SOC Automation.

Over the last year, we have structured the products I just discussed in our portfolio to meet SOC teams at every level of their maturity and FortiSOAR serving as the peak of that framework, meeting enterprise teams that require full orchestration and automation of security processes across multi vendor environments. And this is because FortiSOAR is a diagnostic offering. And lastly, one of our last key focus area, our cloud services. And this is essentially to help streamline deployment, management and onboarding with best practices. So FortiSOAR in the cloud will enable enterprise customers who want to move their SOC from on prem to the cloud where enterprises would no longer have to worry about managing, evolving infrastructures well supported by our best practice services, allowing for flexible deployments and seamless configuration.

And these best practice services are going to be our FortiSOAR experts that are going to really help jumpstart that configuration as you deploy. I want to take a moment to touch on fundamental use cases that FortiSOAR has. And when you take a look at the Unified Incident Management use case, it's designed to streamline and centralize visibility and control, which battles our product fragmentation SOC teams faced, which we discussed earlier, enabling teams to utilize existing security tools and increase their efficiency. The second use case is alert triage automation. Through FortiSOAR, alerts are automatically prioritized, assigned, correlated with other alerts, while providing recommended actions to the analyst. This risk driven prioritization allows teams to focus on the critical threats while removing false positives.

3rd use case would be SOC Optimization and FortiSOAR provides jump start out of the box use cases, out of the box dashboards and out

Speaker 11

of the box

Speaker 14

reporting, but also retains flexibility and adaptation with all of the above. This allows teams to quickly optimize their overall processes and identify key SOC metrics that enable them to implement automation resulting in the reduction of manual processes. And lastly, our SOC collaboration use case. You can run a multifunction or distributed SOC with FortiSOAR's dynamic team workspace. This is extremely valuable for cross collaboration amongst teams even beyond the SOC.

For example, real time communications during a crisis management scenario is crucial and FortiSOAR allows SOC teams and organizations to have communications with multiple departments such as legal, marketing, key executives and this results in accelerating response coordination, which is incredibly valuable. And now I'm going to pass it over to Ling, who's going to dig further into the FortiSOAR product, its innovations and enhancements and much

Speaker 8

more. Thanks, Max. Security teams are facing increasing challenges such as the skill shortage, manual processes and disparate tools. SOC teams require multiple areas of expertise and are dealing with the multiple consoles such as the SIEM, sandboxes, threat intelligence systems, ticketing systems and so on. The SOC team has too many alerts to monitor, alerts overloading and these all lead to slow response and missed security incidents.

Increasing the chances of a security breach can have severe consequences and break your business. FortiSOAR helps coordinate, execute and automate tasks for security operations, allowing the SOC team to respond quickly to cybersecurity attacks and to improve their overall security posture. Today, it is very successful in large SOC operations such as the banking, government, oil and gas industries. Let's take a look at the Fortinet SOAR solution as it stands today in 3 main areas. The first area is the rapid response.

FortiSOAR today comes with built in capabilities such as alerts, incident management, ticket case management and team collaboration. From managing alerts, triage, incident investigation and escalation to remediation and response, all from a single unified console end to end. This makes life in the SOC so much easier and enables them to respond quickly to security incidents. This platform is designed to allow larger security operations to eliminate alert fatigue and context switching and to optimize their processes to accelerate incident response. The second area is SOC Automation.

FortiSOAR today has more than 350 plus integrations with 3rd party vendors and over 3,000 playbook actions for security orchestration and automation. The out of box content packs provide the SOC team with ready to use incident response playbooks. Playbooks can be customized to streamline complex processes and build consistent incident response workflows to improve SOC productivity and efficiency. The 3rd area is cloud services. FortiSOAR platform as the service today is only available from the public cloud.

In version 7, more cloud service are coming that will be available from FortiCloud. The new FortiSOAR ordering guide makes ordering for sales partners and distributors much easier. The easiest way to buy FortiSOAR for on premise deployment is through a VM subscription bundle. It comes with 2 editions: Enterprise edition for enterprise customers and the multi tenancy edition designed for MSSP customers. The multi tenancy edition has a couple of different deployment options.

The VM subscription bundle is all in one bundle. It contains the product subscription license plus FortiCare Support and FortiCare best practice service. It comes with 2 users by default and user add on license. Sizing license capacity for FortiSOAR is relatively straightforward. You size based on number of users. If a customer needs a cloud based deployment, they should go with the FortiSOAR cloud option, which is coming in Q2 time frame.

For FortiSOAR container on FortiAnalyzer, you need to buy the FortiSOAR enterprise license. There are 3 key areas that we have been working on for the FortiSOAR 7 release. First things first, rapid incident response. FortiSOAR today comes with built in capabilities such as alerts, incidents management, tickets, case management and team collaboration. Now with the version 7, we have added the incident war room.

This allows SOC to easily launch collaborative space to deal with the critical incident or crisis. Various stakeholders and teams across the organization can be summoned together in a very short period of time for quick mitigation and containment. The war room can be set up with just a few clicks from the incident or alert view. It consists of sections such as incident context, investigation arena and impact analysis. The info center holds hot links to various collaboration integrations like the conference bridge, the group chat, the wiki and the hotline to responders.

The FortiSOAR mobile app is available from FortiExplorer. This puts SOC in the palm of your hand and team members can respond to alerts or incidents quickly when they are on the go. There are quite a number of new integrations with the security fabric such as FortiAI, FortiNAC, FortiSandbox, FortiGuard to allow rapid response from analyzing and identifying threats to quarantine devices for remediation within minutes. Upon detection, playbooks are set off to ask fabric devices to take immediate action. I would say that this is one of the FortiSOAR differentiators. It can leverage security fabric for rapid response.

If your customers have security fabric products, tell them about FortiSOAR right now. It is super, super powerful when you know how to leverage these products together. The second key area is SOC Automation. SOAR is all about using orchestration and automation to streamline SOC processes and automate SOC tasks, freeing the SOC team from manual repetitive and mundane tasks, let the machine handle the things it's good at it and let humans focus on more cognitive tasks such as threat hunting and forensic analysis. Today, FortiSOAR has various incident response playbooks to handle different SOC use cases, 350 plus connectors to third party products, out of box content packs that contain various playbooks, the best practices and use cases for our SOC to jump start.

With the 7, FortiSOAR is now available as a container on FortiAnalyzer. Anyone who has FortiAnalyzer can download the FortiSOAR app from Fortinet cloud and have it running on FortiAnalyzer all with a simple click. This automates the install and deployment process and seamlessly integrates with the FortiAnalyzer out of box content packs and playbooks available for SOC to use. Note that FortiAnalyzer VM or FortiAnalyzer high end appliance 3 1000 series and above are required to support FortiSOAR container. For security fabric customers who are looking to establish a SOC or accelerate their existing SOC maturity, this is the most cost effective way to go.

The AI based recommendation engine is available from version 7, pushing intelligent automation to the next level. AI machine learning is leveraged for smart suggestions of large severity, threat type based on pattern similarities and also learning from past human analyst triage results. False positive alerts can be automatically identified and then closed. So human analysts won't waste time looking at them. Another thing we've added is the connector wizard to automate the connector creation process, a customer can quickly build their own custom connectors within minutes and then publish it across platforms.

The third area is cloud services. We've seen growing demand for cloud hosted FortiSOAR. Today, we can set up FortiSOAR in AWS. And with version 7, FortiSOAR Cloud is available for our customers. You can easily spin up a FortiSOAR instance in Fortinet Cloud.

The FortiGuard outbreak alert service is also available for customers FortiSOAR deployed on premise. This service makes all resources such as playbooks and threat intel available to protect customers against malware and against outbreak situation such as the recent sunburst outbreak, the SolarWinds, helping customers to detect and also hunt the threat. To make things even easier for the SOC team, we now have FortiCare best practices service available for FortiSOAR. You don't have to figure out things yourself. No matter if you have new deployment or are upgrading existing systems, this annual subscription service will have Fortinet experts available for consultation to ensure your deployment or upgrade is successful. Finally, I would like to mention there are resources available on FNDN Virtual Tech Expo.

FortiOS 7 will be GA at the end of Q1, FortiAnalyzer 7 and FortiSOAR 7 will come a few weeks later in April. That's all from me today. Max, back to you.

Speaker 14

Thank you, Ling. FortiSOAR has had an amazing year, but how and who are driving that? I'd like to take a moment to walk you through some brief validation and customer success that highlights what is driving FortiSOAR. I'd like to quickly touch on that FortiSOAR has repeatedly been in Gartner's SOAR market guide as a vendor, including the most recent release supporting the validation of the product as it aligns with the convergence of 3 critical technologies that produce SOAR. Furthermore, I'd like to highlight a customer success story about an organization named Secure Cyber Defense, that's an MSSP that leveraged FortiSOAR not only to remedy the complexities we've discussed earlier, but actually to expand and increase their business and revenue streams.

Their challenges started off with battling alert fatigue. They wanted to enhance their threat response efficiencies. And another big one was that the cybersecurity skill shortage had an impact. They had a lot of very talented senior level talented analysts that were bogged down with repetitive L1 analyst tasks that could be more focused on critical initiatives. So their goals were to increase productivity and the effectiveness of their SOC team, also to have a differentiator from their competitors within the MSSP space and expand revenue streams.

And so what they were able to do was accelerate post implementation of FortiSOAR their response perceived threats from 45 minutes manually to 2 minutes in some cases. But what's also really unique is that they were able to develop a new 7 figure revenue stream. And this is dedicated because FortiSOAR in combination with FortiSIEM SIEM and FortiEDR enabled Secure Cyber Defense to pursue this new business opportunity that would have not been possible if the firm had still been reliant on manual investigations. Now that they're no longer reliant on those manual processes, they are providing a managed detection and response MDR also known as service and processing and responding to security events. All told, FortiSOAR has created its new 7 figure revenue stream for the firm as a result of implementing.

In addition to that, when we take a look at their SOC efficiencies, they were able to implement the FortiSOAR case management functionalities to seamlessly replace our ticketing system in just one day. Lastly, they created a new FortiSOAR use case where they used automation beyond just investigation purposes, which is a differentiator for the product to track the national power grid and weather services to identify if there is a breach or power outage in one of their customer locations. And so this became a phenomenal customer expand their overall portfolio and business, the implementation of FortiSOAR and additional fabric products that I mentioned earlier. If you'd like to read the full case study, I provided a link here where you can really read the entire story and it's quite an incredible success story that they had that triggered with FortiSOAR. I'd like to take a moment to highlight some of the three key takeaways and recap the enhancements and innovations and some of the information Ling had discussed with FortiSOAR 7.0 in particular.

So 3 key takeaways. 1st, start with rapid response. When we take a look at this, these enhancements, in particular, a big takeaway is the incident response war room, which is also supported by the mobile app. And what this does is, it increases overall efficiency by enabling addition. Teams to have faster coordination between their departments in a crisis management scenario, for example, and expand operational visibility through the mobile application by having the SOC in the palm of their hand.

The next or second key takeaway from what we discussed earlier, the SOC Automation. You've heard Ling highlight when touching on our enhancement details, the FortiSOAR FaaS container. And this not only provides a trial experience to users, but it can accelerate the maturity of these users. And when you combine that as a big takeaway and then you combine that with our jump start content packs that provide out of the box use cases, it will enable these lower level maturity for the store within their environment, but then they can add the jump start content packs with those out of the box use cases to Lastly, our cloud services as our 3rd key takeaway, the FortiSOAR Cloud. And this really is designed to simplify deployment, reduce the management complexities.

And when you add in our best practice services, what you get is our FortiSOAR experts that will support all the overall configuration and apply their expertise and knowledge during these configurations, so you can quickly get started. And this is really critical for teams that want to move from on prem to the cloud. And so that is our last takeaway from what was discussed earlier. I'd like to take you through some next steps and resources depending where you are at in your journey with FortiSOAR. The first thing I recommend is going to our web page.

And on our web page, you will find our free trial, which is our FortiSOAR community edition. And you'll be able to see how it works to its fullest capacity and implement some of the efficiencies and see how it can help your team rapidly respond and really get in there and play around with the product to further your understanding. But I also recommend, as Ling mentioned earlier, to take a stop at our virtual expo. Under our AI driven security operations, you will find an incident response section and that's going to detail a lot of new information and deeper dives into FortiSOAR and what's edition. That will be of great benefit for your understanding on where the product is going.

Lastly, for resources, I've listed out our resources that are available on our website where you can find everything from data sheets, ebooks, solution guides, case studies, multiple webinars and our Fuse community where we share best practices amongst customers and our FortiSOAR experts, which is extremely valuable. I hope you've enjoyed today's session. And thank you again for joining us. And we look forward to you

Speaker 15

Hello and welcome. I'm John Spear, Director of Product Marketing. My co presenter today is Dan Hanman, the Director of Product Management, thanks for joining our session, applying advanced threat analytics for earlier threat detection. This is a session focused primarily on FortiSIEM. And if you're confused by that, then you're in exactly the right place.

It's time to expand your understanding of what a SIEM can be and must be to get in front of today's threat environment. I'll spend a few minutes level setting on the customer pain points that we consistently see and focus our solutions on. Dan will then give a quick introduction to FortiSIEM and announce some exciting new features and capabilities that you'll find in the latest release. Then I'll wrap up with some real world validation and leave you with some key takeaways. Now before I move into the challenges that FortiSIEM focuses on, let's also take a moment to That's the unfair advantage that FortiSIEM has if you're already a Fortinet customer.

The Fortinet Security Fabric creates a SOC foundation that is so much more powerful than anything else available in the market. Broader with more products, more integrated within the fabric management center and security operations, more automated with more workflows across all elements. More fabric ready partners have joined the system. Fortinet's Open Fabric Ecosystem is a community of leading technology vendors and threat sharing organizations that are committed to delivering complementary solutions for stronger security posture and protection to customers. It's one of the most extensive cybersecurity ecosystems in the industry with over 400 technology integrations that are pre validated, documented and faster to deploy.

Customers gain a wide range of scalable and secure complementary ecosystem solutions for visibility and protection of entire digital infrastructure. Organizations face many security challenges, but across almost all organizations, whether based on size or verticals, these tend to be common to them all. Threats can be many and varied, looking for that single chink in the armor to compromise a system with the threat coming from phishing emails, vulnerable systems, misconfigurations or lack of risk management. The external threat continues to evolve and we must be positioned to detect these evolving threats and the ability to collect information from multiple vendors and use that data to identify threats quickly and effectively. The inverse to external is the internal threats, which have been some of the most high profile compromises in the last decade.

The challenge of detecting insider threats is that users typically have been granted broad access to resources, allowing for large amounts of data to be accumulated and of nefarious actors. So how can we detect this anomalous activity by a negligent user or malevolent actor? Visibility is a broad challenge, but every organization should understand what assets they have, whether they are in service, whether there is performance issues and of course any security incident affecting the asset, service or organization. Sounds simple enough, but getting this state of visibility is often not trivial and until understood, the management of organizational risk will remain a challenge. And lastly, compliance.

With penalties, reputational damage or the inability to process transactions, compliance to a framework is common to organizations. Whether or not compliance is the main driver for SIEM, using a compliance framework or good practice will help focus an organization's cybersecurity maturity. Applying the appropriate people, products, processes to conquer these challenges has immense value to most organizations. Keeping up with digital transformation can be really challenging for a SOC,

Speaker 1

and it's easy to end

Speaker 15

up with blind spots as parts of the business But of course, the better option is to leverage technology to help you keep up. You will never have enough talented analysts, perfectly documented processes or time to manually mitigate every incident and keep track of who did what and when. Leveraging technology to risk prioritize what gets worked on next to optimize investigations and provide preset remediation actions is critical to scaling a small team to accomplish big things. Likewise, the ability to easily scale out is critical, whether it's adding more locations, a bigger team working investigations in parallel or giving more horsepower to just crunching through higher event loads. The SOC must keep up with the business and go where the business goes.

Some use cases have been pretty consistent over time. They tend to be a little different in focus depending on the size of the organization, the type and level of regulatory compliance they're under and the maturity of the SOC capabilities. But like many areas of technology, what was once reserved only for the large, highly funded or highly regulated, eventually becomes achievable by smaller teams with smaller budgets. Advanced threat detection is one of those areas that was shifting towards mainstream SIEM anyway, but got a pretty big recently from the SolarWinds situation. Teams that previously focused on how to best stay on top of alerts and work cases quickly are now also looking for ways to recognize more against threats such as watching for known indicators of activity earlier in the attack chain.

Insider risk has always been a concern for security ops teams, but previous to the last couple of years has for many seemed like a threat that they just couldn't to take on. As compliance and risk management teams have responded to ramped up regulatory expectations for a more comprehensive insider risk management program combined with the widespread availability of machine learning for behavioral analytics. This has now become a relatively lightweight in terms of overhead load to the team, but a big payoff in terms of earlier detection. Visibility has long been a cornerstone of SIEM. Being able to monitor the infrastructure, see what you have and overlay events. Of course, FortiSIEM's approach has always been to go significantly further in this area than the rest of the market, from discovery management, risk scoring, extending to the cloud, even monitoring remote worker endpoints.

Finally, optimized response is a fundamental use case for SIEM. The notion that the SOC can work much faster with a deployed SIEM than it would if, for instance, they just had a log aggregator product and a bunch of security point products. Every part of the job should be enhanced and they should be able to handle a much larger workload. And when asked for proof of compliance rather than becoming a project, the SIEM must do most of that work for them. FortiSIEM meets these challenges and use cases by accelerating threat detection with machine learning and other advanced analytics, delivering real time visibility of even the most complex multi-vendor ecosystems and always finding new ways to improve scale and operational efficiency for the architecture, the individual analysts in the organization overall.

So let's dig into the specifics with FortiSIEM's Head of Product Management, Dan Hanman.

Speaker 16

So thank you, John. Now let's take a deeper look at some of the product and feature updates coming in FortiSIEM version 6.2. Let's take a quick recap of some of the main solution components within FortiSIEM though. First of all, FortiSIEM uses a correlation engine to detect incidents in near real time with over 1300 rules out of the box, covering everything from security, of course, as well as change, but also performance and availability. And it supports multiple different vendors.

We have a user entity behavior and analytics capability, UEBA, to be able to profile user behavior and alert on anomalous activity. FortiSIEM also provides a NOC and SOC capability, expanding the visibility from just security related events and incidents, but also allowing us to understand the devices within the environment by discovering those and collecting performance information. And finally around compliance, there's over 1200 reports out of the box, compliance reports, fully customizable, covering the common compliance frameworks. So as John mentioned, some of the customer challenges we see, we have different solution components within FortiSIEM to meet those challenges. So looking at how we license FortiSIEM, it can either be purchased as a perpetual license, a subscription license, as a term license or an MSSP pay as you go program.

We can be deployed as either a virtual appliance or hardware appliance, where we have a collector appliance, which is the purpose of events and monitoring devices, or you have a mid range appliance, which is a 2000F or a higher end appliance, which is a 3500G that provides the main FortiSIEM capabilities. Now when we're licensing FortiSIEM, it's really licensed on a number of devices. Some other aspects also come into this as well. Total number of events per second is one. But if we are asking the question of our customers and organizations, how many devices, then how many workstations or endpoints are needed.

We can then ask another question about how many agents are needed. And why you would need an agent is if you're needing to collect a broader set of events, collecting events at much higher event rates that you cannot achieve using an agentless protocol or if you have file integrity monitoring requirements. The other question to ask is how many users need monitoring for UEBA. And once you understand the number of devices, number of agents and number of UEBA, it's a very simple calculation to work out the service points. So once you have the service points, you can choose the correct FortiCare package and optionally choose the FortiGuard IOC package as well.

So it's pretty straightforward licensing, it's built off number of devices, whether or not you need agents, whether or not you need UEBA. So let's delve a little bit deeper into what's new in 6.2. First of all, around accelerated threat detection. Analytic platforms, and in particular SIEM, required 2 core fundamentals. 1 is the ability to scale to manage the demands of the organization will scale as an MSSP business grows and 2, be able to scale the correlation and detection engine as more events or logs are received, new use cases are identified and incorporated or still simply be able to perform real time correlation and alerting.

Whilst these two seem to be table stakes for SIEM, not all platforms can provide this level of scalability. And whilst one of the fundamentals should be the ability to scale, really the value that a SIEM provides an organization is the ability to detect threats and help achieve compliance or reduce and manage risks where other controls may be lacking. As SIEM can provide organizations a Rent dealer value as part of their security strategy or simply a tactical solution to address a specific use case. And now that we can scale to meet almost all demands, what have we done to improve detection?

Well, I've already mentioned that we've got a UEBA capability within FortiSIEM and that was added to the previous release at the end of last year. This incorporated core elements of FortiInsight, our pure play UEBA platform directly within FortiInsight in 2 main areas. 1 is around the FortiInsight agent capabilities have now been embedded within the FortiSIEM agent. And this new UEBA capability on the agent creates events of user interactions between resources or files and these events are then sent up to FortiSIEM's appliances. And within the FortiSIEM, we now have the FortiInsight machine learning module embedded.

So now that we have the agent telemetry coming into FortiSIEM to build up a user model of what is normal. And then if we see abnormal activity, we're going to generate an alert. And one ideal use case for this is around insider threat, a notoriously difficult adversary to detect. Not only can this new UEBA agent telemetry be used for machine learning, but also as part of the standard FortiSIEM capabilities such as the correlation engine, reporting on user activity or adding information to dashboards. And in the 6.2 release, we've got some new UEBA dashboards as well.

FortiSIEM's file integrity monitoring capabilities have been improved to help with compliance and change management and also be able to pull in the files that are being monitored directly onto FortiSIEM so that you can do a comparison between what's changed. And in this release, we've significantly increased the number of security rules within FortiSIEM. We've added around 500 new rules and I'll go over those in a bit more detail in a moment. So let's move on to real time visibility and multi vendor ecosystem. And FortiSIEM is a little bit different to other SIEMs on the market as it does provide its NOC and SOC capability.

First and foremost, FortiSIEM is a SIEM, and it provides these 2 additional capabilities. The first is that it discovers the environment using standard operational protocols like SNMP or API integrations so that we understand what the device is. Is it a FortiGate or is it a switch? What's the firmware of this device? What's the configuration?

Let's start monitoring that configuration for any changes. And then once that discovery is complete, FortiSIEM then monitors device for performance such as CPU, memory, interface utilization. This is quite unique when coupling it with security incidents and events. It provides a wider set of context to the analysts. We have also added new integration with FortiGuard IOC service allowing customers to perform lookups directly into this service and get more context on the IP addresses, domains or URLs and then move directly into the FortiGuard IOC service and perform additional investigations on their indicators.

And this is granted as part of the FortiSIEM IOC subscription. Efficiency is an important aspect within SIEM. We often call SIEM a force multiplier as one of the key value propositions is to multiply the efficiency of a user or an analyst, and that requires a positive user experience and ensures that there is the necessary context available. One of those areas is around FortiSOAR, where there's an out of the box integration between FortiSIEM and FortiSOAR available today. But we'll be looking to do much deeper integration between those.

If you are not already aware, FortiSIEM already has a remediation framework available to automate some of the more straightforward scenarios. And in 6.2, we've added a lightweight workflow so that when an analyst needs to perform a remediation, there can be an approval step before that action is executed. And as MSSP is our growing customer base for FortiSIEM, some of their requests have also filtered down into this release, such as SAML for single sign on, an important part of the user experience moving between an MSSP portal and into this FortiSIEM instance. We've also optimized areas around agent management and the use of agents is becoming more significant in the deployment as we have more capabilities around file integrity monitoring, UEBA and event collection. We've also added some new fabric content and this includes new dashboards for the likes of FortiEDR, FortiADC, FortiDeceptor, a new incident dashboard as well.

So now when you log into FortiSIEM, as long as you've integrated these devices, then you'll see these new dashboards ready to go with new rules and reports as well. In 6.2 release, we've extended our support for OT and IoT use cases. We've added new third party integrations with OT vendors. We've added a new use case that allows organizations to model their infrastructure using the Purdue model within FortiSIEM. Alerts on activities such as traffic crossing multiple Purdue levels enabled the baseline communication between OT devices.

And this can be represented in dashboards and of course within incidents. So we'll have a new OT dashboard and new events and incidents that we'll be triggering if we see suspicious activity. The MITRE ATT&CK Enterprise view provides organizations with an understanding of tactics and techniques adversaries are using. With the additional integration of this framework into FortiSIEM, it allows us to understand the rule coverage that the out of the box FortiSIEM rules provide against the ATT&CK framework. And therefore, we can understand where we may need to improve coverage as well.

And in this release, we've added over 500 new rules to improve the coverage against the MITRE ATT&CK framework, and these can easily be understood by going to the coverage view. In addition to understanding the rule coverage, you can also understand the incidents that are occurring and plot those on the same framework, but now we can see what tactics and techniques associated with our incidents. And as we progress in the investigation, we can simply click on one of the incidents, we'll understand all of the different types of techniques which are being used, be able to click on the techniques and go to the MITRE website directly, we'll bring up a summary of what that incident is, enable to quickly understand what the pattern was that detected that incident. We still have the attack view, but we renamed this the MITRE ATT&CK Incident Explorer that allows us to see on a per device basis the incidents as they progress through the different tactics in the attack view. And you can click on any of these bubbles to drill down into more information about the incidents and down into the actual triggering events themselves.

So where to get more information about FortiSIEM, please visit the Virtual Tech Expo, check out the Fuse community for FortiSIEM and also the resources on the Fortinet website.

Speaker 15

Thanks, Dan. That's fantastic, really exciting stuff. Now I'd like to share some market success. But first, let's talk about the Gartner Magic Quadrant. As many of you probably know, Gartner continues to update the Magic Quadrant for SIEM about once a year.

This is the 2020 release here, and a strong recommendation for MSSPs. Nonetheless, they did keep us in a niche quadrant. Two of the largest shifts in the SIEM market over the last couple of years have been the focus on UEBA and the shift towards SIEM as a service, really a hosted or SaaS version of products. And of course, fully managed SOC services as well. Among many other enhancements, as you just learned, FortiSIEM does now have fully embedded UEBA that we think is quite competitive with the rest of the market and was included in Gartner's survey for the upcoming 2021 7Q report.

They have not been particularly generous regarding our decision to not provide a SaaS version of the product and instead using some of the top MSSP partners in the world as our delivery partners. It's not entirely clear yet how the 2021 rankings will come out, but we're actually optimistic that they are recognizing FortiSIEM's many unique strengths and look forward to the new report. Of course, there are other reports in the market. And I'm excited to talk about one by the SIEM users themselves rather than just the analyst. Great example of one of these is the SIEM data quadrant report from Software Reviews.

They're pretty selective about only showing those vendors to have enough customers that have come forward and take the surveys. So you can see that it's really down to those that have quite a bit of product in the market, and others drop out. Obviously, Logpoint did a great job of rallying their install base to take survey, which tend to be smaller European businesses. But by their own calculations at Software Reviews, FortiSIEM came in 2nd overall. What really stood out for me as well in this report is that when they segmented the survey data, FortiSIEM jumped way to the top for large enterprise customers with a net promoter score of 76 and 100% planning to renew. It's interesting to see that these customers had almost no consideration of Okay.

Let's wrap up and remember what we covered. First, we've been investing heavily in threat detection on a couple of fronts simultaneously, expanding the behavioral analytics that can profile what is normal in your environment and alert when suspicious anomalies occur, leveraging what the information security community is sharing in terms of effective rules, correlation rules across whatever products they're using, making sure that all of them are available to use by FortiSIEM customers. Second, we are committed to the benefit and value that MITRE ATT&CK framework can deliver to FortiSIEM users. This latest release is a huge step forward in being able to leverage the framework to easily see what coverage you have. And of course, where you may not have coverage so that you can focus there.

Also, Fortinet is continuing to deepen the FortiSIEM integration with the security fabric and our fabric partners with more powerful and specialized dashboards, API hooks, overall tighter integrations to ensure that FortiSIEM is the most powerful and flexible SOC interface into this security fabric. And finally, there are several new integrations designed to enhance user experiences. First, to give the analysts an enhanced by linking investigations that include indicators of compromise with the new FortiGuard IOC portal where they can choose to drill in for more info, find out what related indicators they should keep an eye out for. You can submit requests and questions directly to the FortiGuard threat researchers. And for our service providers, especially taking advantage of existing single sign on services so that they can provide their customers with a great segregated access to the FortiSIEM UI and make their introduction into FortiSIEM just that much easier and smoother experience.

Well, thank you for attending our session.

Speaker 12

Hello. Welcome to this Accelerate breakout session focused on using deception technology to raise the bar for the attackers, forcing them to abandon My name is Damian Lim, part of the Fortinet product marketing team focused on our breach protection solution and products. And joining me is Moshe, VP of Product Management, instrumental in driving success of FortiDeceptor. To provide context, FortiDeceptor into this discussion is part of the Breach Protection solution that is under the AI Driven Security Operations and is part of the overall security fabric. In today's agenda, we will cover the cybersecurity challenges and solution approaches.

One such approach involves the use of deception to defend against external and internal attackers. We'll then delve into FortiDeceptor's unique features and the validation of the solution, then wrap it up with a recap and next steps. Without further ado, let's discuss how an organization can evolve their security to deal with the challenges that cyber attackers pose. Most organizations adopt a security framework such as NIST, MITRE ATT&CK or the MITRE Shield framework or Lockheed Martin Cyber Kill Chain to plan their information security strategy. In our example, we will leverage the 7 stages found in the cyber kill chain as a guide to our discussion.

Foundationally, a security operations team should have a good baseline in securing all threat vectors or entry points against the delivery of known threats as a first stage, then move into adopting sandboxing as a method to protect against the delivery of unknown and zero-day attacks. In the next evolution of SecOps, maturity is the adoption of deception technology to detect attackers performing reconnaissance. And finally, organizations should consider adopting sophisticated AI such as the virtual security analyst that can serve to automate the cumbersome task of investigating threats and its objectives, so security operations teams can achieve peak edition. Now to improve an organization's security posture beyond malware protection, a defensive strategy should revolve in identifying the threat actor and their tactics in the early stage of the attack, such as those involved in the reconnaissance activities.

According to Verizon's data breach investigation report, the survey found two thirds of the breaches can be attributed to the external threat actors, while the remaining one third attributed to internal threat actors. The other challenge organizations face is the rising cost of mitigation. Now this is based on the success of a security incident or breach and thus is an important focus for many organizations to avoid that as much as possible by detecting and responding to these attacks at the earliest opportunity in the kill chain. To solve these challenges, one should consider deploying deception to disrupt the reconnaissance activities as seen in the first stage of the kill chain mentioned earlier. By leveraging FortiDeceptor, an organization can create a fabricated network of fake IT assets and high value reals that facilitate the engagement with attackers through decoys that simulate real devices and applications with the intention to expose and then to respond to them.

Furthermore, an organization can extend this fake network to the OT segment by recreating the OT network with fake OT devices that respond to these protocol commands. Lastly, by complementing deception with in place SIEM and SOAR, organizations can enrich their security incident response by taking advantage of intelligence generated by FortiDeceptor to accelerate threat hunting and perform pinpoint orchestrated response to threats. FortiDeceptor is designed to deceive, expose and eliminate external and internal threat actors. This provides security operations with powerful security that helps further improve their security posture through the use of disruption technology that enables them to secure business continuity against threat actors and their tactics. While implementing powerful security is an important endeavor that security needs to be applied to both IT and OT segments for a holistic approach to defense.

This helps security operations close off any gaps and secure the dynamic attack surface. Lastly, organizations can reap the benefits of SOC automation through the integration of FortiDeceptor with existing security controls via Fortinet's security fabric. This provides security ops the ability to scale and increase SOC efficiency without increasing budgets. And with that, let me turn it over to Moshe.

Speaker 17

Thanks, Damian. In the next several slides, we will cover the FortiDeceptor technology, and also the new ordering guide and knowledge resources to use. FortiDeceptor combines the notion of honeypot with threat analytics and threat mitigation into one solution. Specifically, FortiDeceptor creates decoys to lure attackers and inspect their behavior to generate accurate threat intelligence to block both external and internal attacks before any significant damage occurs. Fortinet is the 1st major security vendor to offer deception technology beside a handful of deception startups.

The offering is available as a hardware appliance and a VM form factor. FortiDeceptor detects threats to assets that cannot provide their own telemetry such as IoT sensors, SCADA and medical devices and detects threats moving inside the network instead of detecting threats on egress and ingress traffic. FortiDeceptor provides visibility inside the network while focusing on targeted threat detection of APT grade actors and also APT malware missed by other security tools. Furthermore, FortiDeceptor is integrated with FortiGate and FortiNAC as part of the automated threat response process and also FortiSIEM, FortiSOAR and FortiAnalyzer for broader visibility. Now that we understand FortiDeceptor technology, let's focus on the product long term roadmap.

In the next 12 months, we will release 3 major versions that will support our product vision and use cases. The deception, decoy and lure are the bread and butter of the product, and we will expand our decoys lure offering by adding more platform and IoT OT decoys and more deception lures like Active Directory and decoding files, in parallel to our decoy and lure expansion, we will also improve the decoy and lure authenticity by allowing features like MAC address changing, domain decoys and ensuring correlation between the deception lures and the Active Directory environment. Deception technology generates threat intelligence and attack attribution information to improve response effectiveness. FortiDeceptor will leverage FortiSandbox and FortiAI to run more in-depth malware analysis to enrich the threat intelligence IOCs. Beside the threat intelligence creation, FortiDeceptor will share the IOC across the Fortinet Fabric and 3rd party security tools using the market standard like STIX and TAXII. As part of our OT offering, we will release a rugged appliance with more features specifically for the OT environment.

The Fortinet Security Fabric is designed to simplify the management of an organization's entire security architecture. FortiDeceptor is already part of the fabric by integrating with FortiGate and FortiNAC for threat response isolation and FortiSIEM, FortiSOAR and FortiAnalyzer for broader visibility. FortiDeceptor will expand the fabric integration focusing on FortiGate as part of the network topology map and FortiTheme with credential theft protection module. Besides, we will improve the scalability of our large distributed network and also will provide richer context and more useful telemetry to improve the SOC threat hunting capabilities. FortiDeceptor version 3.3 is a major release and the GA version will be released in the end of March 2021. As you can see, we expanded decoy and lure section dramatically by adding 5 new decoys and several deception rules, the new SCADA decoy will protect against OT attack and the new ERP decoy will protect against sensitive data exfiltration attacks.

The new point of sale decoy will protect against financial data exfiltration and test attacks. Under medical decoys, we will offer 2 different decoys, PACS system decoy and infusion pump device decoy to protect against medical record exfiltration and medical devices attacks. The Git decoy will protect against supply chain attacks like the SolarWinds one. To increase the decoy authenticity, we also add a feature that allows modifying the decoy MAC address. In addition, we add new deception lures such as cached credentials and fake network connection lure, that protect from password dump attacks and detect attacker early in the kill chain.

We add a new set of IPS signature against SCADA attacks to expand our OT solution offering. In the Fabric Integration section, we add another FortiGate integration, where FortiDeceptor will be part of the topology map feature. FortiGate admin will have the option to see FortiDeceptor appliance status and the decoys that are up and running in real time. We also expanded tight integration between FortiDeceptor and FortiSOAR by adding more playbooks and also increased the integration level between FortiDeceptor and FortiSIEM as part of our SOC efficiency use case. The new central management as a single console will allow us to manage and deploy remote FortiDeceptor appliances, get their alerts and provide alert analysis from a single console.

We also improved the software license activation by moving to a new protocol over SSL and improved the SafeLid features to add more flexibility for the wireless capabilities. Now let's move to the ordering guide. FortiDeceptor license in Q1 will have no changes. FortiDeceptor license in Q2 will have a minor change regarding the new decoys. The new decoys ERP, POS, PACS and Git will be under the current SSL VPN SKU.

In mid Q3 2021, we will change the entire FortiDeceptor license model. The new license will be subscription bundle based on the number of network VLANs the customer is willing to cover. Of course, FortiCare, ARE and all the deception modules will be included in the bundle. FortiDeceptor ARE technology and the FDS engine are unique in the deception market. FortiDeceptor is the only deception technology with IPS, AV, web filter that monitors the threat activity in the decoy level.

Like other deception tools, our IPS engine provides more context to the attack by identifying the network attacks itself like exploit name instead of presenting an alert, we just add decoy network connection description. Important to add that our IPS engine also contains SCADA signature as part of our deception OT capabilities. Another unique capability is the web filter engine. It analyzes the traffic from the decoy to the Internet to detect and analyze any vector and command and control connection. FortiDeceptor's use page is maintained and updated weekly with content related to sales, marketing, proof of concept, best practice deployment and videos covering the core components of the product. We also have a very active Teams group called DeceptorFDC that I highly recommend to join. For hands-on labs, we have a fast track session for partners that allow us to deploy and test the product.

We will refresh this training session after the release of version 3.3. For SE training and demo, we will have a cloud platform that will allow the SE to deploy and test the product for training purposes. We are expecting to have this platform by the end of Q2. I will now hand it over to Damian for the remaining portion of this presentation.

Speaker 12

Thank you, Moshe. We'll round off this presentation with a customer case study and lastly, a quick recap. On FortiDeceptor's customer success story, I'd like to discuss this large media conglomerate in Europe that was looking to bolster their security architecture to detect and respond to both external and internal threats via a layered approach to security. Edition technology since it allows them to redirect external and internal threats from their hosted media platforms as well as their sensitive data and provides them with an early warning to deescalate these threats. Since their IT security team is shorthanded, they have a strong need for automating their security solutions.

Currently, there are a handful of vendors offering deception with a majority of them being startups and that created concerns around regional support gaps and a disruption to product development due to the possibility of acquisitions. To overcome these concerns that they had, they went with Fortinet for this particular project because it came from a well established security vendor, offering a global follow-the-sun support as well as a commitment to the homegrown FortiDeceptor investment. And most importantly, FortiDeceptor integrates with their in place FortiGate deployment, thus fully automating all threat responses. And the best part, they saw immediate value after the deployment of deception as they caught an internal user performing port scans and attempting an unauthorized connection to one of their decoys. Now this really helps with eliminating the actual threat before it escalated even further.

With that, let's discuss the key takeaways of the FortiDeceptor solution. FortiDeceptor is a powerful addition to any organization's security strategy by focusing on the attackers themselves. FortiDeceptor provides a timeline driven threat campaign analytics that reveals the attacker's intention and tactics, including malware details from the integration with FortiSandbox and FortiAI. FortiDeceptor also automatically learns the types of endpoints, servers and services that are found in that particular organization, so it can recommend the appropriate interactive decoys, of the AUS and services to be provisioned. Now incorporating deception is part of the proactive defense and this really helps elevate an organization's existing security posture and reduces the business disruption due to the external or internal threat actors.

Besides that, FortiDeceptor broadly covers the IT segment of an organization by simulating Windows and Linux clients and servers, but also OT and IoT segment, including ICS/SCADA, ERP, medical and point-of-sale systems for all these various verticals. Besides the devices themselves, deception supports various applications and services, including things like Git repository, VPN, SMB, SQL and many others. Now this helps the security operations to close off gaps with this comprehensive coverage of the dynamic attack surface.

Speaker 18

I'm Peter Salkowski, Fortinet's Vice President of Investor Relations. I'd like to welcome everyone to Fortinet's 2021 Analyst and Investor Day and thank everyone for attending. Presenters today are John Maddison, Fortinet's Chief Marketing Officer and Executive Vice President of Products, and Keith Jensen, our Chief Financial Officer. This is a video presentation that will be available for replay on the Investor Events section of our Investor Relations website. We have a slide presentation as well as a transcript of the Analyst Day will also be posted on the Investor Relations website later today.

Now for today's agenda. John will start off today's taking a deeper look into some of the topics he presented earlier today at the Accelerate 2021. A replay link of John's Accelerate 2021 keynote along with the Accelerate keynotes from CEO, Ken Xie and Joe Patrice Perche, along with all three presentation slide decks and transcripts are posted on the Investor Events section of the Investor Relations website. After John, we'll host a brief Q&A session with our sell-side research analysts. Keith will then review Fortinet's growth drivers, summarize the company's consistent financial performance over the past several years and provide our 2023 financial targets.

We will then conclude with a longer Q&A session where Keith will be joined by Ken, Patrice and John. During both Q&A sessions, we ask that you please limit yourself to one question. Before I turn the day over to John, I'd like to remind everyone that during today's Analyst Day, we will be making forward-looking statements and that these forward-looking statements are subject to risks and uncertainties, which could cause actual results to differ materially from those projected. Please refer to our SEC filings, in particular, the risk factors in our most recent Form 10-K and Form 10-Q for more information. All forward-looking statements reflect our opinions only as of the date of this presentation, and we undertake no obligation and specifically disclaim any obligation to update forward-looking statements.

Lastly, I'd like to remind the analysts that if you want to pursue the Q and A session, then you need to ask at the Analyst Day using the Zoom link that they sent you earlier. We'll now turn the presentation over to John.

Speaker 2

Thanks, Peter. Let me see if I can share my screen here. All right. So Peter has given me 20 minutes to get through this conversation. So I'll make sure I focus in on the relevant points.

So two main points. One was, although we announced FortiOS 7.0 about a month ago, it's going to be available at the end of this month. It's really expanded what we call our platform of fabric approach across the endpoints, across the network and across the cloud. There's not many vendors who can support that platform across all three of those areas. And we also deliver it of our appliances, software, virtual and SaaS delivery as well.

I think the main topics I'm going to talk about in terms of product will be SASE, although the definition seems to change depending on who you're speaking to, but also Zero Trust. And across those two things, I don't see if I can share my video. It doesn't seem like I can share my video, but there you go. SASE and Zero Trust are use cases that span across multiple products. And one of the issues customers are finding is that because I've got point product A, point product B, point product C, making those use cases work across all those different vendors is almost impossible for them.

So further evidence that a platform is going to be the solution going forward. The second point is our partners. And today, we announced AT&T from a SASE partnership perspective. I've been working on this for a while. Taking SASE and implementing it through the network is absolutely the best way, SASE consisting of SD-WAN and secure gateway.

And so for sure, SASE and implementation with service providers, we do find that there's a lot of conflicts with SaaS only companies or SaaS only companies, while the channel conflicts, our strategy is to partner with our channel, including inside that will be our large So it provides us

Speaker 18

as well.

Speaker 1

Now from a vision

Speaker 2

and mission perspective, it was Fortinet, as you know and as you said to customers, this digital innovation is just accelerating. And as they accelerate that, it just expands the attack surface and they really, really want to make sure that they secure both the people, devices, data and infrastructure. And what we're seeing is greater collaboration between the CIO and CSO teams as we go forward. Who is Fortinet? We're definitely, as you know, one of the top cybersecurity brands.

And we really focus on delivering a platform that covers that entire attack surface. Now the TAM, it's always interesting to me when I see companies put up TAMs and sometimes now I don't know where they get the information from because they claim TAM that I've never seen them operate in. But this is our TAM. It's backed up by a lot of Gartner information, obviously, we do that through Magic Quadrant and Market Guides, and I'll talk a bit about that briefly.

But our TAM, it stretches from users and devices across the network, across cloud and security operations. We operate both in the network security world, the networking world as well as the cybersecurity world. What trends are we seeing? What's driving the marketplace across endpoint, network, cloud and cybersecurity security operations, while at the endpoint obviously was work from home, we're still seeing factories IP enabled. And I'm going to zoom in on the Zero Trust architecture for that, which is a migration from VPN.

Network security, what we're seeing is a lot more edges appear. It used to be a very well-defined perimeter. Now we're seeing a lot of edges appear. And so I'll talk about SASE, which is a component of that. Now cloud security, we continue to see the rollout across hybrid, across cloud, we're seeing migrate all the way back into distributed or edge compute.

So adaptive cloud security and security approach, I'm not going to have time to probably go through much else than Zero Trust and cloud edge SASE. This won't be enough time, but let me focus on those two areas. So let's zero in on the security-driven networking, network security, networking accelerated convergence. We're absolutely seeing the convergence of networking and security. There's no way you can defend and protect all these edges without having a converged solution.

It's just too complex and too costly. And so this convergence is starting to happen rapidly. When I look at the TAM, we looked at the TAM earlier for network security. These what Gartner have are Magic Quadrants and these are well-defined buying centers, network firewall, secure web gateway, SD-WAN and switching wireless. Now there are some markets like IPS, intrusion prevention, we've gone from a Magic Quadrant to being a market guide and the static market guide in that it's not really changing much.

The long-term destination for such a marketplace will be consolidation inside one of the existing buying centers. We've seen an awful lot of the IPS marketplace get consolidated into network firewalls as we go forward. And then there's new market guides, which are new markets, often coming markets, which either form their own Magic Quadrant or do a merger with an existing Magic Quadrant, there's kind of 3 of them right now in network security. There is the performance monitoring and detection diagnostics.

There is a digital experience monitoring, of course, SASE, which is everyone wants to kind of hear and talk about. When we look when we broke down and looked at the forecast, this is Gartner's forecast for network security, so I'm just focusing here on the network security marketplace. I've not included network performance monitoring diagnostics. Through our acquisition of Panopta, we are in that marketplace now, but I'm not included in the TAM right now. You can see there's not a huge amount of change, to be honest, in the size of the pie slices as we go forward, yes, secure web gateway increases a bit, SD-WAN increases 2 points, Switching to Chris is slightly firewall, maybe 1 point.

But the overall percentage of market share of firewalling and SD-WAN and web gateway wireless and switching, it remains pretty much the same and it's around a 10% growth into 2024. Now, Gartner did recently publish, in fact, back in August, another view of this marketplace. This is their SASE definition, secure access services edge. And what they did what SASE really is, it's a number of those existing marketplaces repackaged into this framework or architecture. And so you can see here that what we've taken is the fundamental components of a SASE company include SD-WAN, include secure web gateway, include firewall as a service, Zero Trust and CASB, which obviously go across the endpoint, go across into the cloud and go across the network.

How does that change? Again, it doesn't change too much. You can see SD-WAN increases a bit more, secure gateway decreases, but pretty much the same. But in our minds, to be a SASE, a main SASE player going forward, you need all of these components. You need all these components delivered at the edge, cloud edge, WAN edge and LAN edge.

And again, just to kind of show you who's in these marketplaces, we've taken the Magic Quadrants for network security. We've taken the market guides for network security. You can see the different players and the different parts there. Secure Web Gateway is a marketplace we actually are very active in. Gartner's definition is a bit strange and why they allow certain people into that Magic Quadrant,

Speaker 5

I

Speaker 2

think that will change as you go forward. So what is our key strategy here for security-driven networking? Well, the first thing is enterprise-class networking at all edges. That is the cloud edge. As obviously at the cloud edge, we need to be able to provide that from our data centers, our cloud.

Also at the data center edge, very high performance needed and required there at the LAN edge, either through Wi-Fi and switching at the WAN edge through SD-WAN, at the up and coming 5G edge, LTE edge. And we're also doing a lot of work on the OT edge. Remember, OT used to be air gapped. That's going away and that's creating edge there. So one of our key goals is to be able to supply or be able to network, provide enterprise networking at all these edges, whether it be cloud, data center, LAN, WAN or OT through hardware, through software or through SaaS, any one of those can be used across all those edges.

The second component of security-driven networking is enterprise-class security. And I often hear people say, I've got security, it's in the cloud, don't worry about it. No one's tested it. No one's looked at it and no one's certified it. And so we have tested and certified all our security components, whether it be the content, whether it be web security, user security, IoT, OT security, our advanced operational and security operations capabilities, as well as the integration of more advanced support services as well.

But I definitely feel like this is an area that people are going to look at at some point, because you can't just say, trust me, I've got great security, but you need to make sure that security is tested and certified. And then we bring all of that together through the fabric and the platform. So yes, you could have one of these components. Yes, you can have some security. But the key is then to be able to bring that all together in a platform to be able to orchestrate any one of those edges in terms of networking functionality, to be able to deliver security, any level of security or any part of security stack at any one of those edges, and then to be able to make sure that it fits into the ecosystem of the customer.

The customers have made some investments in some large platforms. It needs to be a platform that's very that covers the attack surface and all the security components, but also needs to be able to integrate into the ecosystem of the customer. And this is why FortiOS is very important to us. I always tell customers, it's probably the most important investment from a Fortinet perspective, is that this stack, this full stack of networking and security capability can sit at any one of these edges. It can sit in an appliance at the WAN edge.

It can sit in our SaaS delivered cloud edge in SaaS. It can sit as a powerful perimeter next-generation firewall in the data center edge. It can apply security to the LTE edge, the switch edge and the Wi-Fi edge. So what the customer gets is the ability to switch on any part of the networking capability and then apply security wherever they want to across all these edges. And as they go forward and as they shift different things, maybe there's a shift from work from home back to the office, maybe continue shifting things into the cloud, it goes into the edge compute, maybe you continue IP enabling your OT infrastructure.

As these shifts happen, you can alternate that networking capability and you can increase or decrease the security depending on where the use case is and it's all consistent enterprise class because you're using this enterprise-class operating system stack across all those elements. That's why FortiOS is so important, and it can all be applied to a single policy engine across your entire end-to-end endpoint, network and cloud security. And then I'll just kind of highlight the SASE offering that came out with our 7.0, FortiSASE. And again, people take the SASE definition and weld it in or mold it to whatever they've got. The fundamental tenets of SASE are 2 components.

1 is the convergence of networking and security and the second one is a platform approach, not a point solution, a platform approach or a framework approach to the edges as you go forward, the services edge. So from our perspective, there's 3 really important components. The first one is, you absolutely need to be able to apply a flexible edge access. And that edge could be a work from home user. It could be what we call a thin edge, where the device, in this case, for example, is a 4G or 5G device, doesn't have the footprint to put the security on.

And then there's a what we call a SecureEdge. SecureEdge will be one of our SD-WAN devices. That can put a full security stack. But even if you don't put all the security there, you still need some security on SD-WAN. And so these different these flexible accesses from the edge gives the customer the ability to protect all those edges.

Once you hit our cloud, you hit the first thing is security as a service. So you may want to apply secure web gateway capabilities or you may want to apply isolation web browsing for next gen firewall or firewall as a service, but we've also integrated Zero Trust. So your Zero Trust network access use case can also be derived using the SASE access proxy. And then the second the third component, which we think is going to be extremely important going forward, it's that digital experience monitoring. Yes, I put all these things in place to make it more flexible and more secure.

But are my users and devices, by the way, getting the right experience end to end from how they access the network through the network and into the cloud. And so the peering mobile data centers, the monitoring of the experience and high availability and then the ability to see via API security into clouds where you can't even provide your own security becomes very important. So to us, SASE consists of these three things, access edge, okay, usually an appliance for SD-WAN and some sort of device for 5G or some sort of client, it then provides we provide security as a service in the cloud, in our cloud, and we then provide digital experience monitoring, it provides that glue and that intersection between the user experience and the application. This is all rolled out under our FortiSASE umbrella.

Speaker 19

And I'm looking at time here.

Speaker 2

I've got a few minutes. So I'm going to see if I can squeeze in the Zero Trust. Zero Trust access, this marketplace is dominated by identity actually, although you did have VPN and NAC and access and OT security as well. From a size perspective, again, assets management is dominating, but 0 VPN and Zero Trust is also going to be very important as you go forward. If you look at the market guides and the Magic Quadrant is quite fragmented, but a lot of activity around Zero Trust and VPN migration.

And here's the biggest issue with Zero Trust. It's great technology. It's probably technology that we should have been implementing a while ago. It really does upgrade your VPN access big time in terms of giving you specific application access, I mean constantly doing a contextual view of per session of what's going on and then also providing that user and device continuous identity check as you go forward. So absolutely without a doubt, VPN has served us well over the last 20, 15 years, but it will evolve forward into Zero Trust.

We believe, however, we have a lot of customers on our VPN networks, obviously, of VPN solution set. That is an evolution versus a revolution in terms of you can just wipe the slate clean and start all over again, but you're going to have to make all these different vendors work together. So from a vendor perspective, what do you really need from a Zero Trust? First of all, obviously, you need that Zero Trust agent sitting on the endpoint. You can use files and stuff, but you really do need an agent to get the best experience.

We also believe, obviously, you need that authentication of the user and devices, multifactor as you go forward. Then there's the most important piece, which is the access proxy. Access proxy provides that granular access to the applications and also connects the user session into the contextual engine. Now what as you go forward, once you're on that application, a lot of customers and enterprises also want to apply more advanced endpoint security such as EDR, because once you're on there, you've got to keep that behavioral monitoring going on across that endpoint. Now what I find a lot of times is that across a specific customer, you've got a vendor A for Zero Trust agent, you've got another vendor for EDR, another vendor for identity, another vendor for proxy, and it just goes on.

It's almost impossible to get a true Zero Trust networking working across so many different vendors. Now I'm not saying you need 1 vendor, but I'm saying you can't have 5 or 6 vendors. This doesn't work. So for our solution for Zero Trust, one of the key components inside there is FortiOS. That becomes the access proxy.

And the flexibility we can have is that that access proxy can be in the cloud through our FortiSASE solution. But you can also sit in the customer data center. Their existing VPN termination point can be the access proxy for our Zero Trust solution set. And we think there's other marketplace, it's on campus marketplaces, which could replace core switching and networking through a Zero Trust architecture and proxy. So the key for us is that we've got our FortiClient, our Forti ZTNA, authenticator token, EMS and FortiOS that provides an end-to-end Zero Trust solution where the proxy can be in the cloud and the data center on the campus.

We can integrate with other components, so an entity systems out there, for example. But we believe this is a great migration from our existing FortiClient and FortiGate customers into a use case Zero Trust that works across all these components and will arrive in our FortiOS 7.0. So let me stop there at 21 minutes, I think, and usually on time and see if I've got any questions.

Speaker 18

All right, John. Thank you very much. I will point out there's another John's in slides after this, but you're right. We've run out of time. So we are going to open up for Q and A.

I will remind everyone that John's slides will be posted on the IR website after the presentations, hopefully very quickly after. And so just again a reminder, please raise your hand to ask a question and please do limit yourself to one question. We get rid of the time and lots of people want to ask questions.

Speaker 20

So

Speaker 18

first one up is going to be Michael Turits from KeyBanc. Michael, go ahead. Just unmute yourself, Michael.

Speaker 21

Thank you. Should be unmuted. Thanks very much. John, you guys announced the partnership with AT&T for SASE. Can you talk about that decision to partner with service providers for the, let's call it, the networking services.

By contrast, some of your competitors have built their own network and PoPs, others are partnering with cloud providers. Do you get enough control over the end product and over the customer, if you're in this way versus these other strategies? Well, to be

Speaker 2

clear, we'll do both, okay? So I don't think you can supply a platform, a SaaS platform or SaaS platform without experiencing yourselves and understanding it yourself. So we'll do both, we have that offering. But we firmly believe that once we build that technology, transferring or enabling our big service provider partners is the best way into the marketplace.

As I said earlier, we absolutely see channel conflict all the time between service providers and some of the pure SaaS vendors. So we believe you have to build it. So you know how to build it and then we can transfer some of that technology to our service providers.

Speaker 18

Next up is Jonathan Ho from William Blair.

Speaker 22

Hi, good afternoon. In terms of the

Speaker 5

breadth of offering that

Speaker 22

you just sort of that you just sort of described. Can you maybe talk a little bit about how in the SaaS and Zero Trust world having that Ronan offering. Does that provide an advantage to you relative to some of the deals that you're doing out there? And can you talk about specifically why it's an advantage to be able to offer, I guess, over 6 set of solutions. Thank you.

Speaker 2

Thanks. Yeah, so definitely customers are I've had enough of buying all these different point solutions. And when I speak to them, it's not that they want to go from 30 point solutions down to 1. They want to go from 30 point solutions down to 7 or 8 platforms that interwork and work together. One of the most common ones we have is Microsoft and we have 8 different integrations into different Microsoft.

We're not saying it's 1, 7 or 8, but they need to work together. So they go into a platform. They just can't support so many different point products across network and cybersecurity. The advantage for us is that sometimes I see us enter a customer with 1 of the products. In fact, it could be anything.

It could be authentication. It could be our WAC in So we always got something that's available to enter a customer. And the advantage long term though is that they can then build out a fabric within that kind of architecture they decided on the 7 or 8 platforms and truly deliver those use cases. Again, it's not a point product anymore that can deliver Zero Trust or SaaS. It's just impossible.

You need that platform approach to be able to deliver that.

Speaker 18

Sorry about that. Next up should be Brad Zelnick, Compressed

Speaker 23

And John, really appreciate the presentation. Maybe a variation of the last question, you talk platform and interoperability of solutions in implementing a SASE architecture. And I just wanted to maybe understand competitively and through the lens of the customer journey, right, what distinguishes Fortinet? Because at this point, many vendors are approaching SASE from different starting points, Zscaler with proxy, Menlo Security with browser isolation, Cato, I think, began with Firewall as a Service, Palo Alto has a number of assets. Where does the customer journey begin for a typical Fortinet customer?

And why is that a better on-ramp to SASE versus others? And like as

Speaker 2

you look out on the

Speaker 23

horizon, is it always going to be patchwork or do

Speaker 18

you think there ends up

Speaker 23

being winners and losers here because you're all swimming in each other's lanes?

Speaker 2

I think the leaders long term are the point solutions. And there's not many vendors like ourselves who have enterprise-class security across endpoint, across network, across clouds. And if you're trying to measure the digital experience, if you're trying to provide security across that attack surface, you don't see part of it, how are you going to protect it? So our long-term advantage is that we can sit across any of those edges, that we can provide enterprise security across any of those edges and that we can deliver it via SaaS or appliance or software or agent. And that's our advantage.

There's a lot of people just in the cloud. There's a lot of people just in the network or just at endpoint. Our ability long term to sit across all those 3 is our biggest advantage. Yes, some customers I mean, if you look at the let's be honest, let's look at the SaaS marketplace today. What is it?

It's 95%, maybe more secure web gateway as a service. That's what it is. As people have migrated their proxy, more often than not, Blue Coat proxy into a cloud proxy. That's where the market is today. However, it's going to expand as people expect the orchestration between their SASE and their SD-WAN, as they expand their integration into the cloud through CASB or as they expand and make sure that any endpoint to Zero Trust on and off the network gets that protection per application.

So the advantage for us is the use cases, it works across all these different elements and we have all of them in place. And we spent the last, I don't know, I'm going to say 10, maybe 8 or 7 years building it organically versus trying to bolt it together with acquisitions. We do acquisitions and Panopta was the latest one. But they're small and we buy it for the technology. I think it's really hard to build a platform like ours if you don't do it organically.

But coming back to your question, Brad, I think our advantage is that we can sit across any part of the edge. We can deliver client software and SaaS and that gives us the ability to deliver these use cases like no one else.

Speaker 18

Next up is Brian Essex from Goldman Sachs.

Speaker 19

Yes. Thank you, Peter. And John,

Speaker 2

thank you very much for the presentation. I was wondering if you could maybe touch on, you

Speaker 12

talked about the convergence Of

Speaker 2

network and security and from the perspective of legacy or incumbent network equipment vendors,

Speaker 19

what are you seeing

Speaker 2

there in terms of the way that they might be approaching SaaS, particularly given the legacy installed base they might have, maybe the presence of the campus edge as a competitive advantage. How are they thinking about this? Well, I think what network security what networking vendors have done and I don't think I said at the beginning, there's a big difference between networking vendors and cybersecurity vendors, one's hardware and performance and one's software. Well, if you listen to my presentation, I'll go through that a bit. But I think they've been able to kind of buy and bolt on cybersecurity components over the last 10 years.

You just can't do that forever. And it becomes even harder when you've got to do it in the cloud or SaaS delivered. So I think they're really struggling. And we see that in the marketplace. And when the customer says, hey, I want this converged solution, and I want to be able to put security on the WAN edge or the cloud edge or the data center edge, I wanted to be consistent.

I want to be enterprise class. They just can't deliver that. It's just impossible because they try to bolt things together. That's what I've seen and it gets harder and harder because the customers get frustrated because they've been promised by us in PowerPoint, they're still coming together and years later it's not and they could be becoming very frustrated.

Speaker 7

Got it. Thank you.

Speaker 18

Hey, Brian. Next up is Gray Powell from BTIG and Keith Bachman, you're on deck.

Speaker 2

Great, thanks.

Speaker 5

Can you

Speaker 20

hear me okay?

Speaker 5

Yes, we can

Speaker 18

hear you. Perfect. Yes. I just want to follow-up

Speaker 22

on Brad's earlier question. Maybe just from a different angle. So Fortinet has always had some level of secure web gateway capabilities. And I think it's been pretty successful in sort of the small and mid market. But historically, I'm not sure Fortinet's really been thought of as a replacement for pure-play proxy architectures in larger enterprise.

So if you maybe talk about how that's changing and particularly as you focus more on the SaaS product set?

Speaker 2

Yes, I mean, that's a good point. And I think I kind of mentioned a bit in the GARN and I just called them for Secure Web Gateway that for some reason a couple of years ago they put in that you have to be a cloud proxy to be in, even though we have got substantial revenues of secure web gateway, whether it be proxy or whether it be through our FortiGate, we can do that. For us, I think as we go forward, we now have that capability in the cloud. And so I think we'll get access to that access to the Magic Quadrant and I think you'll see us accessing the enterprise marketplace through there. When you look across cybersecurity, you look across networking and I didn't show you.

If you look at my one of my presentations from Accelerate this morning, I kind of flash a slide with all my different products across all these different areas is substantial. I probably would say that one of them that wasn't quite enterprise class was the proxy capability, but that will be fixed in our 4 d sensing offering.

Speaker 19

Got it. Okay. Thank you.

Speaker 18

And just as a reminder, Those slides are up

Speaker 2

on the website as is the replay for the analysts, so you

Speaker 6

can get a chance to see them this morning.

Speaker 18

Next up, I believe, is Keith Bachman. If you do have a question, please do raise your We've got about 9 more minutes off in

Speaker 2

the Q and A. I think we'll get

Speaker 18

a few more in here. Keith, you're up.

Speaker 24

All right. Thank you very much. Thank you, John and Peter. My question is going back to the market slides where you had growth rates. And I just wanted to see if you could flesh out, A, how you're viewing the growth dimension surrounding firewalls versus firewall as a service versus virtual firewalls, what do you see as a key opportunities or risk?

And then B, to broaden out the question a bit, how do you think Fortinet fits into that as architectures converge surrounding firewalls piece of the node rather than entire solution as SASE rather becomes more prominent. So just trying to see what the risks or opportunities for Fortinet as you think about the growth of the firewalls in those various pockets. Thank you.

Speaker 2

Yes, good question, Keith. Good question. So,

Speaker 5

first of

Speaker 2

all, I think firewalls as a service is a tiny marketplace. And it's just very the secure gateway moving from data centers to cloud makes a lot of sense, architectural wise and everything else. So that will just move into the cloud over the next it's like email. When I first started to do an email security back in 2007, it was all appliances.

It was moved to cloud. It's close to the application. Web gateway needs to be close to the cloud edge. Firewall is very, very different from an architecture and network perspective. I don't think Gartner could even give you anywhere that estimate.

I have now from SASE is a complete guess. They have no clue what the firewall as a service marketplace. And if they didn't get to a detail, I think it'd be less than $100,000,000. So, it will be there eventually, yes, but it's going to be very small. I think the more powerful components of firewall marketplace as we go forward. There is I think it's going to become about 10%, it's probably already is about 10% virtual.

We have a very strong FortiGate virtual machine offering. There's still going to be a need for appliances at these edges, the Internet facing. There's still going to be a need for appliances in the core where you need to the hyperscale performance. But the other area we think will be very interesting will be the micro segmentation cross cloud. And that is, even though you have native cloud firewalls from Azure and AWS, and by the way, we apply management and services sitting on top of a lot of that native security, as we've announced recently, we think of a cross cloud firewalling micro segmentation strategy.

A, it gives you that kind of firewall in the cloud and cross cloud that used to be predominantly an east west data center technology. I think migrate to being cross cloud, but it also gives you that visibility that you can take and transfer back into your north south or endpoint network WAN capability. So firewall as a service to me is just a tiny speck. We remain that way. It will be there and we offer it today.

But I think that the bigger component to us is still making sure we can sit in the middle of a data center, still at the edge of a network. I don't know anybody yet that's going to put that really wants to put a virtual machine at the edge of the network facing the Internet. The risk's tremendous, but we do see micro segmentation cross cloud as being an important part of the firewall marketplace going forward.

Speaker 18

Next up is Fatima Bologna from UBS. And Ben Bolen, you're on deck.

Speaker 20

Hi, thanks for taking my questions and thanks John for the presentation. John, I wanted to ask you about the AT and T opportunity and the partnership there, but maybe a bigger picture question around the SASE SD WAN market opportunity bifurcated between the service providers and carriers and the enterprise, because my understanding is that you're able to cater to both in different ways. So I'm wondering if you can talk about those compatible, but still different opportunities.

Speaker 2

Yes, another good question. I think it's the marketplace is about 50% enterprise DIY, 40% service provider and 10% just cloud SASE oriented versions. And so we're very strong in the enterprise because a lot of it was just switching it on for us. And enterprises like that. Now, enterprise is different in that they need to scale across multiple customers.

They need more sophisticated orchestration. And so we're just kind of over the last year or so entering the marketplace, it was slightly different for us. And we're starting to provide headway. But we don't think it's going to be isolated SD WAN is going to be more of this SASE. Maybe you saw my definition of SASE earlier, it's SD WAN, it's web gateway, firewall as a service, CASB and Zero Trust.

What we're going to see is that our customers are going to say, yes, we want to do SD WAN. This is like AT and T. They said, well, we could do SD WAN with you, but we've got a network only version of that. Why don't we do a SaaS version, which includes SD WAN, that includes a secure gateway, that will include some of these other applications going forward. And I'm having the same conversation with all the service providers.

They're saying, let's take our platform approach across our network into the customers. And they're hearing that from the customers as well. That makes sense. I do think and I've said this and our service provider customers know this, they've taken the easy route out over the last 5 or 6 years. They just said, oh, this is OEM something for marketplace, a SaaS version, because it's easy.

But they're realizing now that if they just keep doing that, they're going to get devalued into being just transport, especially since MPLS is getting turned over into SD WAN and broadband. So they absolutely know. They can't just OEM list going forward. They need to have their own solution.

Speaker 1

Thank you, John.

Speaker 18

Next up, Ben Vaughan from Cleveland Research. We got 2 after Ben. We're going to have Andy And Eliansky from D. A. Davidson from B and A and then we're going to wrap up the Q and A session.

So we'll try to get all through them in. So Ben, you're up.

Speaker 25

Thanks, Peter. Ed, this is John. Bigger picture, interested in how you think about the incrementality for Fortinet, either wallet share or cohort expansion as customers evolve into Zero Trust in SASE and also interesting that you have within the customer footprint for the ones who are most prepared to make this transition and already in play versus those who seem to be maybe lagging the most. Thanks.

Speaker 2

Yes, no good question. I split those

Speaker 26

2 off. Zero Trust to me

Speaker 2

is definitely something that's going to swallow the VPN marketplace. Now we have a certain percentage of the VPN marketplace. So, A, we want to make sure that all our VPN customers migrate to our Zero Trust versus somebody else's. But we also think that a Zero Trust allows us to go after the new marketplace plus other VPN vendors as well. So to me, that's an incremental increase addition in market opportunity.

SASE, as I keep saying, is 95% secure gateway where we have a presence, but nowhere near the size some of the larger vendors in that. And so I see that again as being an opportunity for us. I am not worried that this firewall as a service being such a tiny component of that, it doesn't really affect our firewall business. But we see it as an opportunity to go after the proxy cloud secured gateway marketplace and again tie in other things like SD WAN or CASB integration as we go forward. And again, I keep saying this, there's people who are in the cloud, there's people at the network, the networking vendors, there's the endpoint vendors.

And by the way, our Zero Trust, we want to upsell people into our EDR solution and XDR solutions as we go forward. So we think it's new incremental market opportunity, but even more so to cement our situation in the customers by building a use case across multiple products.

Speaker 18

Next up is Zaino Nowinski from D. A. Davidson. Then we're going to end with Talian, if we do that. Zaino, you're open.

Speaker 27

Thank you very much.

Speaker 28

I just want to ask a question on your access proxy. I know you said it was essentially FortiOS, but I'm wondering if that's synonymous with the proxy that Zscaler has and now Palo Alto offers as part of their Prisma Access solution. So I was wondering if you could just compare and contrast access proxy versus those 2 at a high level. Thanks.

Speaker 1

Yes, we'll think about

Speaker 2

the proxy access proxy and proxy web gateway are different. So the web traditional secure web gateway proxy is a certain marketplace and that is protecting users and you apply security to those to that access to the Internet. The access proxy needs the ability to apply per session against the contextual engine, given an identity based policy of the end users' agent. So they are similar from an engine perspective, but very kind of different marketplaces. And so for us, for U.

S, it can be both. It can be that secure web gateway proxy. We have quite a few customers actually use it, our FortiGate as a web gateway proxy, but it also will be a Zero Trust network access proxy as well. So again, the amount of features and function capability we can put on FortiOS, whether it be at a proxy, whether it be at a WAN, so your SD WAN, whether it be a Wi-Fi controller, whether it be a 5G controller, this is what gives us an advantage that we can play in so many different marketplaces with the same stack.

Speaker 3

Can you hear me?

Speaker 2

We can hear you.

Speaker 27

There you go. You may get a different name on the computer because of technical issues, but two questions. The first one is, if I ask your typical customer, historically, if I ask them what's the one benefit of Fortinet? The answer is major price advantage, 40% discount. And the question is whether you maintain this kind of price advantage also in a SASE model.

And the second question is with other companies, we have seen that SaaS is a replacement of appliance revenues and there's always a decline in product revenues and increase in And it creates some differences between revenues and ARR. In your case, it looks like your focus is slightly different. Can you talk about cannibalization versus non cannibalization business that you're forecasting?

Speaker 2

Sure. Let me answer those 2. So the first one, absolutely, we have such a price performance advantage for core networking, not just firewalling, but also SD WAN by the way, the customers obviously talk about that. They should also be talking about that it's not just performance, but it has enterprise security, it has all the networking features. So it's not just a performance.

We wouldn't buy it, it wasn't enterprise class. We wouldn't be in the middle of many large financial organizations if it was just cheap. So I always said, yes, it's great value, but it's absolutely high performance and high effectiveness. I think the second part of your question, what's happened is SASE, because it's also 95% QAP gateway, has ripped the heart out of Blue Coat proxy appliances and transferred them into the cloud. Absolutely 100% agree with that statement.

But as I keep saying, firewalls as a service is a tiny cloud. Firewalls as a service is tiny. I don't even register it. That's not ripping out our appliances and put them in the cloud. I think the long term for that marketplace is more around virtual machines, native and micro segmentation.

That's the bigger challenge to traditional hardware appliances, but SaaS and firewall service is not. Okay. Did that answer the

Speaker 18

question? We can We can

Speaker 2

always come back to that

Speaker 18

in the second Q and A after the CFO presentation. So John, thank you very much. Thanks. We're going to open the floor.

Speaker 19

Thank you, Peter. And I appreciate you acknowledging what accomplishment that was for me to get my screen to present. The Citi is slightly advanced now. All right, good morning, everybody. Thank you very much for being here today for Fortinet's Analyst and Investor Day, and I am indeed Keith Jensen, our CFO.

As I begin our presentation to share our Safe Harbor slide and highlight that I'll be making forward looking statements today. These forward looking statements are subject to risks and uncertainties, which could cause actual results to differ materially from those projected. All statements made today reflect our opinions only as of the date of this presentation, and we undertake no obligation and expressly disclaim any obligation to update forward looking statements in light of new information or future events. Let's take a quick look at the agenda. I'll start by highlighting our investment thesis, discuss several of our industry and company specific growth drivers and then review our financial performance for the past several years.

I'll wrap up by highlighting how the diversification of our business model and customer base has led to our very consistent and highly financial performance. Finally, I'll conclude by providing our medium term financial model and we'll follow the presentation with a 30 minute Q and A session with our senior management team. Throughout this presentation, you'll hear several recurring themes about the cybersecurity market, what uniquely positions Fortinet as an industry leader and the drivers of our consistent and sustainable growth, profitability and cash flow generation. Cybersecurity is a massive market with growth driven by long term secular tailwinds. Fortinet is an industry leader with our proprietary ASIC technology and integrated platform, enabling us to secure people, devices and data anywhere in any form factor.

Our revenues diversified across geographies, customer segments and industry verticals. With service revenue representing nearly two-thirds of total revenue, we have a sizable recurring revenue base driving sustainable and predictable financial results and a margin profile that leads to significant free cash flow. Fortinet's history of innovation has spanned more than 20 years. Our strategy of build versus buy, consistent financial performance and conservative financial policies have led us to where we are today. More than $3,000,000,000 in annual billings, free cash flow of over $900,000,000, non GAAP gross margins approaching 80%, non GAAP operating margins in excess of 25% and having just reported our 11th consecutive year of GAAP profitability.

Our strategy of balanced growth and profitability was recognized by both Moody's and S and P. These credit rating companies recently rated Fortinet as a triple as a strong BBB investment grade company. And importantly, 30% of all network security firewall units in the world of the Fortinet label, more than 3 times, more than the next 3 companies combined. We have over 500,000 customers worldwide that are approaching 700 U.S. patents.

In summary, that's who we are. This slide illustrates the results from our balanced growth and profitability strategy. Not only did our revenue growth outpace market growth for each of the last 4 years, we also increased our non GAAP operating margin 9.50 basis points during that same period. Fortinet's almost all organic revenue growth for each of the last three years has been approximately 20%.

Our higher margin, more predictable service revenue grew to 3 year CAGR of 22% for the period ended December 31, 2020. And service revenue now represents nearly two-thirds of our total revenue. Despite the pandemic, 2020 product revenue growth held firm at over 16%. In the group of major network security companies such as Check Point and Palo Alto, Fortinet was the only company to post double digit year over year product revenue growth in 2020. I'd like now to discuss several growth drivers that have contributed to our strong performance over the past several years and that we expect to drive our growth as we go forward.

There are many drivers behind the growth in the cybersecurity industry to simply put us about bad actors getting more and more sophisticated while targeting a continually expanding attack surface of edges and include data centers, WANs, LANs, public and private clouds, 5G, OT and IoT. Given this backdrop, we estimate our total addressable market will grow from $65,000,000,000 in 2020 to approximately $93,000,000,000 in 2024, representing a 10% 4 year CAGR. Importantly, the TAM estimates exclude related services such as our FortiCare support and FortiGuard security updates. Central to the $93,000,000,000 TAM is network security at 48,000,000,000. Network security largely includes physical and virtual next gen firewalls as well as secure infrastructure, components of 5G and SASE and SD WAN. In SD WAN, Fortinet is at the epicenter and growing dramatically.

Our continued focus on organic innovation means we have and we will continue to add capabilities to our security fabric platform in our integrated operating system including Zero Trust security capabilities, cloud security and security operations. Our solutions include a complete range of form factors and delivery methods, including physical and virtual appliances, cloud, SaaS and perpetual software as well as hosted and non hosted solutions. Together, they provide a range of security solutions and form factors, enabling broad integrated protection of hybrid environments in the expanding digital attack surface. Fortinet has shipped over 30% of all firewalls and currently has over 500,000 customers, evidenced by our sizable footprint. Nearly one out of every 3 firewalls deployed globally carries the Fortinet name.

This sizable deployment provides us with invaluable insights into evolving threats and vulnerabilities, which allows us to drive real time updates to our customers of all sizes and geographies. The inherent economics of scale that come with 30% of units deployed drives lower unit costs and may stress the competition as we annually add over 50,000 net new customers. In the past few years, SD WAN is shown to be a driver for both network security market and for Fortinet. We offer unique product that combines security and SD WAN functionality in a single appliance. Because of our SD WAN billings because of this, our SD WAN billings increased to over 11% of our total billings in 2020 from almost 0 in 2018.

Analysts believe the SD WAN market will grow to 30% to 40% in each of the next several years. Looking at our pipeline growth, we tend to agree. And at the same time, we expect to continue to grow faster than the market. It's important to note that SD WAN is a feature of the FortiGate operating system. For us SD WAN is yet another firewall use case.

Like other firewall use cases, customers often attach a variety of fabric platform products. Another growth area for Fortinet has been the move up market into larger enterprises. Expanding in the larger enterprises represents an opportunity and a journey. These two bar graphs illustrate our success thus far. We've seen a number of deals over $500,000 and $1,000,000 and the related billings grow steadily.

This slide shows the consistent annual and largely organic billings growth, clustered around 20% for the last 4 years, resulting in 2020 total billings of around $3,000,000,000. FortiGate and non FortiGate fabric billings were at a compound annual rate of 17% and 35%, respectively. We believe the 35% growth rate is affirmation of our broad and integrated platform strategy. Next, we're going to take a closer look at the non FortiGate fabric platform. These bars provide a closer look at the billing contribution from the Fabric platform. The balance growth between infrastructure and cloud fabric drove 2020 combined billings to 39%, resulting in total billings of 743,000,000. Driven by our 3 year compound annual growth rates in the mid-thirty percent, cloud offerings generated billings of $237,000,000 for 2020, and infrastructure products such as analyzer, manager, endpoint mail, sandbox, secure access products, etcetera, generated billings of slightly over 500,000,000.

It's worth noting that cloud and infrastructure fabric billings are on a pace to be a $1,000,000,000 business as we exit this year. This slide provides a summary of cloud and infrastructure fabric products. And it's a bit of an eyesore now, but I included here to make Peter happy because he often gets asked what's in cloud and what's in fabric for each of the analysts. Let's move on. So far, I've shared how Fortinet's diversified business and financial model drives consistent billings and revenue growth.

We've also looked at several growth drivers that we believe will contribute to So now let's turn to profitability. We continue to drive increases in our product gross margin through growth in our of cloud delivered and software solutions and meaningful improvements in our hardware bill of materials. At the same time, services gross margin is benefiting from the mix shift 24x7 support in economies of scale. Taken together, we've improved our total gross margin and maintain a reputation for price for performance leadership. This leadership may pressure competitors' pricing when competing against us and mitigate discounting pressures on us.

I'm going to pause here for a moment as assignments go by. Okay. All of you, because that's all clear. Improvements in gross margin and expense leverage have resulted in strong operating margin growth. And while we've been increasing our margin, we continue to invest in future growth, including increasing our sales capacity.

For example, in 2020, we increased our sales and marketing headcount by 22%, very similar to our 22% CAGR from 2017 to 2020. At the end of 2020, sales and marketing accounted for just over 50% of our headcount. With our growth in a business model that builds and collects cash upfront for service contracts, we continue to consistently grow our deferred revenue, free cash flow and free cash flow margin. To put our strong free cash flow conversion into context, we've benchmarked our free cash flow margin against the S and P 500 constituents. Our top 10% standing is testament to our business model is driving strong deferred revenue growth, our ability to grow margins with our ASIC advantage and efficient working capital management.

As for our capital allocation policies, we have a clear hierarchy of uses of cash and free cash flow in order: debt reduction when necessary, reinvesting in the company through R and D, CapEx investments and other organic initiatives, investing in inorganic alternatives, i.e. M and A, with a focus on smaller scale acquisitions with minimal execution risk, returning excess capital to shareholders to opportunistic share repurchases. Our free cash flow generation has not been the result of any let up in investments in our business. Our high level liquidity has enabled us to internally finance our R and D spending and where appropriate fund tuck in M and As.

We've invested over $1,000,000,000 on innovation since 2016 and $160,000,000 in several tuck in acquisitions. In 2020, we bought back $1,100,000,000 of

Speaker 18

our stock.

Speaker 19

Since 2016, we repurchased 32,500,000 shares for $2,000,000,000. From the start of 2016 to the end of 2020, Square and Gas stock price has increased 377%, over 3 times better than the other 2 pure play network security companies. As we work to transition to a more efficient balance sheet, last month we issued investment grade bonds totaling $1,000,000,000 with an average annual interest rate of 1.6%. As I stated today, our diversified business model has resulted in consistent company performance and a more predictable business model. Next three slides highlight the consistency and predictability associated with Fortinet. These four graphs illustrate the consistency of our operational metrics.

Whether you're looking at discounting, average contract term, renewal rates or service attach rates. Each of these metrics have consistently tracked within narrow bands over the last 3 years. Our revenue by geography shows almost perfect consistency for all three of the geographies year over year. And as would be expected, we have posted very similar CAGRs from 2017 to 2020. As I stated previously, our consistent and predictable performance is a result in a very diversified customer base, whether it's by customer size, geography or industry vertical.

To illustrate our customer diversity, I would note in the last 4 years, no single customer represented more than 2% of billings in any single quarter. The geographic diversification is especially interesting. We have customers in over 80 countries that individually represent less than 3% of our billings, yet in total they represent 50% of our billings. This diversity helps mitigate the impact of country specific events that impacts local economies. At the same time, this diversity drives our need for a broad solution set as our customers are not easily pigeonholed into one type of security solution.

For example, large U. S. Enterprises We have strong financial resources, regulatory runway, Internet access and housing arrangements appropriate for remote for work and learning. These same advantages may not exist across all geographies, customer sizes and industries. Just a quick recap on the Q1 and 2021 guidance that we provided on February 4.

As you'll note in the footnotes of the screen, we expect the recent bond issuance to impact 2021 EPS by approximately $0.05. Couple of additional modeling points. And as a reminder, my slides will be presented or will be posted on our Investor Relations website. And now, I'd like to share our medium term financial targets. Over the next 3 years, we expect continued growth. And looking out to 2023, we expect billings of at least $5,000,000,000 and total revenue of at least $4,000,000,000. Based on 2020 actuals, these projections equate to 3 year CAGR's results of approximately 17%.

As for margins, we expect our non GAAP gross margin in 2023 to be approximately 80% and our non GAAP operating margin to be at least 25%. Through 2020, we achieved the rule of 40 in 9 out of 11 years when we've been a publicly traded company. We define the rule of 40 as revenue growth plus non GAAP As we look beyond 2023, our long target is to continue to achieve the rule of 40. I'd now like to invite Ken, Patrice, John and Peter to join me for the Q and A session. Peter, we'll open up the questions.

Speaker 18

Thank you, Keith, and congratulations for making it through that with sharing your screen. So we're going to start with the Q and A. Just like before, please raise your hand if you have a question. Also, if

Speaker 21

you could lower your hand after asking the questions, so just

Speaker 18

brings up the queue a little bit. I appreciate that. We're going to start with Adam Tindle from Raymond James as a first question because he was left with the last one.

Speaker 5

So

Speaker 18

go ahead, Adam. Adam, you're still unmuted.

Speaker 1

Yes. Can you

Speaker 29

hear me now? Okay. I was going to say my congrats to Keith as well for the screen share. But I did want to ask a question maybe for Ken or John, earlier today you introduced the industry's first hyperscale data center firewall. You talked about how the NP7 chip is the equivalent 10 high end CPUs.

And I'm wondering with that context in place, do you envision perhaps hyperscale companies becoming more meaningful customers over time? I'm asking that because we often hear investor fear over public cloud as a potential threat to Fortinet. But wondering if there's an aspect where you can flip that narrative and sell into the Amazons and Microsofts of the world, whether it's chip license or product directly?

Speaker 30

Yes. This is Ken. The answer definitely is yes. We are working with a wider hyperscale customer and also a big service provider and enterprise to have our advantage on the chip, especially they have a huge computing power advantage like a use in their environment, whether in the data center, in their campus or in the service provider network in the cloud.

Speaker 2

Thanks. And do

Speaker 29

you think that can be meaningful over time or is that something that has changed today with NP7? Is that a new message?

Speaker 30

Yes, we're still in like in the mid of a ramp up NP7 with our own product refreshment, we do have a few case working with some big whether the provider or some cloud provider try to see how to using NP7 in their own kind of environment to build together with the other product. But it's like I said, we also kind of a few, because NP7 also tightly working with FortiOS and with other, that's also the reason when we released the FortiOS 7.0, we keep adding a lot of other features. It's all come from a huge competitive advantage from ASIC, which the general purpose CPU it's difficult to compete. So we do have the same CPU as any other competitor, but because the huge advantage, complete advantage come from ASIC, so easy for us to add more function in the OS and also apply some of these huge competitive advantages for certain service provider, cloud provider is definitely one of our direction going forward, but there's a lot of detail we need to work within and also try what's the ROI and also like what's the position going forward. So it's we're going to cloud provider service providers.

It's a huge market. We're working with for long term and also we'll keep the same strategy going forward.

Speaker 3

I'd say probably will still take a couple

Speaker 30

of years to be meaningful. Right now, it's still in a little bit early stage.

Speaker 18

Next up is on Mandeep Singh from Bloomberg and on deck is Sterling Auty from JPMorgan.

Speaker 2

Great. Thanks for taking my question. So I was wondering if you can tell me what sort of product headwind you see on the MPLS side with the workloads moving to the cloud? And who do you view as the main competitor on the cloud workflow security side, is it Zscaler, CrowdStrike or more of the firewall as a service vendors?

Speaker 18

John, maybe that's a question probably for you.

Speaker 2

Yes. So MPLS is, it's gradually being replaced by SD WAN. So that MPLS displacement is working really well for us. You saw some of the revenue numbers from Keith. And that's just going to continue.

I think right now the market is still only 50%. And so that's a huge market opportunity for us. In terms of the workloads in the cloud, the cloud security marketplace is so fragmented. You've got some native cloud. You've got a bunch of start ups doing the container security.

It's just there's just hundreds of vendors in there. It will shake out eventually. Again, we have more of a platform solution in the cloud across the network, the platform itself and the applications. We'll work with native solutions.

We also have partners. So I just think it's very fragmented. And if you look at the market sizing there, is tiny still. So that marketplace is just really emerging still.

Speaker 18

Thanks, John. Next one is Sterling Auty from JPMorgan and then Saket from Barclays.

Speaker 2

Yes, thanks. Hi, guys. So you

Speaker 31

showed Keith in your presentation headcount growth in sales and marketing, I think the CAGR was around 20% or 22%. Looking forward, the medium term targets has 17% growth in billings and revenue. I'm curious what kind of sales and marketing headcount growth do you anticipate being necessary to support that 17% CAGR going forward?

Speaker 19

Yes. I think the I think we're very pleased with how the business model works out for us, starting with the gross margin at 80% and being staying above 25% as we continue to add sales count headcount capacity. The real question is the trade off between capacity and productivity as this year plays out and as the next several years play out in terms of the midterm model. So I think the headline is that the model works with the hiring that we've shown in the margins that we're delivering.

Speaker 18

We had accept socket from Barclays. Sorry, from Barclays. Yes, absolutely. Can you hear me okay, Peter?

Speaker 19

Yes.

Speaker 32

Okay, great. Keith, thanks for the color on medium term targets. Maybe the question that I've got as part of that is, can you just talk about how you envision that $5,000,000,000 in billings roughly in terms of FortiGate versus non FortiGate? And maybe related to that, how have you sort of thought broad brush about product revenue as part of that kind of longer term forecast?

Speaker 19

Yes, I think the split between FortiGate and non-FortiGate, we expect that the as I noted before, it's an what we've seen in the numbers thus far is an affirmation of the strategy. We expect to see continued affirmation of the platform strategy and I think that message has been clear throughout the presentations today, including John as well. Looking at longer term mix between product and services, the second part of the question, Saket, I mean, it's just like any other quarter in terms of guidance. So the revenue from service revenue is very visible and predictable.

And I think you can probably pencil that out and then reverse engineer what that number implies about product revenue growth.

Speaker 18

Okay. Next up is Greg Moskowitz followed by Talianni. Go ahead, Gerhard.

Speaker 23

All right. Thanks, Peter. Hi, everyone. So, I actually have a follow-up to Zach's question.

Speaker 5

Peter, can you hear me?

Speaker 18

We can hear you. Go ahead.

Speaker 23

All right, great. Sorry about that. So my question is actually a follow-up to Saket's. And so as workloads continue to shift to the cloud and as security correspondingly moves more towards cloud and cloud subscriptions, does that create more uncertainty as it relates to that $5 plus billing target for 2023 or do you feel very comfortable in terms of kind of getting there regardless of how things sort of unfold over the next couple of years or so for Work Perceva? Thank you.

Speaker 19

Yes, I think I would probably say that regardless of how things play out, keep in mind that in that fabric number that we're talking about that includes SaaS revenues and some other things of that nature. So it won't be new to us to see some of that mix shift you're kind of inferring, if you will, a little bit to the non FortiGate part of the business.

Speaker 23

All right. That's helpful. Thanks, Keith.

Speaker 19

Thank you.

Speaker 8

All right. Tom

Speaker 27

I'm going to ask 2 questions that were asked before. The first one is Saket's, a good question. Of the €5,000,000,000 how much is FortiGate versus non-FortiGate? And you gave an answer that is in line with the But can you elaborate what is in your view, what is FortiGate and non-FortiGate in the 5,000,000,000? And second question, Ken, I asked this question before and I'm going to expand it.

Fortinet has a price advantage in the FortiGate products, you're anywhere from 40 even more than 40% cheaper than competition. What is your main selling point with SASE? Meaning, can you maintain price advantage in SASE versus other SASE solutions? And what is the basis for any price difference and if yes or if not, can you also discuss what's the main, basically, selling point or what's the main advantage versus other SaaS solutions that may try to offer a similar service?

Thanks. Yes.

Speaker 19

I'll run that and then maybe hand off the second part about the SASE pricing advantages and other concepts like that to John.

Speaker 13

I think if you look

Speaker 19

at those slides and as we're going through the exercise of putting together, it really becomes very apparent how consistent the business has been. Whether you're looking at revenues by geography, whether or not you're looking at product service mix, whether or not you're looking at the FortiGate versus the non FortiGate part of the mix of the business. And so with that backdrop in mind, I would expect that those trends that you're seeing in those charts are going to continue. We really don't see something that's disruptive that's going to charge a shift dramatically from what we've seen in our trends, whether that's product versus services or whether that's FortiGate versus non FortiGate. John, do you want to talk about SaaS, the long what's your comments on SaaS here?

Speaker 30

Yes, this is Ken. I can answer definitely the answer is yes. So we to maintain the price advantage, whether it's SASE or some FortiGate other product, because all come from the huge architecture advantage, the computing power advantage we have over competitors and that gave us better performance, lower cost and at the same time better gross margin. And for the SaaS, we are also the first one in the SaaS See their trust into the OS level. So I don't see any other competitor doing that yet.

It's to take multiple year effort. We first integrated SD WAN, some other CASB and then the other part of SaaS, we innovate all the same thing for the Zero Trust, which will make it not only a price advantage, but also easy to manage and has a more function and that can be also using like enterprise, they can deploy themselves and also service provider, they can either deploy themselves. You said on today's solution, you have to have multiple parts and kind of different OS solution to handle. So it will be more easy to manage and provide better security, more function compared to competitors, same time as a price advantage and the cost advantage.

Speaker 27

And if you're very successful with SASE, let's say you're extremely successful out of the gate, does it make an impact on margins, meaning your expenses are tied to a relationship with AT&T. Does it have any fixed expense element that might pressure margins at the beginning and later on, can you talk about how your margin progression would be with SASE?

Speaker 3

I think if you look at this as you compare to some of parts deployed, probably on average, they

Speaker 30

are maybe like 3x to 4x more expensive. But it's the benefit really is kind of goes to whether the vendor or service provider help them to manage that. But with this FortiOS 7.0 because all integrate together, so that's enabled some enterprise big enterprise also, some service provider, Molywha, will handle themselves. So that's what helping like drive better business model and better margin for the whether the service provider or maybe pass the benefit to the service provider or to the enterprise themselves. So that's for us, really.

Integrating OS levels is just a first step and then we also are keeping pushing to the ASIC level. We're keeping increase the performance of the SASE component make it even better, more kind of a cost advantage compared to the other whether you have a different box different kind of part of the infrastructure or compare all we have a whether the same OS or even go to the ASIC level. So that's take a lot of investment, but it's a benefit also huge in the long term.

Speaker 5

Got it.

Speaker 27

Thank you.

Speaker 18

Brian Essex, you're up, Benvol and you're on deck.

Speaker 25

All right, great. Thank you, Peter. This one

Speaker 2

is maybe for Ken or John. Particularly as we see the rollouts in new products and the levers for growth ahead, catalyst for product cycle tailwinds, how do you think about penetrating the market by segment in terms of entry level, mid level, high end. It looks like you're getting great success at the high end of the market. Is that where you see things going forward or is this more of a develop for the high end and let the technology trickle down type of strategy? Just trying to understand where you might be spending money to more effectively penetrate the market and where you see the best reward.

Speaker 30

Yes, I think that's a good question and also with a good strategy as direction we're moving forward. We also have a rare chance to have Patrice, our COO here on the call to answer question. I think Patrice can give some more detail. And then maybe Patrice can

Speaker 5

go ahead.

Speaker 26

Yes. Thank you. Definitely, we had a very strong footprint across the three segments from mid to high and also the service provider. I would have to say that depending on geos, we are reading all this segment. But definitely, the aim is also to capture more on this very large part of the enterprise segment. So we're putting a bit more effort here, especially in North America.

And we realigned this segment approach across the board. So we leverage in fact the technology providing the same kind of architecture for the mid, but the large and very large of the price customer. So it's because the platform that we deliver, and that's the beauty of the platform is that we can deliver on different form factor, both software, virtual or appliance. There's a different one factor of the appliance as well. So that's matched all different elements. And definitely, we'll leverage this a more segmented approach with much more focus as we move forward.

Speaker 2

Just one comment on the entry, mid and high end. Just remember, our entry level, we built our own SD WAN chip in our appliances and that's driven a lot of that business as well. So I think across all of those segments, entry, mid for segmentation and high end for hyperscale are all very relevant marketplaces we built differentiating technology for, whether it be the system on the chip, whether it be as the SPU or the content processor. Great. Patrice, Ken and John.

Thank you. Thanks,

Speaker 18

Next up is Ben Bollin from Cleveland Research followed by Ben Bollin from UBS.

Speaker 2

Thanks, Peter.

Speaker 25

Keith, I wanted to ask a question to you about gross margin and operating margin framework for the mid term model. Could you take us through how you think about the potential levers supporting upside or downside, I suppose, to those figures? Do you have any incremental investments built in your assumptions for OpEx as you have more diversity in go to market or supporting fabric? And last is, any thoughts on the productivity of your sales folks as they progress from new to experience and are selling more applications? Thanks.

Speaker 19

Yes, I think the again, I would look at our trends in terms of margins and what you're seeing related to the services gross margin as well as the product gross margin. Each successive generation of chip has shown the ability to take cost out of the BOM. And I don't think there's really a reason to think that that's not going to be the case to some extent going forward in the future. Having a hardware company that's throwing off 80% gross margin there are balances no small achievement. So it's probably a pretty good target for us to have.

And then it's just really that we want to continue to balance how much we leave in the operating margin line versus how much we care to invest for other ideas going forward. One of the most and for us, investments see oftentimes is the engineering team as well as the sales team and the marketing team. And when you look at the sales team, you get very different times to productivity, if you will. Our salespeople that are focused on the channel, for example, can reach productivity very, very quickly and actually be accretive to that margin. When you're hiring a true large enterprise salesperson, you're probably going to have to offer them a much longer runway.

But I think important in that is that, which you did not hear me say was moving anything moving away from the channel at all. And I think in Patrice's comments earlier today, he made a similar observation. The channel has been and will continue to be critical to our The fact that we're continuing to add sales headcount and no suggest we're moving away from the channel, but rather partnering more closely with the channel. I don't know if Patrice wants to add some more to that.

Speaker 26

Yes, definitely. I can even take the example dish on the SaaS and the SD WAN leveraging the service provider. If you look worldwide, as John was mentioning, there was a quick, I will say, solution that has been adopted by those large headquarters, whatever it is, AT&T, Orange or NTT in Japan, leveraging this proxy base covering the work from home needed. But long term wise, they clearly have been asking us to work more closely on delivering and building the fabless solution that they can deliver themselves. So they own the network, they own the access.

And our view is that we want to leverage like we leverage the very large enterprise reseller, those service providers that we build long term relationship, which I've been deploying in Z1. And now as we have Z1 and we are in the place of the age, we will leverage the SaaS Heath. So that's a strategy that I think will deliver very great results. So that may create much more pressure on existing cloud provider that has to build and they have their infrastructure to compete with the accelerator, why they are not still making any money. So it's there will be a very interesting future situation that will happen.

And I have to say as well, the cloud services when you deliver SASE or proxy based SASE, it's very easy to displace because there is nothing to remove from the edge or from the core network of the customer. So it's just an OpEx, so it can be very quickly replaced. So it's very more critical to own the infrastructure and to own, in fact, the edge and the core. So and then you have much stronger relationship and long term engagement with your customer. So that's another element where we see we and come back very quickly leveraging all the channel on this new trend.

Speaker 18

Hey, Patrice. Thank you, Ben. Next question up is Fotlin Bellini from UBS. Keith Bachman, you are on deck.

Speaker 20

Thanks, Peter. Keith, my question is for you. I'm looking at the business and the revenue segmentation where you've got about 40%, pushing up against 40% of revenue from subscription revenue, so your FortiGuard portfolio, can you maybe give us a refresher on how exactly you're going to market with FortiGuard today vis-à-vis the bundles you have. I think I may have noticed some reconstitution of some of your bundles under user and device and some of these other So wondering if you can just give us a refresher on that. And to the extent there's any pricing increases built into your forecast, especially as I think about the price performance advantage you have versus your competitors today?

Speaker 19

Sure. No price no dramatic pricing increases are built into the model or into the guidance that pardon me, the targets that we just talked about. And just as I kind of frame up the services conversation, services now at 65% of our business, that's split roughly 45% 55% between FortiCare, traditional support and FortiGuard, the security part of the business. That mix has been very consistent for a few years now, has not really changed when you look at it. And I don't anticipate that which have changed dramatically in the midterm period of time that we're talking about.

Not really familiar with changes in the bundles, maybe John Madison has something there that I'm not thinking about.

Speaker 2

Yes, just a small change. We added SOC as a service to the 360 bundle, 360 is the premium bundle, has everything in it. So that's just a small change there. Otherwise, the bundles, the ATP, the UTP, the enterprise and 360 remain the same.

Speaker 18

Thanks, Bhavan. Next up is Keith Baku from BMO and then Michael Turits from KeyBancondack.

Speaker 25

Okay. Thank you. I wanted

Speaker 24

to ask about the non-FortiGate side of the revenue. And if you could just I'd highlight, in the recent 12 months, what have been the key drivers of those revenues? You had the slide up, the Peter slide, we'll call What are the key drivers and how might that change or what's embedded in your expectations when you put out those 3 year targets, what are the key drivers you think of the non-FortiGate side of the revenue? And embedded in my question is, just wondering how Portman is an expansion associated with that non-FortiGate side of either revenues or billings. And I think about areas such as CASB and I don't think about Fortinet as a leader in CASB.

How important is it to expand the portfolio with the non-FortiGate side as you think about the next 3 years. Thank you. Yes.

Speaker 19

Thanks for the question. And I keep looking at it each quarter for the product that's going to jump out, if you will, and so this is the one that is just driving this number. And truthfully, it really is kind of a story of rising tide lifting all boats. I do believe that when you get into a secure SD WAN solution, secure branch, where it brings along the switches and the secure switches and the access points. Those 2 combined are probably around a third of the non FortiGate, probably a little bit less than that.

And then you really have this kind of a mix between software solutions, cloud solutions and infrastructure fabric. The real growth driver there, I don't know, is about adding more products to the non FortiGate suite, if you will, is more about expanding into our customer base. The first sale for the company is not always a FortiGate Firewall, but the clear majority of the time it is. And I know we're seeing other instances where other products will sometimes sell first.

But the typical use case is we sell the firewall, whether it's a physical or virtual firewall. And over time, we continue to expand. It really it plays back to some of John's commentary earlier today about the platform strategy, about things like vendor fatigue and CISOs and CIOs going through a phase of rationalizing their security spending and that's being there now and can use the term of being more patients, if you will, and sometimes taking longer to get it right on the common operating system. All those things are driving the opportunity to view the fabric part of the business is an expansion opportunity.

Speaker 18

Thanks, Keith. Both of you. Next up is Michael Turits from KeyBanc. It's probably the last one as we're coming up on the bottom of the hour here. Michael, go ahead.

Speaker 21

Great, guys. Thanks for getting me in. On margins, Keith, the guide was 25% to 27% this year, in the streets of 26. And you just got it up over 25 going forward. So how do you think about margin expansion and maybe in longer term margin.

So are we there yet? In other words, and that's in our margin expansion on EBIT side, how do you think about that in the next couple of years? And also, what about cash flow? And should whatever we're seeing in the EBIT margin direction, should we be seeing cash flow margins moving parallel?

Speaker 19

Yes. I think we've framed the conversation, starting with the idea of analyst growth and profitability and sometimes I'd like to say we're doing it for several years, but it's a reality as you can see that Ken's been doing it for 10 years, if not 20 years. And we're going to think very straightforward that some years we see the opportunity within that framework to tilt the bias one direction or the other. This is a year that we think the tilt is towards growth. As you start looking out at 2022 or 2023, I don't know that we're really at this point taking a position if you will one way or the other in terms of whether it's a year that's more conducive to growth or a year that's more conducive to profitability, that's kind of a wait and see, if you will.

I don't think that it's just going to be a linear world for us in any way, shape or fashion as we go forward. And then of course, this free cash flow margin, I think really does it ties to the growth in the billings number and also ties to the continued improvement in that operating margin number and so as such it will be contingent upon where we're at within that framework each year between balance growth and profitability.

Speaker 21

Thanks, Keith.

Speaker 2

And I would add to that. I think the other part

Speaker 18

of that long term target

Speaker 2

is the rule of 40

Speaker 18

and the addition. Between revenue growth and operating margin, we would expect those 2 to add up to at least 40 as they have 9 as of the last 11 years and expected to in 'twenty one based on our guidance. So with that, I'd like to thank everyone for attending today's Analyst Day. As I noted earlier, a replay of this along with the copies of all the slide decks and transcripts of the events will be posted on the Investor Relations website hopefully, and we'll get them there. With that, thank you very much. Have a great day.

If you have any follow-up questions, please feel free to reach out to me and I appreciate you for attending. Thank you very much.

Speaker 30

Have a good day.
