Title text for Tech Bytes episode 15 April 2024

Tech Bytes: Building an Effective Security Platform with Fortinet (Sponsored)

Greg Ferro

Drew Conry-Murray

There’s a lot of well-earned criticism of security platforms: They’re a tangle of acquired products, packaged so you pay for more than you need, sucking you into a single vendor. Today John Maddison from Fortinet explains why their security platform is different. Fortinet has one unified fabric with a single operating system, agent, and management console. It offers flexible plans and pricing. And it’s built to play well with others. John also touches on some of the new features in Fortinet’s latest release.

Episode Guest

John Maddison | Chief Marketing Officer, Fortinet

John Maddison has more than 30 years of executive management experience in the Cybersecurity and Telecommunications Industries. He joined Fortinet in 2012 to lead Cloud/SaaS Security development teams and is now the Chief Marketing Officer. He previously held executive leadership positions at Trend Micro focused on Advanced Threat Research and Cloud Delivered Security Services. He started his career with Lucent Technologies Mobile Division, Hewlett Packard Software and Cable & Wireless Global Networking.

Episode Transcript

This episode was transcribed by AI and lightly formatted. We make these transcripts available to help with content accessibility and searchability but we can’t guarantee accuracy. There are likely to be errors and inaccuracies in the transcription.

Drew Conry-Murray (00:00:00) – The security product lifecycle goes something like this: A new point product emerges from the threat landscape to fill an ecological niche. Over time, that point product gets incorporated into a broader suite. It happens in network security over and over. The firewall gets a VPN and then an IPS and then anti-malware and so on until you have a platform. Today’s Tech Bytes sponsor, Fortinet, has recognized this pattern and is here to make a case for its approach to platforms. That is how Fortinet designs its software and hardware to build an optimized platform. Can they make a good case? We talk with John Maddison, Fortinet Chief Marketing Officer, and you can judge for yourself. So, John, welcome to the podcast. Let’s dive right in. How does Fortinet design its products to address this sort of push and pull between point products and platforms?

John Maddison (00:00:39) – There’s always a need, I think, for point products, especially in cyber security, since the threat landscape moves a lot and people are changing their infrastructure. So there’ll always be point products, but some of those point products become commoditized or stable.

John Maddison (00:00:50) – And at that point you can then put them into what I call a functional platform. Good examples are next gen firewall or secure services edge or even, you know, even SD-WAN and gateways. And so this process will continue. There is a kind of a thinking now that you can take that functional platform even further and make it a suite. Now, it’s probably a bad name because not everything is software. But the suite would then take functional platforms and put them together. So, you know, the examples we hear about are XDR where you’re taking SOC and endpoint together or single vendor SASE. We’re taking SD-WAN platforms and bringing them with SSE platforms or SD-branch waiting in Wi-Fi, switching the CNAP in the cloud, multiple functions. But there’s also, I think I speak to some customers, especially some larger customers who say, well, I need dual sourcing. They’re kind of the anti platform. I’m going to go, I’m gonna have two of everything. So if anything goes wrong, I’ve got it all there.

John Maddison (00:01:48) – So I think.

Greg Ferro (00:01:50) – It’s the old security joke. If you want protection from Israel, get a Check Point. If you want protection from the US, get a Huawei firewall. You know that sort of joke. These have multiple different brands.

John Maddison (00:02:01) – Well, it’s also compliant as well. So if they you know, the other thing is a lot of people have implemented some SaaS security. Now when your SaaS security goes down, you’re at your desk and your exec staff are calling you going, when’s it going to get fixed? And you’re going, well, I’m waiting for an email or something to come through. I’ve got no control whatsoever. And so I need this resiliency almost inside.

Greg Ferro (00:02:22) – I think what you’re alluding to here is we’ve seen a bit of a messaging over the last 3 to 5 years of there’s too many security products. I think somebody said there’s like 200 categories of security products at one point. And I think it’s converged, as you say. But a lot of those are commoditized.

Greg Ferro (00:02:36) – It’s like firewalls now are commoditized. And then next generation firewalls came along and added more. And then on top of next generation firewalls, they’ve now become SD-WAN Edge points. You know, we can now put next generation firewalls with SD-WAN into a branch. And now we can, you know, and then the security then stretched out into the branch network and into the campus. I think what we’re actually seeing here is a transition away from security as a firewall or security at the edge to many points of security to actually just the whole network is a security function. And so you’ve got to start treating it like a platform because the security needs to be in depth, evenly spread, equally managed as one platform.

John Maddison (00:03:16) – Yeah. That’s correct. And you know the fundamentals of Fortinet, the reason the company was started was this issue around networking. You know, networking was designed to trust everything, connect everything. And it’s just got faster and faster over the last 20 or 30 years. What we’re saying is that trust nothing and check everything before you connect.

John Maddison (00:03:35) – And those connections can be anywhere, as you say, across the network today. And that’s why next gen firewalls came into place. What you’re saying let me connect. Let me check the application first. Let me check the content. What is who is the user. And that those principles then start to spread into SASE and zero trust, where you’re checking the posture of the device. Eventually, you’ll be checking a connection based on the context of that user driven by AI. And so think about those steps as you go through it. You’re checking doing more and more checks, more and more sophisticated checks for every connection you make. It just change the dynamics of networking because it was always supposed to, you know, connect everything as fast as possible. I don’t care what you’re doing or who you are.

Greg Ferro (00:04:14) – Yeah, we started off inspecting packets. Then we started off inspecting flows. Then we inspected applications. Now we’re inspecting users and taking the posture.

John Maddison (00:04:22) – And the devices.

Greg Ferro (00:04:22) – So let me ask you a question here.

Greg Ferro (00:04:23) – This idea of a platform is sometimes used by vendors to sort of get customers to buy more, saying buy our platform, but you have to buy all of this. But I think the reality for security is that different customers have different needs. Do I have to buy the entire platform? Is there some sort of flexibility in there to say, you know, I just want this part of the platform, or maybe I need to grow into it over the next five years on a budget cycle spending or something?

John Maddison (00:04:46) – Yeah. The most complaints I hear is when some large vendors sold the whole platform for this giant EA, you know, enterprise agreement and three years comes up. They’ve only used 20% of it, and they’re still being charged for the entire thing. And people get upset. Quite rightly so. As I said, I think people go on their own journey and they should be able to use as much or as little of the platform as they require, that makes sense, and they should only be charged for that.

John Maddison (00:05:11) – And I also think that it’s never going to be one vendor for a reasonable sized company. You’re going to have at least 4 or 5 platforms in there. And so you need to work together and the APIs need to work. And you can’t just say, oh, I don’t like those people. I’m not working with them, and that’s not going to work.

Greg Ferro (00:05:27) – So it sounds like you’re taking a realistic approach. You’re recognizing that the real world is people start somewhere and finish somewhere else. And sometimes that’s got multiple parties involved, and sometimes that’s starting here. But growing steadily over time as the money’s available or as the skills build up.

John Maddison (00:05:44) – Yeah, exactly. They go on a journey. There’s a typical journey for us, which usually consists of firewalling. Then I switch on the SD-WAN and then I control IPs and switches. Then I’ll turn on remote access, then a bit… So everyone has a it’s usually the same, but they can stop and start at different places.

Drew Conry-Murray (00:06:02) – So one of the things we’re talking about here with the platform is that a security company or a networking company could basically acquire a bunch of point products and, you know, put some marketing slides around and say, we have a platform.

Drew Conry-Murray (00:06:11) – But Fortinet’s approach has been different intentionally.

John Maddison (00:06:14) – Yes. Yeah. And the other complaint I get is and we get asked this a lot, you know, are you going to be acquired or you’re acquiring. Because one of the worst situations is they make the decision around a specific product. It gets acquired, the company sticks their badge on it and said, oh, is now a platform. Now the trouble is with that is that when you buy a more mature product, it’s got different types of code, it’s got different APIs and management consoles. It is extremely hard to integrate and make it look like one platform, and that’s why, you know, we’ve been using our operating system FortiOS to build our firewalls. Same for SD-WAN, same for Wi-Fi switching, same for a single vendor SASE, same for SSE. So it doesn’t matter where it is. Is it in an appliance? Is it in our cloud. Is it in somebody else’s cloud. Is it virtual machine? It’s the same OS now, even ourselves doing it that way.

John Maddison (00:07:05) – We still need to make sure the management consoles that are synced up across that, it’s extremely hard. I can’t imagine trying to do it by acquiring completely different companies on different software standards and everything else. And one thing that I think I talk about with customers is that one evidence, one proof point for us is our Magic Quadrants. I don’t know, some people hate Magic Quadrants, some people love them. Most people in the middle, they most people look the whole Magic Quadrant. They don’t look at the leaders. But, you know, we’re in right now four Magic Quadrants, a firewall, SD-WAN, single vendor SASE, and most recently, we became a leader in wireless LAN, WLAN. It’s the same product, it’s the same operating system. And for most companies, it’s either different companies or acquired products. That’s really hard to do.

Greg Ferro (00:07:50) – Does FortiOS run on the FortiFone? So you actually have IP phones, you actually sell IP telephony systems. This is something we’ve never talked about here.

Greg Ferro (00:07:59) – Does FortiOS actually run on the FortiFone?

John Maddison (00:08:02) – Well I talk about two platforms. One is our core platform, which is the operating system FortiOS, which runs about 30 applications. I just mentioned a few of them. And then we have our fabric where other products connect in through our fabric connectors. You know, we’ve done some acquisitions ourselves as well, like our EDR, but it runs on a different… but it’s connecting in and eventually everything comes in. So for example, in the next year, our EDR, FortiEDR, you know, our sophisticated naming system of Forti, whatever it does. Yeah. Yeah. Eventually FortiEDR will become part of our FortiClient, which is very tightly linked into FortiOS. And think about convergence of the network. Think about convergence of the endpoint where most vendors have got, most companies got ten agents running around doing their own thing. Our FortiClient now does EPP, VPN, EDR, SASE, zero trust, digital experience monitoring all in a single agent.

Greg Ferro (00:08:57) – And that agent is still FortiOS in as far as…

John Maddison (00:09:00) – It’s FortiClient, but it’s very closely linked to FortiOS in that it can talk to FortiOS with a special protocol. And for example, you know, the zero trust. You know, one of the most important things is in the middle of a connection or a session. Does the posture change on the endpoint device? Well, change the zero trust policy ASAP.

Greg Ferro (00:09:18) – I love that you aren’t saying that you’ve got one pane of glass. What you’re alluding to is a lot of people have, you know, that one management, one pane of glass, but really it looks more like a stained glass window, lots of small panes of glass coming together to present a vision.

John Maddison (00:09:33) – But what the biggest trick I see is people saying they use these virtual machines and they’ve got this ten consoles on one. It wants a virtual machine. They’ll go, oh, this crosses the tabs here on my on my browser, there’s a unified console.

Greg Ferro (00:09:45) – But what I hear you saying is that you’re converging as much as possible at a reasonable, at whatever internal rate of change that you can achieve towards a single pane of glass, like less of a disparate. I bought 20 companies and I’m trying to weld them into a platform more of a, you know, and they might have been using different versions of Linux underneath. They might have completely different code base, different languages. You’re much more alluding to wherever practical FortiOS is the core operating system. And that means it’s much easier or, well, a good-er, you know.

John Maddison (00:10:16) – Good-er that’s a good word. That’s so, a good example was SD-WAN, where, you know, when SD-WAN came up, we thought it’s going to be very important and it is very important. We could have gone and bought something. We could have built it on a separate box much more quickly when we built it straight in to the operating system, which was harder for us to do because you have other things going on inside that.

John Maddison (00:10:34) – So to me, our core stuff like the wireless controller, like 5G SD-WAN is built inside there and what we can also do over time is take some of our standalone product functionality like NAC or SIEM or SOAR, which in a multi-vendor environments is essential because you got to be able to connect to all these different people and you need sophisticated enterprise AI. We’ve taken some of those pieces, like NAC, and built it straight into the OS. So the seven most common use cases of NAC are now available on our OS. Again, free of charge. You just switch them on. And a lot of companies who are more Fortinet orientated, that works very well for them.

Drew Conry-Murray (00:11:11) – So you mentioned the security fabric. Is that just for other Fortinet products that aren’t built on the FortiOS operating system, or does it include third party products as well?

John Maddison (00:11:20) – There’s two levels. You know, the ones which are very close to FortiOS are the FortiClient, FortiManager and the FortiAnalyzer, the analytics engine, which is becoming more and more important as the data lake and the ability to see things.

John Maddison (00:11:35) – So those products themselves are very tightly integrated. Then as you expand out. You’ve got, you know, our SIEM, our SOAR, EDR, which are products which connect into the fabric but not quite as close. But that functionality starts to be transferred across into the core FortiOS and those core products.

Drew Conry-Murray (00:11:54) – So what do you mean then by a fabric?

John Maddison (00:11:56) – So fabric just means that we can exchange threat intelligence. We can exchange policies. We might use some of the most common data elements. It’s kind of a lighter integration of some of these products that enable that, that kind of enables it to act like a fabric. It’s not to me a platform, a core platform is something that’s holistic in that everything’s sitting on that platform and it can be managed by a single instance.

Greg Ferro (00:12:21) – So what you’re saying, let me try and extrapolate that. I’ve got a policy: Permit traffic to Microsoft Azure Office. If I implement that rule, then that can be equally implemented on the campus edge, on the SASE, on the NAC solution or in the SSE.

Greg Ferro (00:12:38) – And I don’t have to go around and do it individually on all of them, I can just say a global and make it a fabric change.

John Maddison (00:12:45) – Yeah, yeah. And also, you know, if you want to run some sort of rule set, you know, again, you could run it on those different management consoles and it all gets applied. Our thinking is that we’re now entering this third era of network security, that we’ve gone through this first era, which was kind of firewalls, stateful firewalls, which was better than just connecting everything. You check ports, you check the IP and went through this second era of next gen firewalls, where you’re now looking at applications and some content and users. This third era of network security. We kind of refer to as unified SASE. There’s some other names out there. But now, because of what you said at the beginning, now you’ve got edges everywhere that you now need to do that convergence across all the edges. And so you’re taking SD-WAN and SSE and access points and you’re taking CASB and you’re having to kind of protect against all the different applications and the different locations.

John Maddison (00:13:38) – This third era of convergence also now expands from protecting the threats on the outside to protecting the data on the inside as well. So now you’re looking at the data protection piece, which I don’t think any vendors solved that well. This DLP, I was 20 years into it and people are still saying, oh, well.

Greg Ferro (00:13:58) – You’re making me laugh because that’s I used to do a lot of DLP and no, it’s not a solved problem. And, you know, I’m not 100% convinced that the current rate of change, that it will ever be a solved problem, there’s just too much… by the time DLP catches up with the state of the art, the state of the art has moved on in a funny sort of way.

John Maddison (00:14:16) – Well, I think AI might help a bit. The always the problem is, you know, is data now spread even further. So the problems only got worse.

Greg Ferro (00:14:23) – Well, I think also it’s the volume of it. And this is where your ASICs like your hardware leadership, like your ability to develop an ASIC.

Greg Ferro (00:14:29) – And then I think again comes back to this one OS, FortiOS. And having your own ASIC just means you can almost like it’s three ASICs really. But it almost means like, oh, I need to make my FortiOS hardware, I can just add an ASIC to it. Is that kind of the idea?

John Maddison (00:14:43) – Well, we call them ASICs here in this country, not ASIC, but that’s okay. I’ll let you slide.

Greg Ferro (00:14:50) – Tomato, tomato you know router router router.

John Maddison (00:14:56) – I think yeah I think, you know, what happens is when you, you, when you’re providing you’re asking a lot more questions before you make the connection. You’ve got a lot more data to kind of sift through and apply. And you just it’s to me it’s the same. My analogy I think I always use is: The best, you know, gaming systems rendering are the CPU plus the GPU. It will always be the highest end CPU. So the best security products are CPU plus SPU security processing unit, which will always perform a lot better.

John Maddison (00:15:26) – And the other thing I’m starting to hear, especially from Europe, is the power efficiency. They’re actually starting to test our systems. Now. You say you’re 80% more power efficient. We’re going to test it. And they do.

Greg Ferro (00:15:36) – Yeah. You know, I was talking to someone the other day and they had a 25 year old switch, very famous well known switch. And they worked out that they could buy a modern switch and replace it and get ROI in two years just from saving power. So you shouldn’t be keeping those, you know, if you’re into that level of testing and you’ve got that ability, it’s actually fairly easy to do that. And I think power is going to become a much bigger issue going forward. There’s a shortage and it’s going to be a bigger issue. And so the ASIC is a big deal. So you’ve got new stuff coming out. So at the back of this time your conference is just coming up and you’ve got some news. What’s the latest set of announcements which sort of tell us where you’re going next.

John Maddison (00:16:10) – Yeah. So each year we do a big release of FortiOS, FortiOS 7.6, maybe unlike even five years ago where we used to say, all these are all the features in our OS and they’re on the appliance and away you go. When we do a release now it sits across multiple areas. So our FortiOS release, for example. It’s, you know, speeches inside there which will be available as the new SD-WAN, new firewall features that are available in the appliance, but it’s also available in our SASE FortiSASE console that’s in our cloud. So and it’s also now connected into the FortiClient, which we’ve just announced, integrating EDR inside there and digital experience monitoring. There’s some new features inside the FortiAnalyzer, which is part of that platform as well. And in fact, at our Accelerate last week, Accelerate 2024, we have about 4000 partners and customers there. We demoed our new GenAI in our FortiAnalyzer, where our head of product development started asking it questions, and demoed a virtual SOC analyst, asking you questions about why is that server slow? Why is that being attacked this way? And you can see where a lot of the I know AI is so overhyped.

John Maddison (00:17:23) – We believe that the AI piece will be part of one of the most important areas will be the GenAI sitting to make it more intuitive as a product, but actually acting as virtual analysts, both on the NOC side and the SOC side to help you find things more quickly and run more quickly. So again, a lot of features across many different things versus just one software blob. And you just kind of announce the features inside there. When we do announcements these days of our operating system, it’s actually across multiple products and multiple areas, a lot of emphasis on making sure we can add the new applications. The client zero trust… new zero trust features, new SASE features, new analytics features as well.

Drew Conry-Murray (00:18:05) – All right. Well, that does wrap up our time today, John. If folks are curious about Fortinet, about its platform, about FortiOS, about any of the capabilities or other products, where should they go?

John Maddison (00:18:15) – Definitely Fortinet.com.

Drew Conry-Murray (00:18:17) – Nice and easy, Fortinet.com.

Drew Conry-Murray (00:18:19) – We’ll also have other links in the show notes for you to follow up on. Thank you, John, for joining us, and thanks to Fortinet for being a longtime sponsor of Packet Pushers and as always, thank you for listening. You can find this and many more fine free technical podcasts and our Slack community. It’s all at Packet Pushers dot net. You can find us on LinkedIn, hear us on Spotify, and read us on Apple Podcasts. And last but not least, remember that too much networking would never be enough.
