Fortinet, Inc. (FTNT) Earnings Call Transcript & Summary
March 9, 2021
Earnings Call Speaker Segments
Patrice Perche (executive)
Hello, everyone. Welcome to the 2021 edition of Accelerate. This is our second digital edition, as we unfortunately still can't travel to gather and meet in person. However, the number of registrations and attendees today shows that you continue to be highly engaged with us, and I want to thank you all for that. Over the years, we have greatly accelerated our business momentum together, and last year was no exception despite the major challenge we have all faced. We are in a position to accelerate more than ever, to enable, together with our partners, the massive digital transformation you are going through. 2021 is about capitalizing on the strength of our vision, platform and investment, delivering an unprecedented level of growth and putting all of us in the leader's seat. 2020 operated both as a catalyst and as an accelerator of the key trends that are reshaping the digital world. Let's take a look at the four key markers of this acceleration. All sources of information highlight a very strong acceleration of digital transformation investment. As you can see, a 44% growth between 2019 and 2021, reaching $426 billion in spending. And we do see that the investment in transforming the economy and corporations leveraging digital technology will continue to move forward beyond 2021. Let's take a look at another key marker: home working. The global pandemic gave a very serious boost to home working. Before the pandemic, the forecast was about 30% home working in 2023. As the pandemic hit, home working became the norm in a couple of weeks. If you look at Google searches for the words "home working" alone, search volume rose about 300%. We do see, as we move forward after the pandemic, that a portion of home working will stay, a higher portion than before the pandemic. So the transformation of work practices will probably stay for the long term.
In 2020, investment growth in 5G reached a new level, 96% in terms of growth, reaching $8.1 billion in spending, mostly in the service provider and telco space, but enterprises are also betting on speed. They are also looking for the low-latency value and the high flexibility that 5G will provide. We do see the emergence of new applications: self-driving cars, remote surgery, immersive game-changing applications while on the go, and many, many more coming. It's just the beginning of this revolution, where 5G will deliver high speed wherever you are. The cloud computing market has also grown at a very nice rate, about 18% during 2020, and is planned to reach $436 billion this year. Definitely, the adoption of these new approaches, leveraging public cloud providers and cloud computing, will stay and will represent a significant area of the digital transformation. It's also an area where we have to look at security. Now, all of this transformational demand comes with its share of risk. The digital transformation has increased the attack surface in 3 areas: new edges are emerging, new applications are making our world more exposed, and new ecosystems are being defined, all creating new weak points for data leaks. Home working definitely saved our economy during the pandemic, but consequently connected more non-professional devices, home routers and family-grade equipment to business-critical applications. 5G brings a new world of applications, but the high speed and the low latency make security a new challenge. And cloud computing has increased the risk of data leaks, privacy breaches and potential failure to comply. So all organizations had to face this accelerated evolution of the digital business. And sometimes we were put in a very reactive position, looking for the right security solution to help solve those rising issues. And Fortinet was the right vendor to turn to, allowing us to deliver together another year of growth.
2020 was another very successful year, providing the confirmation that our vision and our execution were right. As you can see, we reached for the first time more than $3 billion in billings. And while growing at double digits, we have also been able to generate a very healthy and profitable business, which also allows us to look to the future with all the financial assets that are required. The operating margin was also generated at high rates, which of course gives us the means to invest more, and we did. During 2020, again, we spent about $340 million in R&D. Innovation will drive future success; that's part of the DNA of Fortinet. We also invested in capacity and in people, both in R&D and support, as well as in sales. As you can see, we added about 30% sales capacity to better provide you value and services. We also, as we have a very successful sales model leveraging the channel, launched last year our new program called Engage, and I will be pleased to share some of the new initiatives coming today. And we continued, of course, to solidify the technology and the expertise that we need to cover all aspects of your security challenges. We acquired 2 nice companies that were completing, in fact, core strengths in terms of network security. This puts us, in fact, both from a growth and from an investment perspective, in a very strong position. As you can see, we serve all market segments, so we are now fully aligned to really provide the best value for each of you, whatever market segment you are in. What is also very interesting is that we are almost exiting this pandemic; we see a bit more hope as we speak. The downturn in GDP last year, which was about minus 3.5% worldwide, will turn into positive GDP growth of 5.5% in 2021. So this is a 9% shift, and that will happen quarter over quarter.
So be ready. As you can see, 2022 is also expected to see high growth in terms of worldwide GDP, so be ready for acceleration. Let's look at another key area of investment, which is essential for the acceleration of the channel. Our sales strategy from day 1 relies on the channel, a trusted long-term relationship. And last year, as I highlighted, we launched the new Fortinet partner program called Engage. And now is Phase 2 of this program. Phase 2 comes with new specializations that address market requirements, such as OT specialization, Zero Trust architectures and security operations. It also comes with a much easier way to do business with us, and it is also coming with a completely revamped cloud channel program. So more to come during the breakout sessions, but I'm sure you'll be as excited as I am about the launch of this new program. It's also about skills and knowledge. As you know, we are all facing this global skill shortage. So the successful NSE program that we launched has also been a great help in, of course, providing value and transferring value to you, our partners, and to you, our customers, with more than 5,000 certified engineers worldwide. And during the pandemic, we had about 800,000 registrations to acquire expertise, leveraging our NSE certification. And as you know, we have been providing free access to several levels of this NSE certification. So that's part of the great program that we are providing and, of course, of our engagement with you, partners and customers; we are very happy with the evolution of this certification program. Together with our partners, we are ready. And now let's take a look at what is coming to us. First, let's look at the success: why we are all together so successful in answering all the challenges we are facing. Success does not happen by chance. Let me share with you a few fundamental reasons for the massive adoption of our solution. It starts with the vision. Ken's vision.
The convergence of network and security, which was in the DNA of Fortinet from day 1. This convergence has become essential to secure data that is being accessed and then read from anywhere. It's about providing the freedom of choice when it comes to the cloud journey. We are the only security company that brings your freedom back when it comes to the security cloud journey. We offer the broadest cloud offering. We provide the choice to go with any cloud provider. We provide the timing: you can keep your pace while leveraging your existing investment on-prem and moving step by step on the cloud journey. It is about, of course, leveraging the chance from a financial, but also from a technology perspective, whatever you want to have: full cloud, hybrid cloud or maintaining your existing on-prem delivery solution. But it's always a consistent security posture everywhere, from any source of data storage. Your cloud strategy, your policy, your priorities still have to sit above any public cloud provider's road map. And that's what we are. And then it's about the rise of the edge. Ken, during the Accelerate presentation 2 years ago, presented and predicted this; this trend has accelerated, boosted by 5G, and the world of innovation at the edge is coming. And you can see, as I highlighted, self-driving cars, remote surgery and more to come, but that creates, in fact, many more new edges, which require security to be delivered consistently across all edges: cloud edge, WAN edge, home edge, OT edge and data center edge. Those predictions are real, but let's talk about the numbers, at least on how we have been able to tackle those new challenges during 2020. As you can see, our Secure SD-WAN was a great example of the merge of networking and security. We came late to the market, but we looked at the demand and at what was the key blocking point for deploying this new SD-WAN technology across the world.
And that was by adding security, embedded security, to this solution. And with our great Secure SD-WAN, we have been able to have a record year, and we have been able to grow 96% year-over-year from last year. And we have been enjoying a very nice position in the Gartner release in Q4 of the WAN Edge Infrastructure Magic Quadrant, where we are #2. The cloud is again another example: we grew about 60% or 64% in public cloud provider solutions. Here again, the freedom of choice and the same security posture that you have on-prem and in the cloud are helping to deliver such a very high number. And last is about, of course, covering all these different edges and evolving to the Zero Trust network architecture. And here again, with our endpoint, our EDR, we have been able to enjoy 173% year-over-year growth. So all of those numbers confirm the great vision, the great anticipation of the market trends and the great execution that we have all together been able to do. To explain why we are successful in our vision of security, we have to understand the new security pipeline created by the digital transformation. Digital transformation is driving a significant shift in the way all of us deliver technology and services to connect people and objects to applications. The infrastructure has been, for the last 20 years, centered around the data center. And as you can see, it was more data center centric, where we had almost 80% on-prem. And it was the access to that data which was mostly around the core network, while accessing through an aging DMZ perimeter. And last was about the manual config. So in order to allow access and control, it was all manual, very limited in terms of automation. The transport layer was the link between the edge and the data center. The digital transformation is forcing a shift towards a hybrid cloud-centric world, where the data center is just another place where applications are hosted.
The enterprise edge spans many different domains: cloud edge, security applications, on-prem and third-party, and the wider internet. You can see that there is most likely a shift from on-prem to off-prem, about 50/50 hosted or SaaS. And security needs to be delivered everywhere with end-to-end automation. So, simply connecting people and things to applications, putting end-to-end visibility with policy enforcement and automation at the center of this new paradigm. This new paradigm affects 4 dimensions: architecture becomes distributed, applications are delivered through SaaS, security needs to be enforced everywhere, and management requires total visibility across multiple vendors. Such a new paradigm demands a holistic approach to cybersecurity. In this context, the Fortinet Security Fabric sees its core attributes as more crucial than ever. It's broader than ever, now embracing the rise of the edge in all of its dimensions. It's natively integrated, and it's fully automated, with an open ecosystem for third-party applications. The set of solutions that covers this fabric now has 3 main aspects: Zero Trust network access, security-driven networking and adaptive cloud security, all starting with what we call the Fabric Management Center, NOC/SOC automation and FortiGuard threat intelligence. And in 2021, Fortinet brings the Security Fabric to the next level: all building blocks are now integrated at the heart of the Security Fabric in one operating system, FortiOS, making this one platform able to enforce one consistent policy across all edges. They sit above cloud diversity, and that keeps all scenarios open in an uncertain world. No vendor can claim to deliver such Security Fabric value. You will now see, during Ken's and especially John's presentations, how Fortinet and FortiOS allow the fabric to cover multiple new use cases.
So let's take a look at those 3 elements that I consider very critical, as we see huge demand moving into 2021. Our one platform, the Security Fabric, allows us to secure the branch or the edge range with our Secure SD-Branch, which is a great, I will say, recognition of the Fortinet strategy, success and execution. SD-WAN is the example where we started by implementing, listening to what is important for new customers, and embedding within our FortiOS all these networking features into a comprehensive security approach. And that has helped us to gain huge market share, putting us, as highlighted here and by Gartner, in a leading position. And SD-WAN isn't the only example. Our platform approach enables us to offer an AI-driven Zero Trust access solution that is seen today as the safest path into a full XDR solution: XDR with response across an extended scope, and automated user profiling and behavioral analytics for endpoint monitoring. It's all about managing the user accessing the data and the application, understanding their behavior and potentially anticipating any leakage. And with this expansion, leveraging our FortiOS for Zero Trust network access, we are about to do the same with SASE. Our platform allows us to develop the most complete SASE architecture, including next-generation firewall as a service, Secure Web Gateway, CASB and Zero Trust Network Access. It integrates application security natively in the Security Fabric and in our SD-WAN. It also provides a much safer approach for the home or remote user, providing the choice of agent or agentless, depending on whether you want the best security or a compromise between ease of access and security. And it's all about performance. It's important that when these new home workers access the applications they are working with, they maintain high performance. So it optimizes network access and scales performance as well.
So here again, Fortinet will offer you the freedom of choice to secure the home edge with the best price/performance ratio without compromising on security. Through our platform, the Fortinet Security Fabric, we are taking leadership in various markets, such as the next-generation firewall market and WAN Edge infrastructure. What you can see here, we have done with many others, and we expect to move to the same leading position in the next 2 years. So now let's take a look at the benefits of this fabric and the 1 platform with 1 operating system. Look first at the business benefit. We are all engaged in rationalization, especially during this very complicated time. Many companies are running short on cash for investment and must rationalize why they are doing this digital transformation. And security is no exception. They may have to spend less money, or equal money, to cover more aspects, including these new trends. The native integration of our features, leveraging our Security Fabric and the product landscape that we provide, helps, of course, to deliver this benefit from a TCO perspective, but also from a rationalization perspective in terms of dealing with fewer vendors. It also provides a security benefit. The Fortinet solution provides a fully third-party-validated platform, which no one can compare to, and it's the same security platform that excels, as I mentioned, in multiple Gartner Magic Quadrants. It's not a suite of heterogeneous solutions artificially glued together on the side. It's a true, real security platform that allows you to react to, or anticipate, any attack that you are facing. And last, it's about the channel benefits. Our channel, as you know, with long-term relationships; we try to be the best vendor to deal with, enabling access to all market segments with our solution.
All sizes of companies across all sizes of programs are able to deliver both OpEx and CapEx solutions, making sure that you have the choice to add services on top of the technology we provide. And it's about loyalty and long-term vision. So again, here, I'm quite happy with everything that we have built and, of course, very excited about the future. To conclude, I would like to leave you with 3 takeaways. First, the vision. It has been proven, it's true and it is unique. I think it is clearly disruptive, not following everything that is in the cloud. We have a much broader, more hybrid view of what's going on in the future. And as you will hear from Ken, the future is also to secure all the new edges; this is, in fact, the next major wave that we have to start anticipating today, including the home edge, including the OT edge, including the cloud edge. And the platform is the advantage: having 1 platform that allows you to realize, through 1 single operating system, all the security requirements that you need to deploy and manage on a daily basis to improve your security posture. So let's, of course, look at 2021. I'm looking forward to working with you, both partners and end users, to make this a very successful new record year. Thank you. [Presentation]
Ken Xie (executive)
Thank you for attending 2021 Accelerate, and thank you to our customers and partners for their big support in the past year and from the very beginning, since Fortinet was founded 20 years ago. With all your support and help, we continue to grow faster than the market, with a CAGR in the last 20 years averaging 45% growth year-over-year; we outpaced the market growth by about 10%. And also our superior technology and long-term investment have all paid off, making Fortinet today one of the leaders in the cybersecurity space. More than 0.5 million organizations and governments look to Fortinet for protection, so we have one of the biggest deployments of cybersecurity appliances in the world, with over 6 million FortiCare deployed; we account for over 30% of total global deployments, making Fortinet the leader in the whole network security space. And also, we bring a lot of value to the shareholders. You can see that since the IPO, Fortinet's value grew over 2,000%. And also on a 5-year and 2-year basis compared to our competitors, we're also the #1, outpacing all the other competitors. And I appreciate everyone's support, including all the investors and analysts attending today. And we keep building the best, broadest portfolio, leading with network security and also including the endpoint, including application, including the other infrastructure; the whole portfolio we have is the broadest in the whole industry. And most of these products are organically, internally developed, and made to work together from day 1, integrated and automated together. And this is also led by the innovation we have, with more than 700 patents, which is more than double any other competitor. We continue to lead innovation. We feel this is a key, important part of keeping Fortinet growing organically going forward and outpacing all the competitors.
Plus, from the business model side, we have the best business model in the industry, which has both growth and profit, compared to some of our competitors that only have growth and some others that only have profitability; we have both. This has also resulted in Fortinet having the best credit rating in the whole cybersecurity industry, and we are also the only cybersecurity company on the S&P 500 list, which reflects the whole team working together on making Fortinet the best cybersecurity company in the space. Also, you can see the cybersecurity industry keeps on changing every year. Our attack surface is quite different compared to the traditional firewall VPN market 10, 20 years ago when Fortinet started. So today we see there are 3 major focus areas for us. The first is security-driven networking, which is also the vision Fortinet has had since our beginning. We do believe security and networking need to work together, making the whole infrastructure secure. The second today is that you also need to cover the so-called Zero Trust network access, and that's where traditional perimeter protection is no longer enough. You also need to protect all the mobile devices. You also need to protect the applications in the cloud. You also need to protect all the other parts of the infrastructure, both expanding to the WAN, like SD-WAN and 5G, and expanding internally, like all the internal segmentation, switching and Wi-Fi access. So that's where Zero Trust based protection is also very, very important, thus making the whole infrastructure very, very important, including leveraging the cloud to secure all the applications in the cloud. And with this Zero Trust concept, you can see we need to protect the whole infrastructure, our attack surface, and also protect people working from home, working from the office, and also on mobile when they travel. So this whole infrastructure security is the key for today's cybersecurity.
So with all this, we also have SASE, which we also built differently than comparable competitors. We have SASE built in at the OS level, which is much better, deeper integration compared to other competitors that have to use different systems or even different architectures to protect all the different parts of the SASE solution. So that's where, for Fortinet, even if we take a little more time, more effort, to build OS-level SASE, the benefit to all the customers, to the partners and to the service providers is huge. I believe John Maddison will give the details on the SASE architecture later. And we presented these slides before. You can see, going forward, Gartner does suggest that the edge and immersive technology will gradually replace the cloud and also the mobile device. So Fortinet has the best technology and innovation to cover both today's solution in the cloud and also, going forward, edge protection. And the edge will become more and more important, with all the computing power moving to the edge to process the real-time data and traffic there. The key advantage Fortinet has over our competitors is the Fortinet Security Fabric, which is broad, integrated and automated. We have the broadest product range, including not only the network security part but also the endpoint side, the cloud side and the application side, with over 30 product families together, and all these products mostly come from internal development, are integrated together, designed to work automatically from day 1, which is different than our competitors, whose products mostly come from acquisitions, which are very difficult to integrate and almost impossible to automate together. That gives Fortinet a huge advantage over our competitors. And today, we also want to introduce FortiOS 7.0, which is a major release and has a few firsts for the whole industry.
And the first: this is the first OS-level Zero Trust network access, and also the first time to have SASE integrated at the OS level, plus all the 5G features. And also there are another 300 new features included in this FortiOS 7.0. Now Fortinet has become the leading cybersecurity vendor that has all of this: a firewall-based, OS-level Zero Trust network access and also the SASE solution. Together with the 5G SD-WAN, this makes FortiOS the richest in features among the whole cybersecurity industry, and also, with the FortiOS accelerating the performance and computing power, the best-performing OS with all the features together in the whole industry. You can see we continue to expand our total addressable market. By 2024, our total addressable market will be $93 billion. Not only are we leading in network security, which is about $51 billion, but we also have the Zero Trust endpoint solution, we also cover cloud security, and we also have secure apps, including a lot of new products we keep developing. So all of this together will continue to drive Fortinet's growth going forward. And we're keeping our strategy of doing a lot of long-term R&D investment, facility investment, infrastructure investment and also supporting marketing and sales investment. So the new headquarters will be opened later this month. And at the same time, we continue to build a global infrastructure to support our global business going forward. And Fortinet is also a very socially responsible company. We care about the environment a lot, so we want to make sure all the products we build are environmentally friendly and save energy. At the same time, we also want to contribute to the community with the ASC training we have, and also support education and support all the veteran programs.
At the same time, we want to make sure all the people within Fortinet, and also our partners and our customers, can leverage the resources and opportunities we have here and continue to grow, and continue to grow together with the industry, making Fortinet the best company in the whole industry. So with that, I go to the key takeaways. First, we want to continue to expand our platform, continuing the long-term investment we have, including not only the technology, including the ASIC, the OS and also the new functions, the new features, the new products, but at the same time including the facilities, including all the infrastructure, and also including the people, which is the number one, most important. And that will help us to be the #1 going forward in both SD-WAN and also security-driven networking. And growth is the key word for 2021. So with that, I want to thank everyone for participating in this year's Accelerate 2021. Thank you. [Presentation]
John Maddison (executive)
Hello, everybody. Welcome to Fortinet Accelerate 2021. This is John Maddison, CMO and EVP of Products. It'd be great to be in person, but unfortunately we're online; maybe next time. Securing all network edges: I want to talk about a lot of things, endpoint security, device, network, cloud, application. But if I take one message away, it is that the network is still very important, the security of the network, and what's happening in the network is that all these edges are forming that need to be secured. Now, our vision as a company: making possible a digital world you can always trust. One of the most recognizable symbols from Fortinet is the O in Fortinet; sometimes it's called the grid, sometimes the O. That represents the trust. And how are we going to provide that trust? Our mission is to secure people, devices and data everywhere. What we're going to be able to do is make sure we protect that entire attack surface, which has been rapidly expanding due to digital innovation. Now, Patrice had this slide earlier on; it's the Gartner Magic Quadrants. We're in the leadership spot for 2 Magic Quadrants. We're in 4 other Magic Quadrants and were mentioned in another 2. But also, we're in 6 of what we call market guides. These are precursors to Magic Quadrants, new development marketplaces: IPS, Zero Trust, e-mail, operational technology, NAC and SOAR. And so Gartner really recognizes the full breadth of the Fortinet portfolio. Again, we're leaders in network firewall and WAN Edge, sometimes called SD-WAN. Often, the leaders are very different companies. But even if they're the same company, they're completely different platforms. For Fortinet, it's the same product, the same OS, the same API, the same management product. So best-of-breed functionality, but on a single platform. Now, before I get into some of the product stuff, I wanted to talk about training. We have a huge investment in training. I think by now, we're the #1 cybersecurity training program out there.
You can just see some of the numbers here. I think, in fact, we're over 600,000. In fact, half of those certifications have been done in the last 12 months. As a partner, as a customer, you should be familiar with what we call the Network Security Expert program. It starts with foundational and solution-oriented levels. These are all public already, all the way to our expert level, NSE 8. We provide a lot of these materials and curriculum to top universities and colleges around the world. Also, 2 important areas. One is what we call IT awareness. That's now inside our NSE 1. It's free of charge. We have over 150 customers already using this, anti-phishing, for example. Also, for larger customers, we have our strategic partnerships where we export the entire curriculum into their programs: IBM, Accenture, salesforce.com. And by the way, we made all our training free of charge in 2020; it's always been free to our partners, and we're going to expand that program into 2021. Training is a very important investment for us. Okay. Let's switch gears now into product and product strategy. You heard Ken talk about our organic platform development. And this is very important. It would be very easy for us to go and acquire a lot of different pieces and try and bolt them together. We don't do that. We develop the platform organically. Now, if you cast your mind back, and I can, between 2000 and 2010, really a lot of the data was at the endpoint. And so endpoint security, back then antivirus, was really, really important. Yes, there was firewalling, but it was more around stateful firewalling. Over the last 10 years, a lot of the data has moved into the data center, and the network has become very important. Sure, the endpoint has progressed and there are people off the network. If you look at firewalling, it's progressed into next-gen firewall, whilst content and, of course, the data center became very important.
Over the last few years, and as we go forward over the next few years, of course, cloud has entered. The network has formed different edges, and endpoints and devices will migrate to more of a zero-trust-type architecture. What's really important, though, is a platform. And it's not just a platform for the endpoint, a platform in the network or a platform across the cloud; it's a platform across all 3 of those things that also includes identity and threat intelligence. The networking industry is very different from the cybersecurity industry. It's actually consolidated. And that's because, although things have gotten much faster in terms of speeds and feeds, the functionality remains the same. It's just faster switching, faster routing, faster Wi-Fi. The only thing that's changed a lot, probably in the last 2 to 3 years, is that application routing has taken over from enterprise IP routing. But still, it's a feeds-and-speeds game. Yes, there are some new technologies coming along, such as integrated security, AIOps and cloud networking, but the convergence of security and networking means you need to have high performance and high flexibility. The hub-and-spoke architecture of an enterprise has been here for probably 10 years. The idea was to get everybody onto the network as quickly as possible, to the data center and out into the Internet. And so what's changed? Well, what's changed are all these edges. You now have a WAN edge. You have a LAN edge. You have off-network, the home edge, recently due to the pandemic. You've now got different types of cloud, SaaS infrastructure. We're seeing LTE and 5G as we go forward, operational technology edges. And so all these edges need to be protected. However, it's very complex to build networking and then to build security on top. And so these edges will be protected by converged technology, security-driven networking. The same goes for the endpoint.
If you look at the endpoint, as I said earlier, it's migrated from a signature-based system into behavior, where we just recently launched XDR, which is more of a platform. Network access started as VPN. We should look at all the devices, how they get on the network; that's migrating into Zero Trust Network Access. And of course, identity is a very important part of security. And we've migrated from static passwords to multifactor to even passwordless as we go forward. All 3 of these technologies will come together under zero-trust access. And then, of course, cloud. And cloud has gone from what we call centralized to distributed to more centralized. And again, right now, it's going back to more distributed. It's gone from mainframe to personal computer to data center to multi-cloud to cross-cloud and now back to edge compute, and Gartner is actually saying by 2022, 50% of enterprise-generated data will be outside of the data center. And what's important here is to look at the shared responsibility model for security, whether it be the network, the platform, the applications or the visibility. Depending on what type of cloud, you're going to need that shared responsibility model, and make sure you have the tools and controls for that particular cloud. And let's turn our attention away from infrastructure back to the cyber threat landscape. I think everybody in cybersecurity is familiar with the Kill Chain. The Kill Chain itself really hasn't changed a lot. There are some different models out there, but it really hasn't changed a lot over the last 5 to 7 years. It starts with reconnaissance. It looks at weaponization, delivery, exploitation, installation, command and control (C2), actions on objectives. I think probably the scariest thing we've seen over the last few years is state-sponsored, more advanced APTs. 
In actual fact, the Kill Chain hasn't changed too much in its own right, but there's been more focus on each part of the Kill Chain: more sophistication, more speed, more complexity. You need to be able to look across the entire attack surface and be able to stop the Kill Chain at any one of these points. Okay. This is the most important part of our strategy. It's called the fabric platform to some, the Fortinet Security Fabric. The first thing it does is look across the entire attack surface: devices and users, applications, networks, IoT devices, 5G. It makes sure it can see, has broad visibility and protection of the entire digital attack surface, to better manage that risk. And it does that through these 3 pillars: zero trust for devices and users, security-driven networking for the network and adaptive cloud security for the cloud, data center and applications. What's different about the security fabric is it's totally integrated. Because we built it organically, each one of the components can talk to the others in a peer-to-peer way. It can exchange policy and threat information. It has a single Fabric Management Center to provide network operations and security operations. FortiGuard threat intelligence can be applied to any part of the fabric, whether it be endpoint, network or cloud. But we also understand we made investments in other parts of the infrastructure, whether it be cloud or infrastructure or data, endpoint. So it's an open ecosystem. We can integrate the fabric into the major orchestration systems and the major clouds. The end goal for the fabric is to allow automation, the ability to drive self-healing networks and AI response instantly to any attack on your data, on your infrastructure, on your users. The end goal of the platform is automation. So let's zoom in to one of the pillars. We need to deliver enterprise protection and that user experience at any edge. We use security-driven networking. 
What are the major technologies around security-driven networking? Well, the first one is the ability to operate at any one of those edges, LAN Edge, WAN Edge. There are a lot of vendors who just work in the cloud or just work in a network or just look at endpoint. You need to be able to protect any one of those edges. In certain instances, you need to provide very high performance, especially if you're in the core of the network, at the core of the data center. So performance is very important. Also, things like SD-WAN should be totally integrated inside the firewall itself. So now you have a secure SD-WAN: not only a next-gen firewall, but an enterprise-class SD-WAN. The same goes for SD-Branch with Wi-Fi and switching access. As we go forward, the digital experience is going to be very important. So monitoring it, measuring it, but also applying AIOps to the network end-to-end, from users all the way into the applications and through the network, so they can self-heal anything that happens inside that network. As I said, integrating everything as much as possible, integrated 5G, and then making sure you can apply certified security. There are a lot of people who'll just say they've got security. It has to be enterprise-class certified security. And what does that look like from a product portfolio, security fabric, security-driven? Well, it's LAN Edge, WAN Edge, data center edge, cloud edge. As some of you may know, our products have a very straightforward naming system: Forti-whatever it does. So there's our FortiAP, FortiSwitch, FortiGate, FortiExtender, FortiProxy, FortiGate for SD-WAN, FortiSASE, which is new, and FortiIsolator. So let's go back to that edge diagram I talked about earlier. You can see how we cover all those edges. We cover the WAN Edge, the LAN Edge, 5G, SASE Edge, cloud edge, data center and OT edge. And so our product portfolio inside security-driven networking is able to protect all those edges across your network. 
Now in the industry, you know the acronym soup is always around. The latest one, I think, is SASE. And I just wanted to go through what we think about SASE, what's our vision around SASE. The first thing we want to make sure is that we have flexible edge access. Whether it comes from a client, whether it comes from a thin edge, such as a 5G connection through LTE, whether it comes from a more secure edge through SD-WAN, all those edges feed back into what we call our FortiSASE, which is our certified enterprise security: next-gen firewall, secure web gateway and integrated Zero Trust Network Access. Then as we connect FortiSASE into the different clouds through our peering systems or through our APIs, such as FortiCASB, we make sure we monitor that digital experience. Again, for most companies who are developing their digital innovation, the digital experience is going to be the most important thing to their users and their customers. And let's not forget, there are still a lot of implementations of appliances in data centers, in campuses, in clouds. Fortinet continues to push the boundaries of performance for our data center firewall. We're rolling out our Network Processor 7, our new SPU, last year and this year, and our Content Processor. You can see some of the benefits here, some of the speed you get compared to CPU-based systems. It's usually about 10x, whether it be throughput, whether it be specific applications. And actually, very importantly, it's green. It actually is the most energy-efficient in terms of consumption from a firewall perspective. Again, in fact, one of our NP7s equals 10 of the high-end CPUs in terms of performance. Now imagine the savings in power and space. So we'll continue to invest in this area as we go forward. All right. Let's switch gears a bit here. Knowing and controlling everyone and everything on and off your network, users and devices: zero-trust access. So a lot of our customers are using our VPN technology. 
And in fact, during the pandemic, the start of the pandemic, they had to go from maybe 5% work from home to almost 100%, 1,000 users to 50,000 users. VPN technology allows you onto the network. It gives you access to the entire network. It is a one-time trust check and usually, because of the scope, has a generic rule set across all users. However, VPN needs to migrate forward. It needs to migrate forward to more of a zero-trust architecture, both on and off the network, providing a continuous trust check for every session, application-specific access and user-contextual rule sets. Are you on or off the network? What time? What applications are you accessing? This architecture from Fortinet is more of a migration than a rip and replace. You migrate your client forward. You migrate your FortiGate and FortiOS forward to give you the zero-trust network architecture. What are the products inside this portfolio? FortiClient, FortiNAC, FortiToken, FortiAuthenticator. And as I go through all these products, you'll be interested to know that most of them have different form factors: agents, appliances, virtual machine, cloud native, SaaS. But again, let's come back to this zero-trust vision, zero-trust architecture vision. What it's saying is that all users have application-specific access. You can provide session segmentation. They go through a flexible proxy, FortiOS. That proxy can be in your data center, it can be in our cloud, it can be on your campus. That gives you great flexibility. You apply device and user identity through our systems or through additional or external systems that you already have. And then very importantly, you provide this continuous contextual-based trust through our EMS system per application access. From a product portfolio, in fact, there are 2 main products here, FortiClient, FortiEDR migrating to FortiXDR. So there are 2 migrations going on here at endpoint. One is the VPN migration to zero trust. 
Encryption, on network, on and off network, network visibility. And the migration point, I think, longer term is that proxy sits in a SASE environment. The same is happening on endpoint. It's migrating from EPP to EDR, eventually XDR. If you look at both of our products, FortiClient and FortiEDR, you can see there's a bit of overlap for maybe midsized customers, who just want antivirus or web filtering. Long term, we're going to try and bring these agents together in a single zero-trust architecture. All right. Third pillar, secure any application on any cloud: cloud security, adaptive cloud security. Now I talked about the migration of applications from data centers to public cloud to SASE as we go forward on to the edge. So it's very important that any security or cloud security is available in a hybrid and cross-cloud environment. Then you break it down. You've got to get to the cloud: cloud on-ramp, virtual networking, microsegmentation. You've got to protect the platform. It may be the different clouds. It may be the data center through workload protection, container security, native security. And then you've got to protect the application: mail, web, ADC. And then the third component of this is where are you inside the DevOps? Are you shifting left to protect more of that development environment? Or are you shifting right? This all comes together in our Adaptive Cloud Security portfolio, hybrid and cross-cloud, consists of network components, FortiGate VM, cloud networking, DDoS, microsegmentation, our platform FortiCASB or FortiCWP. And one of the fastest-growing areas are a set of rule sets that sits on top of native cloud security such as IPS rules on firewalls or WAF rules on top of WAF firewalls. And then, of course, application protection: FortiWeb, FortiMail, FortiADC. And I'm not going to go through this slide in a lot of detail. 
It just shows you the amount of coverage you need inside these clouds, scaling from threat intelligence to the security centers. I talked about these rule sets sitting on top of native cloud security. So cloud security is very fragmented. You could use the existing cloud vendor. You can use our solution. You can use both. But we have individual road maps for every one of the major clouds out there. Okay, bringing everything together through our Fabric Management Center, starting with its SOC: automate security operations across the security fabric. Traditional types of SOC security are very isolated. You put in systems such as threat hunting, malware analysis. You put in situational awareness, insider risk, EPP, EDR. Long term, this is going to migrate to what we call an Extended Detection and Response system, a platform approach where everything is integrated, everything can share intelligence and everything can use a cloud to make decisions very quickly. What does our portfolio look like for Fabric Management Center? It consists of endpoint, breach incident response through endpoint. You've got FortiEDR. XDR was just recently announced. Our sandboxing, our Deceptor or FortiAI and then incident response system: analyzer, SIEM, SOAR and some new service offerings. Depending on the maturity of your organization, this can be very straightforward, such as sandboxing or analyzer. As you get more sophisticated, more mature, you can make sure you can apply additional capabilities, whether that be deception or XDR or more sophisticated automation such as SOAR. We put our systems together such that a small business, a medium business or a large business or some of our MSSP partners can scale the capabilities of their SOC to match their maturity. So what's new with the Fabric Management Center SOC with 7.0? At the core of the security operations, we have a single pane for the SOC. We have an extensive ecosystem. 
And then we have AI-powered threat detection and response from sandboxing to EDR. On the analyzer side, 7.0, we have this new service, SOC as a service, a new best practices capability and a FortiGuard outbreak alert offering. And then on the SOAR side, an incident war room, a mobile app and some new AI-based recommendations. The other part of Fabric Management Center is the network operations: simplify network operations across the security fabric. Obviously, management is very important. And a single management console across all the products inside the fabric is very important, but we started to add some additional capabilities. We started to add orchestration for things like SD-WAN. We started to add monitoring for the digital experience. So the Fabric Management Center NOC, again, can scale from a small business using something like FortiCloud, which provides SaaS delivery of a lot of this functionality, all the way into a full-blown FortiManager that provides policy management, orchestration and monitoring. One of the most important areas of a fabric is the management center, Fabric Management Center. Two elements, as we said. One is the SOC, one is the NOC. You really need to try and simplify network operations across the security fabric. Three areas inside the Fabric Management Center. Obviously, policy and management configuration is very important and will always be very important. But we're starting to add orchestration inside there: orchestration, for example, of SD-WAN; orchestration of SASE. And then monitoring, making sure you can look at that digital experience. And then coming together across everything will be some form of AIOps, which provides that self-healing. So from a Fabric Management Center, we have FortiManager. We also have FortiCloud, by the way, which is a SaaS-delivered cloud management system, with a lot of the features and functionality of FortiManager but more in a SaaS implementation. 
And then FortiMonitor, which is a recent acquisition. Now similar to the SOC, you have this level of maturity. So again, for smaller customers, you may want to just use the SaaS management and configuration and policy management. As you go forward, for larger customers, you may want to look at the monitoring capabilities. So you're measuring that digital user experience. And then for larger customers, you definitely want to look at the orchestration. You want to make sure you're orchestrating across all those capabilities, across all those edges, both networking, functionality as well as the security itself. Where is the Fabric Management Center going long term? It's going towards self-healing network operations, the ability to heal and monitor and configure the LAN, the WAN, the data center and the cloud edges. What's new in 7.0? FortiMonitor, the Panopta acquisition, zero touch provisioning for SD-Branch, Policy Optimizer, best practice services and now includes management of FortiProxy. Now I just mentioned a new product, FortiMonitor. This is a SaaS-based digital experience monitoring, also a network performance monitoring system. It's SaaS based. It measures endpoint, LAN, WAN, data center. It actually has a lot of capabilities inside the cloud. As most customers drive towards that digital innovation, digital experience, this is going to be a very important part of the reporting structure to maintain that. It's very important to provide that threat intelligence to the platform. We refer to that as FortiGuard security services. Now there's quite a few of these individual services. It can range from AV signatures to IPS, to IoT detection, to management, security as a service. It can be applied to the endpoint, the network or the cloud and to any one of the form factors: hardware, software, software as a service and API. We put these into these buckets of security. The first one is content security, looking at the content and providing security there. 
There is the web security, then, obviously, user security and device security. And then, as we go forward, more advanced SOC and NOC. Also available, what we call bundles. These bundles bring together some of these packages starting from ATP, advanced threat protection, to unified threat protection, to enterprise protection. The most advanced bundle is the 360, which includes everything. We just added SOC as a service inside there as well. And by the way, if you are a larger customer, when I say a larger customer, with maybe 20, 30 devices, then you should look at our Enterprise License Agreement, which gives you a lot of flexibility and operational savings. Again, as I said earlier, although we have a very extensive portfolio of 30-plus products covering the entire attack surface, we also have a very large ecosystem, in fact 400-plus integrations, 200-plus ecosystem partners. And this is very important that you're able to put the fabric and connect the fabric, supply that automation outside of the fabric. Now with the fabric integration, we have different types. One is what we call a fabric connector, where we build into a major orchestration system or a major cloud. We have our own API. We have fabric API. A lot of companies from different areas have built into that API. We have a thriving fabric DevOps community across cloud. And then we have an extended ecosystem, not only sharing of threat intelligence, but some of our systems can extend well beyond. Like SIEM, for example, and that can extend well beyond our fabric ecosystem to provide that coverage. It also breaks down into the different pillars. So you've got a number of vendors who really focus on the networking side. We've got -- obviously, there's quite a few vendors on the cloud side, on the security operations side, on the zero-trust side. 
Some of these vendors may be competitors of ours, but we want to make sure that if you've made a decision around a specific cybersecurity vendor or networking vendor, we can provide that integration. Now again, we don't do a lot of huge acquisitions, but we do do acquisitions. And these acquisitions are really focused on specific technologies that we want to accelerate inside the fabric. The goal is to bring them in and integrate them into the fabric as quickly as possible. These are acquisitions over the last few years. You can see it ranges from security operations, FortiEDR, enSilo; SIEM, AccelOps; ZoneFox around insider threat and UEBA; and SOAR. The most recent acquisitions are FortiSASE, which is OPAQ, and FortiMonitor, Panopta. A while ago, we also acquired some NAC and some FortiAP. Again, for the ones which we acquired 3 or 4 years ago, a lot of that technology has already been integrated inside the fabric. So I can't go through every product in a lot of detail in 30 minutes. This summarizes what I've just talked about in terms of the product portfolio across security-driven networking, adaptive cloud, zero trust, FortiGuard security services. Again, a very extensive portfolio as well as being very open. Now we did announce a few weeks ago FortiOS 7.0 with 300-plus new features across the fabric. That will be available at the end of this month. Again, the features range across the network, across zero trust, across the cloud, management, NOC, advanced services, et cetera. And so do take a look at that. I think we're in beta 3 already, so you can download and take a look at some of the new features inside there. So I'm going to finish up. Thank you for listening in. As I said right at the beginning, my main message here is that most customers are driving towards a platform, but a platform that takes into account the network, the endpoints and devices and the cloud applications end-to-end versus just one of those. Thank you. [Presentation]
Satish Veerapuneni (executive)
Hi, everyone. I want to, first of all, thank our partners, our customers, for taking the time to attend this session. This session is around simplifying SOC automation with FortiAnalyzer. I'm Satish from the product marketing team, and we have with us Ling Lu from the product management team as well. Many of you might have seen, through the previous sessions, the fabric diagram from Fortinet. In particular, what we are going to be focused on today is the Fabric Management Center and, in particular, FortiAnalyzer, which is a core part of the SOC offering that we have as part of the Fabric Management Center. The agenda for the day is, first, we'll talk about some of the key challenges we've heard our customers face today around the security fabric, and then we talk through how those challenges are being addressed through our solution with FortiAnalyzer. And then Ling comes on and talks about FortiAnalyzer and, in particular, what's new as part of 7.0. And lastly, we leave you with a case study from a customer and then give you some next steps as well. So if you look at it, most customers struggle with complexity of operations, and that's no news for the SOC teams as well. And in particular, they're struggling with complexity because of one or many of these reasons that are listed here. Either it's because they have too many vendors in the mix or they're struggling with too many alerts that are coming in, or they have slow response. Or more importantly, I think the entire industry is struggling with lack of trained staff, and we continue to have a shortage of staff. Now all of these or a combination thereof are contributing to complexity of security operations for teams, small, medium or large. So how we address this is by simplifying the security operations based on a simple concept called SOC maturity. Now we define maturity based on the people, the process that they follow and the technology that they use. 
And we put them in either level 1 SOC maturity or level 2 SOC maturity or level 3 SOC maturity. And now Fortinet offers a range of offerings that improve the efficiency of the security teams, like I was mentioning, across all maturity levels. Now this is an attempt to help you understand some of the offerings and how it kind of fits in our framework of simplifying security operations based on your level of maturity. Now all Fortinet Security Fabric customers are encouraged to establish an analytics and automation foundation with FortiAnalyzer, as you can see here in the sketch as well. Building on this foundation, as organizations have growing concern about threat landscape and have limited security staff, skills and processes, FortiXDR enables automated incident detection and investigation and response across the fabric. For organizations who have more diverse security environment, FortiSIEM, as part -- a core part of our SIEM solution here, adds multi-vendor visibility and analytics. Well, organizations with well-defined security processes can utilize FortiSOAR to improve efficiency with orchestration and automation across their multi-vendor environment. Now this is just to help you understand how we think about simplifying operations based on the security maturity that your SOC team has. Now in the rest of this presentation, our focus is primarily going to be on that foundational layer, which is FortiAnalyzer, but we wanted to take this time and give you a sense of how we think about our offerings and how we can help you simplify security operations across the maturity level that you have with your SOC team. Now coming back to FortiAnalyzer and how FortiAnalyzer can help you automate your security operations, we think of it as 3 core themes that go into FortiAnalyzer that enable you with automating your security operations. 
The first is around security fabric threat detection and response, which is around automating advanced threat detection across the security fabric. In particular, we have a subscription service called the Indicator of Compromise service that enables our customers to identify any anomalies within their environment through the subscription service that is powered by FortiGuard Labs. The second core theme is around security automation. And whether your team has low maturity or medium maturity, we enable you to unlock the automation features that are part of FortiAnalyzer. Lastly, we believe FortiAnalyzer is a core foundation. And on that foundation, we have the subscription security operation services that can be attached. As you feel your SOC maturity is improving, you want to add more services on top of it. As you will see in a bit, we have new services that are coming out as part of 7.0 that enable you to improve your visibility and improve your automation on top of the foundational layer, which is FortiAnalyzer, that you have. So what are the core use cases for SOC automation with FortiAnalyzer? The first core use case is around security fabric analytics. Now whether customers have 3 FortiGates or they have FortiSwitches or FortiAPs behind those FortiGates, at the end of the day, they want very simple visualization and analytics of what is happening within their environment, and FortiAnalyzer immediately helps you with that single-pane visibility with security fabric analytics. The second key use case is around advanced threat detection. In particular, like I was mentioning before, when you enable the Indicator of Compromise service on FortiAnalyzer, immediately we can enable you to identify anomalies within your environment very easily. Compliance is a third key use case. 
We have canned reports for PCI DSS, the situational awareness report, which is governed by NIST, and so forth, that enable you to accelerate compliance quickly as part of FortiAnalyzer. And lastly, based on your level of SOC maturity, we enable you to augment your SOC teams and improve your SecOps risk and compliance posture as well through the automation of the SOC through FortiAnalyzer. With that, I want to pass the ball to Ling to talk more around FortiAnalyzer and some of the key feature updates as part of 7.0 as well.
Ling Lu (executive)
Thanks, Satish. SOC teams require multiple areas of expertise and have to deal with many tools such as SIEM, sandboxes, threat intel systems, ticketing systems and so on. There are simply too many alerts for a SOC to monitor, alert overloading, and this leads to slow response and missed security incidents, increasing the chances of a security breach that can have severe consequences. FortiAnalyzer provides the SOC team with a wealth of security analytics and a built-in incident response framework to automate SOC processes for rapid response. Let's take a look at the Fortinet SOC solution as it stands today in 3 main areas. First, threat detection and incident response. FortiAnalyzer provides fabric logging, reporting and security analytics out of the box for the SOC to monitor the entire security fabric attack surface. It keeps things very simple to understand and simple to operate. There is very little extra configuration and rules tuning required. Today, it is integrated with the majority of our security fabric products, such as FortiGate, FortiWeb, FortiMail, FortiSandbox, FortiGuard, FortiClient and so on. It also has built-in SOC and UEBA for advanced threat detection. In 604, we added a SIEM database so it can process security logs from Windows and Linux OS. Second, SOC automation. We have an incident response framework that provides playbooks to automate SOC tasks, built-in event handlers, alert triage and threat hunting reports. Third, cloud services. Along with all of this, we also provide cloud services for SOC. FortiAnalyzer platform as a service is available through FortiCloud, and the FortiGuard IOC service and SOC service are available to FortiAnalyzer for threat detection and rapid incident response. The upcoming ordering guides make ordering products and services much easier. They contain all the necessary information in a digestible format. The easiest way to buy FortiAnalyzer is through hardware bundles or a VM subscription bundle. 
The hardware bundle includes the hardware and the first year Enterprise Protection Bundle, which contains FortiCare Support, IOC and SOC subscription. Renewal bundles are available. The VM subscription bundle is an all-in-one bundle that contains the VM subscription, 24/7 support, IOC and SOC service. It's worth noting that the new FortiGuard outbreak alert service will be included in the Enterprise Protection Bundle. FortiAnalyzer licensing is based on gigabytes per day of logs. Sizing the number of gigabytes per day for your customer can be challenging, particularly when information such as log rates or new sessions per second is not available. Fortunately, we have a sizing tool that we have been using internally today, and it should be available from FNDN soon. If your customer needs a cloud-based logging and analytics solution, they should go buy FortiAnalyzer Cloud platform as a service. The basic FortiAnalyzer Cloud logging and analytics is included today in the FortiGate 360 Protection Bundle. The FortiAnalyzer Cloud premium subscription supports advanced logging and analytics, and it includes the upcoming new FortiAnalyzer Cloud SOC as a service. The innovations for version 7 FortiAnalyzer fall into 3 areas. The first area is security fabric detection and response. In FortiAnalyzer version 7, the logs for new fabric devices such as FortiEDR, FortiDeceptor and FortiAI are now supported. For scalability and performance, we are adding a capability to FortiAnalyzer to horizontally scale a FortiAnalyzer deployment for threat detection. Basically, you have the FortiAnalyzer orchestrator to oversee and coordinate all the FortiAnalyzer instances in the cluster. Data are stored and processed in each FortiAnalyzer, but they're accessible from a single console of the orchestrator. UEBA is further enhanced for accurate detection and more coverage, and SIEM correlation and analysis are expanded for more advanced threat detection use cases. The second area is SOC automation. 
The FortiSOC module today is part of the incident response framework on FortiAnalyzer. This built-in module provides basic SOC automation within Fortinet Security Fabric core products with minimal configuration and setup, designed for customers to easily adopt the SOC. Today, it has connectors to FortiOS, EMS, FortiGuard and FortiMail so you can create SOC playbooks for automated incident response. As the SOC grows, it needs more advanced automation and incident management capabilities to scale up the operation. FortiAnalyzer 7 has a FortiSOAR container to make this transition easier. It comes with 4 SOAR capabilities to help accelerate your SOC maturity. New connectors in version 7 extend this automation to the cloud. The XDR connector allows XDR cloud to [ query ] FortiAnalyzer data for extended endpoint detection and response. The FortiCASB connector allows FortiAnalyzer to automatically uncover shadow IT, such as unsanctioned application usage. Some SIEM vendors may provide similar capabilities. However, FortiAnalyzer makes things super simple, and they work out of the box. It does not require special tuning, and so it saves your security team tons of time and effort to get things going in your SOC. The third area is SOC cloud services. As data and workloads are moving to the cloud, we see increasing demand for FortiAnalyzer as a service. Today, we already have self-managed FortiAnalyzer platform as a service available for SOC. Now we are expanding to a managed SOC as a service offering. With this service, Fortinet SOC analysts monitor customer FortiGate logs for network and security events to detect misconfigurations, policy violations and security alerts and escalate them back to the customer. Two types of deployment are supported: FortiGate directly sends logs to FortiAnalyzer Cloud, or FortiGate sends logs through an on-premise FortiAnalyzer that forwards the logs to the cloud. The license model is very simple. 
You only need to add a FortiAnalyzer Cloud premium subscription for each FortiGate. FortiGuard Outbreak Alerts is the service available to our FortiAnalyzer customers through the Enterprise Protection subscription. This is a downloadable content package from FortiGuard, including event handlers, reports and playbooks for malware outbreaks. To make things even easier for the SOC team, we now have FortiCare Best Practice Services available. You don't have to figure things out yourself. And no matter whether you have a new deployment or are upgrading an existing system, this annual subscription service will have Fortinet experts available for consultation to ensure your deployment or upgrade is successful. Finally, I would like to mention there are plenty of resources available from the virtual tech expo on FNDN for SOC solutions, including various demos and videos to showcase FortiAnalyzer SOC automation and incident response capabilities. FortiOS 7.0 will be GA-ed at the end of Q1, and FortiAnalyzer and FortiManager 7 come a few weeks later in April. This is all from me today. Satish, back to you. Thanks.
Satish Veerapuneni (executive)
Thank you, Ling. With that, very quickly, I want to summarize through a case study and leave you with some next steps. This is a customer story about Kent ISD, which is a small school district with about 20 schools out of Michigan. By the way, this is, again, publicly available in our resources section as well. Their primary objective was to have advanced threat protection against rising cyberattacks against K-12. They had, as you can see, a very small IT security team, and they wanted to minimize the resource involvement in terms of either improving visibility or resolving incidents. They wanted to implement that central, single pane for the team for visibility and analytics and have the best price to performance. Net-net, they went with a FortiGate next-gen firewall. And behind that is also an analytics engine, which is FortiAnalyzer, to enable them to have that central visibility and, more importantly, help them to automate their operations with a very small IT security team. I want you to take away 3 key things from today's session. The first is that FortiAnalyzer enables Security Fabric threat detection and response. In particular, as you would see, and as Ling mentioned as well, as part of 7.0 we have increased the indicator-of-compromise offering that we have. And more importantly, we've also brought in behavior analytics to enable you to reduce risk and improve your behavior anomaly detection as well, and then fabric event handlers to enable you with response and automating the response. We have also incorporated new fabric event handlers as part of the Security Fabric detection and response. The second key takeaway is around automation. Now we seriously consider FortiAnalyzer as a platform. 
And based on the SOC maturity, we want to give you a choice to incorporate advanced automation by adding new containers like FortiSOAR, which is our security orchestration, automation and response offering that can be easily attached to FortiAnalyzer as well to improve your SOC efficiency. We've also incorporated the connector into FortiCASB so that you still have that single-pane visibility. Though you have these breakouts that are happening into and accessing your cloud, you can bring that intel back into your hybrid enterprise as well and leverage that to identify risks across your hybrid enterprise. Lastly, SOC cloud services is the third key takeaway, which is that we have SOC as a service to help you augment. Whether you have an MSSP or whether you're a customer who has a SOC team, we want to automate your SOC team by providing you Fortinet-aware intelligence and being your L1 into the Security Fabric to identify any anomalies or violations and bring them back to your attention. Then there is the best practice service. Again, we see customers struggling with following best practices in terms of what to do, what automation, what playbooks to apply and so forth, and we have the service to enable you to take full advantage of your FortiAnalyzer and the automation features that are available as part of FortiAnalyzer as well. With that, I want to leave you with some next steps. On the web, you can search for FortiAnalyzer. Whether it is the [ SDN ] pillar or the AI-driven security ops pillar, you can find FortiAnalyzer as part of the related products, and we keep that up to date. The next thing is NSE Insider. We actually have an NSE 3 around FortiAnalyzer, which we also keep up to date. So I urge you to please take that FortiAnalyzer lesson. And then lastly, there is a dedicated Fast Track around SOC automation in addition to fabric management. So we urge you to please take part in that. There's also going to be a hands-on lab. So please take advantage of that. 
With that, I want to thank you for your time today. I hope you have a fabulous rest of Accelerate 2021. Thank you again.
Tsailing Merrem (executive)
Hello. Welcome to Accelerate 2021. In this session, we will discuss how to create a resilient endpoint security strategy for the era of remote work. My name is Tsailing Merrem. I am the Director of Product Marketing. Joining me is Roy Katmor. He is the General Manager for our endpoint business and the visionary for our endpoint security strategy. I have been working at home for close to a year, and the pain points facing the CISO have not changed but rather have been exacerbated by remote work at scale and in a hurry. So the first thing is a lack of visibility. It just gets worse when people are sent home in a hurry, and many companies are letting employees have more latitude in terms of downloading applications but at the same time feeling anxious about not having the visibility and control. And this also leads to breach anxiety, knowing that their hygiene could be better, and also with the accelerated threat landscape, ransomware scares and the associated business disruption. The last thing is, let's not forget, the security teams are also sent home. And facing the advanced threat landscape, they have to deal with a barrage of alerts, causing fatigue and potentially burnout. So all these pain points are getting worse because of the situation we are facing today. So we want to talk a little bit and give you a framework for how to think about remote work security and how to establish endpoint resiliency, essentially shifting the mindset to "It may not be possible to prevent 100% of threats," and let's look at all the tools we have at our disposal to reduce the risk of getting attacked or reduce the risk of a breach and business disruption. So number one, we talked about visibility being important. But having visibility alone is not enough. Knowing what the potential threats are but doing nothing about them is not very helpful. So the idea is you want to have the visibility. 
You also want to have the ability to take action, essentially preemptive controls. And then the next thing is prevention and hygiene, equivalent to doing all the right things. And also have the mindset that endpoint compromise is going to happen. And how do you protect the endpoint, and what solution do you put on the endpoint that will allow the endpoint to self-defend, not just to block malware but also to identify potentially unwanted applications, identify malicious processes and shut them down in order to self-defend? And once you identify those malicious activities on the endpoint, how do you help the endpoint to "self-heal"? Essentially, it's almost like giving the endpoint an immune system, right, to self-heal, to roll back malicious changes, because let's face it, when you have 80%, 90% of your workers working from home, the old way of reimage, rebuild may not be realistic. So let's look for a way to have remote remediation as part of your strategy, so you can basically decide for what type of incident you will use remote remediation and essentially roll back using the tool, and when you have no choice, then you use reimage and rebuild. So when I talk to analysts, they have estimated about 55% of enterprises have adopted EDR. And they're still in various stages. One thing I've noticed is that the early adopters may have adopted EDR 5 years ago to augment their endpoint protection strategy. So they are sitting with 2 disparate solutions, EPP and EDR. And they're looking to consolidate endpoint security. And the later adopters, the mainstream buyers, are now looking for a single, unified solution for EPP plus EDR in one integrated solution with one integrated agent. And why are security leaders looking for things like that? Because just thinking back to the strategy I was talking about, they want to strengthen security posture. 
They want to prevent as much as possible, doing the right thing, have security hygiene across a wide range of endpoints and workloads. And the other thing is maintaining business continuity, understanding that a breach may happen, understanding your endpoints may get compromised. The idea is how do you have the layer of tools to detect early, respond quickly and recover to get business back to normal as soon as possible without interrupting business continuity, or minimizing the interruption of business continuity. And this means factories will continue to churn out goods. This also means, in the retail sector, customers are not being turned away. This means hospitals can continue to help patients, and this means schools can continue to have remote, distance learning without being interrupted. And then the last thing is, when you think about CISOs, they are thinking about the employees, their security team. And we also want to help them address the challenge. And the combined EPP with EDR solution can help streamline security operations, having better visibility and enhancing SOC maturity when you select the right tools and with the automation, so essentially getting your SOC employees out of the business of doing mundane manual work and into something that's more interesting and higher value. And if possible, you selectively use the help of security services so you can have a 24/7 SOC while allowing your security team to actually have a good, nice sleep. So the use case for the EPP and EDR combined solution is, we talk about, and today we're going to focus on, remote work security. But we also know that something very front and center for people when they're adopting a combined solution is ransomware protection, because ransomware is not just file-based. Some malware is fileless, so you want to have behavior-based detection, real-time containment, and essentially just shut down the malicious activity right away. 
And then security leaders are also looking for this type of robust endpoint solution with prevention, detection and response to help optimize the incident response process, to accelerate mitigation with playbook automation and incident response, and also looking for the adjacent MDR service to essentially lend a helping hand to augment the security team. And another thing I also see is OT security. OT traditionally has been lagging behind because they have legacy operating systems. And with those kinds of systems, you touch it, it breaks. So they are really concerned about not doing something too intrusive, so they are looking for a solution that can safeguard those systems while maintaining business continuity. Because in the OT world, you have to make sure the system availability is extremely high, but we also know the adversaries are targeting them, knowing these systems are ancient. So this is another very important use case for a combined solution that has prevention and detection and response. And next, I am going to invite Roy to join me, and Roy will talk to you about FortiEDR. He will give you a product overview and his vision of building this wonderful solution and what's new, the very exciting new features coming up in 5.0. Take it away, Roy.
Roy Katmor (executive)
Thank you, Tsailing. So on the FortiEDR product overview, first, a recap of the product end-to-end, including version 5. As a reminder, the product is split into 2 main areas. The pre-infection, pre-execution side, where we have 2 segments. The first one is discovery and attack surface reduction, which allows us to discover applications, IoTs, enrolled devices, enrich them with vulnerabilities, best practices and rating, and allows reducing the attack surface according to the best practices of the organization, namely the ability to filter vulnerabilities and restrict access to applications or devices that have extended vulnerabilities that do not comply with the current policy. On the prevention side, our machine learning AV has now been extended to also include the FortiGuard threat intelligence, web filtering. We have a sandbox with [ 2-click ] integration so you can actually integrate the sandbox into the process. So new files that are being introduced and downloaded from the Internet, for example, could be vetted within a sandbox, and we support a cloud one and an on-premises one. And we added a host firewall, so you can actually restrict by application, by network, by domain and so on. On the post-infection side of the house, we basically separated it into the detection, where our detection is spiced with code tracing. So we do have the smoking gun, those memory infections, those beacons that are going and extracting in memory, and we correlate all the activities together while holding all the forensics, all the execution-related stacks together, so you can have the smoking gun and, of course, the very surgical remediation that is associated with this. All of that is done with a very tight classification so we can take, later on, a very pre-canned incident response. But it's not just a matter of auditing. And of course, we introduced very in-depth forensics within the new threat hunting that was added in version 5, and we'll talk more about it. 
It's also about protection. So we talked about prevention and attack surface reduction in the pre-infection. But in the post-infection, we are the only vendor that can stop a malicious connection or file tampering in real time even when compromised. So we never assume that we are being deployed in a new and fresh environment, and we understand that there might already be an infection. And therefore, we allow defusing those and creating a micro-containment, buying time for the team not to have the consequences of an attack. When it comes to response, it's very well understood right now that we will do our best to reduce the attack surface, prevent what we know, defuse what was already in, while auditing very extensively. But if we are already infected, we obviously need to also introduce a response and investigation that allows us better automation and orchestration around the different tools. And version 5 has in store an extended ability to activate, according to the classification, different tools according to the context of the attack. And when it comes to remediation, in the same way as the response, we're also able to clean and roll back. Even in cases of ransomware, we have a patent that allows us to do that and roll back in real time when we discover that there is ransomware that is activated and in action. But along with that, we can have a full remediation, including isolation, including IoTs, with an extended response to enact or [ socialize ] IPs to the firewall, sending e-mails, opening tickets, and all of those are pre-canned recipes that we allow to be utilized. When it comes to what's new in version 5, we separated it into 3 main areas. The first one, we need to support more. And the breadth of platform coverage is key to our success, not leaving any version behind. 
And so far, we supported Windows from XP Service Pack 2 all the way to the newest, and all the macOS and Linux flavors that are more associated with Red Hat, CentOS, Fedora and Ubuntu. Moving forward, we removed the kernel dependency that we had before in order to support Big Sur, or macOS 11, that was released late last year in 2020 and basically pushed kernel vendors out to user space. And by doing so, by that support, we actually expanded our Linux reach by enabling an application-based solution. So now we can support more operating systems, even those for which we do not have the kernel extension, with full functionality and parity with what we had before. And we also added more platform-as-a-service and infrastructure-as-a-service related distributions, such as Oracle Linux and the AMI, the Amazon machine interface. Within the coverage, we introduced the fabric telemetry analytics of the extended fabric, so we can actually digest our own fabric insights into the EDR platform in an XDR fashion, enrich those and, again, respond in an extended way. From a security efficacy standpoint, along with the asset discovery and control and the pre- and post-infection we discussed before, we added the CPRL, the intelligence of FortiGuard, into all of our platform, which means the machine learning-based AV can now actually have enriched intelligence, which gave us web filtering, or the ability to block requests that are going to known malicious or suspicious host IPs or domains. And we added a host firewall that allows the user to basically control applications, domains and network-related items just like any personal firewall, all controlled through a single pane of glass. And from a SOC efficiency standpoint, along with the code-tracing forensics that are unique to us to have the smoking gun, and the fabric [ firewall higher ] recipes or playbooks as we described before, we added behavior-based threat hunting. 
And the idea behind that was not to just look at an audit in its very native, uncorrelated fashion, but to actually take the raw logs as they're coming in from the endpoint and, as I mentioned before, could be from an extended resource, correlate them together and try to identify behaviors within raw logs. Along those lines, we added to those behaviors the MITRE tags, so you can now go into a record and click and find what kind of MITRE technique it is associated with. And we added third-party integration to our fabric playbook. So it's not only fabric on the response, but you can orchestrate beyond the fabric and activate other firewalls, other mail and services within our pre-canned recipes. A little overview of our new extended behavior-based threat hunting. So as with many other EDRs, we are collecting a lot of data and a lot of activities. We separated the activity into process-related, file-related, network-related, registry-related and also event logs, which could be the raw logs that are coming in the feed or raw logs that exist on the host. So again, there is no need to jump from a host back to the system; the system controls the host and allows that in many ways. You can get any file from the threat hunting. You can view any running process, current or past, and filter those through. But one of the nicest features that we did here is the facets, or the ability to actually have the heuristics and machine learning on top of the raw data, called activity, in order to identify behaviors that are already within the data, or within the data that we assume is benign. And I'll give an example here. The behaviors, for example, as you can see in this example, could be any kind of behavior that could be associated with benign activity but is also known to be a technique or a known attack flow. 
And we try to flag that for the users, so the user won't need to look at millions or hundreds of millions of raw data records but can actually look at it in a correlated fashion of behavior, for example lateral movement, command and control, privilege escalation, first use of protocol executions, log deletions and so on and so forth. And just to understand, any SOC engineer that has a suspicion, for example, a very common use case: do we have lateral movement, benign or not? Do we have those or not within our environment? You can now actually go in, filter by lateral movement, by behavior, which we already flagged as existing within the data that you're currently filtering, and see the MITRE technique that is associated with it. So it's a completely guided workflow that we created here, and, of course, you get the data and try to validate whether this specific behavior that we're looking at, which is a very small portion of the entire raw data, is something that we are familiar with within the organization or not, and so we can actually start and initiate an investigation according to that beginning of a needle in the big haystack of all the raw data that is collected within threat hunting. As I mentioned before, FortiEDR fabric integration was extended to third parties as well. So within our pre-canned playbooks, you can find FortiGate, FortiNAC, FortiSandbox, of course, FortiSIEM sending through syslog, and FortiSOAR recipes. You can also integrate third parties such as other firewalls, Active Directory, other mail providers and other log collectors. And all of those, of course, allow us to respond faster and in a scalable way across the board. A little bit about the ordering guide and just a few things to know, and I'll go quickly through a Q&A on this. The biggest change that we introduced is that we are selling in packs. The packs are 25, 500. We added new pack groups of 2,000 and 10,000 seats. EDR has an MOQ. 
All the different SKUs that I just mentioned under the different packs are bundled with a 500-seat MOQ, besides a single, all-in-one MDR-blended product that can allow 100 seats and best practices. To choose the best FortiEDR bundle for a customer, it's always something where you need to fit the budget of the customer, the needs of the customer, of course, according to the RFP and RFQ, and the competitors. We put together a very detailed comparison between the different vendors that we can share, so you know what you're looking for. You know what your budget is, and I'm sure we can find the best bundle for you. The right services: again, we force best practices on all of our services. And the reason is we want to have full satisfaction with the product from day 1. So it's an alternative to a jump-start, but the idea is that when we leave the customer site, the customer is deployed, tuned and ready to go in the best security posture that we can have. And we extended our MDR services. I mentioned a little bit about XDR. We introduced managed XDR from day 0 to help our customers integrate our fabric together and take an extended response and triage across the different products. And of course, we have MSSPs, and there are plans for MSSPs across the board that allow us to get closer to customers and go under the MOQ for customers who need those services. And those partners are certified within the fabric and Fortinet certification, named NSE. Back to you, Tsailing.
Tsailing Merrem (executive)
Thank you. It's really exciting to see what's coming up in 5.0 and all this integration that your team has been busy putting together. Next, I am going to talk to you about customer success and third-party testing, essentially to give you some validation, because by now you've been thinking this solution looks great, but is it proven? So I want to share this story with you. This is one of my favorite stories, because we talk a lot about early adopters that typically start with EPP and separate EDR and move on to endpoint security consolidation. This is one such case, but one thing I like about this even more is that there's a sequel to it. So wait for it. This customer is a well-known power tool manufacturer. It's one of the Fortune 500 manufacturers of industrial tools and household hardware. And the challenge is, the CISO basically came to us and told us they're using 3 vendors. They started with a traditional endpoint AV. And then he knows that prevention is not enough, and he is also aware that file-based detection is not enough. So he also acquired an EDR solution, what I personally call a first-generation EDR solution, to augment that, knowing that the first-generation EDR solution is operating under the assumption that the endpoint will get compromised and as a result is hypervigilant, turning out a lot of alerts and potentially some false positives. So he knows that, for his small team, they are not able to triage all this barrage of alerts. So he hired a third-party company, a managed security vendor, to handle MDR service. And that essentially is an outsourced SOC. And this outsourced SOC has an SLA of 72 hours, which is not ideal, and he recognized that. 
So he is on a mission to look for a consolidated solution, because, as you have seen, most enterprises are on a path to consolidate as much as possible, because when the systems are consolidated, especially at endpoint security, it just works so much better. And his requirement is vendor consolidation. And he also wants to work with a solution that has its own MDR service. Because when your EDR solution has its own MDR service, essentially, you have your own team using the tool, and the MDR team is going to demand engineering to make sure the system and the solution design is efficient to use by the security operations team. So that's his requirement. So when he reached out to FortiEDR, back then that was enSilo, these were his requirements, and he was very clear. He believed his company has a good security posture because of all of these processes he put in place. His goal is to find a solution that can help him with consolidation while providing service, and the efficacy should be equal to what he had. So that is his benchmark. And when we put in FortiEDR as a POC, right away the team discovered there is malware. It's a crypto-mining malware that is running on, I believe, over 10,000 endpoints. It basically has been moving around his environment unimpeded. And you can imagine the CISO was dismayed. He was very upset, and he went and talked to the EPP vendor. He's like, "Hey, this is malware. This is file-based. This is pretty [ trivial ]. You guys should be able to block it." The EPP vendor essentially just apologized and said, "Hey, you know we are not perfect. That's why you bought an EDR solution. Go talk to them." And he went and talked to this first-generation EDR vendor, and the EDR vendor essentially pulled out the log and said, "We detected it, along with 14,000 other alerts that we just fired in the past 24 hours. But nonetheless, we detected it." And if you are any CISO, whenever you hear things like this, it is an absolute nightmare. 
Because the problem is you have so many products that are firing alerts, and finding the relevant alert that's actually associated with a real threat is so difficult. That's why he has the outsourced SOC. So the MDR vendor is like, "Hey, we fired the alert. You hired somebody to triage it. Go talk to them." So he went and talked to the MDR vendor, and the MDR vendor reminded him. He's like, "Hey, our SLA is 72 hours. And as you have seen, there are a lot, over 10,000 logs, like 13,000 or 14,000. We are working our way through, and that's what you hired us for. And this threat that FortiEDR has discovered, it's less than 24 hours old. So we have 2 more days. And trust us, by then, if it weren't for FortiEDR, you would be none the wiser. We would triage it, block it, and life goes on." So needless to say, that wasn't a very good answer. And as a result, this manufacturer has been our customer for a couple of years by now. And the idea is he reduced the risk exposure, having a combined solution and having a solution that essentially can self-protect. Whenever we discover a threat, it can automatically isolate the process, specifically the malicious action, so it is essentially laser-focused on the malicious action and pauses the attack. And also, it's a single agent. So the machine learning is learning from the subsequent detection function, as Roy has mentioned earlier, and also with a better SLA. Because of the MDR service and the SLA, within 24 hours all the alerts are triaged. And another thing is, I can tell you, our MDR team is darn demanding. They do tell the product team how to continuously improve the operational efficiency to make them more streamlined, and our customers also benefit from that. And I mentioned this story has a sequel. So as you remember, at the end of last year, there was the SolarWinds hack that got a lot of coverage. And essentially, I believe the assessment is about 18,000 SolarWinds customers were infected. 
And this attack, this operation, is highly manual. So once the customers are infected, essentially there's a backdoor and it's [ decanaled ]. And this allegedly nation-state attacker then basically picks and chooses which company they want to attack. So there's a twofold concern. The first is that customers that have the SolarWinds Orion product are really concerned because they have a backdoor, and that potentially makes them vulnerable. Even if this nation-state attacker doesn't neutralize it because they are not their priority, other attackers can take advantage and be opportunistic. The other thought is they are not sure if they are the target. And so the action we have taken, and this is right before Christmas, as soon as the news broke, one thing our team did is our MDR team started to research and work with the engineering team to analyze the security incident, identify the IOCs based on the disclosure, and start searching across our entire environment and notify all of our customers if they have this, what I call, poisoned DLL. Essentially, that is a backdoor. And we then worked with the customer to determine, are there subsequent levels of compromise? Because we know the attackers' methods and techniques. So beyond this DLL, this backdoor, are there any subsequent indicators of attack happening? So we worked with our customers to identify the compromise. And we also developed tools to quickly help non-MDR customers determine if they have a backdoor, if there's a subsequent compromise. And for the customer I mentioned earlier, we got on the phone because they were really concerned, as they were using SolarWinds. So we got on the phone, identified and reassured them how our solution can protect against the subsequent payload and help them ensure that we will continue to monitor for additional indicators of attack, and also provided guidance to the security team to close out the backdoor. 
So the result is, and this is part of our threat research team, any time we identify a potential threat, we'll identify an alert and later confirm it as an attack on one customer, and we'll use that knowledge to threat hunt across the entire environment and benefit all of our customers. We use that. We have identified some early strains of ransomware attack. And we have helped several customers to identify early-stage attacks when they are using Cobalt Strike. So these are some of the examples. And the third-party testing. So we are participating in AV-Comparatives, and AV-Comparatives is an ongoing test. So essentially we submit a product twice a year, and the product sits in their lab and they do continuous tests. And AV-Comparatives has been upgrading their testing tools: in the past, they had a malware test, they had a real-world test, and now they have an enhanced real-world test. So we are participating in all these tests. And you can see that not all vendors that claim to have EDR capability are participating in this. And Fortinet, you can see that we are working with them, and you can see we have a very high detection rate and very low false positives. And these are important. And again, as you have known with Fortinet, we are committed to getting third-party tests because, a lot of the time, our competitors, or vendors you may encounter, come to talk to you about all these things. They need to prove it. And this is our way, to continuously test it to improve our product and also prove it. And watch this space. We are also participating in the MITRE ATT&CK test, and there is a new MITRE test that includes protection testing. And this one, I'm especially interested in, because the prior MITRE test is all about detection and telemetry, but as you know, you can fire 14,000 alerts, and if you don't have an accurate way to block it, it doesn't help many of the customers. 
So MITRE -- we are very glad to see MITRE has a new protection test, and we are participating in it. So 3 key takeaways. You have listened to Roy talking to you about 5.0 and all these new features, and I'm going to net it out for you. So we are continuing and we are committed to have broad security coverage across Windows, Mac, Linux. And we will continue to protect legacy OS, and we also will have the user discovery capability to discover IoTs and other devices that you cannot put an agent on. Why? Because you are only as strong as your weakness. So we want to make sure we have broad security coverage so there's no hole in your coverage, and we give you the visibility you need to cover your security. Then the next one is efficacy, because you can fire out all the alerts, but if you're not able to surface the important ones and provide action -- so this is what I have always talked about: having visibility alone without action is just going to induce anxiety. So this can mean preemptive virtual patching when we discover a vulnerability. This also means, when we discover potentially malicious activity, we can shut down that activity, essentially defuse the attack and pause the attack, so your team can take the time to investigate. And we can also help you with our AI-powered investigation engine to surface the important events that your team needs to look at. Then the last one is that all of that is going to feed into a more efficient SOC and essentially is going to make your security team more satisfied at work. The mundane work can be automated with a real-time response, so in case they are taking a break or they have to go home or take care of personal business, they know that if there is a threat we can pause it and buy them time for additional detection and response. And we also have an MDR service to help you augment the existing team.
And moving forward, we are adding behavior-based threat hunting to allow the SOC team to do more proactive threat hunting, because now they have the automation to take care of the mundane, boring things, and now they can do things that are interesting and higher value, like proactive threat hunting. And also, with XDR, the fabric integration, now we have extended fabric response and also XDR. So there are the resources. For public resources, I recommend you go to the FortiEDR page and click on Resources. We have multiple recorded webinars. One I personally really recommend, if you have ransomware anxiety, is the ransomware webinar; in that one, I talked about ransomware preparation, taking you through all the stages of how to prepare against ransomware, starting as simply as having a discussion: "If this happened, would you want to pay the ransom?" And I give you tips on how to ensure your backup and recovery is ready enough. So the discussion goes beyond endpoint protection. And then for partner folks out there, we also have partner resources, so head over to the partner portal. And I have mentioned that we are expanding our coverage to the entire security fabric, starting with endpoint detection with extended response. And we just launched XDR; and XDR means extended detection, AI-powered investigation and extended response. So it's fully automatable across the security fabric. And there is a session on XDR, so I highly recommend you check it out. And that's all the time I have. Thank you very much for taking the time to listen to this session. My name is Tsailing Merrem. And thanks to Roy for sharing the road map with us. Have a great rest of your day.
Damien Lim (executive)
Hello. Welcome to this Accelerate breakout session focused on leveraging sandboxing and virtual security analysts to empower organizations to tackle the volume, speed and sophistication of cyber threats. My name is Damien Lim, part of the Fortinet product marketing team focused on our breach protection solution and products. And joining me is Bryan, a Fortinet veteran and product manager for FortiSandbox; and Jack Chan, another veteran at Fortinet, who is the product manager for FortiAI. To provide context: FortiSandbox and FortiAI are part of the breach protection solution that is under our AI-driven security operations and is part of the overall security fabric. In today's agenda, we will cover cybersecurity challenges and the solution approaches. One such solution is the use of sandboxing for zero-day threat protection, and the other is the concept of virtual security analysts to aid the investigation of these threats. We'll then delve into the unique capabilities of FortiSandbox and FortiAI and the validation of these solutions, and then wrap it up with a recap and next steps. For now, let's focus our discussion on how an organization can evolve their security to deal with the challenges that cyber attackers pose. Most organizations adopt a security framework to plan their information security strategy. One such example is to leverage the 7 stages found in the Lockheed Martin Cyber Kill Chain as the context to help provide guidance. Foundationally, a security operations team should have a good baseline in securing all threat vectors or entry points against the delivery of known threats as the first stage, then move into adopting sandboxing as a method to protect against delivery of unknown and zero-day attacks. And the next evolution of security ops maturity is the adoption of deception technology to detect attackers performing reconnaissance.
And finally, organizations should consider adopting sophisticated AI such as virtual security analysts that can serve to automate the cumbersome task of investigating the many, many threats, and really help the security operations team achieve peak efficiency and the ability to scale even further. To keep up with the evolving threat landscape, organizations must grow beyond securing against known threats by blocking zero-day threats and then later progressing through the other kill chain stages as a result of threat investigation. A zero-day threat is a piece of malware that embeds an exploit designed to bypass underlying security controls, increasing the success of that particular attack. An example of sophisticated ransomware with the ability to self-propagate throughout the network would be WannaCry. At least that's something that comes to my mind. Now it really gained its infamy due to the ability to infect entire networks by exploiting a Microsoft SMB vulnerability, and it was able to cripple quite a number of businesses. Worse yet, there are many variants created subsequently, including the NotPetya variant, and other forms of malware. Now this led to the challenge for most security operations of investigating those volumes of threat alerts, which has traditionally been manual and time-consuming, especially when looking for patient zero and other infected systems for mitigation. To solve these challenges, we'll take a look at these breach protection technology use cases. To block zero-day threats delivered to organizations, sandboxing is a critical component of their defenses. FortiSandbox is designed to analyze and assess for zero-day threats, and generates indicators of compromise in order to reduce risk by sharing the latest zero-day threat intelligence with existing security controls to protect against known threats.
Likewise, a security analyst is instrumental in investigating the delivery of those types of threats and then throughout the different stages found in the kill chain, ending with the actions on objectives. Now, due to the shortage of experienced staff seen in many organizations, FortiAI with its deep learning can help supplement security operations with a virtual security analyst to dynamically classify the malware and its life cycle, including the identification of patient zero. Now this greatly benefits security operations with increased efficiency of the threat life cycle response and solves the operational skill issue. All of these solutions can be applied to an OT environment, as FortiAI and FortiSandbox passively monitor for targeted attacks aimed at ICS and SCADA systems, thereby reducing the risk of OT-based threats. Our AI-driven breach protection solution, consisting of FortiSandbox and FortiAI, will help transform an organization's security posture by providing them powerful security that takes security ops to the next level of maturity through the use of AI-powered security technologies. That enables them to secure business continuity against sophisticated, evolving malware. While implementing powerful security is an important endeavor, that security needs to be applied to both IT and OT segments for a holistic approach to defense, and this helps security ops close off any gaps and secure the dynamic attack surface. Now lastly, organizations can reap the benefits of SOC automation through the integration of our breach protection solution with any existing security controls [ via the ] Fortinet Security Fabric. Now this provides security operations the ability to scale and increase SOC efficiency without increasing budgets. And with that, let me turn it over to Jack and Bryan.
Jack Chan (executive)
Hi, guys. This is Jack from the Fortinet product management team. I'm also representing Bryan today, our FortiSandbox PM, and I'm going to present both FortiSandbox and FortiAI to you. Let me start with FortiSandbox. FortiSandbox is a well-proven technology, for almost a decade now, designed to detect zero-day, exploit-driven attacks. What makes FortiSandbox unique is its ability to analyze both IT- and OT-targeted malware in [ a safe ] virtual environment. In that virtual environment, it mimics the endpoint desktop and simulates OT services to discover the true intentions of objects; for example, a Word document that has the ability to download a Trojan or ransomware, or a PDF opening a port to communicate with [indiscernible]. The results of the analysis are put together in a comprehensive report that includes the indicators of compromise, the IOCs, and MITRE ATT&CK mapping. Also, FortiSandbox has machine learning, 2 in fact. One is built into static analysis; and the other, dynamic analysis, to accelerate the discovery of unknown malware and improve detection. Lastly, the real secret of FortiSandbox lies in its ability to share zero-day threat intelligence in real time with a few things: first, the FortiGate, to block these threats in the network and any lateral movement as part of the threat response; other and third-party security solutions, to enforce zero-day threat protection for e-mail, endpoint, applications and many more; and the sandbox community, to share and benefit from threats found by other sandbox devices as well. Because of this proven zero-day detection capability, wide array of features and broad integration, sandbox has been helping to automate breach protection across the entire attack surface. And now let me step into FortiAI. Here are some infographics to show the strength of FortiAI.
With a high detection rate, Fortinet can detect threats and provide a verdict in sub-second time; it is suitable for high-performance, demanding environments such as ISPs, large enterprises and managed service providers where you need line-rate throughput. FortiAI VSA, the virtual security analyst, is trained in the cloud and is exposed to [ 200 billion-plus ] features. And we take the highest quality, around 6 million features, into the on-prem hardware and VM solution. One of the biggest differentiators of FortiAI is the use of artificial neural networks, so that it does not require running the file itself for malware discovery. Instead, it breaks the file down into thousands of features to go through the neural networks for analysis and provide a verdict. Virtual security analysts themselves can link and correlate infections and find the root cause of infection, such as worm-based attacks, and look for malware outbreaks as well as variants. Combined with on-prem learning, where FortiAI will learn from customers' traffic, the goal here is to reduce false positives and increase the catch rate further. It can identify what we call an attack scenario, where FortiAI, based on the feature analysis, will reveal the true intention of the malware, whether this is an info-stealing Trojan, banking Trojan, coin miner, ransomware and so forth. Basically this is your personal malware analyst. In terms of fabric integration, FortiAI will integrate with FortiGate for submissions. [ It has 6 adjacent ] output and also supports third-party ICAP clients. And also, the latest, we've added a FortiSOAR connector, where you can submit files to FortiAI from FortiSOAR. Let me share with you what's coming in the year 2021 for both FortiSandbox and FortiAI. What you see in the gray boxes are the existing features or coverage for the products. The acorn-colored boxes are what's coming in 2021. Like all road maps, a disclaimer applies here.
Road maps do change and get reprioritized often, and it will be good for everyone to understand the AI-driven ops direction for today. Let's take a look at FortiSandbox first. While FortiSandbox is designed to identify zero-days with static and dynamic analyses, the sandbox team plans to introduce co-emulation to emulate executable files' behavior. This will be done after the prescan and at the same time as the VM execution. Adaptive scan with FortiSandbox is about dynamically allocating resources like Windows VM and Office instances to adapt to the file types to be scanned. For example, you might have more Office files at a particular time, so you don't need as many Windows VMs. FortiSandbox will dynamically adjust the clones and resources to scan, hence making it more efficient. With FortiAI, the main focus for this year will be on network traffic analysis. Some people call this network behavior analytics, which is to identify anomalies that traditionally next-gen firewall or IPS alone cannot pick up. This puts FortiAI on par with other vendors like Darktrace or Vectra AI. Network traffic analysis, NTA, will be released as a function under virtual security analysts around Q2, Q3. Basically your virtual security analyst will help you identify the anomalies. In terms of broad coverage, the 2 solutions already cover a wide range of verticals such as OT, MSP, government, et cetera. And for FortiAI, we have plans to move to the public cloud space, starting with AWS. The last piece of the road map, on the right-hand side, is the fabric integration. This has always been the strength of Fortinet, allowing more customers to enjoy automation and integration within our own solutions. One area is the FortiSandbox [ customer management ]. We are discussing FortiAI and FortiSandbox integration as well, leveraging the strengths of both; and the traditional logging and SIEM integration with FortiAI.
And more excitingly, we are also looking to do FortiGate and FortiAI inline blocking, to utilize the speed of sub-second detection with FortiAI. So now let's take a look at some of the ordering guide. In this guide on the screen here, you can see the different offerings and main features. There are 2 main offerings for FortiSandbox: cloud-based, that is SaaS, PaaS, public and private cloud; and also the [ CapEx ]. Each offering will have different capabilities, so the easiest way to buy is based on the number of files. We refer to this as the file throughput, which ranges from hundreds to several thousands. In case you don't have a way to calculate or estimate your file throughput, you can buy based on the number of users. Lastly, if you need more capacity, FortiSandbox natively supports clustering up to 140 sandbox nodes, which means 2 nodes will have double the capacity and 10 nodes will be 10x. This guide will be published very soon. With FortiAI, the ordering is actually much simpler. The easiest way to buy, similar to sandbox, is based on files per hour. And you have to decide whether you are choosing hardware or a VM. With the hardware offering, we have the FortiAI-3500F with GPU. The GPU pretty much works like the ASICs on FortiGate and makes the file scanning much faster with the neural network acceleration, and VMs are roughly 25% of the hardware power. You would also like to ask yourself what fabric integrations are required. As we mentioned before, FortiSandbox is a very mature product with lots of fabric [ products ] integration. At the moment, FortiAI is catching up in this space, with the FortiGate file submission via OFTP, FortiWeb via ICAP, and FortiMail, et cetera, pending in the pipeline. And what if my customer is an MSSP? FortiAI has been designed with the MSP in mind, so when you look at logs, reports, et cetera, you can actually filter on [ rhythm ], devices, et cetera, which is [ great for ] MSP.
And if you're thinking about ordering FortiAI hardware with the GPUs, think about whether you need the extra SSDs. As I've shown in the product picture here, you can add multiple SSDs, mainly to increase the log retention. Lastly, let me touch on the different FortiGuard services, the flexible offerings and the assistance for our solutions, a range of services to ensure success with the products. So first, everyone understands FortiGuard provides dynamic updates: the signatures, the lookups, the neural network updates, so that we keep the security updates at our pace and let the customers focus on their main goals; and of course, all the FortiGuard [ blocks on the malware ] research, like the latest SolarWinds attack, for example. And in the middle here, we've got security on demand. Basically we've talked about the different flexible offerings that FortiSandbox offers, whether you want it as a cloud service for lower-end FortiGates, or whether you want to have a dedicated VM environment of your own, which we call the platform as a service, or different public cloud or private cloud installments. And of course, the reliable assistance from our tech centers, from our partners and full-time professional services. And you will actually see more [ RMA ] options for both of the products. And lastly, on the resources. Apart from what you can find on our websites, the demo centers, white papers, et cetera, we've touched on some of the release schedule here. Timing might change, but we're roughly looking at FortiSandbox version 4 to be released around Q2 2021. FortiAI will have 2 versions this year, with 1.5 planned at around the March, April time frame. And then the NTA, the big next thing coming up for FortiAI, will be around Q2 and Q3 2021. And don't forget, if you look on the partner website, you have a range of partner resources to help you with both solutions. So now let me hand back over to Damien to talk about the customer success stories.
Damien Lim (executive)
Thank you, Jack. Now let's take a look at the customer and third-party testimonials associated with these solutions. For the first customer success story, related to FortiAI, let's take a look at the identity and citizenship authority, which is a federal entity that provides identity services for their large population. And they are tasked with centrally authenticating these different IDs, if you will, with the various government services provided; for example, validating the ID of an air traveler during the purchase of an air ticket or when they are boarding a plane, and for private businesses such as the authorizing of bank transactions. Now this particular customer embarked on a project to protect their networks and services against state-sponsored attacks, as well as looking for a suitable security solution for the air-gapped environment that they are building. In the first use case, this involves the notion of self-defending networks and web services, and can be achieved with FortiAI's ability to apply self-learning to sub-second threat response for sophisticated and continuously evolving threats. And with the FortiAI self-learning ability, they're able to leverage a security solution that continues to evolve as it inspects for threats in their private internal networks that are completely air-gapped. And then in terms of deployment, FortiAI specifically was integrated with FortiGate and FortiWeb through the ICAP protocol. So why did they choose Fortinet? Well, FortiAI's detection, investigation and response performance. They were able to leverage that to save on CapEx spending on adding more malware detection capacity to their existing solution; as well as realizing savings on the OpEx side in terms of hiring even more staff, if you will, to manage that ever-growing solution.
And due to FortiAI's sub-second analysis, FortiAI was able to [ rip through ] the large volume of uploaded materials even faster; and this led to an increase in the customer satisfaction score for the ID services that they provided. And lastly, as a government entity, they are subjected to different audits to ensure they meet all the different regulations for what they provide. And FortiAI not only meets but exceeds, all right, all these different requirements, thus they are assured on the cybersecurity business impact and penalties. For FortiSandbox customers, many are adamant about the various benefits it brings to use cases such as complementing it with next-generation firewalls or secure e-mail gateways, as seen in this particular Gartner insight example. This and many more can be found on the Gartner Peer Insights page that collects FortiSandbox reviews by various industry peers. Also, there are a number of published customer case studies available on fortinet.com, including the example here, a quote from National Benefit Services that simply states the fact of FortiSandbox's efficacy by catching 16 unknown malware the moment it was deployed. Furthermore, FortiSandbox's efficacy and TCO are affirmed by reputable third-party test vendors such as NSS Labs, which recommends FortiSandbox in the breach detection tests and separately in the breach prevention tests. Lastly, ICSA Labs, the testing arm of Verizon, [ enjoins ] NSS Labs with the certification of FortiSandbox in its advanced threat detection tests. On a side note, FortiAI capabilities are unique in the market today and we are actively exploring a collaboration with third-party test vendors, so stay tuned. With that, let me provide a quick recap and next steps.
Fortinet is driving towards a breach protection solution that provides powerful security by enhancing malware detection engines with machine learning, and improving it further with a new emulation engine that improves efficacy even further, improved ransomware detection and adaptive scan to push the performance of sandboxing much, much, much higher. And also, deep learning is the key for the future of cybersecurity, and by applying it in the form of a virtual security analyst found in FortiAI, it has the ability to investigate threats like its human counterparts, but in sub-second time. And expanding those deep learning capabilities further is to investigate anomalies found in the network covered, such as with the network traffic analysis functionality. And all of these improvements elevate an organization's existing security posture and reduce the business disruption due to the sophistication, scale and volume of threats. Besides that, our breach protection solution can be applied to the IT segment of an organization to protect attacks (sic) [ against attacks ] aimed at Windows, Mac, Linux and Android devices; but also in the OT segment, including ICS and SCADA used in verticals such as manufacturing and utilities. Now besides the devices themselves, our solution supports a multitude of applications such as Office, PDF, HTML, Java and many more, including services such as SMB as well. Now all of this helps security operations close out the gaps with comprehensive coverage of the dynamic attack surface. Lastly, our breach protection solution enables an organization to build automated defenses with the security fabric. This is highlighted with the deeper interoperability with Fortinet's portfolio; for example, FortiSandbox's native integration with FortiGate, FortiMail, FortiClient; or FortiAI's inline blocking with FortiGate; and also support of third-party security solutions through REST API, ICAP protocol support and STIX.
All of this combined really helps with automating the threat protection, thereby driving better efficiencies within the SOC processes, and allows security operations to scale even further. For the next steps, I encourage you to take a look at FortiSandbox or FortiAI on fortinet.com, where you'll find data sheets and other pertinent information regarding these different solutions. Now if you'd like to sign up for training, you can do so via the NSE training, where we offer a number of modules from NSE level 2 to level 7, covering these different topics. Or you could also participate in an upcoming Fast Track session on FortiSandbox, where you have the opportunity to speak to an expert and experience hands-on training. Keep in mind FortiAI is coming really soon to Fast Track. And lastly, if you are interested in the other technologies I mentioned earlier, including deception, to evolve your security operations, feel free to attend the session highlighted. And with that, I'd like to thank you for your time, and I hope you found this session helpful. Cheers.
Max Zeumer (executive)
Hi, everyone. Thank you for joining us today. This session is around how you can rapidly respond with FortiSOAR. I'm Max Zeumer from the product marketing team. And today, I'm joined by Ling Lu, the Vice President of the product management team. So I'm sure that throughout the sessions, you've seen this in one way or another. And so before we dig in, I just would like to touch on the Fortinet Security Fabric and how it provides visibility and protection to better manage risk while being integrated with our single fabric management center. And our focus now is automation, which is leveraging our AI-driven security pillar for fast and efficient operations. And this is the pillar that FortiSOAR falls under and supports the extended efforts. FortiSOAR has done extremely well in supporting mature SOC teams to rapidly respond while optimizing their SOC; being part of the fabric is what differentiates us from SOAR-only solutions on the market. And our agenda is pretty straightforward. I'm personally going to walk you through some of the cybersecurity challenges and solutions and a little bit of an intro to FortiSOAR. And then Ling's going to dive into further detail on the product, its innovations and what's new. And from there, I'm going to touch on some customer stories and summarize a little bit of what we discussed today. According to Gartner, SOCs are now ever increasing in number, shifting investments, resources and time from threat prevention to threat detection and proactive response. They also state organizations are dealing with increasingly aggressive threats where rapid response, only minutes at best, is required. This forces organizations to reduce the time to respond, typically by delegating more tasks to machines. So what are the complexities, that some of you might be very familiar with, that are causing organizations and SOCs to shift to a proactive response and to delegate more tasks to machines?
Well, the first one starts with too many vendors. And this is because a lot of products do not coordinate or integrate well with each other, and that creates difficulty because it adds further context switching during, for example, an investigation, or just to identify what tasks an analyst has to complete on that given day, ultimately reducing visibility and creating a fragmented scenario. What further ties to the shift is the overwhelming amount of alerts that are coming in and how you deal with them. This directly develops alert fatigue. We know they're time-consuming, and it creates the opportunity to further miss alerts that might have had that common link and other developments. And particularly, when you're trying to identify the severity of an alert and how critical it might or might not be, creating an additional risk of missing a key alert. The next complexity that helps push these SOCs to shift, per this research that Gartner has done, is the fact that there are too many manual and slow response processes. And these repetitive and manual actions across those siloed tools take too much precious analyst time. And sometimes, it can take days to understand incidents and investigate threats, which impedes and slows down your overall response, adding to the time and length of investigations as well as the amount of time you spend sifting through those endless alerts at the start of a potential investigation. And then this last complexity, the cybersecurity talent shortage. When you compound or blend the first 3 complexities we just discussed, teams are often understaffed with an enormous task to face, turning a challenging situation into a more difficult one when you've maxed out the working capacity of the talent you currently have. So these are the factors that are contributing to these shifts of resources and focus that Gartner is stating.
At Fortinet, we want to simplify your security operations by helping you choose an offering aligned to your SOC maturity. And Fortinet offers a range of components that improve the operational efficiency of security teams of all sizes and maturity levels with 4 unique yet integrated offerings. And it starts with the Fortinet Security Fabric customers, who are all encouraged to establish their foundation with FortiAnalyzer's analytics and automation. Building on that foundation and this framework, as organizations have this continuous concern about the cyber threat landscape and have limited security staff, as we have previously discussed, skills and processes are also impacted. FortiXDR enables automated incident detection, investigation and response across the security fabric as well. And as an organization or a team becomes slightly more mature, for organizations who have perhaps a more diverse security environment, FortiSIEM adds multi-vendor visibility and analytics. And then at the peak of that is FortiSOAR. Organizations with mature SOCs, sizable security stacks and well-defined security processes can utilize FortiSOAR to rapidly respond while improving efficiencies with advanced orchestration and automation across multi-vendor environments; they're enabled at the peak of our framework. And this is truly designed to help customers, as we mentioned, at each stage of their maturity, identify what product is ideal for them at the current stage they're within. And so with that, we want to point out some of the key fundamental focus areas, in particular for 2021, that FortiSOAR has. And it starts first with rapid response. We enable organizations to accelerate their response and coordination through comprehensive case management, orchestration, automation and cross-collaboration, which supports teams that need a force multiplier, which is critical. The second key focus that we have is SOC automation.
Over the last year, we have structured the products I just discussed in our portfolio to meet SOC teams at every level of their maturity, with FortiSOAR serving as the peak of that framework, meeting enterprise teams that require full orchestration and automation of security processes across multi-vendor environments. And this is because FortiSOAR is an agnostic offering. And lastly, one of our last key focus areas is cloud services. And this is essentially to help streamline deployment, management and onboarding with best practices. So FortiSOAR in the cloud will enable enterprise customers who want to move their SOC from on-prem to the cloud, where enterprises would no longer have to worry about managing evolving infrastructure while being supported by our best practice services, allowing for flexible deployments and seamless configuration. And these best practice services are going to be our FortiSOAR experts, who are going to really help jump-start that configuration as you deploy. I want to take a moment to touch on the fundamental use cases that FortiSOAR has. When you take a look at the unified incident management use case, it's designed to streamline and centralize visibility and control, which battles the product fragmentation SOC teams face, which we discussed earlier, enabling teams to utilize existing security tools and increase their efficiency. The second use case is alert triage automation. Through FortiSOAR, alerts are automatically prioritized, assigned and correlated with other alerts while providing recommended actions to the analysts. This risk-driven prioritization allows teams to focus on the critical threats while removing false positives. The third use case would be SOC optimization. FortiSOAR provides jump-start out-of-the-box use cases, out-of-the-box dashboards and out-of-the-box reporting, but also retains flexibility and adaptability with all of the above.
This allows teams to quickly optimize their overall processes and identify key SOC metrics that enable them to implement automation, resulting in their reduction of manual processes. And lastly, our SOC collaboration use case, which can run a multifunction or distributed SOC with FortiSOAR's dynamic team workspace. This is extremely valuable for our cross-collaboration amongst teams, even beyond the SOC. For example, real-time communications during a crisis management scenario is crucial. And FortiSOAR allows SOC teams and organizations to have communications with multiple departments such as legal, marketing, key executives. And this results in accelerating response coordination, which is incredibly valuable. And now I'm going to pass it over to Ling, who's going to dig further into the FortiSOAR product, its innovations and enhancements and much more.
Lu Ling
executive
Thanks, Max. Security teams are facing increasing challenges such as skills shortage, manual processes and disparate tools. SOC teams require multiple areas of expertise and are dealing with multiple consoles such as the SIEM, sandboxes, threat intelligence systems, ticketing systems and so on. The SOC team has too many alerts to monitor, alert overloading. And these all lead to slow response and missed security incidents, increasing the chances of a security breach, and can have severe consequences and break your business. FortiSOAR helps coordinate, execute and automate tasks for security operations, allowing the SOC team to respond quickly to cybersecurity attacks and to improve their overall security posture. Today, it is very successful in large SOC operations such as banking, government, oil and gas industries. Let's take a look at the Fortinet SOAR solution as it stands today in 3 main areas. The first area is in rapid response. FortiSOAR today comes with built-in capabilities such as alert incident management, ticket case management and team collaboration, from managing alert triage, incident investigation and escalation to remediation and response, all from a single unified console end to end. This makes life in the SOC so much easier and enables them to respond quickly to security incidents. This platform is designed to allow larger security operations to eliminate alert fatigue and context switching and to optimize their processes to accelerate incident response. The second area is SOC automation. FortiSOAR today has more than 350-plus integrations with third-party vendors and over 3,000 playbook actions for security orchestration and automation. The out-of-box content packs provide the SOC team with ready-to-use incident response playbooks. Playbooks can be customized to streamline complex SOC processes and build consistent incident response workflows to improve SOC productivity and efficiency. The third area is cloud services. 
FortiSOAR platform as a service today is only available from the public cloud. In version 7, more cloud services are coming that will be available from FortiCloud. The new FortiSOAR ordering guide makes ordering for our sales partners and distributors much easier. The easiest way to buy FortiSOAR for on-premise deployment is through a VM subscription bundle. It comes in 2 editions: the enterprise edition for enterprise customers; and the multi-tenancy edition designed for MSSP customers. The multi-tenancy edition has a couple of different deployment options. The VM subscription bundle is an all-in-one bundle. It contains the product subscription license plus FortiCare Support and FortiCare Best Practice service. It comes with 2 users by default, and user add-on licenses are available if you need to add more. Sizing license capacity for FortiSOAR is relatively straightforward. You size based on number of users. If a customer needs cloud-based deployment, they should go with the FortiSOAR cloud option, which is coming in the Q2 time frame. For the FortiSOAR container for FortiAnalyzer, you need to buy the FortiSOAR enterprise license. There are 3 key areas that we have been working on for the FortiSOAR 7 release. First thing first, rapid incident response. FortiSOAR today comes with built-in capabilities such as alert incident management, ticket case management and team collaboration. Now with version 7, we have added the incident war room. This allows the SOC to easily launch a collaborative space to deal with a critical incident or crisis. Various stakeholders and teams across the organization can be summoned together in a very short period of time for quick mitigation and containment. The war room can be set up with just a few clicks from the incident or alert view. It consists of sections such as incident context, investigation arena and impact analysis. 
The info center holds hot links to various collaboration integrations like the conference bridge, the group chat, the wiki and the hotline to responders. The FortiSOAR mobile app is available from FortiExplorer. This puts the SOC in the palm of your hand, and team members can respond to alerts or incidents quickly when they are on the go. There are quite a number of new integrations with the Security Fabric such as FortiAI, FortiNAC, FortiSandbox, FortiGuard to allow rapid response, from analyzing and identifying threats to quarantining devices for remediation within minutes. Upon detection, playbooks are set off to ask fabric devices to take immediate action. I would say that this is one of the FortiSOAR differentiators. It can leverage the Security Fabric for rapid response. If your customers have Security Fabric products, tell them about FortiSOAR right now. It is super, super powerful when you know how to leverage these products together. The second key area is SOC automation. SOAR is all about using orchestration and automation to streamline SOC processes and automate SOC tasks, freeing the SOC team from manual, repetitive and mundane tasks; let the machine handle the things it's good at and let humans focus on more cognitive tasks such as threat hunting and forensic analysis. Today, FortiSOAR has various incident response playbooks to handle different SOC use cases. [ There were 150-plus ] connectors to third-party products, out-of-box content packs that contain various playbooks, the best practices and use cases for a SOC to jump start. FortiSOAR 7 is now available as a container on FortiAnalyzer. Anyone who has FortiAnalyzer can download the FortiSOAR app from Fortinet Cloud and have it running on FortiAnalyzer, all with a simple click. This automates the install and deployment process and seamlessly integrates with the FortiAnalyzer out of the box, with content packs and playbooks available for the SOC to use. 
Note that FortiAnalyzer VM or FortiAnalyzer high-end appliance 3000 Series and above are required to support the FortiSOAR container. For Security Fabric customers who are looking to establish a SOC or accelerate their existing SOC maturity, this is the most cost-effective way to go. The AI-based recommendation engine is available from version 7, pushing intelligent automation to the next level. AI and machine learning are leveraged for smart suggestions of alert severity and threat type based on pattern similarities and also learning from past human analyst triage results. False positive alerts can be automatically identified and then closed so human analysts won't waste time looking at them. Another thing we've added is the connector wizard to automate the connector creation process. A customer can quickly build their own custom connectors within minutes and then publish them across platforms. The third area is cloud services. We've seen growing demand for cloud-hosted FortiSOAR. Today, we can set up FortiSOAR in AWS. And with version 7, FortiSOAR Cloud is available for our customers. You can easily spin up a FortiSOAR instance in Fortinet Cloud. The FortiGuard outbreak alert service is also available for customers' FortiSOAR deployed on-premise. This service makes all resources such as the playbooks and threat intel available to protect customers against malware and against outbreak situations such as the recent SUNBURST outbreak for SolarWinds, helping customers to detect and also hunt the threat. To make things even easier for the SOC team, we now have the FortiCare best practices service available for FortiSOAR. You don't have to figure out things yourself, no matter if you have a new deployment or are upgrading existing systems. This annual subscription service will have Fortinet experts available for consultation to ensure your deployment or upgrade is successful. Finally, I would like to mention there are resources available on the FNDN Virtual Tech Expo. 
FortiOS 7 will be GA-ed at the end of Q1. FortiAnalyzer 7 and FortiSOAR 7 will come a few weeks later in April. That's all from me today. Max, back to you.
Max Zeumer
executive
Thank you, Ling. FortiSOAR has had an amazing year. But how and who are driving that? I'd like to take a moment to walk you through some validation and customer success that highlights what is driving FortiSOAR. I'd like to quickly touch on that FortiSOAR has repeatedly been in Gartner's SOAR market guide as a vendor, including the most recent release, supporting the validation of the product as it aligns with the convergence of 3 critical technologies that produce SOAR. Furthermore, I'd like to highlight a customer success story about an organization named Secure Cyber Defense. That's an MSSP that leveraged FortiSOAR not only to remedy the complexities we've discussed earlier but actually to expand and increase their business and revenue streams. Their challenges started off with battling alert fatigue. They wanted to enhance their threat response efficiencies. And another big one was that the cybersecurity skill shortage had an impact. They had a lot of very talented senior-level analysts that were bogged down with repetitive L1 analyst tasks who could be more focused on critical initiatives. So their goals were to increase productivity and the effectiveness of their SOC team, also to have a differentiator from their competitors within the MSSP space and expand revenue streams. And so what they were able to do, post implementation of FortiSOAR, was accelerate their response to perceived threats from 45 minutes manually to 2 minutes in some cases. But what's also really unique is that they were able to develop a new 7-figure revenue stream. And this is because FortiSOAR, in combination with FortiSIEM and FortiEDR, enabled Secure Cyber Defense to pursue this new business opportunity that would not have been possible if the firm had still been reliant on manual investigations. 
Now that they're no longer reliant on those manual processes, they are providing a managed detection and response, also known as MDR, service, and processing and responding to security events. All told, FortiSOAR has created this new 7-figure revenue stream for the firm as a result of implementing it. In addition to that, when we take a look at their SOC efficiencies, they were able to implement the FortiSOAR case management functionalities to seamlessly replace their ticketing system in just 1 day. Lastly, they created a new FortiSOAR use case where they used automation beyond just investigation purposes, which is a differentiator for the product, to track the national power grid and weather services to identify if there is a breach or power outage in one of their customer locations. And so this became a phenomenal customer success story because they were able to remedy the issues they were battling on the SOC side but also expand their overall portfolio and business through the implementation of FortiSOAR and the additional fabric products that I mentioned earlier. If you'd like to read the full case study, I provided a link here where you can really read the entire story. And it's quite an incredible success story that they had that was triggered with FortiSOAR. I'd like to take a moment to highlight the 3 key takeaways and recap the enhancements and innovations and some of the information Ling had discussed with FortiSOAR 7.0 in particular. So 3 key takeaways. First, start with rapid response. When we take a look at these enhancements, in particular, a big takeaway is the incident response war room, which is also supported by the mobile app. And what this does is it increases overall efficiency by enabling teams to have faster coordination between their departments in a crisis management scenario, for example, and expand operational visibility through the mobile application by having the SOC in the palm of their hand. 
The next or second key takeaway from what we discussed earlier is SOC automation. You've heard Ling highlight, when touching on our enhancement details, the FortiSOAR [ FAS ] container. And this not only provides a trial experience to users, but it can accelerate the maturity of these users. And when you combine that as a big takeaway with our jump-start content packs that provide out-of-the-box use cases, it will enable these lower-level maturity SOCs to accelerate much faster because not only will they have the full capabilities of FortiSOAR within their environment, but then they can add the jump-start content packs with those out-of-the-box use cases to their environment and quickly get that going. Lastly, our cloud services as our third key takeaway, the FortiSOAR Cloud. And this really is designed to simplify deployment, reduce the management complexities. And when you add in our best practice services, what you get is our FortiSOAR experts that will support all the overall configuration and apply their expertise and knowledge during these configurations so you can quickly get started. And this is really critical for teams that want to move from on-prem to the cloud. And so that is our last takeaway from what was discussed earlier. I'd like to take you through some next steps and resources, depending on where you are at in your journey with FortiSOAR. The first thing I recommend is going to our web page. And on our web page, you will find our free trial, which is our FortiSOAR Community Edition. And you'll be able to see how it works to its fullest capacity and implement some of the efficiencies and see how it can help your team rapidly respond and really get in there and play around with the product to further your understanding. But I also recommend, as Ling mentioned earlier, to take a stop at our virtual expo. Under our AI-driven security operations, you will find an incident response section. 
And that's going to detail a lot of new information and deeper dives into FortiSOAR and what's to come in FortiSOAR. That will be of great benefit for your understanding on where the product is going. Lastly, for resources, I've listed out our resources that are available on our website, where you can find everything from data sheets, e-books, solution guides, case studies, multiple webinars and our Fuse Community where we share best practices amongst customers and our FortiSOAR experts, which is extremely valuable. I hope you've enjoyed today's session, and thank you again for joining us, and we look forward to you taking a deeper dive into FortiSOAR. Take care.
Jon Speer
executive
Hello, and welcome. I'm Jon Speer, Director of Product Marketing. My co-presenter today is Dan Hanman, the Director of Product Management. Thanks for joining our session, Applying Advanced Threat Analytics for Earlier Threat Detection. This is a session focused primarily on FortiSIEM. And if you're confused by that, then you're in exactly the right place. It's time to expand your understanding of what a SIEM can be and must be to get in front of today's threat environment. I'll spend a few minutes level setting on the customer pain points that we consistently see and focus our solutions on. Dan will then give a quick introduction to FortiSIEM and announce some exciting new features and capabilities that you'll find in the latest release. And then I'll wrap up with some real-world validation and leave you with some key takeaways. Now before I move into the challenges that FortiSIEM focuses on, let's also take a moment to recognize the unfair advantage that FortiSIEM has if you're already a Fortinet customer. The Fortinet Security Fabric creates a SOC foundation that is so much more powerful than anything else available in the market. It's broader with more products, more integrated within the fabric management center and security operations, more automated with more workflows across all elements. More fabric-ready partners have joined the ecosystem. Fortinet's open fabric ecosystem is a community of leading technology vendors and threat-sharing organizations that are committed to delivering complementary solutions for stronger security posture and protection to customers. It's one of the most extensive cybersecurity ecosystems in the industry with over 400 technology integrations that are pre-validated, documented and faster to deploy. Customers gain a wide range of scalable and secure complementary ecosystem solutions for visibility and protection of their entire digital infrastructure. Organizations face many security challenges. 
But across almost all organizations, whether based on size or vertical, these tend to be common to them all. Threats can be many and varied, looking for that single chink in the armor to compromise a system, with the threat coming from phishing e-mails, vulnerable systems, misconfigurations or lack of risk management. The external threat continues to evolve, and we must be positioned to detect these evolving threats and have the ability to collect information from multiple vendors and use that data to identify threats quickly and effectively. The inverse to external is the internal threats, which have been some of the most high-profile compromises in the last decade. The challenge of detecting insider threats is that users typically have been granted broad access to resources, allowing for large amounts of data to be accumulated and moved to nefarious actors. So how can we detect this anomalous activity by a negligent user or a malevolent actor? Visibility is a broad challenge, but every organization should understand what assets they have, whether they are in service, whether there are performance issues and, of course, any security incident affecting the asset, service or organization. Sounds simple enough, but getting this state of visibility is often not trivial. And until understood, the management of organizational risk will remain a challenge. And lastly, compliance. With penalties, reputational damage or the inability to process transactions, compliance to a framework is common to organizations. Whether or not compliance is the main driver for a SIEM, using a compliance framework or a good practice will help focus an organization's cybersecurity maturity. Applying the appropriate people, products, processes to conquer these challenges has immense value to most organizations. 
Keeping up with digital transformation can be really challenging for a SOC, and it's easy to end up with blind spots as parts of the business move forward without enough consideration for how the security team can monitor. One option is to try and slow down the business. But of course, the better option is to leverage technology to help you keep up. You will never have enough talented analysts, perfectly documented processes or time to manually mitigate every incident and keep track of who did what and when. Leveraging technology to risk-prioritize what gets worked on next, optimize investigations and provide preset remediation actions is critical to scaling a small team to accomplish big things. Likewise, the ability to easily scale out is critical, whether it's adding more locations, a bigger team working on investigations in parallel or giving more horsepower to just crunching through higher event loads. The SOC must keep up with the business and go where the business goes. Some use cases have been pretty consistent over time. They tend to be a little different in focus, depending on the size of the organization, the type and level of regulatory compliance they're under and the maturity of the SOC capabilities. But like many areas of technology, what was once reserved only for the large, highly funded or highly regulated eventually becomes achievable by smaller teams with smaller budgets. Advanced threat detection is one of these areas that was shifting towards mainstream SIEM anyway but got a pretty big boost recently from the SolarWinds situation. Teams that previously focused on how to best stay on top of alerts and work cases quickly are now also looking for ways to recognize more advanced threats, such as watching for known indicators of activity earlier in the attack chain. Insider risk has always been a concern for security ops teams but, previous to the last couple of years, has, for many, seemed like a threat that they just couldn't afford to take on. 
As compliance and risk management teams have responded to ramped up regulatory expectations for a more comprehensive insider risk management program, combined with the widespread availability of machine learning for behavioral analytics, this has now become a relatively lightweight add-on in terms of overhead load to the team but a big payoff in terms of earlier detection. Visibility has long been a cornerstone of SIEM, being able to monitor the infrastructure, see what you have and overlay events. Of course, FortiSIEM's approach has always been to go significantly further in this area than the rest of the market, from discovery to configuration management, risk scoring, extending to the cloud, even monitoring remote worker endpoints. Finally, optimized response is a fundamental use case for SIEM, the notion that the SOC can work much faster with a deployed SIEM than it would if, for instance, they just had a log aggregator product and a bunch of security point products. Every part of the job should be enhanced, and they should be able to handle a much larger workload. And when asked for proof of compliance rather than becoming a project, the SIEM must do most of that work for them. FortiSIEM meets these challenges and use cases by accelerating threat detection with machine learning and other advanced analytics, delivering real-time visibility of even the most complex, multi-vendor ecosystems and always finding new ways to improve scale and operational efficiency for the architecture, the individual analysts and the organization overall. So let's dig into the specifics with FortiSIEM's Head of Product Management, Dan Hanman.
Dan Hanman
executive
So thank you, Jon. Well, let's take a deeper look at some of the product feature updates coming in FortiSIEM version 6.2. Let's take a quick recap of some of the main solution components within FortiSIEM though. First of all, FortiSIEM uses a correlation engine to detect incidents in near real time with over 1,300 rules out of the box, covering everything from security, of course, as well as change but also performance and availability. And it supports multiple different vendors. We have a user and entity behavior analytics capability, UEBA, to be able to profile user behavior and alert on anomalous activity. Now FortiSIEM also provides a NOC and SOC capability, expanding the visibility from just security-related events and incidents but also allowing us to understand the devices within the environment by discovering those and collecting performance information. And finally, around compliance, there are over 1,200 reports out of the box, compliance reports, fully customizable, covering the common compliance frameworks. So as Jon mentioned on some of the customer challenges we see, we have different solution components within FortiSIEM to meet those challenges. So looking at how we license FortiSIEM. It can either be purchased as a perpetual license, a subscription license, as a term license or an MSSP pay-as-you-go program. It can be deployed as either a virtual appliance or a hardware appliance, where we have a collector appliance, which is for the purpose of collecting events and monitoring devices, or we have a mid-range appliance, which is a 2000F, or a higher-end appliance, which is a 3500G, that provides the main FortiSIEM capabilities. Now when we're licensing FortiSIEM, it's really licensed on the number of devices. Some other aspects also come into this as well. Total number of events per second is one. 
But if we are asking the question of our customers and organizations how many devices and how many workstations or end points are needed, we can then ask another question about how many agents are needed. And why you would need an agent as if you're needing to collect a broader set of events, collecting events at a much higher event rate that you cannot achieve using an agentless protocol, or if you have file integrity monitoring requirements. The other question to ask is how many users need monitoring for UEBA. And once you understand the number of devices, the number of agents, the number of UEBA, it's a very simple calculation to look at the service points. So once you have the service points, you can choose the correct FortiCare package and optionally choose the FortiGuard IOC package as well. So it's pretty straightforward licensing. It's built off a number of devices whether or not you need agents, whether or not you need UEBA. So let's delve a little bit deeper into what's new in 6.2. First of all, around accelerated threat detection. Analytic platforms and, in particular, SIEM, require 2 core fundamentals: One is the ability to scale to manage the demands of the organization or scale an -- as an MSSP business grows; and two, be able to scale the correlation and detection engine as more events or logs are received. New use cases are identified and incorporated or still will simply be able to perform real-time correlation and alerting. Whilst these seem to be table stakes for SIEM, not all platforms can provide this level of scalability. And whilst one of the fundamentals should be the ability to scale, really, the value that a SIEM provides an organization is the ability to detect threats and help achieve compliance or reduce and manage risks where other controls may be lacking, as SIEM can provide organizations a great deal of value as part of their security strategy or simply a tactical solution to address a specific use case. 
And now that we understand we can scale to meet almost all demands, what have we done to improve detection? Well, I've already mentioned that we've got a UEBA capability within FortiSIEM, and that was added in the previous release at the end of last year. This incorporated core elements of FortiInsight, our pure-play UEBA platform, directly within FortiSIEM, in 2 main areas. One is around the FortiInsight agent capabilities, which have now been embedded within the FortiSIEM agent. And this new UEBA capability on the agent creates events of user interactions between resources or files. And these events are then sent up to FortiSIEM's appliances. And within FortiSIEM, we now have the FortiInsight machine learning module embedded. So now we have the agent telemetry coming into FortiSIEM to build up a user model of what is normal, and then if we see anomalous activity, we're going to generate an alert. And one ideal use case for this is around insider threat, a notoriously difficult adversary to detect. Not only can this new UEBA agent telemetry be used on machine learning, but also as part of the standard FortiSIEM capabilities such as the correlation engine, reporting on user activity or adding information to dashboards. And in the 6.2 release, we've got some new UEBA dashboards as well. FortiSIEM's file integrity monitoring capabilities have been improved to help with compliance and change management and to also be able to pull in the files that are being monitored directly onto FortiSIEM so that you can do a comparison between what's changed. And in this release, we've significantly increased the number of security rules within FortiSIEM. We've added around 500 new rules, and I'll go over those in a bit more detail in a moment. So let's move on to real-time visibility and multi-vendor ecosystem. And FortiSIEM is a little bit different to other SIEMs on the market, as it does provide its NOC and SOC capability. 
But first and foremost, FortiSIEM is a SIEM, and it provides these 2 additional capabilities. The first is that it discovers the environment using standard operational protocols like SNMP or API integrations so that we understand what the device is. Is it a FortiGate or is it a switch? What's the firmware of this device? What's the configuration? Let's start monitoring the configuration for any changes. And then once that discovery is complete, FortiSIEM then monitors the device for performance such as CPU, memory, interface utilization. And this is quite unique when coupling it with security incidents and events. It provides a wider set of contexts to the analysts. We have also added new integration with FortiGuard IOC services, allowing customers to perform lookups directly into this service and get more context on the IP addresses, domains or URLs and then move directly into the FortiGuard IOC service and perform additional investigations on their indicators. And this is granted as part of the FortiSIEM IOC subscription. Efficiency is an important aspect of this SIEM. We often call SIEM a force multiplier, as one of the key value propositions is to multiply the efficiency of a user or an analyst. And that requires a positive user experience and ensures that there is a necessary context available. One of those areas is around FortiSOAR, where there's an out-of-the-box integration for -- between FortiSIEM and FortiSOAR available today. But we'll be looking to do much deeper integration between those. If you are not already aware, FortiSIEM already has a remediation framework available to augment some of the more straightforward scenarios. And in 6.2, we've added a lightweight workflow so that when an analyst needs to perform a remediation, there can be an approval step before that action is executed. 
And as MSSPs are a growing customer base of FortiSIEM, some of their requests have also filtered down into this release, such as SAML for single sign-on, an important part of the user experience moving between an MSSP portal and into the FortiSIEM instance. We've also optimized areas around agent management, as the use of agents is becoming more significant in the deployment as we have more capabilities around file integrity monitoring, UEBA and event collection. We've also added some new fabric content, and this includes new dashboards for the likes of FortiEDR, FortiADC, FortiDeceptor, the new incident dashboard as well. So now when you log into FortiSIEM, as long as you've integrated these devices, then you'll see these new dashboards ready to go with new rules and reports as well. In the 6.2 release, we've extended our support for OT and IoT use cases. We've added new third-party integrations with the OT vendors. We've added a new use case that allows organizations to model their infrastructure using the Purdue model within FortiSIEM, alert on activities such as traffic crossing multiple Purdue levels and be able to baseline communication between OT devices. And this can be represented in dashboards and, of course, within the incidents. So we'll have a new OT dashboard and new events and incidents that will be triggering if we see suspicious activity. The MITRE ATT&CK enterprise view provides organizations with an understanding of tactics and techniques adversaries are using. With the additional integration of this framework into FortiSIEM, it allows us to understand the rule coverage that the out-of-the-box FortiSIEM rules provide against the ATT&CK framework. And therefore, we can understand where we may need to improve coverage as well. And in this release, we've added over 500 new rules to improve the coverage against the MITRE ATT&CK framework. And these can easily be understood by going to the coverage view. 
In addition to understanding the rule coverage, you can also understand the incidents that are occurring and plot those on the same framework, so now we can see what tactics and techniques are associated with our incidents. And as we progress in the investigation, we can simply click on one of the incidents, and we'll understand all of the different types of techniques which are being used, be able to click on the techniques and go into the MITRE website directly, or bring up a summary of what that incident is and quickly understand what the pattern was that detected that incident. We still have the attack view, but we renamed it the MITRE ATT&CK Incident Explorer; it allows us to see, on a per-device basis, the incidents as they progress through the different tactics in the attack view. And you can click on any of these bubbles to drill down into more information about the incident and down into the actual triggering events themselves. So where do you get more information about FortiSIEM? Please visit the virtual tech expert, check out the Fuse community for FortiSIEM and also the resources on the Fortinet website.
Jon Speer (executive)
Thanks, Dan. That's fantastic, really exciting stuff. Now I'd like to share some market success. But first, let's talk about the Gartner Magic Quadrant for SIEM. As many of you probably know, Gartner continues to update their Magic Quadrant for SIEM about once a year. This is the 2020 release here, which was based on the product as it existed midyear 2019. They had many positive things to say, including recommending FortiSIEM for all Fortinet customers and a strong recommendation for MSSPs. Nonetheless, they did keep us in the niche quadrant. Two of the largest shifts in the SIEM market over the last couple of years have been the focus on UEBA and the shift towards SIEM as a service, really a hosted or SaaS version of products, and, of course, fully managed SOC services as well. Among many other enhancements, as you just learned, FortiSIEM does have fully embedded UEBA that we think is quite competitive with the rest of the market, and it was included in Gartner's survey for the upcoming 2021 SIEM MQ report. They have not been particularly generous regarding our decision not to provide a SaaS version of the product and instead to use some of the top MSSP partners in the world as our delivery partners. It's not entirely clear yet how the 2021 rankings will come out, but we're actually optimistic that they are recognizing FortiSIEM's many unique strengths, and we look forward to the new report. Of course, there are other reports in the market. And I'm excited to talk about one by the SIEM users themselves rather than just the analysts. A great example of one of these is the SIEM Data Quadrant report from SoftwareReviews. They are pretty selective about only showing those vendors that have enough customers that have come forward and taken the surveys. So you can see that it's really just down to those that have quite a bit of product in the market, and others drop out.
Obviously, LogPoint did a great job of rallying their installed base to take the survey, which tends to be smaller European businesses. But by SoftwareReviews' own calculations, FortiSIEM came in second overall with really no campaign that I'm aware of, just purely organic users coming forward. What really stood out for me as well in this report is that when they segmented the survey data, FortiSIEM jumped right to the top for large enterprise customers, with a Net Promoter Score of 76 and 100% planning to renew. It's interesting to see that these customers had almost no consideration of cost as well. They are completely focused on product features and capabilities. Okay. Let's wrap up and remember what we covered. First, we've been investing heavily in threat detection on a couple of fronts simultaneously: expanding the behavioral analytics that can profile what is normal in your environment and alert when suspicious anomalies occur, and leveraging what the information security community is sharing in terms of effective rules, correlation rules across whatever products they're using, making sure that all of them are available to FortiSIEM customers. Second, we are committed to the benefit and value that the MITRE ATT&CK framework can deliver to FortiSIEM users. This latest release is a huge step forward in being able to leverage the framework to easily see what coverage you have and, of course, where you may not have coverage, so that you can focus there. Also, Fortinet is continuing to deepen the FortiSIEM integration with the Security Fabric and our fabric partners, with more powerful and specialized dashboards, API hooks and overall tighter integrations, to ensure that FortiSIEM is the most powerful and flexible SOC interface into the Security Fabric.
And finally, there are several new integrations designed to enhance the user experience, giving analysts an enhanced experience by linking investigations that include indicators of compromise with the new FortiGuard IOC portal, where they can choose to drill in for more info and find out what related indicators they should keep an eye out for. You can submit requests and questions directly to the FortiGuard threat researchers. And for our service providers especially, taking advantage of existing single sign-on services so that they can provide their customers with segregated access to the FortiSIEM UI and make their introduction to FortiSIEM that much easier and smoother. Well, thank you for attending our session, and we look forward to working with you in evaluating whether FortiSIEM is right for your environment or that of your customer. Thank you. [Break]
Damien Lim (executive)
Hello. Welcome to this Accelerate breakout session focused on using deception technology to raise the bar for attackers, forcing them to abandon their efforts in targeting the organization. My name is Damien Lim, part of the Fortinet product marketing team focused on our breach protection solution and products. And joining me is Moshe, VP of Product Management, instrumental in driving the success of FortiDeceptor. To provide context, FortiDeceptor in today's discussion is part of the breach protection solution that sits under AI-driven security operations and is part of the overall Security Fabric. In today's agenda, we will cover the cybersecurity challenges and solution approaches. One such approach involves the use of deception to defend against external and internal attackers. We'll then delve into FortiDeceptor's unique features and the validation of the solution, and wrap it up with a recap and next steps. Without further ado, let's discuss how an organization can evolve its security to deal with the challenges that cyber attackers pose. Most organizations adopt a security framework such as NIST, MITRE ATT&CK, the MITRE Shield framework or Lockheed Martin's Cyber Kill Chain to plan their information security strategy. In our example, we will leverage the 7 stages found in the Cyber Kill Chain as a guide to our discussion. Foundationally, a security operations team should have a good baseline in securing all threat vectors or entry points against the delivery of known threats as a first stage, then move into adopting sandboxing as a method to protect against the delivery of unknown and zero-day attacks. The next evolution of SecOps maturity is the adoption of deception technology to detect attackers performing reconnaissance.
And finally, organizations should consider adopting sophisticated AI such as the Virtual Security Analyst, which can serve to automate the cumbersome task of investigating threats and their objectives, so security operations teams can achieve peak efficiency and scale even further. Now, to improve an organization's security posture beyond malware protection, a defensive strategy should revolve around identifying the threat actor and their tactics in the early stage of the attack, such as those involved in reconnaissance activities. According to Verizon's Data Breach Investigations Report, the survey found that 2/3 of breaches can be attributed to external threat actors, while the remaining 1/3 are attributed to internal threat actors. The other challenge organizations face is the rising cost of mitigation. Now, this is driven by the success of a security incident or breach, and thus it is an important focus for many organizations to avoid that as much as possible by detecting and responding to these attacks at the earliest opportunity in the kill chain. To solve these challenges, one should consider deploying deception to disrupt the reconnaissance activities seen in the first stage of the kill chain mentioned earlier. By leveraging FortiDeceptor, an organization can create a fabricated network of fake IT assets and high-value lures that facilitate engagement with attackers through decoys that simulate real devices and applications, with the intention to expose them and then respond to them. Furthermore, an organization can extend this fake network to the OT segment by recreating the OT network with fake OT devices that respond to the protocol commands. Lastly, by complementing disruption with in-place SIEM and SOAR, organizations can enrich their security incident response by taking advantage of the intelligence generated by FortiDeceptor to accelerate threat hunting and perform pinpoint orchestrated responses to threats.
FortiDeceptor is designed to deceive, expose and eliminate external and internal threat actors. This provides security operations with powerful security that helps further improve their security posture through the use of deception technology, enabling them to secure business continuity against threat actors and their tactics. While implementing powerful security is an important endeavor, that security needs to be applied to both IT and OT segments for a holistic approach to defense. This helps security operations close off any gaps and secure the dynamic attack surface. Lastly, organizations can reap the benefits of SOC automation through the integration of FortiDeceptor with existing security controls, the Fortinet Security Fabric. This gives security ops the ability to scale and increase SOC efficiency without increasing budgets. And with that, let me turn it over to Moshe.
Moshe Simon (executive)
Thanks, Damien. In the next several slides, we will cover the FortiDeceptor technology and the new upcoming features, and also the new ordering guide and knowledge resources to use. FortiDeceptor combines the notion of a honeypot with threat analytics and threat mitigation in one solution. Specifically, FortiDeceptor creates decoys to lure attackers and inspects their behavior to generate accurate threat intelligence and block both external and internal attacks before any significant damage occurs. Fortinet is the first major security vendor to offer deception technology, besides a handful of deception start-ups. The offering is available as a hardware appliance and in a VM form factor. FortiDeceptor detects threats to assets that cannot provide their own telemetry, such as IoT sensors, SCADA and medical devices, and detects threats moving inside the network instead of detecting threats on egress and ingress traffic. FortiDeceptor provides visibility inside the network while focusing on targeted threat detection of APT-grade actors, and also APT malware missed by other security tools. Furthermore, FortiDeceptor is integrated with FortiGate and FortiNAC as part of the automated threat response process, and also with FortiSIEM, FortiSOAR and FortiAnalyzer for broader visibility. Now that we understand the FortiDeceptor technology, let's focus on the product's long-term road map. In the next 12 months, we will release 3 major versions that will support our product vision and use cases. The deception decoys and lures are the bread and butter of the product, and we will expand our decoy and lure offering by adding more platforms in IoT/OT decoys and more deception lures, like Active Directory and beaconing files. In parallel with our decoy and lure expansion, we will also improve decoy and lure authenticity by allowing features like MAC address changing and on-demand decoys, and by ensuring correlation between the deception lures and the Active Directory environment.
Deception technology generates threat intelligence and attack attribution information to improve response effectiveness. FortiDeceptor will leverage FortiSandbox and FortiAI to run more in-depth malware analysis to enrich the threat intelligence IOCs. Besides the threat intelligence creation, FortiDeceptor will share the IOCs across the Fortinet fabric and third-party security tools using market standards like STIX and TAXII. As part of our OT offering, we will release a rugged appliance with more features specifically for the OT environment. The Fortinet Security Fabric is designed to simplify the management of an organization's entire security architecture. FortiDeceptor is already part of the fabric, integrating with FortiGate and FortiNAC for threat response isolation and with FortiSIEM, FortiSOAR and FortiAnalyzer for broader visibility. FortiDeceptor will expand the fabric integration, focusing on FortiGate as part of the network topology map and on FortiSIEM with a credential theft protection model. In addition, we will improve scalability over large distributed networks and will also provide richer context and more useful telemetry to improve SOC threat hunting capabilities. FortiDeceptor version 3.3 is a major release, and the GA version will be released at the end of March 2021. As you can see, we expanded the decoy and lure section dramatically by adding 5 new decoys and several deception lures. The new SCADA decoy will protect against OT attacks, and the new ERP decoy will protect against sensitive data exfiltration attacks. The new point-of-sale decoy will protect against financial data exfiltration and theft attacks. Under medical decoys, we will offer 2 different decoys: a PACS system decoy and an infusion [ pump ] device decoy, to protect against medical record exfiltration and medical device attacks. The Git decoy will protect against supply chain attacks like the SolarWinds one.
To increase decoy authenticity, we have also added a feature that allows modifying the decoy MAC address. In addition, we have added new deception lures, such as cached credentials and a fake network connection lure, that protect from password dump attacks and detect attackers early in the kill chain. We have added a new set of IPS signatures against SCADA attacks to expand our OT solution offering. In the fabric integration section, we have added another FortiGate integration, where FortiDeceptor will be part of the topology map feature. FortiGate admins will have the option to see the FortiDeceptor appliance status and the decoys that are up and running in real time. We have also expanded the tight integration between FortiDeceptor and FortiSOAR by adding more playbooks, and also increased the integration level between FortiDeceptor and FortiSIEM as part of our SOC efficiency use case. The new central management, as a single console, will allow us to manage and deploy remote FortiDeceptor appliances, get their alerts and provide alert analysis from a single console. We have also improved software license activation by moving to a new protocol over SSL, and improved the [ safety ] features to add more flexibility to the whitelist capabilities. Now let's move to the ordering guide. FortiDeceptor licensing in Q1 will have no changes. FortiDeceptor licensing in Q2 will have a minor change regarding the new decoys. The new decoys ERP, POS, PACS and Git will be under the current SSL VPN SKU. In mid-Q3 2021, we will change the entire FortiDeceptor license model. The new license will be a subscription bundle based on the number of network VLANs the customer is willing to cover. Of course, FortiCare, ARAE and all the deception models will be included in the bundle. FortiDeceptor's ARAE technology and the FDS engine are unique in the deception market. FortiDeceptor is the only deception technology with IPS, AV and web filter that monitors the threat activity at the decoy level.
Unlike other deception tools, our IPS engine provides more context to the attack by identifying the network attack itself, such as the exploit name, instead of presenting an alert with just a decoy network connection description. It is important to add that our IPS engine also contains SCADA signatures as part of our deception OT capabilities. Another unique capability is the web filter engine that analyzes the traffic from the decoy to the Internet to detect and analyze any command-and-control connection that the threat actor and malware use while compromising the decoy. The FortiDeceptor Fuse page is maintained and updated weekly with content related to sales, marketing, proof of concept, best-practice deployment and videos covering the core components of the product. We also have a very active Teams group called deceptor_FDC, which I highly recommend joining. For hands-on labs, we have a fast-track session for partners that allows them to deploy and test the product. We will refresh this training session after the release of version 3.3. For FD training and demos, we will have a cloud platform that will allow the FD to deploy and test the product for training purposes. We are expecting to have this platform by the end of Q2. I will now hand it over to Damien for the remaining portion of this presentation.
Damien Lim (executive)
Thank you, Moshe. We'll round off this presentation with a customer case study and, lastly, a quick recap. For FortiDeceptor's customer success story, I would like to discuss a large media conglomerate in Europe that was looking to bolster its security architecture to detect and respond to both external and internal threats via a layered approach to security, with the eventual goal of consolidating all of its various security solutions. Now, they went with deception technology since it allows them to redirect external and internal threats away from their hosted media platforms as well as their sensitive data, and provides them with an early warning to deescalate these threats. Since their IT security team is shorthanded, they have a strong need for automating their security solutions. Currently, there are a handful of vendors offering deception, with the majority of them being start-ups, and that created concerns around regional support gaps and disruption to product development due to the possibility of acquisitions. To overcome these concerns, they went with Fortinet for this particular project because it came from a well-established security vendor offering global follow-the-sun support as well as a commitment to the homegrown FortiDeceptor investment. And most importantly, FortiDeceptor integrates with their in-place FortiGate deployment, thus fully automating all corrective responses. And the best part: they saw immediate value after the deployment of deception, as they caught an internal user performing port scans and attempting an unauthorized connection to one of their decoys. Now, this really helped with eliminating the actual threat before it escalated even further. With that, let's discuss the key takeaways of the FortiDeceptor solution. FortiDeceptor is a powerful addition to any organization's security strategy by focusing on the attackers themselves.
FortiDeceptor provides timeline-driven threat campaign analytics that reveal the attacker's intention and tactics, including malware details from the integration with FortiSandbox and FortiAI. FortiDeceptor also automatically learns the types of endpoints, servers and services that are found in that particular organization, so it can recommend the appropriate interactive decoys, lures and services to be provisioned. Now, incorporating deception is part of a proactive defense, and this really helps elevate an organization's existing security posture and reduces business disruption due to external or internal threat actors. Besides that, FortiDeceptor broadly covers the IT segment of an organization by simulating Windows and Linux clients and servers, but also the OT and IoT segment, including ICS, SCADA, ERP, medical and point-of-sale systems for all these various verticals. Besides the devices themselves, deception covers various applications and services, including things like Git repositories, VPN, SMB, SQL and many others. Now, this helps security operations close off gaps with this comprehensive coverage of the dynamic attack surface.
Peter Salkowski (executive)
I'm Peter Salkowski, Fortinet's Vice President of Investor Relations. I'd like to welcome everyone to Fortinet's 2021 Analyst and Investor Day, and thank everyone for attending. Presenters today are John Maddison, Fortinet's Chief Marketing Officer and Executive Vice President of Products; and Keith Jensen, our Chief Financial Officer. This is a video presentation that will be available for replay on the Investor Events section of our Investor Relations website. A copy of the slide presentation as well as a transcript of the Analyst Day will also be posted on the Investor Relations website later today. Now on to today's agenda. John will start off today by taking a deeper look into some of the topics he presented earlier today at Accelerate 2021. A replay link of John's Accelerate 2021 keynote, along with the Accelerate keynotes from CEO Ken Xie and Patrice Perche, along with all 3 presentation slide decks and transcripts, are posted on the Investor Events section of the Investor Relations website. After John, we'll host a brief Q&A session with our sell-side research analysts. Keith will then review Fortinet's growth drivers, summarize the company's consistent financial performance over the past several years and provide our 2023 financial targets. We will then conclude with a longer Q&A session where Keith will be joined by Ken, Patrice and John. During both Q&A sessions, we ask that you please limit yourself to one question. Before I turn the day over to John, I'd like to remind everyone that during today's Analyst Day, we will be making forward-looking statements, and that these forward-looking statements are subject to risks and uncertainties which could cause actual results to differ materially from those projected. Please refer to our SEC filings, in particular the risk factors in our most recent Form 10-K and Form 10-Q, for more information.
All forward-looking statements reflect our opinions only as of the date of this presentation, and we undertake no obligation, and specifically disclaim any obligation, to update forward-looking statements. Lastly, I'd like to remind the analysts that if you want to take part in the Q&A session, you need to join the Analyst Day using the Zoom link that you accessed earlier. I will now turn the presentation over to John.
John Maddison (executive)
Thanks, Peter. Let me share my screen here. All right. So Peter has given me 20 minutes to get through this conversation. So I'll make sure I focus in on the relevant points. So, two main points. One was, although we announced FortiOS 7.0 about a month ago, it's going to be available at the end of this month. It has really expanded what we call our platform or fabric approach across the endpoint, across the network and across the cloud. There are not many vendors who can support that platform across all 3 of those areas. And we also deliver it via our appliances, software, virtual and SaaS delivery as well. I think the main topics I'm going to talk about in terms of product will be SASE, although that definition seems to change depending on who you're speaking to, but also Zero Trust. And across those 2 things -- I don't see that they've shared my video. It seems I can't share my video. There you go. SASE and Zero Trust are use cases that span multiple products. And one of the issues customers are finding is that because they've got point product A, point product B, point product C, making those use cases work across all those different vendors is almost impossible for them. So, further evidence that a platform is going to be the solution going forward. The second point is our partners. And today, we announced AT&T from a SASE partnership perspective; I've been working on this for a while. Taking SASE and implementing it through the network is absolutely the best way. SASE consists of SD-WAN and secure web gateway. And so for sure, with SASE implementation through the service providers, we do find that there are a lot of conflicts with SASE-only companies or SaaS-only companies, a lot of channel conflicts. Our strategy is to partner with our channel, and that includes our large service providers as well.
Now, from a vision and mission perspective, here at Fortinet, as you know, and as we explain to customers, this digital innovation is just accelerating. And as they accelerate that, it just expands the attack surface, and they really, really want to make sure that they secure the people, devices, data and infrastructure. And what we're seeing is greater collaboration between the CIO and the CISO teams as we go forward. Who is Fortinet? We're definitely, as you know, one of the top cybersecurity brands, and we really focus on delivering a platform that covers that entire attack surface. Now, the TAM. It's always interesting to me when I see companies put up TAMs. And sometimes, I don't know where they get their information from, because they claim a TAM that I have never seen them operate in. But this is our TAM, which is backed up by a lot of Gartner information. Obviously, we do that through Magic Quadrants and market guides, and I'll talk a bit about that briefly. But our TAM stretches from users and devices, across the network, across cloud and security operations. We operate both in the network security world, the networking world, as well as the cybersecurity world. What trends are we seeing? What's driving the marketplace across endpoint, network, cloud and security operations? Well, at the endpoint, obviously, with work from home, we're still seeing factories IP-enabled. And I'm going to zoom in on the Zero Trust architecture for that, which is a migration from VPN. Network security: what we're seeing is a lot more edges appear. It used to be a very well-defined perimeter. Now we're seeing a lot of edges appear. And so I'll talk about SASE, which is a good component of that. Cloud security: we continue to see the rollout across hybrid, across cloud. And we're seeing it migrate all the way back into distributed or edge compute. And so an adaptive cloud security approach.
I'm probably not going to have time to go through much else than Zero Trust and cloud edge SASE at this moment in time. But let me focus on those 2 areas. So let's zero in on security-driven networking: network security, networking, accelerated convergence. We're absolutely seeing the convergence of networking and security. There's no way you can defend and protect all these edges without having a converged solution. It's just too complex and too costly. And so this convergence is starting to happen rapidly. When I look at the TAM, and we looked at the TAM earlier for network security, these are what Gartner has as Magic Quadrants. These are well-defined buying centers: network firewall, secure web gateway, SD-WAN, switching and wireless. Now, there are some markets like IPS, intrusion prevention, that have gone from a Magic Quadrant to being a market guide, and a static market guide, in that it's not really changing much. The long-term destination for such a marketplace will be consolidation inside one of these existing buying centers, and we've seen an awful lot of the IPS marketplace get consolidated into network firewall as you go forward. And then there are new market guides, which are new markets, up-and-coming markets, which either form their own Magic Quadrant or merge with an existing Magic Quadrant. And there are kind of 3 of them right now in network security. There is network performance monitoring and diagnostics, there's digital experience monitoring, and, of course, SASE, which everyone wants to hear and talk about. When we break down the forecast -- this is Gartner's forecast for network security. So I'm just focused here on the network security marketplace. I've not included network performance monitoring and diagnostics. Through our acquisition of Panopta, we are in that marketplace now, but I've not included it in the TAM right now.
You can see there's not a huge amount of change, to be honest, in the size of the pie slices as we go forward. Yes, secure web gateway increases a bit. SD-WAN increases 2 points. Switching [ to risk slightly ], firewall maybe one point. But the overall percentage of market share of firewalling and SD-WAN and web gateway, wireless and switching remains pretty much the same, and it's around 10% growth into 2024. Now, Gartner did recently publish, in fact back in August, another view of this marketplace. This is a SASE definition, Secure Access Service Edge. And what they did -- what SASE really is, is a number of those existing marketplaces repackaged into this framework or architecture. And so you can see here that what they've taken as the fundamental components of a SASE company include SD-WAN, secure web gateway, Firewall-as-a-Service, Zero Trust and CASB, which obviously go across the endpoint, across into the cloud and across the network. Now, how does that change? Again, it doesn't change too much. You can see SD-WAN increases a bit more. Secure web gateway decreases, but pretty much the same. But in our minds, to be a main SASE player going forward, you need all of these components. You need all of these components delivered at the edge: cloud edge, WAN edge and LAN edge. And again, just to show you who's in these marketplaces, we've taken the Magic Quadrants for network security. We've taken the market guides for network security. You can see the different players and the different parts there. The secure web gateway is a marketplace we actually are very active in. Gartner's definition is a bit strange, and why they allow certain people into that Magic Quadrant, I think that will change as you go forward. So what's our key strategy here for security-driven networking? Well, the first thing is enterprise-class networking at all edges. That is, obviously, the cloud edge.
We need to be able to provide that from our data centers, our cloud. Also at the data center edge, where very high performance is needed and required; at the LAN edge, either through Wi-Fi and switching; at the WAN edge through SD-WAN; and at the up-and-coming 5G edge, LTE edge. And we're also doing a lot of work on the OT edge. Remember, OT used to be air-gapped. That's going away, and that's creating an edge there. So one of our key goals is to be able to supply, to be able to provide enterprise networking at all these edges, whether they be cloud, data center, LAN, WAN or OT, through hardware, through software or through SaaS. Any one of those can be used across all those edges. The second component of security-driven networking is enterprise-class security. And I often hear people say, "I've got security. It's in the cloud, don't worry about it." No one's tested it, no one's looked at it and no one's certified it. And so we have tested and certified all our security components, whether it be the content, whether it be web security, user security, IoT, OT security, our advanced operational and security operations capabilities, as well as the integration of more advanced support services as well. But I definitely feel like this is an area that people are going to look at at some point, because you can't just say, "Trust me, I've got web security." You need to make sure that that security is tested and certified. And then we bring all of that together through the fabric in the platform. And so yes, you could have one of these components. Yes, you can have some security. But the key is then to be able to bring that all together in a platform, to be able to orchestrate any one of those edges in terms of networking functionality, to be able to deliver security, any level of security or any part of the security stack, at any one of those edges. And then to be able to make sure that it fits into the ecosystem of the customer.
The customers have made some investments into large platforms. It needs to be a platform that's very -- that covers the attack surface and all the security components, but also needs to be able to integrate into the ecosystem of the customer. And this is why FortiOS is very important to us. I always tell customers, it's probably the most important investment from a Fortinet perspective is that this stack, this full stack of networking and security capability can sit at any one of these edges. It can sit in an appliance at the WAN Edge. It can sit in our SaaS delivered cloud edge and SASE. It can sit as a powerful perimeter security, next-gen firewall in the data center edge. It can apply security to the LTE Edge, the switch edge and the Wi-Fi edge. And so what the customer gets is the ability to switch on any part of the networking capability and then apply security wherever they want to across all these edges. And as they go forward and as they shift to different things, maybe there's a shift from work from home back to the office, maybe continue shifting things into the cloud, it goes into the edge compute, maybe you continue IP enabling your OT infrastructure. As these shifts happen, you can opt to take that networking capability and you can increase or decrease the security depending on where the use case is, and it's all consistent enterprise-class because you're using this enterprise-class operating system stack across all those elements. That's why FortiOS is so important, and it can all be applied through a single policy engine across your entire end-to-end endpoint Network and Cloud Security. And I'll just kind of highlight the SASE offering that came out with our 7.0 FortiSASE. And again, people take the SASE definition and weld it in the -- mold it to whatever they've got. But the fundamental tenets of SASE are 2 components. One is the convergence of networking and security. 
And the second one is a platform approach, not a point solution, a platform approach or a framework approach to the edges as you go forward, the services edge. So from our perspective, there's 3 really important components. The first one is, you absolutely need to be able to apply a flexible edge access. And that edge could be a work from home user. It could be what we call a thin edge, where the device, in this case, for example, is a 4G or 5G device, doesn't have the footprint to put the security on. And then there's a -- what we call a secure edge. A secure edge would be one of our SD-WAN devices. That can put a full security stack, but even if you don't put all the security there, you still need some security on SD-WAN. And so these different -- these flexible accesses from the edge gives the customer the ability to protect all those edges. Once you hit our cloud, you hit the first thing, is security-as-a-service. So you may want to apply secure web gateway capabilities. Or you may want to try isolation web browsing or next-gen firewall or Firewall-as-a-Service. But we've also integrated Zero Trust. So your Zero Trust network access use case can also be derived using the SASE Access proxy. And then the second and third component, which we think is going to be extremely important going forward is that digital experience monitoring. Yes, I put all these things in place to make it more flexible and more secure. But on my users and devices, by the way, getting the right experience end-to-end from how they access the network, through the network and into the cloud. And so the peering of our data centers, the monitoring of the experience and high availability, and then the ability to see via our API security into clouds where you can't even provide any of your own security becomes very important. So to us, SASE consists of these 3 things, Access edge. 
Okay, usually, an appliance for SD-WAN and some sort of device for 5G of some sort of client, it then provide -- we provide security-as-a-service in the cloud, in our cloud. And we then provide digital experience monitoring, which provides that glue of that intersection between the user experience and the application. This is all rolled out under our FortiSASE umbrella. And I'm looking at time here, I've got a few minutes, so I'm going to see if I can squeeze in the Zero Trust. Zero Trust access, this marketplace is dominated by identity, actually, although it did have VPN and [ macOS ] and OT security in as well. From a size perspective, again, Access management is dominating, but Zero VPN and Zero Trust is also going to be very important as you go forward. If you look at the market guides and the Magic Quadrants, then it's quite fragmented, but a lot of activity around Zero Trust and VPN migration. And here's the biggest issue with Zero Trust. It's great technology. It's probably technology that we should have been implementing a while ago. It really does upgrade your VPN access big time in terms of giving you specific application access, then constantly doing a contextual view of per session on what's going on. And then also providing that user and device continuous identity check as you go forward. So absolutely, without a doubt, VPN has served us well over the last 20 -- 15 years, but it will evolve forward into Zero Trust. We believe, however, we have a lot of customers on our VPN networks, obviously, a VPN solution set that is an evolution versus a revolution in terms of you can just wipe the slate clean and start all over again, but you're going to have to make all these different vendors work together. So from a vendor perspective, what do you really need from a Zero Trust? First of all, obviously, you need that Zero Trust agent sitting on the endpoint. You can use files and stuff, but you really do need an agent to get the best experience. 
We also believe, obviously, you need that authentication of the user and devices, multi-factor as you go forward. Then there's the most important piece, which is the Access proxy. Access proxy provides that granular access to the applications and also connects the user session into the contextual engine. Now what -- as you go forward, once you're on that application, a lot of customers and enterprises also want to apply more advanced endpoint security such as EDR because once you're on there, you've got to keep that behavioral monitoring going on across that endpoint. Now what I find a lot of times is that across a specific customer, you've got a vendor A for Zero Trust agent, you've got another vendor for EDR, another vendor for identity, another vendor for proxy and it just goes on. It's almost impossible to get a true Zero Trust networking, working across so many different vendors. Now I'm not saying you need one vendor, but I'm saying you can't have 5 or 6 vendors, it just doesn't work. So for our solution for Zero Trust, one of the key components inside there is FortiOS, that becomes the access proxy. And the flexibility we can have is that, that access proxy can be in the cloud through our FortiSASE solution. But it can also sit in the customer data center. Their existing VPN termination point can be the access proxy for Zero Trust solution set. And we think there's other marketplaces, on-campus marketplaces, which could replace core switching and networking through the Zero Trust architecture and proxy. So the key for us is that we've got our FortiClient, our FortiCTNA, our authenticator token, EMS and FortiOS that provides an end-to-end Zero Trust solution where the proxy can be in the cloud and the data center on the campus. We can integrate with other components. So in entity systems out there, for example. 
But we believe this is a great migration from our existing FortiClient and FortiGate customers into a use case Zero Trust that works across all these components and will arrive in our FortiOS 7.0. So let me stop there at 21 minutes, I think, unusually on time and see if I've got any questions.
Peter Salkowski
executive: Right, John, thank you very much. I will point out, there's another dozen slides after this, but you're right, we're really about out of time. So we are going to open up for Q&A. I will remind everyone that the -- John's slides will be posted on the IR website after the presentations. Hopefully, very quickly after. And so just again a reminder, please raise your hand to ask a question, and please do limit yourself to one question. We've got limited time and lots of people want to ask questions. So first one up is Michael Turits from KeyBanc.
Michael Turits
analyst: Thanks very much. John, you guys announced the partnership with AT&T today for SASE. Can you talk about that decision to partner with service providers for the, let's call it, the networking services. By contrast, some of your competitors have built their own network and POPs, others are partnering with cloud providers. Do you get enough control over the end product and over the customer, if you're in this way versus these other strategies?
John Maddison
executive: Well, to be clear, we'll do both, okay? So I don't think you can supply a platform, a SASE platform or SaaS platform without experiencing yourselves and understanding it yourself. And so we'll do both. We'll have that offering. But we firmly believe that once we build that technology, transferring or enabling our big service provider partners is the best way into the marketplace. As I said earlier, we absolutely see channel conflict all the time between service providers and some of the pure SaaS vendors. So we believe you have to build it. So you know how to build it, and then we can transfer some of that technology to our service providers.
Peter Salkowski
executive: Okay. Next up is John Weidemoyer from William Blair.
John Weidemoyer
analyst: In terms of the breadth of offering that you just sort of described, can you maybe talk a little bit about how in the SASE and Zero Trust world having that broadening offering, does that provide an advantage to you relative to some of the deals that you're doing out there? And can you talk about specifically why it's an advantage to be able to offer, I guess, with 6 other solutions?
John Maddison
executive: Thanks. Yes. So definitely, customers are -- have had enough of buying all these different point solutions. And when I speak to them, it's not that they want to go from 30 point solutions down to 1. They want to go from 30 point solutions down to 7 or 8 platforms that interwork and work together. One of the most common ones we have is Microsoft, and we have 8 different integrations into different Microsoft. We're not saying it's one with 7 or 8, but they need to work together. So they're going to a platform. They just can't support so many open point products across network and cybersecurity. The advantage for us is that -- sometimes I see us enter a customer with one of the products. In fact, could be anything, it could be authentication, it could be our WAF in the cloud. So we've always got something that's available to enter a customer. And the advantage long term, though, is that they can then build out our fabric within that kind of architecture, they decided on the 7 or 8 platforms and truly deliver those use cases. Again, it's not a point product anymore that can deliver Zero Trust or SASE. It's just impossible. You need that platform approach to be able to deliver that.
Peter Salkowski
executive: Next up should be Brad Zelnick from Crédit Suisse.
Brad Zelnick
analyst: John, really appreciate the presentation. Maybe a variation of the last question. You talked about platform and interoperability of solutions in implementing a SASE architecture. And I just wanted to maybe understand competitively and through the lens of the customer journey, right? What distinguishes Fortinet? Because at this point, many vendors are approaching SASE from different starting points, Zscaler with proxy, Menlo Security with browser isolation. Cato, I think, began with Firewall-as-a-Service, Palo Alto has a number of assets. Where does the customer journey begin for a typical Fortinet customer? And why is that a better on-ramp to SASE versus others? And like as you look out on the horizon, is it always going to be patchwork? Or do you think there ends up being winners and losers here because you're all swimming in each other's lanes?
John Maddison
executive: I think the losers long-term are the point solutions. And there's not many vendors like ourselves. We have enterprise-class security across endpoint, across network and across cloud. And if you're trying to measure the digital experience, if you trying to have the right security across that attack surface, if you don't see part of it, how are you going to protect it? So our long-term advantage is that we can sit across any of those edges where we can provide enterprise security across any of those edges and that we can deliver it via SaaS or appliance or software or agent. And that's our advantage. There's a lot of people that are just in the cloud. There's a lot of people that are just in the network or just at endpoint. Our ability long-term to sit across all those 3 is our biggest advantage. Yes, some customers -- I mean, if you look at the -- let's be honest, let's look at the SASE marketplace today. What is it? It's 95% [ many ] more secure web gateway as a service, that's what it is. It's people who have migrated their proxy, more often than not blue code proxy, into a cloud proxy. That's where the market is today. However, it's going to expand as people expect the orchestration between their SASE and their SD-WAN, as they expand their integration into the cloud through CASB or as they expand and make sure that any endpoint through Zero Trust on and off the network, gets that protection per application. So the advantage for us is the use cases, it works across all these different elements, and we have all of them in place. And we've spent the last, I don't know, I'm going to say 10, maybe 8 or 7 years, building it organically versus trying to bolt it together with acquisitions. We do acquisitions and Panopta was the latest one. But they're small, and we buy it for the technology. I think it's really hard to build a platform like ours if you don't do it organically. But coming back to your question, Brad. 
I think our advantage is that we can sit across any part of the edge. We can deliver a client software and SaaS, and that gives us the ability to deliver these use cases like no one else.
Peter Salkowski
executive: Next up is Brian Essex from Goldman Sachs.
Brian Essex
analyst: Yes. Thank you, Peter and John, for the presentation. I was wondering if you could maybe touch on -- you talked about the convergence of network and security. And from the perspective of legacy or incumbent network equipment vendors, what are you seeing there in terms of the way that they might be approaching SASE, particularly given the legacy installed base they might have, maybe the presence of the Canvas Edge as a competitive advantage? How are they thinking about this?
John Maddison
executive: Well, I think what -- what networking vendors have done -- and I think I said at the beginning, there's a big difference between networking vendors and cybersecurity vendors. One's hardware and performance and one's software. Well, if you listen to my presentation, you'll -- I go through that a bit. But I think they've been able to kind of buy and bolt-on cybersecurity components over the last 10 years. You just can't do that forever. And it becomes even harder when you've got to do it in the cloud or SaaS-delivered. So I think that they're really struggling. And we see that in the marketplace. And when the customer says, "Hey, I want this converged solution. And I want to be able to put security on the WAN Edge or the cloud edge or the data center edge. I want it to be consistent and I want to be enterprise class," they just can't deliver that. It's just impossible because they try to bolt things together. That's what I've seen. And it gets harder and harder because the customers get frustrated because they've been promised by some PowerPoint. They saw it all coming together and years later, it's not, and they're becoming very frustrated.
Peter Salkowski
executive: Next up is Gray Powell from BTIG.
Gray Powell
analyst: Great. Thanks. Can you hear me okay?
Peter Salkowski
executive: Yes.
Gray Powell
analyst: Perfect. Yes. So I just want to follow-up on Brad's earlier question. Maybe just sort of a different angle. So Fortinet has always had some level of secure web gateway capabilities. And I think it's been pretty successful in sort of the small and midmarket. But historically, I'm not sure Fortinet's really been thought of as a replacement for pure-play proxy architectures in larger enterprise. So can you maybe talk about how that's changing? And particularly, as you focus more on the SASE product set?
John Maddison
executive: Yes. I mean it's a good point. I mean I think -- I kind of mentioned it a bit in the Gartner and the Magic Quadrant for secure gateway that for some reason, a couple of years ago, they put in that you have to be a cloud proxy to be in there, even though we have got substantial revenues of secure web gateway, whether it be proxy or whether it be through our full proxy or through our FortiGate, we can do that. For us, I think as we -- and as we go forward, we now have that capability in the cloud. And so I think we'll get access to the Magic Quadrant. And I think you'll see us accessing the enterprise marketplace through there. When you look across cybersecurity, you look across networking, and I didn't show you, if you look at one of my -- my presentation from Accelerate this morning, I kind of flash a slide with all of our different products across all these different areas. It's substantial. I probably would say that one of them that wasn't quite enterprise-class was the proxy capability, but that will be fixed in our FortiSASE offering.
Peter Salkowski
executive: And just as a reminder, those slides are up on the website as is the replay for the analysts who didn't get a chance to see him this morning. Next up, I believe, is Keith Bachman. If you do have a question, please do raise your hand. We've got about 9 more minutes left for the Q&A. I think we'll get a few more in here.
Keith Bachman
analyst: John and Peter. My question is going back to the market slides where you had growth rates. And I just wanted to see if you could flush out, a, how you're viewing the growth dimension surrounding firewalls versus Firewall-as-a-Service versus virtual firewalls. What do you see as the key opportunities or risk? And then, b, to broaden out the question a bit, how do you think Fortinet fits into that as architectures converge surrounding firewalls, a piece of the node rather than an entire solution as SASE rather becomes more prominent? So just trying to see what the risks are or opportunities for Fortinet as you think about the growth of the firewalls in those various pockets?
John Maddison
executive: Yes. Good question, Keith. Good question. So first of all, I think Firewall-as-a-Service is a tiny marketplace. And it's just very different. There's fewer gateway -- moving from data centers to cloud makes a lot of sense, architectural-wise and everything else. And so that will just move into the cloud over the next -- it's like email. When I first started doing e-mail security back in 2007, it was all appliances. Well, it's moved to the cloud. It's close to the application. The web gateway needs to be close to the cloud edge. Firewall is very, very different from an architecture and network perspective. I don't think Gartner could even give you anywhere -- that estimate that I had about how many SASEs is a complete guess. They have no clue of the Firewall-as-a-Service marketplaces and they didn't get to a detail. I think it could be less than $100 million. So will it be there? Eventually, yes, but it's going to be very small. I think the more powerful components of the firewall marketplaces as we go forward, there is -- I think it's going to become about 10%, probably already is about 10% virtual. We have a very strong FortiGate Virtual Machine offering. Now there's still going to be a need for appliances at these edges, Internet facing, there's still will be a need for appliances in the core where you need super hyperscale performance. But what the other area we think will be very interesting will be the microsegmentation cross cloud. And that is even though you have native cloud firewalls in Azure and AWS -- and by the way, we apply management and services sitting on top of a lot of about native security, as we've announced recently. We think our cross-cloud firewalling microsegmentation strategy, a, gives you that kind of firewall in the cloud and cross-cloud, it used to be predominantly an East-West data center technology. I think it's going to migrate to being cross-cloud. 
But it also gives you that visibility that you can take and transfer back into your north-south or endpoint network WAN capability. So Firewall-as-a-Service to me is just a tiny speck, and we'll remain that way. It will be there, and we operate today. But I think the bigger component to us is still making sure we can sit in the middle of the data center, sit at the edge of the network. I don't know anybody yet that's going to put, that really wants to put a virtual machine at the edge of the network facing the Internet. The risks are tremendous, but we do see microsegmentation cross-cloud as being an important part of the file marketplace going forward.
Peter Salkowski
executive: Great. Thanks, John. Next up is Fatima Boolani from UBS and Ben Bollin you're on deck.
Fatima Boolani
analyst: John, I wanted to ask you about the AT&T opportunity and the partnership there. But maybe a bigger picture question around the SASE/SD-WAN market opportunity, bifurcated between the service providers and carriers and the enterprise. Because my understanding is that you're able to cater to both in different ways. So I'm wondering if you can talk about those compatible but still different opportunities.
John Maddison
executive: Yes. Another good question. I think it's -- the marketplace is about 50% enterprise, DIY, 40% service providers and 10% just cloud SASE-oriented versions. And so we're very strong in the enterprise because a lot of it was just switching it on, for us, and enterprises would like that. Now some enterprise is different in that they need to scale across multiple customers, they need more sophisticated orchestration. And so we're just kind of over the last year or so, entering that marketplace, it was slightly different for us. And we're starting to provide headway. But we don't think it's going to be isolated SD-WAN. It's going to be more of the SASE. Maybe we saw my definition of SASE earlier, it's SD-WAN, it's web gateway, files as a service, CASB and Zero Trust. What we're going to see is that our customers are going to say, yes, we want to do SD-WAN. This is like AT&T. They said, "Well, we could do SD-WAN with you, but we've got a network only version of that. Why don't we do a SaaS version, which includes SD-WAN, that includes a secured gateway, but it will include some of these other applications going forward. And I'm having the same conversation with all the service providers. They're saying, let's take our platform approach across our network into the customers and they're hearing that from their customers as well. That makes sense. I do think, and I've said this and our service provider customers know this, that they've taken the easy route out over the last 5 or 6 years. They just said, oh, this is OEM, something off the marketplace, a SaaS version because it's easy. But they're realizing now that if they just keep doing that, they're going to get devalued into being just transport, especially since MPLS is getting turned over into SD-WAN and broadband. So they absolutely know they can't just OEM this going forward. They need to have their own solution.
Peter Salkowski
executive: Thank you, John. Next up Ben Bollin from Cleveland Research. We've got 2 after Ben. We're going to have Andy Nowinski and Tal Liani. Andy Nowinski is from D.A. Davidson and Tal from BofA, and then we're going to wrap up the Q&A session. So we're going to try to get all three of them in. So Ben, you're up.
Benjamin Bollin
analyst: Thanks, Peter. John. Bigger picture, I'm interested in how you think about the incrementality for Fortinet, either wallet share or cohort expansion as customers evolve into Zero-Trust in SASE. And also interested in any thoughts you have within the customer footprint for the ones who are most prepared to make this transition and already in play versus those who seem to be, maybe lagging, the most?
John Maddison
executive: Yes. Another good question. I'll split those two off. Zero trust to me is definitely something that's going to swallow the VPN marketplace. Now we have a certain percentage of the VPN marketplace. So: A, we want to make sure that all our VPN customers migrate to our Zero Trust versus somebody else's. But we also think that a Zero Trust allows us to go after the new marketplace, plus other zero -- other VPN vendors as well. So to me, that's an incremental increase in market opportunity. SASE, as I keep saying, is 95% secured gateway where we have a presence, but nowhere near the size of some of the larger vendors in that. And so I see that again as being an opportunity for us. I am not worried that this firewall as a service being such a tiny component of that, it doesn't really affect our firewall business. But we see it as an opportunity to go after the proxy cloud secured gateway marketplace. And again, tie in other things like SD-WAN or CASB integration as we go forward. And again, I keep saying this, there's people who are in the cloud, there's people of the network, the networking vendors, the endpoint vendors. By the way, in our Zero Trust we want to upsell people into our EDR solution and XDR solutions as we go forward. So we think it's new incremental market opportunity, but even more so to cement our situation and the customers by building a use case across multiple products.
Peter Salkowski
executive: Thanks, John. Our next is from Andy Nowinski from D.A. Davidson. And we're going to end with Tal Liani from BofA. Andrew, you're open.
Andrew Nowinski
analyst: I just want to ask a question on your access proxy. I know you said it was essentially FortiOS, but I'm wondering if that's synonymous with the proxy that Zscaler has and now Palo Alto offers as part of their Prisma Access solutions. So I was wondering if you could just compare and contrast access proxy versus those 2 at a high level?
John Maddison
executive: Yes, we'll think about the access proxy and proxy web gateway are different. So the web -- traditional secure web gateway proxy is a certain marketplace and that is protecting users. You apply security, to their access to the Internet. The access proxy needs the ability to apply per session against a contextual engine, given identity-based policy of the end users agent. So they are similar from an engine perspective, but very kind of different marketplaces. And so for us, FortiOS, could be both. It can be that secure web gateway proxy. And we're having quite a few customers actually who use it, FortiGate, as a proxy, a work gateway proxy. But it also will be the Zero Trust network access proxy as well. So again, the amount of features and function capability we can put on FortiOS, whether it be as a proxy, whether it be at a WAN edge, SD-WAN, whether it be a WiFi controller, whether it be a 5G controller, this is what gives us such an advantage that we can play in so many different marketplaces with the same stack.
Peter Salkowski
executive: Great. Thanks, John. Last one up, Tal, and then we're going to move on to the next presentation.
Tal Liani
analyst: You might get a different name on the computer because of technical issues, but I have 2 questions. The first one is, if I ask your typical customer, historically, if I ask them what's the one benefit of Fortinet, the answer is major price advantage, 40% discount. And the question is whether you maintain this kind of price advantage also in a SASE model? And the second question is with other companies, we have seen that SASE is a replacement of appliance revenues. And there's always a decline in product revenues, an increase in SASE, and it creates some differences between revenues and ARR. In your case, it looks like your focus is slightly different. Can you talk about cannibalization versus noncannibalization business that you're forecasting?
John Maddison
executive: Sure. Let me answer this, too. So the first one, absolutely, we have such a price performance advantage for core networking, not just firewalling, but also SD-WAN, by the way, that customers obviously talk about that. They should also be talking about that it's not just performance, but it has enterprise security and has all the networking features. So it's not just a performance. They wouldn't buy it if it wasn't enterprise class. We wouldn't be in the middle of many large financial organizations if it was just cheap. So I always say, it's great value, but it's absolutely high-performance and high effectiveness. I think the other -- the second part of your question, what's happened is SASE, because it's also 95% secure web gateway, has ripped the heart out of Blue Coat proxy appliances and transferred them into the cloud. Absolutely 100% agree with that statement. But as I keep saying, firewall as a service is a tiny cloud, firewall as a service is tiny. I can't even register it. That's not ripping out our appliances and putting them in the cloud. I think the long-term for that marketplace is more around virtual machines, native and micro segmentation, that's the bigger challenge to traditional hardware appliances, but SASE and firewall as a service is not.
Peter Salkowski
executive: Did that answer the question? You may come back. I mean, we can always come back to that in the second Q&A after the CFO presentation. So John, thank you very much. I can now open the floor.
Keith Jensen
executive: Thank you, Peter, and I appreciate you acknowledging what an accomplishment that was for me to get my screen to present. So we'll see if these slides advance now. All right. Good morning, everybody. Thank you very much for being here today for Fortinet's Analyst and Investor Day, and I am indeed Keith Jensen, our CFO. As I begin our presentation to share our safe harbor slide and highlight that I'll be making forward-looking statements today. These forward-looking statements are subject to risks and uncertainties, which could cause actual results to differ materially from those projected. All statements made today reflect our opinions only as of the date of this presentation, and we undertake no obligation and expressly disclaim any obligation to update forward-looking statements in light of new information or future events. Let's take a quick look at the agenda. I'll start by highlighting our investment thesis, discuss several of our industry and company-specific growth drivers, and then review our financial performance for the past several years. I'll wrap up by highlighting how the diversification of our business model and customer base has led to our very consistent and highly financial performance. Finally, I'll conclude by providing our medium-term financial model. And we'll follow the presentation with a 30-minute Q&A session with our senior management team. Throughout this presentation, you'll hear several recurring themes about the cybersecurity market, what uniquely positions Fortinet as an industry leader, and the drivers of our consistent and sustainable growth, profitability and cash flow generation. Cybersecurity is a massive market, with growth driven by long-term secular tailwinds. Fortinet is an industry leader with our proprietary ASIC technology and integrated platform, enabling us to secure people, devices and data anywhere in any form factor. Our revenue is diversified across geographies, customer segments and industry verticals. 
With service revenue representing nearly 2/3 of total revenue, we have a sizable recurring revenue base, driving sustainable and predictable financial results with a margin profile that leads to significant free cash flow. Fortinet's history of innovation has spanned more than 20 years. Our strategy of build versus buy, consistent financial performance and conservative financial policies have led us to where we are today. More than $3 billion in annual billings, free cash flow of over $900 million; non-GAAP gross margins approaching 80%; non-GAAP operating margins in excess of 25%. And having just reported our 11th consecutive year of GAAP profitability. Our strategy of balanced growth and profitability was recognized by both Moody's and S&P. These credit rating companies recently graded Fortinet as a triple -- as a strong BBB investment-grade company. And importantly, 30% of all network security firewall units in the world have the Fortinet label, more than 3x -- more than the next 3 companies combined. We have over 500,000 customers worldwide and are approaching 700 U.S. patents. In summary, that's who we are. This slide illustrates the results from our balanced growth and profitability strategy. Not only did our revenue growth outpace market growth for each of the last 4 years, we also increased our non-GAAP operating margin 950 basis points during that same period. Fortinet's almost all organic revenue growth for each of the last 3 years has been approximately 20%. Our higher-margin, more predictable service revenue grew at a 3-year CAGR of 22% for the period ended December 31, 2020, and service revenue now represents nearly 2/3 of our total revenue. Despite the pandemic, 2020 product revenue growth held firm at over 16%. In the group of major network security companies, such as Check Point and Palo Alto, Fortinet was the only company to post double-digit year-over-year product revenue growth in 2020.
I'd like now to discuss several growth drivers that have contributed to our strong performance over the past several years and that we expect to drive our growth as we go forward. There are many drivers behind the growth in the cybersecurity industry, which, simply put, is about bad actors getting more and more sophisticated, while targeting a continually expanding attack surface of edges that include data centers, WANs, LANs, public and private clouds, 5G, OT and IoT. Given this backdrop, we estimate our total addressable market will grow from $65 billion in 2020 to approximately $93 billion in 2024, representing a 10% 4-year CAGR. Importantly, the TAM estimates exclude related services, such as our FortiCare Support and FortiGuard security updates. Central to the $93 billion TAM is network security at $48 billion. Network security largely includes physical and virtual next-gen firewalls, as well as secure infrastructure, components of 5G and SASE and SD-WAN. With SD-WAN, Fortinet is at the epicenter and growing dramatically. Our continued focus on organic innovation means we have added, and will continue to add, capabilities to our security fabric platform and our integrated operating system, including Zero Trust security capabilities, cloud security and security operations. Our solutions include a complete range of form factors and delivery methods, including physical and virtual appliances, cloud, SaaS and perpetual software as well as hosted and non-hosted solutions. Together, they provide a range of security solutions and form factors, enabling broad, integrated protection of hybrid environments in the expanding digital attack surface. Fortinet has shipped over 30% of all firewalls and currently has over 500,000 customers, evidenced by our sizable footprint. Nearly 1 out of every 3 firewalls deployed globally carries the Fortinet name.
This sizable deployment provides us with invaluable insights into evolving threats and vulnerabilities, which allows us to drive real-time updates to our customers of all sizes and geographies. The inherent economies of scale that come with 30% of units deployed drive lower unit costs and may stress the competition as we annually add over 50,000 net new customers. For the past few years, SD-WAN has proven to be a driver for both the network security market and for Fortinet. We offer a unique product that combines security and SD-WAN functionality in a single appliance. Because of our SD-WAN billings -- because of this, our SD-WAN billings increased to over 11% of our total billings in 2020 from almost 0 in 2018. Analysts believe the SD-WAN market will grow at 30% to 40% in each of the next several years. Looking at our pipeline growth, we tend to agree. And at the same time, we expect to continue to grow faster than the market. It's important to note that SD-WAN is a feature of the FortiGate operating system. For us, SD-WAN is yet another firewall use case. And like other firewall use cases, customers often attach a variety of fabric platform products. Another growth area for Fortinet has been the move up-market into larger enterprises. While expanding into larger enterprises represents an opportunity and a journey, these 2 bar graphs illustrate our success thus far. We've seen the number of deals over $500,000 and $1 million, and the related billings, grow steadily. This slide shows the consistent annual enlarging organic billings growth, clustered around 20% for the last 4 years, resulting in 2020 total billings of around $3 billion. FortiGate and non-FortiGate fabric billings grew at a compound annual rate of 17% and 35%, respectively. We believe the 35% growth rate is affirmation of our broad and integrated platform strategy. Right. Next, we're going to take a closer look at the non-FortiGate fabric platform.
These bars provide a closer look at the billing contribution from the fabric platform. The balanced growth between infrastructure and cloud fabric drove 2020 combined billings to 39%, resulting in total billings of $743 million. Driven by our 3-year compound annual growth rates in the mid-30s, cloud offerings generated billings of $237 million for 2020 and infrastructure products such as Analyzer, Manager, endpoint, Mail, Sandbox, secure access products, et cetera, generated billings of slightly over $500 million. It's worth noting that cloud and infrastructure fabric billings are on a pace to be a $1 billion business as we exit this year. This slide provides a summary of cloud and infrastructure fabric products. And it's a bit of an eyesore, I know, but I include it here to make Peter happy because he often gets asked, what's in cloud and what's in fabric for each by the analysts. Let's move on. So far, I've shared how Fortinet's diversified business and financial model drives consistent billings and revenue growth. We've also looked at several growth drivers that we believe will contribute to future growth. So now let's turn to profitability. We continue to drive increases in our product gross margin through growth in our cloud-delivered and software solutions and meaningful improvements in our hardware bill of materials. At the same time, services gross margin is benefiting from the mix shift to 24/7 support and economies of scale. Taken together, we've improved our total gross margin and maintained our reputation for price-for-performance leadership. This leadership may pressure competitors' pricing when competing against us and mitigate discounting pressures on us. Okay. All of you, it's actually all clear. Improvements in gross margin and expense leverage have resulted in strong operating margin growth. And while we've been increasing our margin, we continue to invest in future growth, including increasing our sales capacity.
For example, in 2020, we increased our sales and marketing headcount by 22%, very similar to our 22% CAGR from 2017 to 2020. At the end of 2020, sales and marketing accounted for just over 50% of our headcount. With our growth and a business model that bills and collects cash upfront for service contracts, we continue to consistently grow our deferred revenue, free cash flow and free cash flow margin. To put our strong free cash flow conversion into context, we've benchmarked our free cash flow margin against the S&P 500 constituents. Our top 10% standing is testament to our business model driving strong deferred revenue growth, our ability to grow margins with our ASIC advantage and efficient working capital management. As for our capital allocation policies, we have a clear hierarchy of uses of cash and free cash flow, in order: debt reduction, when necessary; reinvesting in the company through R&D, CapEx investments and other organic initiatives; investing in inorganic alternatives, i.e., M&A, with a focus on smaller-scale acquisitions with minimal execution risk; returning excess capital to shareholders through opportunistic share repurchases. Our free cash flow generation has not been the result of any let-up in investments in our business. Our high level of liquidity has enabled us to internally finance our R&D spending and, where appropriate, fund tuck-in M&As. We've invested over $1 billion on innovation since 2016, and $160 million on several tuck-in acquisitions. In 2020, we bought back $1.1 billion of our stock. And since 2016, we repurchased 32.5 million shares for $2 billion. From the start of 2016 to the end of 2020, Fortinet's stock price has increased 377%, over 3x better than the other 2 pure-play network security companies. As we work to transition to a more efficient balance sheet, last month, we issued investment-grade bonds totaling $1 billion, with an average annual interest rate of 1.6%.
As I stated today, our diversified business model has resulted in consistent company performance and a more predictable business model. The next 3 slides highlight the consistency and predictability associated with Fortinet. These 4 graphs illustrate the consistency of our operational metrics. Whether you're looking at discounting, average contract term, renewal rates or service attach rates, each of these metrics has consistently tracked within narrow bands over the last 3 years. Our revenue by geography shows almost perfect consistency for all 3 of the geographies year-over-year. As would be expected, we have posted very similar CAGRs from 2017 to 2020. As I stated previously, our consistent and predictable performance results from a very diversified customer base, whether it's by customer size, geography or industry vertical. To illustrate our customer diversity, I would note that in the last 4 years, no single customer represented more than 2% of billings in any single quarter. The geographic diversification is especially interesting. We have customers in over 80 countries that individually represent less than 3% of our billings. Yet in total, they represent 50% of our billings. This diversity helps mitigate the impact of country-specific events that impact local economies. At the same time, this diversity drives our need for a broad solution set, as our customers are not easily pigeonholed into one type of security solution. For example, large U.S. enterprises may have strong financial resources, regulatory runway, Internet access and housing arrangements appropriate for remote work and learning. These same advantages may not exist across all geographies, customer sizes and industries. Just a quick recap on the first quarter and 2021 guidance that we provided on February 4. As you'll note in the footnotes to this screen, we expect the recent bond issuance to impact 2021 EPS by approximately $0.05. A couple of additional modeling points.
And as a reminder, my slides will be presented -- or will be posted on our Investor Relations website. And now I'd like to share our medium-term financial targets. Over the next 3 years, we expect continued growth. And looking out to 2023, we expect billings of at least $5 billion and total revenue of at least $4 billion. Based on 2020 actuals, these projections equate to 3-year CAGRs for both of approximately 17%. As for margins, we expect our non-GAAP gross margin in 2023 to be approximately 80% and our non-GAAP operating margin to be at least 25%. Through 2020, we achieved the Rule of 40 in 9 out of the 11 years that we've been a publicly traded company. We define the Rule of 40 as revenue growth plus non-GAAP operating margin. As we look beyond 2023, our long-term target is to continue to achieve the Rule of 40. I'd now like to invite Ken, Patrice, John and Peter to join me for the Q&A session. Peter, do you want to open it up for questions?
Peter Salkowski
executive: Thank you, Keith. And congratulations for making it through that with slides sharing the screen. So we're going to start with the Q&A. Just like before, please raise your hand if you have a question; also, if you could lower your hand after asking the question. So that just cleans up the queue a little bit. I appreciate that. We're going to start with Adam Tindle from Raymond James as the first question because he was off from the last one.
Adam Tindle
analyst: I was going to say my congrats to Keith as well for the screen share. But I did want to ask a question maybe for Ken or John. Earlier today, you introduced the industry's first hyperscale data center firewall. You talked about how the NP7 chip is the equivalent of 10 high-end CPUs. And I'm wondering, with that context in place, do you envision perhaps hyperscale companies becoming more meaningful customers over time? I'm asking that because we often hear investor fear over public cloud as a potential threat to Fortinet. But wondering if there's an aspect where you can flip that narrative and sell into the Amazons and Microsofts of the world, whether it's chip license or product directly?
Ken Xie
executive: But yes, this is Ken. The answer definitely is yes. We do work with the hyperscale customer and also big service providers and enterprises to have our advantage on the chip, especially, they have a huge computing power advantage. It might be used in their environment, whether in the data center, in their campus or in the service provider network in the cloud.
Adam Tindle
analyst: And do you think that can be meaningful over time? Or is that something that has changed today with NP7? Is that a new message?
Ken Xie
executive: Yes. We're still in -- like in the middle of our ramp-up of NP7 with our own product refreshment. We do have a few cases working with some big, whether provider or some cloud provider, trying to see how to use NP7 in their own kind of environment, built together with the other product. But it's -- like I said, we'll be also kind of feel -- because NP7 also works tightly with FortiOS and with other -- that's also the reason, when we released FortiOS 7.0, we kept adding in a lot of other features. It all comes from the huge compute power advantage from ASIC, which the general-purpose CPU is difficult to compete with. So we do have the same CPU as any other competitor, but because of the huge advantage, the compute advantage that comes from ASIC, it's easy for us to add more function in the OS and also apply some of this huge compute power advantage for certain service providers, which is definitely one direction going forward. But there's a lot of detail that needs working out with them, and also trying to see what's the ROI? And also, like, what's the position going forward? So whether it's cloud provider or service provider, it's a huge market we're working with for the long term, and also we'll keep the same strategy going forward. I'd say it probably will still take a couple of years to be meaningful. Right now, it's still in a little bit early stage.
Peter Salkowski
executive: Again. Next up is Mandeep Singh from Bloomberg and on deck is Sterling Auty from JPMorgan.
Mandeep Singh
analyst: Great. So I was wondering if you can tell me what sort of product headwind you see on the MPLS side with the workloads moving to the cloud? And who do you view as the main competitor on the cloud workload security side? Is it Zscaler, CrowdStrike or more of the firewall-as-a-service vendors?
Peter Salkowski
executive: John, maybe that's a question perfect for you.
John Maddison
executive: Yes. So MPLS is gradually being replaced by SD-WAN. So that MPLS displacement is working really well for us. You saw some of the revenue numbers from Keith. And that's just going to continue. I think right now, the market is still only 50%. And so that's a huge market opportunity for us. In terms of the workloads in the cloud, the cloud security marketplace is so fragmented. You've got some native cloud, you've got a bunch of start-ups doing the container security. It's just -- there are just hundreds of vendors in there. It will shake out eventually. Again, we have more of a platform solution in the cloud. Across their network, the platform itself and the applications. We'll work with native solutions. We also have partners. So I just think it's very fragmented. And if you look at the market sizing there, it's tiny still. So that marketplace is just really emerging still.
Peter Salkowski
executive: Thanks, John. Next up is Sterling Auty from JPMorgan and then Saket from Barclays will be after him.
Sterling Auty
analyst: So you showed, Keith, in your presentation, headcount growth in sales and marketing. I think the CAGR is around 20% or 22%. Looking forward, the medium-term targets have 17% growth in billings and revenue. I'm curious, what kind of sales and marketing headcount growth do you anticipate being necessary to support that 17% CAGR going forward?
Keith Jensen
executive: Yes. I think the -- I think we're very pleased with how the business model works out for us, starting with the gross margin at 80%, and staying above 25% as we continue to add sales count -- headcount capacity. The real question is the trade-off between capacity and productivity as this year plays out and as the next several years play out in terms of the midterm model. So I think the headline is that the model works with the hiring that we've shown and the margins that we're delivering.
Peter Salkowski
executive: Next up, Saket from Barclays.
Saket Kalia
analyst: Keith, thanks for the color on medium-term targets. Maybe the question that I've got as part of that is, can you just talk about how you envision that $5 billion in billings roughly in terms of FortiGate versus non-FortiGate? And maybe related to that, how have you sort of thought, broad brush, about product revenue as part of that kind of longer-term forecast?
Keith Jensen
executive: Yes. I think the split between FortiGate and non-FortiGate, we expect that the -- as I noted before, it's a -- what we've seen in the numbers thus far is an affirmation of the strategy. We expect to see continued affirmation of the platform strategy. And I think that message has been clear throughout the presentations today, including John's as well. Looking at the longer-term mix between product and services, the second part of the question, Saket, I mean it's just like any other quarter in terms of guidance. The revenue from service revenue is very visible and predictable. And I think you can probably pencil that out and then reverse engineer what that number implies about product revenue growth.
Peter Salkowski
executive: Okay. Next up is Gregg Moskowitz, followed by Tal Liani. Go ahead.
Gregg Moskowitz
analyst: All right. So actually a follow-up to Saket's question. So my question is actually a follow-up to Saket's. And so as workloads continue to shift to the cloud and then security correspondingly moves more towards cloud and cloud subscriptions, does that create more uncertainty as it relates to that $5 billion-plus billings target for 2023? Or do you feel very comfortable in terms of kind of getting there, regardless of how things sort of unfold over the next couple of years or so, or work this out?
Keith Jensen
executive: Yes. I think the -- I would probably say that regardless of how things play out, keep in mind that in that fabric number that we're talking about, that includes some SaaS revenues and some other things of that nature. So it won't be new to us to see some of that mix shift that you're kind of inferring, if you will, a little bit, to the non-FortiGate part of the business.
Peter Salkowski
executive: Tal Liani, you're up next, followed by Brian Essex from Goldman Sachs.
Tal Liani
analyst: I'm going to ask 2 questions that were asked before. The first one is, Saket asked a good question: of the $5 billion, how much is FortiGate versus non-FortiGate? And you gave an answer that is in line with the target. But can you elaborate what is, in your view, what is FortiGate and non-FortiGate in the $5 billion? And second question, can -- I asked this question before and I'm going to expand it. Fortinet has a price advantage in the FortiGate products. You're anywhere from 40% -- even more than 40% cheaper than the competition. What is your main selling point with SASE? Meaning, can you maintain the price advantage in SASE versus other SASE solutions? And what is the basis for any price difference? And if yes or if no, can you also discuss what's the main, basically, selling point? Or what's the main advantage versus other SASE solutions that may try to offer a similar service?
Keith Jensen
executive: Yes. I'll try that and then maybe hand off the second part about the SASE pricing advantages and other concepts like that to John. I think if you look at those slides, and as we're going through the XYs are putting it together, it really becomes very apparent how consistent the business has been. Whether you're looking at revenues by geography, whether or not you're looking at the product service mix, whether or not you're looking at the FortiGate versus the non-FortiGate part of the mix of the business. And so with that backdrop in mind, I would expect that those trends that you're seeing in those charts are going to continue. We really don't see something that's disruptive, that's going to try to shift dramatically from what we've seen in our trends, whether that's product versus services or whether that's FortiGate versus non-FortiGate. Ken, you want to talk about SASE, the long -- lots of comments on SASE there.
Ken Xie
executive: Yes, this is Ken. I can answer definitely, the answer is yes. So we keep maintaining the price advantage, whether it's SASE or some FortiGate or other products, because it all comes from the huge architecture advantage, the computing power advantage we have over competitors. And that gave us better performance, lower cost, and at the same time, better gross margin. And for the SASE, we are also the first one, even with SASE Zero Trust, into the OS level. So I don't see any other competitor doing that yet. It will take a multiple-year effort. We first integrated SD-WAN, some other CASB. And then the other part of our SASE, even in OS extension for the Zero Trust. Which will make it not only that we have a price advantage, but also that it's easy to manage and has more function, and that it can also be used by, like, enterprises; they can deploy it themselves, and also service providers, they can easily deploy it themselves. It's said on today's solution, you have to have multiple bars and kind of different OS solutions to handle that. So it will be easier to manage and provide better security, more function compared to competitors, at the same time as a price advantage and the cost advantage.
Tal Liani
analyst: And if you're very successful with SASE, let's say, you're extremely successful out of the gate. Does it make an impact on margins, meaning your expenses are tied to a relationship with AT&T? Does it have any fixed expense element that might pressure margins at the beginning and later on? Can you talk about how your margin progression would be with SASE?
Ken Xie
executive: I think if you look in today SASE compared to some on a positive point, probably on average they're maybe like 3.0 to 4.0x more expensive. But the benefit kind of goes through whether the vendor or service providers help them to manage that. But with this FortiOS 7.0, because they all integrate together, that enables some enterprise, big enterprise, also some service provider, to know more about how to handle it themselves. So that's what's helping, like, drive a better business model and better margin for whether the service provider, or maybe pass the benefit to the service provider or to the enterprise themselves. So not for us, really integrating at the OS level, that's a first step. And then we also keep pushing to the basic level. We'll keep increasing the performance of the SASE component, make it even better, more kind of a cost advantage compared to the others, whether they have different parts or different kinds of parts of infrastructure, or compare whether the same OS or even go to the ASIC level. So that takes a lot of investment, but the benefit is also huge in the long term.
Peter Salkowski
executive: Brian Essex, you're up. Then Bill, you're on deck.
Brian Essex
analyst: Thank you, Peter. This one's maybe for Ken or John, particularly as we see the rollouts of new products and the levers for growth ahead, catalysts for product cycle tailwinds. How do you think about penetrating the market by segment in terms of entry-level, mid-level, high-end? It looks like you're getting great success at the high end of the market. Is that where you see things going forward? Or is this more of a develop-for-the-high-end and let the technology trickle down type of strategy? Just trying to understand where you might be spending money to more effectively penetrate the market, and where you see the best reward.
Ken Xie
executive: Yes, I think that's a good question. And also with the good strategy and direction we're moving forward. We also have a real chance to have Patrice, our CIO here, on the call to answer the question. I think Patrice can give some more detail. And maybe Patrice can go ahead.
Patrice Perche
executive: Yes. Thank you, Ken. Yes, definitely, we had a very strong footprint across the 3 segments from mid, to high and also the service part of the space. I would have to say that depending on geos, we are reading all these segments. But definitely, the aim is also to capture more of this very large part of the enterprise segment. So we're putting a bit more effort here, especially in North America. And we realigned this segment approach across the board. So we leverage, in fact, the technology, providing the same kind of architecture for the mid, but the large and very large enterprise customer. So it's -- because the platform that we deliver, and that's the beauty of the platform, is that we can deliver on different form factors, both software and virtual appliance with a different form factor on the appliance as well. So that matches all different elements. And definitely, we will leverage this more segmented approach with much more focus as we move forward.
John Maddison
executive: Just one comment on the entry, mid and high end. Just remember, at our entry level, we built our own SD-WAN chip in our appliances, and that's driven a lot of that business as well. So I think across all of those segments, entry, mid for segmentation and high-end for hyperscale are all very relevant marketplaces we built differentiating technology for, whether it be the system on a chip, whether it be the SASE SPU or the content processor.
Peter Salkowski
executive: Next up is Ben Bollin from Cleveland Research followed by Fatima Boolani from UBS.
Benjamin Bollin
analyst: Keith, I wanted to ask a question to you about the gross margin and operating margin framework for the midterm model. Could you take us through how you think about potential levers supporting upside or downside, I suppose, to those figures? Do you have any incremental investments built into your OpEx assumptions as you have more diversity in go-to-market at our supporting fabric? And last is, any thoughts on the productivity of your sales folks as they progress from new to experienced and are selling more applications?
Keith Jensen
executive: Yes. I think the -- again, I would look at our trends in terms of margins and what you've seen related to the services gross margin as well as the product gross margin. Each successive generation of chip has shown the ability to take cost out of the BOM, and I don't think there's really a reason to think that that's not going to be the case to some extent, going forward in the future. Having a "hardware company" that's throwing off 80% gross margin or thereabouts is no small achievement. So it's probably a pretty good target for us to have. And then it's just really that we want to continue to balance how much we leave in the operating margin line versus how much we care to invest for other ideas going forward. One of the most -- and for us, investments, oftentimes, it's the engineering team as well as the sales team and the marketing team. And when you look at the sales team, you're getting very different times to productivity, if you will. Our salespeople that are focused on the channel, for example, can reach "productivity" very, very quickly, and that could be accretive to that margin. When you're hiring a true large enterprise salesperson, you're probably going to have to offer them a much longer runway. But I think important in that is that what you did not hear me say was moving away from the channel at all. And I think in Patrice's comments earlier today, he made a similar observation. The channel has been and will continue to be critical to our success. The fact that we're continuing to add sales headcount in no way suggests we're moving away from the channel, but rather partnering more closely with the channel. And I don't know, Patrice, if you want to add some more to that.
Patrice Perche
executive: Yes, definitely. Take the example of the SASE and the SD-WAN, leveraging the service provider. If you will recall, as John was mentioning, there was a quick, I will say, a solution that has been adopted by those larger part, whatever it is AT&T around your entity in Japan, leveraging this proxy base covering the work-from-home needed. But long-term wise, they clearly have been asking us to work more closely on developing and building a targeted solution that they can deliver themselves. So they own the network, they own the access. And our view is that we want to leverage, like we leverage the very large enterprise retailer, those service providers that we build long-term relationships with, which have been deploying SD-WAN. And now as we have SD-WAN, and we are adding the place of the H, we will leverage it to SASE. So that's a strategy that I think will deliver very great results. And that may create much more pressure on existing cloud providers that have to be on, and their infrastructure to compete with the service provider, why they are not still making any money. So it's -- there will be a very increasing future situation that will happen. And I have to say as well, the cloud services when you deliver SASE or proxy-based SASE is very easy to displace because there is nothing to remove from the edge or from the core network of the customer. So it's just an OpEx, so it can be very quickly replaced. So it's much more critical to own the infrastructure and to own, in fact, the edge and the core so -- and then you have a much stronger relationship and long-term engagement with your customer. So that's another element where we see we can come back very quickly, leveraging all the channel on these new trends.
Peter Salkowski
executive: Thank you, Ben. Next question up is Fatima Boolani from UBS. Keith Bachman, you are on deck.
Fatima Boolani
analyst: Thanks, Peter. Keith, my question is for you. I'm looking at the business and the revenue segmentation, where you've got about 40% -- pushing up against 40% of revenue from subscription revenue, so your FortiGuard portfolio. Can you maybe give us a refresher on how exactly you're going to market with FortiGuard today vis-à-vis the bundles you have? I think I may have noticed some reconstitution of some of your bundles under user and device and some of these other disciplines. So wondering if you can just give us a refresher on that. And to the extent there are any pricing increases built into your forecast, especially as I think about the price performance advantage you have versus your competitors today.
Keith Jensen
executive: Sure. No price -- no dramatic pricing increases are built into the model or into the guidance that are -- pardon me, the targets that we just talked about. And just as I kind of frame up the services conversation, service is now at 65% of our business. That's split roughly 45% -- 55% between FortiCare traditional support and FortiGuard, the security part of the business. That mix has been very consistent for a few years now; it has not really changed when you look at it. And I don't anticipate that that's going to change dramatically in the midterm period of time that we're talking about. I'm not really familiar with changes in the bundles. Maybe John Maddison has something there that I'm not thinking about.
John Maddison
executive: Yes. Just a small change. We added SOC as a service to the 360 bundle. 360 is the premium bundle; it has everything in it. So that was just a small change there. Otherwise, the bundles, the ATP, UTP, the Enterprise and 360, remain the same.
Peter Salkowski
executive: Thank you, Fatima. Next up is Keith Bachman from BMO, and then Michael Turits from KeyBanc on deck.
Keith Bachman
analyst: Okay. I wanted to ask about the non-Forti side of the revenue. And if you could just highlight, in the recent 12 months, what have been the key drivers of those revenues? You had the slide up, the Peter slide, we'll call it. What are the key drivers? And how might that change -- or what's embedded in your expectations when you put out those 3-year targets? What are the key drivers you think of the non-Forti side of the revenue? And embedded in my question is, just wondering how important is an expansion associated with that non-Forti side of either revenues or billings. And I think about areas such as CASB. And I don't think about Fortinet as a leader in CASB. How important is it to expand the portfolio with the non-Forti side as you think about the next 3 years?
Keith Jensen
executive: Yes. Thanks for the question. And I keep looking at it each quarter for the product that's going to jump out, if you will, and say this is the one that is just driving this number. And truthfully, it really is kind of a story of a rising tide lifting all boats. I do believe that when you get into a secure SD-WAN solution, secure branch, where it brings along the switches and the -- the secure switches and the access points, those 2 combined are probably around 1/3 of the non-FortiGate, probably a little bit less than that. And then you really have this kind of a mix between software solutions, cloud solutions and fabric for -- infrastructure fabric. The real growth driver there, I don't know, is about adding more products to the non-FortiGate suite, if you will; it's more about expanding into our customer base. The first sale for the company is not always affording a firewall, but the clear majority of the time, it is. And I know we're seeing other instances where other products will sometimes sell first. But the typical use case is we sell the firewall, whether it's a physical or virtual firewall. And over time, we continue to expand. And it really -- it plays back to some of John's commentary earlier today about the platform strategy, about things like vendor fatigue and CISOs and CIOs going through a phase of rationalizing their security spending. And that's being there now, and Ken uses a term of being more patient, if you will, and sometimes taking longer to get it right on a common operating system. All those things are driving the opportunity to view the fabric part of the business as an expansion opportunity.
Peter Salkowski
executive: Next up is Michael Turits from KeyBanc, as he's probably the last one, as we're coming up on the bottom of the hour here in terms of time frame. Michael, go ahead.
Michael Turits
analyst: Guys, thanks for getting me in. On margins, Keith, the guide was 25% to 27% this year, and the Street's at 26%. And you just guided up over 25% going forward. So how do you think about margin expansion and maybe longer-term margins? So are we there yet? In other words, is that it on margin expansion on the EBIT side? How do you think about that in the next couple of years? And also, what about cash flow? And whatever we're seeing in the EBIT margin direction, should we see cash flow margins move in parallel?
Keith Jensen
executive: Yes. I think we've framed the conversation starting with the idea of balanced growth and profitability, and sometimes I like to say we've been doing it for several years. But I think the reality is you can see that Ken has been doing it for 10 years, if not 20 years. And we've been, I think, very straightforward that in some years, we see the opportunity within that framework to tilt the bias one direction or the other. This is a year that we think the tilt is towards growth. As you start looking out at 2022 or 2023, I don't know that we're really, at this point, taking a position, if you will, one way or the other, in terms of whether it's a year that's more conducive to growth or a year that's more conducive to profitability. That's kind of a wait and see, if you will. I don't think that it's just going to be a linear world for us in any way, shape or fashion as we go forward. And then, of course, there is free cash flow margin, which I think really does -- it ties to the growth in the billings number. It also ties to the continued improvement in that operating margin number. And so, as such, it will be contingent upon where we're at within that framework each year between balanced growth and profitability.
Peter Salkowski
executive: And I would add to that. I think the other part of that long-term target is the Rule of 40. And the fact that between revenue growth and operating margin, we would expect those 2 to add up to at least 40, as they have 9 out of the last 11 years. And we expect to see it in '21 based on our guidance. So with that, I'd like to thank everyone for attending today's Analyst Day. As I noted earlier, a replay of this event, along with copies of all the slide decks and transcripts of the events, will be posted to the Investor Relations website. Hopefully, please, and we'll get them there as quickly as I can. With that, thank you very much. Have a great day. If you have any follow-up questions, please feel free to reach out to me, and I appreciate you for attending. Thank you very much. Have a good day.