TRANSCRIPT
FireEye + ForeScout Joint solution
May 2015
Toni Buhrke, Director Systems Engineering
© 2015 ForeScout Technologies, Page 2
Security Incidents are Increasing
Source: 2014 Global State of Information Security Survey, PwC
Source: 2014 IDG Connect Cyber Defense Maturity Report
Source: Ponemon Institute, 2014
$7.6 million per year per enterprise
Source: Wall Street Journal, December 10, 2014
“Sony breach could cost $100 million”
Why?
Reason 1: Identification of Risks is Too Slow
Source: Research study by Tenable, Inc; February 2014
Reason 2: Identification of Risks is Incomplete
• Transient Devices
• BYOD Devices
• Broken Managed Devices
Reason 3: Detection of Breaches is Too Slow
Sources:
1) Mandiant, “M-Trends 2013: Attack the Security Gap”
2) Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks”, Neil MacDonald and Peter Firstbrook, February 2014
Reason 4: Incident Response is Too Slow
“The average time to contain a cyber attack was 31 days….”
Source: “2014 Global Report on the Cost of Cyber Crime”, Ponemon Institute, October 2014.
Reason 5: Lack of Coordination Among Security Systems
Security systems shown: MDM, APT, VA, NAC
APT: “I just detected an IoC on a device with IP address 10.4.9.132.”
NAC: “I can limit the network access of any device immediately.”
VA: “I can scan other devices on the network to see if they may be vulnerable.”
1. Continuous, Real-time Visibility
Who are you?
• Employee
• Partner
• Contractor
• Guest
Who owns your device?
• Corporate
• BYOD
• Rogue
What type of device?
• Windows, Mac
• iOS, Android
• VM
• Non-user devices
What is the device hygiene?
• Configuration
• Software
• Services
• Patches
• Security Agents
Where/how are you connecting?
• Switch
• Controller
• VPN
• Port, SSID
• IP, MAC
• VLAN
2. Reduce Endpoint Risks and Attack Surface
“Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring.”
Gartner Security and Risk Management Summit presentation, “Preparing for Advanced Threats and Targeted Attacks”, Kelly Kavanaugh, June 2014
“A properly configured and patched endpoint will be immune to a large majority of malware attacks, freeing security professionals to focus on more sophisticated attacks that don't rely on misconfigured or vulnerable systems.”
Gartner, “Malware Is Already Inside Your Organization; Deal With It”, February 2014, Peter Firstbrook and Neil MacDonald
3. Rapid Response to Security Breaches
• ForeScout and FireEye work together to detect compromised endpoints and respond quickly to prevent threat propagation and data breaches
Joint Solution
1. Gain real-time visibility
2. Reduce endpoint risks and attack surface
3. Detect and block advanced threats
4. Expedite response to security breaches
– Network – quarantine device
– Endpoint – confirm and kill malicious processes
ForeScout CounterACT Next-Gen NAC
1. Visibility
• Discovery and inspection - who, what, where
• Managed, unmanaged, corporate, BYOD, rogue
2. Access Control
• Flexible policies - allow, alert, audit, limit, block
• 802.1X, VLAN, ACL, virtual firewall, hybrid-mode
3. Onboarding
• Guest management and BYOD onboarding
• Automated MDM enrollment
4. Interoperability
• Works with your existing IT infrastructure
• ControlFabric open integration architecture
5. Easy Deployment
• Fast implementation, agent-less, all-in-one appliance
• Multi-vendor environments, no upgrades needed
How CounterACT Detects and Inspects Devices – Dynamic and Multi-faceted
Multiple methods:
• Poll switches, APs and controllers for list of devices that are connected
• Receive SNMP trap from switches
• Monitor 802.1X requests to the built-in or external RADIUS server
• Monitor DHCP requests to detect when a new host requests an IP address
• Optionally monitor a network SPAN port to see network traffic such as HTTP traffic and banners
• Run NMAP scan
• Use credentials to run a scan on the endpoint
• Use optional agents
[Diagram sources: SNMP traps, RADIUS server, DHCP requests, user directory]
How CounterACT Detects and Inspects Devices
[Diagram: Internet, firewall, VPN concentrator, core layer switch, distribution layer switch, guest LAN, corporate LAN, VPN clients, AD / LDAP / RADIUS / DHCP; internal vs. external]
WHO?
• User
• Name
• Email
• Title
• Groups
WHAT?
• OS
• Browser agent
• Ports
• Protocols
POSTURE?
• Apps
• Services
• Processes
• Versions
• Registry
• Patches
• Encryption
• Antivirus
WHERE?
• MAC address
• IP address
• Switch IP
• Controller IP
• Port / SSID / VLAN
Type of Information CounterACT can Learn
Device
• Type of device
• Manufacturer
• Location
• Connection type
• Hardware info
Authentication
• MAC and IP address
• Certificates
• Username
• Authentication status
• Workgroup
• Email and phone number
Operating System
• OS type
• Version number
• Patch level
• Services and processes installed or running
• Registry
• File names, dates, sizes
Security Agents
• Anti-malware/DLP agents
• Patch management agents
• Encryption agents
• Firewall status
• Configuration
Applications
• Installed
• Running
• Version number
• Registry settings
• File sizes
Peripherals
• Type of device
• Manufacturer
• Connection type
Network
• Malicious traffic
• Rogue devices
Complete Situational Awareness – Real-time Network Asset Intelligence
[Console screenshots]
• See all devices: managed, unmanaged, wired, wireless, PC, mobile…
• Filter information by: business unit, location, device type…
• See device details: what, where, who…
• Site summary: devices, categories…
Granular Access Control Policies
Actions range from modest to strong:
Alert / Allow
• Open trouble ticket
• Send email notification
• SNMP traps
• Start application
• Run script
• Auditable end-user acknowledgement
• Send information to external systems such as SIEM etc.
Trigger / Limit
• HTTP browser hijack
• Deploy a virtual firewall around the device
• Reassign the device to a VLAN with restricted access
• Update access lists (ACLs) on switches, firewalls and routers to restrict access
• DNS hijack (captive portal)
• Automatically move device to a pre-configured guest network
• Trigger external controls such as endpoint protection, VA etc.
Remediate / Block
• Move device to quarantine VLAN
• Block access with 802.1X
• Alter login credentials to block access, VPN block
• Block access with device authentication
• Turn off switch port (802.1X, SNMP)
• Install/update agents, trigger external remediation systems
• Wi-Fi port block
Onboarding
• Visibility of corporate and personal devices
• Automated onboarding
– Identify device
– Identify user
– Assess compliance
• Flexible policy controls
– Register guests
– Grant access (none, limited, full)
– Enforce time of day, connection type, device type controls
• Block unauthorized devices from the network
[Diagram: employee, contractor, guest and unauthorized devices accessing web, email and CRM]
Information Sharing and Automation
Find Security and Compliance Gaps
Device
• Manufacturer, model
• Hardware properties
• User, ownership
• Configuration
• Password policy
• Jailbroken or rooted
Operating System
• OS type
• Version number
• Patch level
• Services, processes installed or running
• Registry settings
Applications
• Installed or running
• Required apps
• Blacklisted apps
• Version numbers
• Legacy applications
• File dates and sizes
Peripherals
• Peripheral type
• Manufacturer
• Configuration
• Port
• Connection type
Security Agents
• Anti-malware status
• Anti-virus up-to-date
• DLP status
• Firewall status
• Patch management
• Encryption status
Fix Security and Compliance Gaps
User Communication
• Send email
• Send to web page
• Open help desk ticket
• Communicate policies
• Self-remediation
Operating System
• Install patch
• Configure registry
• Start, stop, disable process or service
• Trigger external remediation system
Applications
• Update application
• Set configuration
• Start required application
• Stop blacklisted or legacy application
Network/Peripherals
• Quarantine
• Restrict network access
• Disable peripheral
• Disable USB ports
Security Agents
• Install agent
• Start agent
• Update agent
• Update configuration
• Trigger external remediation service
ActiveResponse™ – Post-connect Threat Detection and Response
• Signature-less IPS technology
• No prior knowledge of vulnerability or exploit required
• Doesn’t impact legitimate traffic
• No tuning or maintenance
• Detect
– Reconnaissance
– Unexpected behavior
– Worms, zero-day threats
• Respond
– Quarantine or block malicious and infected hosts
FireEye Detects Advanced Threats But…
• First infection might have already occurred
– Suspicious content may have executed on endpoint in parallel with detection
– As a result the first endpoint might already be infected (patient zero)
– Internal propagation might already have started from that first endpoint
• FireEye may not detect all infected/compromised endpoints
– Endpoints pre-infected on public networks
– Infection pathways such as USB drives
• FireEye has limited threat mitigation capabilities
– It may be able to block callback to the C&C (if FireEye NX is deployed inline)
– No quarantining capabilities of endpoints
– No remediation of endpoints
FireEye + ForeScout Use Case #1
[Diagram: Internet – firewall – switch – infected system]
1. Pre-infected system connects to network, tries to call home
2. FireEye blocks callback
3. FireEye alerts ForeScout of infected system & indicators of compromise (IOC)
4. ForeScout isolates the infected system to prevent infection propagation
5. ForeScout scans other endpoints on the network for presence of same IOC/infection and isolates them and takes other risk mitigation actions
FireEye + ForeScout Use Case #2
[Diagram: attacker on the Internet – firewall – switch – endpoint]
1. Malware or APT downloaded from the Internet
2. FireEye examines payload, detects possible malware
3. FireEye alerts ForeScout of possible infection and indicators of compromise (IOC)
4. ForeScout isolates the endpoint
5. ForeScout inspects endpoint to confirm infection and remediates if necessary (e.g. block malicious code from running)
6. ForeScout scans other endpoints on the network for presence of same IOC/infection and isolates them and takes other risk mitigation actions
ForeScout Policy Example – Threat Response
Trigger: IOC detected by FireEye
1. Quarantine System
2. Automate Mitigation Actions
3. Scan Other Systems
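The policy flow above (and the two use cases before it) as an added Python simulation; this is not ForeScout or FireEye code, and the inventory, user names, switch ports, hash values and the quarantine VLAN id are all constructed for the example. The IOC is modelled as a file hash, and "endpoint inspection" is stood in for by a per-device set of hashes.

```python
"""Simulated CounterACT-style threat-response policy (constructed example)."""
from dataclasses import dataclass, field

QUARANTINE_VLAN = 999  # assumed id of the restricted quarantine VLAN


@dataclass
class Device:
    ip: str
    user: str
    switch: str
    port: str
    vlan: int
    file_hashes: set = field(default_factory=set)  # stands in for endpoint inspection


def build_inventory():
    """Constructed asset inventory; 10.4.9.132 is the address used on the slides."""
    return {
        "10.4.9.132": Device("10.4.9.132", "jdoe", "sw-floor4", "Gi1/0/12", 40, {"h_aa11", "h_bb22"}),
        "10.4.9.140": Device("10.4.9.140", "asmith", "sw-floor4", "Gi1/0/20", 40, {"h_cc33"}),
        "10.4.9.150": Device("10.4.9.150", "rlee", "sw-floor4", "Gi1/0/21", 40, {"h_aa11"}),
    }


def quarantine(dev):
    """'Quarantine System': move the host to the quarantine VLAN and record its network context."""
    dev.vlan = QUARANTINE_VLAN
    return f"quarantine {dev.ip} user={dev.user} {dev.switch}/{dev.port}"


def scan_for_ioc(inventory, ioc_hash, skip):
    """'Scan Other Systems': every other endpoint whose inspection shows the same IOC."""
    return [d for d in inventory.values() if d.ip not in skip and ioc_hash in d.file_hashes]


def respond(alert, inventory):
    """Policy flow: IOC detected by FireEye -> quarantine -> mitigate -> scan and isolate others."""
    patient_zero = inventory.get(alert["src_ip"])
    if patient_zero is None:
        # No inventory context for this IP (the 'lacks context' gap): alert only.
        return [f"alert-only: no device context for {alert['src_ip']}"]
    actions = [quarantine(patient_zero)]
    # 'Automate Mitigation Actions': confirm and stop the malicious code on the endpoint.
    actions.append(f"kill-process {alert['ioc_hash']} on {patient_zero.ip}")
    for dev in scan_for_ioc(inventory, alert["ioc_hash"], {patient_zero.ip}):
        actions.append(quarantine(dev))
    return actions
```

Calling `respond({"src_ip": "10.4.9.132", "ioc_hash": "h_aa11"}, build_inventory())` quarantines the reported host, logs the endpoint mitigation, and also isolates 10.4.9.150, the only other device whose inspection carries the same hash.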
Joint Solution Benefits
FireEye alone
• Identifies the threat but takes no action (may block callback if inline)
• Lacks context—who is the user, what machine, how are they connected
• Cannot scan, identify and quarantine all infected endpoints after report of a breach
FireEye with ForeScout CounterACT™
• Identify the threat
• Quarantine infected hosts to prevent callbacks and threat propagation
• Take remediation and risk mitigation actions on infected hosts
• Scan an entire organization for the IOC identified by FireEye
Joint Solution Value
• For existing ForeScout customers (who add FireEye)
– Superior discovery of APTs, malware, spear phishing, zero-day and other cyber threats
– FireEye supplements ForeScout’s ActiveResponse™ technology
• For existing FireEye customers (who add ForeScout CounterACT)
– Faster response to security breaches: automated endpoint quarantine, automated endpoint remediation
– Detect and block internal threat propagation
– More complete visibility to endpoints and risks on the network
– Reduced enterprise risk by ensuring that all endpoints have complete and up-to-date security defenses and are properly patched
Easy Deployment
• Easy to use
– 802.1X not mandatory
– Non-intrusive, audit-only mode
– No agents needed (dissolvable or persistent agent can be used)
• Fast and easy to deploy
– All-in-one appliance
– Out-of-band deployment
– No infrastructure changes or network upgrades
– Rapid time to value – unprecedented visibility in hours or days
– Physical or virtual appliances
• Ideal for multi-vendor, heterogeneous network environments
ForeScout is a Leader in the Next-Gen NAC Market
Strong Foundation
• In business 13 years
• Campbell, CA headquarters
• 200+ global channel partners
Market Leadership
• #1 Independent Network Access Control (NAC) Market Leader
• Focus: Pervasive Network Security
Enterprise Deployments
• 1,500+ customers worldwide
• Financial services, government, healthcare, manufacturing, retail, education
• From 500 to >1M endpoints
ForeScout – Market Leadership
* Magic Quadrant for Network Access Control, December 2013, Gartner Inc.
** NAC Competitive Landscape, April 2013, Frost & Sullivan
* This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner, Inc. "Magic Quadrant for Network Access Control," Report G00249599, December 12, 2013, Lawrence Orans.
** Frost & Sullivan 2013 report NC91-74, “Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth”, chart base year 2012.