Are You Exposed? Threat Protection with CounterACT

Presentation on theme: "Are You Exposed? Threat Protection with CounterACT"— Presentation transcript:

1 Are You Exposed? Threat Protection with CounterACT
Len Rosenberg, Security Engineer

2 Identify, Prove and Stop
Who's connecting to your network right now?
© ForeScout Technologies, Inc.

3 Identify, Prove and Stop
Threats, before they impact the network:
- Focus on the source of the threat: stop the source, stop the attack, stop potential damage
- Sources: hackers and propagating worms
Control, to ensure appropriate access in real time:
- Identifies ownership of the device
- Measures compliance
- Enforces policies

4 CounterACT – Hacker/Worm
The Revolutionary Key: hackers and worms have no knowledge of LAN/network resources. They have to perform aggressive reconnaissance to find LAN/network vulnerabilities to exploit.
Proof point: 400+ customers trust CounterACT enough to run it in auto-block mode.

5 CounterACT – Hacker/Worm, Step 1: Monitor Reconnaissance
(1) The malicious source performs reconnaissance. Sources include hackers and serious espionage, and self-propagating malware, which propagates exponentially.
(2) CounterACT monitors for:
- Network service scans
- Queries to devices that do not exist
- Queries to devices that do not support the requested service
- Other high-level recon activity, e.g. attempting multiple usernames or multiple passwords

6 CounterACT – Hacker/Worm, Step 2: Interaction
(3) ActiveResponse responds to the reconnaissance with uniquely marked, counterfeit information:
- The intruder cannot tell this is a mark
- It appears identical to legitimate network resources
- The mark is dynamic, matched to the type of reconnaissance performed

7 CounterACT – Hacker/Worm, Step 2: Interaction (continued)
Repeats the points of slide 6 and adds: this sheaths or cloaks your network in bogus data.

8 CounterACT – Hacker/Worm, Step 3: Identification
(4) The malicious source attacks: it unknowingly attempts to gain access to the network using the counterfeit resource.
(5) CounterACT has proven the attacker's malicious intent:
- Immediately, without examining the payload or performing deep packet inspection
- Since there is no legitimate reason for any user to attempt access to the counterfeit resource (no one has permission), malicious intent is proven beyond doubt
- Never affects legitimate network traffic
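The three steps on slides 5 to 8 (watch for reconnaissance, answer it with a uniquely marked counterfeit resource, and treat any later use of that counterfeit as proof of intent) can be modelled in a few dozen lines. The following is an added example written for this page; it is not ForeScout's ActiveResponse code and says nothing about how CounterACT generates or tracks its marks. The host inventory, decoy address pool, login-failure threshold and event stream are all constructed for the example. Note what it does and does not do: a legitimate user who mistypes a hostname does get a decoy answer, but is never flagged because only a follow-up connection to the decoy counts, and traffic to real services is passed through untouched.

```python
"""Added example (not ForeScout code): a toy ActiveResponse-style detector.

Recon = probes to hosts that do not exist, to services a host does not
offer, or repeated login failures. Recon is answered with a per-source
counterfeit (decoy host offering the probed service). A source is declared
malicious only when it later connects to a counterfeit it was given.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed inventory: real hosts and the TCP ports they actually serve.
REAL_HOSTS: Dict[str, Set[int]] = {
    "10.0.0.10": {22, 80},      # intranet web/ssh box
    "10.0.0.20": {445},         # file server
    "10.0.0.30": {3389},        # terminal server
}
# Constructed pool of unused addresses handed out as marks, one per source.
DECOY_POOL: List[str] = ["10.0.0.201", "10.0.0.202", "10.0.0.203"]
LOGIN_FAILURE_THRESHOLD = 5     # assumption: failures before guessing counts as recon


@dataclass
class Event:
    src: str
    dst: str
    port: int
    kind: str = "connect"       # "connect" or "login_fail"


@dataclass
class SourceState:
    recon: int = 0
    login_failures: int = 0
    flagged: bool = False


class DeceptionMonitor:
    def __init__(self, real_hosts=None, decoy_pool=None):
        self.real_hosts = real_hosts if real_hosts is not None else REAL_HOSTS
        self.decoy_pool = list(decoy_pool if decoy_pool is not None else DECOY_POOL)
        self.sources: Dict[str, SourceState] = defaultdict(SourceState)
        self.marks: Dict[Tuple[str, int], str] = {}   # (decoy host, port) -> source given it
        self.decoy_of: Dict[str, str] = {}             # source -> its reserved decoy host

    def _issue_mark(self, src: str, port: int):
        """Answer recon with a counterfeit unique to this source. The decoy
        offers the same service the source was probing for ("dynamic mark")."""
        host = self.decoy_of.get(src)
        if host is None:
            if not self.decoy_pool:
                return None
            host = self.decoy_pool.pop(0)
            self.decoy_of[src] = host
        self.marks[(host, port)] = src
        return host

    def handle(self, ev: Event) -> Tuple[str, str]:
        st = self.sources[ev.src]
        key = (ev.dst, ev.port)
        # Step 3: touching a mark proves intent; no payload inspection needed.
        if key in self.marks:
            st.flagged = True
            return ("block", f"{ev.src} used counterfeit {ev.dst}:{ev.port} issued to {self.marks[key]}")
        real_service = ev.dst in self.real_hosts and ev.port in self.real_hosts[ev.dst]
        if real_service and ev.kind == "login_fail":
            st.login_failures += 1
            if st.login_failures < LOGIN_FAILURE_THRESHOLD:
                return ("allow", "login failure below threshold")
            # repeated guessing against a real service is recon: fall through
        elif real_service:
            return ("allow", "real service, untouched")
        # Steps 1-2: recon observed, answer with a mark.
        st.recon += 1
        decoy = self._issue_mark(ev.src, ev.port)
        if decoy is None:
            return ("log", "recon seen, decoy pool exhausted")
        return ("decoy", f"answered with counterfeit {decoy}:{ev.port}")

    def flagged_sources(self) -> List[str]:
        return sorted(s for s, st in self.sources.items() if st.flagged)


def run_scenario():
    """Constructed event stream: one clumsy user, one worm, one brute-forcer."""
    m = DeceptionMonitor()
    events = [
        Event("10.0.0.50", "10.0.0.10", 80),     # user browses intranet: allow
        Event("10.0.0.50", "10.0.0.11", 80),     # user mistypes host: decoy, not flagged
        Event("10.0.0.50", "10.0.0.10", 22),     # user keeps working: allow
        Event("10.0.0.66", "10.0.0.10", 445),    # worm probes SMB on the web box: decoy
        Event("10.0.0.66", "10.0.0.202", 445),   # worm follows its mark: block
    ]
    events += [Event("10.0.0.77", "10.0.0.30", 3389, "login_fail")] * 5  # 5th -> decoy
    events.append(Event("10.0.0.77", "10.0.0.203", 3389))                # follows mark: block
    verdicts = [m.handle(e)[0] for e in events]
    return m, verdicts


if __name__ == "__main__":
    monitor, verdicts = run_scenario()
    print(verdicts)
    print("flagged:", monitor.flagged_sources())
```

The decoy pool is deliberately finite: once it is exhausted the monitor can only log, which is the failure mode a real deployment has to size for. Keying marks on (host, port) rather than host alone is what lets the same source be handed a fresh mark for each service it probes.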

9 CounterACT – Hacker/Worm: Protection, Not Disruption
- If a zero-day attack is unfolding: the accuracy of the IPS allows automatic action. Disruptive to the attacker, non-disruptive to network staff.
- If an unknown device/person is infected: completely block the user's access. Disruptive to that user, non-disruptive to your network.
- If a known device/person is infected: surgically block only the infected ports. Non-disruptive to other activities.
In production networks for over four years.
Speaker notes: Examples of how Active Response works in a non-disruptive manner. Focus on how Active Response automatically takes care of self-propagating code, freeing network staff from fire drills to keep a worm from taking down the network. Focus on how Active Response can block an infected user's access automatically before it has the opportunity to infect other devices on the network. Highlight that CounterACT, using Active Response, can block only the propagation port/specific service of the infected device, keeping the user connected and productive while ensuring the security of the network. At the same time, network administration can be notified of the infection so that remediation can be completed rapidly.

10 Do Not Disrupt: CounterACT Network Access Control
ForeScout's Network Access Control (NAC) is built upon four principles:
- Universal Discovery: detects every device, determining whether it is company-owned, guest or contractor, without any prior knowledge of the device
- End Point X-Ray: interrogates all devices for their degree of security policy compliance and enforces real-time protection from self-propagating threats, with no quarantine-by-default requirement
- Tailored Enforcement: the level of restriction is matched to the exact degree of policy violation, avoiding needless interruption of user productivity
- Non Disruptive: deploy and enforce with no disruption to the network, IT staff and compliant users, automatically guiding non-compliant users into compliance
Speaker notes: ForeScout delivers "Network Access. Controlled." The next set of slides drills down into the specifics of each of these four points.

11 Universal Discovery: Enforce Policy on ALL Devices
Clientless:
- No software/code required on endpoints
- All devices detected upon network connection: guests, contractors, printers, VoIP devices, etc.
Applies to local and global domain users:
- CounterACT works with the existing domain
- Treats domain and non-domain users differently, in accordance with defined policies
Speaker notes: Because there is no requirement for code residing on the endpoint, CounterACT can discover any device connecting to the network in real time without prior knowledge of the endpoint; it is completely clientless. This matters when you consider how many IP-connected devices would be missed if the NAC system required an endpoint client/agent. As more printers, VoIP phones, manufacturing equipment and similar devices connect to the production network, an agent-based NAC system would leave them undetected and could expose the network to additional vulnerabilities, not to mention the laptops (both company-owned and visitors') that move in and out of the network regularly, creating either a management challenge or a new exposure. CounterACT solves this by requiring no client/agent on the endpoint.
Benefits:
- Automatically identifies and enforces policy on any device connecting to the network
- Gives network administrators the ability to enforce policies specific to the domain
- Allows automatic identification and handling of network visitors
This approach relieves the management burden of deploying software to every endpoint and lets network administrators roll out a NAC system in a relatively short time, while leveraging the existing directory structure to provide the information needed to build and enforce access roles. By using information already stored in the directory, CounterACT can differentiate between company users and network visitors, which allows appropriate handling of non-domain users and protects the network from unauthorized users.
"Clientless solutions are typically the easiest to deploy, achieve broad protection and enforcement, and are the most scalable." Jeff Wilson, Principal Security Analyst

12 Universal Discovery: Manages Guest/Student Access
CounterACT instantly determines whether the device is managed or a guest/student. Depending on the policy in place, it can:
- Automatically assign the device to a guest/visitor VLAN with Internet access
- Prompt the visitor to log in to the device so CounterACT can conduct an in-depth interrogation
- Limit or block access
Speaker notes: One of the most significant challenges facing the industry is how to handle network visitors/contractors. CounterACT delivers an elegant way to automate this process and give the company the security it mandates without diminishing the productivity of outside workers. The clientless approach lets CounterACT automatically detect whether the connecting device is a member of the domain. If not, several enforcement options are available to the network administrator. For example: the connecting device could be automatically assigned to a VLAN configured for network guests, providing Internet access but keeping them completely separate from network resources. Or, if the company simply wants to ensure the connecting device complies with existing security policies, CounterACT can engage the end user and ask for permission to interrogate the device; if the user allows the interrogation, the device can be admitted onto the network if it complies with security policies. Or the device could be granted limited access to non-essential network resources, placed into a quarantine VLAN, or simply denied access.

13 Tailored Enforcement: Custom Fit to Your Business Needs
Full spectrum of policy enforcement options:
- Degree of disruption directly related to degree of violation
- Maximum user disruption is reserved only for critical violations
Customized policy enforcement with CounterACT:
- The business dictates the level of enforcement for policy violations
- Different enforcement for domain users, contractors and guests
Not binary:
- Provides multiple limited-disruption enforcement options
- End users can remain productive while minor policy violations are addressed
Enforcement options shown on the slide:
- Open trouble ticket
- Deploy a virtual firewall around an infected or non-compliant device
- Turn off physical switch port
- Send
- Terminate unauthorized applications
- HTTP browser hijack
Speaker notes: At this point in the process, CounterACT has determined whether the connecting device is a managed user in compliance with corporate policies or not. If a policy violation is detected, one of the most significant obstacles to deploying NAC is the question of enforcement. Many NAC products today offer only limited enforcement options, which often leave users without access for even the smallest policy violation (e.g. antivirus out of date by one day). CounterACT provides a full spectrum of enforcement options, allowing an appropriate and specific response to any policy violation, so network administrators can match the level of enforcement to the degree of violation. In other words, less critical violations can be handled with non-disruptive enforcement such as hijacking the user's browser to notify them of the specific violation, while more critical violations can be addressed with stepped-up enforcement, reserving total network disconnection for the most severe violations as defined by the individual customer. New features in CounterACT 6.0: application termination, and integration with SMS for automated patching/remediation. The significant difference in this approach is that it allows the customer to custom-fit enforcement to each policy violation; the business dictates the level of enforcement, not the NAC product. This customization extends beyond how enforcement is applied to targeting enforcement by device type, domain membership, domain role, geographic location, logical grouping, etc. Products that offer only a binary (on/off) response do not allow the user to remain productive while policy violations are addressed. CounterACT lets the network administrator, and ultimately the business, dictate the level of enforcement applied to each specific policy violation.

14 Do Not Disrupt: Deploy NAC without Disruption
Non-disruptive deployment:
- Not-inline deployment
- Ability to deploy in/through multiple modes: audit, inform, educate, enforce
Non-disruptive management:
- The NAC system does not require continual monitoring
- Simple format for updating/changing policies
- HTTP interrupt automatically informs the user of out-of-policy situations and of the process to self-remediate and return to compliance without IT intervention
- High availability ensures NAC policies are always enforced
Non-disruptive access:
- Allows contractors/guests access according to policy without physical adjustment to the network
Speaker notes: In a recent Gartner/ForeScout webinar, the audience was polled on the greatest obstacle to deploying NAC within their infrastructure. The overwhelming response was fear of the network/user disruption associated with deployment. CounterACT was built on the premise that NAC technology should be deployable and manageable in a manner that does not disrupt the business, and should remain non-disruptive both in ongoing management and in enforcing access policies. This is accomplished by:
- Not-inline deployment: CounterACT is typically spanned from a distribution-layer switch and does not require any infrastructure upgrades or reconfiguration of the network to accommodate an in-line device.
- A high degree of automation: once deployed, CounterACT is easy to manage and update. As policies are enforced, CounterACT provides several automated actions that are taken without human intervention (unless the customer requires it).
- High availability of CounterACT and the CounterACT Enterprise Manager, ensuring policy enforcement is always taken care of.
- Rapid connection of compliant users: with ForeScout Fast Pass, compliant known users are unaware of the NAC system in place; the system is completely transparent to the end user.
And with the tailored enforcement options, most policy violations can be handled automatically without constant IT/helpdesk intervention.

15 CounterACT Non Disruptive Deployment: Know Your Network
Steps to achieving NAC deployment without network disruption:
- Know your network: the level of current policy compliance, and the quality of the created policy
- Inform all connecting devices of the new policy: hijack the browser session upon every new connection, and force a verification login from the notification dialogue box
- Engage the non-compliant end user personally: with NetSend or browser hijack, notify the end user of the specific policy violation, using their name
- Flexible automatic enforcement: notify / remediate / limit network access / quarantine / deny access
Speaker notes: Rolling out NAC without disruption. There are four stages, which allow users to become compliant before sanctions are imposed.
Audit: Once deployed, CounterACT initiates an automatic discovery of all network resources. This provides a full view of the network topology and the interconnectedness of all devices. At the same time, policies can be created and turned on in monitor mode, allowing network administrators to understand the current level of compliance and to verify that the policy was created correctly and would bring about the desired result.
Inform: CounterACT can engage the user every time they connect, or at predetermined intervals, with a notification of the new network security policy. This notification can be accompanied by an additional login in order to keep an auditable log of which users have stated that they have read and understood the policy being enacted. For example, users could be notified that in 30 days they will need to remove all IM applications.
Educate/Train: Once the inform stage is complete (the 30-day deadline in the example above has passed) and the user has not complied with the new policy, CounterACT can address the specific user directly (by name/login) and highlight the specific policy violation. With tailored enforcement options, the user can be directed to self-remediation options or simply warned and given a deadline in which to comply.
Flexible Automatic Enforcement: If the customer has moved through the first three stages and the user is still not in compliance, the full spectrum of tailored enforcement options is available to custom-fit the enforcement to the level of policy violation. Enforcement does not automatically mean disconnecting the user; it means taking the appropriate steps to bring the user into compliance with the established policy (although disconnection is one of the options available if required).
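Slides 9 and 12 to 15 together describe a decision procedure: classify the endpoint (domain member, guest or unknown), grade its worst policy violation, pick the least disruptive of the slide-13 actions that fits, and gate compliance enforcement on the rollout stage (audit, inform, educate, enforce) while handling self-propagating infections in every stage. The following is an added example written for this page, not CounterACT's policy engine; the severity scale, the antivirus-age thresholds, the action names and the device fleet are all assumptions constructed for illustration.

```python
"""Added example (not ForeScout code): a tailored-enforcement policy engine.

Inputs: an endpoint's classification and compliance findings plus the
rollout mode. Output: one action, chosen so that the restriction matches
the violation and the rollout stage. Severity scale (assumption):
0 compliant, 1 minor, 2 major, 3 critical (self-propagating infection).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MODES = ("audit", "inform", "educate", "enforce")   # slide 14 rollout stages


@dataclass
class Endpoint:
    name: str
    user: Optional[str]            # None when nobody is logged in
    domain_member: bool            # False for guests/contractors/unknown devices
    av_age_days: int = 0           # age of antivirus signatures
    forbidden_apps: Tuple[str, ...] = ()
    infected: bool = False
    propagation_ports: Tuple[int, ...] = ()   # ports the infection spreads on


@dataclass
class Action:
    kind: str                      # allow/log/http_hijack/terminate_app/virtual_firewall/guest_vlan/switch_port_off
    detail: str = ""
    ports: Tuple[int, ...] = ()    # for virtual_firewall: ports blocked (empty = restrict to remediation)


def violations(ep: Endpoint) -> List[Tuple[int, str]]:
    """Grade each finding; thresholds are assumptions for the example."""
    found = []
    if ep.infected:
        found.append((3, "self-propagating malware detected"))
    if ep.forbidden_apps:
        found.append((2, "unauthorized applications: " + ", ".join(ep.forbidden_apps)))
    if ep.av_age_days > 7:
        found.append((2, f"antivirus signatures {ep.av_age_days} days old"))
    elif ep.av_age_days > 1:
        found.append((1, f"antivirus signatures {ep.av_age_days} days old"))
    return found


def decide(ep: Endpoint, mode: str) -> Action:
    if mode not in MODES:
        raise ValueError(f"unknown rollout mode {mode!r}")
    found = violations(ep)
    worst = max((sev for sev, _ in found), default=0)
    who = ep.user or ep.name
    # Infections are acted on in every mode: no legitimate user spreads a worm.
    # Known devices lose only the propagation ports (slide 9); unknown ones
    # lose the port entirely.
    if worst == 3:
        if ep.domain_member:
            return Action("virtual_firewall", f"{ep.name}: block propagation ports only; notify admins",
                          ep.propagation_ports)
        return Action("switch_port_off", f"{ep.name}: unknown infected device, full block")
    # Non-domain devices go to the guest VLAN regardless of compliance (slide 12).
    if not ep.domain_member:
        return Action("guest_vlan", f"{ep.name}: non-domain device, Internet-only access")
    if worst == 0:
        return Action("allow", f"{ep.name}: compliant, transparent to the user")
    summary = "; ".join(desc for _, desc in found)
    # Compliance violations are gated by the rollout stage (slide 15).
    if mode == "audit":
        return Action("log", f"{ep.name}: {summary}")
    if mode == "inform":
        return Action("http_hijack", f"{who}: new network policy, acknowledge to continue")
    if mode == "educate":
        return Action("http_hijack", f"{who}: you are out of policy: {summary}")
    # enforce: restriction matched to severity, maximum disruption only when needed
    if worst == 1:
        return Action("http_hijack", f"{who}: {summary}; follow the self-remediation steps")
    if ep.forbidden_apps:
        return Action("terminate_app", f"{ep.name}: terminate " + ", ".join(ep.forbidden_apps))
    return Action("virtual_firewall", f"{ep.name}: {summary}; limited to remediation servers, ticket opened")


def decide_all(endpoints: List[Endpoint], mode: str) -> Dict[str, str]:
    return {ep.name: decide(ep, mode).kind for ep in endpoints}


def demo_fleet() -> List[Endpoint]:
    """Constructed fleet covering each branch of decide()."""
    return [
        Endpoint("ws-alice", "alice", True),
        Endpoint("ws-bob", "bob", True, av_age_days=3),
        Endpoint("ws-carol", "carol", True, forbidden_apps=("im-client",)),
        Endpoint("ws-dave", "dave", True, av_age_days=20),
        Endpoint("ws-eve", "eve", True, infected=True, propagation_ports=(445,)),
        Endpoint("guest-laptop", None, False),
        Endpoint("rogue", None, False, infected=True, propagation_ports=(445,)),
    ]


if __name__ == "__main__":
    for mode in MODES:
        print(mode, decide_all(demo_fleet(), mode))
```

Running it for all four modes shows the slide-16 shape directly: in audit mode every violator is only logged, in inform and educate they are interrupted but stay connected, and only in enforce mode does the restriction vary with the violation, while the infected host is firewalled on port 445 in every mode.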

16 CounterACT Non Disruptive Deployment: Move Users to Compliance Without Affecting Productivity
Graph: number of non-compliant devices (vertical axis) against the deployment timeline / level of compliance enforcement (horizontal axis).
- Informed users achieve compliance before sanctions are imposed
- Enforcement is limited to a small number of policy violators
Speaker notes: The graph depicts the number of non-compliant users decreasing as the NAC rollout goes through the four steps. Two things to highlight: informed users achieve compliance before sanctions are imposed, and enforcement is limited to a small number of policy violators.

17 Network Access Control: Analyst Recommendations
"… All NAC projects should include the ability to establish baseline endpoints for malware and to quarantine infected devices before they gain network access." Lawrence Orans, Research Director
"For mass-market broad deployment there is more than enough functionality in clientless solutions to create granular access policies that meet or exceed security and compliance requirements." Jeff Wilson, Principal Security Analyst
"NAC is too important a process to wait another two years, and many enterprises have heterogeneous environments anyway. If you are unable to implement infrastructure-based NAC by year-end 2007, begin now with either endpoint software-based or appliance-based NAC solutions, but develop a strategy for integrating these solutions with infrastructure-based NAC." John Pescatore, VP Distinguished Analyst

18 ForeScout's CounterACT: Controlling Access
Instantly identifies self-propagating threats:
- Without disrupting legitimate network traffic
- Without requiring signatures
- Unmatched accuracy: trusted by over 400 customers in auto-block mode
Provides network access policy enforcement:
- Ensures all connecting devices are compliant with network security policies
- End users do not have to be affected by the NAC deployment (unless non-compliant)
- Can easily determine access rights based upon domain membership
Deploy immediately without fear of network disruption:
- Non-inline architecture for straightforward integration with existing infrastructure
- Monitor and education modes provide a simple way to bring users to the desired degree of compliance before enforcement is turned on
CounterACT is NAC at work: NAC that is customer driven and proven in global deployments, cutting through the confusion to provide a real "working" NAC solution.

