So how to identify exactly who and what is on your network at any point in time? Andrew Noonan, SE ForeScout February 2015.


ForeScout is a Leader in the NAC Market #1
Strong Foundation: In business 13 years; Campbell, CA headquarters; 200+ global channel partners
Market Leadership: Independent Network Access Control (NAC) Market Leader; Focus: Pervasive Network Security
Enterprise Deployments: 1,700+ customers worldwide; Financial services, government, healthcare, manufacturing, retail, education; From 500 to >1M endpoints
ForeScout Confidential

Inadequate Visibility Means Security Gaps
[Diagram labels: Corporate Resources; Non-corporate; VISIBLE; NOT VISIBLE; Antivirus out of date; Endpoints; Unauthorized application; Agents not installed or not running; Network Devices; Applications; Users]

Inadequate Collaboration: VA; MDM; Patch; APT

Detection-Mitigation Divide

Impacts to the Enterprise: + IT Risks, + IT Costs
Greater IT Security Risks: Rogue devices; System breach; Data leakage; Compliance violation
Greater IT Costs ($): Investigation; Mitigation

Desired State: Real-time Visibility + Coordinated Controls
Ticketing; Remediation; Systems Management; Endpoint Security; Wireless; SIEM; Switches; MDM; AAA; Vulnerability

ForeScout CounterACT
1. Visibility: Discovery and inspection - who, what, where. Managed, unmanaged, corporate, BYOD, rogue.
2. Access Control: Flexible policies - allow, alert, audit, limit, block. 802.1X, VLAN, ACL, virtual firewall, hybrid-mode.
3. Onboarding: Guest management and BYOD onboarding. Automated MDM enrollment.
4. Interoperability: Works with your existing IT infrastructure. ControlFabric open integration architecture.
5. Ease of Deployment: Fast implementation, agent-less, all-in-one appliance. Multi-vendor environments, no upgrades needed.

Continuous Monitoring and Mitigation: Continuous Visibility; Endpoint Mitigation; Endpoint Authentication & Inspection; Network Enforcement; Information Integration

1. Visibility
Who are you? Employee; Partner; Contractor; Guest
Who owns your device? Corporate; BYOD; Rogue
What type of device? Windows, Mac; iOS, Android; VM; Non-user devices
Where/how are you connecting? Switch; Controller; VPN; Port, SSID; IP, MAC; VLAN
What is the device hygiene? Configuration; Software; Services; Patches; Security Agents

Network Visibility
WHO? User name; Email; Title; Groups
WHAT? OS; Browser agent; Ports; Protocols
WHERE? MAC address; IP address; Switch IP; Controller IP; Port / SSID / VLAN
POSTURE? Apps; Services; Processes; Versions; Registry; Patches; Encryption; Antivirus
[Diagram labels: INTERNAL; EXTERNAL; CORE LAYER SWITCH; AD / LDAP / RADIUS / DHCP; VPN CONCENTRATOR; FIREWALL; INTERNET; DISTRIBUTION LAYER SWITCH; CORPORATE LAN; GUEST LAN; VPN CLIENTS]

Real-time Network Asset Intelligence Complete Situational Awareness

2. Granular Access Control Policies
Modest to Strong: Alert / Allow; Trigger / Limit; Remediate / Block
- Open trouble ticket
- Send email notification
- SNMP Traps
- Start application
- Run script
- Auditable end-user acknowledgement
- Send information to external systems such as SIEM etc.
- HTTP browser hijack
- Deploy a virtual firewall around the device
- Reassign the device to a VLAN with restricted access
- Update access lists (ACLs) on switches, firewalls and routers to restrict access
- DNS hijack (captive portal)
- Automatically move device to a pre-configured guest network
- Trigger external controls such as endpoint protection, VA etc.
- Move device to quarantine VLAN
- Block access with 802.1X
- Alter login credentials to block access, VPN block
- Block access with device authentication
- Turn off switch port (802.1X, SNMP)
- Install/update agents, trigger external remediation systems
- Wi-Fi port block

3. Onboarding
Visibility of corporate and personal devices
Automated onboarding: Identify device; Identify user; Assess compliance
Flexible policy controls: Register guests; Grant access (none, limited, full); Enforce time of day, connection type, device type controls; Block unauthorized devices from the network
[Diagram labels: EMPLOYEE; CONTRACTOR; GUEST; UNAUTHORIZED; WEB; EMAIL; CRM]

Flexible Onboarding Options User Type Guest Internet Access Guest Registration Sponsor Authorization Limited Internal Access Authenticate via Contractor Credentials BYOD Posture Check Contractor/Partner Personal Device Corporate Asset Authenticate via Corporate Credentials BYOD Posture Check Internal Access Corporate Asset Posture Check Employee

Automated MDM Enrollment
- Device connects to network
- Classify by type
- Check for mobile agent
- If agent is missing: Quarantine device; Install mobile agent (HTTP Redirect)
- Once agent is activated: Check compliance; Allow policy-based access; Continue monitoring
[Diagram labels: ForeScout CounterACT; MDM; Your Enterprise Network]

Information Sharing and Automation ASSET MANAGEMENT NETWORK OPERATIONS RISK MANAGEMENT Security Gateway GRC Continuous Monitoring and Mitigation Intelligence Exchange AAA SIEM NGFW / VPN VA/DLP System Management MDM / MAM Host Controls

5. Ease of Deployment
Easy to use:
- 802.1X not mandatory
- Non-intrusive, audit-only mode
- No agents needed (dissolvable or persistent agent can be used)
Fast and easy to deploy:
- All-in-one appliance
- Out-of-band deployment
- No infrastructure changes or network upgrades
- Rapid time to value – unprecedented visibility in hours or days
- Physical or virtual appliances
- Ideal for multi-vendor, heterogeneous network environments

Thank You

How CounterACT Detects and Inspects Devices
Dynamic and Multi-faceted. Multiple methods:
- Poll switches, APs and controllers for list of devices that are connected
- Receive SNMP trap from switches
- Monitor 802.1X requests to the built-in or external RADIUS server
- Monitor DHCP requests to detect when a new host requests an IP address
- Optionally monitor a network SPAN port to see network traffic such as HTTP traffic and banners
- Run NMAP scan
- Use credentials to run a scan on the endpoint
- Use optional agents
[Diagram labels: RADIUS SERVER; DHCP REQUESTS; SNMP TRAPS; USER DIRECTORY]
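The DHCP monitoring method listed above, as an added example (not ForeScout's code and not part of the original slides): it parses raw DHCP client payloads per RFC 2131 and reports joining hosts whose MAC address is missing from a known inventory. The function names, the inventory set and the sample packets are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
JOIN_TYPES = {1: "DISCOVER", 3: "REQUEST"}  # client messages sent when a host joins

def parse_dhcp(payload):
    """Parse a client BOOTP/DHCP UDP payload (RFC 2131); None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE or payload[0] != 1:
        return None                        # too short, not DHCP, or not a client request
    hlen = min(payload[2], 16)             # chaddr field is 16 bytes; clamp a bad hlen
    rec = {"mac": payload[28:28 + hlen].hex(":"), "msg_type": None,
           "hostname": None, "vendor_class": None}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                      # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                    # truncated option: reject the packet
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:     # DHCP message type
            rec["msg_type"] = JOIN_TYPES.get(value[0])
        elif code == 12:                   # host name
            rec["hostname"] = value.decode("ascii", "replace")
        elif code == 60:                   # vendor class identifier
            rec["vendor_class"] = value.decode("ascii", "replace")
        i += 2 + length
    return rec

def new_hosts(payloads, known_macs):
    """Return records for joining hosts whose MAC is not in the inventory."""
    seen, found = set(known_macs), []
    for rec in map(parse_dhcp, payloads):
        if rec and rec["msg_type"] and rec["mac"] not in seen:
            seen.add(rec["mac"])
            found.append(rec)
    return found

def sample_packet(mac, msg_type, hostname, vendor):  # builds constructed test input
    head = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0) + bytes(16)
    opts = (bytes([53, 1, msg_type, 12, len(hostname)]) + hostname
            + bytes([60, len(vendor)]) + vendor + b"\xff")
    return head + mac.ljust(16, b"\0") + bytes(192) + MAGIC_COOKIE + opts

SAMPLE_PACKETS = [  # constructed: one inventoried host, one unknown host
    sample_packet(bytes.fromhex("020000000001"), 1, b"lab-pc", b"MSFT 5.0"),
    sample_packet(bytes.fromhex("020000000002"), 3, b"tablet", b"android-dhcp-9")]
```

Calling `new_hosts(SAMPLE_PACKETS, {"02:00:00:00:00:01"})` returns only the record for the second, uninventoried device, including the host name and vendor class a classifier could use to guess the device type.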

Type of Information CounterACT can Learn
Device: Type of device; Manufacturer; Location; Connection type; Hardware info; Authentication; MAC and IP address; Certificates
Operating System: OS Type; Version number; Patch level; Services and processes installed or running; Registry; File names, dates, sizes
Security Agents: Anti-malware/DLP agents; Patch management agents; Encryption agents; Firewall status; Configuration
Network: Malicious traffic; Rogue devices
Applications: Installed; Running; Version number; Registry settings; File sizes
User: Name; Authentication Status; Workgroup; Email and phone number
Peripherals: Type of device; Manufacturer; Connection type

2. Access Control
Authentication Options: LDAP based Directory Systems; MAC Address Lists; RADIUS/802.1X; Guest Registration; External Repositories
Access Control Options: VLAN Assignment; ACL Management; Virtual Firewall; 802.1X Block, VLAN, ACL
Flexible Implementation: Direct integration with directory systems and external databases; Built-in RADIUS; Can operate as RADIUS proxy
Hybrid Mode: 802.1X for wireless, non-802.1X for wired; Use 802.1X as default, fall back to non-802.1X if needed

4. Interoperability Switches & Routers Endpoint & APT Protection Endpoints Firewall & VPN IT Network Services MDM Wireless Network Devices SIEM/GRC Vulnerability Assessment CEF

Information Sharing and Automation