© 2012 ForeScout Technologies, Page 1 Toni Buhrke, MBA, CISSP - Senior Security Solutions Architect Addressing the BYOD Challenge.

Presentation transcript:

© 2012 ForeScout Technologies, Page 1 Toni Buhrke, MBA, CISSP - Senior Security Solutions Architect Addressing the BYOD Challenge

The BYOD Phenomenon
“40.7% of devices used by information workers to access business applications are ones they own themselves, including laptops, smartphones, and tablets such as Apple’s iPad.”
“IT organizations underestimate the number of personal mobile devices on their network by 50%.”¹
¹ IDC Research, Consumerization of IT study – Closing IT Consumerization Gap, July 2011

Mobile Access Survey

Fight or Embrace?
“The rise of "bring your own device" programs is the single most radical shift in the economics of client computing for business since PCs invaded the workplace.” - Gartner¹
¹ Gartner “Bring Your Own Device: New Opportunities, New Challenges”, August 16, 2012

Embrace is Winning
77%: Already said yes to BYOD
Base: 872 IT executives in enterprises in the US, the UK and Germany
Source: © 2011 Forrester Research, Inc. Reproduction Prohibited

IT Security Managers’ Concerns
Boston Research Group, ForeScout Sponsored Mobile Security Study, January
North American IT Security Professionals in Companies of 1,000+ Employees

The Dilemma
How can organizations embrace the use of personal devices without compromising security?

Case Study – Large Financial Institution
–In 2010, a large financial services company realized that it needed a strategy for supporting personally owned devices in the workplace.
–The company has more than 100,000 endpoint devices distributed over 200 locations worldwide, and it anticipated that it would soon need to support approximately 10,000 employee-owned smartphones, tablets and personally owned laptops.
–The company's risk and compliance management team led the project and was responsible for establishing the BYOD policies.

8 Steps to BYOD Implementation
1. Form a committee
–Multiple IT departments
–Users across departments
2. Gather data
–Devices in use?
–Ownership of devices?
–Applications in use?
–Entry paths?
3. Identify use cases
–Which applications?
–Which users? Role?
–Offline use?
–Sensitivity of data?
4. Formulate policies
–Which corporate applications?
–Which users?
–How will data be secured?
–Who will be responsible for BYOD support?
–What happens if the device is lost or stolen?
–How will the endpoint device be updated?
–Acceptable use policies?
5. Decide how to enforce policies
–Network controls?
–Device controls?
–Data controls?
6. Build a project plan
–Remote device management?
–Cloud storage?
–Wipe devices when employees are terminated?
7. Evaluate solutions
–Ease of implementation?
–Cost?
–Security?
–Usability?
8. Implement solutions
–Network controls?
–Device controls?
–Data controls?

Case Study – BYOD Use Case: Employee Owned Smartphone
–The company decided that an MDM agent is required for the device to gain access to a wireless BYOD network.
–Employees can use any device that supports the MDM agent, including Apple, Android, Windows and BlackBerry.
–If the MDM agent is detected, the device is granted access to a separate wireless BYOD network.
–Citrix Systems' Receiver agent is used to grant access to a subset of applications on the corporate network, based on the user's profile, thereby creating a limited-access zone.

Case Study – BYOD Policy: Employee Owned Smartphone
–If the MDM agent is not detected, the device is positioned on the guest network and is limited to Internet access only. (The user must register at the guest Web portal to gain Internet access.)
–Jailbroken iOS devices and rootkitted Android and Windows devices are denied access to the network, including the guest network.
–The MDM agent determines if the device has been jailbroken or rootkitted.

Case Study – BYOD Use Case: Employee Owned Windows Laptop
–Up-to-date patches are required.
–Up-to-date antivirus signatures are required (employees can select from an approved list of solutions at the company's expense, per corporate licensing agreements).
–Disk encryption is required (employees can select from an approved list).
–Specific ports must be blocked via a personal firewall (such as Telnet/SSH).
–Vontu's data loss prevention (DLP) agent is required.

Case Study – BYOD Policy: Employee Owned Windows Laptop
–If the Windows laptop is compliant with all six of the policy criteria, it is granted full access to the corporate network.
–If the Windows laptop is noncompliant with one or more of the policies, it is positioned on the guest network and is limited to Internet access only. (The user must first register at the guest Web portal.)

Case Study – BYOD Case Study: Employee Owned MacBook
–It must be running OS 10.5 or later.
–Vontu DLP agent is required.

Case Study – BYOD Policy: Employee Owned MacBook
–If the MacBook is compliant with all three of the policy criteria, it is granted full access to the corporate network.
–If the MacBook is noncompliant with one or more of the policies, it is positioned on the guest network and is limited to Internet access only. (The user must first register at the guest Web portal.)
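
The smartphone, Windows laptop and MacBook policies above can be read as one posture-to-network decision. The sketch below is an added illustration, not ForeScout's or the company's code: the field names, segment labels and the port numbers 22/23 are assumptions. The slides count six Windows criteria and three MacBook criteria but list five and two, so only the listed ones are checked.

```python
from dataclasses import dataclass, field

# Segment names are illustrative labels for the zones named on the slides.
DENY, GUEST, BYOD_WLAN, CORPORATE = "deny", "guest", "byod-wireless", "corporate"

# "Specific ports must be blocked ... (such as Telnet/SSH)": assumed port set.
MUST_BLOCK_PORTS = {22, 23}
MIN_MACOS = (10, 5)


@dataclass
class Posture:
    """Constructed posture record; every field name here is hypothetical."""
    kind: str  # "smartphone", "windows_laptop" or "macbook"
    mdm_agent: bool = False
    jailbroken_or_rooted: bool = False  # reported by the MDM agent
    patches_current: bool = False
    av_signatures_current: bool = False
    disk_encrypted: bool = False
    firewall_blocked_ports: set = field(default_factory=set)
    dlp_agent: bool = False
    os_version: str = ""


def parse_version(text):
    """Turn '10.10.2' into (10, 10, 2) so that 10.10 compares above 10.5."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return ()  # an unparseable version fails the minimum-version check


def failed_checks(p):
    """Return the names of the listed criteria that this laptop fails."""
    if p.kind == "windows_laptop":
        checks = {
            "patches up to date": p.patches_current,
            "antivirus signatures up to date": p.av_signatures_current,
            "disk encryption": p.disk_encrypted,
            "firewall blocks Telnet/SSH": MUST_BLOCK_PORTS <= p.firewall_blocked_ports,
            "DLP agent": p.dlp_agent,
        }
    elif p.kind == "macbook":
        checks = {
            "OS 10.5 or later": parse_version(p.os_version) >= MIN_MACOS,
            "DLP agent": p.dlp_agent,
        }
    else:
        checks = {}
    return [name for name, ok in checks.items() if not ok]


def decide(p):
    """Map a posture record to (segment, reasons) per the case-study policy."""
    if p.kind == "smartphone":
        if p.jailbroken_or_rooted:
            return DENY, ["jailbroken or rooted"]  # no access, guest included
        if not p.mdm_agent:
            return GUEST, ["no MDM agent detected"]  # Internet only, via portal
        return BYOD_WLAN, []
    if p.kind in ("windows_laptop", "macbook"):
        failed = failed_checks(p)
        return (GUEST, failed) if failed else (CORPORATE, [])
    # Unknown device class: placed on guest here (an assumption of this example).
    return GUEST, ["unclassified device"]
```

Returning the failed criteria alongside the segment gives the guest portal something concrete to show the user, and comparing versions as integer tuples avoids the string-comparison trap where "10.10" sorts below "10.5".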

What Are Your BYOD Solution Options?
SOLUTION, followed by its CHARACTERISTICS:
Block all personal devices
–Very secure!
–Career limiting…
Manage all personal devices (MDM)
–Good security at the device level
–Ignores Windows and Macs
–Separate management console
Restrict the data (VDI)
–Strong data protection
–Poor user experience
–Not for the road warrior
Control apps (MEAM, MAW)
–Leading edge approach
–Must be used with other controls
Control the network (NAC)
–Simple, fast, 100% coverage
–Protects data on the network, not on the device

Multiple Security Choices

The NAC Solution
“Although approaches such as server-based computing and virtualization will also be used to deal with consumerization, NAC provides the flexibility that enterprises need in a BYOD environment, while providing the controls that enable network and security managers to retain control over the network.”
Gartner, “Strategic Road Map for Network Access Control”, Lawrence Orans and John Pescatore, 11 October 2011, ID number G

ForeScout CounterACT and ForeScout Mobile
Provides extensive BYOD flexibility
–One security console for centralized visibility and enforcement
–Dual protection
  –Network: real-time visibility, access control, block threats
  –Device: compliance, remote wipe/lock
–All managed and personal devices; PCs and mobile
Flexible mobile control
1. ForeScout CounterACT: basic visibility and access control
2. ForeScout Mobile Security Module: native security for iOS / Android
3. ForeScout MDM: full cloud and device-based mobile device management with comprehensive device, application and data security
4. ForeScout Mobile Integration Module: broader mobile platform visibility and security enforcement leveraging 3rd-party MDM integration

ForeScout CounterACT for Network Access Control
See and control everything on your network
–Deploy in one day
–Physical or virtual appliance
–Out-of-band
–Works with your existing infrastructure

ForeScout CounterACT for Network Access Control
See and control everything on your network
–Who and what is on your network?
–Assess credentials and security posture
–Allow, limit or block
(Diagram labels: CRM, Web, Guest, Employee, Guest, Sales)

Advanced Security and Operational Integration
(Diagram: ForeScout Security Policy Engine, connected to Switch, VPN, Wi-Fi, Dir, Database, SIEM, Windows (WSUS, SCCM), McAfee ePO and ESM, MDM, Antivirus, VA)

ForeScout Mobile
Mobile Visibility
–Complete, cross-vendor mobile inventory: Apps, users, OS, settings…
–Tactical map tracking where, how, what and who connects – in real time
Mobile Control
–Manage Corporate/Guest network access
–Quarantine unknown/unauthorized mobile devices
Mobile Compliance
–Health assessment via white/black listing of installed/running apps
–Alert and remediate gaps like: apps not installed, roaming charge, etc.
Mobile Security
–Restrict application usage (e.g. camera, video, audio recorder, IM, Facebook, Twitter)
–Block malicious mobile users from connecting

MDM Integration
ForeScout CounterACT
–100% visibility
–Unified reporting
–Automated MDM enrollment
–On-access assessment
–Block malicious activity
(Diagram labels: Exchange, AD/LDAP, Lotus, BES, Certs)

Automated MDM Enrollment
Without ForeScout: Manual Effort
–User contacts help desk
–Help desk asks questions, determines device type and ownership
–Help desk denies request or sends user appropriate MDM enrollment information
–Helpdesk asks networking team to set policy exception allowing internet access to get the MDM app
–User enrolls device in MDM
–Helpdesk asks networking team to reset the policy exception
–Device accesses network
With ForeScout: Automation
–ForeScout discovers and categorizes device, authenticates user
–ForeScout automates MDM enrollment decision and provides information to user
–User enrolls device in MDM

ForeScout MDM – Full Featured
–SaaS for rapid implementation & easy management
–Mobile App Management
–Secure Document Sharing
–Easy Administration

ForeScout CounterACT: Basic Visibility and Control
Mobile devices are identified and categorized

ForeScout Mobile: Detailed Visibility and Control
Search the inventory for mobile apps and versions across the enterprise

ForeScout Mobile: Block Jailbroken

Unified Reporting

ForeScout Mobile: Remediation
–A variety of actions are available to manage, remediate and restrict mobile devices
–Multiple actions can be stacked together to provide even more control

The Benefits of ForeScout Integration
Automated Registration
–Device connects to network
  –Classify type
  –Check for mobile agent
–If agent is missing
  –Quarantine
  –Install agent
–When agent is activated
  –Check compliance
  –Allow access
  –Continue monitoring
(Diagram labels: ForeScout CounterACT; ForeScout MDM Powered by MaaS360; Your Enterprise Network)

Case Study – Project Phases
1. A pilot project, in which 200 IT staffers brought personally owned devices to work. This phase lasted for six months, during which time the project team refined the Web registration portal and addressed early minor product rollout issues.
2. The project team broadened the program with the goal of supporting 1,000 employee-owned devices.
–Employees in the information risk management, and the risk and compliance departments were chosen to be part of this phase.
–The primary focus of Phase 2 was to assess the end-user experience and the overall performance of the solution.
–A secondary goal was to define and monitor role-based access.
3. The goal of Phase 3 is to open the project to all employees and contractors in the company. By year-end 2014, the company expects that the project will grow to over 10,000 personally owned devices.

Case Study - Results
–Of those employees that use personally owned devices at work, approximately 80% have chosen to comply with corporate policies and install the required MDM agent and other software on their mobile devices.
–Those users that choose not to comply with the policy must register their devices at the guest portal on a daily basis, and are only allowed Internet access.
–Smartphones and tablets represent about 10% of the non-corporate devices.
–Contractor-owned and personally owned Windows laptops are the largest category, representing about 85% of the non-corporate devices on the network.
–Policy enforcement has gone relatively smoothly. For example, five employees reported that they lost their personally owned devices. According to the company policy, these devices were immediately wiped clean (the entire device; the company has not implemented containerization). The employees had signed waivers agreeing to the remote wipe policy.
–Because the policy was communicated clearly, the employees (grudgingly) accepted the fact that they lost personal content.
–The company did not add FTEs to support the BYOD initiative.
–The BYOD initiative has only resulted in additional endpoint growth of approximately 1%.

Why Customers Choose ForeScout
Easy to deploy
–Non-disruptive
–Interoperable, no infrastructure changes
–Integrated appliance and SaaS
Rapid time to value
–Complete visibility in hours or days
–100% coverage (no blind spots)
–Users, devices, systems, VMs, apps, mobile
Extensive range of automated controls
–Transparent, monitor only, relaxed or aggressive

Next Steps
Work with Conexsys to:
–Develop your BYOD plan
–Identify viable products to acquire to address your BYOD initiatives
–Conduct a Proof Of Concept of the various products
–Select your product
–Create a deployment plan
–Audit your product rollout

Thank You!