ForeScout Technologies Ayelet Steinitz, Product Manager April, 2003

The Problem Constant New Threats and Vulnerabilities Current Solutions Not Sufficient Reactive Solutions Incur False Positives Reactive Solutions Miss Unknown Attacks Do not allow for automatic action Inherent Window of Vulnerability High Maintenance and TCO

A New Approach to Network Security Proven IntentAnalysisPolicy Protect By.. Key Issues Identify attacker intent Stop attacker from reaching network Proactive Pattern recognition By Anomaly Forensics Reactive Access list by services offered Characteristics Low Cost Low Complexity Dynamic High Cost To Update To Manage Low Cost Defined Policy Static Cost to Maintain Accurate Confident to act. If ActiveScout identifies a Bad Guy: It’s a BAD GUY! False Positives Not confident to take automatic action Accurate Does exactly what you told it to do! Accuracy (False Positives) ActiveScoutIDS / IPSFirewall Product

Knowledge: Mandatory Requirement Knowledge is needed 100% of the time Social Engineering Password Snare Networking Public Domain Server Web Server Reconnaissance 20 types Precedes Majority of Attacks

Knowledge: Mandatory Requirement Knowledge is needed 100% of the time Social Engineering Password Snare Networking Public Domain Server Web Server Reconnaissance 20 types Precedes Majority of Attacks

Most network attacks are preceded by reconnaissance activity to determine available services and network resources. AttackerInternetRouter FirewallEnterprise Typical Attack Process

The network sends information about available hosts and services in response to the reconnaissance. AttackerInternetRouter FirewallEnterprise Typical Attack Process

With this information, the attacker utilizes existing or new exploits to break into the network. AttackerInternetRouter FirewallEnterprise Typical Attack Process

ActiveScout Intrusion Prevention ActiveScout identifies all reconnaissance used by a potential attacker. AttackerInternetRouter FirewallEnterprise Scout Site Manager

ActiveScout watches the network’s response, and sends its own unique information to the potential attacker. This unique information, or ‘mark’, is not distinguishable from the network’s legitimate response. AttackerInternetRouter FirewallEnterprise Scout Site Manager ActiveScout Intrusion Prevention

When the attacker uses the mark to launch an exploit, ActiveScout accurately identifies it and can actively block the attacker. AttackerInternetRouter FirewallEnterprise Scout Site Manager ActiveScout Intrusion Prevention

Growing Risk of Unknown Attacks Q1 thru Q3 Only Vulnerability increase of 5000% from 1995 to 2001 Source: CERT Coordination Center, 2002 New Vulnerabilities 89% of corporations successfully attacked had firewalls, 60% had Legacy IDSes. Source: CSI/FBI 2002 Report

The ActiveScout Difference Difference #1 Difference #2 Difference #3 Difference #4 Blocks Unknown Attacks Minimal Cost Of Prevention Instantaneous Prevention 100% Accurate (no false positives, confidence to block)

The ActiveScout Difference Difference #1 Difference #2 Difference #3 Difference #4 Minimal Cost Of Prevention Instantaneous Prevention 100% Accurate (no false positives, confidence to block) Blocks Unknown Attacks

Time to Prevention Without ActiveScout Protection available New vulnerabilities (hundreds/month) Exploit is known to security community Spida spreads Spida detected Protection offered Time New Vulnerabilities Window of Vulnerability Time to Protection – Days/Weeks/Months/Never?

Time Spida spreads Spida detected Protection offered Protection available Exploit is known to security community New Vulnerabilities New vulnerabilities (hundreds/month) Time to Protection – Immediate Window of Vulnerability – Zero Instantaneous Prevention With ActiveScout

State of Security Today Intranet Security Internet Intranet Security Myriad of security products (HIDS, NIDS, anti-virus)

State of Security Today Firewall Intranet Security Internet Firewall Provides robust static prevention according to predefined policies Intranet Security Myriad of security products (HIDS, NIDS, anti-virus)

Firewall ActiveScout ActiveScout Prevents intrusions from known and unknown threats in front of the firewall Intranet Security Instantaneous Prevention Firewall Provides robust static prevention according to predefined policies Intranet Security Myriad of security products (HIDS, NIDS, anti-virus) Internet

The ActiveScout Difference Difference #1 Difference #2 Difference #3 Difference #4 Minimal Cost Of Prevention Instantaneous Prevention Blocks Unknown Attacks 100% Accurate (no false positives, confidence to block)

ActiveScout Minimal Cost of Prevention Legacy Systems ActiveScout Action Analysis of alerts Correlation analysis Policy tuning Fix the damage Installation Software updates Signature updates Write your own signature $$$$$$$$$$Investment

The ActiveScout Difference False Alarm RateTime to PreventionCost of Prevention 30%-60% 0% Days, Months, Years $$$$$$$ 0% $ Conventional Systems Conventional Systems Conventional Systems ActiveScout

ForeScout’s Intrusion Prevention Solutions ActiveScout Site Solution Precisely identifies and then blocks attackers at a single internet access point with zero false alarms. ActiveScout Enterprise Solution Precisely identifies and then blocks attackers with zero false alarms across a large enterprise. Enterprise Manager ׀Provides centralized management of all Scouts deployed Enterprise Heads-Up ׀Thwarts the rapid spread of attacks from one internet access point to the next.

. Internet Scout Site Manager Router Enterprise Firewall ActiveScout Site Solution Intrusion Prevention for Each Internet Access Point

ActiveScout Enterprise Solution Protects an entire enterprise Centralized viewing of all attack activity around the world Centralized management of groups of Scouts Ability to push new software updates to remote Scouts

Internet Scout Management Server Enterprise Manager Site Manager ActiveScout Enterprise Solution Intrusion Prevention for Multiple Internet Access Points Scout

Enterprise Heads-Up Enterprise deployments only Immediate sharing of threat information across multiple Scouts to assure proactive prevention across the enterprise Provides the fastest way to protect from new attacks traversing the internet

Enterprise Heads-Up Step 3. San Francisco Scout ready to block attacker Step 1. Attacker detected by New York Scout Step 2. Attack information immediately sent to Management Server New York San Francisco Management Server

Summary Accurate Identification Zero False Positives Block Known and Unknown Attacks Instantaneous Prevention Minimal Cost of Prevention

ForeScout Technologies, Inc Campus Drive, Suite 115 San Mateo, CA (650) Ayelet Steinitz Product Manager, ActiveScout Tel. (650)