
May 2015 Toni Buhrke, Director Systems Engineering.


1 May 2015 Toni Buhrke, Director Systems Engineering

2 © 2015 ForeScout Technologies, Page 2
Source: 2014 Global State of Information Security Survey, PwC
Source: 2014 IDG Connect Cyber Defense Maturity Report
Source: Ponemon Institute, 2014: $7.6 million per year per enterprise
Source: Wall Street Journal, December 10, 2014: “Sony breach could cost $100 million”

3 Why?

4 Source: Research study by Tenable, Inc; February 2014

5 Transient Devices / BYOD Devices / Broken Managed Devices

6 Sources:
1) Mandiant, “M-Trends 2013: Attack the Security Gap”
2) Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks”, Neil MacDonald and Peter Firstbrook, February 2014

7 “The average time to contain a cyber attack was 31 days….”
Source: “2014 Global Report on the Cost of Cyber Crime”, Ponemon Institute, October 2014.

8 (Diagram labels: MDM, APT, VA, NAC)
“I just detected an IoC on a device with IP address 10.4.9.132.”
“I can limit the network access of any device immediately.”
“I can scan other devices on the network to see if they may be vulnerable.”

9
Who are you? Employee, Partner, Contractor, Guest
Who owns your device? Corporate, BYOD, Rogue
What type of device? Windows, Mac, iOS, Android, VM, Non-user devices
What is the device hygiene? Configuration, Software, Services, Patches, Security Agents
Where/how are you connecting? Switch, Controller, VPN, Port, SSID, IP, MAC, VLAN

10 “Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring.”
Gartner Security and Risk Management Summit presentation, “Preparing for Advanced Threats and Targeted Attacks”, Kelly Kavanaugh, June 2014
“A properly configured and patched endpoint will be immune to a large majority of malware attacks, freeing security professionals to focus on more sophisticated attacks that don't rely on misconfigured or vulnerable systems.”
Gartner, “Malware Is Already Inside Your Organization; Deal With It”, February 2014, Peter Firstbrook and Neil MacDonald

11 ForeScout and FireEye work together to detect compromised endpoints and respond quickly to prevent threat propagation and data breaches

12
1. Gain real-time visibility
2. Reduce endpoint risks and attack surface
3. Detect and block advanced threats
4. Expedite response to security breaches
–Network – quarantine device
–Endpoint – confirm and kill malicious processes

13
1. Visibility: Discovery and inspection - who, what, where; managed, unmanaged, corporate, BYOD, rogue
2. Access Control: Flexible policies - allow, alert, audit, limit, block; 802.1X, VLAN, ACL, virtual firewall, hybrid-mode
3. Onboarding: Guest management and BYOD onboarding; automated MDM enrollment
4. Interoperability: Works with your existing IT infrastructure; ControlFabric open integration architecture
5. Easy Deployment: Fast implementation, agent-less, all-in-one appliance; multi-vendor environments, no upgrades needed

14 Multiple methods: dynamic and multi-faceted
Poll switches, APs and controllers for the list of devices that are connected
Receive SNMP traps from switches
Monitor 802.1X requests to the built-in or external RADIUS server
Monitor DHCP requests to detect when a new host requests an IP address
Optionally monitor a network SPAN port to see network traffic such as HTTP traffic and banners
Run an NMAP scan
Use credentials to run a scan on the endpoint
Use optional agents
(Diagram labels: SNMP traps, RADIUS server, DHCP requests, user directory)

15 (Network diagram labels: Guest LAN, Corporate LAN, Internet, Firewall, VPN concentrator, core layer switch, VPN clients, AD / LDAP / RADIUS / DHCP, distribution layer switch, internal / external)
WHO? User name, email, title, groups
WHAT? OS, browser, agent, ports, protocols
POSTURE? Apps, services, processes, versions, registry, patches, encryption, antivirus
WHERE? MAC address, IP address, switch IP, controller IP, port / SSID / VLAN

16
Device: Type of device, manufacturer, location, connection type, hardware info
Authentication: MAC and IP address, certificates, user name, authentication status, workgroup, email and phone number
Operating System: OS type, version number, patch level, services and processes installed or running, registry, file names, dates, sizes
Security Agents: Anti-malware/DLP agents, patch management agents, encryption agents, firewall status, configuration
Applications: Installed, running, version number, registry settings, file sizes
Peripherals: Type of device, manufacturer, connection type
Network: Malicious traffic, rogue devices

17 Complete Situational Awareness

18 Complete Situational Awareness
See All Devices: Managed, Unmanaged, Wired, Wireless, PC, Mobile…

19 Complete Situational Awareness
Filter Information By: Business Unit, Location, Device Type…

20 Complete Situational Awareness
See Device Details: What, Where, Who…

21 Complete Situational Awareness
Site Summary: Devices, Categories…

22 Response actions, from modest to strong (Alert / Allow, Trigger / Limit, Remediate / Block):
Open trouble ticket
Send email notification
SNMP traps
Start application
Run script
Auditable end-user acknowledgement
Send information to external systems such as SIEM etc.
HTTP browser hijack
Deploy a virtual firewall around the device
Reassign the device to a VLAN with restricted access
Update access lists (ACLs) on switches, firewalls and routers to restrict access
DNS hijack (captive portal)
Automatically move device to a pre-configured guest network
Trigger external controls such as endpoint protection, VA etc.
Move device to quarantine VLAN
Block access with 802.1X
Alter login credentials to block access, VPN block
Block access with device authentication
Turn off switch port (802.1X, SNMP)
Install/update agents, trigger external remediation systems
Wi-Fi port block

23 Visibility of corporate and personal devices
Automated onboarding
–Identify device
–Identify user
–Assess compliance
Flexible policy controls
–Register guests
–Grant access (none, limited, full)
–Enforce time of day, connection type, device type controls
Block unauthorized devices from the network
(Diagram labels: Employee, Contractor, Guest, Unauthorized; Web, Email, CRM)


25
Device: Manufacturer, model, hardware properties, user, ownership
Configuration: Password policy, jailbroken or rooted
Operating System: OS type, version number, patch level, services, processes installed or running, registry settings
Applications: Installed or running, required apps, blacklisted apps, version numbers, legacy applications, file dates and sizes
Peripherals: Peripheral type, manufacturer, configuration, port, connection type
Security Agents: Anti-malware status, anti-virus up-to-date, DLP status, firewall status, patch management, encryption status

26
User Communication: Send email, send to web page, open help desk ticket, communicate policies, self-remediation
Operating System: Install patch, configure registry, start, stop, disable process or service, trigger external remediation system
Applications: Update application, set configuration, start required application, stop blacklisted or legacy application
Network/Peripherals: Quarantine, restrict network access, disable peripheral, disable USB ports
Security Agents: Install agent, start agent, update agent, update configuration, trigger external remediation service

27 ActiveResponse™
Signature-less IPS technology
No prior knowledge of vulnerability or exploit required
Doesn’t impact legitimate traffic
No tuning or maintenance
Detect: Reconnaissance, unexpected behavior, worms, zero-day threats
Respond: Quarantine or block malicious and infected hosts

28 First infection might have already occurred
–Suspicious content may have executed on the endpoint in parallel with detection
–As a result the first endpoint might already be infected (patient zero)
–Internal propagation might already have started from that first endpoint
FireEye may not detect all infected/compromised endpoints
–Endpoints pre-infected on public networks
–Infection pathways such as USB drives
FireEye has limited threat mitigation capabilities
–It may be able to block callback to the C&C (if FireEye NX is deployed inline)
–No quarantining capabilities for endpoints
–No remediation of endpoints

29
1. Pre-infected system connects to network, tries to call home
2. FireEye blocks callback
3. FireEye alerts ForeScout of infected system & indicators of compromise (IOC)
4. ForeScout isolates the infected system to prevent infection propagation
5. ForeScout scans other endpoints on the network for presence of the same IOC/infection, isolates them and takes other risk mitigation actions
(Diagram labels: Internet, Firewall, Switch, Infected system)

30
1. Malware or APT downloaded from the Internet
2. FireEye examines payload, detects possible malware
3. FireEye alerts ForeScout of possible infection and indicators of compromise (IOC)
4. ForeScout isolates the endpoint
5. ForeScout inspects endpoint to confirm infection and remediates if necessary (e.g. block malicious code from running)
6. ForeScout scans other endpoints on the network for presence of the same IOC/infection, isolates them and takes other risk mitigation actions
(Diagram labels: Internet, Firewall, Switch, Endpoint, Attacker)
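The alert-to-sweep loop of slides 29 and 30 (and the patient-zero caveat of slide 28), as an added example that is not part of this deck or of ForeScout's or FireEye's product code: the endpoint inventory, the IOC fields, the switch-port names and the hosts other than 10.4.9.132 (the address quoted on slide 8) are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    """One host as a NAC inventory would know it (constructed data, not product output)."""
    ip: str
    user: str
    switch_port: str                      # where the host connects; the handle used for isolation
    processes: set = field(default_factory=set)
    file_hashes: set = field(default_factory=set)
    dns_queries: set = field(default_factory=set)

# Constructed inventory: 10.4.9.132 is the address quoted on slide 8, the rest is hypothetical.
INVENTORY = [
    Endpoint("10.4.9.132", "jdoe", "sw1:Gi1/0/7", {"svchost.exe", "updsvc.exe"},
             {"sha256-aa11"}, {"cdn-update.example"}),
    Endpoint("10.4.9.140", "asmith", "sw1:Gi1/0/9", {"explorer.exe"}, {"sha256-bb22"}, set()),
    Endpoint("10.4.9.151", "guest01", "sw2:Gi1/0/3", {"updsvc.exe"}, {"sha256-aa11"}, set()),
]

def matches_ioc(ep, ioc):
    """Slide 30 step 5: confirm on the endpoint that at least one IOC field is really present."""
    return (ioc.get("sha256") in ep.file_hashes
            or ioc.get("process") in ep.processes
            or ioc.get("c2_domain") in ep.dns_queries)

def actions_for(ep, ioc):
    """Network action first (quarantine), then an endpoint action if the process is running."""
    acts = [("quarantine", ep.ip, ep.switch_port)]
    if ioc.get("process") in ep.processes:
        acts.append(("kill_process", ep.ip, ioc["process"]))
    return acts

def respond_to_alert(inventory, alert):
    """Steps 3-6: isolate the reported host, then sweep every other host for the same IOC."""
    ioc = alert["ioc"]
    # The reported host is isolated on the alert alone: it may already be patient zero (slide 28).
    actions = [a for ep in inventory if ep.ip == alert["ip"] for a in actions_for(ep, ioc)]
    # Every other host is isolated only when the IOC is confirmed on it; the sweep still runs
    # when the reported IP is not in the inventory (host already left or was never seen).
    for ep in inventory:
        if ep.ip != alert["ip"] and matches_ioc(ep, ioc):
            actions.extend(actions_for(ep, ioc))
    return actions

if __name__ == "__main__":
    alert = {"ip": "10.4.9.132", "ioc": {"sha256": "sha256-aa11", "process": "updsvc.exe",
                                          "c2_domain": "cdn-update.example"}}
    for action in respond_to_alert(INVENTORY, alert):
        print(action)
```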

31 IOC detected by FireEye: Quarantine System, Automate Mitigation Actions, Scan Other Systems

32 FireEye alone
Identifies the threat but takes no action (may block callback if inline)
Lacks context: who is the user, what machine, how are they connected
Cannot scan, identify and quarantine all infected endpoints after report of a breach
FireEye with ForeScout CounterACT™
Identify the threat
Quarantine infected hosts to prevent callbacks and threat propagation
Take remediation and risk mitigation actions on infected hosts
Scan an entire organization for the IOC identified by FireEye

33 For existing ForeScout customers (who add FireEye)
–Superior discovery of APTs, malware, spear phishing, zero-day and other cyber threats
–FireEye supplements ForeScout’s ActiveResponse™ technology
For existing FireEye customers (who add ForeScout CounterACT)
–Faster response to security breaches: automated endpoint quarantine, automated endpoint remediation
–Detect and block internal threat propagation
–More complete visibility to endpoints and risks on the network
–Reduced enterprise risk by ensuring that all endpoints have complete and up-to-date security defenses and are properly patched

34 Easy to use
–802.1X not mandatory
–Non-intrusive, audit-only mode
–No agents needed (dissolvable or persistent agent can be used)
Fast and easy to deploy
–All-in-one appliance
–Out-of-band deployment
–No infrastructure changes or network upgrades
–Rapid time to value – unprecedented visibility in hours or days
–Physical or virtual appliances
Ideal for multi-vendor, heterogeneous network environments

35
Strong Foundation: In business 13 years; Campbell, CA headquarters; 200+ global channel partners
Market Leadership: #1 independent Network Access Control (NAC) market leader; focus: pervasive network security
Enterprise Deployments: 1,500+ customers worldwide; financial services, government, healthcare, manufacturing, retail, education; from 500 to >1M endpoints

36
**NAC Competitive Landscape, April 2013, Frost & Sullivan
*Magic Quadrant for Network Access Control, December 2013, Gartner Inc.
*This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner, Inc., "Magic Quadrant for Network Access Control," Report G00249599, December 12, 2013, Lawrence Orans.
**Frost & Sullivan 2013 report NC91-74, "Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth", chart base year 2012.
