
Transcript of Wallace Sann

Page 1: Wallace Sann

© 2013 ForeScout Technologies, Page 1

Wallace Sann | CISSP-ISSEP, CIPP/G, Director of Systems Engineering

Complete Visibility for Endpoint Compliance and SIEM Incident Response

April 23, 2013

Page 2: Wallace Sann

About ForeScout

ForeScout is the leading global provider of real-time network security solutions for Global 2000 enterprises and government agencies.

Large Deployments
• Financial institutions, government…
• Scalability - 1M+ endpoints

Federal Validation
• NIAP CC EAL 4+
• DISA UC APL
• FIPS 140-2

At a Glance

• Founded in 2000, 160+ employees, HQ in Cupertino, CA

• Global company, customers, support

• Dominant independent vendor of Network Access Control (NAC)

• BYOD, endpoint compliance and cloud fueling growth

*Magic Quadrant for Network Access Control, December 2012, Gartner Inc.

**Forrester Wave Network Access Control, Q2-2011, Forrester Research

***Analysis of the NAC Market,February 2012, Frost & Sullivan

Page 3: Wallace Sann

Over 1400 Enterprise Deployments

Austrian Post AG

Page 4: Wallace Sann

ForeScout Offerings

ForeScout Automated Security Control Platform

Interoperable
Scalable
Agentless
Knowledgebase

Network Access Control
• 802.1X, VLAN, ACL
• Block unauthorized users and devices
• Register guest

Endpoint Compliance
• Find and fix security gaps
• Enterprise toolset integrations
• Incident Response
• Infrastructure agnostic

Mobile Security
• Enable BYOD
• Unified Visibility & Control
• Dual Protection
• Integrate MDM

Visibility
• Clientless
• Built-in profiling
• HW/SW Inventory
• Who, what, when, where

Page 5: Wallace Sann

Access is more dynamic… Threats are broader, faster and more complex…


Common Organizational Assumptions

① Visibility on all network endpoints

② Managed all access to network resources

③ Wireless security is uniform

④ All host based protection is active

⑤ Configurations are locked / tracked

⑥ Logging is always maintained

⑦ Contractor access is limited

⑧ Preempt unwanted apps

⑨ All data leakage monitored

⑩ BYOD is ok… guest network or MDM

Extended Network & Dynamic Threats

Page 6: Wallace Sann

Endpoints

Network Devices

Applications

Government Resources

Host config. issue… Unwanted application… Patch / host security agent not installed…

Little Protection Possible / Visible

Users

Non-GFE

Protection Possible

Visibility and Control Gaps

Page 7: Wallace Sann

CounterACT: Continuous Monitoring & Remediation Proven Platform for Real-time Visibility and Automated Control

Port-based Enforcement [With or without 802.1x]

Natively or with 3rd party Integration

Incident Response
Compliance Dashboard

Complete Visibility

Enforcement / Remediation

McAfee ESM

Host Inspection & McAfee ePO

Device Discovery, Profiling [HW/SW USER LOC ...]

Fully functional clientless interrogation of endpoints

Continuous Monitoring

Challenge
• Asset visibility

• Access and threat dynamics

• Endpoint and infrastructure diversity

• Port authentication and control

• STIG, IAVA and CCRI difficulty

Solution
• Pre-admission user/device authentication and authorization

• Continuous endpoint diagnostics, posture assessment and mitigation

• Port-based control and broad device policy enforcement

• Infrastructure agnostic, interoperable, scalable, works with enterprise tool sets

Page 8: Wallace Sann

Bridges the Gap with Enterprise Tool Sets

PATCH MGMT, VA, ESM

MDM/BYOD

ePO

ASSET MGMT

Linux / Unix / MAC / Windows / iOS / Android / all applications

Users, Computers, Servers, Switches, Printers, VoIP Devices, USB Devices, Mobile Devices, All Other Devices

Port Based Security and Authentication with or without 802.1X

VPN, Direct Access

Page 9: Wallace Sann

ForeScout CounterACT in Action
Rapid implementation, accelerated time-to-value, automation

① Port-control DISA-STIG adherence
– Visibility and control without disrupting user experience
– 802.1X & Non-802.1X control with assured rollout

② Independent verification and validation
– Automate: detect, classify, report on all non-compliant devices
– Reduce manual expense: ticketing, investigation and audit

③ Asset intelligence, HBSS Deployment, CCRI, IAVA
– Dynamically see and resolve host agent, config. and security gaps
– Rich integration: McAfee ePO, SIEM, data source …
– Real time Situational Awareness of all endpoints connected to or attempting to connect to a DOD enclave
– Medical device detection, classification and isolation

④ Personal and rogue device mitigation
– Classify, block, limit mobile devices: Smartphone, tablet, WAP…
– No CERT ticket issued, no manual response, full port control

Page 10: Wallace Sann

ForeScout CounterACT Certified Integration with McAfee ePO & EPP

McAfee ePO Integration

• Certified integration with ePO

• Rogue System Detection (RSD) sensor – network admission events

• CounterACT real-time inspection informs ePO

• Endpoint protection policy assurance

• Fortifies HBSS compliance

Page 11: Wallace Sann

Enterprise Tool Sets - HBSS

HBSS Framework Implementation status

Page 12: Wallace Sann

McAfee ESM Integration

Event sources feeding the SIEM:
Routers: network events
Security Devices: FW, IPS/IDS, VPN events
DLP / Other Sources: privacy violations
AV logs, system events
Database, App. events
Endpoints + BYOD

1. ForeScout sends both low-level (who, what, where) and high-level (compliance status) information about endpoints to the SIEM

2. SIEM correlates ForeScout information with information from other sources and escalates threat level of incidents when the end-point is non-compliant

3. SIEM provides LOB based compliance dashboards/reports

4. SIEM initiates automated remediation action using ForeScout

5. ForeScout takes remediation action on endpoint
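As an added example (not ForeScout's or McAfee's code) of the five-step loop on this slide and of the "correlated event triggers CounterACT response" idea on the next one, here is a small Python model of the SIEM side of that loop: an asset index built from the step-1 endpoint data, correlation that raises the threat level of an event when its source endpoint is non-compliant or unknown to the NAC (step 2), the per-issue counts a compliance dashboard would show (step 3), and the remediation requests handed back to the NAC and the actions it records (steps 4 and 5). All field names, the 1-10 severity scale, the escalation amounts and the action names are assumptions, and the endpoint records and events are constructed sample data.

```python
# Added example, not ForeScout's or McAfee's code: a minimal model of the
# NAC -> SIEM -> NAC loop. Field names, severity scale and action names are
# assumptions; the records below are constructed sample data.
from collections import defaultdict

# Step 1: what the NAC sends to the SIEM about each endpoint: low-level facts
# (who, what, where) plus the high-level compliance verdict.
NAC_RECORDS = [
    {"ip": "10.1.5.23", "user": "jdoe", "os": "Windows 7",
     "location": "sw-bldg2-01 Gi1/0/14", "compliant": True, "issues": []},
    {"ip": "10.1.5.77", "user": "contractor3", "os": "Windows XP",
     "location": "sw-bldg2-01 Gi1/0/22", "compliant": False,
     "issues": ["HBSS agent not installed", "IAVA patch missing"]},
    {"ip": "10.1.9.40", "user": None, "os": "Android",
     "location": "wlc-01 ssid:corp", "compliant": False,
     "issues": ["unmanaged BYOD device"]},
]

# Events the SIEM already collects from other sources (IDS, firewall, AV).
# Severity is on an assumed 1-10 scale.
OTHER_EVENTS = [
    {"src": "10.1.5.23", "source": "ids", "summary": "outbound scan signature", "severity": 4},
    {"src": "10.1.5.77", "source": "ids", "summary": "outbound scan signature", "severity": 4},
    {"src": "10.1.9.40", "source": "fw", "summary": "denied connection to database subnet", "severity": 3},
    {"src": "10.1.12.9", "source": "av", "summary": "malware quarantined on host", "severity": 5},
]

ESCALATION = 3       # added when the NAC reports the endpoint as non-compliant
UNKNOWN_PENALTY = 2  # added when the NAC has no record of the source at all
REMEDIATE_AT = 7     # severity at which the SIEM asks the NAC to act


def index_by_ip(records):
    """Asset index the SIEM keeps from the step-1 data, keyed by endpoint IP."""
    return {r["ip"]: r for r in records}


def correlate(events, assets):
    """Step 2: enrich each event with NAC context and raise its threat level
    when the endpoint is non-compliant (or unknown to the NAC)."""
    incidents = []
    for ev in events:
        ep = assets.get(ev["src"])
        severity = ev["severity"]
        if ep is None:
            severity += UNKNOWN_PENALTY
            reason = "no NAC record for source address"
        elif not ep["compliant"]:
            severity += ESCALATION
            reason = "non-compliant endpoint: " + "; ".join(ep["issues"])
        else:
            reason = "compliant endpoint"
        incidents.append({
            "ip": ev["src"], "source": ev["source"], "summary": ev["summary"],
            "severity": min(severity, 10),
            "user": ep["user"] if ep else None,
            "location": ep["location"] if ep else None,
            "reason": reason,
        })
    return incidents


def compliance_dashboard(assets):
    """Step 3: per-issue endpoint counts a compliance dashboard would show."""
    counts = defaultdict(int)
    for ep in assets.values():
        for issue in ep["issues"]:
            counts[issue] += 1
    return dict(counts)


def remediation_requests(incidents, threshold=REMEDIATE_AT):
    """Step 4: pick the incidents that warrant an automated NAC action.
    'quarantine' and 'alert-only' are assumed action names; a source the NAC
    has no location for cannot be acted on at the port, so it only alerts."""
    requests = []
    for inc in incidents:
        if inc["severity"] < threshold:
            continue
        action = "quarantine" if inc["location"] else "alert-only"
        requests.append({"ip": inc["ip"], "action": action, "severity": inc["severity"]})
    return requests


def apply_remediation(requests, assets):
    """Step 5: the NAC acts on the endpoint; here recorded as a log of actions."""
    log = []
    for req in requests:
        ep = assets.get(req["ip"])
        where = ep["location"] if ep else "unknown"
        log.append(f"{req['action']} {req['ip']} at {where} (severity {req['severity']})")
    return log


if __name__ == "__main__":
    assets = index_by_ip(NAC_RECORDS)
    incidents = correlate(OTHER_EVENTS, assets)
    for inc in incidents:
        print(inc["ip"], inc["severity"], inc["reason"])
    print(compliance_dashboard(assets))
    print(apply_remediation(remediation_requests(incidents), assets))
```

The point the model makes is the one on the slide: the same IDS signature from a compliant host and from a host missing its HBSS agent gets different severities, and only the latter crosses the remediation threshold. A source with no NAC record at all is also escalated, because an unseen device is itself one of the visibility gaps listed earlier in the deck.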

Page 13: Wallace Sann

ForeScout + McAfee = Wirespeed Incident Response

McAfee ESM Correlated Event, Triggers CounterACT Response

Page 14: Wallace Sann

Centralized Deployment

Page 15: Wallace Sann

Decentralized Deployment

Page 16: Wallace Sann

Enterprise Deployment

Page 17: Wallace Sann

Visibility then Control

Crawl / Walk / Run

Crawl
• Deployment
• Discovery
• RBAC & administration
• HBSS client issues
• 802.1X issues
• A/V issues
• IAVA scanning
• Reporting/Notifications
• Monitoring

Walk
• Authentication
• Remediation
• Access Control
• Integrate with ePO
• Integrate with SIEM
• Asset Management
• Mobile policies
• Block rogue device
• Custom Scripts

Run
• Full enforcement
• Actions from ePO
• Actions from SIEM
• Asset management using authentication
• Adv custom scripts
• Integrate with MDM
• Integrate with other GOTS & COTS products

Immediate ROI

Flexible to meet Mission and Security Requirements
Coordination - Training - Documentation

Page 18: Wallace Sann

Continuous Compliance Case Study: Financial Institution

Business Problem
• No real-time network intelligence: who/where/what endpoints, users, AP
• Material gap on endpoints and network devices compliance
• No control over corrupted, inactive or non-existent endpoint agents
• Slow response: can’t quickly and easily identify, isolate and remediate

McAfee ESM/ePO
• Dashboards: assets, violations, incidents, threats
• Enterprise-wide policy, event correlation & log management
• On-demand incident and compliance reporting per LOB
• ESM correlated events trigger NAC to isolate or resolve issue

ForeScout CounterACT Network Access Control
• Real-time visibility: all users / devices / apps / rogue devices
• Asset profiles, access, violations and actions sent to SIEM
• Automated remediation of endpoint security and configuration agents
• Works with existing McAfee ePO, ESM and endpoint protection products

Benefits

• Enterprise threat visibility

• Reduced business risk

• More responsive security

• Operational efficiency

• Automated remediation

• Endpoint compliance

• Demonstrable GRC gain


Page 19: Wallace Sann

Continuous Compliance, Remediation

NAC Accelerates IT-GRC Automation

Visibility

• Greater Threat Dynamics and Response Impact

• Requires full visibility in real-time.

• Network asset intelligence: Who, What, Where.

Automation

• Next-Gen NAC Closes Operational Gaps

• Automate authentication

• Automate compliance verification and remediation

• Automate access control.

Interoperability

• Demonstrable IT-GRC Value

• Increases situational awareness

• Increases IT / security responsiveness

• Effectuates GRC policy

Page 20: Wallace Sann

ForeScout CounterACT Advantages

• Easy to use and deploy with low TCO
Hybrid 802.1X/agentless approach; works within existing/legacy environment
Easy, centralized administration; high availability, scalable, non-disruptive

• Real-time situational awareness
All users, devices, applications - infrastructure agnostic
Wired & wireless - managed & rogue - VMs, PC, mobile & embedded

• Rapid results and time-to-value
Broad application: Comply to Connect, STIG, Command Cyber Readiness Inspection (CCRI), IAVA, HBSS assurance

• Flexible control with bi-directional intelligence
Extensible templates and controls with robust SIEM, HBSS, CMDB and directory integration

Page 21: Wallace Sann

Resources / Q&A

• Learn more about ForeScout CounterACT and McAfee-ForeScout joint solutions

http://www.forescout.com/support2/resources/

ForeScout, McAfee ESM solution brief

ForeScout, McAfee ePO solution brief

* This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

** The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

*** Frost & Sullivan chart from the 2012 market study “Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth”, base year 2011, n=20

Page 22: Wallace Sann

Questions?

Page 23: Wallace Sann

CounterACT Product Family

Model               CTR        CT-100     CT-1000    CT-2000    CT-4000            CT-10000
Concurrent Devices  100        500        1000       2500       4000               10000
Bandwidth           100 Mbps   500 Mbps   1 Gbps     2 Gbps     4 Gbps or 10 Gbps  4 Gbps or 10 Gbps
VLAN Support        Unlimited  Unlimited  Unlimited  Unlimited  Unlimited          Unlimited

Model               VCTR       VCT-100    VCT-1000   VCT-2000   VCT-4000   VCT-10000
Concurrent Devices  100        500        1000       2500       4000       10000
CPU                 1          2          2          2          4          10
RAM / HD Space      1GB/80GB   1.5GB/80GB 2GB/80GB   4GB/80GB   6GB/80GB   16GB/80GB