Throughwave Day 2015 - ForeScout Automated Security Control

Phatchara Maichandi
Presales Engineer
Throughwave (Thailand) Co., Ltd.

© 2014 ForeScoutTechnologies, Page 2
• Enterprise Security Trend
• ForeScout Capabilities
• ForeScout Integration
• BYOD Security
• Case Studies
• Conclusion

Corporate Resources
Antivirusout ofdate
Unauthorizedapplication
Agents not installedor
not running
Endpoints
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
Non-corporate
VM
Users
Applications
Network
Devices

• Complex architecture
• Requires reconfiguration and upgrade of existing switches
• Requires installation of endpoint agents
• Requires 802.1X
• Long drawn-out implementations
• Brittle, prone to disruption and breakage
Outdated NAC

Fast and easy deployment
– No infrastructure changes
or network upgrades
– No need for endpoint agents
– 802.1X is optional
– Integrated appliance
(physical or virtual)
Streamline and automate
existing IT processes
– Guest registration
– MDM enrollment
– BYOD onboarding
– Asset intelligence
Shift away from restrictive
allow-or-deny policies
– Flexible controls, based on
user and device context
– Preserve user experience
Integrate with other IT systems
– Break down information silos
– Reduce window of vulnerability
by automating controls & actions

Strong Foundation Market Leadership Enterprise Deployments
#1
• In business 13 years
• Campbell, CA
headquarters
• 200+ global channel
partners
• Independent Network
Access Control (NAC)
Market Leader
• Focus: Pervasive
Network Security
• 1,800+ customers worldwide
• Financial services, government,
healthcare, manufacturing,
retail, education
• From 100 to >1M endpoints
• From 62 countries around the
world

*Magic Quadrant for Network Access
Control, December 2014, Gartner Inc.
*This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from ForeScout. Gartner
does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research
publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any
warranties of merchantability or fitness for a particular purpose. Gartner "Magic Quadrant for Network Access Control,” Lawrence Orans and Claudio Neiva, December 10, 2014.

Device type, owner,
login, location
Applications,
security profile
Captures transient
users and devices
Real-time
Intelligence

Device and user-
specific policies
Mitigate OS,
configuration and
security risks
Start/stop
applications and
disable peripherals
Real-time
Intelligence
Granular
Controls

Real-time
Intelligence
Granular
Controls
Information Sharing
and Automation
Bi-directional
information exchange
Automated mitigation
and control
Enhanced
collaboration

See
Grant
Fix
Protect
Who and what are on your network?
Allow, limit or block
network access
Remediate Endpoint Systems
Block internal attack

Who are you? Who owns your
device?
What type of
device?
What is the
device hygiene?
• Employee
• Partner
• Contractor
• Guest
• Corporate
• BYOD
• Rogue
• Windows, Mac
• iOS, Android
• VM
• Non-user
devices
• Configuration
• Software
• Services
• Patches
• Security Agents
• Switch
• Controller
• VPN
• Port, SSID
• IP, MAC
• VLAN
Where/how are
you connecting?

Dynamic and Multi-faceted
DHCP
REQUESTS
AD, LDAP, RADIUS
SERVER
AGENT ACTIVE
DIRECTORY
MIRROR
TRAFFIC
NMAP SCAN

Complete Situational Awareness

Compliance Problems:
Agents, Apps, Vulnerabilities,
Configurations
See Devices:
Managed, Unmanaged, Wired,
Wireless,
PC, Mobile…

Filter Information By:
Business Unit,
Location,
Device Type…

See Device Details:
What, Where, Who,
Security Posture…

Site Summary:
Devices,
Policy Violations…

Modest Strong
Open trouble ticket
Send email notification
SNMP Traps
Start application
Run script
Auditable end-user
acknowledgement
Send information to external
systems such as SIEM etc.
HTTP browser hijack
Deploy a virtual firewall around
the device
Reassign the device to a VLAN
with restricted access
Update access lists (ACLs) on
switches, firewalls and routers to
restrict access
DNS hijack (captive portal)
Automatically move device to a
pre- configured guest network
Trigger external controls such as
endpoint protection, VA etc.
Move device to quarantine VLAN
Block access with 802.1X
Alter login credentials to block
access, VPN block
Block access with device
authentication
Turn off switch port (802.1X,
SNMP)
Install/update agents, trigger
external remediation systems
Wi-Fi port block
Alert / Allow Trigger / Limit Remediate / Block

• Visibility of corporate and
personal devices
• Network Access Control
– Identify who, what, where, when,
configuration, security posture
• Flexible policy controls
– Register guests
– Grant access (none, limited, full)
– Enforce time of day, connection
type, device type controls
• Block unauthorized devices
from the network
EMPLOYEE
CONTRACTOR
GUEST
UNAUTHORIZED
WEB EMAIL CRM

User Type
Limited Internal Access
Authenticate via
Contractor Credentials
BYOD Posture Check
Contractor/PartnerGuest
Internet Access
Guest Registration
Sponsor
Authorization
Personal Device Corporate Asset
Authenticate via
Corporate Credentials
BYOD
Posture Check
Internal Access
Corporate Asset
Posture Check
Employee

CORE
SWITCHES
ACTIVE
DIRECTORY
SCCM
ENDPOINT
PROTECTION
SIEM
VA
MDM
ATD
DATACENTER
REMOTE USERS VPN CONCENTRATOR
COUNTERACT
ENTERPRISE
MANAGER
SERVERFARM

DATACENTER
ACTIVE
DIRECTORY
SCCM
ENDPOINT
PROTECTION
SIEM
VA
MDM
ATD
COUNTERACT
ENTERPRISE
MANAGER
CORE
SWITCHES
SERVERFARM

CORE
SWITCHES
DATACENTER
COUNTERACT
ENTERPRISE
MANAGER
ACTIVE
DIRECTORY
SCCM
ENDPOINT
PROTECTION
SIEM
VA
MDM
ATD
CounterACT Deployed at the Core Layer
Management Port
Mirror Traffic

Switches & Routers
Network Devices
Endpoints
IT Network Services
Wireless
Firewall & VPN
Endpoint & APT Protection
Vulnerability Assessment
SIEM/GRC
MDM

• Visibility of all devices,
unmanaged & rogue
• Does not require agents
• Automate agent installation,
activation, update
• Quarantine and remediate
• Bi-directional integration
– Endpoint protection
– Vulnerability Assessment
– Advanced Threat Detection
– Patch management ForeScout

• ForeScout sends both low-level (who, what, where) and high-level (compliance status)
information about endpoints to SIEM
• SIEM correlates ForeScout information with information from other sources and
identifies risks posed by infected, malicious or high-risk endpoints
• SIEM initiates automated risk mitigation using ForeScout
• ForeScout takes risk mitigation action on endpoint
SIEM
Real-time Info
Correlate, Identify Risks
Initiate Mitigation
Remediate
Quarantine

Initiate Scan
Scan
Scan Results
Connect
Blockor
Allow
EndpointSwitch
Vulnerability
Assessment
System

Visibility
• Detection of virtual machines that are located in the wrong zone (e.g. port group)
• Detection of virtual machines that lack an up-to-date version of VMware tools
• Detection of peripheral devices (e.g. a physical USB drive) connected to a virtual
machine
• Detection of the hardware associated with each virtual machine
• Detection of the guest operating system running on each virtual machine

VMware vSphere VMware vSphere VMware vSphere
VMware vCenter Server
Manage
vSphere Distributed Switch
VMware Plugins
Mirror Traffic

Core Switch Virtual Environment
Server Virtualization
Virtual Desktop Infrastructure
Endpoint
• Mobile Phone
• Laptop
• PC Desktop
• Printer
• VOIP
Thin Client
Policy for Virtual
Policy for Physical Desktop
Policy for Thin Client
ForeScout

Web Services API LDAPSQL

• Mobility and BYOD are
transforming the enterprise
– Mobile device adoption
and diversity has exploded
– Enterprise perimeter becoming
more open and extended
– Over 60% of employees
use a personal device for work1
– Capabilities of consumer
technology meet or exceed
the features of IT-supplied assets
– Employees can purchase
and use mobile technology
faster than IT adoption cycles
1 Gartner, “Bring Your Own Device: The Facts and the Future”, April 2013, David A. Willis
1

Secure the Device Secure the Data Secure the Network
• Secure configuration
• Enforce passwords
• Control user actions
• Manage content & apps
• Protect privacy
• Remote wiping
Mobile Device
Management
(MDM)
• What is on my network?
• Control access
• Enforce security posture
MDM + MCM
+
VDI
Next-Generation
Network Access
Control (NAC)

• 100% visibility of all mobile devices,
including those not yet enrolled in
the MDM system
• Prevent unauthorized devices from
accessing the network.
• More highly automated MDM
enrollment process
• Real-time security posture
assessment upon network
connection
• Unified compliance reporting of all
network devices – Windows, Mac,
phones, tablets, etc. ForeScout CounterACT

) ) ) ) ) ) )

?

– Device connects to network
 Classify by type
 Check for mobile agent
– If agent is missing
 Quarantine device
 Install mobile agent
(HTTP Redirect)
– Once agent is activated
 Check compliance
 Allow policy-based access
 Continue monitoring
Enterprise
Network
MDM
MDM
1
2
3
Device can access to internal server
ForeScout
CounterACT

Device-based control Network-based control
Enterprise App Mgmt
(Distribution, Config)
Inventory
Management
Device Management
(App Inventory,
Remote Wipe, etc.)
Policy Compliance
(Jailbreak detection, PIN
lock, etc.)
Secure Data
Containers
Guest
Registration
Network Access Control
(Wireless, Wired, VPN)
Cert + Supplicant
Provisioning
Mobile + PC
Network Threat
Prevention
Visibility of
Unmanaged Devices

ต้องการระบบ Authentication สําหรับพนักงาน
ภายในองค์กรทั้งหมด โดยสามารถทําได้ทั้ง
ระบบ Wired และ Wireless ภายในอุปกรณ์ชุด
เดียว
• User ทําการ Authenticationผ่าน ForeScout
• ทํา MAC Authenticationให้กับผู้บริหาร
• ตรวจสอบ Antivirus Compliance
(Installed/Running)
• ส่ง HTTP Notification แจ้งเตือนเครื่องที่ไม่ติดตั้ง
Antivirus

ต้องการระบบ Authentication และระบบ
Hardware/Software Inventory ภายในอุปกรณ์ชุด
เดียว
• ทําระบบ BYOD
• User ทําการ Authentication ผ่าน ForeScout
• ใช้งานร่วมกับระบบ MDM
• ตรวจสอบ Endpoint Compliance
• Threat Prevention
• ประกาศข่าวสารผ่าน HTTP Notification

Corporate Resources
Endpoints
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
Non-corporate
VM
Users
Applications
Network
Devices
Antivirusout ofdate
Unauthorizedapplication
Agents not installedor
not running
ForeScout Continuous Monitoring and Mitigation

Endpoint
Mitigation
Endpoint
Authentication
& Inspection
Network
Enforcement
Information
Integration
Continuous
Visibility

Fast and easy to
deploy
Infrastructure
Agnostic
Flexible and
Customizable
Agentless and
non-disruptive
Scalable, no
re-architecting
Works with mixed,
legacy environment
Avoid vendor
lock-in
Optimized for
diversity and BYOD
Supports open
integration standards

SUITE OF
PACKAGED
SOFTWARE
INTEGRATION
MODULES
Vulnerability Assessment
Advance Threat Detection
SIEM (Bi-directional)
MDM
McAfee ePO
Open
(CustomerDevelopment)
FAMILY OF
APPLIANCE
MANAGERS
Asingle appliance to handle
up to # of ForeScout
appliances
5
10
25
50
100
150
200
Virtual appliances are also
available.
FAMILY OF
APPLIANCES
Asingle appliance to handle
up to # of endpoints
Endpoints
100
500
1,000
2,500
4,000
10,000
Virtual appliances are also
available.

Choose ForeScout when you need…
• Hardware & Software Inventory
• Network Access Control
• BYOD Security
• Guest Networking
• Endpoint Compliance
• Threat Prevention
CT- 4000
CT-R
CT-100
CT-1000
CT-2000

Throughwave Day 2015 - ForeScout Automated Security Control

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Throughwave Day 2015 - ForeScout Automated Security Control

Similar to Throughwave Day 2015 - ForeScout Automated Security Control (20)

More from Aruj Thirawat

More from Aruj Thirawat (17)

Recently uploaded

Recently uploaded (20)

Throughwave Day 2015 - ForeScout Automated Security Control