Paul Cochran - Account Manager. Chris Czerwinski System Engineer

Transcription

1 Paul Cochran - Account Manager Chris Czerwinski System Engineer

2 Next-Generation NAC Fast and easy deployment No infrastructure changes or network upgrades No need for endpoint agents 802.1X is optional Integrated appliance (physical or virtual) Shift away from restrictive allow-or-deny policies Flexible controls, based on user and device context Streamline and automate existing IT processes Guest registration MDM enrollment BYOD onboarding Asset management Integrate with other IT systems Break down information silos Reduce window of vulnerability by automating controls & actions

3 Continuous Endpoint Compliance #1 Strong Foundation Market Leadership Enterprise Deployments In business 13 years Campbell, CA headquarters 200+ global channel partners Independent Endpoint Compliance and NAC Market Leader Focus: Pervasive Network Security 1,500+ customers worldwide Financial services, government, healthcare, manufacturing, retail, education From 500 to >1M endpoints

4 Continuous Endpoint Compliance 1 Visibility Capabilities 2 Compliance Assessment 3 Remediation ) 4 Interoperability 5 Easy Deployment

5 ForeScout CounterACT 1 Endpoint Discovery and inspection - who, what, where, health Visibility Compliance Managed, unmanaged, corporate, BYOD, rogue 2 Compliance Assessment Out-of-the-box templates for security best practices Flexible and extensible, assess audit compliance 3 Remediation OS, applications, configuration, processes etc. Improve ROI of existing security agents 4 Interoperability Works with your existing IT infrastructure ControlFabric open integration architecture 5 Easy Deployment Fast implementation, agent-less, all-in-one appliance Multi-vendor, designed for endpoint diversity

6 1. Visibility Who are you? Who owns your device? What type of device? Where/how are you connecting? What is the device hygiene? Employee Partner Contractor Guest Corporate BYOD Rogue Windows, Mac ios, Android VM Non-user devices Switch Controller VPN Port, SSID IP, MAC VLAN Configuration Software Services Patches Security Agents

7 Information Sharing and Automation

8 4. Interoperability Switches & Routers Endpoint & APT Protection Endpoints Firewall & VPN IT Network Services MDM Wireless Network Devices SIEM/GRC Vulnerability Assessment

9 Use Case #2: Automated Risk ForeScout sends both low-level (who, what, where) and high-level (compliance status) information about endpoints to SIEM Mitigation SIEM correlates ForeScout information with information from other sources and identifies risks posed by infected, malicious or high-risk endpoints SIEM initiates automated risk mitigation using ForeScout ForeScout takes risk mitigation action on endpoint Remediate Quarantine Initiate Mitigation Real-time Info SIE M Correlate, Identify Risks

10 The ControlFabric DATA CONSUMERS Interface CounterACT DATA PROVIDERS ControlFabric Interface Web API SQL LDAP Syslog Console Policy Engine Reporting Dashboard Network Devices Endpoints

11 Use Case #4: Threat Management Is it authorized? Is it breached? Is it attacking? Investigate Remediate Quarantine

12 Detects and Inspects AD / LDAP / RADIUS / DHCP CORE LAYER SWITCH Devices VPN CONCENTRATOR FIREWALL INTERNET WHO? USER NAME TITLE GROUPS DISTRIBUTION LAYER SWITCH WHAT? OS BROWSER AGENT PORTS PROTOCOLS CORPORATE LAN GUEST LAN VPN CLIENTS INTERNAL EXTERNAL APPS SERVICES PROCESSES POSTUR VERSIONS E? REGISTRY PATCHES ENCRYPTION ANTIVIRUS MAC ADDRESS IP ADDRESS SWITCH IP WHERE? CONTROLLER IP PORT / SSID / VLAN

13 Detects and Inspects Multiple methods Devices Poll switches, APs and controllers for list of devices that are connected Receive SNMP trap from switches Monitor 802.1X requests to the built-in or external RADIUS server Monitor DHCP requests to detect when a new host requests an IP address Optionally monitor a network SPAN port to see network traffic such as HTTP traffic and banners Run NMAP scan Use administrative privileges to run a scan on the endpoint Use optional SecureConnector agent EXTERNAL RADIUS SERVER SECURE CONNECTOR AD SERVER DHCP REQUESTS SNMP TRAPS.

14 Type of Information CounterACT can Device Type of device Manufacturer Location Connection type Hardware info Authentication MAC and IP address Certificates User Name Authentication Status Workgroup and phone number Operating Learn System OS Type Version number Patch level Services and processes installed or running Registry File names, dates, sizes Applications Installed Running Version number Registry settings File sizes Security Agents Anti-malware/DLP agents Patch management agents Encryption agents Firewall status Configuration Network Malicious traffic Rogue devices Peripherals Type of device Manufacturer Connection type

15 Real-time Network Complete Situational Awareness Asset Intelligence

16 Real-time Network Complete Situational Awareness Asset Intelligence See All Devices: Managed, Unmanaged, Wired, Wireless, PC, Mobile Compliance Problems: Agents, Apps, Vulnerabilities, Configurations

17 Real-time Network Complete Situational Awareness Asset Intelligence Filter Information By: Business Unit, Location, Device Type

18 Real-time Network Complete Situational Awareness Asset Intelligence See Device Details: What, Where, Who, Security Posture

19 Real-time Network Complete Situational Awareness Asset Intelligence Site Summary: Devices, Policy Violations

20 2. Compliance Assessment Who are you? Who owns your device? What type of device? Where/how are you connecting? What is the device hygiene? Employee Partner Contractor Guest Corporate BYOD Rogue Windows, Mac ios, Android VM Non-user devices Switch Controller VPN Port, SSID IP, MAC VLAN Configuration Software Services Patches Security Agents ForeScout Advanced Policy Engine Out-of-the-box templates Flexible and extensible Device and user specific policies

21 CounterACT Compliance Assessment Device Properties Operating System Applications Security Agents Peripherals Manufacturer, model Hardware properties User, ownership Configuration Password policy Jailbroken or rooted OS type Version number Patch level Services, processes installed or running Registry settings Installed or running Required apps Blacklisted apps Version numbers Legacy applications File dates and sizes Anti-malware status Anti-virus up-to-date DLP status Firewall status Patch management Encryption status Peripheral type M anufacturer Configuration Port Connection type

22 CounterACT Compliance Assessment Properties

23 CounterACT Dashboard A Birds-Eye Compliance View

24 Sample Policy for Continuous Compliance

25 3. Remediation Who are you? Who owns your device? What type of device? Where/how are you connecting? What is the device hygiene? Employee Partner Contractor Guest Corporate BYOD Rogue Windows, Mac ios, Android VM Non-user devices Switch Controller VPN Port, SSID IP, MAC VLAN Configuration Software Services Patches Security Agents ForeScout Advanced Policy Engine Out-of-the-box templates Flexible and extensible Device and user specific policies Alert Report Remediate Disable, Block

26 CounterACT Remediation Actions User Communication Operating System Applications Security Agents Peripherals Send Send to web page Open help desk ticket Communicate policies Self-remediation Install patch Configure registry Start, stop, disable process or service Trigger external remediation system Update application Set configuration Start required application Stop blacklisted or legacy application Install agent Start agent Update agent Update configuration Trigger external remediation service Alert administrator Alert user about non-compliance Disable peripheral Disable USB ports

27 Modest Granular Access Control Policies Strong Alert & Allow Limit Access Move & Disable Open trouble ticket Send notification SNMP Traps Start application Run script Auditable end-user acknowledgement HTTP browser hijack Deploy a virtual firewall around the device Reassign the device to a VLAN with restricted access Update access lists (ACLs) on switches, firewalls and routers to restrict access DNS hijack (captive portal) Automatically move device to a pre- configured guest network Move device to quarantine VLAN Block access with 802.1X Alter login credentials to block access, VPN block Block access with device authentication Turn off switch port (802.1X, SNMP) Wi-Fi port block

28 Information Sharing and Automation

29 Visibility of all devices, unmanaged & rogue Use Case #1: Asset Intelligence and Does not require agents Automate agent installation, activation, update Endpoint Compliance Real-time compliance info Bi-directional integration Endpoint protection Vulnerability Assessment Advanced Threat ForeScout

30 Use Case #3 (FireEye + CounterACT Detail) 1. Infected system connects to network, tries to call home 2. FireEye identifies and blocks callback 3. FireEye alerts CounterACT of the infected system 4. CounterACT isolates the infected system to prevent further reconnaissance or infection propagation Internet Firewall Switch Infected system

31 Continuous Monitoring and Mitigation Continuous Visibility Endpoint Mitigation Endpoint Authentication & Inspection Network Enforcement Information Integration

32 5. Easy Deployment Easy to use No agents needed (dissolvable or persistent agent can be used) Non-intrusive, audit-only mode Fast and easy to deploy All-in-one appliance Out-of-band deployment No infrastructure changes or network upgrades Rapid time to value unprecedented visibility in hours or days Physical or virtual appliances Infrastructure agnostic Multi-vendor, heterogeneous network environments Ideal for growing endpoint diversity

33 CounterACT Centralized Deployment DATACENTER ACTIVE DIRECTORY CORE SWITCHES SCCM ENDPOINT PROTECTION COUNTERACT ENTERPRISE MANAGER SIEM VA MDM ATD REMOTE USERS VPN CONCENTRATOR

34 CounterACT Hybrid Deployment DATACENTER ACTIVE DIRECTORY CORE SWITCHES SCCM ENDPOINT PROTECTION COUNTERACT ENTERPRISE MANAGER SIEM VA MDM ATD REMOTE USERS VPN CONCENTRATOR

35 ForeScout CounterACT Product FAMILY OF APPLIANCE MANAGERS FAMILY OF APPLIANCES Family SUITE OF PACKAGED SOFTWARE INTEGRATION MODULES A single appliance to handle up to # of ForeScout appliances Virtual appliances are also available. A single appliance to handle up to # of endpoints Model Endpoints CTR 100 CT CT ,000 CT ,500 CT ,000 CT ,000 Virtual appliances are also available. Vulnerability Assessment Advance Threat Detection SIEM MDM epo Open (Customer Development)

36 How ForeScout is Different Fast and easy to deploy Agentless and non-disruptive Scalable, no re-architecting

37 How ForeScout is Different Fast and easy to deploy Infrastructure Agnostic Agentless and non-disruptive Works with mixed, legacy environment Scalable, no re-architecting Avoid vendor lock-in

38 How ForeScout is Different Fast and easy to deploy Infrastructure Agnostic Flexible and Customizable Agentless and non-disruptive Works with mixed, legacy environment Optimized for diversity and BYOD Scalable, no re-architecting Avoid vendor lock-in Supports open integration standards

39 2014 ForeScout Technologies, Page 39 Questions

40 Pervasive Network Security an IT Game Changer

41 APPENDIX

42 ForeScout CounterACT Market Leadership **NAC Competitive Landscape *Magic Quadrant for Network Access Control, December 2013, Gartner Inc. April 2013, Frost & Sullivan **Frost & Sullivan 2013 report NC91-74, Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth Chard base year *This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Garnter, Inc. "Magic Quadrant for Network Access Control," Report G , December 12, 2013, Lawrence Orans.

43 Next-Gen NAC Delivers Continuous Next-Generation Compliance NAC can dynamically identify, inspect and control all network-connecting devices, as well as ensure endpoint compliance and threat mitigation. As a result, these solutions yield better use of security investments and IT resources, as well as enable IT to be more responsive to thwart threats and maintain endpoint compliance. 1 Emerging in 2010, NAC began to occupy a valuable piece of real estate on more extended and open networks. NAC was in the right position to inspect devices, monitor activities, and enforce endpoint compliance policies in a growing number of use cases. 2 1 Frost and Sullivan, Continuous Compliance and Next Generation NAC: A Cornerstone Defense for Dynamic Endpoint intelligence and Risk Mitigation, October 2013, Chris Rogriguez 2 Enterprise Strategy Group, The Endpoint Visibility, Access and Security (EVAS) Market: The Evolution of Network Access Control (NAC), July 2013, Jon Oltsik

44 Strong Third-party Continuous Compliance and Next Generation NAC Endorsements The Endpoint Visibility, Access, Network Access Control: A Strong Resurgence is Underway and Security (EVAS) Market: The Evolution of NAC Next-generation network access control Frost and Sullivan, October 2013 Ogren Group, March 2013 Enterprise Strategy Group, July 2013 Quocirca, August

45 Augment Existing Agentbased Security Systems Corporate Resources Non-corporate Endpoints Network Devices Applications Users Antivirus out of date Unauthorized application Agents not installed or not running CounterACT Compliance Continuous Compliance Compliance Assessment for All Assessment MANAGED PossibleEndpoints NOT Not MANAGED Possible

46 ForeScout CounterACT Product FAMILY OF APPLIANCE MANAGERS FAMILY OF APPLIANCES Family SUITE OF PACKAGED SOFTWARE INTEGRATION MODULES A single appliance to handle up to # of ForeScout appliances Virtual appliances are also available. A single appliance to handle up to # of endpoints Model Endpoints CTR 100 CT CT ,000 CT ,500 CT ,000 CT ,000 Virtual appliances are also available. Vulnerability Assessment Advance Threat Detection SIEM MDM epo Open (Customer Development)

47 CounterACT Product Family CTR CT- 100 CT CT CT CT Devices Bandwidth 100 Mbps 500 Mbps 1 Gbps 2 Gbps 4 Gbps or 10 Gbps 4 Gbpsor 10 Gbps VLAN Support Unlimited Unlimited Unlimited Unlimited Unlimited Unlimited VCTR VCT- 100 VCT VCT VCT VCT Devices CPU RAM/HD Space 1GB / 80GB 1.5GB / 80GB 2GB / 80GB 4GB / 80GB 6GB / 80GB 16GB/80GB