Network Control Meets Endpoint Security
Sandy Hawke, CISSP, Sr. Director of Product Marketing, BigFix
Jack Marsal, Director of Marketing, ForeScout
Agenda
- Introductions
- Network and Endpoint Security Challenges
  - Mobility
  - Managed vs. unmanaged users
- Requirements for Layered Security
  - Continuous protection
  - Multi-layer (at the network, at the endpoint)
  - Multi-profile access policies
- Summary
Who is BigFix?
BigFix is a leading global provider of high-performance security and systems management software for enterprise companies.
- 40%+ year-over-year growth
- Global and pervasive deployment across vertical industries
  - Highly complex environments
  - Very large enterprise deployments (> 100,000 assets)
- Innovative BigFix technology platform
  - Visionary in EPP and PCLM Gartner Magic Quadrants
  - 19 patents worldwide, 32 patents pending worldwide
Fast Facts:
- Every day, trillions of $$$ flow through BigFix-managed computers
- Each year, over $350B in retail transactions is enabled by BigFix technology
- Tens of thousands of hotel reservations are made every day on BigFix-managed computers
Who is ForeScout?
ForeScout is a leading provider of network access control (NAC) and policy compliance management for the global enterprise.
- #1 in large enterprise NAC deployments
- Visionary in Gartner Magic Quadrant
- Easy NAC
  - No software to install
  - No network upgrades or reconfigurations
  - Works with your existing infrastructure
The World of IT Circa 2000
[Diagram labels: Internet, FW, LAN, DMZ, Back-end Servers; subnets 192.168.1.X, 192.168.2.X, 192.168.3.X]
IT Enterprise Architecture, circa 2000: Organizations primarily manage static computing devices that are within the corporate network and primarily access corporate assets; they focus on perimeter security ("keep the bad guys out").
The World of IT Circa 2006
[Diagram labels: Corporate HQ, Datacenter, WAN, Remote Offices, Internet, Home, Hotel, Coffee Shop]
IT Enterprise Architecture, circa 2006-2009: Organizations must manage and secure a growing, globally distributed, remote, and mobile computing environment, all accessing corporate assets housed within the corporate network. They tend to focus on data center and critical infrastructure security and, for the most part, leave the management and security of mobile computing devices to fate and luck.
The World of IT 2010 and Beyond
[Diagram labels: Corporate HQ, WAN, Remote Offices, Internet, SaaS applications (CRM, ERP, storage, email, etc.), Outsourced Datacenter, Telecommuters]
IT Enterprise Architecture, circa 2010+: Organizations must manage and secure a large, complex, and globally distributed, remote, and mobile computing environment, all accessing corporate assets in and outside the corporate network. The loss of visibility and control again forces them to look at how they can better maintain the health and security of their mobile computing environment: the endpoints that require access to corporate resources housed inside the corporate network and in the cloud.
Blended Threats Require Blended Protection
Conficker was the first, but not the last.
- At the endpoint: Start with the basics (e.g. password policies, patch management, etc.)
- At the endpoint: Continuous policy enforcement
- At the network: Confirm policy compliance prior to access; access tied to profile (managed vs. unmanaged)
Meeting Policy Enforcement Challenges
- Mobility: now on network, now off
  - Roaming laptops, mobile devices
  - Consequences: maintenance challenges; increased exposure risk; loss of visibility/control
  - Security approach: Location-aware, continuous protection policies
- Different user profiles
  - Managed (employee) vs. unmanaged (guest)
  - Consequences: too restrictive = productivity obstacles; too permissive = exposure risks
  - Security approach: Profile-aware access policies
Comprehensive security requires continuous protection regardless of computing context or network connection.
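The "location-aware, continuous protection" requirement above can be made concrete as an agent-side policy loop. The following is an added example, not BigFix or ForeScout code: an endpoint state is re-evaluated on every heartbeat rather than only at network admission, the required settings depend on where the device currently is, and the agent reverts the settings it controls while reporting the ones it cannot fix (such as a VPN tunnel the user has to bring up). The rule names, thresholds, location classes and the sample timeline are all constructed for illustration.

```python
"""Location-aware, continuous endpoint policy check (added example)."""
from dataclasses import dataclass, replace
from enum import Enum


class Location(Enum):
    CORPORATE = "corporate"  # on the managed LAN, behind network controls
    PARTNER = "partner"      # a third party's network
    PUBLIC = "public"        # home, hotel, coffee shop


@dataclass(frozen=True)
class EndpointState:
    location: Location
    firewall_on: bool
    av_signature_age_days: int
    plugin_restriction_on: bool   # the setting a user might try to disable
    vpn_connected: bool
    unexpected_outbound_irc: bool = False   # e.g. an IRC bot trying to talk out


# Required settings per location (assumed values). Off the corporate LAN the
# host is its own perimeter, so the rules tighten.
POLICY = {
    Location.CORPORATE: {"max_sig_age": 7, "vpn_required": False},
    Location.PARTNER: {"max_sig_age": 3, "vpn_required": True},
    Location.PUBLIC: {"max_sig_age": 3, "vpn_required": True},
}


def evaluate(state: EndpointState) -> list[str]:
    """Return the policy violations for the current location and state."""
    rules = POLICY[state.location]
    violations = []
    if not state.firewall_on:
        violations.append("firewall_disabled")
    if state.av_signature_age_days > rules["max_sig_age"]:
        violations.append("av_signatures_stale")
    if not state.plugin_restriction_on:
        violations.append("plugin_restriction_disabled")
    if rules["vpn_required"] and not state.vpn_connected:
        violations.append("vpn_not_connected")
    if state.unexpected_outbound_irc:
        violations.append("unexpected_irc_traffic")
    return violations


def enforce(state: EndpointState) -> EndpointState:
    """Revert what the agent controls (closed-loop remediation).

    The VPN is a user action, so that violation is only reported; an agent
    would block non-VPN traffic until the tunnel is up.
    """
    return replace(
        state,
        firewall_on=True,
        plugin_restriction_on=True,
        av_signature_age_days=0,        # signature update triggered and applied
        unexpected_outbound_irc=False,  # offending process blocked
    )


def heartbeat_loop(timeline):
    """Evaluate every heartbeat, enforce, and re-evaluate.

    Returns (label, violations_before, violations_after) per heartbeat.
    """
    results = []
    for label, state in timeline:
        before = evaluate(state)
        after = evaluate(enforce(state)) if before else []
        results.append((label, before, after))
    return results


# Constructed timeline, loosely following the "day in the life" slides.
SAMPLE_TIMELINE = [
    ("08:00 home, VPN up", EndpointState(Location.PUBLIC, True, 1, True, True)),
    ("10:00 hotel wifi, plug-in setting disabled", EndpointState(Location.PUBLIC, True, 1, False, True)),
    ("11:30 partner network, IRC bot fires", EndpointState(Location.PARTNER, True, 1, True, False, True)),
    ("14:00 back on corporate LAN", EndpointState(Location.CORPORATE, True, 5, True, False)),
]

if __name__ == "__main__":
    for label, before, after in heartbeat_loop(SAMPLE_TIMELINE):
        print(f"{label}: violations={before}; after enforcement={after}")
```

The design point is that the same state can be compliant in one place and non-compliant in another (five-day-old signatures pass on the corporate LAN, where network controls also apply, but fail on hotel wifi), and that evaluation runs on every heartbeat, so a setting the user flips at 10am is back in place before the 11:30 partner meeting.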
A Day in the (Risky) Life of a VP's Laptop/Cell Phone
- 8am: Checks email from home before flight to partner meeting. Prints out boarding pass on airline website, then clicks on ad with drive-by download (THREAT #1)
  Security control: Endpoint agent prevents download
- 10am: Views latest NFL scores on cell phone. Tries to disable security setting that prevents a Flash plug-in from running, since the website uses Flash (THREATS #2 and #3)
  Security control: Endpoint agent prevents reconfiguration
- 11:30am: Connects to partner network to provide presentation and product demo. Unfortunately, one of the gaming applications that his kids installed last weekend launched an IRC bot that tries to send IRC packets onto the partner network (THREAT #4)
  Security control: Endpoint agent blocks initial download and would still block on execution (if installed prior to agent)
- 2pm: Leaves cell phone at restaurant. Contains email with architectural design plans for the next release of their product (THREAT #5)
  Security control: IT Ops remotely enforces a password policy on cell phone
- 6pm: After checking into his hotel room, tries to download an animated screensaver that he thinks his kids will like. It contains a number of dangerous spyware programs, including one that opens up a backdoor on his laptop (THREAT #6)
  Security control: Endpoint agent filters website based on web reputation; never even gets redirected to the download site!
A Day in the (Risky) Life of a VP's Personal Laptop
- Weekend: Used by teenagers. Facebook. YouTube. Amazon. iTunes. VP uses laptop for personal project (Little League uniform logos). Anti-virus is out of date. QuickTime is old, contains a vulnerability. Rootkit infection.
- 10am Monday: VP brings laptop to work. Connects to the network to print the Little League uniform logos on the color printer. (THREAT #1: Conficker. THREAT #2: QuickTime vulnerability. THREAT #3: Rootkit infection. THREAT #4: no DLP software.)
Network Security Controls:
1) Identify ownership
2) Inspect system. Identify weaknesses (out-of-date antivirus, QuickTime vulnerability)
3) Remediate: update antivirus and QuickTime
4) Allow onto guest network: printing and Internet access
5) Block any malicious activity by the rootkit on the system
Network Access Control
[Diagram slide; no text content beyond the title]
Role-based Network Access Control
[Diagram: employees in the Sales, HR and Finance roles are mapped to the Sales, HR and Finance network segments; guests go to the Guest Network]
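The five network security controls on the personal-laptop slide and the role-based placement on the slide above fit together as one admission decision. The following is an added example, not ForeScout or BigFix product logic: ownership selects the policy branch, managed endpoints are admitted to their role's segment only if the endpoint agent is running, unmanaged endpoints are inspected and remediated where possible and then placed on the guest network, and malicious activity is blocked regardless of placement. The segment names, the seven-day signature threshold, the list of software the network side can update, and the sample endpoints are constructed for illustration.

```python
"""Network admission decision for managed and unmanaged endpoints (added example)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    mac: str
    managed: bool                    # corporate-owned and in inventory
    agent_running: bool              # endpoint security agent present and alive
    av_signature_age_days: int
    vulnerable_software: tuple       # e.g. ("quicktime",)
    user_role: Optional[str]         # "sales", "hr", "finance", or None for a guest
    malicious_activity: bool = False # e.g. rootkit traffic seen on the wire


# Assumed segment names and thresholds.
ROLE_SEGMENTS = {"sales": "vlan-sales", "hr": "vlan-hr", "finance": "vlan-finance"}
MAX_SIG_AGE_DAYS = 7
REMEDIABLE = frozenset({"quicktime", "flash"})  # updates network-side remediation can push


def inspect_endpoint(ep: Endpoint) -> list[str]:
    """Step 2: identify weaknesses."""
    weak = []
    if ep.av_signature_age_days > MAX_SIG_AGE_DAYS:
        weak.append("antivirus_out_of_date")
    weak.extend(f"vulnerable:{name}" for name in ep.vulnerable_software)
    return weak


def remediate_endpoint(ep: Endpoint) -> tuple[Endpoint, list[str]]:
    """Step 3: fix what can be fixed; return the updated endpoint and actions taken."""
    actions = []
    if ep.av_signature_age_days > MAX_SIG_AGE_DAYS:
        actions.append("update_antivirus")
        ep = replace(ep, av_signature_age_days=0)
    for name in ep.vulnerable_software:
        if name in REMEDIABLE:
            actions.append(f"update_{name}")
    remaining = tuple(n for n in ep.vulnerable_software if n not in REMEDIABLE)
    ep = replace(ep, vulnerable_software=remaining)
    return ep, actions


def admit(ep: Endpoint) -> dict:
    """Decide where the endpoint goes and what the network does about it."""
    decision = {
        "mac": ep.mac,
        "ownership": "managed" if ep.managed else "unmanaged",  # step 1
        "actions": [],
        "blocks": [],
        "unresolved": [],
    }
    if ep.managed:
        if not ep.agent_running:
            # Managed endpoints must have a running agent before admission.
            decision["segment"] = "vlan-quarantine"
            decision["actions"].append("deploy_or_restart_agent")
            return decision
        # Agent is the control point on the host; role decides the segment.
        decision["segment"] = ROLE_SEGMENTS.get(ep.user_role, "vlan-quarantine")
        if decision["segment"] == "vlan-quarantine":
            decision["actions"].append("unknown_role_review")
        return decision

    # Unmanaged: inspect, remediate, then guest-only access (steps 2-4).
    decision["weaknesses"] = inspect_endpoint(ep)
    ep, actions = remediate_endpoint(ep)
    decision["actions"].extend(actions)
    decision["unresolved"] = inspect_endpoint(ep)
    decision["segment"] = "vlan-guest"  # printing and Internet only, no internal segments
    # Step 5: block malicious activity regardless of placement.
    if ep.malicious_activity:
        decision["blocks"].append("block_malicious_flows")
    return decision


# Constructed sample endpoints (MACs are placeholders).
VP_PERSONAL_LAPTOP = Endpoint("00:00:00:00:00:01", False, False, 30, ("quicktime",), None, True)
SALES_LAPTOP = Endpoint("00:00:00:00:00:02", True, True, 2, (), "sales")
MANAGED_NO_AGENT = Endpoint("00:00:00:00:00:03", True, False, 2, (), "finance")

if __name__ == "__main__":
    for ep in (VP_PERSONAL_LAPTOP, SALES_LAPTOP, MANAGED_NO_AGENT):
        print(admit(ep))
```

Note that the unmanaged branch never reaches an internal segment even after successful remediation; remediation makes the guest network safer for the other guests and the printer, it does not earn the device employee access. That is the "profile-aware" distinction the earlier slide draws between managed and unmanaged users.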
Summary: Host Security + Network Security
[Diagram labels: Managed Endpoints, Unmanaged Endpoints]
Endpoint Security Controls:
- Protect system from attack (malware, intrusion)
- Protect data from loss
- Identify unauthorized applications
- Update software and configuration
- Automated, closed-loop remediation
- Compliance and inventory reports
Network Security Controls:
- Ensure agents are running on managed endpoints prior to network admission
- Real-time asset discovery and visibility
- Allows for management in minutes via right-click automation
- Block attacks on the network
- Protect network from insecure endpoints (AV, patch, firewall, etc.)
- Role-based network access
- Remediation
- Compliance and inventory reports
THANK YOU!
Sandy Hawke, CISSP, Sr. Director, Product Marketing @ BigFix, Sandy_hawke@bigfix.com
Jack Marsal, Director, Marketing @ ForeScout, jmarsal@forescout.com
www.bigfix.com