
Whitepaper

ForeScout

A Blueprint for Pervasive Network Security

How to accelerate continuous visibility, control intelligence, and policy-based response.

Contents

Why Conventional IT Security is Failing
1) Identification of risks is too slow
2) Identification of risks is incomplete
3) Detection of breaches is too slow
4) Response and containment is too slow
5) Coordination across security systems is lacking

The Pervasive Network Security Solution
1) Visibility
2) Hardening and prevention
3) Continuous monitoring and detection
4) Powerful, yet flexible policy engine
5) Contain incidents via network enforcement
6) Automated endpoint remediation
7) Centralized management and reporting
8) Coordination with other IT security systems

Use Cases
1) Network access control
2) Endpoint visibility and compliance
3) Mobile security
4) Threat management
5) Compliance — internal and regulated

Differentiation
1) Vendor agnostic
2) Rapid deployment
3) Agentless operation
4) Centralized or decentralized
5) Scalability

Conclusion


Introduction

Despite healthy investments in IT security products and staffing over the past 10 years, most CISOs are not confident [1] that they can stop advanced threats from compromising their networks and stealing valuable data, or holding it hostage as CryptoLocker does. The situation is so dire that Gartner recently published a report titled “Malware Is Already Inside Your Organization; Deal With It” [2].

What is causing such a monumental failure? Four reasons come to mind:

• Today’s advanced threat actors are well funded and highly skilled. Malware, phishing, social engineering, and endpoint vulnerabilities all give them fertile opportunities to penetrate your defenses and set up shop inside your network.

• Enterprises are losing control over their IT environments, which are more complex, more dynamic, and more diverse. IT security controls designed just a few years ago are no longer adequate to defend the modern enterprise and manage mounting IT consumerization risks.

• Enterprises continue to use a “layered security” model based largely on products that don’t talk to one another, operate in separate silos, and don’t automate actions to contain exposures quickly.

• Enterprises continue to rely heavily on agent-based systems to manage and secure endpoints, despite the fact that agents are prone to failure.

The question is no longer if or when you will experience a significant security incident, but how well your processes and controls address detection, analysis and response.

Gartner recommends a new approach [3], the “Adaptive Security Architecture,” to protect against advanced threats. This architecture requires continuous monitoring, analytics, and automation between security systems to reduce the time between threat discovery and threat containment. Gartner has defined twelve critical capabilities and organized them into four quadrants: Predict, Prevent, Detect and Respond.

Similarly, the U.S. Federal Government now requires continuous monitoring under the Federal Information Security Management Act (FISMA), and the National Institute of Standards and Technology (NIST) has built on the Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) reference architecture in its continuous monitoring guidance, NIST SP 800-137.

This paper details the challenges faced by IT security managers and outlines a solution from ForeScout Technologies, called Pervasive Network Security, that can help enterprises become more responsive, optimize their resources, and enhance their security posture in alignment with the frameworks suggested by Gartner, NIST, the SANS Institute, and other security authorities.

Figure 1: The 12 Critical Capabilities of Gartner’s Adaptive Security Architecture. Source: Gartner (February 2014).

[1] ForeScout. “2014 Cyber Defense Maturity Report.” July 2014.
[2] Gartner. “Malware Is Already Inside Your Organization; Deal With It.” February 2014.
[3] Gartner. “Designing an Adaptive Security Architecture for Protection From Advanced Threats.” February 2014.


Why Conventional IT Security is Failing

One fact is indisputable: security incidents are increasing in number. According to the 2014 “Global State of Information Security Survey” conducted by PwC, the number of security incidents among enterprises jumped 25% between 2011 and 2013.

What are the sentiments of the IT security managers who are on the front lines of this war? In a recent IDG Cyber Defense Maturity Report [4], 96% of respondents had experienced at least one significant security incident, and 1 in 6 had experienced five or more. 40% of IT security managers believe that IT security is more challenging now than it was a year ago, specifically across problem prevention, identification, diagnostics and remediation.

Figure 2: In aggregate, the number of serious security incidents affecting enterprises has been climbing each year.

Figure 3: IT security managers say their jobs are getting harder each year. 2014 IDG Connect Cyber Defense Maturity Report.

Figure 4: Almost every enterprise has felt the sting of cyber attack, sometimes multiple times per year. 2014 IDG Connect Cyber Defense Maturity Report.

[4] IDG Connect 2014 Cyber Defense Maturity Report, commissioned by ForeScout, July 2014. Scope: N=1600; US, UK and DACH regions; 50% of respondents from enterprises above 2500 employees.


Why do intruders continue to compromise enterprise networks? Here are the primary reasons.

1) Identification of risks is too slow

Attackers most commonly target vulnerable endpoints. Studies have shown that approximately 80% of enterprise breaches started with a device on the network that contained a known vulnerability, or that should not have been on the network in the first place.

Why are existing security systems so slow to identify a rogue device, a non-compliant system, or a vulnerability? The short answer is that they were never designed to operate at the speed organizations need. Most security systems rely on polling (sometimes daily, but more typically weekly or monthly), assume the host is actively managed, or must wait to see large or anomalous traffic from the device. A survey [5] by Tenable found that 70 percent of organizations scan their networks for vulnerabilities monthly or less frequently.

2) Identification of risks is incomplete

The old saying is “you can’t manage what you can’t see,” and this certainly applies to today’s complex IT environment. There are several reasons why enterprises’ existing IT security tools do not identify all the risks on the network.

A. Endpoints are increasingly transient and therefore often are not present on the network when a vulnerability scan is scheduled to take place. This is caused both by mobility and by the increasing use of dynamic virtual workloads.

B. Endpoints are increasingly not owned by the organization and therefore not protected by an onboard management agent. If the organization relies on endpoints to self-report their configurations and the applications running on them, BYOD Windows and Mac OS devices will typically be risk blind spots, because organizations are often unaware of these devices and don’t or can’t install management agents on them.

The situation is a little better for Android and iOS because mobile device management (MDM) systems are available. However, this ignores the fact that these devices typically start off unmanaged. They need to be identified and enrolled into an MDM system before they are allowed onto the network, and many organizations lack the visibility and control to do so.

[5] Tenable. “Study Reveals 83 Percent of Security Professionals Concerned About Missing Threats Between Vulnerability Scans.” February 2014.

Figure 5: Enterprises conduct vulnerability scans quite infrequently, and thus lack real-time awareness of vulnerabilities on their networks.


C. Over-reliance on security agents is a flawed strategy. Almost all organizations rely heavily on agents for a variety of security and system management functions. These agents serve valuable purposes and will remain necessary components of the security arsenal. However, agents don’t work properly 100% of the time: they become misconfigured, attacked, out of date, uninstalled, or disabled. When the agent is missing or the link between the agent and its management system is broken, the organization is unaware of the risks on that endpoint.

In summary: without a real-time, independent and comprehensive view of endpoint status, organizations have an incomplete understanding of their IT risk. Based on the statistics we have gathered, IT security managers are typically unaware of at least 20% of the devices on their networks, and approximately 30% of endpoints contain basic misconfigurations or vulnerabilities of which the IT department is unaware.

3) Detection of breaches is too slow

“Dwell time” is the number of days between the initial compromise and its detection. Mandiant reported in 2014 that the median dwell time is 229 days [6].

Why is detection so slow? The general consensus in the security community is that organizations have under-invested in detection capabilities. A Gartner research note points out that “organizations have deluded themselves into believing that 100% prevention is possible, and they have become overly reliant on blocking-based and signature-based mechanisms for protection.” [7]

4) Response and containment is too slow

Once an exposure (or worse, a breach) has been detected, the time it takes a typical IT organization to respond is far too long. The culprit here is lack of automation. Many of the tools used by IT security professionals do not include automated, policy-based remediation or containment capabilities. For example, an advanced threat detection system can issue an alert that an endpoint may have been compromised, but the alert must be acted on by an IT manager who may be receiving hundreds or thousands of alerts each day. This was the case in the recent breach of Target retail stores in the United States [8]: millions of credit card numbers were stolen because alerts were not responded to. Similarly, vulnerability assessment (VA) systems typically have no automated response capability, nor do security information and event management (SIEM) systems.

5) Coordination across security systems is lacking

Enterprises typically employ a layered defense strategy with a large number of disparate products and vendors, each with its own silo of controls and information. These siloed tools don’t communicate sufficiently with each other. This robs you of critically needed synergies, such as the ability to share contextual information between systems, and weakens the effectiveness of each security control. In addition, the lack of automated mitigation mechanisms between different network and security systems delays response and containment because the processes are manual, as described above. And of course, the lack of policy-based automation increases IT operational costs and the impact of each exposure.

In summary: the enterprise IT environment has grown in complexity, and the IT security systems that enterprises have relied on for many years have not adjusted to the changes. As a result, IT security managers have incomplete knowledge of who or what is accessing their networks, incomplete understanding of the risks on their networks, and delayed awareness of the exposures that have already occurred. IT organizations also lack an efficient means to enforce endpoint integrity, mitigate risks, and contain exposures. Existing processes are too slow and too manual.

[6] Mandiant. “M-Trends 2014: Beyond the Breach.” April 2014.
[7] Gartner. “Designing an Adaptive Security Architecture for Protection From Advanced Attacks.” 12 February 2014. Neil MacDonald and Peter Firstbrook.
[8] SC Magazine, March 13, 2014. “Target did not respond to FireEye security alerts prior to breach, according to report.”


The Pervasive Network Security Solution

Over the past two years, industry analysts from Gartner [9], Frost & Sullivan [10], IDC [11], Enterprise Strategy Group [12], Enterprise Management Associates [13], and Quocirca [14] have recommended that enterprises augment their existing security controls with additional capabilities better suited to modern IT security challenges. Here are four of the six recommendations that Gartner published [15] in early 2014:

• Shift your security mindset from “incident response” to “continuous response,” wherein systems are assumed to be compromised and require continuous monitoring and remediation.

• Adopt an adaptive security architecture for protection from advanced threats, using Gartner’s 12 critical capabilities as the framework.

• Spend less on prevention; invest in detection, response and predictive capabilities.

• Favor context-aware network, endpoint and application security protection platforms from vendors that provide and integrate prediction, prevention, detection and response capabilities.

Gartner’s recommendations are similar to the “continuous monitoring and mitigation” requirements that have recently come from the U.S. government and standards-setting organizations such as NIST [16].

ForeScout has developed a pervasive network security platform that helps enterprises close the security gaps outlined previously and implement the recommendations of these analysts and standards bodies. ForeScout’s platform helps organizations gain greater operational intelligence, reduce risk, efficiently preempt threats, and contain exposures, all without making changes to the network infrastructure or requiring additional security agents.

Key functions of our pervasive network security platform are described below.

1) Visibility

ForeScout’s pervasive network security platform provides real-time visibility of users and devices attempting to connect to, or already connected to, an enterprise network: wired or wireless, managed or unmanaged, virtual or embedded, desktop or mobile. Devices are dynamically discovered, classified, profiled and assessed. Our platform uses a multi-factor approach to discovery and inspection that in most cases does not require software agents or prior knowledge of a device. Built-in and extensible device fingerprinting technology allows automated classification of discovered devices.

Most notably, our platform includes the following characteristics:

• Comprehensive scope. ForeScout operates at the network layer, so it is immune to the endpoint diversity and agent management problems that challenge existing agent-based security systems. It is irrelevant who owns the endpoint. This solves the scope problem mentioned earlier.

• Real-time discovery. ForeScout’s product integrates with the network infrastructure and therefore can detect devices the moment they attempt to connect to the network. This solves the transient device problem mentioned earlier.

• Classification. ForeScout’s product automatically classifies each device by type (computer, smartphone, printer, switch, etc.), ownership (corporate, personal, rogue), and operating system version.

[9] Gartner. “Designing an Adaptive Security Architecture for Protection From Advanced Attacks.” 12 February 2014.
[10] Frost & Sullivan. “Continuous Compliance and Next Generation NAC: A Cornerstone Defense for Dynamic Endpoint Intelligence and Risk Mitigation.” 2013.
[11] IDC. “Worldwide Security 2013 Top 10 Predictions.” February 2013.
[12] Enterprise Strategy Group. “Market Landscape Report: NAC Solutions Evolve to EVAS: Endpoint Visibility, Access, and Security.” July 2013.
[13] Enterprise Management Associates. “Achieving NAC Results.” January 2013.
[14] Quocirca. “Next-generation network access control — Advancing governance, risk and compliance controls in the frenetic enterprise.” August 2013.
[15] Gartner. “Designing an Adaptive Security Architecture for Protection From Advanced Attacks.” 12 February 2014. Neil MacDonald and Peter Firstbrook.
[16] NIST Special Publication 800-137. “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.” September 2011.


• Deep assessment. Based on built-in and user-defined policies, ForeScout’s platform can detect unpatched operating systems, vulnerable applications, misconfigurations, hardware parameters, unwanted or unauthorized applications, the presence and health of security and management agents, files, registry settings, ports, services, peripherals, and more.

Under the hood, ForeScout’s platform employs proprietary multi-sensor correlation with advanced heuristics to derive an accurate endpoint state from properties reported by multiple sources, such as network address, identity and configuration. In addition, our platform supports both synchronous and asynchronous data processing, so that as changes occur on the network or on systems, the platform can follow and assess those changes from multiple sources and maintain its intelligence in real time.

ForeScout’s platform can discover and classify devices without an endpoint agent or supplicant, which greatly simplifies both deployment and management. Furthermore, our platform can provide deep, detailed information about any user device to which it has administrative-level access, again without an endpoint agent. This differentiates ForeScout’s product from most others on the market. Note that agentless deep inspection depends on the platform holding administrative credentials for those endpoints, so those credentials deserve the same handling as any other privileged account: scoped to the inspection task, rotated, and monitored for misuse.

2) Hardening and prevention

ForeScout’s visibility functions help IT security managers harden systems to prevent compromise. (The “harden” function is shown in the upper right quadrant of Gartner’s Adaptive Security Architecture; see Figure 1.) As mentioned previously, host-based defenses are typically agent-based, and agents are only effective when they are actually installed and running. Our customers tell us that after installing our products on their networks, they discover that approximately 30% of their corporate-owned endpoints were non-compliant due to a problem with one or more security or management agents.

This hardening function, whether by notification, endpoint remediation, or triggering other controls such as patch management and vulnerability assessment, is critically important. Gartner has predicted that “through 2015, 80% of successful attacks will exploit well-known vulnerabilities.” [17] Furthermore, Gartner believes that “a properly configured and patched endpoint will be immune to a large majority of malware attacks, freeing security professionals to focus on more sophisticated attacks that don’t rely on misconfigured or vulnerable systems.” [18]

3) Continuous monitoring and detection

After a device joins the network, ForeScout’s platform continues to monitor the endpoint’s state as well as its behavior. Built-in technology detects endpoint changes and subterfuge, such as an endpoint starting to behave in unexpected ways. When a fault or suspicious activity is detected, the platform can automatically raise an alert, communicate the event to an external system, or take more proactive control, such as quarantining the device.

ForeScout’s pervasive network security platform includes ForeScout’s patented intrusion prevention (IPS) capability, ActiveResponse™, which detects network threats passively. ActiveResponse is behavior-based, which allows it to detect traditional malware as well as “zero-day” threats that leverage never-before-seen vulnerabilities. This technique can even detect advanced malware that has been programmed to lie dormant, act intermittently, or bypass perimeter defenses before attacking. For example, ActiveResponse was able to detect propagation of the infamous Stuxnet threat. ActiveResponse can also divert attackers’ attention, giving IT security managers more time to understand their adversary.

4) Powerful, yet flexible policy engine

Our policy engine gives IT security managers the flexibility to define and enforce granular policies at the network, user, device, and application level. The platform ships with an array of built-in and extensible templates to support a broad range of controls. When our product detects a policy violation, it can automatically take action: alert, advise, restrict, remediate, or disable. This range of actions allows IT managers to tailor the response to the level of risk and disruption that is acceptable to the business.

[17] Gartner. “Preparing for Advanced Threats and Targeted Attacks.” 2014. Kelly Kavanaugh.
[18] Gartner. “Malware Is Already Inside Your Organization; Deal With It.” February 2014. Peter Firstbrook and Neil MacDonald.


If desired, IT security managers may construct multiple sets of policies, for example one set that applies to employees using managed devices and another that applies to employees using personally owned (unmanaged) devices. Our platform can automatically determine which devices are managed corporate devices and which are unmanaged BYOD devices. Depending on the organization’s security policies, different levels of network access can be granted based on any attribute, such as:

• user (guest, contractor, employee, role)

• device type (switch, medical system, camera, computer, printer, etc.)

• operating system (iOS, Android Ice Cream Sandwich, Windows XP, etc.)

• device ownership (corporate, BYOD)

• security posture (jailbroken, missing MDM agent, Windows vulnerability)

• location (wired, wireless, VPN, China, New York)

• time of day

• property derived from an external security or management system (e.g. vulnerability assessment, advanced threat detection)
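The attribute-driven policy evaluation described above, as an added example that is not ForeScout code: a small Python rule engine that judges a joining endpoint against rules keyed on the attributes just listed (user role, device type, operating system, ownership, posture, location, time of day, and a property fed in from an external system, here a vulnerability assessment finding count). The rule set, the attribute names, the guest-hours window and the combining logic (every rule is evaluated and the most restrictive action wins, so a permissive rule can never undo a quarantine) are assumptions made for this illustration, not a description of the product’s own engine. The sample endpoints are constructed.

```python
"""Attribute-based admission policy evaluation.

Added example, not ForeScout code. The rule format, the attribute names and the
combining logic (evaluate every rule, most restrictive action wins) are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable

# Actions ordered from least to most restrictive. When several rules match, the
# most restrictive action wins, so a permissive rule can never undo a quarantine.
SEVERITY = {"allow": 0, "alert": 1, "restrict": 2, "remediate": 3, "quarantine": 4}


@dataclass
class Endpoint:
    user_role: str        # guest, contractor, employee, ...
    device_type: str      # computer, smartphone, printer, switch, ...
    os: str               # e.g. "Windows XP SP3", "iOS 7.1"
    ownership: str        # corporate, byod, rogue
    posture: frozenset    # posture findings, e.g. {"jailbroken", "missing_mdm_agent"}
    location: str         # wired, wireless, vpn
    connected_at: time    # local time of day the device connected
    external: dict = field(default_factory=dict)  # properties fed in by other systems


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    match: Callable[[Endpoint], bool]


GUEST_HOURS = (time(7, 0), time(19, 0))   # assumed guest access window


def outside(window, t):
    return not window[0] <= t <= window[1]


# Constructed rule set covering each attribute class listed above (hypothetical).
POLICY = [
    Rule("unknown device", "quarantine",
         lambda e: e.ownership == "rogue"),
    Rule("jailbroken mobile", "quarantine",
         lambda e: e.device_type == "smartphone" and "jailbroken" in e.posture),
    Rule("BYOD without MDM", "restrict",
         lambda e: e.ownership == "byod" and "missing_mdm_agent" in e.posture),
    Rule("VA critical findings", "remediate",
         lambda e: e.external.get("va_critical_findings", 0) > 0),
    Rule("guest out of hours", "restrict",
         lambda e: e.user_role == "guest" and outside(GUEST_HOURS, e.connected_at)),
    Rule("legacy OS on wired", "alert",
         lambda e: e.os.startswith("Windows XP") and e.location == "wired"),
]


def evaluate(endpoint, policy=POLICY):
    """Return (action, names of matched rules).

    Every rule is evaluated, not just the first match, so the audit record and
    any downstream SIEM see the full list of violations for the device.
    """
    hits = [rule for rule in policy if rule.match(endpoint)]
    if not hits:
        return "allow", []
    action = max((rule.action for rule in hits), key=SEVERITY.__getitem__)
    return action, [rule.name for rule in hits]


# Constructed sample endpoints; not real inventory data.
SAMPLES = {
    "jailbroken byod phone": Endpoint("employee", "smartphone", "iOS 7.1", "byod",
                                      frozenset({"jailbroken", "missing_mdm_agent"}),
                                      "wireless", time(10, 30)),
    "guest at night": Endpoint("guest", "computer", "Windows 8.1", "byod",
                               frozenset(), "wireless", time(22, 15)),
    "patched corporate laptop": Endpoint("employee", "computer", "Windows 7", "corporate",
                                         frozenset(), "wired", time(9, 0)),
    "xp with va findings": Endpoint("employee", "computer", "Windows XP SP3", "corporate",
                                    frozenset(), "wired", time(9, 0),
                                    {"va_critical_findings": 2}),
}

if __name__ == "__main__":
    for label, device in SAMPLES.items():
        print(f"{label:26} -> {evaluate(device)}")
```

Evaluating every rule rather than stopping at the first match costs little and gives the audit trail the complete list of violations, which is what a compliance report or a SIEM needs; the severity ordering is what keeps the outcome safe when rules overlap, for instance when a BYOD rule that would only restrict meets a posture rule that quarantines.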

5) Contain incidents via network enforcement

The “contain” function is shown in the lower right quadrant of Gartner’s Adaptive Security Architecture (Figure 1) and is another critically important function.

Network enforcement is achieved by interfacing with the network infrastructure to grant, limit or deny device access both pre- and post-admission. For example, our platform can identify and block a rogue device, quarantine a breached system, redirect a visitor’s browser to a guest registration page, or adjust which network resources are available to an endpoint. ForeScout provides a range of network access control technologies so customers can deploy easily in many different types of network infrastructure.

Figure 6: The ForeScout CounterACT policy wizard makes it easy to check for common endpoint compliance errors.


6) Automated endpoint remediation

The “remediate” function is shown in the lower left quadrant of Gartner’s Adaptive Security Architecture and is another critically important function.

As with network access control, a wide range of endpoint remediation actions is available. They generally fall into three categories:

Self-remediation — The user is informed of the security issue and presented with instructions on how to fix it.

Direct remediation — ForeScout’s platform remediates the device itself, for example by executing a script to install a patch, update an AV signature, restart or reinstall an agent, kill a process, or disable a peripheral device.

Third-party remediation — ForeScout’s platform sends a request to an external system to perform the remediation. For example, it can ask the endpoint to check with Microsoft SCCM or WSUS for missing updates, or it can ask McAfee ePO to install a missing security agent or change an endpoint protection setting.

7) Centralized management and reporting

ForeScout CounterACT includes centralized management and reporting. This allows IT managers to apply security policies from one central point and enforce them across a highly distributed organization. It also centrally logs events and activity, providing audit trails and management reports to support business, security and compliance requirements. Long-term asset intelligence, event trending and forensics are supported by forwarding these details to external logging systems.

8) Coordination with other IT security systems When discussing their model for the Adaptive Security Architecture, Gartner says: “The end result should not be 12 silos of disparate information security solutions . The end goal should be that these different capabilities integrate and share information to build a security protection system that is more adaptive and intelligent overall .”19

We agree 100% . ForeScout’s interconnection with other IT systems is based on ForeScout ControlFabric™ architecture . ControlFabric technologies enable ForeScout’s platform to share contextual information between and among different security and IT management systems, thereby reducing the problem of information silos and facilitating automated remediation . This allows IT organizations to better leverage their existing infrastructure investments, efficiently preempt and contain exposures, and enhance their overall security posture .

19 Gartner. “Designing an Adaptive Security Architecture for Protection From Advanced Threats.” February 2014.

Figure 7: ForeScout CounterACT compliance dashboard lets you see where your violations are located.


Our platform includes integrations with popular network and IT infrastructure (switches, wireless controllers, VPN, routers, directories), devices (Windows, Mac, Linux, iOS, Android, printers, etc.), and endpoint software (system configuration, productivity and security applications). These integrations are packaged with our basic platform and are available at no additional charge. Other, more advanced integrations are packaged and licensed as separate modules that can be added onto our basic platform.

Following are some examples of the kinds of coordination and collaboration that are possible.

Security Information and Event Management (SIEM)

ForeScout’s platform shares real-time endpoint security posture details with SIEM tools, which gives these systems a more complete picture of the risks that are on a network — managed, unmanaged and rogue, corporate and personal. Also, ForeScout’s platform enables SIEMs to instruct CounterACT, based on policy, to automatically isolate or remediate a risky endpoint.

Figure 8: ForeScout ControlFabric Interface shares information between different types of security and management systems.

Figure 9: ForeScout transforms your SIEM into a real-time security control


Vulnerability Assessment

By integrating with vulnerability assessment systems, ForeScout solves the problem of transient devices. ForeScout’s platform can trigger a scan of a new device the moment it joins the network if the device has not previously been scanned. For even higher security applications, ForeScout can temporarily admit the new device to a limited access zone on the network where it can be scanned and immediately remediated if necessary. Information from the vulnerability assessment system can also flow into CounterACT, where it can be used to enhance our control context as well as trigger CounterACT actions, for example quarantine or remediation.

Mobile Device Management (MDM)

ForeScout’s platform helps discover and automate the enrollment of unmanaged mobile devices into the Mobile Device Management (MDM) system and ensures that only authorized and compliant mobile devices can access corporate network resources. Even without an MDM system, our platform can detect mobile device, user, and configuration attributes and apply network enforcement policies — such as limiting access for mobile devices that are jailbroken or misconfigured.

Endpoint Protection

Endpoint protection systems utilize host agents and thus have a difficult time identifying and profiling unmanaged devices such as personal laptops, smartphones, and rogue wireless access points. ForeScout’s integration with endpoint protection systems provides IT security managers with visibility and control over both managed and unmanaged endpoints on the network. In addition, this integration helps organizations save time by automating the installation of security agents and assuring that those agents are active and up to date.

Advanced Threat Detection

By integrating with advanced threat detection systems, ForeScout solves the problem of “containment”, which is an important part of Gartner’s Adaptive Security Architecture. ForeScout’s platform can automatically quarantine any device that has been identified by an advanced threat detection (ATD) solution as being infected or as performing malicious activities such as scanning other systems or exfiltrating data.

Open Integration

ForeScout ControlFabric technology allows ISVs, system integrators and customers to easily build custom integrations, such as those with legacy, uncommon or homegrown applications. The ControlFabric interface utilizes a broad set of open integration mechanisms, for example Syslog, Web Services API, SQL and LDAP. These bi-directional integrations enable third-party systems to:

– Consume information generated by ForeScout’s pervasive network security platform, such as: device type, compliance status, user information, operating system information, application information, peripheral information, physical layer information, and more.

– Provide information to ForeScout’s platform, such as any host-related property or event.

– Receive or send action triggers to ForeScout’s platform.

Figure 10: ForeScout enrolls mobile devices into the MDM system (diagram labels: Connect, No Agent, Install MDM Agent, Initiate Scan, Isolate, Scan Results, Allow, Block, MDM)


Use Cases

1) Network access control

ForeScout’s pervasive network security platform allows IT security managers to control network access with a fine degree of precision. The platform automatically identifies when a device is trying to access the corporate network, then determines information such as:

• the type of device attempting to access your network

• who owns the device

• who the user is, and whether the user is an employee, contractor or guest

• the security posture of the device

• location of the device and connection method

• time of day

As stated earlier in this paper, ForeScout’s platform can acquire the vast majority of this information without any need for an endpoint agent. This is a significant advantage.

Our platform supports multiple forms of authentication, including 802.1X and other methods. Compared to network access control products that are limited to 802.1X, the fact that our product does not need to use 802.1X is a significant advantage. In addition, our platform automates the handling of printers, phones, and other equipment that cannot authenticate via 802.1X. Continuous monitoring of endpoint behavior after the device joins the network eliminates the security risks associated with MAC address spoofing and ARP spoofing.

2) Endpoint visibility and compliance

Once a host has been profiled through passive and/or active discovery techniques, it is evaluated against security policies. These policies are designed to uncover various endpoint exposures, such as:

• unpatched vulnerabilities

• security misconfigurations

• unsanctioned applications

• missing host-based defenses

• unauthorized peripheral devices

Endpoint exposures can be remediated either directly by our platform or via a third-party system. Many of our customers prefer to leverage their existing patch management systems to deploy patches on managed devices, but in the event this method fails, ForeScout’s platform can serve as a backup remediation method.

Unlike other systems, our platform can continuously monitor and manage devices even after they leave the enterprise network.20 This requires the installation of a lightweight agent which provides a secure communications path between the host and our platform, leveraging any Internet connection that the endpoint has access to.
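As an added illustration of the two use cases above (a first-match access decision over the listed attributes, then a compliance evaluation whose remediation goes to the existing patch system first and falls back to the platform when that system fails), here is example code written for this page; it is not ForeScout’s own code or policy language. The attribute names, the rule order, the sanctioned-application list, the `PatchSystemUnavailable` failure signal and the simulated patch-system clients are all assumptions made for the example.

```python
"""Added example (not ForeScout's code): a first-match NAC policy over the
attributes the text lists, followed by an endpoint compliance check whose
remediation goes to a third-party patch system first and falls back to
direct remediation when that system fails.  Attribute names, rule order,
the sanctioned-application list and the simulated patch clients are all
constructed for this illustration."""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List, Optional

# Constructed policy constants
BUSINESS_HOURS = (time(7, 0), time(20, 0))
SANCTIONED_APPS = {"office", "browser", "vpn-client"}
HEADLESS_TYPES = {"printer", "ip_phone"}   # cannot do 802.1X; admitted by profile


@dataclass
class Endpoint:
    mac: str
    device_type: str                 # "windows", "ios", "printer", ...
    owner: str                       # "corporate" or "personal"
    user_role: Optional[str]         # "employee", "contractor", "guest" or None
    connection: str                  # "wired", "wireless" or "vpn"
    connect_time: time
    posture: Dict[str, object] = field(default_factory=dict)


def compliance_exposures(ep: Endpoint) -> List[str]:
    """Evaluate the profiled posture against the five exposure classes listed above."""
    p, found = ep.posture, []
    if p.get("missing_patches"):
        found.append("unpatched_vulnerabilities")
    if p.get("firewall_enabled") is False or p.get("disk_encrypted") is False:
        found.append("security_misconfigurations")
    if set(p.get("apps", [])) - SANCTIONED_APPS:
        found.append("unsanctioned_applications")
    if not p.get("av_running", False):
        found.append("missing_host_defenses")
    if "usb_storage" in p.get("peripherals", []):
        found.append("unauthorized_peripherals")
    return found


def access_decision(ep: Endpoint) -> str:
    """First-match policy: 'allow', 'guest' (Internet only), 'limited'
    (remediation zone) or 'block'.  Rule order is an assumption."""
    in_hours = BUSINESS_HOURS[0] <= ep.connect_time <= BUSINESS_HOURS[1]
    if ep.device_type in HEADLESS_TYPES:           # printers/phones: profile, not credential
        return "allow" if ep.connection == "wired" else "block"
    if ep.user_role is None:                       # unknown user on an unknown device
        return "block"
    if ep.user_role == "guest" or ep.owner == "personal":
        return "guest"
    if ep.user_role == "contractor" and not in_hours:
        return "block"
    return "limited" if compliance_exposures(ep) else "allow"


class PatchSystemUnavailable(Exception):
    """Raised by the third-party patch client when it cannot service the host."""


PatchClient = Callable[[str, List[str]], None]
PATCH_REQUESTS: List[tuple] = []                   # what the working client was asked to do


def recording_patch_client(mac: str, patches: List[str]) -> None:
    """Simulated third-party patch system that accepts the request."""
    PATCH_REQUESTS.append((mac, tuple(patches)))


def failing_patch_client(mac: str, patches: List[str]) -> None:
    """Simulated third-party patch system that is down."""
    raise PatchSystemUnavailable(mac)


def remediate(ep: Endpoint, patch_client: PatchClient) -> List[str]:
    """Fix each exposure in place and return the remediation path taken.
    Patches go to the third-party system first; if it fails, fall back to
    direct remediation (the platform pushes the patch itself)."""
    actions = []
    for issue in compliance_exposures(ep):
        if issue == "unpatched_vulnerabilities":
            try:
                patch_client(ep.mac, list(ep.posture["missing_patches"]))
                actions.append("patches:third_party")
            except PatchSystemUnavailable:
                actions.append("patches:direct")
            ep.posture["missing_patches"] = []
        elif issue == "missing_host_defenses":
            actions.append("av:reinstall_agent")
            ep.posture["av_running"] = True
        elif issue == "unauthorized_peripherals":
            actions.append("peripheral:disable_usb_storage")
            ep.posture["peripherals"] = [d for d in ep.posture["peripherals"] if d != "usb_storage"]
        elif issue == "security_misconfigurations":
            actions.append("config:enforce_baseline")
            ep.posture["firewall_enabled"] = ep.posture["disk_encrypted"] = True
        elif issue == "unsanctioned_applications":
            actions.append("apps:notify_user")       # not auto-removed; stays an exposure
    return actions


def sample_laptop(connect_hour: int = 9) -> Endpoint:
    """Constructed corporate laptop: one missing patch and a USB drive attached."""
    return Endpoint("00:11:22:33:44:55", "windows", "corporate", "employee",
                    "wired", time(connect_hour, 30),
                    posture={"missing_patches": ["KB-EXAMPLE-1"], "av_running": True,
                             "firewall_enabled": True, "disk_encrypted": True,
                             "apps": ["office"], "peripherals": ["usb_storage"]})


if __name__ == "__main__":
    laptop = sample_laptop()
    print(access_decision(laptop), compliance_exposures(laptop))
    print(remediate(laptop, failing_patch_client))
    print(access_decision(laptop))
```

The point of the fallback branch is the one the paragraph makes: the existing patch system is tried first, and the platform only remediates directly when that call fails, after which the same compliance evaluation admits the host.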

20 CounterACT RemoteControl is scheduled to be released in late 2014. See ForeScout’s web site for more details.


3) Mobile security

Mobile Device Management (MDM) systems are commonly used to centrally manage mobile devices. However, MDM systems lack the ability to see unenrolled devices on the network, or to prevent them from accessing the network.

ForeScout’s pervasive network security platform resolves this limitation by detecting mobile devices as they connect, assessing whether they have the MDM agent installed, and restricting network access if appropriate. In the case where an approved device is missing the MDM agent, ForeScout’s platform can redirect the user to an MDM enrollment screen. This automation saves time, both for the end user and the help desk.

For high security environments, ForeScout’s platform can trigger the MDM system to conduct a compliance check of each MDM-managed device the moment the device tries to access the network. Should the device fail the compliance test, ForeScout can restrict or remove its network access until the device once again passes the compliance test. Since this is done at the network level, it is much easier than alternative approaches which remove network access at the device level.

4) Threat management

By itself, an advanced threat detection (ATD) system will tell you which endpoint systems may be compromised. That’s good information, but it leaves the IT security administrator with an alert that needs to be responded to. In the case of the famous Target breach, an alert such as this was never responded to. This mistake cost Target millions of dollars of damage.

ForeScout’s platform allows IT security managers to automate mitigation and remediation actions. When an ATD system suspects that a device has been compromised, it can inform our product, which can then take whatever actions you wish, including:

• quarantine the endpoint

• report details about the host to other systems, for example a Security Information and Event Management (SIEM) system. The information can include the name of the logged-on user, missing patches, antivirus status, running processes, applications installed, external devices connected, location of the endpoint, IP address, and device type. This contextual information greatly improves the ability of IT security managers to analyze and respond to security alerts produced by ATD systems.

• trigger a vulnerability assessment scan by a third party product

• notify the end-user and/or administrator via email or SMS

• trigger a remediation system

In addition, our platform includes patented ActiveResponse™ technology, which can detect and prevent the propagation of malware or hackers inside your network. ActiveResponse does not utilize signatures and has proven to be effective against Conficker, Zeus, Stuxnet and Flame on day zero, before any security company had developed a signature for these attacks.

5) Compliance — internal and regulated

Compliance frameworks have common requirements with regard to inventory, system integrity, vulnerability assessment, malware, wireless security, network and perimeter defenses, data protection, access control, and audit specifications. ForeScout’s platform supports and fortifies many of these controls, processes and audit tasks.

For example, ForeScout’s dynamic asset intelligence functionality gives organizations a more timely and accurate understanding of hardware and software deployment, configurations, endpoint protection, threats and violations, rogues and operational gaps. Through active mitigation mechanisms, ForeScout can improve an organization’s compliance with security standards such as host defense.


SIEM, log management, and Governance, Risk and Compliance (GRC) systems allow organizations to document compliance controls and effectiveness through reporting, auditing and forensics functionality. ForeScout’s support for syslog, SNMP, LEEF, and Common Event Format (CEF) allows our platform to integrate with these systems to capture, retain and analyze events generated by our platform such as real-time network access violations, endpoint compliance problems, and mobile security issues — as well as mitigation and remediation actions provided by our platform.

In addition, ForeScout’s platform helps organizations simplify deployment and ongoing use of log-oriented systems by facilitating logging activation and enabling vigilant monitoring of logging sources — a crucial part of any successful SIEM program. Our platform can identify known and new endpoint devices as they connect to the network, and can dynamically:

• check for the presence and activity of a logging application or service

• install or reactivate the logging application or service

• enforce or change a logging application or service
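As an added example for the syslog/CEF export described above and for the ATD-driven response actions in the Threat management use case (quarantine, enriched report to the SIEM, notification, remediation), here is a small parser for CEF records (the ArcSight Common Event Format the paragraph names) run over constructed sample syslog lines, plus a dispatcher that turns the events into response actions. This is example code written for this page, not ForeScout’s code or its event schema; `ExampleVendor`, the signature IDs 100/200/900, the custom-string (`csN`/`csNLabel`) field names and the sample log lines are all constructed.

```python
"""Added example (not ForeScout's code): parse CEF-formatted endpoint
events of the kinds the text lists (access violation, compliance
violation, ATD infection verdict) and derive the policy-based response
actions: quarantine, enriched report to the SIEM, notification and
remediation.  Vendor/product names, signature IDs, field names and the
sample syslog lines are constructed for this illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# CEF extension: key=value pairs; a value may contain spaces, so a new pair
# only starts where whitespace is followed by "key=".
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class CefEvent:
    vendor: str
    product: str
    version: str
    signature_id: str
    name: str
    severity: int
    ext: Dict[str, str] = field(default_factory=dict)


def _split_header(body: str) -> List[str]:
    """Split the text after 'CEF:' on unescaped '|' into the seven header
    fields plus the extension (CEF escapes a literal '|' as backslash-pipe)."""
    fields, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped character
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:                   # everything after is the extension
                fields.append(body[i + 1:])
                return fields
            i += 1
            continue
        cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    f = _split_header(line[start + 4:])
    if len(f) < 7:
        raise ValueError("truncated CEF header")
    ext = {}
    if len(f) == 8:
        for key, value in _EXT_RE.findall(f[7]):
            ext[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return CefEvent(f[1], f[2], f[3], f[4], f[5], int(f[6]), ext)


# Constructed sample events for one host as it connects, fails compliance
# and is then flagged by an advanced threat detection (ATD) system.
SAMPLE_LOG = """\
<13>Jun 04 10:01:02 nac01 CEF:0|ExampleVendor|NAC|1.0|100|Access violation|5|src=10.1.2.3 suser=jdoe cs1Label=deviceType cs1=Windows msg=Unknown device on corporate VLAN
<13>Jun 04 10:01:40 nac01 CEF:0|ExampleVendor|NAC|1.0|200|Compliance violation|4|src=10.1.2.3 suser=jdoe cs2Label=missingPatches cs2=KB-EXAMPLE-1,KB-EXAMPLE-2 cs3Label=avStatus cs3=stale
<13>Jun 04 10:02:15 atd01 CEF:0|ExampleVendor|ATD|2.1|900|Host infected|9|src=10.1.2.3 dst=203.0.113.7 msg=Beaconing to known C2 act=alert
"""


def plan_response(lines: List[str]) -> List[Dict[str, object]]:
    """Map events to response actions.  Host context from earlier NAC events
    (user, device type, missing patches, AV status) is carried into the
    report that accompanies a quarantine, which is the enrichment the text
    describes."""
    context: Dict[str, Dict[str, str]] = {}
    actions: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_cef(line)
        host = ev.ext.get("src", "unknown")
        ctx = context.setdefault(host, {})
        for n in range(1, 7):                      # fold csNLabel/csN pairs into named fields
            label, value = ev.ext.get(f"cs{n}Label"), ev.ext.get(f"cs{n}")
            if label and value is not None:
                ctx[label] = value
        if "suser" in ev.ext:
            ctx["user"] = ev.ext["suser"]
        if ev.product == "ATD" and ev.severity >= 8:
            actions.append({"action": "quarantine", "host": host})
            actions.append({"action": "report_to_siem", "host": host, "context": dict(ctx)})
            actions.append({"action": "notify_admin", "host": host, "reason": ev.name})
        elif ev.signature_id == "200":
            todo = []
            if ctx.get("missingPatches"):
                todo.append("install_patches:" + ctx["missingPatches"])
            if ctx.get("avStatus") not in (None, "current"):
                todo.append("update_av_signatures")
            actions.append({"action": "remediate", "host": host, "todo": todo})
        elif ev.signature_id == "100":
            actions.append({"action": "log_violation", "host": host})
    return actions


if __name__ == "__main__":
    for act in plan_response(SAMPLE_LOG.splitlines()):
        print(act)
```

The parser handles the two CEF escaping rules that trip up naive `split("|")` code (a literal pipe in a header field, a literal `=` in an extension value); the dispatcher keeps per-host context across events so the quarantine report carries the user, missing patches and AV status learned before the ATD verdict arrived.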

Differentiation

ForeScout’s pervasive network security platform is different from other systems available on the market today. Many of the features and functions previously described are unique to ForeScout, and some of them involve patented technologies. In addition, the following general characteristics distinguish our product from others on the market.

1) Vendor agnostic

Our platform works with existing infrastructure and typically does not require any change of architecture or equipment upgrades. Additionally, ForeScout ControlFabric provides a variety of standards-based integration mechanisms which enable Independent Software Vendors (ISVs), system integrators, and customers to build custom integrations with other systems. Combined, these characteristics mean that our customers gain greater operational flexibility and avoid vendor lock-in when they choose our product.

2) Rapid implementation

Customers can deploy our platform quickly and easily. Typically, our large customers can completely deploy our system within a few weeks, spanning multiple locations and tens of thousands of network devices. Most of our customers have public reference restrictions, but those who have agreed to publish their success stories, as listed on our website, list “fast and easy implementation” among the commonly observed advantages.

3) Agentless operation

A key differentiator of ForeScout’s solution is the ability to operate without agents. An agentless approach expedites deployments, lowers initial deployment cost, and reduces ongoing management burden. It also simplifies supporting the multitude of devices connecting to your network, including BYOD devices and specialized equipment.

In some instances, agents are helpful to obtain additional information and effectuate controls on the endpoint. For example, ForeScout has created specialized agents for iOS and Android devices that can deeply inspect these devices and report information back to CounterACT. This information can then be used within security policies, for example to prevent jailbroken or rooted devices from connecting to the network.


4) Centralized or decentralized deployment

Organizations today vary in their network architecture. Some have hub-and-spoke infrastructures and some use MPLS cloud architectures. Infrastructure services such as Internet access, DHCP, DNS, and Active Directory may be centralized or distributed.

Regardless, ForeScout’s pervasive network security appliances can be deployed in either a centralized or decentralized manner. We help customers make their deployment decision by reviewing their specific project goals and network infrastructure. Even when ForeScout appliances are deployed in a centralized manner, all of the real-time discovery, visibility, network access control, and endpoint remediation features are available.

5) Scalability

Our platform has proven ability to scale to over 500,000 endpoints. CounterACT utilizes a two-tier appliance architecture with centralized management capability that can be further subdivided by geography, business function or other security requirement, across a global enterprise. From a single console, an administrator can see and control hundreds of thousands of connected devices and can easily configure and maintain policies automatically across the entire enterprise.

Figure 11: Large, distributed organizations can deploy ForeScout CounterACT in a centralized fashion to save time and money


Conclusion

IT security tools and practices of yesteryear are overly focused on management agents, periodic assessments, disparate point solutions, and manual response processes. Enterprises must evolve their security architectures to better align with today’s complex, diverse, dynamic IT environments and burgeoning threat landscape. Enterprises should move in the direction of security architectures that emphasize:

• continuous monitoring of all users, devices, systems and applications on the network, including unmanaged, transient and non-compliant devices

• integration between multi-vendor security and management systems to share security intelligence and enhance control context

• fast, automated response to violations, exposures and indications of compromise (IoC)

ForeScout’s pervasive network security platform allows IT organizations to realize the benefits outlined above. Our platform aligns well to Gartner’s Adaptive Security Architecture and to a majority of the critical capabilities that Gartner and other leading security industry analyst firms recommend. Furthermore, we provide connectivity and integration with over sixty hardware and software products. And we support open standards-based APIs that give our customers and partners the means to create their own closed-loop security architectures to protect against today’s threats.

ForeScout’s pervasive network security is not a vision — it is in active use by more than 1500 enterprise and government customers and thousands of security administrators in over 54 countries.


©2014 ForeScout Technologies, Inc. All rights reserved. ForeScout Technologies, the ForeScout logo, ActiveResponse, CounterACT, and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: 2014.0139

ForeScout Technologies, Inc. 900 E. Hamilton Ave., Suite 300, Campbell, CA 95008 U.S.A.

T 1-866-377-8771 (US) T 1-408-213-3191 (Intl.) F 1-408-371-2284 www.forescout.com


About ForeScout Technologies

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company’s CounterACT appliance dynamically identifies and assesses network users, endpoints and applications to provide visibility, intelligence and policy-based mitigation of security issues. ForeScout’s open ControlFabric technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout’s solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.