© 2013 ForeScout Technologies, Page 1
Wallace Sann | CISSP-ISSEP, CIPP/G
Director of Systems Engineering
Complete Visibility for Endpoint Compliance and SIEM Incident Response
April 23, 2013
About ForeScout
ForeScout is the leading global provider of real-time network security solutions for Global 2000 enterprises and government agencies.
Large Deployments
• Financial institutions, government…
• Scalability - 1M+ endpoints
Federal Validation
• NIAP CC EAL 4+
• DISA UC APL
• FIPS 140-2
At a Glance
• Founded in 2000, 160+ employees, HQ in Cupertino, CA
• Global company, customers, support
• Dominant independent vendor of Network Access Control (NAC)*,**,***
• BYOD, endpoint compliance and cloud fueling growth
*Magic Quadrant for Network Access Control, December 2012, Gartner Inc.
**Forrester Wave Network Access Control, Q2-2011, Forrester Research
***Analysis of the NAC Market, February 2012, Frost & Sullivan
Over 1400 Enterprise Deployments
Austrian Post AG
ForeScout Offerings
ForeScout Automated Security Control Platform
• Interoperable
• Scalable
• Agentless
• Knowledgebase
Network Access Control
• Infrastructure agnostic
• 802.1X, VLAN, ACL
• Block unauthorized users and devices
• Register guest
Endpoint Compliance
• Find and fix security gaps
• Enterprise toolset integrations
• Incident Response
Mobile Security
• Enable BYOD
• Unified Visibility & Control
• Dual Protection
• Integrate MDM
Visibility
• Clientless
• Built-in profiling
• HW/SW Inventory
• Who, what, when, where
Access is more dynamic… Threats are broader, faster and more complex…
Common Organizational Assumptions
① Visibility on all network endpoints
② Managed all access to network resources
③ Wireless security is uniform
④ All host based protection is active
⑤ Configurations are locked / tracked
⑥ Logging is always maintained
⑦ Contractor access is limited
⑧ Preempt unwanted apps
⑨ All data leakage monitored
⑩ BYOD is ok… guest network or MDM
Extended Network & Dynamic Threats
Visibility and Control Gaps
Figure: endpoints, network devices, applications, government resources, users and non-GFE devices. Visible endpoints (host config. issue… unwanted application… patch / host security agent not installed…): protection possible. Unknown ("?") endpoints: little protection possible.
CounterACT: Continuous Monitoring & Remediation
Proven Platform for Real-time Visibility and Automated Control
Figure: Complete Visibility (device discovery, profiling [HW/SW USER LOC ...]; fully functional clientless interrogation of endpoints); Continuous Monitoring (host inspection & McAfee ePO); Enforcement / Remediation (port-based enforcement [with or without 802.1X], natively or with 3rd party integration); Incident Response / Compliance Dashboard (McAfee ESM).
Challenge
• Asset visibility
• Access and threat dynamics
• Endpoint and infrastructure diversity
• Port authentication and control
• STIG, IAVA and CCRI difficulty
Solution
• Pre-admission user/device authentication and authorization
• Continuous endpoint diagnostics, posture assessment and mitigation
• Port-based control and broad device policy enforcement
• Infrastructure agnostic, interoperable, scalable, works with enterprise tool sets
Bridges the Gap with Enterprise Tool Sets
Figure: port based security and authentication with or without 802.1X, covering users, computers, servers, switches, printers, VoIP devices, USB devices, mobile devices and all other devices (Linux/Unix/Mac/Windows/iOS/Android, all applications) connecting by VPN or direct access. Integrated enterprise tool sets: patch management, VA, ESM, MDM/BYOD, ePO, asset management.
ForeScout CounterACT in Action
Rapid implementation, accelerated time-to-value, automation
① Port-control DISA-STIG adherence
– Visibility and control without disrupting user experience
– 802.1X & Non-802.1X control with assured rollout
② Independent verification and validation
– Automate: detect, classify, report on all non-compliant devices
– Reduce manual expense: ticketing, investigation and audit
③ Asset intelligence, HBSS Deployment, CCRI, IAVA
– Dynamically see and resolve host agent, config. and security gaps
– Rich integration: McAfee ePO, SIEM, data source …
– Real time Situational Awareness of all endpoints connected to or attempting to connect to a DOD enclave
– Medical device detection, classification and isolation
④ Personal and rogue device mitigation
– Classify, block, limit mobile devices: Smartphone, tablet, WAP…
– No CERT ticket issued, no manual response, full port control
ForeScout CounterACT Certified Integration with McAfee ePO & EPP
McAfee ePO Integration
• Certified integration with ePO
• Rogue System Detection (RSD) sensor – network admission events
• CounterACT real-time inspection informs ePO
• Endpoint protection policy assurance
• Fortifies HBSS compliance
Enterprise Tool Sets - HBSS
HBSS Framework Implementation status
McAfee ESM Integration
Figure: sources feeding the SIEM are DLP and other sources, routers (AV logs, system events, network events), security devices (FW, IPS/IDS, VPN events, privacy violations), database and application events, and endpoints + BYOD via ForeScout.
① ForeScout sends both low-level (who, what, where) and high-level (compliance status) information about endpoints to the SIEM
② SIEM correlates ForeScout information with information from other sources and escalates threat level of incidents when the end-point is non-compliant
③ SIEM provides LOB based compliance dashboards/reports
④ SIEM initiates automated remediation action using ForeScout
⑤ ForeScout takes remediation action on endpoint
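The five-step exchange above, as an added example that is not part of the original deck and not ForeScout's or McAfee's product code: a constructed Python model of the correlation step, in which the SIEM looks up each event's source address in the NAC-supplied posture data, raises the incident's threat level one step when that endpoint is non-compliant, derives the remediation request it would hand back to the NAC, and summarises compliance per line of business for the dashboards. The field names, the four-level severity scale, the isolate-versus-remediate threshold and all sample endpoints and events are assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Threat levels in ascending order; escalation moves one step up this list.
# The scale itself is an assumption of this example.
SEVERITY_ORDER = ("low", "medium", "high", "critical")


@dataclass(frozen=True)
class EndpointPosture:
    """Low-level (who/what/where) plus high-level (compliance) data the
    NAC forwards to the SIEM. Field names are this example's own."""
    ip: str
    user: str
    host: str
    location: str
    lob: str                       # line of business, for per-LOB reporting
    compliant: bool
    failed_checks: Tuple[str, ...] = ()


@dataclass(frozen=True)
class SiemEvent:
    """One security event as the SIEM holds it (source, address, level)."""
    source: str                    # e.g. IPS, AV, FW
    src_ip: str
    severity: str
    message: str


@dataclass(frozen=True)
class Incident:
    event: SiemEvent
    posture: Optional[EndpointPosture]   # None when the NAC has no record
    severity: str                        # threat level after correlation
    remediation: Optional[str]           # action the SIEM asks the NAC to take


def escalate(severity: str) -> str:
    """Raise the threat level one step, saturating at the top of the scale."""
    idx = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[min(idx + 1, len(SEVERITY_ORDER) - 1)]


def plan_remediation(posture: EndpointPosture, severity: str) -> str:
    """Decide what to ask the NAC to do with a non-compliant endpoint.
    Illustrative policy: high or critical incidents are isolated, lesser
    ones get the failed controls restored on the endpoint."""
    if SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index("high"):
        return f"isolate {posture.host} ({posture.ip}) to remediation VLAN"
    return f"remediate {posture.host}: " + ", ".join(posture.failed_checks)


def correlate(events: List[SiemEvent],
              postures_by_ip: Dict[str, EndpointPosture]) -> List[Incident]:
    """Join each event to NAC posture by source IP; escalate and plan an
    action only when the endpoint is known and non-compliant."""
    incidents = []
    for ev in events:
        posture = postures_by_ip.get(ev.src_ip)
        severity, action = ev.severity, None
        if posture is not None and not posture.compliant:
            severity = escalate(ev.severity)
            action = plan_remediation(posture, severity)
        incidents.append(Incident(ev, posture, severity, action))
    return incidents


def compliance_by_lob(postures: List[EndpointPosture]) -> Dict[str, Tuple[int, int]]:
    """(compliant, total) per line of business, the input to LOB dashboards."""
    summary: Dict[str, Tuple[int, int]] = {}
    for p in postures:
        ok, total = summary.get(p.lob, (0, 0))
        summary[p.lob] = (ok + (1 if p.compliant else 0), total + 1)
    return summary


# Constructed sample data (not captured from any real network).
POSTURES = [
    EndpointPosture("10.0.1.20", "jdoe", "WS-FIN-01", "HQ-3F", "Finance", True),
    EndpointPosture("10.0.1.45", "asmith", "WS-FIN-07", "HQ-3F", "Finance", False,
                    ("hbss_agent_not_running", "iava_patch_missing")),
    EndpointPosture("10.0.2.11", "contractor1", "LT-UNK-22", "Branch-2", "Retail", False,
                    ("av_definitions_stale",)),
]
EVENTS = [
    SiemEvent("IPS", "10.0.1.45", "medium", "outbound scan signature matched"),
    SiemEvent("AV", "10.0.1.20", "medium", "malware quarantined"),
    SiemEvent("FW", "10.0.2.11", "low", "denied connection to blocked port"),
    SiemEvent("FW", "10.0.9.9", "high", "denied inbound connection"),  # no NAC record
]
POSTURES_BY_IP = {p.ip: p for p in POSTURES}


def run_demo() -> List[Incident]:
    incidents = correlate(EVENTS, POSTURES_BY_IP)
    for inc in incidents:
        who = inc.posture.user if inc.posture else "unknown"
        print(f"{inc.event.source:3} {inc.event.src_ip:10} {who:12} "
              f"{inc.event.severity:>6} -> {inc.severity:<8} {inc.remediation or '-'}")
    return incidents


if __name__ == "__main__":
    run_demo()
    print(compliance_by_lob(POSTURES))
```

The compliant workstation and the endpoint with no NAC record keep their original severity and get no action; only the non-compliant hosts are escalated, and the one whose incident crosses the isolate threshold is pushed to a remediation VLAN while the other has its stale control restored.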
ForeScout + McAfee = Wirespeed Incident Response
McAfee ESM Correlated Event, Triggers CounterACT Response
Centralized Deployment
Decentralized Deployment
Enterprise Deployment
Visibility then Control
Crawl
• Deployment
• Discovery
• RBAC & administration
• HBSS client issues
• 802.1X issues
• A/V issues
• IAVA scanning
• Reporting/Notifications
• Monitoring
Walk
• Authentication
• Remediation
• Access Control
• Integrate with ePO
• Integrate with SIEM
• Asset Management
• Mobile policies
• Block rogue device
• Custom Scripts
Run
• Full enforcement
• Actions from ePO
• Actions from SIEM
• Asset management using authentication
• Adv custom scripts
• Integrate with MDM
• Integrate with other GOTS & COTS products
Immediate ROI
Flexible to meet Mission and Security Requirements
Coordination - Training - Documentation
Continuous Compliance Case Study: Financial Institution
Business Problem
• No real-time network intelligence: who/where/what endpoints, users, AP
• Material gap on endpoints and network devices compliance
• No control over corrupted, inactive or non-existent endpoint agents
• Slow response: can't quickly and easily identify, isolate and remediate
McAfee ESM/ePO
• Dashboards: assets, violations, incidents, threats
• Enterprise-wide policy, event correlation & log management
• On-demand incident and compliance reporting per LOB
• ESM correlated events trigger NAC to isolate or resolve issue
ForeScout CounterACT Network Access Control
• Real-time visibility: all users / devices / apps / rogue devices
• Asset profiles, access, violations and actions sent to SIEM
• Automated remediation of endpoint security and configuration agents
• Works with existing McAfee ePO, ESM and endpoint protection products
Benefits
• Enterprise threat visibility
• Reduced business risk
• More responsive security
• Operational efficiency
• Automated remediation
• Endpoint compliance
• Demonstrable GRC gain
Continuous Compliance, Remediation
NAC Accelerates IT-GRC Automation
Visibility
• Greater Threat Dynamics and Response Impact
• Requires full visibility in real-time.
• Network asset intelligence: Who, What, Where.
Automation
• Next-Gen NAC Closes Operational Gaps
• Automate authentication
• Automate compliance verification and remediation
• Automate access control.
Interoperability
• Demonstrable IT-GRC Value
• Increases situational awareness
• Increases IT / security responsiveness
• Effectuates GRC policy
ForeScout CounterACT Advantages
• Easy to use and deploy with low TCO
Hybrid 802.1X/agentless approach; works within existing/legacy environment
Easy, centralized administration; high availability, scalable, non-disruptive
• Real-time situational awareness
All users, devices, applications - infrastructure agnostic
Wired & wireless - managed & rogue - VMs, PC, mobile & embedded
• Rapid results and time-to-value
Broad application: Comply to Connect, STIG, Command Cyber Readiness Inspection (CCRI), IAVA, HBSS assurance
• Flexible control with bi-directional intelligence
Extensible templates and controls with robust SIEM, HBSS, CMDB and directory integration
Resources / Q&A
• Learn more about ForeScout CounterACT and McAfee-ForeScout joint solutions
http://www.forescout.com/support2/resources/
ForeScout, McAfee ESM solution brief
ForeScout, McAfee ePO solution brief
*This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
** The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
***Frost & Sullivan chart from 2012 market study "Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth", base year 2011, n-20
Questions?
CounterACT Product Family

Model               CTR         CT-100      CT-1000     CT-2000     CT-4000             CT-10000
Concurrent Devices  100         500         1000        2500        4000                10000
Bandwidth           100 Mbps    500 Mbps    1 Gbps      2 Gbps      4 Gbps or 10 Gbps   4 Gbps or 10 Gbps
VLAN Support        Unlimited   Unlimited   Unlimited   Unlimited   Unlimited           Unlimited

Model               VCTR        VCT-100     VCT-1000    VCT-2000    VCT-4000            VCT-10000
Concurrent Devices  100         500         1000        2500        4000                10000
CPU                 1           2           2           2           4                   10
RAM / HD Space      1GB / 80GB  1.5GB / 80GB 2GB / 80GB 4GB / 80GB  6GB / 80GB          16GB / 80GB