It’s Not Your Father’s NAC: Next-generation NAC

© 2013 ForeScout Technologies, © 2014 ForeScout Technologies

InfoSec Trends – Continuous Monitoring and Response

Challenges
– Information security doesn't have the continuous visibility it needs to detect advanced attacks
– Detective, preventive, response and predictive capabilities from vendors have been delivered in non-integrated silos, increasing costs and decreasing effectiveness

Recommendations
– Shift your security mindset from "incident response" to "continuous response"
– Favor context-aware network, endpoint and application security protection platforms …
– Architect for comprehensive, continuous monitoring at all layers of the IT stack…

Source: Gartner, Inc. “Designing an Adaptive Security Architecture for Protection From Advanced Attacks”, February 2014, MacDonald, Firstbrook

Continuous Monitoring & Mitigation Challenges

Inadequate Visibility
• Transient Devices
• BYOD Devices
• Broken Managed Devices

Inadequate Collaboration
• MDM
• VA
• Patch
• APT

Detection-Mitigation Gap

Impacts to the Enterprise

Greater IT Security Risks
• Rogue devices
• System breach
• Data leakage
• Compliance violation

Greater IT Costs
• Investigation
• Mitigation

+IT Risks

+IT Costs

Desired State

Real-time Visibility + Coordinated Controls

• Ticketing
• Remediation
• Systems Management
• Endpoint Security
• Wireless
• SIEM
• Switches
• MDM
• AAA
• Vulnerability

Complete Situational Awareness

Real-time Network Asset Intelligence

Architecture for Real-Time Visibility

1) Span port / TAP

WHAT?
• IP Address
• OS
• Browser Agent
• Ports/Protocols

2) Interrogate the Device

Health?
• Apps
• Services
• Processes
• Registry
• Patches
• Encryption
• Antivirus

3) Leverage your infrastructure (SNMP reads, LDAP, switches, wireless, VPN, etc.)

WHERE?
• Controller IP
• SSID
• VLAN

WHO?
• User
• Name
• Email
• Title
• Groups

Architecture for Real-Time Visibility... and Control

Control at Device
• Alert the End User
• Auto-Remediate

Control w/Traffic
• HTTP Guest Registration
• HTTP Alerting
• IPS
• Virtual Firewall

Control w/Architecture
• Dynamic ACL (SSH or Telnet)
• VLAN Change (SNMP Write)
• Shut off a port (SNMP Write)
• Push information to SIEM

Taking Visibility and Control to the Next Level

User Behavior
• Visibility: Policy violations; Audited responses; Trouble ticket requests
• Management: User notification; User “signed” acceptance; Self-remediation
• Control: Worm quarantine; User hacking prevention

User Information
• Visibility: User name; Authentication status; Group membership
• Management: Role-based policy; Multiple guest policies
• Control: Guest access; Role-based quarantine

Applications
• Visibility: Application installed, running; Registry values; Compliance reporting
• Management: Application whitelist; Software remediation
• Control: Application blocking; Application enforcement

Operating Systems
• Visibility: OS fingerprint (patch, services); Compliance reporting; Antivirus reporting
• Management: Vulnerability awareness; Patch management; Antivirus updates
• Control: Process blocking; Registry locking

Device / Peripherals
• Visibility: Device type; IP address, MAC address; USB peripherals
• Management: Inventory management; Device-based policy; Data loss prevention
• Control: Shutdown, disable; Multi-home, 3G modem, USB blocking, worm prevention

Physical Layer
• Visibility: Switch, port, VLAN; Geographic location; Number devices on port
• Management: Role-based access; Policy-based firewall; VPN status
• Control: Port control (802.1X, SNMP); ACL and VLAN

Information Exchange and Response Automation

Next-Gen NAC
• NGFW / VPN
• AAA
• Security Gateway
• VA/DLP
• SIEM
• GRC
• MDM / MAM
• Host Controls
• System Management

Use Case Example: Threat Management

Is it authorized?

Is it attacking?

Is it breached?

• Quarantine
• Remediate
• Investigate

Next-Gen NAC

Continuous Monitoring and Mitigation

Endpoint Mitigation

Endpoint Authentication & Inspection

Network Enforcement

Information Integration

Continuous Visibility

Next-Gen Network Access Control

SIEM Interoperability

ForeScout App for Splunk

CFI Alert

Vulnerability Assessment Interoperability

MDM Interoperability

Advanced Threat Detection Interoperability

The Players….

**NAC Competitive Landscape, April 2013, Frost & Sullivan

*Magic Quadrant for Network Access Control, December 2013, Gartner Inc.

*This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner, Inc. "Magic Quadrant for Network Access Control," Report G00249599, December 12, 2013, Lawrence Orans.

**Frost & Sullivan 2013 report NC91-74, “Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth”. Chart base year 2012.

NAC features to look for

Fast and easy to deploy
• Agentless and non-disruptive
• Scalable, no re-architecting

Infrastructure Agnostic
• Works with mixed, legacy environment
• Avoid vendor lock-in

Flexible and Customizable
• Optimized for diversity and BYOD
• Supports open integration standards

Pervasive Network Security an IT Game Changer

Pervasive Network Security