1

ForeScout Technologies Inc.

Frontline Defense against Network Attack

Tim Riley, Forescout


2

ActiveScout Solution

ActiveScout solution provides:
– Preemptive identification of potential attackers
– Accurate identification of potential attackers to reduce false positives to zero
– Automatic action to block attackers in real time
– Minimal installation and daily operational costs

3

Evolution of Perimeter Protection

Firewall: Provides robust static security according to predefined policies

4

Evolution of Perimeter Protection

IDS: Sends alerts when attack is recognized and already through the firewall

5

Evolution of Perimeter Protection

Frontline Network Defense

ActiveScout: Provides accurate detection and blockage of known and unknown attacks before they reach the network

6

Typical Attack Process without ActiveScout

[Diagram: Attacker, Internet, Router, Firewall, IDS, Enterprise. Label: Port Scan launched]

The majority of network attacks are preceded by reconnaissance activity. In this example, a port scan is used. These recon techniques seldom change.

7

Typical Attack Process without ActiveScout

[Diagram: Attacker, Internet, Router, Firewall, IDS, Enterprise. Label: Network responds with legitimate, available services]

The network sends information about hosts and services in response to the recon. This information may be used to subsequently exploit the network.

8

Typical Attack Process without ActiveScout

[Diagram: Attacker, Internet, Router, Firewall, IDS, Enterprise. Label: Exploit is launched]

Utilizing the network information received, the attacker uses existing or new exploits to attack network hosts and services and effectively breaks into the network.

9

ActiveScout Frontline Network Defense

[Diagram: Attacker, Internet, Router, ActiveScout, ActiveScout Console, Firewall, IDS, Enterprise. Label: Port Scan launched]

The attacker uses reconnaissance techniques, a port scan in this example, to discover potentially vulnerable network resources.

10

ActiveScout Frontline Network Defense

[Diagram: Attacker, Internet, Router, ActiveScout, ActiveScout Console, Firewall, IDS, Enterprise. Labels: ActiveScout responds with virtual services; Network responds with available services]

ActiveScout identifies recon activity and watches for the network to respond. It then generates marked traffic that is sent back to the potential attacker. This traffic is not distinguishable from legitimate network traffic.

11

ActiveScout Frontline Network Defense

[Diagram: Attacker, Internet, Router, ActiveScout, ActiveScout Console, Firewall, IDS, Enterprise. Label: Exploit is launched]

When the attacker next uses the marked information to launch an exploit, ActiveScout with ActiveResponse technology then identifies the marked traffic. The attack is accurately identified and optionally blocked by ActiveScout or the firewall if desired.

12

ActiveResponse Technology

Patented technology that:
– Identifies all reconnaissance activity
– Replies to the recon attempt with an authentic-looking response, created on the fly and registered within ActiveScout
– Identifies potential attacks based on this ‘marked information’ and optionally blocks them, regardless of attack method

Result: Accurately identifies attackers and then prevents them from implementing new and/or existing attacks against the network.
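
The register-then-match logic described on the preceding slides, as an added example that is not from the original presentation and is not ForeScout's code. The slides do not say how a mark is encoded; this sketch assumes a mark is a virtual (address, port) endpoint that does not exist on the real network, and the names MarkRegistry, MARK_TTL, the 'syn'/'data' event kinds and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: services that really exist on the protected network.
REAL_SERVICES = {("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.25", 25)}
MARK_TTL = 30 * 24 * 3600  # assumed lifetime, long enough to catch slow attackers

@dataclass
class MarkRegistry:
    marks: dict = field(default_factory=dict)    # (ip, port) -> (scanner, issue time)
    blocked: set = field(default_factory=set)    # sources caught using a mark

    def handle(self, ts, src, dst_ip, dst_port, kind):
        """Return the action for one event; kind is 'syn' (probe) or 'data'."""
        target = (dst_ip, dst_port)
        if src in self.blocked:
            return "drop"
        if target in REAL_SERVICES:
            return "pass"                        # real services are left alone
        mark = self.marks.get(target)
        live = mark is not None and ts - mark[1] <= MARK_TTL
        if kind == "syn":
            # Probe of something that does not exist: answer as a virtual
            # service and register which endpoint was handed out, and to whom.
            if not live:
                self.marks[target] = (src, ts)
            return "reply-virtual"
        if live:
            # Only a recipient of the marked reply knows this endpoint, so a
            # session to it is tied to the earlier recon whatever the payload.
            self.blocked.add(src)
            return f"block (mark issued to {mark[0]})"
        return "ignore"

DAY = 24 * 3600
EVENTS = [  # constructed: (time, source, dst ip, dst port, kind)
    (0,           "203.0.113.7",  "192.0.2.50", 22,   "syn"),   # scan hits unused address
    (5,           "198.51.100.9", "192.0.2.10", 443,  "data"),  # ordinary client
    (10,          "198.51.100.9", "192.0.2.77", 8080, "data"),  # stray, never marked
    (3 * DAY,     "203.0.113.99", "192.0.2.50", 22,   "data"),  # marked info used later
    (3 * DAY + 1, "203.0.113.99", "192.0.2.10", 80,   "data"),  # blocked source retries
]

def run(events):
    registry = MarkRegistry()
    return [registry.handle(*event) for event in events], registry

if __name__ == "__main__":
    actions, _ = run(EVENTS)
    for event, action in zip(EVENTS, actions):
        print(event, "->", action)
```

The match is keyed on the marked endpoint rather than on the scanning source, so the fourth constructed event is caught even though it arrives three days later from a different address.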

13

ActiveScout Solution

Distinguishes real attacks from the noise
Scarce security resources are focused on the real crises and do not waste time on false positives

Identifies ‘low and slow’ attacks

Provides Closed Loop Perimeter Protection
After identifying an attacker ActiveScout can optionally:
– Automatically block attackers
– Have the firewall automatically block
– Update all ActiveScouts when an attacker has been identified to provide automatic perimeter lockdown

14

ActiveScout Management

“At-a-glance” attack situation display

Map identifies attacker location

Shows both current & historical data for trend analysis

Generates historical management reports

Enterprise Console consolidates information from multiple ActiveScouts

15

Summary

The ActiveScout solution utilizes patented ActiveResponse technology to provide Frontline Network Defense that:
– Eliminates false positives
– Prevents unknown attacks
– Reduces OpEx through automation
– Provides enterprise-wide protection