Introducing CounterACT 8: Visibility for the Extended Enterprise
Serkowitsch Eddie, Sr. Consulting Engineer EMEA

Introducing CounterACT 8 - LB-systems Edge 2006 ForeScout ships first ... ¤Run script to install application ¤Auditable end-user acknowledgement ¤HTTP browser hijack ¤Trigger endpoint


Page 1

Introducing CounterACT 8: Visibility for the Extended Enterprise

Serkowitsch Eddie, Sr. Consulting Engineer EMEA

Page 2

ForeScout

2000: ForeScout founded and raises $1.5M Series A
2001: ForeScout secures first beta customer
2002: ForeScout ships first product – CounterACT Edge
2006: ForeScout ships first agentless version of CounterACT®
2010: ForeScout reaches 100k devices on a single network
2014: ForeScout reaches 1M devices on a single network
2015: ForeScout raises $80M Series G at $1B valuation
2017: ForeScout lists on NASDAQ as FSCT

Page 3

Top-of-mind Business Issues

IT and OT Convergence
› OT networks are no longer physically separated
› Threats moving between cyber and physical dimensions
› Assets are highly critical and can rarely be patched

Growth of Devices and Platform Diversity
› Innumerable device-specific operating systems (OS)
› Cannot get agents onto new devices
› Cannot write agent-based software for every OS

Threats Targeting Non-Traditional Devices
› Threats targeting IoT and OT attack surface
› IT threats causing impact to OT networks
› Lead to service disruptions and revenue loss

ForeScout Confidential – Do Not Distribute

Figure: Corporate HQ (Information Technology) alongside Operational Technology (industrial control systems, critical infrastructure); 28 billion IP-based devices by 2020 (timeline 1990s to 2020).

Page 4

Visibility & Control Gap Vulnerability

Figure: timeline of the increasing surface area of attack (1990s to 2020): “Melissa” virus, “ILOVEYOU” virus, “Patch Tuesday”, breach through HVAC credentials, malware on POS machine, DDoS attack using IoT, disabling of AV agent.

Page 5

ForeScout Platform

Page 6

See: Discover, Classify, and Assess Devices on the Network

DISCOVER all IP-addressable devices at time of connect
CLASSIFY devices into categories using a rich set of data
ASSESS device security posture to take action

Example devices: personal laptop (BYOD), security camera (IoT), corporate managed desktop (corporate managed)

Properties collected per device:
› Type of device
› Location
› Connection type
› Hardware info
› MAC and IP address
› Certificate
› Name
› Authentication status
› Workgroup
› Email and phone number
› OS type
› Version number
› Registry
› File name, dates, and sizes
› Services and processes installed or running
› Installed
› Running
› Version number
› Registry settings
› File sizes
› Anti-malware / virus / DLP agents
› Patch management agents
› Encryption agents
› Firewall status
› Configuration
› Wired, wireless, and VPN
› Rogue devices
› Type of device
› Manufacturer
› Connection type
› Server name
› Server OS type
› Server vendor
› Guest OS information

Page 7

ForeScout Discovery and Profiling Sources

Figure: network diagram with external sources (Internet, firewall, AD / LDAP / RADIUS / DHCP, VPN client) and internal sources (VPN concentrator, core layer switch, distribution layer switch, guest LAN, corporate LAN).

Who? • USER • NAME • EMAIL • TITLE • GROUPS
What? • FUNCTION • OS • VENDOR • MAC ADDRESS • IP ADDRESS • BROWSER AGENT • PORTS • PROTOCOLS
Where? • SWITCH • CONTROLLER • PORT / SSID / VLAN
Posture? • APPS • SERVICES • PROCESSES • VERSIONS • REGISTRY • PATCHES • ENCRYPTION • ANTIVIRUS

Page 8

Discovery and Profiling Techniques
DYNAMIC AND MULTI-FACETED

• Poll switches, VPN concentrators, APs and controllers for the list of devices that are connected
• Receive SNMP traps from switches and controllers
• Receive NetFlow data
• Monitor 802.1X requests to the built-in or external RADIUS server
• Monitor DHCP requests to detect when a new host requests an IP address
• Optionally monitor a network SPAN port to see network traffic such as HTTP traffic and banners
• Query public/private cloud APIs
• Import external MAC classification data or request LDAP data
• Run port, service banner and OS fingerprint scan
• Analyze PoE data
• Use credentials to run a scan on the endpoint
• Use optional agent

Figure: ForeScout CounterACT® receiving SNMP traps, DHCP requests and NetFlow from the network and data from the RADIUS server and FTP/LDAP server (diagram callouts A–L omitted).

Page 9

Passive Profiling Techniques (passive-only visibility)

DHCP fingerprinting
SNMP traps
Network infrastructure polling
RADIUS requests
SPAN traffic
HTTP user-agent
TCP fingerprinting
MAC classification database
NetFlow
Power over Ethernet
VMware® vSphere® integration
AWS® EC2® integration
CMDB or external sources

Active Profiling Techniques

Nmap, SMB, WMI, RPC, SSH, optional SecureConnector®
SNMP queries to endpoints
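DHCP fingerprinting and DHCP-request monitoring, listed above as passive techniques, work by reading the options a client sends before it has an address: the vendor class (option 60), the hostname (option 12) and, most usefully, the order of the parameter request list (option 55). The Python below is an added example, not ForeScout code: it constructs a sample DHCPDISCOVER, parses the option TLVs defensively (rejecting truncated options rather than reading past the buffer), and matches the vendor class plus parameter request list against a small constructed fingerprint table. The table entries, the MAC address and the hostname are constructed placeholders, not entries from the Device Profile Library.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options in a BOOTP frame

# Constructed lookup table for the example: (vendor class, option-55 parameter
# request list) -> device label. A real profiler holds far more entries; these
# two are illustrative placeholders only.
KNOWN_FINGERPRINTS = {
    ("MSFT 5.0", "1,3,6,15,31,33,43,44,46,47,119,121,249,252"): "Windows workstation",
    ("android-dhcp-10", "1,3,6,15,26,28,51,58,59,43"): "Android device",
}


def build_discover(mac: bytes, hostname: bytes, vendor_class: bytes, prl: bytes) -> bytes:
    """Construct a minimal DHCPDISCOVER frame (sample input for the example)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                                   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x12345678, 0, 0x8000,                        # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"),                         # chaddr, padded to 16 bytes
        b"\0" * 64, b"\0" * 128,                      # sname, file
    )
    options = (
        b"\x35\x01\x01"                                  # 53: message type = DISCOVER
        + bytes([12, len(hostname)]) + hostname          # 12: host name
        + bytes([60, len(vendor_class)]) + vendor_class  # 60: vendor class identifier
        + bytes([55, len(prl)]) + prl                    # 55: parameter request list
        + b"\xff"                                        # 255: end
    )
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed header and TLV options; reject truncated or non-DHCP input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    if not 0 < hlen <= 16:
        raise ValueError("bad hardware address length")
    mac = packet[28:28 + hlen].hex(":")   # chaddr starts at offset 28
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:   # length byte claims more bytes than remain
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return {"mac": mac, "options": options}


def dhcp_fingerprint(parsed: dict) -> dict:
    """Reduce a parsed request to the fields a passive DHCP profiler keys on."""
    opts = parsed["options"]
    return {
        "mac": parsed["mac"],
        "message_type": opts.get(53, b"\0")[0],
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        # the order of option 55 is what DHCP fingerprint databases match on
        "prl": ",".join(str(b) for b in opts.get(55, b"")),
    }


def classify_by_dhcp(fp: dict) -> str:
    """Exact match against the constructed table; anything else stays unknown."""
    return KNOWN_FINGERPRINTS.get((fp["vendor_class"], fp["prl"]), "unknown")


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("001122aabbcc"), b"WS-0042", b"MSFT 5.0",
                         bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
    fp = dhcp_fingerprint(parse_dhcp(pkt))
    print(fp, "->", classify_by_dhcp(fp))
```

Because the client chooses every byte of these options, the fingerprint is evidence, not proof: a device can spoof a vendor class, which is why the deck combines DHCP data with other properties rather than classifying on it alone.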

Page 10

Control: Implement Policies and Take Action

Action categories: NOTIFY, COMPLY, RESTRICT

¤ Open trouble ticket
¤ Send email notification
¤ SNMP traps
¤ Start application
¤ Run script to install application
¤ Auditable end-user acknowledgement
¤ HTTP browser hijack
¤ Trigger endpoint management system
¤ Deploy a virtual firewall
¤ Reassign the device to a VLAN
¤ Update access lists
¤ DNS hijack (captive portal)
¤ Move device to a guest network
¤ Move device to quarantine VLAN
¤ Block access with 802.1X
¤ Alter login credentials to block access
¤ Block access with device authentication
¤ Turn off switch port (802.1X, SNMP)
¤ Wi-Fi port block
¤ Terminate applications
¤ Disable peripheral device

Figure: example endpoints (security camera, Windows PC)
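As an added illustration of how the NOTIFY / COMPLY / RESTRICT tiers above combine into a policy, the Python below (example code, not ForeScout's policy engine) evaluates a constructed rule set against device records and orders the resulting actions from least to most disruptive, escalating to a RESTRICT action only after a device has stayed non-compliant past a grace period. The device fields, rule names, VLAN names and the 60-minute grace period are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Action tiers as on the slide, least to most disruptive.
TIERS = ("NOTIFY", "COMPLY", "RESTRICT")


@dataclass
class Device:
    ip: str
    function: str                        # classification result, e.g. "Windows PC"
    managed: bool
    av_running: Optional[bool] = None    # None = not assessable (agentless device)
    vlan: str = "corp"
    noncompliant_minutes: int = 0        # how long the device has failed the policy


@dataclass
class Rule:
    name: str
    matches: Callable[[Device], bool]
    actions: List[Tuple[str, str]]                       # (tier, action)
    escalate_after: Optional[int] = None                 # minutes of non-compliance
    escalation: List[Tuple[str, str]] = field(default_factory=list)


def evaluate(device: Device, rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule, tier, action) triples, ordered NOTIFY -> COMPLY -> RESTRICT."""
    planned = []
    for rule in rules:
        if not rule.matches(device):
            continue
        planned.extend((rule.name, tier, action) for tier, action in rule.actions)
        # Only escalate once the grace period has elapsed; a freshly detected
        # problem gets the gentler notify/comply actions first.
        if rule.escalate_after is not None and device.noncompliant_minutes >= rule.escalate_after:
            planned.extend((rule.name, tier, action) for tier, action in rule.escalation)
    planned.sort(key=lambda p: TIERS.index(p[1]))  # stable sort keeps rule order within a tier
    return planned


def highest_tier(planned) -> Optional[str]:
    """The most disruptive tier in a plan, or None when nothing applies."""
    return max((p[1] for p in planned), key=TIERS.index, default=None)


IOT_FUNCTIONS = {"Security camera", "IP Camera", "Printer", "HVAC System"}

# Constructed policy set for the example.
RULES = [
    Rule(
        name="unmanaged-iot-on-corporate-vlan",
        matches=lambda d: not d.managed and d.function in IOT_FUNCTIONS and d.vlan == "corp",
        actions=[("NOTIFY", "Open trouble ticket"),
                 ("RESTRICT", "Reassign the device to a VLAN: iot-segment")],
    ),
    Rule(
        name="managed-pc-antivirus-stopped",
        matches=lambda d: d.managed and d.av_running is False,
        actions=[("NOTIFY", "Send email notification"),
                 ("COMPLY", "Start application: antivirus agent")],
        escalate_after=60,
        escalation=[("RESTRICT", "Move device to quarantine VLAN")],
    ),
]

if __name__ == "__main__":
    for dev in (Device("10.0.1.20", "Security camera", managed=False),
                Device("10.0.2.7", "Windows PC", managed=True, av_running=False,
                       noncompliant_minutes=90)):
        plan = evaluate(dev, RULES)
        print(dev.ip, highest_tier(plan), plan)
```

Keeping `av_running` as a three-valued field matters for mixed estates: an agentless camera reports `None`, so the antivirus rule never fires on it, and it is caught by the segmentation rule instead of being quarantined for a check it cannot pass.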

Page 11

Orchestrate: Enhance Value of Existing Security Solutions

Figure: +BASE MODULES and +EXTENDED MODULES around the platform: ITSM, COMPLIANCE, Advanced Compliance (SCAP), SDN, EMM, VA, SIEM, PAM, NGFW, ATD, CMT, CLOUD, EPP / EDR

Page 12

Our Product Vision

Figure: Campus, Data Center, Cloud and Operational Technology; items shown: servers, virtual servers, network, mobile, users, laptops / desktops, private cloud, public cloud, physical security, security, badging, building automation, physical equipment, controller systems, IoT devices.

THE DE FACTO STANDARD FOR DEVICE VISIBILITY & CONTROL ACROSS THE ENTERPRISE

Page 13

Business Value

ForeScout Visibility Platform (Campus, Data center, Cloud, Operational technology)

Asset Management
Device Compliance
Network Access Control
Network Segmentation
Incident Response

Page 14

Why Customers Choose ForeScout

1. Visibility
   ✓ Continuous monitoring
   ✓ Agentless deployment
2. Time-to-Value
   ✓ Rapid installation
   ✓ Existing IT systems
3. Orchestration
   ✓ Fragmentation reduction
   ✓ Automated response

Page 15

We are a Proven Cybersecurity Partner

Gartner IoT Security Market Guide (Gartner, 2016)
JP Morgan Chase Hall of Fame Innovation Award for Transformative Security Technology (JPMC, 2016)
Deloitte’s Fastest Growing Companies in North America (Deloitte, 2017)
Gartner NAC Market Guide (Gartner, 2016)

Net Promoter Score: 77 (above industry average)
Licenses: 52M+ total device capacity sold
Customers: 2500+ in over 70 countries
Scale: 1M+ devices in a single deployment

Page 16

CounterACT 8: Visibility for the Extended Enterprise

Visibility Platform: Extend visibility to OT environments, IPv6 systems and Cisco Meraki managed devices
Device Cloud: Classify at the pace of new devices, harnessing the crowd-sourced ForeScout Device Cloud
IoT Assessment: Identify IoT devices with weak or default credentials to reduce risk and attack surface
Web Management: Improve security operations and incident response with the customizable dashboard
Enterprise Scalability: Scale to 2 million devices to keep up with device growth… double appliance capacity with half the footprint
Security Orchestration: Strengthen ServiceNow, SIEM and NGFW orchestration with IoT and OT device context
ForeScout Flexx Licensing: Software-centric licensing for ease of purchase, deployment flexibility and license portability across the Extended Enterprise

Page 17

The Visibility Platform: Expand Visibility into OT and IPv6 Systems

Gain visibility into additional devices
› Industrial and operational technology systems
› IPv6 addressable devices
› Cisco Meraki cloud controller connected devices

Active and Passive Discovery and Profiling
› Passive discovery and profiling in sensitive OT network zones without requiring agents
› Real-time asset inventory without introducing operational risk or impacting reliability
› Continuous monitoring for posture assessment and situational awareness
› Interoperability with common industrial switches – Cisco, Hirschmann/Belden

Figure: Campus, Cloud, Operational Technology, Data Center
DEVICE VISIBILITY AND CONTROL ACROSS THE EXTENDED ENTERPRISE

Page 18

Device Classification Taxonomy

> Information Technology
  > Computer
    > Thin Client
    > Thick Client
  > Mobile
    > Smartphone
    > Tablet
    > Many More
  > Networking
    > Router or Switch
    > Wireless Access Point
    > And More
  > Accessory
    > Printer
    > VoIP
      > IP Phone
      > VoIP Server
    > Postage Meter
    > Projector
  > Storage
    > Network Attached Storage
  > Multimedia and Entertainment
    > Gaming Console
    > Streamer
> Operational Technology
  > Healthcare
    > Electronic Health Care Records
    > X-Ray
    > And More
  > Non-Industry Specific
    > Facilities
      > Building Automation
        > Elevators and Escalators
        > Lighting
        > HVAC
        > Many More
    > Physical security
      > Surveillance
        > Alarm Reporting
        > IP Camera
        > And More
  > Retail & Financial
    > ATM
    > Cash Drawer
    > Point of Sale
    > Vending Machine
> Operating System
  > Windows
    > Windows XP
      > Windows XP Tablet PC
        > Windows XP Tablet PC SP1
        > Windows XP Tablet PC SP2
    > Windows 7
      > Windows 7 Enterprise
        > Windows 7 Enterprise RTM
        > Windows 7 Enterprise SP1
    > And More
  > Macintosh
    > OSX 10.5 Leopard
    > OSX 10.7 Lion
    > And More
  > iOS
  > Linux
    > CentOS
    > Debian
    > And More
  > Android
  > And More
> Vendor and Model
  > Apple
    > Apple iDevice
      > Apple iPad
      > Apple iPhone
      > Apple iPod
    > Apple TV
    > MacBook
    > Apple Watch
    > Apple Airport
  > BlackBerry Limited
  > 3M
  > GE
    > GE Water & Process
    > GE Healthcare
    > GE Medical System
  > Hitachi
    > Hitachi Aloka Medical
    > Hitachi Power Solutions
    > Hitachi Metals America
    > Hitachi Industry & Control Solutions
  > Hoana Medical
  > And More

Page 19

Profiling

• “Function” seems like a black box: why does a device match a given function? What are the properties within “Function” that are checked?
• In the current version of the Device Profile Library, a total of 27+ different properties contribute to the classification. They are:
  • NIC Vendor
  • DHCP Vendor Class
  • HTTP User Agent
  • OS Fingerprint
  • Network Function
  • TCP/IP Syn Ack Fingerprint
  • Virtual Machine Guest OS
  • Windows Version
  • Nmap-Banner (Ver. 7.01)
  • Nmap-Banner (Ver. 5.3)
  • DHCP Hostname
  • Macintosh Manageable (SecureConnector)
  • DHCP device class
  • Linux Manageable (SecureConnector)
  • Open Ports
  • DHCP device OS
  • MAC Address
  • Macintosh Version
  • CounterACT Device Type
  • DHCP options fingerprint
  • Linux Version
  • Switch Port PoE Connected Device
  • DHCP request fingerprint
  • Classified by Action
  • Device is NAT
  • Windows Services Installed
  • Switch Port Name

Page 20

Why it Matters: Expand Visibility into OT and IPv6 Systems

2016: 5.9B enterprise connected devices
  Campus unmanaged (consumer devices): 800M
  Campus managed: 3B
  Operational technology: 1.6B
  Datacenter: 277M
  Cloud: 233M

2017: grew to 6.6B enterprise connected devices
  Campus unmanaged: 1B
  Campus managed: 3B
  Operational technology: 2B
  Datacenter: 284M
  Cloud: 285M

700M addressable devices added in 2017, including: 34M medical devices, 800K HVAC systems, 52M cloud virtual servers, 130M security cameras, 3.8M cash registers, 67M printers

MOST CAN’T SUPPORT AGENTS

Page 21

Accurately Classify IoT and OT Devices: Powered by ForeScout Device Cloud

• Industry-leading classification for traditional, mobile, virtual, network infrastructure, IoT and OT devices
• Powered by ForeScout Device Cloud
  o The only crowd-sourced device repository
  o 3 million+ devices
  o 500+ customer community
  o Get new and updated device profiles from ForeScout Research to keep pace with new devices

Classify Your Devices
1. Function: Tablet, Wireless Access Pt, Printer, VoIP Server, Point of Sale, X-Ray Machine, HVAC System, …
2. Operating System: Windows 7, Windows Server 2016, OS X 10.7 Lion, OS X 10.10 Yosemite, iOS, CentOS, Android, …
3. Vendor & Model: Apple iPad, Apple iPhone, Apple Airport, 3M Control System, GE Water Processor, Hitachi Power System, Hoana Medical, ...
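Page 19 asks which properties make “Function” match, and the three dimensions above (function, operating system, vendor & model) are what the answer has to produce. The Python below is an added example, not the Device Profile Library or any ForeScout code: it scores weighted evidence from several of the property types listed on page 19 (NIC vendor derived from the MAC OUI, DHCP vendor class, HTTP user agent, open ports, OS fingerprint, Nmap banner) per dimension, reports the winning label with its confidence and the evidence that supported it, and marks a dimension ambiguous when competing evidence is too close to call. The OUI prefixes, vendor names, patterns, weights and the 0.7 threshold are constructed placeholders.

```python
from collections import defaultdict
from typing import Any, Callable, Dict, List, Tuple

DIMENSIONS = ("function", "os", "vendor_model")
MIN_CONFIDENCE = 0.7   # below this the dimension is reported as ambiguous (assumed threshold)

# Constructed OUI table (24-bit MAC prefix -> NIC vendor). A real lookup uses the
# IEEE registry; these prefixes and vendors are placeholders for the example.
OUI_TABLE = {
    "aa:bb:cc": "ExampleCam Inc.",
    "dd:ee:ff": "Example Computers",
}

# Evidence rules: (property, predicate, dimension, label, weight). The property
# names mirror kinds of data the deck lists; patterns and weights are illustrative.
Rule = Tuple[str, Callable[[Any], bool], str, str, float]
RULES: List[Rule] = [
    ("dhcp_vendor_class", lambda v: v.startswith("MSFT"),     "os", "Windows", 3),
    ("http_user_agent",   lambda v: "Windows NT" in v,        "os", "Windows", 4),
    ("http_user_agent",   lambda v: "Windows NT" in v,        "function", "Computer", 2),
    ("open_ports",        lambda v: 445 in v or 3389 in v,    "function", "Computer", 2),
    ("open_ports",        lambda v: 554 in v and 80 in v,     "function", "IP Camera", 3),  # RTSP + web UI
    ("nmap_banner",       lambda v: "rtsp" in v.lower(),      "function", "IP Camera", 2),
    ("nic_vendor",        lambda v: v == "ExampleCam Inc.",   "function", "IP Camera", 2),
    ("nic_vendor",        lambda v: v == "ExampleCam Inc.",   "vendor_model", "ExampleCam IP Camera", 3),
    ("nic_vendor",        lambda v: v == "Example Computers", "vendor_model", "Example Laptop", 2),
    ("os_fingerprint",    lambda v: "linux" in v.lower(),     "os", "Linux", 2),
]


def enrich(props: Dict[str, Any]) -> Dict[str, Any]:
    """Derive the NIC vendor from the MAC address when it is not already present."""
    out = dict(props)
    mac = out.get("mac")
    if mac and "nic_vendor" not in out:
        out["nic_vendor"] = OUI_TABLE.get(mac.lower()[:8], "unknown")
    return out


def classify(props: Dict[str, Any]) -> Dict[str, Tuple[str, float, list]]:
    """Score every rule that fires; return (label, confidence, evidence) per dimension."""
    props = enrich(props)
    scores = defaultdict(lambda: defaultdict(float))
    evidence = defaultdict(list)
    for prop, test, dim, label, weight in RULES:
        value = props.get(prop)
        if value is None:
            continue
        try:
            hit = test(value)
        except (TypeError, AttributeError):   # property present but of an unexpected type
            hit = False
        if hit:
            scores[dim][label] += weight
            evidence[dim].append((prop, label, weight))
    result = {}
    for dim in DIMENSIONS:
        if not scores[dim]:
            result[dim] = ("unknown", 0.0, [])
            continue
        label, best = max(scores[dim].items(), key=lambda kv: kv[1])
        confidence = round(best / sum(scores[dim].values()), 2)
        if confidence < MIN_CONFIDENCE:
            # Conflicting evidence: surface all of it rather than guess.
            result[dim] = ("ambiguous", confidence, evidence[dim])
        else:
            result[dim] = (label, confidence, [e for e in evidence[dim] if e[1] == label])
    return result


if __name__ == "__main__":
    camera = {"mac": "AA:BB:CC:01:02:03", "open_ports": {80, 554},
              "nmap_banner": "RTSP/1.0 200 OK", "os_fingerprint": "Linux 2.6.x"}
    for dim, (label, conf, ev) in classify(camera).items():
        print(dim, label, conf, ev)
```

Returning the supporting evidence alongside the label is what turns the “black box” of page 19 into something an analyst can audit: a misclassification can be traced to the property and weight that caused it, and a single spoofable property (a user agent, a DHCP vendor class) can never outvote several independent ones.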

Page 22

IoT Risk Assessment: Reduce Your IoT Attack Surface

› Identify IoT devices with factory default and commonly used credentials
› Create your own custom IoT credential assessment library or leverage the ForeScout-provided credential library
› Create policies to automate assessment and initiate mitigation actions (alert, limit/block, segment)

Page 23

Web Dashboard: Improve Security Operations & Incident Response

At-a-glance visibility: visualize device landscape & compliance, from campus to cloud to OT network
Customizable views
Use Cases: Asset Management, Risk and Compliance, Incident Response
Personas: Security Operations (SOC), IT Executive & Risk Officer

Page 24

Enterprise Scalability and Deployment: Scale to Keep Up with Device Growth

Management Scale
› Manage 2 million devices in a single deployment across the extended enterprise

Appliance Scale
› Double appliance capacity with half the footprint – 4x improvement in deployment density to optimize rack space and data center utilization
› Full 10Gbps traffic monitoring and analysis capacity per appliance

Deployment Ease
› Choice of virtual appliance deployments – KVM, VMware or Hyper-V
› Auto IP-allocation to manage devices across a cluster of physical or virtual appliances

Deployment Options
› Choose between Hybrid, Centralized and Role-based
› Apply HA or Failover Cluster options

Page 25

Security Orchestration: Share IT, OT and IoT Device Context

› Enrich CMDBs with device context for industrial and critical infrastructure systems
› Provide IT, OT classification and IoT assessment context to SIEMs for incident correlation & response
› Tag IT, IoT and OT devices based on classification and assessment for NGFW segmentation policies
› Extend security with Advanced Threat Detection, Privileged Account Management, Vulnerability Assessment and Enterprise Mobility Management solutions
› Secure virtual environments

Figure: Share Contextual Insight, Automate Workflows, Automate Response Actions (SDN, CLOUD)

Page 26

ForeScout Flexx Licensing: Purchase and Consume with Ease
A Software-Centric Licensing Model To Consume ForeScout Products

Purchase: Simple Purchasing & Licensing Model
Deploy: Flexible Deployment & License Portability
Manage: Streamlined License Management & Compliance
Grow: Easily Add for Device Growth & New Use Cases

Page 27

Questions