Introducing CounterACT 8: Visibility for the Extended Enterprise
Serkowitsch Eddie, Sr. Consulting Engineer EMEA
ForeScout
2000: ForeScout founded and raises $1.5M Series A
2001: ForeScout secures first beta customer
2002: ForeScout ships first product – CounterACT Edge
2006: ForeScout ships first agentless version of CounterACT®
2010: ForeScout reaches 100k devices on a single network
2014: ForeScout reaches 1M devices on a single network
2015: ForeScout raises $80M Series G at $1B valuation
2017: ForeScout lists on NASDAQ as FSCT
Top-of-mind Business Issues

IT and OT Convergence
› OT networks are no longer physically separated
› Threats moving between cyber and physical dimensions
› Assets are highly critical and can rarely be patched

Growth of Devices and Platform Diversity
› Innumerable device-specific operating systems (OS)
› Cannot get agents onto new devices
› Cannot write agent-based software for every OS

Threats Targeting Non-Traditional Devices
› Threats targeting IoT and OT attack surface
› IT threats causing impact to OT networks
› Lead to service disruptions and revenue loss
ForeScout Confidential – Do Not Distribute
[Figure: Visibility & Control Gap. Information Technology (corporate HQ) converging with Operational Technology (industrial control systems, critical infrastructure); device growth from the 1990s to 2020, with 28 billion IP-based devices expected by 2020.]
Increasing Surface Area of Attack
› “Melissa” virus
› “ILOVEYOU” virus
› “Patch Tuesday”
› Breach through HVAC credentials
› Malware on POS machine
› DDoS attack using IoT
› Disabling of AV agent
ForeScout Platform
See: Discover, Classify, and Assess Devices on the Network

DISCOVER all IP-addressable devices at time of connect
CLASSIFY devices into categories using a rich set of data
ASSESS device security posture to take action

Properties gathered per device (illustrated for a personal laptop (BYOD), a security camera (IoT) and a corporate managed desktop):
› Type of device, location, connection type, hardware info, MAC and IP address, certificate
› Name, authentication status, workgroup, email and phone number
› OS type, version number, registry, file names, dates and sizes, services and processes installed or running
› Applications: installed, running, version number, registry settings, file sizes
› Anti-malware / virus / DLP agents, patch management agents, encryption agents, firewall status, configuration
› Wired, wireless, and VPN connections; rogue devices
› Type of device, manufacturer, connection type
› Server name, server OS type, server vendor, guest OS information
ForeScout Discovery and Profiling Sources

[Diagram: CounterACT draws on sources on the external side (Internet, firewall, AD / LDAP / RADIUS / DHCP, VPN client) and the internal side (core layer switch, distribution layer switch, guest LAN, corporate LAN, VPN concentrator).]

Who? • USER • NAME • EMAIL • TITLE • GROUPS
Where? • SWITCH • CONTROLLER • PORT / SSID / VLAN
What? • FUNCTION • OS • VENDOR • MAC ADDRESS • IP ADDRESS • BROWSER AGENT • PORTS • PROTOCOLS
Posture? • APPS • SERVICES • PROCESSES • VERSIONS • REGISTRY • PATCHES • ENCRYPTION • ANTIVIRUS

DYNAMIC AND MULTI-FACETED
• Poll switches, VPN concentrators, APs and controllers for list of devices that are connected
• Receive SNMP traps from switches and controller
• Receive NetFlow data
• Monitor 802.1x requests to the built-in or external RADIUS server
• Monitor DHCP requests to detect when a new host requests an IP address
• Optionally monitor a network SPAN port to see network traffic such as HTTP traffic and banners
• Query public/private cloud APIs
• Import external MAC classification data or request LDAP data
• Run port, service banner and OS fingerprint scan
• Analyze PoE data
• Use credentials to run a scan on the endpoint
• Use optional agent
[Diagram: ForeScout CounterACT® at the center, receiving SNMP traps, DHCP requests and NetFlow and querying the RADIUS server and an FTP/LDAP server; lettered callouts A–L map to the techniques listed below.]
Passive Profiling Techniques
DHCP fingerprinting
SNMP traps
Network infrastructure polling
Radius requests
SPAN traffic
HTTP user-agent
TCP fingerprinting
MAC classification database
NetFlow
Power over Ethernet
VMware® vSphere® integration
AWS® EC2® integration
CMDB or external sources
Passive-only Visibility
Active Profiling Techniques
Nmap, SMB, WMI, RPC, SSH, optional SecureConnector®
SNMP queries to endpoints
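Each passive source above yields only a fragment of a device's identity, so the first job of a profiler is to merge fragments per endpoint and to notice when they disagree. The following Python is an added example, not ForeScout code: it maps the MAC OUI to a NIC vendor (a stand-in for the MAC classification database), fingerprints the DHCP option 55 parameter request list, parses the HTTP User-Agent seen on a SPAN port, and records observed open ports. The OUI table, the DHCP fingerprints, the User-Agent patterns and the event records are constructed samples for illustration, not a real fingerprint library.

```python
"""Passive endpoint profiling from network-side evidence.

Added example, not ForeScout code. The OUI table, DHCP option-55 fingerprints,
User-Agent patterns and event records below are constructed samples; a real
deployment would use a maintained MAC classification database and fingerprint
library, as the slide describes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: leading three octets (OUI) -> NIC vendor
OUI_TABLE = {
    "00:50:56": "VMware",
    "3c:07:54": "Apple",
    "00:1b:21": "Intel",
    "00:40:8c": "Axis Communications",
}

# Constructed sample: DHCP option 55 parameter request list -> OS family guess
DHCP55_FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows",
    "1,121,3,6,15,119,252": "Apple",
    "1,3,6,12,15,28,42": "Embedded Linux",
}

# HTTP User-Agent patterns -> OS family (ordered; first match wins)
UA_PATTERNS = [
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"iPhone|iPad"), "Apple"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Mac OS X"), "Apple"),
    (re.compile(r"Linux"), "Linux"),
]


@dataclass
class HostProfile:
    """Properties accumulated for one MAC address from passive sources."""
    mac: str
    ip: Optional[str] = None
    nic_vendor: Optional[str] = None
    dhcp_hostname: Optional[str] = None
    dhcp_vendor_class: Optional[str] = None
    dhcp_os: Optional[str] = None
    http_os: Optional[str] = None
    open_ports: set = field(default_factory=set)

    def os_conflict(self) -> bool:
        """True when DHCP and HTTP evidence name different OS families.
        One MAC showing two OS families hints at a NAT device in front of
        several hosts or a spoofed User-Agent, so it deserves a policy check."""
        return (self.dhcp_os is not None and self.http_os is not None
                and self.dhcp_os != self.http_os)


def nic_vendor(mac: str) -> Optional[str]:
    return OUI_TABLE.get(mac.lower()[:8])


def os_from_dhcp(param_request_list: str) -> Optional[str]:
    return DHCP55_FINGERPRINTS.get(param_request_list.replace(" ", ""))


def os_from_user_agent(ua: str) -> Optional[str]:
    for pattern, family in UA_PATTERNS:
        if pattern.search(ua):
            return family
    return None


def ingest(events: list) -> dict:
    """Merge DHCP, HTTP (SPAN) and port observations into per-MAC profiles."""
    profiles: dict = {}
    for ev in events:
        mac = ev["mac"].lower()
        p = profiles.setdefault(mac, HostProfile(mac=mac, nic_vendor=nic_vendor(mac)))
        if ev.get("ip"):
            p.ip = ev["ip"]
        if ev["source"] == "dhcp":
            p.dhcp_hostname = ev.get("hostname")
            p.dhcp_vendor_class = ev.get("vendor_class")
            p.dhcp_os = os_from_dhcp(ev["option55"])
        elif ev["source"] == "http":
            p.http_os = os_from_user_agent(ev["user_agent"])
        elif ev["source"] == "port":
            p.open_ports.add(int(ev["port"]))
    return profiles


# Constructed sample events, as a DHCP relay and a SPAN port would surface them
SAMPLE_EVENTS = [
    {"source": "dhcp", "mac": "00:1B:21:11:22:33", "hostname": "FIN-LT-042",
     "vendor_class": "MSFT 5.0", "option55": "1,3,6,15,31,33,43,44,46,47,119,121,249,252"},
    {"source": "http", "mac": "00:1B:21:11:22:33", "ip": "10.1.20.42",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"source": "dhcp", "mac": "3C:07:54:AA:BB:CC", "hostname": "iPad",
     "vendor_class": None, "option55": "1,121,3,6,15,119,252"},
    {"source": "http", "mac": "3C:07:54:AA:BB:CC", "ip": "10.1.30.7",
     "user_agent": "Mozilla/5.0 (iPad; CPU OS 12_1 like Mac OS X)"},
    {"source": "dhcp", "mac": "00:40:8C:DE:AD:01", "hostname": "axis-cam-lobby",
     "vendor_class": "udhcp 1.2", "option55": "1,3,6,12,15,28,42"},
    {"source": "port", "mac": "00:40:8C:DE:AD:01", "ip": "10.9.1.15", "port": 80},
    {"source": "port", "mac": "00:40:8C:DE:AD:01", "ip": "10.9.1.15", "port": 554},
    # Same MAC, second OS family: the pattern a NAT box or a spoofed UA produces
    {"source": "http", "mac": "00:40:8C:DE:AD:01", "ip": "10.9.1.15",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1)"},
]

if __name__ == "__main__":
    for profile in ingest(SAMPLE_EVENTS).values():
        print(profile, "OS CONFLICT" if profile.os_conflict() else "")
```

The conflict flag is the part worth copying: a camera OUI, an embedded-Linux DHCP fingerprint and a Windows User-Agent on one MAC is exactly the "Device is NAT" situation listed later among the classification properties, and it should feed a policy rather than be averaged away.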
Control: Implement Policies and Take Action
• Open trouble ticket
• Send email notification
• SNMP traps
• Start application
• Run script to install application
• Auditable end-user acknowledgement
• HTTP browser hijack
• Trigger endpoint management system
• Deploy a virtual firewall
• Reassign the device to a VLAN
• Update access lists
• DNS hijack (captive portal)
• Move device to a guest network
• Move device to quarantine VLAN
• Block access with 802.1x
• Alter login credentials to block access
• Block access with device authentication
• Turn off switch port (802.1X, SNMP)
• Wi-Fi port block
• Terminate applications
• Disable peripheral device

Action tiers: NOTIFY, COMPLY, RESTRICT
[Figure: example endpoints under policy – a security camera and a Windows PC.]
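The action list above only becomes useful once a policy decides which device gets which action, and at what tier. The following Python is an added example, not ForeScout code, of that decision step: each rule is a predicate over a device's assessed properties plus the tier and actions it triggers, and a device's outcome is the most restrictive tier any rule reaches. The device records and rules are constructed; the action strings are taken from the slide's list, but the assignment of actions to tiers is this example's own choice.

```python
"""Policy evaluation: from assessed device properties to NOTIFY / COMPLY /
RESTRICT actions.

Added example, not ForeScout code. Device records and rules are constructed;
action names come from the slide's action list and the tiers from its
NOTIFY / COMPLY / RESTRICT grouping, but which action sits in which tier here
is this example's choice.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, List, Tuple

TIER_RANK = {"NOTIFY": 0, "COMPLY": 1, "RESTRICT": 2}


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[dict], bool]   # predicate over one device property record
    tier: str
    actions: Tuple[str, ...]


# Constructed policy: one rule per posture failure, each evaluated independently
POLICY = [
    Rule("corporate-av-not-running",
         lambda d: d["group"] == "Corporate Managed" and not d.get("av_running", True),
         "COMPLY", ("Start application", "Send email notification")),
    Rule("corporate-missing-patches",
         lambda d: d["group"] == "Corporate Managed" and d.get("missing_critical_patches", 0) > 0,
         "COMPLY", ("Run script to install application", "Open trouble ticket")),
    # Result of the IoT credential assessment: weak or default credentials present
    Rule("iot-default-credentials",
         lambda d: d["group"] == "IoT" and d.get("default_credentials", False),
         "RESTRICT", ("Move device to quarantine VLAN", "Open trouble ticket")),
    Rule("byod-to-guest",
         lambda d: d["group"] == "BYOD",
         "RESTRICT", ("Move device to a guest network", "Auditable end-user acknowledgement")),
    Rule("unclassified-device",
         lambda d: d["group"] == "Unknown",
         "RESTRICT", ("Turn off switch port (802.1X, SNMP)", "SNMP traps")),
]


def evaluate(device: dict, policy: List[Rule] = POLICY) -> List[Tuple[str, str, str]]:
    """(rule name, tier, action) for every rule that fires; empty means compliant."""
    hits: List[Tuple[str, str, str]] = []
    for rule in policy:
        if rule.applies(device):
            hits.extend((rule.name, rule.tier, action) for action in rule.actions)
    return hits


def outcome_tier(device: dict, policy: List[Rule] = POLICY) -> str:
    """Most restrictive tier reached, or 'COMPLIANT' when nothing fires."""
    tiers = {tier for _, tier, _ in evaluate(device, policy)}
    return max(tiers, key=TIER_RANK.__getitem__) if tiers else "COMPLIANT"


# Constructed device records, as the assess step would hand them over
SAMPLE_DEVICES = {
    "win-pc": {"group": "Corporate Managed", "function": "Thick Client", "os": "Windows 7",
               "av_running": False, "missing_critical_patches": 0},
    "ok-pc": {"group": "Corporate Managed", "function": "Thick Client", "os": "Windows 7",
              "av_running": True, "missing_critical_patches": 0},
    "lobby-cam": {"group": "IoT", "function": "IP Camera", "default_credentials": True},
    "guest-ipad": {"group": "BYOD", "function": "Tablet", "os": "iOS"},
    "mystery": {"group": "Unknown"},
}

if __name__ == "__main__":
    for name, dev in SAMPLE_DEVICES.items():
        print(f"{name:12s} {outcome_tier(dev):10s} {evaluate(dev)}")
```

Keeping rules independent and reducing to the strictest tier afterwards means a device that is both unpatched and using default credentials is restricted first and remediated second, which is the order an operator would want.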
Orchestrate: Enhance Value of Existing Security Solutions
+ EXTENDED MODULES: ITSM, COMPLIANCE (Advanced Compliance, SCAP), SDN, EMM, VA, SIEM, PAM, NGFW, ATD
+ BASE MODULES: CMT, CLOUD, EPP / EDR
Our Product Vision
[Figure: the extended enterprise – Campus (laptops / desktops, network, mobile, users), Data Center (servers, virtual servers), Cloud (private cloud, public cloud), Operational Technology (building automation, physical equipment, controller systems, IoT devices) and Physical Security (security, badging).]
THE DE FACTO STANDARD FOR DEVICE VISIBILITY & CONTROL ACROSS THE ENTERPRISE
Business Value
Asset Management
Device Compliance
Network Access Control
Network Segmentation
Incident Response
ForeScout Visibility Platform
Campus Data center Cloud Operational technology
Why Customers Choose ForeScout
1. Visibility: ✓ Continuous monitoring ✓ Agentless deployment
2. Time-to-Value: ✓ Rapid installation ✓ Existing IT systems
3. Orchestration: ✓ Fragmentation reduction ✓ Automated response
We are a Proven Cybersecurity Partner
Gartner IoT Security Market Guide (Gartner, 2016)
JP Morgan Chase Hall of Fame Innovation Award for Transformative Security Technology (JPMC, 2016)
Deloitte’s Fastest Growing Companies in North America (Deloitte, 2017)
Gartner NAC Market Guide (Gartner, 2016)

Net Promoter Score: 77 (above industry average)
Licenses: 52M+ total device capacity sold
Customers: 2500+ in over 70 countries
Scale: 1M+ devices in a single deployment
CounterACT 8: Visibility for the Extended Enterprise
Visibility Platform: Extend visibility to OT environments, IPv6 systems and Cisco Meraki managed devices
Device Cloud: Classify at the pace of new devices, harnessing the crowd-sourced ForeScout Device Cloud
IoT Assessment: Identify IoT devices with weak or default credentials to reduce risk and attack surface
Web Management: Improve security operations and incident response with the customizable dashboard
Enterprise Scalability: Scale to 2 million devices to keep up with device growth; double appliance capacity with half the footprint
Security Orchestration: Strengthen ServiceNow, SIEM and NGFW orchestration with IoT and OT device context
ForeScout Flexx Licensing: Software-centric licensing for ease of purchase, deployment flexibility and license portability across the Extended Enterprise
Expand Visibility into OT and IPv6 Systems: The Visibility Platform

Gain visibility into additional devices
› Industrial and operational technology systems
› IPv6 addressable devices
› Cisco Meraki cloud controller connected devices

Active and Passive Discovery and Profiling
› Passive discovery and profiling in sensitive OT network zones without requiring agents
› Real-time asset inventory without introducing operational risk or impacting reliability
› Continuous monitoring for posture assessment and situational awareness
› Interoperability with common industrial switches – Cisco, Hirschmann/Belden

[Figure: Campus, Data Center, Cloud, Operational Technology – DEVICE VISIBILITY AND CONTROL ACROSS THE EXTENDED ENTERPRISE]
Device Classification Taxonomy
> Information Technology
  > Computer: Thin Client, Thick Client
  > Mobile: Smartphone, Tablet, many more
  > Networking: Router or Switch, Wireless Access Point, and more
  > Accessory: Printer, VoIP (IP Phone, VoIP Server), Postage Meter, Projector
  > Storage: Network Attached Storage
  > Multimedia and Entertainment: Gaming Console, Streamer
> Operational Technology
  > Healthcare: Electronic Health Care Records, X-Ray, and more
  > Non-Industry Specific
    > Facilities: Building Automation, Elevators and Escalators, Lighting, HVAC, many more
    > Physical security: Surveillance, Alarm Reporting, IP Camera, and more
  > Retail & Financial: ATM, Cash Drawer, Point of Sale, Vending Machine
> Operating System
  > Windows
    > Windows XP: Windows XP Tablet PC, Windows XP Tablet PC SP1, Windows XP Tablet PC SP2
    > Windows 7: Windows 7 Enterprise (Windows 7 Enterprise RTM, Windows 7 Enterprise SP1), and more
  > Macintosh: OSX 10.5 Leopard, OSX 10.7 Lion, and more
  > iOS
  > Linux: CentOS, Debian, and more
  > Android, and more
> Vendor and Model
  > Apple: Apple iDevice (Apple iPad, Apple iPhone, Apple iPod), Apple TV, MacBook, Apple Watch, Apple Airport
  > BlackBerry Limited
  > 3M
  > GE: GE Water & Process, GE Healthcare, GE Medical System
  > Hitachi: Hitachi Aloka Medical, Hitachi Power Solutions, Hitachi Metals America, Hitachi Industry & Control Solutions
  > Hoana Medical, and more
Profiling
• “Function” seems like a black box as to why a device matches a given function. What are the properties within “Function” that are checked?
• In the current version of the Device Profile Library, a total of 27+ different properties contribute to the classification. They are:
  • NIC Vendor
  • DHCP Vendor Class
  • HTTP User Agent
  • OS Fingerprint
  • Network Function
  • TCP/IP Syn Ack Fingerprint
  • Virtual Machine Guest OS
  • Windows Version
  • Nmap-Banner (Ver. 7.01)
  • Nmap-Banner (Ver. 5.3)
  • DHCP Hostname
  • Macintosh Manageable (SecureConnector)
  • DHCP device class
  • Linux Manageable (SecureConnector)
  • Open Ports
  • DHCP device OS
  • MAC Address
  • Macintosh Version
  • CounterACT Device Type
  • DHCP options fingerprint
  • Linux Version
  • Switch Port PoE Connected Device
  • DHCP request fingerprint
  • Classified by Action
  • Device is NAT
  • Windows Services Installed
  • Switch Port Name
Expand Visibility into OT and IPv6 Systems: Why it Matters

[Chart: consumer devices vs. enterprise connected devices, 2016–2017]

2016: 5.9B ENTERPRISE CONNECTED DEVICES
• 800M CAMPUS UNMANAGED
• 3B CAMPUS MANAGED
• 1.6B OPERATIONAL TECHNOLOGY
• 277M DATACENTER
• 233M CLOUD

2017: GREW TO 6.6B ENTERPRISE CONNECTED DEVICES
• 1B CAMPUS UNMANAGED
• 3B CAMPUS MANAGED
• 2B OPERATIONAL TECHNOLOGY
• 284M DATACENTER
• 285M CLOUD

700M ADDRESSABLE DEVICES ADDED IN 2017, INCLUDING:
• 34M MEDICAL DEVICES
• 800K HVAC SYSTEMS
• 52M CLOUD VIRTUAL SERVERS
• 130M SECURITY CAMERAS
• 3.8M CASH REGISTERS
• 67M PRINTERS
MOST CAN’T SUPPORT AGENTS
Accurately Classify IoT and OT Devices: Powered by ForeScout Device Cloud
• Industry-leading classification for traditional, mobile, virtual, network infrastructure, IoT and OT devices
• Powered by ForeScout Device Cloud
  o The only crowd-sourced device repository
  o 3 million+ devices
  o 500+ customer community
  o Get new and updated device profiles from ForeScout Research to keep pace with new devices
Classify Your Devices
1. Function: • Tablet • Wireless Access Pt • Printer • VoIP Server • Point of Sale • X-Ray Machine • HVAC System • …
+
2. Operating System: • Windows 7 • Windows Server 2016 • OS X 10.7 Lion • OS X 10.10 Yosemite • iOS • CentOS • Android • …
+
3. Vendor & Model: • Apple iPad • Apple iPhone • Apple Airport • 3M Control System • GE Water Processor • Hitachi Power System • Hoana Medical • …
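The taxonomy, the list of Device Profile Library properties and the three-step Function / Operating System / Vendor & Model classification above fit together as one mechanism: each observed property is evidence for a path in the taxonomy, and the best-supported path per dimension is the classification. The following Python is an added example, not ForeScout code, showing that combination, including the "Classified by Action" property as an operator override that beats collected evidence. TAXONOMY is an excerpt of the slide's taxonomy; the rules, their weights and the sample property records are constructed for illustration.

```python
"""Classify a device on three dimensions (Function, Operating System, Vendor and
Model) from Device Profile Library style properties.

Added example, not ForeScout code. TAXONOMY is an excerpt of the slide's
classification taxonomy; RULES, their weights and the sample property records
are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Excerpt of the slide's taxonomy as nested dicts; leaves are empty dicts
TAXONOMY = {
    "Information Technology": {
        "Computer": {"Thin Client": {}, "Thick Client": {}},
        "Mobile": {"Smartphone": {}, "Tablet": {}},
        "Networking": {"Router or Switch": {}, "Wireless Access Point": {}},
    },
    "Operational Technology": {
        "Healthcare": {"X-Ray": {}},
        "Non-Industry Specific": {"Physical security": {"IP Camera": {}}},
        "Retail & Financial": {"Point of Sale": {}},
    },
    "Operating System": {
        "Windows": {"Windows 7": {}, "Windows XP": {}},
        "Macintosh": {}, "iOS": {}, "Linux": {"CentOS": {}, "Debian": {}}, "Android": {},
    },
    "Vendor and Model": {
        "Apple": {"Apple iDevice": {"Apple iPad": {}, "Apple iPhone": {}}, "MacBook": {}},
        "GE": {"GE Healthcare": {}},
    },
}
DIMENSIONS = ("Function", "Operating System", "Vendor and Model")


def path_exists(path: str) -> bool:
    """Walk 'A > B > C' through TAXONOMY; False if any step is missing."""
    node = TAXONOMY
    for part in path.split(" > "):
        if part not in node:
            return False
        node = node[part]
    return True


def dimension_of(path: str) -> str:
    """IT and OT roots are both Function; the other two roots name themselves."""
    root = path.split(" > ")[0]
    return root if root in DIMENSIONS else "Function"


@dataclass(frozen=True)
class Evidence:
    prop: str                         # property name from the Device Profile Library list
    matches: Callable[[object], bool]
    path: str                         # taxonomy path this evidence votes for
    weight: float


RULES = [
    Evidence("HTTP User Agent", lambda v: "iPad" in str(v), "Information Technology > Mobile > Tablet", 3),
    Evidence("HTTP User Agent", lambda v: "iPad" in str(v), "Operating System > iOS", 3),
    Evidence("HTTP User Agent", lambda v: "iPad" in str(v),
             "Vendor and Model > Apple > Apple iDevice > Apple iPad", 3),
    Evidence("NIC Vendor", lambda v: v == "Apple", "Vendor and Model > Apple", 1),
    Evidence("DHCP Vendor Class", lambda v: str(v).startswith("MSFT"), "Operating System > Windows", 2),
    Evidence("Windows Version", lambda v: str(v).startswith("7"), "Operating System > Windows > Windows 7", 3),
    Evidence("Open Ports", lambda v: {135, 445} <= set(v), "Information Technology > Computer > Thick Client", 2),
    Evidence("Open Ports", lambda v: 554 in v,
             "Operational Technology > Non-Industry Specific > Physical security > IP Camera", 2),
    Evidence("Switch Port PoE Connected Device", lambda v: bool(v),
             "Operational Technology > Non-Industry Specific > Physical security > IP Camera", 1),
    Evidence("OS Fingerprint", lambda v: "Linux" in str(v), "Operating System > Linux", 2),
]
assert all(path_exists(r.path) for r in RULES), "a rule votes for a path outside the taxonomy"


def classify(record: dict) -> Dict[str, Optional[str]]:
    """Best-supported taxonomy path per dimension; an operator's 'Classified by
    Action' entry overrides collected evidence for the dimensions it names."""
    scores: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    for rule in RULES:
        if rule.prop in record and rule.matches(record[rule.prop]):
            scores[dimension_of(rule.path)][rule.path] += rule.weight
    result: Dict[str, Optional[str]] = {}
    for dim in DIMENSIONS:
        votes = scores.get(dim)
        # highest score wins; on a tie prefer the more specific (deeper) path
        result[dim] = max(votes, key=lambda p: (votes[p], p.count(" > "))) if votes else None
    for dim, forced in record.get("Classified by Action", {}).items():
        if dim in DIMENSIONS and path_exists(forced):
            result[dim] = forced
    return result


# Constructed property records
IPAD = {"NIC Vendor": "Apple", "HTTP User Agent": "Mozilla/5.0 (iPad; CPU OS 12_1 like Mac OS X)",
        "Open Ports": set()}
WINDOWS_PC = {"DHCP Vendor Class": "MSFT 5.0", "Windows Version": "7 Enterprise SP1",
              "Open Ports": {135, 445}}
CAMERA = {"NIC Vendor": "Axis Communications", "Open Ports": {80, 554},
          "OS Fingerprint": "Linux 2.6.x", "Switch Port PoE Connected Device": True}
OVERRIDDEN = {**CAMERA, "Classified by Action": {"Function": "Operational Technology > Healthcare > X-Ray"}}

if __name__ == "__main__":
    for name, rec in [("ipad", IPAD), ("pc", WINDOWS_PC), ("camera", CAMERA), ("forced", OVERRIDDEN)]:
        print(name, classify(rec))
```

Validating every rule's path against the taxonomy at load time catches the common maintenance error of a profile that votes for a category nobody renamed; the camera record also shows that a vendor dimension legitimately stays empty when no evidence reaches a vendor the taxonomy knows.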
Reduce Your IoT Attack Surface: IoT Risk Assessment
› Identify IoT devices with factory default and commonly used credentials
› Create your custom IoT credential assessment library or leverage the ForeScout provided credential library
› Create policies to automate assessment and initiate mitigation actions (alert, limit/block, segment)
Improve Security Operations & Incident Response: Web Dashboard
At-a-glance visibility: visualize device landscape & compliance from campus to cloud to OT network
Customizable views
Use Cases: Asset Management, Risk and Compliance, Incident Response
Personas: Security Operations (SOC), IT Executive & Risk Officer
Scale to Keep Up with Device Growth: Enterprise Scalability and Deployment
Management Scale
› Manage 2 million devices in a single deployment across the extended enterprise
Appliance Scale
› Double appliance capacity with half the footprint – 4x improvement in deployment density to optimize rack space and data center utilization
› Full 10Gbps traffic monitoring and analysis capacity per appliance
Deployment Ease
› Choice of virtual appliance deployments – KVM, VMware or Hyper-V
› Auto IP-allocation to manage devices across a cluster of physical or virtual appliances
Deployment Options
› Choose between Hybrid, Centralized and Role-based
› Apply HA or Failover Cluster options
Share IT, OT and IoT Device Context: Security Orchestration
› Enrich CMDBs with device context for industrial and critical infrastructure systems
› Provide IT, OT classification and IoT assessment context to SIEMs for incident correlation & response
› Tag IT, IoT and OT devices based on classification and assessment for NGFW segmentation policies
› Extend security with Advanced Threat Detection, Privileged Account Management, Vulnerability Assessment and Enterprise Mobility Management solutions
› Secure virtual environments
[Figure: Share Contextual Insight, Automate Workflows, Automate Response Actions – SDN, CLOUD]
Purchase and Consume with Ease: ForeScout Flexx Licensing
A Software-Centric Licensing Model To Consume ForeScout Products
› Purchase: Simple purchasing & licensing model
› Deploy: Flexible deployment & license portability
› Manage: Streamlined license management & compliance
› Grow: Easily add for device growth & new use cases

Questions