
DSS ITSEC 2012 ForeScout Technical RIGA


Description: Presentation from Riga, Latvia. "Data Security Solutions" Ltd. ITSEC Conference.

Page 1: DSS ITSEC 2012 ForeScout Technical RIGA

© 2012 ForeScout Technologies, Page 1 ForeScout Confidential

November 2012

ForeScout Product Overview

Hanan Levin, VP Products

Page 2: DSS ITSEC 2012 ForeScout Technical RIGA


How I (almost didn’t) Made It To Riga…

Page 3: DSS ITSEC 2012 ForeScout Technical RIGA


How I (almost didn’t) Made It To Riga…

Page 4: DSS ITSEC 2012 ForeScout Technical RIGA

ForeScout Product Solutions

Accelerate business productivity and connectivity by enabling secure corporate resource access to anyone, anywhere, anytime.

• All users: Corporate, Home workers, Guests, Contractors

• All devices: PCs, BYOD, VMs, Rogue, Off-line

• All locations: Cloud, On-site, Off-site

Diagram labels: Network access servers; Endpoints; Servers, VMs; Cloud, Off-premise endpoints

Page 5: DSS ITSEC 2012 ForeScout Technical RIGA

CounterACT Appliance Architecture

Diagram labels: EM; App1, App2, App3; RM Console

Page 6: DSS ITSEC 2012 ForeScout Technical RIGA

Device Visibility: How Is It Done?

• Remote Inspection (RI)

– Corporate hosts (requires domain credentials)

– Via WMI or via the “Remote Registry Server” service running on the host

– Run scripts via WMI or via the ForeScout service (fsprocsvc)

– File system access via Samba

• SecureConnector

– Guest users

– Hosts behind a firewall, and behind a VoIP port (trigger an IP bounce after the VLAN change)

– Where there is no domain

• Device info (used for classification and compliance)

– Windows OS, registry and file properties

– AV/P2P/IM/FW

– Microsoft vulnerabilities

– Installed applications/services/processes/open ports

– User and domain information, MAC address and network information

– Script results

Page 7: DSS ITSEC 2012 ForeScout Technical RIGA

Device Classification: How Is It Done?

• Cross devices

– HPS for managed Windows

– Mac-Linux for managed Macs/Linux

– MDM (plugins and integration) for managed iOS/Android

– Switch/Wireless plugins for configured devices

• HPS Plugin

– NMAP OS fingerprint scan

– NMAP banner scan

• Packet-Engine

– Passive fingerprint

– Browser HTTP User-Agent

– DHCP traffic

• Switch Plugin

– VoIP devices (CDP)

• Wireless Plugin

– User-Agent via SNMP

• DHCP Plugin

– DHCP Request fingerprint
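As an added illustration of the passive classification sources listed above (not ForeScout code), the snippet below combines a DHCP Request parameter list (option 55) with an HTTP User-Agent and flags disagreement between the two for follow-up active (NMAP) inspection. The signature table, patterns and observations are constructed sample data, not a vendor database.

```python
import re
from dataclasses import dataclass, field

# Constructed sample signatures: DHCP option 55 parameter request lists
# keyed to an OS label. A production table is far larger and maintained.
DHCP_SIGNATURES = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "Windows",
    (1, 3, 6, 15, 119, 252): "macOS/iOS",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android",
}

# Constructed User-Agent patterns, checked in order (most specific first).
UA_PATTERNS = [
    (re.compile(r"iPhone|iPad"), "iOS"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"Macintosh"), "macOS"),
]

@dataclass
class Observation:
    mac: str
    dhcp_param_list: tuple = ()      # option 55 values, in the order sent
    user_agents: list = field(default_factory=list)

def classify_dhcp(param_list):
    return DHCP_SIGNATURES.get(tuple(param_list), "unknown")

def classify_ua(user_agents):
    for ua in user_agents:
        for pattern, label in UA_PATTERNS:
            if pattern.search(ua):
                return label
    return "unknown"

def classify(obs):
    """Return (label, confidence). The User-Agent wins when both signals
    agree or DHCP is silent; a DHCP/UA conflict is reported as such so the
    host can be queued for active inspection instead of being guessed."""
    d, u = classify_dhcp(obs.dhcp_param_list), classify_ua(obs.user_agents)
    if d == "unknown" and u == "unknown":
        return ("unknown", "none")
    if d == "unknown":
        return (u, "low")
    if u == "unknown":
        return (d, "medium")
    if u in d or d in u:             # e.g. "iOS" within "macOS/iOS"
        return (u, "high")
    return ("conflict:%s/%s" % (d, u), "low")
```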

Page 8: DSS ITSEC 2012 ForeScout Technical RIGA


Device Remediation

• Remediate devices

– Kill P2P/IM/Processes

– Fix AV: start and update

– Run Script

– Install MS Patches

– Disable Dual-Homed

– Block External Devices

– Set Registry

Page 9: DSS ITSEC 2012 ForeScout Technical RIGA

CounterACT Integration Platform

• SIEM

– CEF support

– CounterACT sends endpoint intelligence

– CounterACT assures logging processes

– SIEM triggers CounterACT mitigation, isolation and blocking

• MDM

– Unified visibility

– Auto-enrollment

– Policy check on admission

– Access based on security posture

– Network resource restriction

• WAP

– Detection, OS classification

– Role-based assignment

– BYOD / guest

– Access control

– WLAN quarantine

• VA

– Real-time scan

– Complete scan

– Import VA results

– CounterACT remediation and granular enforcement

Page 10: DSS ITSEC 2012 ForeScout Technical RIGA

NAC Policy Engine

Diagram labels: Switch, VPN, Wi-Fi, Dir/Database, SIEM, Windows (WSUS, SCCM), Mac/Linux/iOS/Android, MDM, Antivirus, VA, all connected through the CounterACT Integration Platform

Page 11: DSS ITSEC 2012 ForeScout Technical RIGA

Database / Directory Integration

• Business intelligence via the data integration module

– Inventory and policy driven by extensive information taken from databases and directories

  – Track changes in business app data

  – Make policy decisions/actions based on business contextual data

– Push real-time network and endpoint data to business apps

– Flexible integration using custom queries

• Usage examples

– Validate user profile and rights (Corporate, BYOD, Guest, Contractor)

– Identify non-managed and non-accounted-for devices (by MAC, user, S/N, etc.)

Page 12: DSS ITSEC 2012 ForeScout Technical RIGA


Introducing CounterACT Version 7

Page 13: DSS ITSEC 2012 ForeScout Technical RIGA


Tactical Map: At-a-Glance Global Overview

Powered by Google Maps

Page 14: DSS ITSEC 2012 ForeScout Technical RIGA


Tactical Map: Per Site Compliance View

Drill down to site status information

Page 15: DSS ITSEC 2012 ForeScout Technical RIGA


Tactical Map: Locate, Alert, Mitigate

Real-time alert, locate and mitigate in seconds

Page 16: DSS ITSEC 2012 ForeScout Technical RIGA

Tactical Map: Your Network Like Never Seen Before

• A new way to view and manage global sites

– At-a-glance status of all global sites

– Draws admin attention to compliance issues

– Surfaces alerts

• Easier to scale

– Quickly track the status of globally distributed sites

• Easy, one-time setup

– Define locations and assign them to segments

• Customized view

– Tune alert thresholds

– Google Maps tools: satellite view, navigation, zoom

• Executive management tool

Page 17: DSS ITSEC 2012 ForeScout Technical RIGA

Tactical Map: Usage

1. Track overall compliance level with corporate policies

– Set compliance thresholds: compliance policies, unmanaged hosts, malicious hosts

– Identify sites not meeting the compliance level

– Drill down to non-compliant hosts

– Remediate hosts so they become compliant

2. Locate policy results per site

– Select a policy in the policy tree

– The map is filtered by the selected policy: only sites with hosts matching the policy are shown

– The table shows all matching hosts

3. Search for specific hosts

– Using the search bar, policy and filter selection

– Sites with hosts matching the search/filter are shown with bigger circles

– The table shows all matching hosts

4. Send the tactical map to the CIO

Page 18: DSS ITSEC 2012 ForeScout Technical RIGA

Real-time Inventory: Hardware

Page 19: DSS ITSEC 2012 ForeScout Technical RIGA

Real-time Inventory: Hardware

• Collect detailed device hardware information

– Such as serial numbers, CPU types, media devices and more

• Usage examples

– Validate user profile and rights (Corporate, BYOD, Guest, Contractor)

– Identify non-managed and non-accounted-for devices (by MAC, user, S/N, etc.)

– Verify valid certificate

  – Identify expired/revoked Microsoft machine-based X.509 certificates

Page 20: DSS ITSEC 2012 ForeScout Technical RIGA

Real-Time Inspection

SecureConnector: Polling Mode

• Host rechecked depending on policy

– Admissions

– Recheck periods

• Limitations

– Changes are not reflected in real time

– To achieve real time, users tend to reduce the recheck period, resulting in slower CounterACT performance

  – SC generates extensive traffic

SecureConnector: Event Driven (New)

• No need to poll hosts

– No need for host rechecks

– Not dependent on admission rechecks

• Changes monitored in real time

– SC reports immediately to CounterACT

– CounterACT displays a real-time picture

– More economical SC inspection

  – Lower bandwidth consumption/footprint

  – Higher HPS and CounterACT performance

• Usage examples

– User stops Antivirus => host status changes immediately to “not-compliant”

– User starts P2P/IM => host status changes immediately to “not-compliant”

– New process started, application installed => inventory display updated

Page 21: DSS ITSEC 2012 ForeScout Technical RIGA

Flexible Containment and Mitigation Options

• DNS enforcement

– Enable secure corporate, BYOD and guest access on remote sites with no appliances

– Redirect connecting users to the access portal

– Extend deployment scenario flexibility (e.g. multiple sites without IT teams)

• WAP VLAN quarantine

– SSID VLAN quarantine across WAP vendors using MAB & RADIUS (e.g. Cisco, Aruba)

– WAP enabled for MAB and set to authenticate against the CounterACT built-in RADIUS server

– Brocade WAP integration

• Dual-homed detection and protection

– Detect hosts with more than one active network interface, acting as a bridge between trusted and untrusted networks

– Auto-disable the network adapter (e.g. rogue WiFi connection, LAN network card, 3G adapter)

– Auto re-enable the adapter once the host is disconnected from the trusted network
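An added example, not ForeScout's implementation, of the dual-homed decision logic described in the last bullet group: a host with one interface inside the trusted address space and another outside it is treated as a bridge, the untrusted adapter is marked for disabling, and adapters switched off earlier are restored once no trusted link remains. The trusted prefixes and interface records are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: corporate prefixes that count as the trusted network.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.50.0/24")]

@dataclass
class Iface:
    name: str
    kind: str                   # "lan", "wifi", "3g" ...
    up: bool
    address: str = ""           # empty when no IP is assigned yet
    disabled_by_nac: bool = False

def is_trusted(address):
    """True when the address falls inside a trusted prefix."""
    if not address:
        return False
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in TRUSTED_NETS)

def evaluate(ifaces):
    """Return (dual_homed, actions).

    actions holds ("disable", name) for every untrusted adapter that is up
    while a trusted adapter is also up, or ("enable", name) for adapters we
    disabled earlier once the host has no trusted link left."""
    # An interface that is up but has no address cannot carry IP traffic
    # yet, so it is not counted as a second foot in a network.
    active = [i for i in ifaces if i.up and i.address]
    trusted = [i for i in active if is_trusted(i.address)]
    untrusted = [i for i in active if not is_trusted(i.address)]
    actions = []
    if trusted and untrusted:
        # Bridge condition: one foot inside, one outside.
        for i in untrusted:
            actions.append(("disable", i.name))
        return True, actions
    if not trusted:
        # Host left the trusted network: restore what we switched off.
        for i in ifaces:
            if i.disabled_by_nac:
                actions.append(("enable", i.name))
    return False, actions
```

Two trusted interfaces (for example a laptop docked on two corporate VLANs) are deliberately not flagged, since they do not bridge trusted and untrusted networks.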

Page 22: DSS ITSEC 2012 ForeScout Technical RIGA

ForeScout CounterACT 2012 Summary: CounterACT 7.0 released Nov 15th, 2012

• Policy

– Business intelligence leveraging external sources

– MDM, SIEM, WAP and VA integration

– Windows machine certificate assurance

• Baseline

– Tactical map

– Hardware inventory

• Access Control

– Best-of-breed 802.1X: troubleshooting, remediation, policy, rollout, plug & play

– Built-in RADIUS server

• Monitor, Mitigation & Containment

– Real-time, event-driven inspection

– DNS enforcement

– WAP VLAN quarantine extended

– Dual-homed detection & protection

• Guest & Profiling

– BYOD profiling template, out of the box

– Device registration (BYOD, Contractor PC)

– Sponsor pre-registration of guests

– Limit guest access time period

• Scalability

– CT-10,000, VCT-10,000

– Scaled-up Enterprise Manager

– VM compatibility: VM-tools, MS Hyper-V

Page 23: DSS ITSEC 2012 ForeScout Technical RIGA


ForeScout Mobile

ForeScout MDM

Page 24: DSS ITSEC 2012 ForeScout Technical RIGA


Employees Bringing Their Own Devices

BYOD: Gap in Corporate Security

Page 25: DSS ITSEC 2012 ForeScout Technical RIGA

ForeScout Mobile Security: Flexible Approach for BYOD

• Unifies security policy management

– Centralized visibility and enforcement

– All managed and personal devices

• Dual protection

– Network: real-time visibility, control access, block threats

– Device: compliance, remote wipe/lock, applications, data

• Choice of functionality

1. ForeScout CounterACT: basic mobile device visibility and network protection

2. ForeScout Mobile Security Module: extends visibility & control (iOS / Android)

3. ForeScout Mobile Integration Module: third-party MDM integration

4. ForeScout MDM: complete, cloud-based enterprise mobile device management

Page 26: DSS ITSEC 2012 ForeScout Technical RIGA

ForeScout Mobile Security for Android and iOS

• CounterACT Mobile plugin

– Installed on CounterACT

– Integrated with the CounterACT console, policy, inventory and reporting

• Mobile App

– Android app (apk) for Android 2.x devices

– Apple iPhone and iPad: iOS app

– Leverages Apple MDM and Live Push technologies

Screenshot captions (enrollment flow): Corp Login, Guest Reg., Browser Hijack, Profile Install, Ready, Profile Rec’d

Page 27: DSS ITSEC 2012 ForeScout Technical RIGA

ForeScout Mobile

• ForeScout Mobile Security Module

– Mobile device inspection

– Corp/BYOD/Guest access control

– Mobile compliance and remediation

– Device configuration and restrictions

– Supports iOS and Android

– iOS jailbreak detection

– Remote wipe/lock/reset password

– Coming soon: manage/control off-site mobile devices; Win Mobile; Blackberry

• ForeScout Mobile Integration Module (third-party MDM)

– Fiberlink

– SAP/Afaria

– MobileIron

– Coming soon: AirWatch, Zenprise, Good, Boxtone

Page 28: DSS ITSEC 2012 ForeScout Technical RIGA

ForeScout Mobile: iOS Architecture

Diagram labels: Mobile Cloud (APNS); BYOD, Corp; Unsecured Network; Guest Network; Production Network

Flow shown in the diagram:

1. User connects to an unsecured WiFi network

2. User hijacked: authenticated and classified (AD/RADIUS, DB)

3. BYOD/Corp MDM profile set on the mobile device

4. Mobile device checked for compliance (via MDM)

5. User allowed access to the production network

6. Install mobile apps: notifications, corporate proprietary

Page 29: DSS ITSEC 2012 ForeScout Technical RIGA

ForeScout MDM: Cloud, Device, Network (Hybrid Cloud and On-Premise Mobile Security)

ForeScout MDM, powered by MaaS360

Diagram labels: ForeScout CounterACT; ForeScout MDM Console; device platforms: BlackBerry, Symbian, Windows, webOS, Android (Agent), Apple iOS (MDM API); Cloud Extenders

Page 30: DSS ITSEC 2012 ForeScout Technical RIGA


Thank You