dss itsec 2012 forescout technical riga
DESCRIPTION
Presentation from Riga, Latvia. "Data Security Solutions" Ltd. ITSEC Conference.
TRANSCRIPT
© 2012 ForeScout Technologies, Page 1 ForeScout Confidential
November 2012
ForeScout Product Overview
Hanan Levin, VP Products
How I (almost didn’t) Made It To Riga…
ForeScout Product Solutions
Accelerate business productivity and connectivity by enabling secure corporate resource access to anyone, anywhere, anytime
• All users: Corporate, Home workers, Guests, Contractors
• All devices: PCs, BYOD, VMs, Rogue, Off-line
• All locations: Cloud, On-site, Off-site
Diagram labels: Network access servers, Endpoints, Servers/VMs, Cloud, Off-premise endpoints
CounterACT Appliance Architecture
Diagram labels: EM, App1, App2, App3, RM, Console
Device Visibility: How Is It Done?
• Remote Inspection (RI)
– Corporate hosts (requires domain credentials)
– Via WMI, or via the “Remote Registry Server” service running on the host
– Run scripts via WMI or via the ForeScout service (fsprocsvc)
– File system access via Samba (SMB)
• SecureConnector
– Guest users
– Hosts behind a firewall, or behind a VoIP port (triggers an IP bounce after the VLAN change)
– Where there is no domain
• Device info (used for classification and compliance)
– Windows OS, registry and file properties
– AV/P2P/IM/FW
– Microsoft vulnerabilities
– Installed applications, services, processes, open ports
– User and domain information, MAC address and network information
– Script results
Device Classification: How Is It Done?
• Across device types
– HPS for managed Windows
– Mac-Linux for managed Macs/Linux
– MDM (plugins and integration) for managed iOS/Android
– Switch/Wireless plugins for configured devices
• HPS Plugin
– NMAP OS fingerprint scan
– NMAP banner scan
• Packet Engine
– Passive fingerprinting
– Browser HTTP User-Agent
– DHCP traffic
• Switch Plugin
– VoIP devices (CDP)
• Wireless Plugin
– User-Agent via SNMP
• DHCP Plugin
– DHCP request fingerprint
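The two passive signals named above (the DHCP request fingerprint and the browser User-Agent) have to be reconciled when they disagree, which is where a classifier earns its keep. The block below is an added example, not ForeScout's HPS, Packet Engine or DHCP plugin code; the fingerprint tables, the User-Agent patterns and the "DHCP wins on conflict" rule are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed fingerprint tables for the example (not ForeScout plugin data):
# DHCP option 55 "parameter request list" sequences and HTTP User-Agent
# patterns, each attributed to an OS family.
DHCP_FINGERPRINTS = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "Windows",
    (1, 3, 6, 15, 119, 252): "macOS/iOS",
    (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42): "Linux",
}
UA_PATTERNS = [  # order matters: Android User-Agents also contain "Linux"
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"iPhone|iPad|Mac OS X"), "macOS/iOS"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Linux"), "Linux"),
]

@dataclass
class Classification:
    os_family: str
    source: str             # evidence that decided: "dhcp", "user-agent", "both", "none"
    conflict: bool = False  # the two sources disagree; flag for manual review

def classify_dhcp(params: Sequence[int]) -> Optional[str]:
    # Exact match on the option 55 list as sent in the DHCP Request.
    return DHCP_FINGERPRINTS.get(tuple(params))

def classify_user_agent(ua: str) -> Optional[str]:
    for pattern, family in UA_PATTERNS:
        if pattern.search(ua):
            return family
    return None

def classify(params: Optional[Sequence[int]] = None, ua: Optional[str] = None) -> Classification:
    """Combine both passive signals: agreement -> high confidence; disagreement ->
    keep the DHCP verdict (a browser header is the easier one to alter) but flag it."""
    by_dhcp = classify_dhcp(params) if params else None
    by_ua = classify_user_agent(ua) if ua else None
    if by_dhcp and by_ua:
        if by_dhcp == by_ua:
            return Classification(by_dhcp, "both")
        return Classification(by_dhcp, "dhcp", conflict=True)
    if by_dhcp:
        return Classification(by_dhcp, "dhcp")
    if by_ua:
        return Classification(by_ua, "user-agent")
    return Classification("unknown", "none")
```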
Device Remediation
• Remediate devices
– Kill P2P/IM/Processes
– Fix AV: start and update
– Run Script
– Install MS Patches
– Disable Dual-Homed
– Block External Devices
– Set Registry
CounterACT Integration Platform
• SIEM
– CEF support
– CounterACT sends endpoint intelligence
– CounterACT assures logging processes
– SIEM triggers CounterACT mitigation, isolation and blocking
• MDM
– Unified visibility
– Auto-enrollment
– Policy check on admission
– Access based on security posture
– Network resource restriction
• WAP
– Detection, OS classification
– Role-based assignment
– BYOD / guest
– Access control
– WLAN quarantine
• VA
– Real-time scan
– Complete scan
– Import VA results
– CounterACT remediation and granular enforcement
NAC Policy Engine
Diagram labels: Switch, VPN, Wi-Fi, Directory, Database, SIEM, Windows (WSUS, SCCM), Mac, Linux, iOS, Android, MDM, Antivirus, VA; all attached through the CounterACT Integration Platform
Database / Directory Integration
• Business intelligence via the data integration module
– Inventory and policy driven by extensive information taken from databases and directories
Track changes in business application data
Make policy decisions and take actions based on business context
– Push real-time network and endpoint data to business applications
– Flexible integration using custom queries
• Usage examples
– Validate user profile and rights (Corporate, BYOD, Guest, Contractor)
– Identify non-managed and non-accounted-for devices (by MAC, user, S/N, etc.)
Introducing CounterACT Version 7
Tactical Map: At-a-Glance Global Overview
Powered by Google Maps
Tactical Map: Per Site Compliance View
Drill down to site status information
Tactical Map: Locate, Alert, Mitigate
Real-time alert, locate and mitigate in seconds
Tactical Map: Your Network Like Never Seen Before
• A new way to look at, and manage, global sites
– At-a-glance status of every global site
– Draws admin attention to compliance issues
– Surfaces alerts
• Easier to scale
– Quickly track the status of globally distributed sites
• Easy, one-time setup
– Define locations and assign them to segments
• Customized view
– Tune alert thresholds
– Google Maps tools: satellite view, navigation, zoom
• Executive management tool
Tactical Map: Usage
1. Track overall compliance level with corporate policies
– Set compliance thresholds: compliance policies, unmanaged hosts, malicious hosts
– Identify sites not meeting the compliance level
– Drill down to non-compliant hosts
– Remediate hosts to bring them into compliance
2. Locate policy results per site
– Select a policy in the policy tree
– The map is filtered by the selected policy: only sites with hosts matching the policy are shown
– The table shows all matching hosts
3. Search for specific hosts
– Using the search bar, policy and filter selection
– Sites with hosts matching the search/filter are shown with bigger circles
– The table shows all matching hosts
4. Send the tactical map to the CIO
Real-time Inventory: Hardware
• Collect detailed device hardware information
– e.g. serial numbers, CPU types, media devices and more
• Usage examples
– Validate user profile and rights (Corporate, BYOD, Guest, Contractor)
– Identify non-managed and non-accounted-for devices (by MAC, user, S/N, etc.)
– Verify valid certificate
Identify expired/revoked Microsoft machine-based X.509 certificates
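The usage examples on the Database / Directory Integration slide and on this hardware inventory slide are the same two queries: find what is on the network but not in the business records, and check the user against the recorded owner. The block below is an added example of that custom-query join, not ForeScout's data integration module; the SQLite schema, the asset and endpoint rows and the category-to-access mapping are constructed for illustration.

```python
import sqlite3

# Constructed example of the custom-query integration: a CMDB-style asset
# table (what the business records) is joined with endpoints seen on the
# network (what the inventory reports). Schema, columns and rows are
# assumptions for the example, not ForeScout's data model.
SCHEMA = """
CREATE TABLE assets(serial TEXT, mac TEXT, owner TEXT, category TEXT);
CREATE TABLE seen(mac TEXT, serial TEXT, user TEXT, ip TEXT);
"""
ASSETS = [("SN-001", "00:11:22:33:44:01", "alice", "Corporate"),
          ("SN-002", "00:11:22:33:44:02", "bob", "Contractor")]
SEEN = [("00:11:22:33:44:01", "SN-001", "alice", "10.0.0.5"),
        ("00:11:22:33:44:02", "SN-002", "mallory", "10.0.0.6"),  # owner mismatch
        ("00:11:22:33:44:99", "SN-999", "eve", "10.0.0.7")]      # unknown to the CMDB

def load() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO assets VALUES (?,?,?,?)", ASSETS)
    db.executemany("INSERT INTO seen VALUES (?,?,?,?)", SEEN)
    return db

def unaccounted(db):
    """Endpoints on the network with no asset record by MAC or by serial number."""
    return db.execute("""
        SELECT s.mac, s.ip FROM seen s
        LEFT JOIN assets a ON a.mac = s.mac OR a.serial = s.serial
        WHERE a.serial IS NULL""").fetchall()

def owner_mismatch(db):
    """Known asset, but the logged-in user is not its recorded owner."""
    return db.execute("""
        SELECT s.mac, a.owner, s.user FROM seen s
        JOIN assets a ON a.mac = s.mac
        WHERE a.owner <> s.user""").fetchall()

def access_profile(db, mac: str) -> str:
    """Access the policy would grant from the asset category; unknown MAC -> guest."""
    row = db.execute("SELECT category FROM assets WHERE mac = ?", (mac,)).fetchone()
    if row is None:
        return "guest"
    return {"Corporate": "full", "Contractor": "restricted"}.get(row[0], "guest")
```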
Real-Time Inspection
SecureConnector: Polling Mode
• Host rechecked depending on policy
– Admissions
– Recheck periods
• Limitations
– Changes not reflected in real time
– To achieve real time, users tend to reduce the re-check period, resulting in slower CounterACT performance
SC generates extensive traffic
SecureConnector: Event Driven (New)
• No need to poll hosts
– No need for host rechecks
– Not dependent on admission rechecks
• Changes monitored in real time
– SC reports immediately to CounterACT
– CounterACT displays a real-time picture
– More economical SC inspection
Lower bandwidth consumption/footprint
Higher HPS and CounterACT performance
• Usage examples
– User stops antivirus => host status changes immediately to "not-compliant"
– User starts P2P/IM => host status changes immediately to "not-compliant"
– New process started or application installed => inventory display updated
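The difference between the two modes is easiest to see on a timeline: the same host events, once evaluated at the moment they happen and once as a poller with a fixed re-check period would observe them. The block below is an added model of that comparison, not SecureConnector code; the event schema, the P2P/IM process list and the sample event stream are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the two inspection modes (assumed event schema and
# sample stream, not SecureConnector's real one).
P2P_IM_PROCESSES = {"utorrent.exe", "bittorrent.exe", "skype.exe"}

@dataclass
class HostState:
    antivirus_running: bool = True
    processes: set = field(default_factory=set)

    def compliant(self) -> bool:
        return self.antivirus_running and not (self.processes & P2P_IM_PROCESSES)

def apply_event(host: HostState, event: dict) -> bool:
    """Update the host from one event; return the new compliance verdict."""
    kind, name = event["type"], event["name"].lower()
    if kind == "service_stopped" and name == "antivirus":
        host.antivirus_running = False
    elif kind == "service_started" and name == "antivirus":
        host.antivirus_running = True
    elif kind == "process_started":
        host.processes.add(name)
    elif kind == "process_exited":
        host.processes.discard(name)
    return host.compliant()

def event_driven_timeline(events):
    """Verdict at the moment of each event: (time, compliant). Zero latency."""
    host = HostState()
    return [(e["t"], apply_event(host, e)) for e in sorted(events, key=lambda e: e["t"])]

def polling_timeline(events, period, horizon):
    """Verdict as a poller with the given re-check period sees it: (poll time, compliant).
    A change is noticed only at the next poll; one undone before then is never seen."""
    host, out, pending = HostState(), [], sorted(events, key=lambda e: e["t"])
    for t in range(period, horizon + 1, period):
        while pending and pending[0]["t"] <= t:
            apply_event(host, pending.pop(0))
        out.append((t, host.compliant()))
    return out

EVENTS = [  # constructed sample stream; t is seconds since the host was admitted
    {"t": 10, "type": "process_started", "name": "chrome.exe"},
    {"t": 95, "type": "service_stopped", "name": "antivirus"},
    {"t": 130, "type": "service_started", "name": "antivirus"},
    {"t": 140, "type": "process_started", "name": "uTorrent.exe"},
]
```

With a 60 s re-check period the poller reports the antivirus stop 25 s late; with a 300 s period the 35 s antivirus outage between t=95 and t=130 is never observed at all.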
Flexible Containment and Mitigation Options
• DNS enforcement
– Enable secure corporate, BYOD and guest access on remote sites with no appliances
– Redirect connecting users to the access portal
– Extend deployment scenario flexibility (e.g. multiple sites without IT teams)
• WAP VLAN quarantine
– SSID VLAN quarantine across WAP vendors using MAB & RADIUS (e.g. Cisco, Aruba)
– WAP enabled for MAB and set to authenticate against the CounterACT built-in RADIUS server
– Brocade WAP integration
• Dual-homed detection and protection
– Detect hosts with more than one active network interface, acting as a bridge between trusted and untrusted networks
– Auto-disable the network adapter (e.g. rogue WiFi connection, LAN network card, 3G adapter)
– Auto re-enable the adapter once the host is disconnected from the trusted network
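The dual-homed rule above has three states worth getting right: a host bridging a trusted and an untrusted network (disable the untrusted adapter), a host with only trusted or only untrusted links (nothing to do), and a host that has left the trusted network (give back the adapter that was disabled earlier). The block below is an added example of that decision logic, not ForeScout's implementation; the interface record, the trusted-prefix list and the returned actions are assumptions for illustration, and nothing here touches a real adapter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example of the dual-homed decision. The interface record, the
# trusted-prefix list and the action tuples are assumptions for the example,
# not ForeScout's data model; actions are returned, never executed.
TRUSTED_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.50.0/24")]

@dataclass(frozen=True)
class Interface:
    name: str
    kind: str                       # "lan", "wifi", "3g"
    up: bool
    address: Optional[str]          # configured address, None when unconfigured
    disabled_by_nac: bool = False   # adapter switched off on an earlier pass

def is_trusted(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in TRUSTED_PREFIXES)

def active(interfaces: List[Interface]) -> List[Interface]:
    """Interfaces that really carry a network: up, addressed, not loopback/APIPA."""
    out = []
    for i in interfaces:
        if i.up and i.address:
            ip = ipaddress.ip_address(i.address)
            if not (ip.is_loopback or ip.is_link_local):
                out.append(i)
    return out

def evaluate(interfaces: List[Interface]) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (dual_homed, actions); each action is ("disable"|"enable", adapter name)."""
    live = active(interfaces)
    trusted = [i for i in live if is_trusted(i.address)]
    untrusted = [i for i in live if not is_trusted(i.address)]
    if trusted and untrusted:
        # Host bridges a trusted and an untrusted network: cut the untrusted side.
        return True, [("disable", i.name) for i in untrusted]
    if not trusted:
        # Host has left the trusted network: hand back what was disabled earlier.
        return False, [("enable", i.name) for i in interfaces if i.disabled_by_nac]
    return False, []
```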
ForeScout CounterACT 2012 Summary: CounterACT 7.0 released Nov 15th, 2012
• Policy
– Business intelligence leveraging external sources
– MDM, SIEM, WAP and VA integration
– Windows machine certificate assurance
• Baseline
– Tactical map
– Hardware inventory
• Access Control
– Best-of-breed 802.1X: troubleshooting, remediation, policy, rollout, plug & play
– Built-in RADIUS server
• Monitor, Mitigation & Containment
– Real-time, event-driven inspection
– DNS enforcement
– WAP VLAN quarantine extended
– Dual-homed detection & protection
• Guest & Profiling
– BYOD profiling template, out of the box
– Device registration (BYOD, contractor PC)
– Sponsor pre-registration of guests
– Limit guest access time period
• Scalability
– CT-10,000, VCT-10,000
– Scaled-up Enterprise Manager
– VM compatibility: VM-tools, MS Hyper-V
ForeScout Mobile
ForeScout MDM
Employees Bringing Their Own Devices
BYOD: Gap in Corporate Security
ForeScout Mobile Security: Flexible Approach for BYOD
• Unifies security policy management
– Centralized visibility and enforcement
– All managed and personal devices
• Dual protection
– Network: real-time visibility, access control, threat blocking
– Device: compliance, remote wipe/lock, applications, data
• Choice of functionality
1. ForeScout CounterACT: basic mobile device visibility and network protection
2. ForeScout Mobile Security Module: extends visibility & control (iOS / Android)
3. ForeScout Mobile Integration Module: third-party MDM integration
4. ForeScout MDM: complete, cloud-based enterprise mobile device management
ForeScout Mobile Security for Android and iOS
• CounterACT Mobile plugin
– Installed on CounterACT
– Integrated with the CounterACT console, policy, inventory and reporting
• Mobile App
– Android app (apk) for Android 2.x devices
– Apple iPhone and iPad: iOS app
– Leverages Apple MDM and Live Push technologies
Flow diagram labels: Corp Login / Guest Reg. → Browser Hijack → Profile Install → Ready / Profile Rec'd
ForeScout Mobile
ForeScout Mobile Security Module
– Mobile device inspection
– Corp/BYOD/Guest access control
– Mobile compliance and remediation
– Device configuration and restrictions
– Supports iOS and Android
– iOS jailbreak detection
– Remote wipe/lock/reset password
– Coming soon
Manage/control off-site mobile devices
Windows Mobile
BlackBerry
ForeScout Mobile Integration Module
– Fiberlink
– SAP Afaria
– MobileIron
– Coming soon
AirWatch
Zenprise
Good
Boxtone
ForeScout Mobile: iOS Architecture
Diagram labels: Mobile Cloud (APNS), BYOD, Corp, Unsecured Network, Production Network, Guest Network
Flow:
1. User connects to the unsecured WiFi network
2. User is hijacked (redirected), authenticated and classified (AD/RADIUS, DB)
3. BYOD/Corp MDM profile is set on the mobile device
4. Mobile device is checked for compliance (via MDM)
5. User is allowed access to the production network
6. Install mobile apps: notifications, corporate proprietary
ForeScout MDM: Cloud, Device, Network. Hybrid Cloud and On-Premise Mobile Security
ForeScout MDM, powered by MaaS360
Diagram labels: ForeScout CounterACT, ForeScout MDM Console, Cloud Extenders, MDM API, Agent; platforms: BlackBerry, Symbian, Windows, webOS, Android, Apple iOS
Thank You