Throughwave Day 2015 - ForeScout Automated Security Control
TRANSCRIPT
Phatchara Maichandi, Presales Engineer
Throughwave (Thailand) Co., Ltd.
© 2014 ForeScout Technologies, Page 2
• Enterprise Security Trend
• ForeScout Capabilities
• ForeScout Integration
• BYOD Security
• Case Studies
• Conclusion
[Diagram: corporate resources (users, applications, network devices) reached by managed endpoints, a cluster of VMs and non-corporate devices; gaps called out: antivirus out of date, unauthorized application, agents not installed or not running]
Outdated NAC
• Complex architecture
• Requires reconfiguration and upgrade of existing switches
• Requires installation of endpoint agents
• Requires 802.1X
• Long drawn-out implementations
• Brittle, prone to disruption and breakage
Fast and easy deployment
– No infrastructure changes or network upgrades
– No need for endpoint agents
– 802.1X is optional
– Integrated appliance (physical or virtual)
Streamline and automate existing IT processes
– Guest registration
– MDM enrollment
– BYOD onboarding
– Asset intelligence
Shift away from restrictive allow-or-deny policies
– Flexible controls, based on user and device context
– Preserve user experience
Integrate with other IT systems
– Break down information silos
– Reduce window of vulnerability by automating controls & actions
Strong Foundation
• In business 13 years
• Campbell, CA headquarters
• 200+ global channel partners
Market Leadership
• #1 independent Network Access Control (NAC) market leader
• Focus: Pervasive Network Security
Enterprise Deployments
• 1,800+ customers worldwide
• Financial services, government, healthcare, manufacturing, retail, education
• From 100 to >1M endpoints
• From 62 countries around the world
*Magic Quadrant for Network Access Control, December 2014, Gartner Inc.
*This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner "Magic Quadrant for Network Access Control," Lawrence Orans and Claudio Neiva, December 10, 2014.
Real-time Intelligence
• Device type, owner, login, location
• Applications, security profile
• Captures transient users and devices
Granular Controls
• Device and user-specific policies
• Mitigate OS, configuration and security risks
• Start/stop applications and disable peripherals
Information Sharing and Automation
• Bi-directional information exchange
• Automated mitigation and control
• Enhanced collaboration
See: Who and what are on your network?
Grant: Allow, limit or block network access
Fix: Remediate endpoint systems
Protect: Block internal attacks
Who are you? • Employee • Partner • Contractor • Guest
Who owns your device? • Corporate • BYOD • Rogue
What type of device? • Windows, Mac • iOS, Android • VM • Non-user devices
What is the device hygiene? • Configuration • Software • Services • Patches • Security Agents
Where/how are you connecting? • Switch • Controller • VPN • Port, SSID • IP, MAC • VLAN
Dynamic and Multi-faceted (discovery sources)
• DHCP requests
• AD, LDAP, RADIUS server
• Agent
• Active Directory
• Mirror traffic
• Nmap scan
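The first of those sources, DHCP requests, is the one most often used for agentless classification: a client's request carries its hardware address plus a vendor class identifier (option 60) and a parameter request list (option 55), and the order of that list is a well-known OS fingerprint. The Python below is an added example written for this transcript, not ForeScout or CounterACT code: it builds a few constructed DHCP requests, parses them from raw bytes, and classifies them with a small OUI table and vendor-class heuristics (the table, the MACs and the "Apple sends no option 60" rule are assumptions for illustration, not a production fingerprint database).

```python
"""Agentless endpoint classification from a passively observed DHCP request.

Added example for this transcript, not ForeScout or CounterACT code. It parses
a raw BOOTP/DHCP message, extracts the client MAC, vendor class identifier
(option 60) and parameter request list (option 55), and combines them with a
MAC OUI lookup to decide device type. The OUI table and the fingerprints below
are small constructed samples, not a production database.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field
OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_VENDOR_CLASS, OPT_END = 53, 55, 60, 255

# Constructed OUI sample (assumption: illustrative, not the full IEEE registry).
OUI_VENDORS = {
    "00:50:56": "VMware",
    "00:15:5d": "Microsoft Hyper-V",
    "3c:22:fb": "Apple",
}


def build_dhcp_request(mac: str, options: list[tuple[int, bytes]]) -> bytes:
    """Construct a minimal DHCP message so the example runs offline."""
    hw = bytes.fromhex(mac.replace(":", ""))
    # op=BOOTREQUEST, htype=Ethernet, hlen, hops, xid, secs, flags, 4 addresses
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(hw), 0, 0x3903F326,
                         0, 0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = hw.ljust(16, b"\0")            # 16-byte client hardware address field
    sname, file = b"\0" * 64, b"\0" * 128   # unused legacy BOOTP fields
    body = DHCP_MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options)
    return header + chaddr + sname + file + body + bytes([OPT_END])


def parse_dhcp(packet: bytes) -> dict:
    """Return the client MAC and a {code: value} map of DHCP options."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = packet[2]
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                  # pad option, single byte
            i += 1
            continue
        if i + 1 >= len(packet):            # truncated option header
            break
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"mac": mac, "options": options}


def classify(parsed: dict) -> dict:
    """Infer OS family and whether the MAC belongs to a hypervisor vendor.

    Heuristics (assumptions for the example): Windows clients send a vendor
    class starting with "MSFT", Android clients send "android-dhcp-<ver>",
    and Apple clients usually send no option 60, so an Apple OUI with no
    vendor class is taken as Apple.
    """
    opts = parsed["options"]
    vendor_class = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    param_list = list(opts.get(OPT_PARAM_LIST, b""))
    hw_vendor = OUI_VENDORS.get(parsed["mac"][:8], "unknown")
    if vendor_class.startswith("MSFT"):
        os_family = "Windows"
    elif vendor_class.startswith("android-dhcp"):
        os_family = "Android"
    elif hw_vendor == "Apple" and not vendor_class:
        os_family = "Apple"
    else:
        os_family = "unknown"
    return {
        "mac": parsed["mac"],
        "os_family": os_family,
        "virtual": hw_vendor in ("VMware", "Microsoft Hyper-V"),
        "hw_vendor": hw_vendor,
        "fingerprint": ",".join(map(str, param_list)),  # option 55 order is the fingerprint
    }


# Constructed sample requests (assumption: made-up MACs and option values).
SAMPLES = [
    build_dhcp_request("00:50:56:ab:cd:ef", [(OPT_MSG_TYPE, b"\x03"),
                       (OPT_VENDOR_CLASS, b"MSFT 5.0"),
                       (OPT_PARAM_LIST, bytes([1, 3, 6, 15, 31, 33, 43, 44]))]),
    build_dhcp_request("3c:22:fb:10:20:30", [(OPT_MSG_TYPE, b"\x03"),
                       (OPT_PARAM_LIST, bytes([1, 121, 3, 6, 15, 119, 252]))]),
    build_dhcp_request("a4:c3:f0:00:11:22", [(OPT_MSG_TYPE, b"\x03"),
                       (OPT_VENDOR_CLASS, b"android-dhcp-10"),
                       (OPT_PARAM_LIST, bytes([1, 3, 6, 15, 26, 28, 51, 58, 59]))]),
]


def classify_samples() -> list[dict]:
    return [classify(parse_dhcp(pkt)) for pkt in SAMPLES]


if __name__ == "__main__":
    for result in classify_samples():
        print(result)
```

The point a practitioner should take from it: a MAC OUI alone says who made the NIC, not what is running on it, and a vendor class is only what the client chose to send, so a passive classifier should record its evidence (here the option 55 fingerprint string) rather than a bare verdict, so that a later active source such as an Nmap scan or an agent can overrule it.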
Complete Situational Awareness
• See devices: managed, unmanaged, wired, wireless, PC, mobile…
• Compliance problems: agents, apps, vulnerabilities, configurations
• Filter information by: business unit, location, device type…
• See device details: what, where, who, security posture…
• Site summary: devices, policy violations…
Control actions, from modest to strong
Alert / Allow:
• Open trouble ticket
• Send email notification
• SNMP traps
• Start application
• Run script
• Auditable end-user acknowledgement
• Send information to external systems such as SIEM etc.
• HTTP browser hijack
Trigger / Limit:
• Deploy a virtual firewall around the device
• Reassign the device to a VLAN with restricted access
• Update access lists (ACLs) on switches, firewalls and routers to restrict access
• DNS hijack (captive portal)
• Automatically move device to a pre-configured guest network
• Trigger external controls such as endpoint protection, VA etc.
Remediate / Block:
• Move device to quarantine VLAN
• Block access with 802.1X
• Alter login credentials to block access, VPN block
• Block access with device authentication
• Turn off switch port (802.1X, SNMP)
• Install/update agents, trigger external remediation systems
• Wi-Fi port block
• Visibility of corporate and personal devices
• Network Access Control
– Identify who, what, where, when, configuration, security posture
• Flexible policy controls
– Register guests
– Grant access (none, limited, full)
– Enforce time of day, connection type, device type controls
• Block unauthorized devices from the network
[Diagram: employee, contractor, guest and unauthorized users mapped against web, email and CRM resources]
Access paths by user type and device ownership
• Guest: guest registration → sponsor authorization → Internet access
• Contractor/Partner: authenticate via contractor credentials → BYOD posture check → limited internal access
• Employee, personal device: authenticate via corporate credentials → BYOD posture check → internal access
• Employee, corporate asset: authenticate via corporate credentials → corporate asset posture check → internal access
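The access paths above and the modest-to-strong control ladder on the earlier control-actions slide are two halves of one decision: who and what the endpoint is fixes the tier it may reach, and how far and how long it falls short of posture fixes how hard the response is. The Python below is an added example, not CounterACT's policy engine or its policy syntax, that encodes both so one endpoint context yields an access tier and an enforcement action together; the grace period, the posture rules and the sample endpoints are assumptions made for illustration.

```python
"""Context-based access decision with graduated enforcement.

Added example, not CounterACT's policy engine or its policy syntax. It encodes
the access paths above (guest, contractor/partner, employee on a personal
device, employee on a corporate asset) together with the modest-to-strong
response ladder from the control-actions slide, so one endpoint context yields
both an access tier and an enforcement action. The grace period, the posture
rules and the sample endpoints are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum

GRACE_HOURS = 24.0   # assumption: notify-only window before access is reduced


class Access(Enum):
    NONE = "none"
    INTERNET = "internet only"
    LIMITED = "limited internal"
    INTERNAL = "internal"


@dataclass
class Endpoint:
    user_type: str              # "guest", "contractor", "employee" or "unknown"
    owner: str                  # "corporate", "personal" or "rogue"
    authenticated: bool         # credentials checked, or guest sponsor-authorized
    av_running: bool
    agent_installed: bool
    patched: bool
    noncompliant_for: float = 0.0   # hours this endpoint has stayed non-compliant


def intended_access(ep: Endpoint) -> Access:
    """Tier the user/device pairing is entitled to once it passes posture."""
    if not ep.authenticated or ep.owner == "rogue":
        return Access.NONE
    return {"guest": Access.INTERNET,
            "contractor": Access.LIMITED,
            "employee": Access.INTERNAL}.get(ep.user_type, Access.NONE)


def posture_findings(ep: Endpoint) -> list[str]:
    """BYOD gets the lighter check; corporate assets must also carry the agent and patches."""
    if ep.user_type == "guest":
        return []                       # guests are registered, not posture-checked
    findings = []
    if not ep.av_running:
        findings.append("antivirus not running")
    if ep.owner == "corporate":
        if not ep.agent_installed:
            findings.append("management agent missing")
        if not ep.patched:
            findings.append("patches missing")
    return findings


def decide(ep: Endpoint) -> tuple[Access, str]:
    """Return (granted access, enforcement action) for one endpoint.

    Ladder: compliant -> allow; fresh violation -> allow plus HTTP notification
    (modest); violation older than the grace period -> restricted VLAN (limit);
    corporate asset without antivirus, or an unauthorised device -> block.
    """
    access = intended_access(ep)
    if access is Access.NONE:
        return Access.NONE, "block; redirect to guest registration"
    findings = posture_findings(ep)
    if not findings:
        return access, "allow"
    if ep.owner == "corporate" and "antivirus not running" in findings:
        return Access.NONE, "quarantine VLAN; reinstall/start antivirus agent"
    if ep.noncompliant_for > GRACE_HOURS:
        reduced = Access.LIMITED if access is Access.INTERNAL else Access.INTERNET
        return reduced, "restricted VLAN; " + "; ".join(findings)
    return access, "allow; HTTP notification: " + "; ".join(findings)


if __name__ == "__main__":
    # Constructed sample contexts (assumption: not real inventory data).
    for ep in [Endpoint("employee", "corporate", True, True, True, True),
               Endpoint("employee", "personal", True, False, False, False, 2.0),
               Endpoint("employee", "personal", True, False, False, False, 48.0),
               Endpoint("employee", "corporate", True, True, True, False, 30.0),
               Endpoint("guest", "personal", True, False, False, False),
               Endpoint("unknown", "rogue", True, True, True, True)]:
        print(ep.user_type, ep.owner, "->", *decide(ep))
```

Two design choices worth keeping when writing real policy: the tier is computed before posture, so a non-compliant device can only be moved down from what it was entitled to and never up; and the time in violation is an input, which is what turns "notify" into "restrict" without a human re-evaluating every device.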
CounterACT Deployed at the Core Layer
[Diagram, shown in three build-up views: CounterACT Enterprise Manager attached to the core switches through a management port and receiving mirror traffic from them; integrations with Active Directory, SCCM, endpoint protection, SIEM, VA, MDM and ATD; data center, server farm and remote users arriving through the VPN concentrator]
Switches & Routers
Network Devices
Endpoints
IT Network Services
Wireless
Firewall & VPN
Endpoint & APT Protection
Vulnerability Assessment
SIEM/GRC
MDM
• Visibility of all devices, unmanaged & rogue
• Does not require agents
• Automate agent installation, activation, update
• Quarantine and remediate
• Bi-directional integration
– Endpoint protection
– Vulnerability Assessment
– Advanced Threat Detection
– Patch management
• ForeScout sends both low-level (who, what, where) and high-level (compliance status) information about endpoints to SIEM
• SIEM correlates ForeScout information with information from other sources and identifies risks posed by infected, malicious or high-risk endpoints
• SIEM initiates automated risk mitigation using ForeScout
• ForeScout takes risk mitigation action on endpoint
[Diagram: ForeScout sends real-time info to the SIEM; the SIEM correlates it and identifies risks, then initiates mitigation; ForeScout remediates or quarantines the endpoint]
[Diagram: endpoint connects to the switch; CounterACT initiates a scan on the Vulnerability Assessment system; the scan runs against the endpoint; scan results return to CounterACT, which blocks or allows the endpoint]
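The scan-on-connect flow in that diagram has a step the picture does not show: what happens while the scan is still running, or if it never returns. The Python below is an added example, not ForeScout's VA integration or any scanner vendor's API, that holds a newly connected endpoint in a restricted state until a result arrives, decides allow or block by a CVSS threshold, and treats a timed-out or errored scan as a block rather than a silent allow. The scanner is a constructed stub with canned results; the threshold, timeout, hosts and finding titles are assumptions.

```python
"""Connect-time vulnerability scan gate with fail-closed handling.

Added example, not ForeScout's VA integration or any scanner vendor's API.
A newly connected endpoint is held restricted while a scan is requested; the
result decides allow or block by a CVSS threshold; a scan that errors or never
finishes is blocked (fail closed) instead of quietly allowed. The scanner is a
constructed stub with canned results, and the threshold and timeout are
assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum

CVSS_BLOCK_THRESHOLD = 7.0   # assumption: any High/Critical finding blocks
SCAN_TIMEOUT_S = 300         # assumption: stop waiting after five minutes


class State(Enum):
    RESTRICTED = "restricted (scan pending)"
    ALLOWED = "allowed"
    BLOCKED = "blocked"


@dataclass
class Finding:
    title: str
    cvss: float


@dataclass
class ScanResult:
    status: str                        # "done", "running" or "error"
    findings: list = field(default_factory=list)


class StubScanner:
    """Constructed stand-in for a VA system; results are keyed by job id."""

    def __init__(self, canned: dict):
        self.canned = canned
        self.requested = []            # IPs for which scans were started

    def start_scan(self, ip: str) -> str:
        self.requested.append(ip)
        return f"job-{ip}"

    def get_result(self, job_id: str) -> ScanResult:
        return self.canned.get(job_id, ScanResult("error"))


def evaluate(job_id: str, scanner: StubScanner, elapsed_s: float) -> tuple[State, str]:
    """Poll one scan job and turn its state into a network decision."""
    result = scanner.get_result(job_id)
    if result.status == "running":
        if elapsed_s >= SCAN_TIMEOUT_S:
            return State.BLOCKED, "scan did not finish in time; fail closed"
        return State.RESTRICTED, f"scan running for {elapsed_s:.0f}s"
    if result.status != "done":
        return State.BLOCKED, "scanner error; fail closed"
    worst = max((f.cvss for f in result.findings), default=0.0)
    if worst >= CVSS_BLOCK_THRESHOLD:
        bad = [f.title for f in result.findings if f.cvss >= CVSS_BLOCK_THRESHOLD]
        return State.BLOCKED, "high-severity findings: " + ", ".join(bad)
    return State.ALLOWED, f"worst CVSS {worst:.1f} is below {CVSS_BLOCK_THRESHOLD}"


# Constructed canned results (assumption: invented hosts and generic finding titles).
CANNED = {
    "job-10.0.0.5": ScanResult("done", [Finding("legacy SMB dialect enabled", 5.3),
                                        Finding("outdated browser", 4.3)]),
    "job-10.0.0.9": ScanResult("done", [Finding("unpatched remote code execution", 9.8),
                                        Finding("weak TLS ciphers", 5.9)]),
    "job-10.0.0.7": ScanResult("running"),
}


if __name__ == "__main__":
    scanner = StubScanner(CANNED)
    for ip, elapsed in [("10.0.0.5", 40), ("10.0.0.9", 40),
                        ("10.0.0.7", 40), ("10.0.0.7", 600), ("10.0.0.99", 0)]:
        job = scanner.start_scan(ip)      # connect event triggers the scan
        print(ip, *evaluate(job, scanner, elapsed))
```

Whether to fail closed is the real decision here: failing open keeps users working when the scanner is down but means an attacker who can stall the scan (or the link to the VA system) gets in unscanned, so the timeout branch should be an explicit, logged choice rather than a default.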
Visibility
• Detection of virtual machines that are located in the wrong zone (e.g. port group)
• Detection of virtual machines that lack an up-to-date version of VMware tools
• Detection of peripheral devices (e.g. a physical USB drive) connected to a virtual machine
• Detection of the hardware associated with each virtual machine
• Detection of the guest operating system running on each virtual machine
[Diagram: CounterACT uses VMware plugins to manage through VMware vCenter Server across several vSphere hosts, and receives mirror traffic from the vSphere Distributed Switch]
[Diagram: core switch joining the virtual environment (server virtualization, virtual desktop infrastructure), endpoints (mobile phone, laptop, PC desktop, printer, VoIP) and thin clients; ForeScout applies separate policies for virtual machines, physical desktops and thin clients]
Web Services API, LDAP, SQL
• Mobility and BYOD are transforming the enterprise
– Mobile device adoption and diversity has exploded
– Enterprise perimeter becoming more open and extended
– Over 60% of employees use a personal device for work [1]
– Capabilities of consumer technology meet or exceed the features of IT-supplied assets
– Employees can purchase and use mobile technology faster than IT adoption cycles
[1] Gartner, "Bring Your Own Device: The Facts and the Future", April 2013, David A. Willis
Secure the Device (Mobile Device Management, MDM)
• Secure configuration
• Enforce passwords
• Control user actions
Secure the Data (MDM + MCM + VDI)
• Manage content & apps
• Protect privacy
• Remote wiping
Secure the Network (Next-Generation Network Access Control, NAC)
• What is on my network?
• Control access
• Enforce security posture
ForeScout CounterACT
• 100% visibility of all mobile devices, including those not yet enrolled in the MDM system
• Prevent unauthorized devices from accessing the network
• More highly automated MDM enrollment process
• Real-time security posture assessment upon network connection
• Unified compliance reporting of all network devices – Windows, Mac, phones, tablets, etc.
MDM enrollment flow (ForeScout CounterACT with MDM)
1. Device connects to network → classify by type → check for mobile agent
2. If agent is missing → quarantine device → install mobile agent (HTTP redirect)
3. Once agent is activated → check compliance → allow policy-based access → continue monitoring
[Diagram: mobile device joining the enterprise network, with CounterACT and the MDM exchanging enrollment state; once enrolled, the device can access the internal server]
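Step 3 ends with "continue monitoring", which is what separates onboarding from a one-time gate: access granted once must be withdrawn when the agent disappears or the posture regresses, and a device that parks in quarantine without ever enrolling should not sit there indefinitely. The Python below is an added example, not CounterACT's MDM integration, that models the three steps as a small state machine with a per-device enrollment deadline and re-evaluation after access is granted; the event names, the enrollment URL, the deadline and the replayed event sequences are assumptions.

```python
"""Mobile onboarding as a state machine with continuous re-evaluation.

Added example, not CounterACT's MDM integration. It encodes the three steps
above (classify, quarantine and enrol, check compliance) as transitions and
keeps evaluating after access is granted, so a device whose agent later
disappears or whose posture regresses is pulled back into quarantine. Event
names, the enrolment URL and the enrolment deadline are assumptions.
"""
from enum import Enum, auto

ENROLL_URL = "https://mdm.example.invalid/enroll"   # assumption: captive redirect target
ENROLL_DEADLINE_S = 3600                            # assumption: one hour to enrol


class S(Enum):
    NEW = auto()
    QUARANTINED = auto()        # limited VLAN; HTTP redirect to enrolment
    CHECKING = auto()           # agent active, compliance check in progress
    ALLOWED = auto()            # policy-based access, still monitored
    BLOCKED = auto()            # never enrolled within the deadline


class MobileDevice:
    def __init__(self, mac: str, now: float):
        self.mac, self.state, self.log = mac, S.NEW, []
        self.quarantined_at = None
        self.last_seen = now

    def _enter(self, state: S, action: str, now: float) -> S:
        if state is S.QUARANTINED and self.state is not S.QUARANTINED:
            self.quarantined_at = now       # start the enrolment clock
        self.state = state
        self.log.append(f"{now:.0f}s {self.mac}: {action}")
        return state

    def handle(self, event: str, now: float) -> S:
        """Apply one observed event; unexpected events never widen access."""
        self.last_seen = now
        st = self.state
        if st is S.NEW and event == "classified:mobile":
            return self._enter(S.QUARANTINED, f"no agent: quarantine, redirect to {ENROLL_URL}", now)
        if st is S.QUARANTINED and event == "agent_active":
            return self._enter(S.CHECKING, "agent activated: run compliance check", now)
        if st is S.CHECKING and event == "compliant":
            return self._enter(S.ALLOWED, "compliant: grant policy-based access", now)
        if st in (S.CHECKING, S.ALLOWED) and event == "noncompliant":
            return self._enter(S.QUARANTINED, "posture failed: quarantine, notify user", now)
        if st is S.ALLOWED and event == "agent_missing":
            return self._enter(S.QUARANTINED, "agent gone: re-quarantine", now)
        if st is S.ALLOWED and event == "compliant":
            return st                       # steady state, nothing to log
        self.log.append(f"{now:.0f}s {self.mac}: ignored '{event}' in {st.name}")
        return st

    def tick(self, now: float) -> S:
        """Periodic check: a device left in quarantine past the deadline is blocked."""
        if self.state is S.QUARANTINED and now - self.quarantined_at > ENROLL_DEADLINE_S:
            return self._enter(S.BLOCKED, "enrolment deadline passed: block", now)
        return self.state


def replay(mac: str, events: list[tuple[float, str]]) -> MobileDevice:
    """Feed timestamped events (constructed sample input) through the machine."""
    dev = MobileDevice(mac, events[0][0] if events else 0.0)
    for t, ev in events:
        dev.tick(t)            # deadline is enforced before the new event is applied
        dev.handle(ev, t)
    return dev


if __name__ == "__main__":
    dev = replay("aa:bb:cc:00:00:02", [(0, "classified:mobile"), (60, "agent_active"),
                                       (70, "compliant"), (5000, "agent_missing")])
    print(dev.state.name, *dev.log, sep="\n")
```

Note that `tick` runs before each event, so an agent that reports in after the deadline finds the device already blocked and its report is ignored; that ordering is what stops a late or replayed "agent_active" from reopening a closed door.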
Device-based control:
• Enterprise app management (distribution, configuration)
• Inventory management
• Device management (app inventory, remote wipe, etc.)
• Policy compliance (jailbreak detection, PIN lock, etc.)
• Secure data containers
Network-based control:
• Guest registration
• Network access control (wireless, wired, VPN)
• Certificate + supplicant provisioning
• Mobile + PC
• Network threat prevention
• Visibility of unmanaged devices
Case study 1: an authentication system for all employees in the organization, covering both wired and wireless networks with a single set of equipment
• Users authenticate via ForeScout
• MAC authentication for executives (a convenience that is weaker than credential-based authentication, since a MAC address can be cloned; it should be paired with the posture checks below)
• Check antivirus compliance (installed/running)
• Send an HTTP notification to machines without antivirus installed
Case study 2: an authentication system plus hardware/software inventory in a single set of equipment
• Implement BYOD
• Users authenticate via ForeScout
• Integrate with the MDM system
• Check endpoint compliance
• Threat prevention
• Publish announcements via HTTP notification
ForeScout Continuous Monitoring and Mitigation
[Diagram: the same environment as the opening slide (corporate resources, endpoints, VMs, non-corporate devices) with the same gaps: antivirus out of date, unauthorized application, agents not installed or not running]
Endpoint Mitigation
Endpoint Authentication & Inspection
Network Enforcement
Information Integration
Continuous Visibility
Fast and easy to deploy
Infrastructure Agnostic
Flexible and Customizable
Agentless and non-disruptive
Scalable, no re-architecting
Works with mixed, legacy environment
Avoid vendor lock-in
Optimized for diversity and BYOD
Supports open integration standards
SUITE OF PACKAGED SOFTWARE INTEGRATION MODULES
• Vulnerability Assessment
• Advanced Threat Detection
• SIEM (bi-directional)
• MDM
• McAfee ePO
• Open (customer development)
FAMILY OF APPLIANCE MANAGERS
A single manager handles up to 5, 10, 25, 50, 100, 150 or 200 ForeScout appliances. Virtual appliances are also available.
FAMILY OF APPLIANCES
A single appliance handles up to 100, 500, 1,000, 2,500, 4,000 or 10,000 endpoints. Virtual appliances are also available.
Choose ForeScout when you need…
• Hardware & Software Inventory
• Network Access Control
• BYOD Security
• Guest Networking
• Endpoint Compliance
• Threat Prevention
Appliance models shown: CT-R, CT-100, CT-1000, CT-2000, CT-4000