DSS ITSEC 2012 ForeScout Technical RIGA
Presentation from Riga, Latvia. "Data Security Solutions" Ltd. ITSEC Conference.

  1. ForeScout Product Overview. Hanan Levin, VP Products, November 2012. © 2012 ForeScout Technologies, Page 1, ForeScout Confidential
  2. How I (almost didn’t) Make It To Riga…
  3. How I (almost didn’t) Make It To Riga… (continued)
  4. ForeScout Product Solutions
     Off-premise endpoints, cloud, network access servers, servers and VMs, endpoints.
     • All users: Corporate, Home workers, Guests, Contractors
     • All locations: Cloud, On-site, Off-site, Off-line
     • All devices: PCs, BYOD, VMs, Rogue
     Accelerate business productivity and connectivity by enabling secure corporate resource access to anyone, anywhere, anytime.
  5. CounterACT Appliance Architecture (diagram: Console, EM, RM, App1, App2, App3)
  6. Device Visibility: How Is It Done?
     • Remote Inspection (RI)
       – Corporate hosts (requires domain credentials)
       – Via WMI or via the “Remote Registry Server” service running on the host
       – Run scripts via WMI or via the ForeScout service (fsprocsvc)
       – File system access
       – Samba
     • SecureConnector
       – Guest users
       – Hosts behind a firewall, and behind a VoIP port (trigger IP bounce post VLAN change)
       – Where there is no domain
     • Device info (used for classification and compliance)
       – Windows OS, registry and file properties
       – AV/P2P/IM/FW
       – Microsoft vulnerabilities
       – Applications installed, services, processes, open ports
       – User and domain information, MAC address and network information
       – Script results
  7. Device Classification: How Is It Done?
     • Cross devices
       – HPS for managed Windows
       – Mac-Linux for managed Macs/Linux
       – MDM (plugins and integration) for managed iOS/Android
       – Switch/Wireless plugins for configured devices
     • Switch Plugin
       – VoIP devices (CDP)
     • Wireless Plugin
       – User-Agent via SNMP
     • DHCP Plugin
       – DHCP request fingerprint
     • HPS Plugin
       – NMAP OS fingerprint scan
       – NMAP banner scan
     • Packet Engine
       – Passive fingerprint
       – Browser HTTP User-Agent
       – DHCP traffic
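Two of the passive classification inputs named on slide 7 (the DHCP request fingerprint and the browser HTTP User-Agent) are shown below as a worked example. This is added example code, not ForeScout's implementation: the DHCP option parser follows RFC 2132, but the fingerprint table, the User-Agent rules and the sample DHCPDISCOVER message are constructed for the demo and are not a production signature database.

```python
"""Passive device classification from DHCP and HTTP User-Agent evidence.

Added example, not ForeScout code. The fingerprint table, the User-Agent
rules and the sample packet are constructed for this demo.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed lookup table: DHCP option 55 (parameter request list) -> label.
# A real deployment uses a maintained signature database; these are illustrative.
DHCP_FINGERPRINTS: Dict[Tuple[int, ...], str] = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "Windows (illustrative)",
    (1, 121, 3, 6, 15, 119, 252): "Apple iOS/macOS (illustrative)",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android (illustrative)",
}

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the 236-byte BOOTP header
OPT_PARAM_REQUEST_LIST = 55
OPT_VENDOR_CLASS = 60


def parse_dhcp_options(message: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area of a DHCP message (RFC 2132).

    Raises ValueError on a non-DHCP or truncated message so that garbage is
    never silently classified."""
    if len(message) < 240 or message[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(message):
        code = message[i]
        if code == 0:          # pad byte: no length field
            i += 1
            continue
        if code == 255:        # end marker
            break
        if i + 1 >= len(message):
            raise ValueError("truncated option header")
        length = message[i + 1]
        value = message[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value  # a repeated option code overwrites the earlier value
        i += 2 + length
    return options


def classify_dhcp(message: bytes) -> str:
    """Classify a device from its DHCP parameter request list (option 55)."""
    options = parse_dhcp_options(message)
    prl = tuple(options.get(OPT_PARAM_REQUEST_LIST, b""))
    if not prl:
        return "unknown (no parameter request list)"
    label = DHCP_FINGERPRINTS.get(prl)
    if label is None:
        vendor = options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
        detail = ", vendor class %r" % vendor if vendor else ""
        return "unknown (unmatched fingerprint%s)" % detail
    return label


# Ordered rules for browser User-Agent strings. Order matters: an Android UA
# also contains "Linux", and an iPad UA mentions "Mac OS X".
UA_RULES = [
    (re.compile(r"\b(iPhone|iPad|iPod)\b"), "iOS"),
    (re.compile(r"\bAndroid\b"), "Android"),
    (re.compile(r"\bWindows NT\b"), "Windows"),
    (re.compile(r"\bMacintosh\b"), "macOS"),
    (re.compile(r"\bLinux\b"), "Linux"),
]


def classify_user_agent(user_agent: str) -> str:
    """Coarse OS classification from an HTTP User-Agent header value."""
    for pattern, label in UA_RULES:
        if pattern.search(user_agent):
            return label
    return "unknown"


def build_dhcp_discover(prl: Tuple[int, ...], vendor_class: Optional[bytes] = None) -> bytes:
    """Construct a minimal DHCPDISCOVER as sample input (constructed, not a capture)."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * 232   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
    opts = bytes([53, 1, 1])                        # option 53: message type DHCPDISCOVER
    opts += bytes([OPT_PARAM_REQUEST_LIST, len(prl)]) + bytes(prl)
    if vendor_class:
        opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    return header + DHCP_MAGIC + opts + b"\xff"


if __name__ == "__main__":
    pkt = build_dhcp_discover((1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252), b"MSFT 5.0")
    print(classify_dhcp(pkt))
    print(classify_user_agent("Mozilla/5.0 (Linux; U; Android 2.3.6; en-us) AppleWebKit/533.1"))
```

Both signals are passive and spoofable, which is why the slide lists them alongside active checks (NMAP scans, managed-host inspection): a classification taken from DHCP or a User-Agent is a starting point for a policy decision, not proof of device type.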
  8. Device Remediation
     • Remediate devices
       – Kill P2P/IM/processes
       – Fix AV: start and update
       – Run script
       – Install MS patches
       – Disable dual-homed
       – Block external devices
       – Set registry
  9. CounterACT Integration Platform
     • SIEM
       – CEF support
       – CounterACT sends endpoint intelligence
       – CounterACT assures logging
       – SIEM triggers CounterACT mitigation, isolation and blocking
     • MDM
       – Unified visibility
       – Auto-enrollment
       – Policy check on admission
       – Access based on security posture
       – Network resource restriction
     • WAP
       – Detection, OS classification
       – Role-based assignment
       – BYOD / guest access control
       – WLAN quarantine enforcement
     • VA
       – Real-time scan
       – Complete scan
       – Import VA results
       – CounterACT remediation and granular processes
  10. CounterACT Integration Platform (diagram: NAC Policy Engine connected to Windows (WSUS, SCCM), Mac, Linux, iOS, Android, Directory, Database, MDM, Switch, VPN, Wi-Fi, SIEM, VA, Antivirus)
  11. Database / Directory Integration
     • Business intelligence via data integration module
       – Inventory and policy driven by extensive information taken from databases and directories: track changes in business app data; make policy decisions/actions upon business contextual data
       – Push real-time network and endpoint data to business apps
       – Flexible integration using custom queries
     • Usage examples
       – Validate user profile and rights (Corporate, BYOD, Guest, Contractor)
       – Identify non-managed and non-accounted-for devices (by MAC, user, S/N, etc.)
  12. Introducing CounterACT Version 7
  13. Tactical Map: At-a-Glance Global Overview. Powered by Google Maps.
  14. Tactical Map: Per-Site Compliance View. Drill down to site status information.
  15. Tactical Map: Locate, Alert, Mitigate. Real-time alert, locate and mitigate in seconds.
  16. Tactical Map: Your Network Like Never Seen Before
     • A new way to look at, and manage, global sites
       – At-a-glance status of the entire global site
       – Draw admin attention to compliance issues
       – Surface alerts
     • Easier to scale
       – Quick tracking of globally distributed site status
     • Easy, one-time setup
       – Define locations and assign them to segments
     • Customized view
       – Tune alert thresholds
       – Google Maps tools: satellite view, navigation, zoom
     • Executive management tool
  17. Tactical Map: Usage
     1. Track overall compliance level with corporate policies
       – Set compliance thresholds: compliance policies, unmanaged hosts, malicious hosts
       – Identify sites not meeting the compliance level
       – Drill down to non-compliant hosts
       – Remediate hosts to become compliant
     2. Locate policy results per site
       – Select a policy in the policy tree
       – Map is filtered per selected policy: only sites with hosts matching the policy are shown
       – Table shows all matching hosts
     3. Search for specific hosts
       – Using the search bar, policies and filter selection
       – Sites with hosts matching the search/filter are shown with bigger circles
       – Table shows all matching hosts
     4. Send tactical map to CIO
  18. Real-time Inventory: Hardware
  19. Real-time Inventory: Hardware
     • Collect detailed device hardware information
       – Such as serial numbers, CPU types, media devices and more
     • Usage examples
       – Validate user profile and rights (Corporate, BYOD, Guest, Contractor)
       – Identify non-managed and non-accounted-for devices (by MAC, user, S/N, etc.)
       – Verify valid certificate: identify expired/revoked MS machine-based X.509 certificates
  20. Real-Time Inspection
     • SecureConnector: Polling Mode
       – Host rechecked depending on policy: admissions, recheck periods
       – Limitations: changes not reflected in real time; to achieve real time, users tend to reduce the re-check period, resulting in slower CounterACT performance; SC generates extensive traffic
     • SecureConnector: Event Driven (new)
       – No need to poll hosts: no need for host rechecks, not depending on admission rechecks
       – Changes monitored in real time: SC reports immediately to CounterACT; CounterACT displays a real-time picture
       – More economical SC inspection: lower bandwidth consumption/footprint; higher HPS and CounterACT performance
     • Usage examples
       – User stops antivirus => host status changes immediately to “not-compliant”
       – User starts P2P/IM => host status changes immediately to “not-compliant”
       – New process started, application installed => inventory display updated
  21. Flexible Containment and Mitigation Options
     • DNS enforcement
       – Enable secure corporate, BYOD and guest access on remote sites with no appliances
       – Redirect connecting users to an access portal
       – Extend deployment scenario flexibility (e.g. multiple sites without IT teams)
     • WAP VLAN quarantine
       – SSID VLAN quarantine across WAP vendors using MAB & RADIUS (e.g. Cisco, Aruba)
       – WAP enabled for MAB and set to authenticate against the CounterACT built-in RADIUS
       – Brocade WAP integration
     • Dual-homed detection and protection
       – Detect hosts with more than one active network interface, acting as a bridge between trusted and untrusted networks
       – Auto-disable the network adapter (e.g. rogue WiFi connection, LAN network card, 3G adapter)
       – Auto re-enable the adapter once the host is disconnected from the trusted network
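The dual-homed detection and protection logic on slide 21 can be modelled as a small policy check over a host's interface inventory. The code below is an added example, not ForeScout's implementation: the `Host`/`Interface` records, the trusted address ranges and the sample hosts are constructed for the demo, and the "disable / re-enable adapter" decisions are returned as a plan rather than applied to a real NIC.

```python
"""Dual-homed host detection and adapter containment decisions.

Added example, not ForeScout code. A host with more than one active,
routable interface, one inside the trusted network and one outside it,
is treated as a potential bridge. All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Interface:
    name: str
    up: bool
    ipv4: Optional[str] = None   # address in CIDR form, e.g. "10.1.2.3/24"


@dataclass
class Host:
    hostname: str
    interfaces: List[Interface] = field(default_factory=list)


# Constructed policy: the ranges the organisation treats as its trusted network.
# Note that 172.16.5.0/24 is private (RFC 1918) yet deliberately NOT trusted here;
# trust is a policy decision, not an address-class property.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.100.0/24")]


def _usable(iface: Interface) -> bool:
    """Only interfaces that are up and hold a routable address can act as a bridge."""
    if not iface.up or not iface.ipv4:
        return False
    ip = ipaddress.ip_interface(iface.ipv4).ip
    return not (ip.is_loopback or ip.is_link_local)


def _is_trusted(iface: Interface, trusted) -> bool:
    ip = ipaddress.ip_interface(iface.ipv4).ip
    return any(ip in net for net in trusted)


def detect_dual_homed(host: Host, trusted=TRUSTED_NETWORKS) -> Optional[Dict]:
    """Return a finding when the host has active interfaces on both sides of the trust boundary."""
    active = [i for i in host.interfaces if _usable(i)]
    trusted_ifs = [i.name for i in active if _is_trusted(i, trusted)]
    untrusted_ifs = [i.name for i in active if not _is_trusted(i, trusted)]
    if trusted_ifs and untrusted_ifs:
        return {"host": host.hostname, "trusted": trusted_ifs, "untrusted": untrusted_ifs}
    return None


def plan_adapter_actions(host: Host, disabled_by_policy: Set[str],
                         trusted=TRUSTED_NETWORKS) -> Dict[str, List[str]]:
    """Decide which adapters to disable now and which previously disabled ones to re-enable.

    disabled_by_policy is the set of adapter names this policy disabled earlier on
    the host (state the caller persists between evaluations)."""
    finding = detect_dual_homed(host, trusted)
    if finding:
        # Bridging detected: cut the untrusted side, keep the corporate connection.
        return {"disable": finding["untrusted"], "enable": []}
    on_trusted = any(_usable(i) and _is_trusted(i, trusted) for i in host.interfaces)
    if not on_trusted and disabled_by_policy:
        # Host left the trusted network: give the user their adapter back.
        return {"disable": [], "enable": sorted(disabled_by_policy)}
    return {"disable": [], "enable": []}


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("laptop-17", [Interface("eth0", True, "10.20.30.40/24"),
                       Interface("wlan0", True, "172.16.5.9/24"),
                       Interface("lo", True, "127.0.0.1/8")]),
    Host("desk-03", [Interface("eth0", True, "10.20.30.41/24"),
                     Interface("wlan0", False, "172.16.5.10/24")]),
    Host("kiosk-2", [Interface("eth0", True, "10.20.30.42/24"),
                     Interface("usb0", True, "169.254.3.3/16")]),
]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h.hostname, detect_dual_homed(h), plan_adapter_actions(h, set()))
```

The loopback and link-local exclusions matter in practice: without them every host "has two interfaces" and a self-assigned 169.254.x.x address on an idle adapter would trigger containment. Equally, the disabled-adapter state must be kept by the policy engine, otherwise the re-enable step on the slide cannot be carried out once the host goes off-site.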
  22. ForeScout CounterACT 2012 Summary. CounterACT 7.0 released Nov 15th, 2012.
     • Policy
       – Business intelligence leveraging external sources
       – MDM, SIEM, WAP and VA integration extended
       – Windows machine certificate assurance
     • Baseline
       – Tactical map
       – Hardware inventory
     • Access Control
       – Best-of-breed 802.1X: troubleshooting, remediation, policy, rollout, plug & play
       – Built-in RADIUS server
     • Monitor, Mitigation & Containment
       – Real-time, event-driven inspection
       – DNS enforcement
       – WAP VLAN quarantine
       – Dual-homed detection & protection
     • Guest & Profiling
       – BYOD profiling template, out of the box
       – Device registration (BYOD, contractor PC)
       – Sponsor pre-registration of guests
       – Limit guest access time period
     • Scalability
       – CT-10,000, VCT-10,000
       – Scaled-up Enterprise Manager
       – VM compatibility: VM-tools, MS Hyper-V
  23. ForeScout Mobile. ForeScout MDM.
  24. BYOD: Gap in Corporate Security. Employees bringing their own devices.
  25. ForeScout Mobile Security: Flexible approach for BYOD
     • Unifies security policy management
       – Centralized visibility and enforcement
       – All managed and personal devices
     • Dual protection
       – Network: real-time visibility, control access, block threats
       – Device: compliance, remote wipe/lock, applications, data
     • Choice of functionality
       1. ForeScout CounterACT: basic mobile device visibility and network protection
       2. ForeScout Mobile Security Module: extends visibility & control (iOS / Android)
       3. ForeScout Mobile Integration Module: third-party MDM integration
       4. ForeScout MDM: complete, cloud-based enterprise mobile device management
  26. ForeScout Mobile Security for Android and iOS
     • CounterACT Mobile plugin
       – Installed on CounterACT
       – Integrated with CounterACT console, policy, inventory and reporting
     • Mobile App
       – Android app (apk) for Android 2.x devices
       – Apple iPhone and iPad: iOS app
       – Leverages Apple MDM and Live Push technologies
     Screenshots: Corp Login, Guest Reg., Browser Hijack, Profile Rec’d, Profile Install, Ready
  27. ForeScout Mobile
     • ForeScout Mobile Security Module
       – Mobile device inspection
       – Corp/BYOD/Guest access control
       – Mobile compliance and remediation
       – Device configuration and restrictions
       – Supports iOS and Android
       – iOS jailbreak detection
       – Remote wipe/lock/reset password
       – Coming soon: manage/control off-site mobile devices
     • ForeScout Mobile Integration Module
       – Fiberlink
       – SAP/Afaria
       – MobileIron
       – Coming soon: AirWatch, Zenprise, Good, Boxtone, Win Mobile, Blackberry
  28. ForeScout Mobile: iOS Architecture (diagram: Mobile Cloud (APNS), Unsecured Network, Guest Network, Production BYOD Corp Network)
     – User connects to an unsecured WiFi network
     – User hijacked: authenticated and classified (AD/RADIUS, DB)
     – BYOD/Corp MDM profile set on the mobile device
     – User allowed access to the production network
     – Mobile device checked for compliance (via MDM)
     – Install mobile apps: notifications, corporate proprietary
  29. ForeScout MDM: Cloud, Device, Network. Hybrid cloud and on-premise mobile security (diagram: Apple iOS MDM API, Android Agent, ForeScout MDM Cloud powered by MaaS360, Extenders for BlackBerry, Symbian, Windows and webOS, ForeScout MDM Console, ForeScout CounterACT)
  30. Thank You