
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)


Network Access Control is used to control access to enterprise networks. Mobile Device Management is used to manage and secure mobile devices. Put them together and your customers can set network access policies based on knowledge of the device - the Power of Two!

ForeScout is a global leader in NAC. MobileIron is a global leader in MDM/MCM/MAM and Secure Mobile IT.

Published in: Technology

  1. © 2012 ForeScout Technologies. Ed Buffone, Sr. Director WW Business Development. Automated Security Control, August 2013.
  2. About ForeScout. ForeScout is the leading global provider of pervasive network security solutions for Global 2000 enterprises and government organizations.
     • Market Leadership: Independent Network Access Control (NAC) market leader* **
     • Foundation: Cupertino HQ, 195 employees; 200+ global channel partners
     • Enterprise Deployments: 1400+ global implementations; financial services, government, healthcare, manufacturing, retail, education…
     *Magic Quadrant for Network Access Control, December 2012, Gartner Inc. **NAC Competitive Landscape, April 2013, Frost & Sullivan
  3. Top IT Management Concerns (chart; source: Infoworld / Forrester)
  4. Gartner Recommendations
  5. The Enterprise Challenge: Balance Access Agility With Security
     • Access Agility (employees, guests, contractors; smartphones and personal devices; wireless, wired, VPN) requires real-time, comprehensive visibility
     • Security (data loss; zero-day attacks and malware; endpoint integrity; regulations and compliance) requires real-time, automated controls
  6. Limited Visibility Means Security Gaps. Visible (endpoints, network devices, applications, corporate resources, users): protection possible. Not visible (non-corporate, unknown): no protection possible. Typical gaps: antivirus out of date… unwanted application… encryption/DLP agent not installed…
  7. Control Automation Advantages (chart of control costs, OpEx and CapEx, against control coverage, risk management, with and without ForeScout). “The financial institution selected ForeScout CounterACT [and] was able to save over $1,000,000 per year in endpoint support costs... The automation achieved via ForeScout CounterACT reduces help desk call volume, initiates fewer job tickets for software maintenance workflows, causes fewer image refreshes, and increases user productivity.” Continuous Endpoint Compliance: An Ogren Group Special Report, April 2011
  8. ForeScout CounterACT Platform. ForeScout Real-time Security Platform: interoperable, scalable, agentless, knowledgebase, unique network presence, extensible.
     • Network Access Control: register guests; block unauthorized users and devices; limit access
     • Endpoint Compliance: real-time device intelligence; find and fix security gaps; enforce policies
     • Mobile Security: enable BYOD; secure device, app and data use; integrate with wireless and MDM
     • Threat Prevention: block intrusions; detect infected machines; stop targeted attacks
  9. ForeScout CounterACT Functions (diagram: Email, CRM, Web, Guest, User, Sales)
     • Real-time Network Asset Intelligence: device type, owner, location; security posture, applications
     • Network Access Control: block, allow, limit network access; register guests
     • Automated Endpoint Enforcement: remediate OS, configuration, security agents; start/stop applications, disable peripherals; block worms, zero-day attacks, unwanted apps
  10. ForeScout Security Policy Engine: advanced security and operational integration with switch, VPN, Wi-Fi, directory, database, SIEM, Windows (WSUS, SCCM), Mac, Linux, iOS, Android, MDM, antivirus, VA
  11. Gartner Recommendations. “Combine NAC and mobile device management (MDM) to enforce policies in a BYOD environment. Personally owned devices that are not managed by MDM agents should be limited to Internet access only, or placed in a limited access zone where they can access a subset of applications and network resources as per user/group role.”1 “The network security team should be part of the overall project team that defines how BYOD will be supported. NAC should be an integral component of the overall architecture, so that the network has the ability to restrict access to devices that are noncompliant with BYOD policies.”2 1 Gartner, “Securing BYOD With Network Access Control, a Case Study”, 29 August 2012, Lawrence Orans. 2 Gartner, “Getting Your Network Ready for BYOD”, 28 September 2012, Lawrence Orans.
  12. MDM Integration
  13. The Benefits of ForeScout-MobileIron Integration: Automated Registration (diagram: ForeScout CounterACT, Your Enterprise Network)
     – Device connects to network: classify type; check for mobile agent
     – If agent is missing: quarantine; install agent
     – When agent is activated: check compliance; allow access; continue monitoring
  14. Automated MDM Enrollment
     • Without ForeScout (manual effort): user contacts help desk; help desk asks questions, determines device type and ownership; help desk denies request or sends user appropriate MDM enrollment information; help desk asks networking team to set a policy exception allowing Internet access to get the MDM app; user enrolls device in MDM; help desk asks networking team to reset the policy exception; device accesses network
     • With ForeScout (automation): ForeScout discovers and categorizes device, authenticates user; ForeScout automates MDM enrollment decision and provides information to user; user enrolls device in MDM; device accesses network
  15. The Benefits of ForeScout-MobileIron Integration: On-access Compliance Assessment (diagram: ForeScout CounterACT, Your Enterprise Network)
     – Device connects to network
     – ForeScout asks MobileIron to provide real-time compliance assessment
     – If device is not compliant, CounterACT blocks device and sends message to end user
     – End user corrects the problem on his mobile device
     – MobileIron confirms compliance, then ForeScout allows the device onto the network
  16. MDM + NAC = complete BYOD security
     • Device-based control (MDM): secure mobile app management (distribution, config.); inventory management; mobile device management (app inventory, remote wipe, etc.); policy compliance (jailbreak detection, PIN lock, etc.); secure data and content
     • Network-based control (NAC): guest registration; network access control (wireless, wired, VPN); cert + supplicant provisioning; mobile + PC; network threat prevention; visibility of unmanaged devices
  17. MDM + NAC: 1 + 1 = 3. NAC focus is the network; MDM focus is the mobile device.
     • Visibility: MDM alone, full info on managed mobile devices only; NAC alone, basic info on managed and unmanaged devices; MDM + NAC, complete
     • Network access control: MDM alone, none; NAC alone, full; MDM + NAC, complete
     • Compliance: MDM alone, mobile devices; NAC alone, PCs, Mac, Linux; MDM + NAC, complete
     • Deploy agent: MDM alone, pre-registration; NAC alone, network based; MDM + NAC, both
  18. Unified Compliance Reports
  19. How CounterACT Works: deploy at the core; out of band; clientless; one appliance
  20. End-To-End Security Automation
  21. See, Grant, Fix, Protect: See. What type of device? Who owns it? Who is logged in? What applications?
  22. See, Grant, Fix, Protect
  23. See, Grant, Fix, Protect: Grant. Grant access; register guests; block access; restrict access
  24. See, Grant, Fix, Protect (diagram: Email, CRM, Web, Guest, Employee, Guest, Sales)
  25. See, Grant, Fix, Protect: Fix. Remediate OS; fix security agents; fix configuration; start/stop applications; disable peripheral
  26. See, Grant, Fix, Protect
  27. See, Grant, Fix, Protect: Protect. Detect unexpected behavior; block insider attack; block worms; block intrusions
  28. See, Grant, Fix, Protect: enforcement actions
     • Restrict Access: deploy a virtual firewall around an infected or non-compliant device; reassign the device into a VLAN with restricted access; update access lists (ACLs) on switches, firewalls and routers to restrict access; automatically move device to a pre-configured guest network
     • Alert & Remediate: open trouble ticket; send email notification; SNMP traps; syslog; HTTP browser hijack; auditable end-user acknowledgement; self-remediation; integrate with SMS, WSUS, SCCM, Lumension, BigFix
     • Move & Disable: reassign device from production VLAN to quarantine VLAN; block access with 802.1X; alter login credentials to block access; block access with device authentication; turn off switch port (802.1X or SNMP); terminate unauthorized applications; disable peripheral device
  29. See, Grant, Fix, Protect
  30. Automated Security Benefits (each function is rated against Improve Security, Save Time or Money, and Improve Productivity): detect and control personal devices; provision guest network access; endpoint compliance and remediation; block zero-day attacks with 100% accuracy; real-time compliance and inventory reports; enforce usage policies (apps, devices, …); quarantine rogue devices; real-time visibility
  31. IT NAC Case Study: large bank, well over 150,000 endpoints under NAC management
     • Business Problem: no real-time network intelligence (who/where/what endpoints, users and rogue APs are connected on the corporate network?); what percentage of endpoints and network devices are compliant with the company’s security policy?; no centralized visibility of enterprise-wide threat activity and compliance reporting per LOB; no way to quickly and easily remediate non-compliant endpoints and wireless access points (too manual and too late); no control over corrupted, inactive or non-existent endpoint configuration, security and compliance agents
     • SIEM: executive dashboards with enterprise threat visibility; enterprise-wide event correlation; on-demand compliance reporting per LOB
     • NAC: real-time visibility of all users / devices / apps / rogue devices; asset profiles, access, violations and actions sent to SIEM; automated remediation of endpoint security and config. agents; works with existing infrastructure and endpoint protection products
     • Benefits: enterprise threat visibility; reduced business risk; more responsive security; operational efficiency; automated remediation; endpoint compliance; demonstrable GRC gain
     • What’s Next: expand global deployment; mobile security; more remediation policies; add business intelligence
  32. Why Customers Choose ForeScout
     • Easy to deploy: clientless; no infrastructure changes; everything in a single appliance
     • Rapid time to value: complete visibility in hours or days
     • 100% coverage (no blind spots): users, devices, systems, VMs, apps
     • Extensive range of automated controls: transparent, gentle, or aggressive
     • Works with every network without costly upgrades
  33. Customer Testimonial. Anthony Maciel, Director, Technology Support Services, Golden West College: “Literally, an hour after dropping a ForeScout appliance on our network – Bang! I could see everything that was going on.” “ForeScout CounterACT solved our data security problems perfectly. It gives us 100% visibility and control.” Todd Frazier, Systems Administrator, Culpeper County Government. “ForeScout was simple – one box, one day to install ... and agentless operation. It met all our needs, and we had to make no changes to our network. That’s why we chose ForeScout – simple, cost effective, easy to use.” John Shields, Sr. Vice President and CTO, Patelco Credit Union
  34. Thank You. *This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner, Inc. "Magic Quadrant for Network Access Control," Report G002129752, December 3, 2012, Lawrence Orans, John Pescatore.
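The admission flow on slides 13 to 15 (classify the device, check MDM enrollment, quarantine to enroll, block with a user message when non-compliant, allow and keep monitoring) is easy to get wrong in one detail: a device that is unknown to the MDM must be treated like an unenrolled one, not waved through. The toy policy engine below is an added example and is not ForeScout, CounterACT or MobileIron code. The MDM inventory is a constructed in-memory stand-in for the real-time compliance query the slides describe, and every MAC address, user name and VLAN name is made up. The enforcement outcomes are a subset of the action menu on slide 28 (quarantine VLAN, guest network, block).

```python
# Added example (not ForeScout or MobileIron code): a toy NAC admission policy
# following the flow on slides 13-15, choosing actions from the slide-28 menu.
# The MDM inventory is a constructed stand-in for a live MDM compliance query;
# all MACs, users and VLAN names are made up.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple


class Action(Enum):
    GUEST_REGISTER = "guest_register"   # unauthenticated user: guest network
    QUARANTINE_ENROLL = "quarantine"    # enrollment VLAN: Internet + MDM portal only
    BLOCK_NOTIFY = "block"              # blocked, user told what to fix
    ALLOW = "allow"                     # production VLAN, keep monitoring
    PC_COMPLIANCE_PATH = "pc_path"      # non-mobile: hand off to the PC compliance policy


@dataclass(frozen=True)
class Device:
    mac: str
    device_type: str         # result of the classification step: "mobile", "pc", ...
    user: Optional[str]      # authenticated user, None if authentication failed


@dataclass(frozen=True)
class MdmRecord:
    enrolled: bool
    compliant: bool
    violations: Tuple[str, ...]   # e.g. ("jailbroken", "no_pin_lock")


@dataclass(frozen=True)
class Decision:
    action: Action
    vlan: str
    user_message: str


PRODUCTION_VLAN = "vlan-100-corp"      # constructed VLAN names
ENROLL_VLAN = "vlan-900-enroll"
GUEST_VLAN = "vlan-800-guest"
BLOCK_VLAN = "vlan-999-blocked"

# Constructed MDM inventory standing in for a real-time MobileIron query.
MDM_INVENTORY = {
    "aa:bb:cc:00:00:01": MdmRecord(True, True, ()),
    "aa:bb:cc:00:00:02": MdmRecord(True, False, ("jailbroken", "no_pin_lock")),
    "aa:bb:cc:00:00:03": MdmRecord(False, False, ()),   # seen by MDM, never finished enrolling
}


def mdm_lookup(mac: str) -> Optional[MdmRecord]:
    """Stand-in for asking the MDM for a device's current compliance state."""
    return MDM_INVENTORY.get(mac)


def evaluate(device: Device,
             lookup: Callable[[str], Optional[MdmRecord]] = mdm_lookup) -> Decision:
    """Decide what to do with a device the moment it connects."""
    # 1. Unauthenticated users go to guest registration, whatever the device.
    if device.user is None:
        return Decision(Action.GUEST_REGISTER, GUEST_VLAN,
                        "Register as a guest to get Internet access.")
    # 2. Only mobile devices take the MDM path; PCs have their own compliance policy.
    if device.device_type != "mobile":
        return Decision(Action.PC_COMPLIANCE_PATH, "",
                        "Handed off to the endpoint compliance policy (not modelled here).")
    # 3. Ask the MDM. Unknown to the MDM, or never enrolled: quarantine with just
    #    enough access to fetch the agent (the automated form of the help-desk
    #    "policy exception" on slide 14). Failing closed here means a device that
    #    merely claims to be enrolled still does not reach the production VLAN.
    record = lookup(device.mac)
    if record is None or not record.enrolled:
        return Decision(Action.QUARANTINE_ENROLL, ENROLL_VLAN,
                        "Enroll this device in MDM to get network access.")
    # 4. Enrolled but non-compliant: block and tell the user what to fix.
    if not record.compliant:
        return Decision(Action.BLOCK_NOTIFY, BLOCK_VLAN,
                        "Blocked until fixed: " + ", ".join(record.violations))
    # 5. Enrolled and compliant: production VLAN.
    return Decision(Action.ALLOW, PRODUCTION_VLAN, "")


def reassess(device: Device, previous: Decision,
             lookup: Callable[[str], Optional[MdmRecord]] = mdm_lookup) -> Optional[Decision]:
    """Continuous monitoring: re-run the policy and return a new Decision only
    when the action changed (e.g. the MDM now reports the device compliant)."""
    current = evaluate(device, lookup)
    return current if current.action is not previous.action else None


if __name__ == "__main__":
    for mac, user in [("aa:bb:cc:00:00:01", "alice"), ("aa:bb:cc:00:00:02", "bob"),
                      ("aa:bb:cc:00:00:ff", "carol"), ("aa:bb:cc:00:00:01", None)]:
        d = evaluate(Device(mac, "mobile", user))
        print(f"{mac} {str(user):6} -> {d.action.value:15} {d.vlan:16} {d.user_message}")
```

`reassess` is the "continue monitoring" step from slide 13: the same policy is re-run on a fresh MDM answer and only a changed outcome is acted on, which is what lets a blocked device come back once MobileIron confirms the fix (slide 15).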