Risk assessment for the workplace: employees, contractors, visitors, BYOD?
You can now watch the full #jornadanextelxvi talks on Risk Management (#Gestión del #Riesgo #riskmanagement) http://www.nextel.es/jornadanextelxvi
10. • Visibility of all devices
• Block unauthorized devices from the network
• Automated onboarding
– Detect device
– Detect user
– Detect compliance
• Flexible policy controls
– Block, limit, allow
– Register guests
ForeScout
11. *Magic Quadrant for Network Access Control, December 2013, Gartner Inc.
*This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner, Inc. "Magic Quadrant for Network Access Control," Report G00249599, December 12, 2013, Lawrence Orans.
**Frost & Sullivan 2013 report NC91-74, "Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth", chart base year 2012.
**NAC Competitive Landscape, April 2013, Frost & Sullivan
12-14. (one slide, built up over three clicks)
• Fast and easy to deploy
– Agentless and non-disruptive
– Scalable, no re-architecting
• Infrastructure agnostic
– Works with mixed, legacy environment
– Avoid vendor lock-in
• Flexible and customizable
– Optimized for diversity and BYOD
– Supports open integration standards
15. • Visibility (discovery and classification) (device type and ownership)
• Network access control (allow, limit, block)
• Endpoint compliance management
– Assess security posture
– Remediate
• BYOD enablement
• Guest networking (register, approve, provision)
• Continuous monitoring and mitigation (ControlFabric)
– SIEM, ATD, VA, ePO (HBSS), MDM, vCenter, home-grown integrations
• Threat prevention (ActiveResponse™)
16. Function (the slide scores each function against three columns: Improve Security, Save Time or Money, Improve Productivity)
• Detect and control personal devices
• Provision guest network access
• Endpoint compliance and remediation
• Block zero-day attacks with 100% accuracy
• Real-time compliance and inventory reports
• Enforce usage policies (apps, devices, …)
• Quarantine rogue devices
• Real-time visibility
24. • Multiple detection methods
– CounterACT polls switches for the list of devices that are connected
– Switch sends an SNMP trap to CounterACT
– Switch sends an 802.1X request to a RADIUS server, which CounterACT monitors
– CounterACT monitors DHCP requests and will see that a new host has requested an IP address
– CounterACT monitors a network SPAN port and sees interesting network traffic such as HTTP traffic
25. • Passive methods
– Monitor DHCP traffic
– Monitor HTTP traffic
– Monitor banners
• Active methods
– Run an NMAP scan on the device
– Deploy the SecureConnector agent
– Use administrative privileges on the endpoint to run a scan on the endpoint
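The passive DHCP method from slides 24 and 25, as an added illustration that is not ForeScout code: a monitor that parses a DHCP client message (BOOTP header plus options), flags a MAC it has not seen before as a new host, and makes a coarse OS guess from the vendor class identifier. The `build_dhcp` helper and the prefix table in `classify` are constructed for the example; a real deployment would feed captured UDP/67 payloads from a SPAN port instead.

```python
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

@dataclass
class DhcpObservation:
    mac: str
    msg_type: str
    hostname: str
    vendor_class: str
    param_request_list: tuple

def parse_dhcp(payload: bytes) -> DhcpObservation:
    """Pull identifying fields out of one DHCP client message (BOOTP header + options)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + payload[2]])  # chaddr, hlen bytes long
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end-of-options
        if payload[i] == 0:                              # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpObservation(
        mac=mac,
        msg_type=MSG_TYPES.get((opts.get(53) or b"\0")[0], "OTHER"),
        hostname=opts.get(12, b"").decode(errors="replace"),
        vendor_class=opts.get(60, b"").decode(errors="replace"),
        param_request_list=tuple(opts.get(55, b"")),   # option 55 order is a classic OS fingerprint
    )

def classify(obs: DhcpObservation) -> str:
    """Coarse OS guess from the vendor class identifier (option 60); hypothetical prefix table."""
    vc = obs.vendor_class.lower()
    for prefix, label in (("msft", "Windows"), ("android-dhcp", "Android"), ("dhcpcd", "Linux/BSD")):
        if vc.startswith(prefix):
            return label
    return "Unknown"

class EndpointInventory:
    """MACs seen on the segment; a first-time MAC is the 'new host requested an IP' signal."""
    def __init__(self):
        self.known = {}
    def observe(self, payload: bytes):
        obs = parse_dhcp(payload)
        is_new = obs.mac not in self.known
        self.known[obs.mac] = obs
        return is_new, obs

def build_dhcp(mac: bytes, msg_type: int, hostname: str, vendor: str, prl: bytes) -> bytes:
    """Construct a minimal DHCP client packet; only used to fabricate sample input offline."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(mac), 0, 0x1234, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac, b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, msg_type]) + bytes([12, len(hostname)]) + hostname.encode()
               + bytes([60, len(vendor)]) + vendor.encode() + bytes([55, len(prl)]) + prl + b"\xff")
    return header + DHCP_MAGIC + options
```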
26. • Device
– Type of device
– Manufacturer
– Location
– Connection type
– RAM
– Network adapter
– Authentication
– MAC and IP address
• Applications
– Installed
– Running
– Version number
– Registry values
– File sizes
27. Visibility, Management and Control matrix (columns: Visibility, Management, Control; one row per layer)
Physical Layer: Switch, port, VLAN; Geographic location; Number of devices on port; Role-based access; Policy-based firewall; VPN status; Port control (802.1X, SNMP); ACL; VLAN
Device / Peripherals: IP address, MAC address; VoIP phone; USB peripherals; Inventory management; Device-based policy; Data loss prevention; Shutdown, disable port; Multi-home blocking; 3G modem blocking
Operating Systems: OS fingerprint (patch level); Compliance reporting; Processes / services running; Vulnerability awareness; Patch management; Antivirus updates; Process blocking; Registry locking; Kill a process
Applications: Application installed/running; Registry values; Compliance reporting; Application whitelist; Software remediation; Application licensing; Application blocking; Application enforcement
User Information: User name; Authentication status; Group membership; Role-based policy; Multiple guest policies; Guest access / registration; User authentication events
User Behavior: Policy violations; Audited responses; Trouble ticket requests; User notification; User "signed" acceptance; Self-remediation; Worm quarantine; User hacking prevention; Segmented access
29. Remediation actions, ordered from modest to strong; the slide groups them under Alert & Remediate, Limit Access, and Move & Disable
• Open trouble ticket
• Send email notification
• SNMP traps
• Start application
• Run script to install application
• Auditable end-user acknowledgement
• HTTP browser hijack
• Trigger other endpoint management system to remediate endpoint
• Deploy a virtual firewall around the device
• Reassign the device to a VLAN with restricted access
• Update access lists (ACLs) on switches, firewalls and routers to restrict access
• DNS hijack (captive portal)
• Automatically move device to a pre-configured guest network
• Move device to quarantine VLAN
• Block access with 802.1X
• Alter login credentials to block access, VPN block
• Block access with device authentication
• Turn off switch port (802.1X, SNMP)
• Wi-Fi port block
• Terminate applications
• Disable peripheral device
30. SIEM integration flow (steps numbered as on the slide)
1. ForeScout sends both low-level (who, what, where) and high-level (compliance status) information about endpoints, including BYOD, to the SIEM.
2. The SIEM correlates ForeScout information with information from other sources (DLP; routers: network events; security devices: FW, IPS/IDS, VPN events; privacy violations; database and application events; AV logs, system events) and escalates the threat level when the endpoint is non-compliant.
3. The SIEM provides LOB-based compliance dashboards/reports.
4. The SIEM initiates automated remediation action using ForeScout.
5. ForeScout takes remediation action on the endpoint.
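The correlation in step 2 and the escalation from modest to strong actions on slide 29, as an added example that is not ForeScout's or any SIEM's code: third-party alerts set a base threat level per endpoint, a non-compliant posture report from the NAC raises it one step, and the resulting level selects a rung of the remediation ladder. The event format, the `LADDER` mapping and the sample event stream are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    source: str   # "nac" for the NAC platform, or "ids", "av", "dlp", ... for other feeds
    mac: str      # endpoint identity shared across sources (the low-level "who/what/where")
    kind: str     # "compliance" for NAC posture reports, "alert" for third-party detections
    detail: str   # "compliant" / "non-compliant", or the alert text

# Remediation ladder modeled on slide 29, modest -> strong (constructed mapping, not vendor policy)
LADDER = ("none",
          "alert: open trouble ticket, notify user",
          "limit: reassign to restricted VLAN, update ACLs",
          "disable: move to quarantine VLAN, turn off switch port")

class Correlator:
    """Minimal SIEM-style correlation: alerts set a base level; NAC posture escalates it."""
    def __init__(self):
        self.compliant = {}              # mac -> bool, last posture reported by the NAC
        self.alerts = defaultdict(list)  # mac -> alert descriptions from other sources

    def ingest(self, ev: Event) -> None:
        if ev.source == "nac" and ev.kind == "compliance":
            self.compliant[ev.mac] = ev.detail == "compliant"
        elif ev.kind == "alert":
            self.alerts[ev.mac].append(f"{ev.source}: {ev.detail}")

    def threat_level(self, mac: str) -> int:
        base = min(len(self.alerts[mac]), 2)                       # 0, 1 or 2 from other sources
        escalate = 1 if self.compliant.get(mac) is False else 0    # unknown posture never escalates
        return min(base + escalate, len(LADDER) - 1)

    def decide(self, mac: str) -> dict:
        """Step 4: the SIEM picks an action and would hand it to the NAC for enforcement."""
        level = self.threat_level(mac)
        return {"mac": mac, "level": level, "action": LADDER[level],
                "evidence": list(self.alerts[mac])}

def run_sample() -> dict:
    """Constructed stream: two endpoints with the same IDS alert, only one of them non-compliant."""
    sample = [
        Event("nac", "aa:bb:cc:00:00:01", "compliance", "compliant"),
        Event("nac", "aa:bb:cc:00:00:02", "compliance", "non-compliant"),
        Event("ids", "aa:bb:cc:00:00:01", "alert", "port scan signature"),
        Event("ids", "aa:bb:cc:00:00:02", "alert", "port scan signature"),
        Event("av", "aa:bb:cc:00:00:02", "alert", "malware detected, cleanup failed"),
    ]
    c = Correlator()
    for ev in sample:
        c.ingest(ev)
    return {mac: c.decide(mac) for mac in sorted(c.compliant)}
```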
34. FAMILY OF APPLIANCES: a single appliance handles up to the following number of endpoints: 100, 500, 1,000, 2,500, 4,000, 10,000. Virtual appliances are also available.
FAMILY OF APPLIANCE MANAGERS: a single appliance handles up to the following number of ForeScout appliances: 5, 10, 25, 50, 100, 150, 200. Virtual appliances are also available.
SUITE OF PACKAGED SOFTWARE INTEGRATION MODULES: Vulnerability Assessment, Advanced Threat Detection, SIEM, MDM, ePO, Open (Customer Development).
Editor's Notes
This presentation is designed for a 1st meeting with a prospect. Goal is to gain sponsorship from an executive by describing the value that we can provide. Second meeting with the prospect would be more technical, with lower-level attendees, describing how we do what we do.
======= SCRIPT FOLLOWS =======
Good morning. My name is _______. Today I want to show you how ForeScout’s products can give you game-changing visibility, control and automation.
We’ve been in business for 13 years, based out of California. --- [CLICK TO ADVANCE] ---
We are the market leader in what we do. We are focused on Pervasive Network Security. --- [CLICK TO ADVANCE] ---
We have customers around the world in every industry, ranging in size from 500 to over 500,000 endpoints. We have seen it all before. --- [CLICK TO ADVANCE] ---
The first problem is inadequate visibility to risks on your network. What am I talking about? Don’t you already have enough tools to show you everything on your network? What causes this problem? --- [CLICK TO ADVANCE] ---
The first cause of inadequate visibility is TRANSIENT DEVICES -- devices that show up on your network once a week, or maybe once a month. These could be PHYSICAL or VIRTUAL devices. Does a periodic asset scan, or a periodic vulnerability scan detect transient devices? No, it doesn’t, it misses them. --- [CLICK TO ADVANCE] --- A second problem is that of BYOD devices. You have all kinds of mobile devices, and you might even have a Mobile Device Management system to help you control these devices. But, even MDM systems can’t see devices that have not yet been enrolled in the MDM system. So you have a visibility gap. Unless you have 100% locked down all of your WiFi networks, you probably have more mobile devices on your network than you know about. --- [CLICK TO ADVANCE] --- A third cause of the visibility problem is broken managed devices – stuff that you own that isn’t working right. The management agent is not working or something. Now … this visibility problem is so important that I want to take a minute to drill down on it so you really can start thinking deeply about this issue. Because visibility is foundational for security. --- [CLICK TO ADVANCE] ---
In many meetings I have had with companies just like yourselves, I have found that companies struggle with three problems. These three problems are pervasive among all enterprises. --- [CLICK TO ADVANCE] --- First, companies struggle with inadequate VISIBILITY – to all the things and all the risks on your network. This is especially true because of all the consumer devices that are on your network, and also I’m talking about visibility to virtual machines on your network. --- [CLICK TO ADVANCE] --- The second problem is inadequate COLLABORATION among the IT security systems you already own. Many of your IT systems operate as silos, and they often don’t have the information context that they need to perform effectively. --- [CLICK TO ADVANCE] --- And the third problem is inadequate AUTOMATION for quick mitigation of security problems, to keep you ahead of the cyberattackers. Today, the window of opportunity for attackers to get into your computers is too long. Too many of your controls are still manual and reactive. --- [CLICK TO ADVANCE] ---
If you look at the screen, the blue symbols represent your corporate IT resources. The things you own. You have Endpoints, Network Devices, Applications, and of course users. You own these things, you’ve installed them, so you know about them. And of course the users are your employees – they are on your payroll and in your directory. You know about them. Now … you manage your corporate endpoints with agents, right? You have antivirus, encryption, data loss prevention agents, patch management systems and so forth. Right? Now, these agents are good. They serve a useful purpose. But the truth is that agents are hard to maintain. They don’t work correctly 100% of the time. Based on data we’ve gathered from our customers, we know that each security agent will not be working correctly on between 10% and 15% of the endpoint devices. The antivirus might be out of date. Or the encryption agent might not be properly installed. Or the data loss prevention agent might not be working. This is reality. There are various studies that support these numbers. --- [CLICK TO ADVANCE] --- The symbols that I have added to this slide show the different endpoint agents that aren’t working properly in the real world. When you add up all the problems, it’s typical to find security problems on about one third of your endpoints. Some customers find more. A few years ago, Microsoft reported that over 50% of their endpoint computers had a security problem like the ones shown here. These problems tend to be hidden to you, because the client-server systems have blind spots. This is the real world. --- [CLICK TO ADVANCE] --- You also have non-corporate devices on your network. Employees bring in personal laptops, iPhones and iPads. And employees bring rogue network devices into the office. NAT devices. You know this happens. Employees are trying to “help themselves” by working around your IT organization. And of course you have unauthorized personal applications on your network.
Can you detect them? Are they visible to you? Typically companies don’t have good visibility into any of these things. And they can be security risks. --- [CLICK TO ADVANCE] --- Unless you have specialized technology that can show you everything touching your network, you probably only have visibility into one-half of what actually exists. And you know the security maxim: You can’t secure what you can’t see. So inadequate visibility means you have security gaps. And that is the first problem that we help customers solve.
What you really want is real-time visibility to everything on your network -- all the devices, all the applications, all the risks -- and you also want more coordinated controls. You want your IT systems to talk with one another, make smarter decisions, work with more automation. This is what ForeScout does. Before I tell you more about how we do it, let’s hear from three of our customers.
ForeScout solves this problem. ForeScout allows your existing systems to SHARE INFORMATION. We share the information that we obtain ourselves about the devices on your network (this is the endpoint visibility information that I showed you a few minutes ago), and we also share the information produced by all the other IT management systems that connect up to our platform. All these integrations are bi-directional. The result is your existing systems become SMARTER and become able to make better decisions about your security. You move from a model of periodic scanning and patching to one of CONTINUOUS MONITORING and REMEDIATION. That is what ForeScout does. And of course, all of this reduces your risk exposure to attack. Through this integration, your existing systems are all able to trigger automated mitigation. Through the ForeScout platform or through the other systems that are connected to our platform. This mitigation can be at the network level (to QUARANTINE a device) or at the endpoint level (to PATCH it, or to trigger a 3rd party system to patch the endpoint).
We call this information sharing and automation CONTROLFABRIC. Currently 66 different HW and SW products interoperate with ForeScout’s platform. More partners are signing on every month. And – ControlFabric is based on open standards. So if you have some home-grown management systems that you want to build integrations with, that’s no problem, we support open standards. So that is what our product does. Now I want to give you three examples of ControlFabric in action. The first example that I want to share with you is about endpoint compliance management.
The second example I want to show you is how we help you enable BYOD while preserving security. If you have an MDM system, that’s great. It protects the mobile device. But it can only see devices that have been enrolled into the MDM system, it can’t see brand new devices that show up on the network. That’s a risk. ForeScout solves this problem because we give you 100% visibility. We show you what is on your network, and we automatically remove the things you don’t want. And we help you automatically onboard the mobile devices you do want on your network. We interoperate with all the leading MDM systems to help them onboard new mobile devices. This reduces help desk calls because it makes the process so efficient. This process is so effective, so helpful, that Gartner has published a report – a case study – about ForeScout interoperating with an MDM system at a large financial institution. It greatly helped them. There were far fewer helpdesk calls than if ForeScout wasn’t there to help automate the enrollment of mobile devices into the MDM system. The Gartner case study also explains how our system helped our customer manage BYOD Windows devices, and Macs.
All the market analysts such as Gartner, Frost and Sullivan, and others list us as a market leader. They show us at the top of their charts next to a little company called Cisco. So that is who we are. Now let me go back to the three IT security problems that I mentioned previously. Let’s explore them more deeply. --- [CLICK TO ADVANCE] ---
First, you really have to know that ForeScout’s product is fast and easy to deploy. We have dozens of customer testimonials that say how shocked our customers were when they deployed our product. Typically, a customer will install our appliance in their network in the morning, and then we go to lunch, and when we come back from lunch, immediately we are seeing all kinds of devices that they didn’t know about. It is because we don’t require agents. We don’t disrupt anything that you have. And our system is scalable. We have customers with upwards of 500,000 devices under ForeScout management.
The second thing you need to know about how ForeScout is different is that we work with everything. We are infrastructure agnostic. We work with mixed environments, legacy environments, and we are not going to tie you into a proprietary architecture. ControlFabric is open, it is based on open standards.
And the third thing that is really important for you to know about ForeScout is that we are flexible and customizable. We have optimized our system for diversity. A few years ago, you might have been able to dictate that everyone on your network used Windows XP. Those days are over. Since ForeScout is not tied to an agent, we can see any new thing on your network. Any new thing that Apple or Google might come out with. Any industrial machines you might have. And we support open integration standards.
Unlike other security products, ForeScout’s product has a direct ability to reduce costs and improve productivity.
We call this “Real-time Network Asset Intelligence”. This is a screenshot of ForeScout CounterACT. That is the name of our product. We give you both high-level and low-level information about everything on your network. Let me show you.
In the upper left window pane, you can see all of the devices on your network. Managed and unmanaged. Wired and wireless. If it is on your network, we show it to you, and in this area we categorize the types of devices that we see on your network and give you a total count. --- [CLICK TO ADVANCE] --- We also show you all your compliance problems. What agents are broken. What apps are on your network that you don’t want. What vulnerabilities do you have.
For your convenience, we let you filter all this information any way you want. For example, by business unit, or location.
At the bottom we provide detailed information about every device – what is it? Where is it? Who owns it? How secure is it?
Up top we provide a map where you can see a site summary of each geographical location. How many devices are at each location? What are the policy violations at each location?
We have the SIEM integration module. You have this slide already.
Ladies and gentlemen, that is ForeScout. That is how we deliver pervasive network security. And we think it can be a game-changer for you and for your organization.