Page 1: FireEye + ForeScout Joint solution

May 2015

Toni Buhrke, Director Systems Engineering

Page 2: Security Incidents are Increasing

© 2015 ForeScout Technologies, Page 2

Chart sources: 2014 Global State of Information Security Survey, PwC; 2014 IDG Connect Cyber Defense Maturity Report

$7.6 million per year per enterprise (Source: Ponemon Institute, 2014)

“Sony breach could cost $100 million” (Source: Wall Street Journal, December 10, 2014)

Page 3: Why?

Page 4: Reason 1: Identification of Risks is Too Slow

Source: Research study by Tenable, Inc; February 2014

Page 5: Reason 2: Identification of Risks is Incomplete

• Transient devices

• BYOD devices

• Broken managed devices

Page 6: Reason 3: Detection of Breaches is Too Slow

Sources: 1) Mandiant, “M-Trends 2013: Attack the Security Gap”; 2) Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks”, Neil MacDonald and Peter Firstbrook, February 2014

Page 7: Reason 4: Incident Response is Too Slow

“The average time to contain a cyber attack was 31 days…”

Source: “2014 Global Report on the Cost of Cyber Crime”, Ponemon Institute, October 2014.

Page 8: Reason 5: Lack of Coordination Among Security Systems

The slide shows four point products that do not talk to each other: MDM, an APT detection system, a vulnerability assessment (VA) scanner and NAC. Each holds one piece of the response:

APT detection: “I just detected an IoC on a device with IP address 10.4.9.132.”

NAC: “I can limit the network access of any device immediately.”

VA: “I can scan other devices on the network to see if they may be vulnerable.”

Page 9: 1. Continuous, Real-time Visibility

Who are you?

• Employee

• Partner

• Contractor

• Guest

Who owns your device?

• Corporate

• BYOD

• Rogue

What type of device?

• Windows, Mac

• iOS, Android

• VM

• Non-user devices

What is the device hygiene?

• Configuration

• Software

• Services

• Patches

• Security Agents

Where/how are you connecting?

• Switch

• Controller

• VPN

• Port, SSID

• IP, MAC

• VLAN

Page 10: 2. Reduce Endpoint Risks and Attack Surface

“Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring.”

Gartner Security and Risk Management Summit presentation, “Preparing for Advanced Threats and Targeted Attacks”, Kelly Kavanaugh, June 2014

“A properly configured and patched endpoint will be immune to a large majority of malware attacks, freeing security professionals to focus on more sophisticated attacks that don't rely on misconfigured or vulnerable systems.”

Gartner, “Malware Is Already Inside Your Organization; Deal With It”, Peter Firstbrook and Neil MacDonald, February 2014

Page 11: 3. Rapid Response to Security Breaches

• ForeScout and FireEye work together to detect compromised endpoints and respond quickly to prevent threat propagation and data breaches

Page 12: Joint Solution

1. Gain real-time visibility

2. Reduce endpoint risks and attack surface

3. Detect and block advanced threats

4. Expedite response to security breaches

– Network: quarantine device

– Endpoint: confirm and kill malicious processes

Page 13: ForeScout CounterACT Next-Gen NAC

1. Visibility

• Discovery and inspection - who, what, where

• Managed, unmanaged, corporate, BYOD, rogue

2. Access Control

• Flexible policies - allow, alert, audit, limit, block

• 802.1X, VLAN, ACL, virtual firewall, hybrid-mode

3. Onboarding

• Guest management and BYOD onboarding

• Automated MDM enrollment

4. Interoperability

• Works with your existing IT infrastructure

• ControlFabric open integration architecture

5. Easy Deployment

• Fast implementation, agent-less, all-in-one appliance

• Multi-vendor environments, no upgrades needed

Page 14: How CounterACT Detects and Inspects Devices: Dynamic and Multi-faceted

Multiple methods:

• Poll switches, APs and controllers for the list of connected devices

• Receive SNMP traps from switches

• Monitor 802.1X requests to the built-in or external RADIUS server

• Monitor DHCP requests to detect when a new host requests an IP address

• Optionally monitor a network SPAN port to see network traffic such as HTTP traffic and banners

• Run an NMAP scan

• Use credentials to run a scan on the endpoint

• Use optional agents

(Diagram: SNMP traps, RADIUS server, DHCP requests and the user directory feeding CounterACT)
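As an added, runnable illustration of the DHCP monitoring method listed above (example code, not ForeScout’s or FireEye’s): it parses a client DHCPREQUEST the way a passive sensor on a relay, helper address or SPAN port would see it, turns it into an inventory record keyed by MAC, and reports MACs that are not yet in the inventory, which is the "new host" trigger the slide describes. The sample packet, hostname, vendor class and the one-entry option-55 fingerprint table are constructed for the example; the 10.4.9.132 address is the one used on slide 8.

```python
"""Passive DHCP discovery: parse a client DHCPDISCOVER/DHCPREQUEST into an
inventory record. Added example, not ForeScout code; samples are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE", 8: "INFORM"}
# Illustrative option-55 (parameter request list) fingerprint; real deployments use a maintained database.
FINGERPRINTS = {"1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows (illustrative mapping)"}


@dataclass
class DhcpRecord:
    mac: str
    msg_type: str
    hostname: Optional[str]
    vendor_class: Optional[str]
    requested_ip: Optional[str]
    param_request_list: Tuple[int, ...]

    @property
    def fingerprint(self) -> str:
        return ",".join(str(o) for o in self.param_request_list)

    @property
    def os_guess(self) -> str:
        return FINGERPRINTS.get(self.fingerprint, "unknown")


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Decode TLV options; skip PAD (0), stop at END (255), reject truncation."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated DHCP option")
        length = data[i + 1]
        opts[code] = opts.get(code, b"") + data[i + 2:i + 2 + length]  # RFC 3396: repeats concatenate
        i += 2 + length
    return opts


def parse_dhcp(packet: bytes) -> DhcpRecord:
    """Parse a BOOTP/DHCP client message (UDP payload) into an inventory record."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen = packet[0], packet[1], packet[2]
    if op != 1:
        raise ValueError("not a client message (BOOTREQUEST)")
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet hardware addresses are handled here")
    mac = ":".join("%02x" % b for b in packet[28:34])          # chaddr field
    opts = parse_options(packet[240:])
    mt = opts.get(53, b"\x00")[0]
    req = opts.get(50)
    return DhcpRecord(
        mac=mac,
        msg_type=MSG_TYPES.get(mt, "UNKNOWN(%d)" % mt),
        hostname=opts[12].decode("ascii", "replace") if 12 in opts else None,
        vendor_class=opts[60].decode("ascii", "replace") if 60 in opts else None,
        requested_ip=".".join(str(b) for b in req) if req and len(req) == 4 else None,
        param_request_list=tuple(opts.get(55, b"")),
    )


def build_client_packet(mac: bytes, msg_type: int, options: List[Tuple[int, bytes]]) -> bytes:
    """Construct a client message; used here only to fabricate sample traffic."""
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0)
    body = b"".join(bytes([code, len(val)]) + val for code, val in [(53, bytes([msg_type]))] + options)
    return header + mac.ljust(16, b"\0") + b"\0" * 192 + DHCP_MAGIC + body + b"\xff"


def new_host_records(packets: List[bytes], known_macs: Set[str]) -> List[DhcpRecord]:
    """Return records for MACs not yet in the inventory and add them to it."""
    found: List[DhcpRecord] = []
    for pkt in packets:
        rec = parse_dhcp(pkt)
        if rec.mac not in known_macs:
            known_macs.add(rec.mac)
            found.append(rec)
    return found


# Constructed sample: a laptop requesting 10.4.9.132 (all other values assumed).
SAMPLE_REQUEST = build_client_packet(
    bytes.fromhex("005056abcdef"), 3,
    [(50, bytes([10, 4, 9, 132])), (12, b"ACCT-LT-0042"), (60, b"MSFT 5.0"),
     (55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252]))],
)

if __name__ == "__main__":
    for rec in new_host_records([SAMPLE_REQUEST], set()):
        print(rec.mac, rec.msg_type, rec.hostname, rec.requested_ip, rec.fingerprint, rec.os_guess)
```

The fingerprint is the ordered option-55 list the client sends, which is what DHCP fingerprinting databases key on; the hostname and vendor class are client-supplied and therefore spoofable, so they are inventory hints, not authentication.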

Page 15: How CounterACT Detects and Inspects Devices

(Diagram: Internet, firewall, VPN concentrator and VPN clients on the external side; core and distribution layer switches, corporate LAN, guest LAN and AD / LDAP / RADIUS / DHCP servers on the internal side)

WHO? User, name, email, title, groups

WHAT? OS, browser agent, ports, protocols

POSTURE? Apps, services, processes, versions, registry, patches, encryption, antivirus

WHERE? MAC address, IP address, switch IP, controller IP, port / SSID / VLAN

Page 16: Type of Information CounterACT can Learn

Device: type of device, manufacturer, location, connection type, hardware info

Authentication: MAC and IP address, certificates, user name, authentication status, workgroup, email and phone number

Operating System: OS type, version number, patch level, services and processes installed or running, registry, file names, dates, sizes

Security Agents: anti-malware/DLP agents, patch management agents, encryption agents, firewall status, configuration

Applications: installed, running, version number, registry settings, file sizes

Peripherals: type of device, manufacturer, connection type

Network: malicious traffic, rogue devices

Page 17: Complete Situational Awareness: Real-time Network Asset Intelligence

Page 18: Complete Situational Awareness: Real-time Network Asset Intelligence

See all devices: managed, unmanaged, wired, wireless, PC, mobile…

Page 19: Complete Situational Awareness: Real-time Network Asset Intelligence

Filter information by: business unit, location, device type…

Page 20: Complete Situational Awareness: Real-time Network Asset Intelligence

See device details: what, where, who…

Page 21: Complete Situational Awareness: Real-time Network Asset Intelligence

Site summary: devices, categories…

Page 22: Granular Access Control Policies

Actions range from modest to strong:

Alert / Allow

• Open trouble ticket

• Send email notification

• SNMP traps

• Start application

• Run script

• Auditable end-user acknowledgement

• Send information to external systems such as SIEM

Trigger / Limit

• HTTP browser hijack

• Deploy a virtual firewall around the device

• Reassign the device to a VLAN with restricted access

• Update access lists (ACLs) on switches, firewalls and routers to restrict access

• DNS hijack (captive portal)

• Automatically move device to a pre-configured guest network

• Trigger external controls such as endpoint protection, VA, etc.

Remediate / Block

• Move device to quarantine VLAN

• Block access with 802.1X

• Alter login credentials to block access, VPN block

• Block access with device authentication

• Turn off switch port (802.1X, SNMP)

• Install/update agents, trigger external remediation systems

• Wi-Fi port block
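The VLAN reassignment and 802.1X block actions above are normally carried out by sending the switch a RADIUS Change-of-Authorization (RFC 5176) that rewrites the session’s tunnel attributes (RFC 2868). The following is an added example, not ForeScout code: it builds such a CoA-Request, has a simulated NAS authenticate it and move the session to a quarantine VLAN, and verifies the CoA-ACK on the sender side. The shared secret testing123, the session ID and MAC, and VLAN 999 are assumptions; both ends run in one process so the exchange can be checked offline.

```python
"""RADIUS Change-of-Authorization (RFC 5176): move an 802.1X session to a
quarantine VLAN via RFC 2868 tunnel attributes. Added example, not ForeScout
code; the policy-server (sender) and NAS (switch) sides are both simulated here."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 31, 44, 101
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
ERR_MISSING_ATTRIBUTE, ERR_SESSION_CONTEXT_NOT_FOUND = 402, 503


def _avp(attr_type: int, value: bytes) -> bytes:
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([attr_type, len(value) + 2]) + value


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    # RFC 2868: one tag octet followed by a 3-octet integer
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def _packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_coa_request(identifier: int, secret: bytes, calling_station_id: str,
                      acct_session_id: str, vlan_id: int, tag: int = 1) -> bytes:
    """Policy-server side: ask the NAS to move one session to vlan_id."""
    attrs = (_avp(ATTR_CALLING_STATION_ID, calling_station_id.encode())
             + _avp(ATTR_ACCT_SESSION_ID, acct_session_id.encode())
             + _tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + _tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
             + _avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))
    # Request Authenticator (RFC 5176 s2.3, computed as in RFC 2866):
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    digest = hashlib.md5(_packet(COA_REQUEST, identifier, b"\x00" * 16, attrs) + secret).digest()
    return _packet(COA_REQUEST, identifier, digest, attrs)


def parse_packet(data: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value)])."""
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or data[i + 1] < 2 or i + data[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return code, identifier, data[4:20], attrs


def verify_request(data: bytes, secret: bytes) -> bool:
    expected = hashlib.md5(data[:4] + b"\x00" * 16 + data[20:] + secret).digest()
    return hmac.compare_digest(data[4:20], expected)


def nas_handle_coa(data: bytes, secret: bytes, sessions: Dict[str, dict]) -> Optional[bytes]:
    """NAS side: authenticate the request, find the session, apply the VLAN, reply."""
    code, identifier, req_auth, attrs = parse_packet(data)
    if code != COA_REQUEST or not verify_request(data, secret):
        return None   # RFC 5176: a request with a bad authenticator is silently discarded
    avp = dict(attrs)
    session = sessions.get(avp.get(ATTR_ACCT_SESSION_ID, b"").decode(errors="replace"))
    group = avp.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if session is None or session["mac"].encode() != avp.get(ATTR_CALLING_STATION_ID):
        reply_code, reply_attrs = COA_NAK, _avp(ATTR_ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND.to_bytes(4, "big"))
    elif group is None:
        reply_code, reply_attrs = COA_NAK, _avp(ATTR_ERROR_CAUSE, ERR_MISSING_ATTRIBUTE.to_bytes(4, "big"))
    else:
        # RFC 2868: a leading octet <= 0x1F is a tag, otherwise it belongs to the string
        session["vlan"] = int((group[1:] if group[0] <= 0x1F else group).decode())
        reply_code, reply_attrs = COA_ACK, b""
    # Response Authenticator: MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)
    digest = hashlib.md5(_packet(reply_code, identifier, req_auth, reply_attrs) + secret).digest()
    return _packet(reply_code, identifier, digest, reply_attrs)


def verify_response(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Policy-server side: accept a reply only if it is bound to our request."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


# Constructed demo state (all values assumed): one live 802.1X session on the switch.
SECRET = b"testing123"
QUARANTINE_VLAN = 999

if __name__ == "__main__":
    sessions = {"8A3F0001": {"mac": "00-50-56-AB-CD-EF", "vlan": 10}}
    req = build_coa_request(7, SECRET, "00-50-56-AB-CD-EF", "8A3F0001", QUARANTINE_VLAN)
    ack = nas_handle_coa(req, SECRET, sessions)
    print("ACK verified:", ack is not None and verify_response(ack, req, SECRET),
          "- session VLAN is now", sessions["8A3F0001"]["vlan"])
```

Two practitioner points the code makes explicit: the only thing authenticating a CoA is an MD5 over the shared secret, so the secret and the management path to the switch (typically UDP/3799) deserve the same protection as any other control-plane credential; and the sender must check the reply’s Identifier and Response Authenticator before believing a quarantine took effect. RFC 5176 also permits a Message-Authenticator attribute, omitted here for brevity.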

Page 23: May 2015 Toni Buhrke, Director Systems Engineering

© 2015 ForeScout Technologies, Page 23

• Visibility of corporate andpersonal devices

• Automated onboarding– Identify device

– Identify user

– Assess compliance

• Flexible policy controls – Register guests

– Grant access (none, limited, full)

– Enforce time of day, connection type, device type controls

• Block unauthorized devices from the network

Onboarding

EMPLOYEE

CONTRACTOR

GUEST

UNAUTHORIZED

WEB EMAIL CRM

Page 24: Information Sharing and Automation

Page 25: Find Security and Compliance Gaps

Device

• Manufacturer, model

• Hardware properties

• User, ownership

• Configuration

• Password policy

• Jailbroken or rooted

Operating System

• OS type

• Version number

• Patch level

• Services, processes installed or running

• Registry settings

Applications

• Installed or running

• Required apps

• Blacklisted apps

• Version numbers

• Legacy applications

• File dates and sizes

Peripherals

• Peripheral type

• Manufacturer

• Configuration

• Port

• Connection type

Security Agents

• Anti-malware status

• Anti-virus up-to-date

• DLP status

• Firewall status

• Patch management

• Encryption status

Page 26: Fix Security and Compliance Gaps

User Communication

• Send email

• Send to web page

• Open help desk ticket

• Communicate policies

• Self-remediation

Operating System

• Install patch

• Configure registry

• Start, stop, disable process or service

• Trigger external remediation system

Applications

• Update application

• Set configuration

• Start required application

• Stop blacklisted or legacy application

Network/Peripherals

• Quarantine

• Restrict network access

• Disable peripheral

• Disable USB ports

Security Agents

• Install agent

• Start agent

• Update agent

• Update configuration

• Trigger external remediation service

Page 27: Post-connect Threat Detection and Response

ActiveResponse™

• Signature-less IPS technology

• No prior knowledge of vulnerability or exploit required

• Doesn’t impact legitimate traffic

• No tuning or maintenance

Detect

• Reconnaissance

• Unexpected behavior

• Worms, zero-day threats

Respond

• Quarantine or block malicious and infected hosts
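The slide does not say how ActiveResponse detects reconnaissance, so the following added example (not ForeScout code, and not a description of its technique) shows the generic signature-less heuristic such a function needs: a per-source sliding window over connection records that alerts on horizontal sweeps, vertical port scans and runs of unanswered probes, each once per source. The flow records are constructed inline, and the thresholds are assumptions; unlike the "no tuning" claim above, a heuristic like this one has to be tuned to the network it watches.

```python
"""Signature-less reconnaissance detection over connection records.
Added example, a generic heuristic rather than ForeScout's ActiveResponse;
flows and thresholds are constructed for the demonstration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds
    src: str
    dst: str
    dport: int
    answered: bool   # did the destination respond at all (SYN-ACK or RST)?


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    kind: str
    detail: str


class ReconDetector:
    """Per-source sliding window; each (source, kind) pair alerts at most once."""

    def __init__(self, window: float = 60.0, host_threshold: int = 20,
                 port_threshold: int = 15, unanswered_threshold: int = 10) -> None:
        self.window = window
        self.host_threshold = host_threshold
        self.port_threshold = port_threshold
        self.unanswered_threshold = unanswered_threshold
        self._recent: Dict[str, Deque[Flow]] = defaultdict(deque)
        self._raised: Set[Tuple[str, str]] = set()

    def observe(self, flow: Flow) -> List[Alert]:
        q = self._recent[flow.src]
        q.append(flow)
        while q and flow.ts - q[0].ts > self.window:      # expire the window
            q.popleft()
        alerts: List[Alert] = []
        hosts = {f.dst for f in q}                          # horizontal: many distinct hosts
        if len(hosts) >= self.host_threshold:
            self._raise(alerts, flow, "horizontal-scan", "%d distinct hosts" % len(hosts))
        ports = {f.dport for f in q if f.dst == flow.dst}   # vertical: many ports on one host
        if len(ports) >= self.port_threshold:
            self._raise(alerts, flow, "vertical-scan", "%d ports on %s" % (len(ports), flow.dst))
        unanswered = sum(1 for f in q if not f.answered)    # sweeping unused addresses
        if unanswered >= self.unanswered_threshold:
            self._raise(alerts, flow, "unanswered-probes", "%d unanswered attempts" % unanswered)
        return alerts

    def _raise(self, alerts: List[Alert], flow: Flow, kind: str, detail: str) -> None:
        key = (flow.src, kind)
        if key not in self._raised:
            self._raised.add(key)
            alerts.append(Alert(flow.ts, flow.src, kind, "%s within %.0fs" % (detail, self.window)))


def run_detector(flows: List[Flow], **thresholds) -> List[Alert]:
    det = ReconDetector(**thresholds)
    out: List[Alert] = []
    for flow in sorted(flows, key=lambda f: f.ts):
        out.extend(det.observe(flow))
    return out


def sample_flows() -> List[Flow]:
    """Constructed traffic: a worm-like sweep, a port scan and a normal workstation."""
    flows: List[Flow] = []
    # 10.4.9.132 (IP from slide 8) sweeps 10.4.10.0/24 on 445; most targets do not exist
    for i in range(1, 31):
        flows.append(Flow(100 + i * 0.2, "10.4.9.132", "10.4.10.%d" % i, 445, i % 5 == 0))
    # 10.4.9.77 probes 20 ports on one server; closed ports answer with RST
    for p in range(1, 21):
        flows.append(Flow(200 + p * 0.1, "10.4.9.77", "10.4.1.10", p, True))
    # 10.4.9.50 repeatedly talks to three servers: ordinary behaviour
    for k in range(30):
        flows.append(Flow(300 + k * 2.0, "10.4.9.50", "10.4.1.%d" % (10 + k % 3), (443, 389, 445)[k % 3], True))
    return flows


if __name__ == "__main__":
    for a in run_detector(sample_flows()):
        print("%.1f %s %s: %s" % (a.ts, a.src, a.kind, a.detail))
```

On the constructed traffic the sweep trips the unanswered-probe rule before the host-count rule, which is the useful property: a worm touching dark address space is visible after a handful of failures, well before it has reached twenty live hosts.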

Page 28: FireEye Detects Advanced Threats But…

• First infection might have already occurred

– Suspicious content may have executed on the endpoint in parallel with detection

– As a result the first endpoint might already be infected (patient zero)

– Internal propagation might already have started from that first endpoint

• FireEye may not detect all infected/compromised endpoints

– Endpoints pre-infected on public networks

– Infection pathways such as USB drives

• FireEye has limited threat mitigation capabilities

– It may be able to block the callback to the C&C (if FireEye NX is deployed inline)

– No quarantining of endpoints

– No remediation of endpoints

Page 29: FireEye + ForeScout Use Case #1

1. Pre-infected system connects to the network and tries to call home

2. FireEye blocks the callback

3. FireEye alerts ForeScout of the infected system and its indicators of compromise (IOC)

4. ForeScout isolates the infected system to prevent propagation

5. ForeScout scans other endpoints on the network for the same IOC/infection, isolates them and takes other risk mitigation actions

(Diagram: Internet, firewall, switch, infected system)

Page 30: FireEye + ForeScout Use Case #2

1. Malware or APT downloaded from the Internet

2. FireEye examines the payload and detects possible malware

3. FireEye alerts ForeScout of the possible infection and its indicators of compromise (IOC)

4. ForeScout isolates the endpoint

5. ForeScout inspects the endpoint to confirm infection and remediates if necessary (e.g. blocks the malicious code from running)

6. ForeScout scans other endpoints on the network for the same IOC/infection, isolates them and takes other risk mitigation actions

(Diagram: attacker on the Internet, firewall, switch, endpoint)

Page 31: ForeScout Policy Example – Threat Response

1. IOC detected by FireEye

2. Quarantine system

3. Automate mitigation actions

4. Scan other systems
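Use cases #1 and #2 and the policy on this slide, like the coordination problem on slide 8, describe one procedure: alert in, contain, confirm and remediate, then sweep the rest of the estate. The added example below (not ForeScout or FireEye code) implements that procedure as an ordered, deterministic response plan over a constructed endpoint inventory. The alert dictionary is a hypothetical shape, not FireEye’s real alert format; the hashes, host names, users and switch ports are made up, and 10.4.9.132 is the address from slide 8.

```python
"""IOC-driven response: contain, confirm and remediate, then sweep the estate.
Added example, not ForeScout or FireEye code. The alert dict is a hypothetical
shape (not FireEye's schema); inventory, hashes and names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Endpoint:
    ip: str
    mac: str
    user: str
    switch: str
    port: str
    processes: Dict[str, str] = field(default_factory=dict)   # process name -> MD5 of its image
    dns_cache: List[str] = field(default_factory=list)        # names the host recently resolved


@dataclass(frozen=True)
class Action:
    kind: str      # quarantine | kill_process | inspect | investigate
    target: str    # endpoint IP, or "ip:process" for kill_process
    reason: str


def match_iocs(ep: Endpoint, iocs: Dict[str, str]) -> List[str]:
    """Return which of the alert's indicators (md5, process, callback_host) are present."""
    present = {
        "md5": {h.lower() for h in ep.processes.values()},
        "process": {n.lower() for n in ep.processes},
        "callback_host": {d.lower() for d in ep.dns_cache},
    }
    return [key for key, values in present.items()
            if iocs.get(key) and iocs[key].lower() in values]


def plan_response(alert: dict, inventory: Dict[str, Endpoint]) -> List[Action]:
    """Ordered actions for one alert: isolate first, then confirm/remediate, then sweep."""
    iocs = alert["iocs"]
    src = inventory.get(alert["src_ip"])
    if src is None:
        # An IP-only alert may refer to a lease that has since moved: do not act blindly.
        return [Action("investigate", alert["src_ip"],
                       "no inventory record for alerted IP; resolve via DHCP/ARP history first")]
    actions = [Action("quarantine", src.ip, "alert %s: isolate %s port %s (user %s)"
                      % (alert["alert_id"], src.switch, src.port, src.user))]
    confirmed = match_iocs(src, iocs)
    for name, digest in src.processes.items():
        if digest.lower() == iocs.get("md5", "").lower() or name.lower() == iocs.get("process", "").lower():
            actions.append(Action("kill_process", "%s:%s" % (src.ip, name), "image matches alert IOC"))
    if not confirmed:
        actions.append(Action("inspect", src.ip,
                              "IOCs not found on endpoint; keep isolated pending analyst review"))
    for ep in inventory.values():          # sweep everything else for the same indicators
        if ep.ip != src.ip:
            hits = match_iocs(ep, iocs)
            if hits:
                actions.append(Action("quarantine", ep.ip, "sweep hit on %s" % ", ".join(hits)))
    return actions


# Constructed inventory: three endpoints, two of them carrying the same dropper image.
BAD_MD5 = "0123456789abcdef0123456789abcdef"
INVENTORY = {
    "10.4.9.132": Endpoint("10.4.9.132", "00:50:56:ab:cd:ef", "jdoe", "sw-acct-01", "Gi1/0/12",
                           {"explorer.exe": "1111aaaa1111aaaa1111aaaa1111aaaa",
                            "svchost_upd.exe": BAD_MD5}, ["evil-cdn.example"]),
    "10.4.9.140": Endpoint("10.4.9.140", "00:50:56:12:34:56", "asmith", "sw-acct-01", "Gi1/0/19",
                           {"update_helper.exe": BAD_MD5}, []),
    "10.4.9.141": Endpoint("10.4.9.141", "00:50:56:65:43:21", "bnguyen", "sw-acct-02", "Gi1/0/3",
                           {"explorer.exe": "1111aaaa1111aaaa1111aaaa1111aaaa"}, ["intranet.example"]),
}
SAMPLE_ALERT = {"alert_id": "A-1001", "src_ip": "10.4.9.132",
                "iocs": {"md5": BAD_MD5, "process": "svchost_upd.exe", "callback_host": "evil-cdn.example"}}

if __name__ == "__main__":
    for a in plan_response(SAMPLE_ALERT, INVENTORY):
        print(a.kind, a.target, "-", a.reason)
```

The sweep finds 10.4.9.140 by hash even though its process name differs, which is why the match is on the image hash and callback host rather than on the name alone; and the two failure modes the slides gloss over (an alerted IP that no longer maps to a known device, and an alert the endpoint inspection cannot confirm) each produce an explicit action instead of silently doing nothing.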

Page 32: Joint Solution Benefits

FireEye alone

• Identifies the threat but takes no action (may block callback if inline)

• Lacks context: who is the user, what machine, how are they connected

• Cannot scan, identify and quarantine all infected endpoints after report of a breach

FireEye with ForeScout CounterACT™

• Identify the threat

• Quarantine infected hosts to prevent callbacks and threat propagation

• Take remediation and risk mitigation actions on infected hosts

• Scan an entire organization for the IOC identified by FireEye

Page 33: Joint Solution Value

• For existing ForeScout customers (who add FireEye)

– Superior discovery of APTs, malware, spear phishing, zero-day and other cyber threats

– FireEye supplements ForeScout’s ActiveResponse™ technology

• For existing FireEye customers (who add ForeScout CounterACT)

– Faster response to security breaches: automated endpoint quarantine, automated endpoint remediation

– Detect and block internal threat propagation

– More complete visibility to endpoints and risks on the network

– Reduced enterprise risk by ensuring that all endpoints have complete and up-to-date security defenses and are properly patched

Page 34: Easy Deployment

• Easy to use

– 802.1X not mandatory

– Non-intrusive, audit-only mode

– No agents needed (dissolvable or persistent agent can be used)

• Fast and easy to deploy

– All-in-one appliance

– Out-of-band deployment

– No infrastructure changes or network upgrades

– Rapid time to value: unprecedented visibility in hours or days

– Physical or virtual appliances

• Ideal for multi-vendor, heterogeneous network environments

Page 35: ForeScout is a Leader in the Next-Gen NAC Market

Strong Foundation

• In business 13 years

• Campbell, CA headquarters

• 200+ global channel partners

Market Leadership

• #1 independent Network Access Control (NAC) market leader

• Focus: pervasive network security

Enterprise Deployments

• 1,500+ customers worldwide

• Financial services, government, healthcare, manufacturing, retail, education

• From 500 to >1M endpoints

Page 36: ForeScout – Market Leadership

* Magic Quadrant for Network Access Control, December 2013, Gartner Inc.

** NAC Competitive Landscape, April 2013, Frost & Sullivan

* This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner, Inc., “Magic Quadrant for Network Access Control”, Report G00249599, December 12, 2013, Lawrence Orans.

** Frost & Sullivan 2013 report NC91-74, “Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth”, chart base year 2012.

Page 37