Complete Visibility for Endpoint Compliance and SIEM Incident Response
Wallace Sann | CISSP-ISSEP, CIPP/G, Director of Systems Engineering, ForeScout Technologies
April 23, 2013
© 2013 ForeScout Technologies

Jan 22, 2015

Transcript
1. Title slide: Complete Visibility for Endpoint Compliance and SIEM Incident Response. Wallace Sann | CISSP-ISSEP, CIPP/G, Director of Systems Engineering. April 23, 2013.

2. About ForeScout
ForeScout is the leading global provider of real-time network security solutions for Global 2000 enterprises and government agencies.
- Large deployments: financial institutions, government; scalability: 1M+ endpoints
- Federal validation: NIAP CC EAL 4+, DISA UC APL, FIPS 140-2
- At a glance: founded in 2000, 160+ employees, HQ in Cupertino, CA; global company, customers and support; dominant independent vendor of Network Access Control (NAC); BYOD, endpoint compliance and cloud fueling growth
Sources cited on the slide: * Magic Quadrant for Network Access Control, December 2012, Gartner Inc. ** Forrester Wave: Network Access Control, Q2-2011, Forrester Research. *** Analysis of the NAC Market, February 2012, Frost & Sullivan.

3. Over 1400 Enterprise Deployments (customer logo slide, including Austrian Post AG)

4. ForeScout Offerings
ForeScout Automated Security Control Platform: interoperable, scalable, agentless, knowledgebase.
- Network Access Control: infrastructure agnostic (802.1X, VLAN, ACL); block unauthorized users and devices; register guests
- Endpoint Compliance: find and fix security gaps; enterprise toolset integrations; incident response
- Mobile Security: enable BYOD; unified visibility & control; dual protection; integrate MDM
- Visibility: clientless; built-in profiling; HW/SW inventory; who, what, when, where

5. Extended Network & Dynamic Threats
Access is more dynamic; threats are broader, faster and more complex.
Common organizational assumptions:
a. Visibility on all network endpoints
b. Managed all access to network resources
c. Wireless security is uniform
d. All host-based protection is active
e. Configurations are locked / tracked
f. Logging is always maintained
g. Contractor access is limited
h. Preempt unwanted apps
i. All data leakage monitored
j. BYOD is OK: guest network or MDM

6. Visibility and Control Gaps (diagram)
Diagram columns: Endpoints, Network Devices, Applications, Government Resources, Users (non-GFE?). Example gaps: host configuration issue; unwanted application; patch / host security agent not installed. Legend: Visible; Protection Possible; Little Protection Possible.

7. CounterACT: Continuous Monitoring & Remediation
Proven platform for real-time visibility and automated control. Diagram callouts: Complete Visibility, Enforcement, Remediation, Continuous Monitoring; device discovery and profiling [HW/SW, user, location ...]; fully functional clientless interrogation of endpoints; port-based enforcement [with or without 802.1X], natively or with 3rd-party integration; incident response; compliance dashboard; McAfee ESM; host inspection & McAfee ePO.
- Challenge: asset visibility; access and threat dynamics; endpoint and infrastructure diversity; port authentication and control; STIG, IAVA and CCRI difficulty
- Solution: pre-admission user/device authentication and authorization; continuous endpoint diagnostics, posture assessment and mitigation; port-based control and broad device policy enforcement; infrastructure agnostic, interoperable, scalable, works with enterprise tool sets

8. Bridges the Gap with Enterprise Tool Sets (diagram)
Integrated tool sets: patch management, VA, ESM, MDM/BYOD, ePO, asset management, VPN, DirectAccess. Endpoints covered: users, computers, servers, switches, printers, VoIP devices, USB devices, mobile devices, all other devices; Linux/Unix/Mac/Windows/iOS/Android/all applications. Port-based security and authentication with or without 802.1X.

9. ForeScout CounterACT in Action: rapid implementation, accelerated time-to-value, automation
a. Port control: DISA STIG adherence; visibility and control without disrupting user experience; 802.1X and non-802.1X control with assured rollout
b. Independent verification and validation: automate detection, classification and reporting of all non-compliant devices; reduce manual expense: ticketing, investigation and audit
c. Asset intelligence, HBSS deployment, CCRI, IAVA: dynamically see and resolve host agent, configuration and security gaps; rich integration: McAfee ePO, SIEM, data sources; real-time situational awareness of all endpoints connected to or attempting to connect to a DOD enclave; medical device detection, classification and isolation
d. Personal and rogue device mitigation: classify, block and limit mobile devices (smartphone, tablet, WAP); no CERT ticket issued, no manual response, full port control

10. ForeScout CounterACT Certified Integration with McAfee ePO & EPP
McAfee ePO integration:
- Certified integration with ePO
- Rogue System Detection (RSD) sensor network admission events
- CounterACT real-time inspection informs ePO
- Endpoint protection policy assurance
- Fortifies HBSS compliance

11. Enterprise Tool Sets - HBSS (diagram: HBSS framework implementation status)

12. McAfee ESM Integration (diagram)
Event sources feeding the SIEM: endpoints + BYOD; DLP; other sources; routers (network events); security devices (FW, IPS/IDS, VPN events); AV logs and system events; privacy violations; database and application events.
Flow callouts (numbering and some text are truncated in the source):
- ForeScout sends endpoint information (who, what, where) and high-level (compliance ...) ... to the SIEM
- SIEM correlates ForeScout information with information from other sources and escalates the threat level of incidents when the endpoint is non-compliant
- ... remediation action using ForeScout
- ForeScout takes remediation action on the endpoint
- ... compliance dashboards/reports

13. ForeScout + McAfee = Wirespeed Incident Response
McAfee ESM correlated event triggers CounterACT response.

14. Centralized Deployment (diagram)

15. Decentralized Deployment (diagram)

16. Enterprise Deployment (diagram)

17. Visibility then Control (crawl / walk / run)
- Crawl: deployment; discovery; RBAC & administration; HBSS client issues; 802.1X issues; A/V issues; IAVA scanning; reporting/notifications; monitoring
- Walk: authentication; remediation; access control; integrate with ePO; integrate with SIEM; asset management; mobile policies; block rogue devices; custom scripts
- Run: full enforcement; actions from ePO; actions from SIEM; asset management using authentication; advanced custom scripts; integrate with MDM; integrate with other GOTS & COTS products
Immediate ROI. Flexible to meet mission and security requirements. Coordination - Training - Documentation.

18. Continuous Compliance Case Study: Financial Institution
Business problem:
- No real-time network intelligence: who/where/what endpoints, users, APs
- Material gap in endpoint and network device compliance
- No control over corrupted, inactive or non-existent endpoint agents
- Slow response: can't quickly and easily identify, isolate and remediate
McAfee ESM/ePO:
- Dashboards: assets, violations, incidents, threats
- Enterprise-wide policy, event correlation & log management
- On-demand incident and compliance reporting per LOB
- ESM correlated events trigger NAC to isolate or resolve the issue
ForeScout CounterACT Network Access Control:
- Real-time visibility: all users / devices / apps / rogue devices
- Asset profiles, access, violations and actions sent to the SIEM
- Automated remediation of endpoint security and configuration agents
- Works with existing McAfee ePO, ESM and endpoint protection products
Benefits: enterprise threat visibility; reduced business risk; more responsive security; operational efficiency; automated remediation; endpoint compliance; demonstrable GRC gain.

19. Continuous Compliance, Remediation: NAC Accelerates IT-GRC Automation
- Visibility (greater threat dynamics and response impact): requires full visibility in real time; network asset intelligence: who, what, where
- Automation (next-gen NAC closes operational gaps): automate authentication; automate compliance verification and remediation; automate access control
- Interoperability (demonstrable IT-GRC value): increases situational awareness; increases IT / security responsiveness; effectuates GRC policy

20. ForeScout CounterACT Advantages
- Easy to use and deploy with low TCO: hybrid 802.1X/agentless approach; works within existing/legacy environments; easy, centralized administration; high availability, scalable, non-disruptive
- Real-time situational awareness: all users, devices, applications, infrastructure agnostic; wired & wireless, managed & rogue, VMs, PCs, mobile & embedded
- Rapid results and time-to-value: broad application: Comply to Connect, STIG, Command Cyber Readiness Inspection (CCRI), IAVA, HBSS assurance
- Flexible control with bi-directional intelligence: extensible templates and controls with robust SIEM, HBSS, CMDB and directory integration

21. Resources / Q&A
Learn more about ForeScout CounterACT and McAfee-ForeScout joint solutions: http://www.forescout.com/support2/resources/
- ForeScout, McAfee ESM solution brief
- ForeScout, McAfee ePO solution brief
Footnotes:
* This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
** The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
*** Frost & Sullivan chart from the 2012 market study "Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth", base year 2011, n=20.

22. Questions?

23. CounterACT Product Family

Physical appliances
Model               CTR        CT-100     CT-1000    CT-2000    CT-4000            CT-10000
Concurrent devices  100        500        1000       2500       4000               10000
Bandwidth           100 Mbps   500 Mbps   1 Gbps     2 Gbps     4 Gbps or 10 Gbps  4 Gbps or 10 Gbps
VLAN support        Unlimited  Unlimited  Unlimited  Unlimited  Unlimited          Unlimited

Virtual appliances
Model               VCTR       VCT-100     VCT-1000   VCT-2000   VCT-4000   VCT-10000
Concurrent devices  100        500         1000       2500       4000       10000
CPU                 1          2           2          2          4          10
RAM / HD space      1GB/80GB   1.5GB/80GB  2GB/80GB   4GB/80GB   6GB/80GB   16GB/80GB