ForeScout Technologies Ayelet Steinitz, Product Manager April, 2003

Dec 18, 2015

Page 1: ForeScout Technologies Ayelet Steinitz, Product Manager April, 2003.

ForeScout Technologies

Ayelet Steinitz, Product Manager
April, 2003

Page 2

The Problem

• Constant New Threats and Vulnerabilities
• Current Solutions Not Sufficient
  • Reactive Solutions Incur False Positives
  • Reactive Solutions Miss Unknown Attacks
  • Do not allow for automatic action
• Inherent Window of Vulnerability
• High Maintenance and TCO

Page 3

A New Approach to Network Security

Key Issues (Protect By.., Characteristics, Cost to Maintain, Accuracy) compared across the three products:

Firewall
  Protect By: Policy
  Characteristics: Access list by services offered
  Cost to Maintain: Low Cost (Defined Policy); Static
  Accuracy (False Positives): Accurate. Does exactly what you told it to do!

IDS / IPS
  Protect By: Analysis
  Characteristics: Pattern recognition; By Anomaly; Forensics; Reactive
  Cost to Maintain: High Cost (To Update, To Manage)
  Accuracy (False Positives): False Positives. Not confident to take automatic action

ActiveScout
  Protect By: Proven Intent
  Characteristics: Identify attacker intent; Stop attacker from reaching network; Proactive
  Cost to Maintain: Low Cost (Low Complexity); Dynamic
  Accuracy (False Positives): Accurate. Confident to act. If ActiveScout identifies a Bad Guy: It’s a BAD GUY!

Page 4

Knowledge: Mandatory Requirement

Knowledge is needed 100% of the time

Social Engineering
• Password Snare
• Networking

Public Domain
• Email Server
• Web Server

Reconnaissance
• 20 types
• Precedes Majority of Attacks

Page 6

Typical Attack Process

Most network attacks are preceded by reconnaissance activity to determine available services and network resources.

[Diagram: Attacker → Internet → Router → Firewall → Enterprise]

Page 7

Typical Attack Process

The network sends information about available hosts and services in response to the reconnaissance.

[Diagram: Attacker → Internet → Router → Firewall → Enterprise]

Page 8

Typical Attack Process

With this information, the attacker utilizes existing or new exploits to break into the network.

[Diagram: Attacker → Internet → Router → Firewall → Enterprise]

Page 9

ActiveScout Intrusion Prevention

ActiveScout identifies all reconnaissance used by a potential attacker.

[Diagram: Attacker → Internet → Router → Firewall → Enterprise; Scout and Site Manager in front of the firewall]

Page 10

ActiveScout Intrusion Prevention

ActiveScout watches the network’s response, and sends its own unique information to the potential attacker. This unique information, or ‘mark’, is not distinguishable from the network’s legitimate response.

[Diagram: Attacker → Internet → Router → Firewall → Enterprise; Scout and Site Manager in front of the firewall]

Page 11

ActiveScout Intrusion Prevention

When the attacker uses the mark to launch an exploit, ActiveScout accurately identifies it and can actively block the attacker.

[Diagram: Attacker → Internet → Router → Firewall → Enterprise; Scout and Site Manager in front of the firewall]
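The three steps on Pages 9–11 (reconnaissance is answered with a unique 'mark', the mark is later used, the source is blocked) as a small simulation. This is an added example, not ForeScout's code and not a description of ActiveScout's real internals; the `Scout` class, `answer_recon`, `handle_connection`, the address ranges and the scenario in `run_demo` are all constructed for illustration.

```python
from dataclasses import dataclass, field
import secrets

# Constructed sample data: the services the protected network really offers.
REAL_SERVICES = {("10.0.0.5", 25), ("10.0.0.6", 80)}
# Constructed: no host in this range exists, so a "service" here can only be a mark.
MARK_HOST_PREFIX = "10.0.99."


@dataclass
class Scout:
    """Hypothetical scout placed in front of the firewall (illustrative, not the product's API).

    It answers reconnaissance with the real services plus one unique fake
    service, the 'mark', and blocks whoever later connects to a mark.
    """
    real_services: set
    marks: dict = field(default_factory=dict)   # (host, port) -> recon source that received it
    blocked: set = field(default_factory=set)   # source IPs currently being blocked
    events: list = field(default_factory=list)  # audit trail of what was seen and decided

    def _new_mark(self) -> tuple:
        """A fake (host, port) that exists nowhere and has not been handed out before."""
        while True:
            mark = (MARK_HOST_PREFIX + str(1 + secrets.randbelow(250)),
                    1024 + secrets.randbelow(60000))
            if mark not in self.real_services and mark not in self.marks:
                return mark

    def answer_recon(self, src_ip: str) -> set:
        """Respond to a scan from src_ip with the legitimate answer plus a unique mark.

        The mark has the same shape as a real (host, port), so the scanner cannot
        tell it apart from the network's genuine response.
        """
        mark = self._new_mark()
        self.marks[mark] = src_ip
        self.events.append(("recon", src_ip, mark))
        return set(self.real_services) | {mark}

    def handle_connection(self, src_ip: str, host: str, port: int) -> str:
        """Decide on one connection attempt: 'ALLOW' or 'BLOCK'.

        Only a connection to a mark is treated as hostile. A mark was never
        advertised to anyone except the recon source, so a legitimate user has
        no way to learn it; that is what lets the scout block automatically
        without tuning. Connections to real services, or to addresses that are
        neither real nor marks, are not judged by this mechanism at all.
        """
        if src_ip in self.blocked:
            self.events.append(("blocked_repeat", src_ip, (host, port)))
            return "BLOCK"
        if (host, port) in self.marks:
            self.blocked.add(src_ip)
            self.events.append(("mark_used", src_ip, (host, port), self.marks[(host, port)]))
            return "BLOCK"
        return "ALLOW"


def run_demo() -> dict:
    """Constructed scenario: a scanner probes, a legitimate user connects, the scanner
    then tries the fake service it learned, and is blocked from that point on."""
    scout = Scout(REAL_SERVICES)
    attacker, user = "203.0.113.9", "198.51.100.7"   # constructed, documentation-range IPs
    seen = scout.answer_recon(attacker)
    mark = next(iter(seen - REAL_SERVICES))          # the one entry that is not real
    return {
        "recon_has_real_plus_one": REAL_SERVICES < seen and len(seen) == len(REAL_SERVICES) + 1,
        "user_real_service": scout.handle_connection(user, "10.0.0.6", 80),
        "attacker_real_service_before_mark": scout.handle_connection(attacker, "10.0.0.5", 25),
        "attacker_uses_mark": scout.handle_connection(attacker, *mark),
        "attacker_after_block": scout.handle_connection(attacker, "10.0.0.6", 80),
        "user_still_allowed": scout.handle_connection(user, "10.0.0.6", 80),
        "events": scout.events,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the decisions. What the code makes visible is why the deck can claim automatic blocking without policy tuning: the decision rests on knowledge only the reconnaissance source could have, not on a signature or an anomaly threshold. The flip side shows up in `attacker_real_service_before_mark`: a source that only ever touches real services is never singled out by this mechanism alone, which is why the slides position it in front of, not instead of, the firewall.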

Page 12

The ActiveScout Difference (Differences #1–#4)

• Blocks Unknown Attacks
• Minimal Cost of Prevention
• Instantaneous Prevention
• 100% Accurate (no false positives, confidence to block)

Page 14

Time to Prevention Without ActiveScout

[Timeline diagram, left to right: New vulnerabilities (hundreds/month) → Exploit is known to security community → Spida spreads → Spida detected → Protection offered → Protection available]

Window of Vulnerability
Time to Protection – Days/Weeks/Months/Never?

Page 15

Instantaneous Prevention With ActiveScout

[Timeline diagram, left to right: New vulnerabilities (hundreds/month) → Exploit is known to security community → Spida spreads → Spida detected → Protection offered → Protection available]

Time to Protection – Immediate
Window of Vulnerability – Zero

Page 16

State of Security Today

[Diagram: Internet; Intranet Security]

Intranet Security: Myriad of security products (HIDS, NIDS, anti-virus)

Page 17

State of Security Today

[Diagram: Internet; Firewall; Intranet Security]

Firewall: Provides robust static prevention according to predefined policies
Intranet Security: Myriad of security products (HIDS, NIDS, anti-virus)

Page 18

Instantaneous Prevention

[Diagram: Internet; ActiveScout; Firewall; Intranet Security]

ActiveScout: Prevents intrusions from known and unknown threats in front of the firewall
Firewall: Provides robust static prevention according to predefined policies
Intranet Security: Myriad of security products (HIDS, NIDS, anti-virus)

Page 19

The ActiveScout Difference (Differences #1–#4)

• Minimal Cost of Prevention
• Instantaneous Prevention
• Blocks Unknown Attacks
• 100% Accurate (no false positives, confidence to block)

Page 20

ActiveScout Minimal Cost of Prevention

Actions compared (Legacy Systems vs. ActiveScout):
• Analysis of alerts
• Correlation analysis
• Policy tuning
• Fix the damage
• Installation
• Software updates
• Signature updates
• Write your own signature

Investment: $$$$$$$$$$

Page 21

The ActiveScout Difference

                      Conventional Systems     ActiveScout
False Alarm Rate      30%-60%                  0%
Time to Prevention    Days, Months, Years      0%
Cost of Prevention    $$$$$$$                  $

Page 22

ForeScout’s Intrusion Prevention Solutions

ActiveScout Site Solution
• Precisely identifies and then blocks attackers at a single internet access point with zero false alarms.

ActiveScout Enterprise Solution
• Precisely identifies and then blocks attackers with zero false alarms across a large enterprise.
• Enterprise Manager: Provides centralized management of all Scouts deployed
• Enterprise Heads-Up: Thwarts the rapid spread of attacks from one internet access point to the next.

Page 23

ActiveScout Site Solution

Intrusion Prevention for Each Internet Access Point

[Diagram: Internet → Router → Firewall → Enterprise; Scout and Site Manager at the access point]

Page 24

ActiveScout Enterprise Solution

• Protects an entire enterprise
• Centralized viewing of all attack activity around the world
• Centralized management of groups of Scouts
• Ability to push new software updates to remote Scouts

Page 25

ActiveScout Enterprise Solution

Intrusion Prevention for Multiple Internet Access Points

[Diagram: Internet; Scout and Site Manager at each access point; Management Server with Enterprise Manager]

Page 26

Enterprise Heads-Up

• Enterprise deployments only
• Immediate sharing of threat information across multiple Scouts to assure proactive prevention across the enterprise
• Provides the fastest way to protect from new attacks traversing the internet

Page 27

Enterprise Heads-Up

Step 1. Attacker detected by New York Scout
Step 2. Attack information immediately sent to Management Server
Step 3. San Francisco Scout ready to block attacker

[Diagram: New York Scout, San Francisco Scout, Management Server]
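The three Heads-Up steps on Pages 26–27 as a small message-passing simulation: one scout detects, the Management Server relays, the other scouts are ready to block before the attacker reaches them. This is an added example, not ForeScout's code and not the product's protocol; `HeadsUpScout`, `ManagementServer`, the message format and the sites in `run_heads_up_demo` are all constructed for illustration. The stand-alone scout models the Site Solution, which the deck says does not receive Heads-Up.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HeadsUpScout:
    """Hypothetical scout at one internet access point (illustrative, not the product's API)."""
    site: str
    server: Optional["ManagementServer"] = None  # None models the stand-alone Site Solution
    blocked: set = field(default_factory=set)
    received: list = field(default_factory=list)  # heads-up messages this scout acted on

    def report_attacker(self, attacker_ip: str) -> dict:
        """Step 1: this scout has identified an attacker. It blocks locally and,
        if enrolled with a Management Server, sends the attack information on (step 2)."""
        self.blocked.add(attacker_ip)
        message = {"origin": self.site, "attacker": attacker_ip}
        if self.server is not None:
            self.server.receive(message)
        return message

    def apply_heads_up(self, message: dict) -> None:
        """Step 3: pre-emptively block an attacker that another site reported."""
        self.blocked.add(message["attacker"])
        self.received.append(message)

    def decide(self, src_ip: str) -> str:
        return "BLOCK" if src_ip in self.blocked else "ALLOW"


@dataclass
class ManagementServer:
    """Hypothetical central server that relays each report to every other scout once."""
    scouts: list = field(default_factory=list)
    log: list = field(default_factory=list)
    _seen: set = field(default_factory=set)   # (origin, attacker) pairs already relayed

    def register(self, scout: HeadsUpScout) -> None:
        scout.server = self
        self.scouts.append(scout)

    def receive(self, message: dict) -> int:
        """Step 2: record the report and fan it out; returns how many scouts were notified.
        A repeated report of the same attacker from the same origin is not re-sent."""
        key = (message["origin"], message["attacker"])
        if key in self._seen:
            return 0
        self._seen.add(key)
        self.log.append(message)
        notified = 0
        for scout in self.scouts:
            if scout.site != message["origin"]:
                scout.apply_heads_up(message)
                notified += 1
        return notified


def run_heads_up_demo() -> dict:
    """Constructed scenario from the slide: New York sees the attacker, San Francisco
    is ready to block before the attacker ever reaches it; a stand-alone scout is not."""
    server = ManagementServer()
    new_york, san_francisco = HeadsUpScout("New York"), HeadsUpScout("San Francisco")
    standalone = HeadsUpScout("Chicago")           # constructed: Site Solution, not enrolled
    for scout in (new_york, san_francisco):
        server.register(scout)
    attacker = "203.0.113.9"                       # constructed, documentation-range IP
    sf_before = san_francisco.decide(attacker)
    new_york.report_attacker(attacker)
    new_york.report_attacker(attacker)             # repeated report, relayed only once
    return {
        "sf_before": sf_before,
        "sf_after": san_francisco.decide(attacker),
        "standalone_after": standalone.decide(attacker),
        "sf_heads_up_count": len(san_francisco.received),
        "server_log_count": len(server.log),
        "heads_up_origin": san_francisco.received[0]["origin"],
    }


if __name__ == "__main__":
    print(run_heads_up_demo())
```

The value of the relay is the gap between `sf_before` and `sf_after`: San Francisco never had to observe the attacker itself. The deduplication in `receive` is the detail a practitioner adds first, since every scout that blocks the same source would otherwise re-trigger a fan-out to all the others.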

Page 28

Summary

• Accurate Identification
• Zero False Positives
• Block Known and Unknown Attacks
• Instantaneous Prevention
• Minimal Cost of Prevention

Page 29

ForeScout Technologies, Inc.
2755 Campus Drive, Suite 115
San Mateo, CA 94403
(650) 358-5580
www.forescout.com

Ayelet Steinitz
Product Manager, ActiveScout
Tel. (650)
[email protected]