Slide 1: NAC 101 – Transforming Network Security through Visibility, Control and Response
Sanjit Shah, VP BD & Marketing

Speaker notes: Hello and welcome to today's session on Network Access Control 101, transforming network security through visibility, control and response. My name is Sanjit Shah, and in this session I'll discuss how far NAC has come over the years and how it has become a foundational piece for achieving a comprehensive security posture. Maybe the title should have been NAC 501 or Redefining NAC. Before moving on, let me see a show of hands: how many in the audience have NAC deployed in their network today? How many are planning to deploy in the next 12 months?
Slide 2: Agenda
- Company Overview
- Market Trends
- Enterprise Security Challenges
- Solution Ecosystem
- Summary

Speaker notes: So, the agenda for the presentation is as shown.
Slide 3: Company Overview

Bradford's Mission: Bradford Networks is leading the evolution of Network Access Control to Security Automation & Orchestration by providing End-to-end Visibility, Dynamic Access Control and Automated Threat Response.

Company Highlights:
- Corporate: Venture funded private company with HQ in Boston
- Use Cases: Onboarding, Network lockdown, NAC, Compliance, Analytics, Network Segmentation, Guest Management, Threat Response, etc.
- Deployment: Appliances, VM, Cloud
- Integration: SmartEdge Platform with REST API
- Go-To-Market: Value Added Resellers & Distributors
- Customers: 1000+ in 25+ countries
- Verticals: Finance, Healthcare, Hospitality, Retail, Education, Utilities, Gov
- Market Validation: Gartner MQ Visionary; 5 Star rating from SC Magazine

Speaker notes: So, first, our mission and positioning statement: Bradford Networks is leading the evolution of Network Access Control to Security Automation & Orchestration. Company highlights: we are a venture funded technology company based out of Boston. Our foundational technologies address various use cases, and you'll see that NAC is simply a use case, not the complete offering. Our product architecture gives you the flexibility of deploying the solution on premises via VMs and appliances, or in the cloud. We integrate with third-party products to leverage "indicators of trust" before onboarding endpoints and "indicators of compromise" after onboarding endpoints. We are available in 25+ countries through value added resellers and distributors, with 1000+ customers in more than 25 countries across various verticals. We've had a number of accolades from the analyst community and trade publications.
Slide 4: Agenda (section: Market Trends)

Speaker notes: So, let's first discuss the market trends that have profoundly realigned the way in which security challenges are now being addressed.
Slide 5: Ever Expanding Attack Surface
Diagram: Your Business at the center, surrounded by Users, BYOD, Guests, Suppliers, Partners, Consultants, Parent Company and Internet of Things.

Speaker notes: Ok, so let's talk about the ever expanding attack surface. Here is your business situation as it pertains to the corporate network. Up until a few years ago, all you had to worry about, and give network access to, was your corporate users and your corporate assets such as desktops, laptops and IP phones. There was no guest access and very limited BYOD, reserved for the executives. Times have now changed. Now guests, suppliers, partners and consultants all demand some sort of access to your network for collaboration and productivity reasons. And then your corporate users want to bring their own devices and use them to increase productivity at work and at home. Add IoT devices like surveillance cameras, industrial controllers, etc. that are being deployed en masse, and what you have is a potential cyber attack surface that has suddenly expanded and will continue to expand at a rapid pace. It's a simple equation: more connected endpoints means more opportunities for compromise. This transformation is driven by technological shifts such as high speed internet pipes and public/private/hybrid clouds, which have put BYOD on steroids and have led to the adoption of IoT.
Slide 6: Tsunami of Internet of Things (IoT)
- Corporate: Good Protection, Good Context
- BYOD: Moderate Protection, Moderate Context
- Internet of Things: Limited Protection, Limited Context
By 2020: 25 billion devices, from 4 billion in 2014; 25% of attacks will involve IoT devices.

Speaker notes: But wait, there's more. We have a world that is moving from corporate devices with good protection, to BYOD with moderate protection, to IoT with the least amount of protection. The issue of minimizing containment time will get even more critical with the Internet of Things because of the lack of context and visibility for these billions of IP devices. In order to contain IoT devices, there will be even more need for context and actionable alerts if one of these devices is compromised, and it will need to be done without an agent. Stats: there will be roughly 25 billion connected things by 2020, greater than 600% growth from the 2014 number. By 2020, over 25% of identified attacks in enterprises will involve IoT, though IoT will account for less than 10% of IT security budgets.
Slide 7: Security Problem Growing
Today -> 2020:
- Connected "things": 6.4 billion -> 21 billion
- Breaches: 11 million records compromised in June 2016 -> breaches will affect over 1.5 billion people
- Time to detect an external breach: 205 days -> no decline in sight
- Cyber crime cost: $3 trillion -> $6 trillion
- Open security positions: 1 million -> 1.5 million
The true challenge: it only takes one open port, unknown device or uncontained threat.

Speaker notes: This slide gives a snapshot of what we'll be facing in terms of security challenges as a result of the trends discussed in the prior slides. If you distill the data points, what you need to realize is that it will take only one open port, or an unknown device, or an uncontained threat to cause significant damage to your organization's brand and reputation.
– Company Confidential –
Slide 8: Agenda (section: Enterprise Security Challenges)

Speaker notes: Let's now look at specific security challenges faced by enterprises.
Slide 9: Endpoints are Easy Targets for Hackers
- Malicious websites, also known as "drive by downloads"
- Malicious attachments in emails, via techniques such as spear-phishing
- External storage devices such as thumb drives

Speaker notes: The sophisticated cyber criminals that are targeting specific individuals and organizations know that the path of least resistance is the soft underbelly of the endpoint device, which can be compromised via malicious websites ("drive by downloads"), malicious email attachments delivered through techniques such as spear-phishing, and external storage devices such as thumb drives. All it takes is one single vulnerable or compromised endpoint with legitimate credentials for network access, and hackers can really start causing damage, because from there on it's simply a matter of malware moving laterally to other endpoints, servers and controllers. A lot of organizations have the security tools in place to find these compromised endpoints and alert the IT teams, but what they lack is a quick and decisive response to those alerts.
Slide 10: Threat Detection & Response
Timeline: Breach -> threat undetected (3 months, 6 months, 9 months) -> Detection -> Threat response (? days)
205 Days: median number of days attackers are present on a victim network before detection. Source: 2015 M-Trends Report

Speaker notes: And to build on the prior slide, here is the reality of the situation. Attackers usually have months of access before the electronic footprint of malware is detected. And when they have access for so long, they can penetrate deeper and move laterally to steal additional credentials, lie low, and have enough time to cover their tracks after exfiltration of sensitive information. We are still not out of the woods once the malware is discovered. Another challenge looms: the actual containment and response to that threat, because of the manual processes involved in locating and containing compromised endpoints.
Slide 11: Threat Containment Challenges
- Too Many Security Events
- Silos of Information
- Gap Between SOC & NOC

Speaker notes: Why is threat containment challenging? First, there is no easy process to convert thousands and thousands of security events into actionable security alerts with low false positives. Second, it's common in many organizations for various functional groups to be partially responsible for security; not having full responsibility for security complicates the workflow between the teams, which essentially creates the silos and the gap between the SOC and the NOC. What it means is that even if a breach is uncovered by the SOC, tying that to a specific endpoint, locating it and containing it is a function of the NOC. And typically this involves manual steps that are error-prone in nature.
Slide 12: Manual Threat Containment
1. Compromised endpoint attempts to call home (Command & Control Server, Internet)
2. Firewall, IPS, Anti-Bot, Sandbox: callback blocked
3. Security Operation Center (SOC): review events
4. Review logs
5. Analyze data
6. Incident response: contact NOC
7. Network Operation Center (NOC): detect host location
8. Determine device criticality
9. Isolate/contain host (switch)
Result: long threat containment timeline

Speaker notes: To visualize the threat containment challenges, let's look at a manual threat containment process that's expensive and time-consuming. A compromised system connects to the corporate network and attempts to call a C&C server. The firewall or threat detection platform blocks the callback. Someone in the Security Operation Center (SOC) reviews the security events and discovers the block. They then review the logs from a variety of disparate systems. The data is then analyzed and the logs are correlated. The Network Operation Center (NOC) is then contacted to take over the investigation. The person at the NOC investigates and detects the location of the compromised endpoint. Then they determine the endpoint's criticality. Based on that, an action is taken to disconnect or isolate the host. The result here is a long threat containment time due to the difficulty of tracing the endpoint and its context across multiple IT domains.
Slide 13: Agenda (section: Solution Ecosystem)

Speaker notes: So, hopefully I've laid out the security challenges facing the organization succinctly. By the way, this has little to do with your deployed firewall, IPS/IDS, etc. It has everything to do with addressing full visibility, controlling access, and engaging in rapid response.
Slide 14: Network Security Technology Evolution
Chart: Evolution of NAC (axes: Capabilities / Market Reach)
- NAC 1.0 – Safe Onboarding: Enable Scalable On-boarding; Ensure Safe Devices
- NAC 2.0 – BYOD: Enable Safe Network Provisioning; Guest Management
- Security Automation & Orchestration: Rapid Security Events Triage; Reduce Threat Containment Time

Speaker notes: So, how do we get from being just a "NAC" provider to helping enterprises automate and orchestrate certain aspects of security? For that, let's look at the evolution of NAC and how it has become critical for achieving a comprehensive security posture. Network Access Control has gone through an evolution of market drivers and use cases that are addressed by the same foundational technologies. The first use case was the scalable on-boarding of thousands of devices onto the network and providing complete network visibility. The second use case was to ensure that devices with the right software (A/V version) were on-boarded, to address compliance mandates. The third use case was to address the BYOD trend: to onboard personally owned devices and provision appropriate network access to those devices. The fourth use case is to add contextual information to security events that are detected by third-party solutions. The fifth use case is to minimize the threat containment time by having an automated response following the detection of a threat.
Slide 15: 3 Keys to Comprehensive Network Security
- Visibility: Endpoints, Users, Applications; Network Infrastructure; Current & historical state. Result: Know the Unknowns
- Control: Contextual policy management; Risk assessment & mitigation; Dynamic network access control. Result: Auto Adjusting Controls
- Response: Rapid security events triage; Granular containment options; IR work-flow integrations. Result: Containment in Seconds
- Analytics – Trending, Compliance, Forensics

Speaker notes: So, what we do with our Network Sentry offering is address these three key aspects of network security, focused on certain best practices and use cases that are independent of your deployed firewall, IPS/IDS, endpoint security, etc. The primary goal behind "end-to-end" visibility is knowing the unknowns. You can't protect what you can't see, so that requires complete visibility into endpoints, users, applications, network devices, etc. Second, you need the ability to adjust network access controls dynamically to support the movement of endpoint devices. Third, detection is only half the story. The real question after detecting malware's electronic footprint is "now what", "what can we do about it".
Slide 16: Visibility – Heterogeneous Network
Network devices: Switch, Router, Access Point, VPN Concentrator, Firewall, SIEM, IDS/IPS
Protocols used to communicate with them: SNMP, CLI, RADIUS, Syslog, API

Speaker notes: Diving into visibility, Network Sentry can discover and communicate with every network device using SNMP, CLI, RADIUS, native API, etc. This helps us establish policy-based network access control for each endpoint requesting network access. Information received from the networking infrastructure allows Network Sentry to create a live inventory of network connections (next slide).
Slide 17: Visibility – Endpoint, Users, Applications
Live Inventory of Network Connections: Who, What, Where, When
Sites: Houston, Dallas, Austin, VPN

Speaker notes: So, what is this live inventory of network connections? From a central location we can access all the sites and pull in information about all the networking gear, the users (such as employees, contractors, etc.), the devices, applications and operating systems, and also the allowed connection times. These parameters are essentially the foundation of the policy that is used to establish "trust". For example, a doctor can be given access to a medical application from a mobile device as long as it's not jail-broken, is not running Dropbox and has a Mobile Device Management software client, and the access can be granted based on the time of day. Another side note here is that not only can we place users into their proper network segment or VLAN, but we can place devices into their proper VLAN across the entire network. We can put printers in the printer VLAN, phones in the phone VLAN, card readers into their proper VLAN, and so forth.
Slide 18: Control – Dynamic Network Access
Flow: Identify User -> Identify Device -> Assess Risk -> Assign Network Access
Access levels: No Access, Guest Access, Restricted Access, Unrestricted Access

Speaker notes: Now we come to the "Control" aspect of the solution. This starts with identifying the user, profiling the device, and knowing the apps on the device, in order to assess the risk or trust level of the user and the device. Then, based on that, different levels of access can be controlled. So, for example, if an untrusted device joins the network, there would be no access. If a guest joins, they are redirected to a guest portal for authentication. If a contractor joins the network, they'd be given restricted access. And the management team of the company, obviously, would have full unrestricted access. This in essence dynamically segments the network so that specific users get the access required by the organization based on who they are.
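The following is an added example, not Bradford Networks' or Network Sentry's code, showing the "identify user, identify device, assess risk, assign network access" flow from this slide and the doctor, printer and phone cases from the previous one as a small policy engine. The roles, VLAN names, the clinical access window, the forbidden-app list and the `decide` helper are all constructed assumptions for illustration.

```python
"""Added example (not Network Sentry code): a policy engine that maps
user role + device profile + time of day to an access level and VLAN.
Roles, VLAN names, app names and time windows are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional, Set, Tuple

# Access levels as named on the slide.
NO_ACCESS = "no_access"
GUEST_ACCESS = "guest_access"
RESTRICTED_ACCESS = "restricted_access"
UNRESTRICTED_ACCESS = "unrestricted_access"


@dataclass
class Device:
    mac: str
    kind: str                        # "laptop", "mobile", "printer", "phone", "unknown"
    jailbroken: bool = False
    mdm_enrolled: bool = False       # has a Mobile Device Management client
    apps: Set[str] = field(default_factory=set)


@dataclass
class Session:
    user: Optional[str]              # None for headless devices with no authenticated user
    role: str                        # "employee", "contractor", "management", "doctor", "guest", "unknown"
    device: Device
    connect_time: time


# Assumed device-class VLANs: headless devices are segmented by what they are.
DEVICE_VLANS = {"printer": "VLAN-Printers", "phone": "VLAN-Phones"}
# Assumed access window for the clinical application example.
CLINICAL_WINDOW = (time(6, 0), time(22, 0))
FORBIDDEN_APPS = {"dropbox"}


def assess_risk(device: Device) -> List[str]:
    """Collect risk findings from the device profile; an empty list means trusted."""
    findings = []
    if device.jailbroken:
        findings.append("jailbroken")
    if device.kind == "mobile" and not device.mdm_enrolled:
        findings.append("no_mdm_client")
    for app in sorted(device.apps & FORBIDDEN_APPS):
        findings.append("forbidden_app:" + app)
    return findings


def assign_access(session: Session) -> Tuple[str, str, List[str]]:
    """Return (access level, VLAN, risk findings) for a connecting endpoint."""
    dev = session.device
    # Known headless device classes go to their device VLAN regardless of user.
    if dev.kind in DEVICE_VLANS and session.user is None:
        return RESTRICTED_ACCESS, DEVICE_VLANS[dev.kind], []
    findings = assess_risk(dev)
    # Untrusted: unknown user, unknown device type, or a jailbroken device.
    if session.role == "unknown" or dev.kind == "unknown" or "jailbroken" in findings:
        return NO_ACCESS, "VLAN-Isolation", findings
    if session.role == "guest":
        return GUEST_ACCESS, "VLAN-Guest", findings        # redirected to the guest portal
    if session.role == "contractor":
        return RESTRICTED_ACCESS, "VLAN-Contractor", findings
    if session.role == "doctor":
        start, end = CLINICAL_WINDOW
        in_window = start <= session.connect_time <= end
        if findings or not in_window:
            return RESTRICTED_ACCESS, "VLAN-Staff", findings
        return UNRESTRICTED_ACCESS, "VLAN-Clinical", findings
    # Employees and management: full access only with a clean device profile.
    if findings:
        return RESTRICTED_ACCESS, "VLAN-Remediation", findings
    return UNRESTRICTED_ACCESS, "VLAN-Corporate", findings


def decide(role, kind, hour=9, user="user", jailbroken=False, mdm=False, apps=()):
    """Convenience wrapper that builds a Session from plain values."""
    dev = Device(mac="00:00:00:00:00:01", kind=kind, jailbroken=jailbroken,
                 mdm_enrolled=mdm, apps=set(apps))
    return assign_access(Session(user=user, role=role, device=dev,
                                 connect_time=time(hour, 0)))


if __name__ == "__main__":
    print(decide("doctor", "mobile", hour=9, mdm=True))                  # unrestricted, VLAN-Clinical
    print(decide("doctor", "mobile", hour=9, mdm=True, apps=["dropbox"]))  # restricted, VLAN-Staff
    print(decide("unknown", "printer", user=None))                       # restricted, VLAN-Printers
```

The order of checks matters: device-class placement runs before any user logic so that a printer is never evaluated as a person, and the jailbreak check produces "no access" before role is considered, so a trusted role cannot override a compromised device.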
Slide 19: Response – Automated
1. Compromised endpoint attempts to call home (Command & Control Server, Internet)
2. Firewall, IPS, Anti-Bot, Sandbox (SOC): callback blocked
3. Alerts Network Sentry of compromised endpoint
4. Bradford Networks' Network Sentry events correlation engine (Who, What, Where, When) -> Threat Response: isolate/contain endpoint (switch, NOC)
Result: short threat containment time

Speaker notes: And now to the final piece of the puzzle: automated threat response. Let's take a look at the same security breach with Network Sentry's automated threat response. A compromised endpoint connects to the corporate network and attempts to call the C&C server. A third-party threat detection solution blocks the callback and sends an alert to Network Sentry. Network Sentry, through integration with these security solutions, understands the security event severity and takes an automated action of isolating the host, which minimizes the threat response time from days to seconds. Now, this does not have to be automated from day one. We offer an "easy button" to take action while monitoring it, and when you feel comfortable with the action, it can be automated.
Slide 20: Response – Options
Pipeline: Visibility -> Control -> Response
Cyber Security Defense -> Security Events -> Correlation / Context -> Security Alerts (Indicators of Compromise)
Response options: Restrict Access; Execute a Script; Context-Aware Email/Text; Click-To Restore
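As an added example (not Network Sentry code), the following contrasts the manual containment workflow of slide 12 with the automated one of slides 19 and 20: a "callback blocked" event from a third-party firewall is correlated against a live inventory of network connections to attach who/what/where/when context, device criticality is checked, and one of the response options listed on this slide is selected. Monitoring mode stands in for the "easy button" in the speaker notes. The log line format, the inventory records, the criticality tiers and the action names are constructed assumptions.

```python
"""Added example (not Network Sentry code): correlate a blocked-callback alert
with a live inventory of connections and choose a response option.
The log format, inventory entries and action names are constructed."""
import re
from typing import Dict, List, Optional

# Constructed live inventory (who / what / where / when), keyed by endpoint IP.
INVENTORY: Dict[str, Dict] = {
    "10.20.5.17": {"mac": "00:11:22:33:44:55", "user": "jsmith",
                   "device": "Windows 10 laptop", "site": "Dallas",
                   "switch": "dal-sw-03", "port": "Gi1/0/12",
                   "criticality": "standard",
                   "connected_since": "2016-06-14T08:02:00"},
    "10.20.7.40": {"mac": "00:11:22:33:44:66", "user": None,
                   "device": "Patient monitor (IoT)", "site": "Houston",
                   "switch": "hou-sw-01", "port": "Gi1/0/3",
                   "criticality": "life_safety",
                   "connected_since": "2016-05-30T12:00:00"},
}

# Constructed firewall/IPS alert format (key=value fields).
ALERT_RE = re.compile(
    r"action=blocked src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"severity=(?P<sev>\w+) threat=(?P<threat>\S+)")


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Turn one raw security event into fields; None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def correlate(alert: Dict[str, str], inventory=INVENTORY) -> Optional[Dict]:
    """Attach endpoint context to the event. This replaces the manual
    'review logs, analyze data, contact NOC, locate host' steps."""
    ctx = inventory.get(alert["src"])
    if ctx is None:
        return None            # the "unknown device" case
    return {**alert, **ctx}


def choose_response(event: Dict, automated: bool) -> List[str]:
    """Select response options (slide 20) from severity and device criticality."""
    actions = []
    if event["criticality"] == "life_safety":
        # Never auto-isolate a life-safety device: deliver context to people instead.
        actions.append("email_text:context_aware_alert")
        actions.append("execute_script:open_clinical_engineering_ticket")
        return actions
    if event["sev"] in ("high", "critical"):
        if automated:
            actions.append("restrict_access:isolation_vlan")
        else:
            # Monitoring mode: the operator confirms with one click.
            actions.append("click_to_restrict:pending_operator")
    actions.append("email_text:context_aware_alert")
    return actions


def handle(line: str, automated: bool = False) -> Optional[Dict]:
    """Full path: raw event -> correlated alert -> chosen actions."""
    alert = parse_alert(line)
    if alert is None:
        return None
    event = correlate(alert)
    if event is None:
        return {"src": alert["src"], "actions": ["email_text:endpoint_not_in_inventory"]}
    return {**event, "actions": choose_response(event, automated)}


# Constructed sample events, as a firewall might send them over syslog.
SAMPLE_EVENTS = [
    "Jun 14 09:15:02 fw1 action=blocked src=10.20.5.17 dst=203.0.113.9 severity=high threat=C2.Beacon",
    "Jun 14 09:16:40 fw1 action=blocked src=10.20.7.40 dst=203.0.113.9 severity=high threat=C2.Beacon",
    "Jun 14 09:17:01 fw1 action=blocked src=10.99.0.5 dst=203.0.113.9 severity=low threat=Scanner",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(handle(line, automated=True))
```

Correlation turns a bare source IP into a switch, port, user and device in a single lookup, which is what collapses the containment time; the criticality check is what keeps an automated isolation from disconnecting a device whose availability matters more than the alert.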
Slide 21: Agenda (section: Solution Ecosystem)

Speaker notes: Here is the agenda.
Slide 22: Robust Partner Ecosystem
Indicators of Trust / Indicators of Compromise: partnerships with leading technology vendors to establish "trust" and mitigate "risk" of connected devices.
Slide 23: Agenda (section: Summary)

Speaker notes: Here is the agenda.
Slide 24: Summary – 3 Keys
Endpoint & Network Visibility; Dynamic Network Access Control; Automated Threat Response
- Trends: The attack surface is expanding rapidly and a strong perimeter defense no longer offers complete protection.
- Lifecycle: Organizations need to address the entire security lifecycle to adequately protect their digital assets and intellectual property.
- 3 Keys: By utilizing Visibility, Control and Response, you can limit the connections of unknown rogue devices on your network and respond within seconds to known threats.
- Best Practice: These are the best practices to shrink your attack surface and secure your network as it evolves.
Slide 25: Trusted by Companies Worldwide…
Verticals: Retail, Healthcare/Biotech, Financial Services, Education, Government/Defense, Technology, Utilities, Energy, Insurance, Manufacturing, Media/Entertainment, Real Estate, Transportation, Hospitality
Slide 26: Call to Action
- Request Slides / Ask Questions: Info@bradfordnetworks.com
- Success Stories: bradfordnetworks.com/resources
- Free Network & Endpoint Inventory (ESX or Hyper-V / SNMP Read Only): ggenta@bradfordnetworks.com

Speaker notes: Thanks for coming! If you would like more information you can reach out to us via email or on our web page. We also offer a free Network and Endpoint Inventory Report for your network. If you are interested, please come talk to us at the booth, send an email, or call us.