It’s Not Your Father’s NAC: Next-generation NAC

Presentation transcript:

It’s Not Your Father’s NAC: Next-generation NAC
(Speaker note: This presentation is designed for the IANS events. Script follows.)

Good morning. My name is _______. Today I want to present to you an architecture for continuous monitoring and mitigation.

InfoSec Trends – Continuous Monitoring and Response
Challenges:
Information security doesn't have the continuous visibility it needs to detect advanced attacks
Detective, preventive, response and predictive capabilities from vendors have been delivered in non-integrated silos, increasing costs and decreasing effectiveness
Recommendations:
Shift your security mindset from "incident response" to "continuous response"
Favor context-aware network, endpoint and application security protection platforms …
Architect for comprehensive, continuous monitoring at all layers of the IT stack…

This subject has been receiving a lot of attention in the press and from market analysts. For example, Gartner very recently released a report about how to design a security architecture that protects you from advanced attacks, and that report complained about two common challenges that enterprises face: First, enterprises don’t have continuous visibility into what is going on in their networks, and second, many of the security products exist in non-integrated silos. This increases costs and decreases effectiveness.

[CLICK TO ADVANCE]

In that report, Gartner included several recommendations, and here are three that are pertinent to today’s discussion: First, shift your mindset from incident response to continuous response. Second, favor context-aware security platforms. And third, architect your security environment for comprehensive, continuous monitoring of all layers of the IT stack. Now try to remember this slide, because I’m going to drill down on everything here over the next 15 minutes, give you our viewpoint and talk with you about a continuous monitoring and response architecture that you can deploy. Let me start with those challenges – visibility and lack of integration.

Source: Gartner, Inc. “Designing an Adaptive Security Architecture for Protection From Advanced Attacks”, February 2014, MacDonald, Firstbrook

Continuous Monitoring & Mitigation Challenges
Inadequate Visibility: Transient Devices; BYOD Devices; Broken Managed Devices
Inadequate Collaboration: MDM; VA; Patch; APT
Detection-Mitigation Gap

The first challenge is inadequate visibility. What causes this? There are three common causes. The first is that of TRANSIENT DEVICES -- devices that show up on your network once a week, or maybe once a month. These could be PHYSICAL or VIRTUAL devices. A second problem is that of BYOD devices. You might have a Mobile Device Management system to help you control these devices. But MDM systems can’t see devices that have not yet been enrolled in the MDM system, so you have a visibility gap on your network. A third cause of the visibility problem is broken managed devices – stuff that you own that isn’t working right. The management agent is not working, or something similar.

--- [CLICK TO ADVANCE] ---

The second enterprise security challenge that Gartner talks about is that of inadequate collaboration among your various security controls. You likely have every one of the security systems shown here. This is standard practice – it’s called “DEFENSE IN DEPTH”. The problem is that many of these IT systems operate as SILOS. They don’t collaborate with each other. They operate with limited context. One system doesn’t know what the other systems know. This limits the effectiveness of these systems.

The third major challenge is what we call the “DETECTION – MITIGATION GAP”. This happens when you have an IT security system that detects a problem but cannot mitigate the fault. The mitigation is not automated; it is manual. For example, consider an APT detection system. These systems are really good at detecting APTs, but they are not so good at mitigation. They might block the data from leaving your network, but they are not designed to quarantine the infected system or to clean up the infection. That’s just an example of one type of APT system that I know of (FireEye). Another example of the detection-mitigation gap is SIEM. Most SIEMs do a great job of spitting out reports; they say “Here are all the risks on your network!”, but they leave it up to you to mitigate the risk. There is no automation. So these are the things Gartner was talking about on the previous slide. What are the impacts of these 3 problems to your business?

Impacts to the Enterprise
Greater IT Security Risks (+ IT Risks): Rogue devices; System breach; Data leakage; Compliance violation
Greater IT Costs (+ IT Costs $): Investigation; Mitigation

Obviously the first impact is increased risk. You can’t secure what you can’t see, and without adequate visibility you have rogue devices on your network, you have non-compliant devices that get infected. You suffer the risk of data loss, and you suffer compliance violations and penalties.

--- [CLICK TO ADVANCE] ---

You’re also going to have higher costs because of all the manual processes that you need to initiate. Who wants to do that? I don’t know of any company that wants to operate with silos, and without automation. It is inefficient, and it drives up costs.

Desired State
Real-time Visibility + Coordinated Controls
Systems shown: Ticketing; Remediation; Systems Management; Endpoint Security; Wireless; SIEM; Switches; MDM; AAA; Vulnerability

What Gartner says you really want, and which we believe is 100% true, is real-time visibility to everything on your network -- all the devices, all the applications, all the risks –

[CLICK TO ADVANCE]

and you also want more coordinated controls. You want your IT systems to talk with one another, make smarter decisions, work with more automation. This is what a next-generation NAC product can do for you. It contains all the characteristics that Gartner was talking about on that first slide. Let me show you how this works.

Real-time Network Asset Intelligence
Complete Situational Awareness

We call this “Real-time Network Asset Intelligence”. This is a screenshot of ForeScout CounterACT. That is the name of our product. We give you both high-level and low-level information about everything on your network. Let me show you.

Architecture for Real-Time Visibility

What do you need to do in order to obtain an architecture for real-time visibility?

Architecture for Real-Time Visibility
1) Monitor the network: Span port / TAP
WHAT? IP Address; OS; Browser; Agent; Ports/Protocols

You start by monitoring your network in real time by hooking into a SPAN or TAP port on your switch. That gives you real-time information about devices joining your network. What is the device on my network?

Architecture for Real-Time Visibility
2) Interrogate the Device
Health? Apps; Services; Processes; Registry; Patches; Encryption; Antivirus
(builds on 1) Span port / TAP – WHAT? IP Address; OS; Browser; Agent; Ports/Protocols)

Then we add the ability to interrogate each device to learn its health. What apps are on the device? What services are running? What processes?

Architecture for Real-Time Visibility
3) Leverage your infrastructure (SNMP reads, LDAP, switches, wireless, VPN, etc.)
WHO? User Name; Email; Title; Groups
WHERE? Controller IP; SSID; VLAN
(builds on 1) Span port / TAP – WHAT? IP Address; OS; Browser; Agent; Ports/Protocols, and 2) Interrogate the Device – Health? Apps; Services; Processes; Registry; Patches; Encryption; Antivirus)

Then we leverage the rest of your infrastructure, such as your LDAP server, the CAM tables in your switches, your VPN controllers, etc., to give you contextual information. Where is each device? Who is logged into each device?

Architecture for Real-Time Visibility... and Control
Control at Device: Alert the End User; Auto-Remediate
Control w/Traffic: HTTP Guest Registration; HTTP Alerting; IPS; Virtual Firewall
Control w/Architecture: Dynamic ACL (SSH or Telnet); VLAN Change (SNMP Write); Shut off a port (SNMP Write); Push information to SIEM
(builds on the visibility layers 1) Span port / TAP – WHAT?, 2) Interrogate the Device – Health?, and 3) Leverage your infrastructure – WHO? and WHERE?)

And on top of all that, we add control. We can control devices themselves with a range of controls, such as alert the user, or fix problems on the endpoint when we find them. And we can also control at the network level. If the user is not an employee, we can register him as a guest on the network. We can quarantine devices as needed, either with built-in technologies such as what we call a virtual firewall, or by leveraging your existing network architecture. We can modify the ACLs on your switches, or send a command to change an endpoint from one VLAN to another. And we can directly disable switch ports when needed.

Taking Visibility and Control to the Next Level
Capabilities by layer (slide columns: Management, Control):
User Behavior: Policy violations; Audited responses; Trouble ticket requests; User notification; User “signed” acceptance; Self-remediation; Worm quarantine; User hacking prevention
User Information: User name; Authentication status; Group membership; Role-based policy; Multiple guest policies; Guest access; Role-based quarantine
Applications: Application installed, running; Registry values; Compliance reporting; Application whitelist; Software remediation; Application blocking; Application enforcement
Operating Systems: OS fingerprint (patch, services); Antivirus reporting; Vulnerability awareness; Patch management; Antivirus updates; Process blocking; Registry locking
Device / Peripherals: Device type; IP address, MAC address; USB peripherals; Inventory management; Device-based policy; Data loss prevention; Shutdown, disable; Multi-home, 3G modem, USB blocking, worm prevention
Physical Layer: Switch, port, VLAN; Geographic location; Number devices on port; Role-based access; Policy-based firewall; VPN status; Port control (802.1X, SNMP); ACL and VLAN

The end result of this architecture is complete, real-time visibility of everything on your network, from the physical layer to the operating system, to applications, to users, and even to user behavior. You can build security policies around each of these areas. Note that we can do all of these things for any device on the network. It does not need to be a device owned by your organization. It can be the device owned by a visitor or a contractor. And we do all this from a single network appliance.

Information Exchange and Response Automation
Continuous Monitoring and Mitigation – Intelligence Exchange, with Next-Gen NAC at the center
Domains: Asset Management; Risk Management; Network Operations
Integrated systems: Security Gateway; GRC; AAA; SIEM; NGFW / VPN; VA/DLP; System Management; MDM / MAM; Host Controls

Now the second part of the solution that Gartner talks about is an architecture for sharing information and automating responses. Next-generation NAC products have this ability. Not only is information shared, but actions can be triggered and automated. You move from a model of periodic scanning and patching to one of CONTINUOUS MONITORING and REMEDIATION. Through this integration, your existing systems are all able to trigger automated mitigation. This mitigation can be at the network level (to QUARANTINE a device) or at the endpoint level (to PATCH it, or to trigger a 3rd party system to patch the endpoint).

Use Case Example: Threat Management
Next-Gen NAC at the center. Questions: Is it authorized? Is it breached? Is it attacking? Responses: Quarantine; Remediate; Investigate

Let me give you an example of how this works. Let me talk about Threat Management. A Next-generation NAC appliance can gather information from a number of different sources, as shown here. Is the endpoint AUTHORIZED? Is the endpoint breached? Is the endpoint attacking your network? We take this information, then we automate your security controls. For example, FireEye can tell us that an endpoint has been infected, but FireEye can’t quarantine the endpoint or scan other endpoints to discover how far the APT has spread. So ForeScout can automate these actions.

Continuous Monitoring and Mitigation
Cycle around Next-Gen Network Access Control: Continuous Visibility; Endpoint Authentication & Inspection; Information Integration; Network Enforcement; Endpoint Mitigation

This is a more complete diagram of what you can achieve when you implement an architecture for continuous monitoring and mitigation. The cycle starts with continuous visibility. Then you determine if the device is something that you want on your network. Again, this is based on NAC at the center. This is the NAC product doing this. NAC can INSPECT the device for security problems. At that point, the NAC system shares the information with other systems you have on your network.

--- [CLICK TO ADVANCE] ---

Make them more informed, more aware, so they can make better and more timely decisions. For example, when we tell your vulnerability assessment system that a transient device has just come onto your network, that can automatically trigger your vulnerability scanner to scan the device. This closes a gap, makes your security more real-time. If your security policy dictates, we will perform NETWORK level controls, and we will also perform ENDPOINT MITIGATION. And we take inputs from your other systems. For example, if your SIEM detects an elevated risk, it can trigger us

--- [CLICK TO ADVANCE] ---

to remove the device from the network or to mitigate the risk on the endpoint. That is your architecture for continuous monitoring and mitigation. Let me show you a couple more quick examples.
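The monitor / interrogate / leverage-infrastructure pipeline from the visibility slides and the integration loop on this slide, as an added illustrative example written for this transcript (constructed here, not ForeScout or CounterACT code): device facts from passive discovery, endpoint interrogation and infrastructure lookups feed a small policy engine that records which network-level or endpoint-level control each event would trigger, and which accepts SIEM / threat-detection inputs that can only escalate a device's risk. The device names, MAC and IP values, action names and policy rules are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
RISK_ORDER = {"unknown": 0, "clean": 1, "elevated": 2, "breached": 3}  # severity ranking

@dataclass
class Device:
    mac: str
    ip: str = ""
    os: str = ""                    # WHAT: passive fingerprint from the SPAN/TAP feed
    user: str = ""                  # WHO: LDAP / AAA lookup
    switch_port: str = ""           # WHERE: switch CAM table read over SNMP
    managed: Optional[bool] = None  # None until the endpoint has been interrogated
    antivirus_ok: Optional[bool] = None
    risk: str = "unknown"           # raised by integrated systems (SIEM, ATD)

class NacEngine:
    def __init__(self):
        self.devices: dict[str, Device] = {}
        self.actions: list[tuple[str, str, str]] = []  # recorded, never executed

    def _act(self, mac, action, detail=""):
        if (mac, action, detail) not in self.actions:  # re-evaluation must not re-fire a control
            self.actions.append((mac, action, detail))

    def on_seen(self, mac, ip, os):  # 1) a frame from this MAC appeared on the SPAN/TAP port
        new = mac not in self.devices
        dev = self.devices.setdefault(mac, Device(mac))
        dev.ip, dev.os = ip, os
        if new:  # information integration: a transient device triggers a VA scan and a SIEM event
            self._act(mac, "trigger_va_scan", ip)
            self._act(mac, "push_to_siem", f"new device {ip} ({os})")
        self.evaluate(mac)

    def on_interrogated(self, mac, managed, antivirus_ok):  # 2) agentless health interrogation
        self.devices[mac].managed, self.devices[mac].antivirus_ok = managed, antivirus_ok
        self.evaluate(mac)

    def on_context(self, mac, user, switch_port):  # 3) context from LDAP and switch CAM tables
        self.devices[mac].user, self.devices[mac].switch_port = user, switch_port
        self.evaluate(mac)

    def on_risk(self, mac, source, level):  # input from SIEM or threat detection; risk only escalates
        dev = self.devices[mac]
        if RISK_ORDER[level] > RISK_ORDER[dev.risk]:
            dev.risk = level
        if level == "breached":  # ask the VA system how far the compromise may have spread
            for other in (d for d in self.devices.values() if d.mac != mac):
                self._act(other.mac, "trigger_va_scan", f"peer of breached {mac} ({source})")
        self.evaluate(mac)

    def evaluate(self, mac):  # policy: most severe condition wins; network-level control first
        dev = self.devices[mac]
        if dev.risk == "breached":
            self._act(mac, "vlan_change", f"quarantine VLAN via SNMP write, port {dev.switch_port or '?'}")
            self._act(mac, "auto_remediate", "run endpoint cleanup")
        elif dev.risk == "elevated":
            self._act(mac, "dynamic_acl", "restrict to remediation servers (SSH to switch)")
        elif dev.managed is False and not dev.user:
            self._act(mac, "guest_registration", "HTTP redirect to guest portal")
        elif dev.managed and dev.antivirus_ok is False:
            self._act(mac, "alert_user", "antivirus not running")
            self._act(mac, "auto_remediate", "restart antivirus service")

def run_demo():  # replay a constructed event sequence; returns the engine with its recorded actions
    e = NacEngine()
    pc, phone = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"  # constructed sample MACs
    e.on_seen(pc, "10.0.0.5", "Windows 10")
    e.on_interrogated(pc, managed=True, antivirus_ok=False)
    e.on_context(pc, user="alice", switch_port="gi1/0/7")
    e.on_seen(phone, "10.0.0.77", "iOS")
    e.on_interrogated(phone, managed=False, antivirus_ok=None)
    e.on_risk(pc, "SIEM", "elevated")
    e.on_risk(pc, "ATD", "breached")
    return e
```

Running `run_demo()` and printing `actions` shows the order in which controls would fire: the VA scan and SIEM event on first sight, the endpoint-level antivirus fix, guest registration for the unmanaged phone, the ACL restriction on the SIEM alert, and finally the VLAN quarantine plus a peer scan on the threat-detection alert.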

SIEM Interoperability (screenshot: CFI Alert; ForeScout App for Splunk)

We export our data to SIEMs such as Splunk, and there is even a Splunk app that can display the information that Splunk receives from ForeScout’s product.

Vulnerability Assessment Interoperability

This shows how ForeScout’s product can pull in data from a vulnerability assessment system and use that data within security policies, for example network access control policies.

MDM Interoperability

This shows some of the information that we obtain from an MDM system about the mobile device. In this case, we’re pulling in the information from MobileIron.

Advanced Threat Detection Interoperability

And this is very popular. We integrate with advanced threat detection systems such as FireEye. The information that we get from FireEye can help you automate controls, such as quarantine the device or scan the device to confirm infection, etc.

NAC Competitive Landscape
The Players…
*Magic Quadrant for Network Access Control, December 2013, Gartner Inc.
**NAC Competitive Landscape, April 2013, Frost & Sullivan (Frost & Sullivan 2013 report NC91-74, “Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth”, chart base year 2012).

All the market analysts such as Gartner, Frost and Sullivan, and others list us as a market leader. They show us at the top of their charts next to a little company called Cisco.

*This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner, Inc. "Magic Quadrant for Network Access Control," Report G00249599, December 12, 2013, Lawrence Orans.

NAC features to look for
Fast and easy to deploy: Agentless and non-disruptive; Scalable, no re-architecting

Now it’s really important for you to know how ForeScout is different. First, ForeScout’s product is fast and easy to deploy. We have dozens of customer testimonials that say how shocked our customers were when they deployed our product. Typically, a customer will install our appliance in their network in the morning, and then we go to lunch, and when we come back from lunch, immediately we are seeing all kinds of devices that they didn’t know about. It is because we don’t require agents. We don’t disrupt anything that you have. And our system is scalable. We have customers with upwards of 500,000 devices under ForeScout management.

NAC features to look for
Fast and easy to deploy: Agentless and non-disruptive; Scalable, no re-architecting
Infrastructure Agnostic: Works with mixed, legacy environment; Avoid vendor lock-in

The second thing you need to know about how ForeScout is different is that we work with everything. We are infrastructure agnostic. We work with mixed environments, legacy environments, and we are not going to tie you into a proprietary architecture. ControlFabric is open; it is based on open standards.

NAC features to look for
Fast and easy to deploy: Agentless and non-disruptive; Scalable, no re-architecting
Infrastructure Agnostic: Works with mixed, legacy environment; Avoid vendor lock-in
Flexible and Customizable: Optimized for diversity and BYOD; Supports open integration standards

And the third thing that is really important for you to know about ForeScout is that we are flexible and customizable. We have optimized our system for diversity. A few years ago, you might have been able to dictate that everyone on your network used Windows XP. Those days are over. Since ForeScout is not tied to an agent, we can see any new thing on your network. Any new thing that Apple or Google might come out with. Any industrial machines you might have. And we support open integration standards.

Pervasive Network Security: an IT Game Changer

This technology has been a game-changer for many organizations. And I’m happy to take additional questions at this time.