1. The Game has Changed… Ready or Not! Ted Lee
Systems Engineering Team Lead

2. Cyber Attack Trends Average annual cost of security incidents
Annual number of data breaches
Average annual cost of security incidents
Regulatory mandates
Among companies with revenues over $1 billion
HIPAA
PCI
$5.9 million
2014
SOX
$3.9 million
HITECH
Breaches reported
NERC
NIST
2013
Source: Identity Theft Resource Center
Source: 2015 Global State of Information Security Survey, PwC
[begin]
Whether you’re an Info Security, compliance or IT executive today, your job is harder than they have ever been before.
The number of data breaches reported today are growing ‘up and to the right’ – and so are the annual costs dealing with the numerous security incidents.
At the same time, the regulatory mandates keep changing and increasing.
You are likely spending millions of dollars per year on people and technology to deal with these trends, yet the bad guys keep getting through.
Why is this the case?
[next slide] 2

3. IT Security Challenges
53 million addresses and 56 million credit cards
Attackers used stolen vendor credential to access critical systems
Cyber attack could cost as much as $100 million
Disabled the antivirus in the target machines without detection
76 Million Households affected
Hackers took over a remote server the bank failed to properly update
The Home Depot
“44 percent of known breaches came from vulnerabilities that are 2 to 4 years old”
HP Cyber Risk Report 2015
Attackers exploit vulnerable endpoints, easily move across big flat networks
21m government employees identities stolen
OPM did not maintain a comprehensive inventory of servers, databases and network devices
80m customer records stolen
“Suspicious” administrator activity went unnoticed for months
11m customers’ medical and financial data stolen
Premera’s network security procedures were inadequate
[begin]
First of all, the threats are more sophisticated and targeted than ever before. Highly funded adversaries – both nation state and cybercriminals – engage in a marketplace to steal valuable information or cause destruction.
[click once - animation]
As we study how these breaches happen, we see some commonalities. Typically, the attacker leverages well-known vulnerabilities in endpoints, then they move laterally across the network to find the system that they really want to exploit. This has been reported again and again.
[next slide]
[below is some background info about these attacks]
Home Depot
“Hackers used a vendor's stolen log-on credentials to penetrate Home Depot's computer network and install custom-built malware that stole customer payment-card data and addresses, the retailer announced Thursday. The company had announced in September that the massive data breach allowed criminals to harvest information from 56 million credit and debit cards in the United States and Canada. The latest revelations Thursday arose from the company's investigation. Another 53 million addresses were added to the list of compromised data.” Also here:
JPMorgan Chase Hacking Affects 76 Million Households
Soon after the hacking was discovered at JPMorgan, agents with the F.B.I. determined that the attack was not particularly sophisticated: The hacking succeeded largely because the bank failed to properly update a remote server. In spite of this, it was discovered somewhat by accident and went on long enough to give hackers access to 90 servers.
Sony – attackers turned off the AV in the machines they breached without letting the server know. “what’s unfortunate about this breach is the techniques that were used are not particularly sophisticated”, WSJ,
Anthem – attackers stole network credentials of 5 individuals. They only detected the breach when one of the users noticed queries he had not made
OPM -
Nov, OPM did not maintain a comprehensive inventory of servers, databases and network devices, nor were auditors able to tell if OPM even had a vulnerability scanning program
May Premera Blue Cross, one of the insurance carriers that participates in the Federal Employees Health Benefits Program, discloses a breach affecting 11 million customers. Federal auditors at OPM warned Premera three weeks prior to the breach that its network security procedures were inadequate.
May Carefirst Blue Cross discloses breach impacting 1.1 million customers. Clues unearthed by researchers point to the same attack infrastructure and methods used in the Anthem and Premera breach. 
“44 percent of known breaches came from vulnerabilities that are 2-4 years old. Attackers continue to leverage well-known techniques to successfully compromise systems and networks. Every one of the top ten vulnerabilities exploited in 2014 took advantage of code written years or even decades ago.”

4. The Challenging Threat Landscape
Dec 2014: “Within two years, 90% of all IT networks will have an IoT-based security breach”
Number of unmanaged devices is exploding
2010
2012
2014
2016
2018
2020
Less than 10% of new devices connecting to the corporate environment will be manageable through traditional methods
By 2020: 20+ Billion
Unmanaged
Connected Devices
Unmanaged Devices
Managed Devices
[begin]
The second primary reason the bad guys are winning has to do with the rapidly changing landscape of endpoints.
[click once - animation]
By 2020, less than 10% of all new devices connecting to your network will be manageable via an agent. As we all know, putting an agent on devices is the defacto standard for controlling enterprise devices; however, the onslaught of BYOD and IoT makes this no longer possible.
IDC is predicting that by the end of next year, 90% of all IT networks will have an IoT-based security breach.
[next slide]
=========================
Information about sources
BI Intelligence forecast:
Gartner forecast:
Verizon forecast:
IDC:
Source: Gartner, BI Intelligence, Verizon, ForeScout

5. IT Security Challenges
IBM
“70 to 90 percent of all malicious incidents could have been prevented or found sooner if existing logs and alerts had been monitored”
Verizon Data Breach Investigations Report
“Average time to contain a cyber attack is 31 days”
Ponemon Institute “2014 Global Report on the Cost of Cyber Crime”
Fragmented security lets attackers in
IBM
Firewall
SIEM
ATD VA
Endpoint
Patch
EMM
Security products are siloed.
Human beings are needed to compensate for lack of automation.
SecOps teams are overwhelmed and cannot respond in a timely fashion.
[begin]
The third major reason the bad guys have an advantage has to do with the lack of coordination between all of our security, management and compliance tools.
[click once – animation]
Each major technology tool does not share information with other relevant tools that could help detect, prevent or respond to a cyber threat.
Therefore, people – rather than technology – are required to connect the dots.
As we learned with some of these well-publicized breaches, relying on overwhelmed security operations teams to sift through alerts from dozens of tools, is a losing proposition.
All this fragmentation lets attackers in. The recent Verizon report states that 70 – 90 percent of malicious incidents could have been prevented or found sooner if effective coordination between disparate tools existed. And once you have been breached, it takes on average 31 days to contain the attack, and we know that much of this delay is caused by of the lack of coordination between tools.
[next slide]
NOTES:
Opportunity for the Adversaries
Swivel Chair Administration
Builds sometimes trip people up.
Defense in Depth doesn’t work because of lack of communications to each other
“throwing people at the problem”
How do they work – human beings.. Already overlooked

6. The Threat Landscape: 5 Major Trends Emerging 2016
80%
Global 2000 hit by targeted attacks 1.
Highly Targeted
Attacks
2.5x
Increase in losses from targeted attacks yoy
2015 PwC Information Security Breach Study and Symantec Internet Security Threat Report 20 (2015)

7. The Threat Landscape: 5 Major Trends Emerging 2016
60%
Can’t catch credential thieves today
Highly Targeted Attacks 2.
Credential
Theft
40%
Windows hosts with high-risk credentials for pivot points

8. The Threat Landscape: 5 Major Trends Emerging 2016
41%
Breaches caused by trusted partners
Highly Targeted Attacks
Credential Theft 3.
Insider Element
33%
Enterprises that give partners privileged network access
Protiviti 2014 IT Security and Privacy Survey and 2015 PwC Information Security Breach Study

9. The Threat Landscape: 5 Major Trends Emerging 2016
26k
Netscreen Firewalls with malicious backdoor
Highly Targeted Attacks
Credential Theft
Insider Element 4.
Hijacked Security Layers
70%
Cloud applications impacted by Heartbleed SSL flaw

10. The Threat Landscape: 5 Major Trends Emerging 2016
5 out of 6 large companies is hit with targeted attacks today
17%
Android apps that are malware
Highly Targeted Attacks
Credential Theft
Insider Element
Hijacked Security Layers 5.
New Threat
Vectors
70%
IoT devices shipping with known vulnerabilities

11. Can Agents Do It All?
Continuous Monitoring and Threat Mitigation with Next-generation NAC- Frost & Sullivan – October 2015
ioT = Internet of Things

12. Internet of Things, Ready or Not…
20+ Billion
Here it Comes!
IoT
5 Billion
BYOD PC
This chart shows:
A lot of unmanaged devices….
1990
2015
2020
Gartner, Nov. 10, 2015

13. Typical Mix of Devices in a Network
Unknown 3%
Construct of what networks are comprised of today, focus on the 3% of unknown

14. 3% of all devices on the network are unknown
Reality
3% of 5 billion is 150,000,000 endpoints
(a.k.a. unknown devices)
Current State
3% of all devices on the network are unknown

15. What about the Internet of Things (IoT)?
Network connectivity enables these objects to collect and exchange data:
Video cameras
Healthcare equipment
Safety equipment
Climate control
Environmental sensors
Vehicles
Asset tracking devices
Refrigerators
Smart homes
Trash cans

16. “Survey Says” Change the Rules 1 2
We need to 1st understand the relevant threat landscape then we can discuss what we can do about it.

17. Got Blind Spots?
Continuous Monitoring and Threat Mitigation with Next-generation NAC- Frost & Sullivan – October 2015

18. How Many Network Security Incidents?
72% Percentage of networks that had 5 or more security incidents within the past 12 months.
Continuous Monitoring and Threat Mitigation with Next-generation NAC - Frost & Sullivan – October 2015

19. Which Devices are Secure?
What devices had 5 or more security incidents in the last 12 months?
Continuous Monitoring and Threat Mitigation with Next-generation NAC - Frost & Sullivan – October 2015
BYOD – Bring your own device IoT = Internet of Things

20. Do Agents Provide the Security You Need?
What is your confidence level that agents are installed and working properly on your computers?
Recognizing that answers of “6” and “7” represent high or extreme confidence in agent installments, presented here are replies of 1 thru 5, which demonstrate a confidence that is less than “on point.”
Many network security administrators use security and management agents to track endpoints on their networks. An agent is a small piece of code installed on an endpoint that associates the endpoint to the enterprise network. The advantage to using agents is that an endpoint is more easily recognized by the network and communications such as software updates are more easily facilitated between the endpoint and the network.
However, there are three significant problems with agents. The first problem is that the majority of cyber security tools use a “polling” type of scan technology. Commonly, in vulnerability management (VM), security information and event management (SIEM), and other cyber technologies, semi-persistent scanning is initiated. This procedure works well for static devices that are attached by Ethernet to a network. However, as networks are designed to accommodate more mobile devices, much happens dynamically between polling events. Transient devices are easily lost. The second problem is that agents can be misconfigured or disabled. An enterprise network is often a fluid environment. Endpoints are frequently reconfigured and new office locations are dropped or added. If an agent is not functioning properly, the network loses visibility into the endpoint and security can be compromised.
The second problem with reliance on security agents is that agents required by IT teams cannot be installed on the increasing number of personal (BYOD) and IoT devices on the enterprise network. Hence, reliance on agents means that the network isn’t aware of the fastest growing segment of endpoints coming onto the enterprise network and reduces the organization’s security posture.
The last problem with security agents is reliance on security agents brings a false sense of security. In the Network Visibility Survey conducted by Frost & Sullivan, the survey asked security professionals about the confidence levels they had about the installed antivirus, mobile device management (MDM), encryption, and patch management agents they had on their networks.
Source: Continuous Monitoring and Threat Mitigation with Next-generation NAC- Frost & Sullivan – October 2016
Continuous Monitoring and Threat Mitigation with Next-generation NAC - Frost & Sullivan – October 2015
MDM = Mobile Device Management

21. Ready for Automation?
Would your security product benefit if it could automatically invoke a set of predetermined security controls?
The increasing complexity of network and information security burdens security teams that are already overtaxed. Most organizations report that they have too few information security workers. Removing manual tasks through automation would seem to make sense, but there are questions about how willing security professionals are to embrace automation. So, the question was put to the survey respondents, “To what degree would your network benefit if they could automatically invoke a set of pre-determined security controls (network security technology)? The survey results indicate a Clarion call for security vendors to add more automation to their products. (Please see Exhibit 3.) Ideally, IT and security teams would like to be able to customize settings; however, a security tool has to be effective out of the box and has to remain effective when integrated with other tools in a layered cyber defense.
Source: Continuous Monitoring and Threat Mitigation with Next-generation NAC- Frost & Sullivan – October 2015
Continuous Monitoring and Threat Mitigation with Next-generation NAC- Frost & Sullivan – October 2015
MDM = Mobile Device Management SIEM = Security and Event Management

22. “Survey Says” 1
Change the Rules 2

23. See Discover Classify Assess
001101
So how do you see how these BYOD and Unmanaged devices?
Notes:
Thousands of different hardened operating systems. Not prone to agents.
WE NEED TO STAY AGENTLESS SO WE SEE EVERYTHING
We need to recognize everything.  AUTO CLASSIFY 100%
THIS ALLOWS CUSTOMERS TO SET POLICIES BASED ON REAL WORLD
USE CASES (HVAC, PRINTER, BYOD..)
On slide 12 – should be DISCOVER, CLASSIFY, ASSESS – in that order… not sure having the words ‘ integrations ‘ makes sense since we are not speaking to our solution rather suggesting what should be done to SEE everything connecting to the enterprise… can you explain the order of the builds for me? I am sure there is a reason.  IE give me the talk track.

24. Less Privileged Access
Control
Less Privileged Access
Quarantine
Block
Limit
Notify
Data Center
Guest Network
Corporate Network

25. Orchestrate
ATD
SIEM VA
EMM
Custom

26. IoT Use Case
IOC Scanner 1
Device connects to the network 2
Device is detected and classified as a printer 3
Compromised printer communicates with the corporate file server 4
SIEM/ATD detects an anomaly and forwards the event to CounterACT®
Firewall
ATD
SIEM
Endpoint
Patch
EMM 5
Compromised printer is blocked from accessing the network
Corporate File Server
Network
Internet
) ) ) ) ) ) ) ) )
BYOD Devices
IoT Devices
Corporate Devices
Rogue Devices

27. Advanced Threat Detection Use Case1 1
ATD system notifies ForeScout of an infected endpoint and threat profile 2 2
ForeScout policy based on threat classification restricts network access of endpoint
ATD 3 1 3 3
ForeScout initiates managed endpoint remediation actions using details from the ATD system and removes network access restrictions on endpoint
Internet 2 3 1 5 4
ForeScout
CounterACT® 4 4
ForeScout scans other managed endpoints on the network for the IOC and initiates remediation actions
Switch
Wireless LAN Controller 5 5
ForeScout scans endpoints for IOCs as new endpoints attempt to connect to the network 4 5 2 3 1
May 2016
[begin]
BYOD Devices
Managed Devices
IoT Devices
Rogue Devices
Reference Acronym Glossary at the end of presentation

28. Vulnerability Assessment Use Case1 1
ForeScout detects an endpoint connecting to the network
ForeScout requests the VA System initiate a real-time scan of the endpoint 2 2 VA
Patch 3 2 5 3 3
VA system sends scan results to ForeScout 4 4
ForeScout places endpoint in remediation VLAN based on VA scan results and policies
Internet 5 6 4 1 3 2
ForeScout
CounterACT® 5 5
ForeScout requests patch management system to apply correct patches
Switch
Wireless LAN Controller 6 6
ForeScout provides endpoint with appropriate network access once remediated 6 4 1 2
May 2016
BYOD Devices
Managed Devices
IoT Devices
Rogue Devices
Reference Acronym Glossary at the end of presentation

29. Enterprise Mobility Management Use Case1 1
ForeScout discovers endpoint connecting to network 2 2
ForeScout queries EMM server to see if endpoint is managed by EMM, if so, network access continues
EMM 3 2 4 3 3
ForeScout moves endpoint to restricted access if not currently EMM managed, does http redirect and prompts user to install EMM agent
Internet 4 3 1 2
ForeScout
CounterACT® 4 4
ForeScout moves endpoint back to appropriate network access once EMM confirms endpoint is EMM managed and meeting EMM policy
Switch
Wireless LAN Controller 2 4 1 3
May 2016
[begin]
BYOD Devices
Managed Devices
IoT Devices
Rogue Devices
Reference Acronym Glossary at the end of presentation

30. THANK YOU!

31. Glossary (1 of 3) BYOD – Bring Your Own Device
IoT – Internet of Things
SIEM – Security Information and Event Management
ATD – Advanced Threat Detection
VA – Vulnerability Assessment
EMM – Enterprise Mobility Management
SQL – SQL Server
DNS – Domain Name Server
DHCP – Dynamic Host Configuration Protocol
VPN – Virtual Private Network
PKI – Private Key Infrastructure
SDK – Software Developer Kit
HIPAA – Health Insurance Portability and Accountability Act
PCI – Payment Card Industry
SOX – Sarbanes Oxley
NERC – North American Electric Reliability Corporation
NIST – National Institute of Standards and Technology
HITECH – Health Information for Technology for Economic and Clinical Health