Network Access Control is used to control access to enterprise networks. Mobile Device Management is used to manage and secure mobile devices. Put them together and your customers can set network access policies based on knowledge of the device - the Power of Two!
ForeScout is a global leader in NAC. MobileIron is a global leader in MDM/MCM/MAM and Secure Mobile IT.
I’d like to spend most of my time today talking about YOUR network security and how we might be able to help make it more effective and efficient, but let me just give you one slide about who ForeScout is. In business 13 years. Focused on pervasive network security. Ranked a market leader by all the major analysts, such as Gartner, Forrester, and Frost & Sullivan. Over 1400 customers, many of whom are large multinational organizations with over 100,000 endpoints.
==========================
DISCLAIMER (NOT TO BE READ)
*This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner, Inc., "Magic Quadrant for Network Access Control," Report G00238941, December 3, 2012, Lawrence Orans, John Pescatore.
***Frost & Sullivan chart from the 2013 market study "Analysis of the Network Access Control Market".
JACK: cover this slide. This research was performed by the market research team at Forrester Research and published by InfoWorld. The study asked IT security managers to describe their most important security concerns. We can see that network security was the top concern, followed by data security and device security.
Gartner has published a large amount of research on BYOD, and they frequently give webinars in which they present their recommendations on what types of security products enterprises should invest in to ensure that BYOD is done securely. Most of these webcasts they give are free for you to watch.
The key problem that we address – what makes us sort of unique – is our ability to help customers balance “access agility” with security. [click to advance] What I mean when I say “access agility” is the ability to have all kinds of people, and all kinds of devices such as smartphones, connecting to your network through many different types of connections. This is what is happening today, it is the road warrior experience, and it is driving increases in productivity. [click to advance] Of course you have to be concerned about security. You lose a laptop or a smartphone that has corporate data on it, you have a data loss event. Are all the many devices like iPads running antivirus? You bet they are not, and you don’t control those devices anyway, so this is a potential threat vector. What does all this mean with respect to regulations and compliance? It is a concern, because many of these mobile devices are devices that you do not control. Yet you remain responsible for network security. [click twice to advance] Managing these risks while enabling the business benefits of accessibility requires a solution that provides visibility and control which is seamless to the end user and highly automated for IT. Now … let me expand on the idea of comprehensive visibility, because it is extremely important. You can’t secure what you can’t see. Let me illustrate what gaps you might have today that ForeScout could help with.
Let’s start with visibility of your corporate resources. The little blue shapes on the screen represent your corporate IT assets. You have Endpoints, Network Devices, Applications, and of course users. You typically know about all these things, don’t you? Because you’ve bought them, and because the employees are on your payroll and in your directory. Now … you secure your endpoints with various security tools, right, like antivirus agents, encryption agents, data loss prevention agents, patch management systems and so forth. Right? You’ve spent lots of money on all these good systems. But the truth is that security agents are hard to maintain, and these systems don’t work correctly 100% of the time. Based on data we’ve gathered from our customers, we know that each security agent will not be working correctly on between 10% and 15% of the endpoint devices. Why? Well, the antivirus might be out of date. Or the personal firewall might be misconfigured. Or maybe the encryption agent is not properly installed. This is reality. There are various studies that support these numbers. Now … you probably have at least three desktop agents in your organization, if not four, five or even more. That’s common. [click to advance the build] These colored “Xs” show the different endpoint agents that aren’t working properly in the real world. When you add them all up, it’s typical to find security problems on one third of your endpoints. In fact, a few years ago, Microsoft published a report that showed over 50% of their endpoint computers had a security problem because of these types of failures. Over 50%! [click to advance the build] OK, so there are also non-corporate assets. The reality is you have non-corporate assets on your network. Employees bring in personal laptops. Contractors bring in their own systems. Not to mention all the iPhones and iPads that are brought in by visitors and by employees. Move down to the next category — network devices. 
Employees bring rogue network devices into the office and connect them to your network. They’re innocently trying to “help themselves” by working around your IT organization. Right? You know this happens. Think about applications. Do you have any security policies against running certain types of applications? Like instant messaging or Skype? Password reminder applications? Remote access applications? Employees want to run risky applications. Do you have visibility into this? And are you able to stop it? And of course you have non-corporate users on your network. Guests and contractors. Typically enterprises don’t have good visibility into any of these things. But they are on your network, and they can be security risks as well as operational risks. [click to advance the build] Unless you have the technology that can show you everything touching your network, you probably only have visibility into one-half of what’s actually there. [click to advance the build] As for the rest of your network? Zero visibility. [click to advance the build] The result is you have gaps in protection, because you can only protect what you know about. [click to advance the build] Luckily for you, ForeScout solves this problem. ForeScout gives you complete visibility and a means to enforce security policy for EVERYTHING touching your network. This is real-time visibility and proactive control. And it’s highly automated. Now the other half of the equation is control. Visibility is great to see all the problems, but you also need controls to fix the problems. Let me say a few words about controls.
It is highly advantageous to implement automated controls, and this graph shows why. If you have a manual control system, your costs go up as you increase your control coverage. This is pretty much by definition. I know that some of your systems are already automated, but some are probably not. We can talk about the details later. But my point is this: [click to advance the build] everything is automated with ForeScout’s platform. So once you purchase it, and once you set up your policies, ForeScout automates your security coverage, which keeps your costs low. According to a report issued by The Ogren Group in April of 2011, one large customer has actually quantified the cost savings they have achieved with ForeScout CounterACT. The answer is over $1,000,000 per year.
ForeScout provides complete visibility and control of everything on your network, and helps you enforce endpoint compliance. The functions are shown at the top of this slide, but what our customers love is how easily we do it: [click to advance the build] It’s agentless – which means there is no software that you have to install. We do provide agents for customers that want certain forms of advanced security, and this is especially important for mobile device management. But by and large, our customers are amazed at the functionality that they can obtain without an agent. It’s on the network, connected passively via a mirror port or SPAN port, and it dynamically sees and assesses all network activity. Our platform is scalable. We have customers managing 250,000 endpoints on our system. We provide an integrated knowledgebase of the most common policies that you can configure with a simple mouse click. Our platform can be integrated with a wide variety of existing IT systems, such as inventory databases, SIEM, MDM systems, etc. And our solution is completely interoperable with your existing network infrastructure and endpoint security systems. We integrate with all major brands of equipment and software. No upgrades or changes are needed to your infrastructure.
What does our product do? Well, the main functions are shown here. The first function is to show you everything on your network. You get 100% visibility, and you can see who owns each device and assess its security posture. If a security agent is not functioning properly on a PC somewhere, ForeScout tells you about it. [CLICK to advance] The second function is to automatically perform some sort of action. The actions shown in this box are to control network access, based on policies that you set up. Many other actions are available, such as sending an alert to the administrator, the end user, or a third-party application. [CLICK to advance] The third function is to fix whatever security problems have been found in step 1. If a vulnerability has been discovered, ForeScout CounterACT can trigger your existing patch management system or configuration management system to fix the problem, or you can program CounterACT to directly fix the source of the problem. CounterACT can install applications, start applications, stop applications, even disable peripheral devices.
Let me walk through three examples of such integrations. First, I’m going to describe how CounterACT integrates with MDM systems. Then I’ll describe how CounterACT integrates with databases. And finally I’ll describe how CounterACT integrates with SIEM systems.
Among the published recommendations that Gartner gives their clients is this set of recommendations, which are very important to today’s webcast. Gartner recommends that organizations combine NAC and MDM to enforce policies in a BYOD environment. They say that (read slide). So let’s talk more about this and dive a little deeper into how NAC and MDM can work together.
Here are examples of some of the leading MDM systems. Normally, these systems operate pretty much as islands, or silos of information. ForeScout CounterACT solves that management problem by integrating with them bi-directionally. That gives you several major security and operational benefits, as listed in the lower right corner of this slide. I will illustrate two of these in detail.
When you combine ForeScout CounterACT with MobileIron, you get some synergies that improve security and save you money through operational efficiency. Let me illustrate two examples of this: one is how the onboarding process becomes more efficient, and the second is how security posture assessment of mobile devices can become on-demand, to improve security. To start off this animation, notice that we begin with two products – MobileIron and ForeScout CounterACT. So a new device tries to access your wireless access point. Immediately ForeScout CounterACT learns about it. CounterACT figures out what kind of device this is – Apple device? Android? Then ForeScout asks MobileIron if it is aware of the device. Is this a managed device? In this example, MobileIron returns an answer that it does not know about the device. [CLICK TO ADVANCE] So ForeScout quarantines the device [CLICK TO ADVANCE] and sends the user to a web page where the user can enroll his device into MobileIron. It’s all automatic. The end user does not need prior knowledge of the MDM system, and your helpdesk does not need to get involved. [CLICK TO ADVANCE] The endpoint now communicates with MobileIron. MobileIron checks whether the endpoint is compliant with your security policies. If the device is compliant, then MobileIron reports this to ForeScout CounterACT. CounterACT communicates with the switch, lifts the quarantine, and allows the device to access your enterprise network. It’s that simple.
The second benefit I would like to illustrate is how ForeScout helps automate the enrollment of devices in your MDM system. When you have ForeScout on your network, it automatically discovers new devices the moment they try to connect to your network. ForeScout communicates with your existing MDM system to figure out whether a new device is supposed to be enrolled into the MDM system. If it is, then ForeScout automates that enrollment. Without ForeScout on your network, the process is much more manual. Typically the end user needs to first contact the help desk, who asks the end user some questions, and there are several more manual steps.
The first thing I want to illustrate is what we call on-access compliance assessment. Let me set the stage. You can configure MobileIron to check the compliance of mobile devices every so often, but in order to not consume too much battery life of the mobile device, many customers configure the interval to 12 hours or 24 hours. Many of our customers are quite security conscious, and they want to know in real time, the moment that a device tries to access the network, whether the device is compliant. The moment the mobile device enters your network is a critical moment, because it offers a possibility for infection to spread or data loss to occur. So here is how ForeScout and MobileIron solve this problem. [CLICK TO ADVANCE] Immediately when a mobile device connects to your network, ForeScout learns what has happened. [CLICK TO ADVANCE] ForeScout will ask MobileIron to report the compliance status. [CLICK TO ADVANCE] In this case, let’s say that MobileIron reports back that the compliance information is stale or that the device is not compliant. In this example, I’m showing that the mobile device has been jailbroken. ForeScout CounterACT blocks network access and sends the end user a message, telling him why he has been denied access. [CLICK TO ADVANCE] Once the end user fixes the security problem on his mobile device, he triggers MobileIron to re-assess compliance. [CLICK TO ADVANCE] If MobileIron confirms that the device is compliant, then ForeScout CounterACT will allow the device onto the network.
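The two animations above (the unknown device that gets quarantined and redirected to enrollment, and the on-access compliance check that blocks a jailbroken or stale device until the MDM re-assesses it) are really one policy evaluated at the moment of connection. The following is an added illustration of that policy in Python; it is not ForeScout or MobileIron code. The MDM record schema, the MAC-keyed inventory, the 12-hour staleness threshold and the reference clock are all constructed assumptions chosen to exercise each branch of the decision.

```python
"""Added illustration of the NAC + MDM on-access compliance flow described in
these notes. Not ForeScout or MobileIron code: the MDM record schema, the
staleness threshold, the device inventory and the clock are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: an MDM compliance verdict older than this is treated as stale.
# The notes say many deployments only re-check every 12 or 24 hours, which is
# why the NAC side insists on a fresh answer when the device connects.
STALE_AFTER = timedelta(hours=12)

# Constructed reference clock so the example is deterministic.
NOW = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)

# Policy outcomes the NAC enforces on the device's switch or AP port.
ALLOW = "ALLOW"                          # lift quarantine, grant network access
QUARANTINE_ENROLL = "QUARANTINE_ENROLL"  # isolate, redirect to MDM enrollment page
BLOCK_NOTIFY = "BLOCK_NOTIFY"            # deny access and tell the user why


@dataclass
class MdmRecord:
    """Constructed view of what the MDM knows about one enrolled device."""
    compliant: bool
    jailbroken: bool
    last_checkin: datetime
    reason: str = ""


@dataclass
class Decision:
    action: str
    message: str


class MockMdm:
    """Stand-in for the MDM API, keyed by device MAC (constructed data)."""

    def __init__(self, records: dict[str, MdmRecord]):
        self._records = records

    def lookup(self, mac: str) -> Optional[MdmRecord]:
        """Is this a managed device? None means the MDM has never seen it."""
        return self._records.get(mac)

    def reassess(self, mac: str, *, compliant: bool, jailbroken: bool,
                 now: datetime, reason: str = "") -> None:
        """Simulates the user triggering a fresh compliance check."""
        self._records[mac] = MdmRecord(compliant, jailbroken, now, reason)


def on_access(mac: str, mdm: MockMdm, now: datetime) -> Decision:
    """NAC policy evaluated the moment a mobile device joins the network."""
    rec = mdm.lookup(mac)
    if rec is None:
        # Unknown to the MDM: quarantine and send the user to enrollment.
        return Decision(QUARANTINE_ENROLL,
                        "Device is not enrolled; redirected to the MDM enrollment page")
    age = now - rec.last_checkin
    if age > STALE_AFTER:
        # A stale verdict is not trusted; the user must trigger a re-check.
        hours = int(age.total_seconds() // 3600)
        return Decision(BLOCK_NOTIFY,
                        f"Compliance status is {hours}h old; re-check required before access")
    if rec.jailbroken:
        return Decision(BLOCK_NOTIFY, "Access denied: device is jailbroken")
    if not rec.compliant:
        return Decision(BLOCK_NOTIFY, f"Access denied: {rec.reason}")
    return Decision(ALLOW, "Device is compliant; quarantine lifted")


def remediation_cycle(mac: str, mdm: MockMdm, now: datetime) -> list[str]:
    """Walks one device through the loop in the notes: initial decision, then,
    if it was blocked, the user fixes the problem, the MDM re-assesses, and the
    NAC evaluates again. Returns the sequence of actions taken."""
    actions = [on_access(mac, mdm, now).action]
    if actions[-1] == BLOCK_NOTIFY:
        # Constructed: the user remediates and the MDM records a clean check-in.
        mdm.reassess(mac, compliant=True, jailbroken=False, now=now)
        actions.append(on_access(mac, mdm, now).action)
    return actions


def build_sample_mdm(now: datetime) -> MockMdm:
    """Constructed inventory covering each branch of the policy."""
    return MockMdm({
        "aa:bb:cc:00:00:01": MdmRecord(True, False, now - timedelta(hours=1)),
        "aa:bb:cc:00:00:02": MdmRecord(True, False, now - timedelta(hours=20)),
        "aa:bb:cc:00:00:03": MdmRecord(False, True, now - timedelta(hours=2),
                                       "jailbreak detected"),
        "aa:bb:cc:00:00:04": MdmRecord(False, False, now - timedelta(hours=3),
                                       "device passcode not set"),
    })


if __name__ == "__main__":
    mdm = build_sample_mdm(NOW)
    # The last MAC is constructed to be unknown to the MDM.
    for mac in ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03",
                "aa:bb:cc:00:00:04", "aa:bb:cc:00:00:99"]:
        d = on_access(mac, mdm, NOW)
        print(f"{mac}  {d.action:18} {d.message}")
    print("jailbroken device after remediation:",
          remediation_cycle("aa:bb:cc:00:00:03", mdm, NOW))
```

The design point worth noting is the stale branch: a verdict that is merely old is treated exactly like a failed check, so the 12- or 24-hour battery-saving interval on the device does not become a window in which a device that drifted out of compliance is admitted on the strength of yesterday's answer.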
This is one of my favorite illustrations that shows you how combining MDM with NAC gives you a more complete security solution. MobileIron’s expertise is with mobile devices. ForeScout’s expertise is with the network and everything touching it. And you really need both in order to have optimal security and optimal efficiency.
When you combine MDM with NAC, you gain a more complete security solution, and you also gain some valuable automation which saves time and money. There are four basic ways that ForeScout and MobileIron have integrated our products. Of course, MobileIron’s focus is on the mobile device, and ForeScout’s focus is on the network. And when you combine the two products together, you get more complete visibility as shown here. If you want to see unmanaged devices on your network, you need NAC. Period. If you want to control where users can go on your network, to protect data on your network, NAC is what you need. If you want to manage the compliance of devices on your network, you must have MDM in order to manage the compliance of mobile devices, and NAC can manage the compliance of PCs, Macs and Linux machines. So together, you have complete coverage. And last is the problem of deploying agents onto mobile devices. MDM and NAC complement each other and together provide a more efficient, more streamlined, more automated way to get mobile devices enrolled into your MDM system. So now for the next few minutes, I’m going to talk about ForeScout’s product line, and then John Briar will talk about MobileIron’s product line, and then we’re going to show you how these two products work together to deliver a really strong, highly automated solution for BYOD security.
The first benefit that I want to illustrate is unified compliance reporting. ForeScout CounterACT pulls information from the MDM system, adds this information to what CounterACT already knows about the PCs on your network, and lets you produce unified compliance reports such as the sample shown here. This report encompasses iPads, Android devices, Windows machines, Mac OS systems – everything on your network. Obviously, going to one place for a compliance report saves you time and money compared with the alternative of going to separate systems to produce separate reports.
The name of our product is ForeScout CounterACT. CounterACT is an appliance that installs out of band at the core of your network. You can deploy it in other places – several other deployment scenarios are possible – but it’s very simple to deploy at the core. The clientless mode of operation is very popular, but you can also easily utilize ForeScout’s lightweight client if you wish.
Once installed, our product lets you follow the process shown in this cycle diagram: First we give you visibility into what is on your network. We let you “see” everything. We tell you what is on your network, and we give you deep information about the devices including their security posture and who is logged into the devices. Then we grant network access as per your security policy. The policy that you choose to enforce is up to you. Our system is very flexible; for example, if you prefer to grant access very liberally and only block access to computers that are seriously infected, that is up to you. This is also the stage where our product can limit access to just portions of your network, or maybe just grant Internet access. The fourth step is Remediation. Our product not only finds the security gaps, it fixes them. Finally, we continuously inspect the traffic from every network device to protect your network against attacks. Our system contains zero-day protection that was effective on day zero against Conficker, Zeus, and Stuxnet. Let me show you details of how this entire cycle works. Let’s start with “see”.
Our appliance tells you – in real time – what is on your network. [click to advance the build] We detect endpoints, network devices, users and applications.
This is a screenshot of our system showing you mobile devices that are on your network.
The next step is to grant network access. One of the things that has made ForeScout successful with Network Access Control is the range of actions that we allow customers to take. They range from gentle actions such as sending alerts to the administrator, through educational actions such as telling the user that they are violating a policy, to more assertive actions such as restricting network access. If you don’t want unauthorized devices or people on your network… [click] CounterACT can remove them. Automatically. Our product works with virtually ALL brands of network infrastructure. Cisco, Brocade, HP, Dell – we work seamlessly with all major brands of network infrastructure. So those unauthorized devices are now gone from your network. But you still might have some problems with the authorized endpoints themselves. That is where our second level of automated enforcement comes into play: automated endpoint remediation.
Guest networking is bread-and-butter for us. This is an example of a guest registration page that our product puts up when an unrecognized device connects to the network. The user sees this page when he opens a browser. You can customize the page to say whatever you want. (CLICK to activate the animation) Many organizations go further and use our product to control who goes where on the network. As this graphic shows, you can allow guests to access the Internet, you can allow employees to access different network resources depending on the employee’s role or group membership in your directory, and you can allow specific types of employees or contractors to access resources that are appropriate for the work that they need to do.
We help you find and fix problems with your endpoints. [click] Update the operating system. [click] Disable USB memory sticks. [click] Kill applications you don’t want running. All this is from a single network appliance. And it’s all automated, saving you time and money. Our customers experience significant cost savings because of this automation.
This shows you some of the remediation capabilities that are built into our platform.
And there’s one more thing: CounterACT includes built-in threat prevention that has the smarts to detect when an otherwise “good” endpoint has gone bad due to some sort of infection or compromise. Our technology is extremely effective. In fact, CounterACT provided zero-day protection against Conficker, Zeus, even against the infamous Stuxnet Trojan.
CounterACT includes a range of actions, ranging from gentle, to more assertive. This makes rollout of our product very successful.
And the cycle repeats. We’re back to “see” and we give you reports on the compliance of everything on your network.
Unlike other security products, ForeScout’s product has a direct ability to reduce costs and improve productivity.
US Mil. were using Cisco RADIUS, then switched to ForeScout CounterACT. When they upgraded to 7.0, they switched back to Cisco and got 600 calls on the day they disconnected CounterACT. Host not configured properly – Cisco says: not authorized; policy disconnects the host; help desk gets a call from the user; the desktop support jeep drives out to the user. Need to call the networking team to set this as an expectation. US Mil. account: bought $1.2 M of gear. 10 appliances for SIPRnet and 10 appliances for NIPRnet. HQ has 10,000 devices, and 7 remote sites (2500 each) for each of the two networks. Purchase motivation: the primary purchase motivation was difficulty deploying 802.1x. It was taking 80% of their top network administrators’ time to deal with 802.1x issues. They wanted some way to automate it. During the POC, we set up a policy that made use of dynamic ACLs and a script for installing the 802.1x supplicant. If a device failed, the administrator would see it, and if he blessed it, he could hit a button and the script would push the supplicant to the endpoint. Usage: deal with 802.1x supplicants. Their goal is to get to compliance checking for other security features as well, like A/V. Competitive vs. Cisco: at one point Cisco came in and tried to sell their NAC, but it took the network down during the pilot, whereas ours worked like a champ, even unattended while the administrator was out recovering from his motorcycle accident. Cisco had a WebEx open for over a week with a whole team working behind the scenes trying to get it up, and they failed to get it working. FS got it working in an afternoon!!
Just before I wrap up, I want to let you know the five most important reasons why customers choose our product over other solutions. Because for each of the five things that I’ve shown you our product does, you can go out and buy a product that does – or says it does – that one thing. We interview our customers after they purchase our product, and we ask them “Why did you purchase ForeScout over another brand? Did you look at any other brands?” The answers that we get back are shown here on this slide. (Read the main bullet points only – do not digress into detail!)