Post on 10-Jul-2018
Walter Doria
Technical Director – Exclusive Networks
How to bind Network Admission Control with Advanced Threat Protection
FireEye and ForeScout – The Partnership
ForeScout is a Cyber Security Coalition Partner
Integrations with many FireEye products: NX, TAP, EX, HX
40+ Joint customers
Executive sponsorship at highest levels
Commitment to build the best integrations and strategically approach the market
FireEye and ForeScout: Two Sets of Eyes Provide a More Complete Picture
Makes the invisible visible
Provides the full context of all devices in the network
Enables policy-based access and controls
Ownership of the entire threat lifecycle and kill chain
Experts in forensics and investigative tools
Detection and Prevention - Technology
DETONATE: 2 MILLION OBJECTS PER HOUR
ANALYZE: WITHIN VMs, ACROSS VMs
CORRELATE: CROSS ENTERPRISE
FireEye Intelligence — A Global Defense Community
4,000 CUSTOMERS IN 67 COUNTRIES
10M+ VIRTUAL MACHINES, 5M+ ENDPOINTS
REAL-TIME INFORMATION SHARING
RISK AND CONTEXT TO PRIORITIZE RESPONSE
TACTICAL AND STRATEGIC INTELLIGENCE WITH ATTRIBUTION THAT IS APPLICABLE AND ACTIONABLE TO YOUR ORGANIZATION
DYNAMIC THREAT INTELLIGENCE
What It does.
How It is different.
ForeScout Basics
CONTINUOUS, AGENTLESS
SEE: from Not Visible to Visible, including IoT
Managed and Unmanaged: Computing Devices, Network Devices, Applications
Conditions detected: Antivirus out-of-date, Broken agent, Vulnerability
CONTROL: AUTOMATED, POLICY-DRIVEN
Actions: INFORM, ADJUST, ALERT, SEGMENT
Applied to: Users, Endpoints, Network, Existing IT
ORCHESTRATE: AUTOMATE WORKFLOWS, SHARE CONTEXT
ControlFabric Open APIs
ForeScout & FireEye
How Do They Fit Into Your Network
Detection and Incident Response
• ForeScout + NX, EX, HX, TAP
[Diagram: NX / EX, HX and MTP with ForeScout CounterACT™ placed between the Internet and the Network; HX managed devices, BYOD devices, rogue devices and IoT devices on the network side; TAP receives context; callouts 1-6 mark the steps below]
Scenario: a corporate user downloads a malicious file
1. NX or EX discovers a new zero-day threat and informs ForeScout and HX of the IOCs.
2. HX Managed Devices – HX finds devices with the IOCs and quarantines them manually; if automated containment is needed, HX hands over to ForeScout for automated containment.
3. Non-HX Managed Devices – ForeScout finds devices with the IOCs identified by FireEye and stops the malware automatically and in real time.
4. ForeScout limits network access for any infected device.
5. ForeScout feeds additional contextual information (including network, user, location, compliance) about the compromised devices to TAP, enabling the organization to prioritize threats and assess risk.
Malware proliferation is stopped.
6. As devices are declared clean, ForeScout allows them back on the network.
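The six-step flow above is a policy loop: an IOC set arrives from the detection layer, every device the NAC can see is matched against it, containment is routed to HX or to the network depending on whether the host carries an agent, context is forwarded for triage, and access is restored only after a clean verdict. The following is an added example, not FireEye or ForeScout code, that simulates that loop in plain Python; the device inventory, the IOC values, the field names and the function names are all constructed for this example.

```python
# Added example (not FireEye or ForeScout code): a constructed simulation of the
# detection-and-response flow. Inventory, IOC feed and helper names are assumptions.
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    hx_managed: bool            # True if the FireEye HX agent is present
    user: str                   # context ForeScout would forward to TAP
    location: str               # network location, e.g. SSID or switch port
    compliant: bool             # posture as last assessed by CounterACT
    observed: set = field(default_factory=set)  # artefacts seen on the host (constructed)
    access: str = "full"        # "full" | "restricted"


def contain_on_iocs(devices, iocs, automated_containment=False):
    """Steps 1-5: match the NX/EX IOC set against every device ForeScout can see.

    HX-managed hosts are left to HX unless automated containment is requested,
    in which case the network-level block is handed to ForeScout; every other
    device is blocked by CounterACT. Returns the actions plus the TAP context.
    """
    actions = []
    for dev in devices:
        hits = sorted(dev.observed & iocs)
        if not hits:
            continue
        if dev.hx_managed and not automated_containment:
            tool = "HX quarantine"
        else:
            tool = "CounterACT network block"
        dev.access = "restricted"                    # step 4: limit network access
        actions.append({
            "device": dev.name,
            "tool": tool,
            "iocs": hits,
            "tap_context": {                         # step 5: context for triage
                "user": dev.user,
                "location": dev.location,
                "compliant": dev.compliant,
            },
        })
    return actions


def readmit(devices, declared_clean):
    """Step 6: restore access only for restricted devices that were declared clean."""
    restored = []
    for dev in devices:
        if dev.name in declared_clean and dev.access == "restricted":
            dev.access = "full"
            restored.append(dev.name)
    return restored


def build_inventory():
    """Constructed sample inventory; hashes and domains are placeholders."""
    return [
        Device("laptop-01", True, "alice", "wifi-corp", True,
               observed={"sha256:AAAA", "cdn.example.net"}),
        Device("printer-07", False, "-", "floor2-sw3/port12", False,
               observed={"sha256:AAAA", "c2.bad.example"}),
        Device("laptop-02", True, "bob", "wifi-corp", True,
               observed={"sha256:BBBB"}),
    ]


if __name__ == "__main__":
    inventory = build_inventory()
    # IOC set as NX/EX would publish it after detonating the downloaded file (constructed)
    iocs = {"sha256:AAAA", "c2.bad.example"}
    for action in contain_on_iocs(inventory, iocs):
        print(action)
    print("readmitted:", readmit(inventory, {"laptop-01"}))
```

The `automated_containment` flag models the hand-over in step 2: with it set, even HX-managed hosts receive the network-level block rather than an agent-side quarantine. `readmit` deliberately ignores names that were never restricted, so a clean verdict for an unaffected device cannot change its state.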
Full Endpoint Protection
• ForeScout + HX and MTP
[Diagram: NX / EX, HX and MTP with ForeScout CounterACT™ placed between the Internet and the Network; HX managed devices, BYOD devices, IoT devices and MTP mobile devices on the network side; TAP receives context; callouts 1-5 mark the steps below]
Scenario: ForeScout and HX / MTP protect all endpoints in a corporation
1. ForeScout discovers ALL devices on the network, managed or unmanaged.
2. Managed Endpoints – ForeScout validates that the HX agent is installed, fully functional and up to date; if needed, ForeScout restarts or reinstalls HX, or triggers the HX server to reinstall it.
3. BYOD – ForeScout inspects device security against corporate policy; if compliant, the device is granted access; if not, it is blocked or assigned to the guest network.
4. Mobile Corp Devices – ForeScout validates whether the MTP agent is installed and, if needed, triggers its installation; MTP then scans all applications for malware and, if the device is compromised, ForeScout limits or blocks its access.
5. IoT Devices – ForeScout classifies IoT devices and dynamically assigns them to a dedicated network; it monitors device traffic and limits abnormal behavior, while providing contextual information about the device.
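Steps 2 to 5 are an admission policy with one branch per device class: agent health for managed hosts, posture for BYOD, the MTP verdict for corporate mobiles, and a dedicated segment plus a traffic baseline for IoT. The block below is an added example, not ForeScout, HX or MTP code, that encodes those branches as a single decision function; the minimum agent version, the segment names, the IoT port baselines and the sample endpoints are assumptions made for the example.

```python
# Added example (not ForeScout, FireEye HX or MTP code): a constructed admission
# policy for the four device classes. Version threshold, segment names and IoT
# baselines are placeholders chosen for this example.
from dataclasses import dataclass, field

MIN_HX_VERSION = (4, 0)            # placeholder minimum agent version
IOT_BASELINE = {                   # expected destination ports per IoT class (constructed)
    "ip-camera": {554, 443},
    "badge-reader": {443},
}


@dataclass
class Endpoint:
    name: str
    kind: str                      # "managed" | "byod" | "mobile" | "iot"
    agent_installed: bool = False  # HX (managed) or MTP (mobile) agent present
    agent_running: bool = False
    agent_version: tuple = (0, 0)
    policy_compliant: bool = True  # BYOD posture check result
    mtp_compromised: bool = False  # MTP application scan verdict
    iot_class: str = ""
    observed_ports: set = field(default_factory=set)


def admit(ep):
    """Return the segment and action the NAC would apply to one endpoint."""
    if ep.kind == "managed":                       # step 2: HX agent health
        if not ep.agent_installed:
            return {"segment": "corp", "action": "trigger HX server reinstall"}
        if not ep.agent_running:
            return {"segment": "corp", "action": "restart HX agent"}
        if ep.agent_version < MIN_HX_VERSION:
            return {"segment": "corp", "action": "reinstall HX agent (out of date)"}
        return {"segment": "corp", "action": "allow"}
    if ep.kind == "byod":                          # step 3: posture against policy
        if ep.policy_compliant:
            return {"segment": "corp", "action": "allow"}
        return {"segment": "guest", "action": "assign to guest network"}
    if ep.kind == "mobile":                        # step 4: MTP agent and verdict
        if not ep.agent_installed:
            return {"segment": "corp", "action": "trigger MTP agent install"}
        if ep.mtp_compromised:
            return {"segment": "restricted", "action": "limit access"}
        return {"segment": "corp", "action": "allow"}
    if ep.kind == "iot":                           # step 5: dedicated segment + baseline
        expected = IOT_BASELINE.get(ep.iot_class, set())
        unexpected = sorted(ep.observed_ports - expected)
        if unexpected:
            return {"segment": "iot", "action": f"restrict; unexpected ports {unexpected}"}
        return {"segment": "iot", "action": "monitor traffic"}
    # Example default for anything the classifier could not place.
    return {"segment": "restricted", "action": "unclassified device"}


def admit_all(endpoints):
    """Evaluate every discovered endpoint (step 1) and return decisions by name."""
    return {ep.name: admit(ep) for ep in endpoints}


if __name__ == "__main__":
    sample = [                                     # constructed endpoints
        Endpoint("pc-1", "managed", True, True, (4, 2)),
        Endpoint("pc-2", "managed", True, False, (4, 2)),
        Endpoint("byod-1", "byod", policy_compliant=False),
        Endpoint("ph-1", "mobile", agent_installed=True, mtp_compromised=True),
        Endpoint("cam-1", "iot", iot_class="ip-camera", observed_ports={554, 443, 445}),
    ]
    for name, decision in admit_all(sample).items():
        print(name, decision)
```

The managed-host branch keeps the device on the corporate segment while remediation runs, which is what the text describes; a deployment that prefers to hold a host with a broken agent in a remediation VLAN until the agent reports healthy would change only that branch.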
Firewall, SIEM, ATD, VA, Endpoint, Patch, EMM
… is breaking down the silos
The Real Value
Combined Value Proposition
• Visibility
• Compliance
• Network/Access Control
• Guest/BYOD Management
• Continuous monitoring
• Orchestration

• Threat Detection
• Threat Response
• Email Protection
• Threat Analytics
• Forensics
• Incident Response
• Mobile Security

• Complete threat and security posture visibility
• Automated, policy-based incident response
• Security automation and 3rd party orchestration
VIDEO
> A host connects to the network via a Wi-Fi device
> CounterACT, which monitors the network, is aware of this host and knows where it is
> An infected object is downloaded by the client and analysed by FireEye, which sits in the middle
> As per FireEye's decision, the object is classified as malicious
> FireEye informs CounterACT about the security event
> CounterACT blocks the infected client by asking the Wi-Fi controller to revoke its authentication
> The benefit of integrating these three security platforms explains the CARM concept
> Cyber Attack Remediation and Mitigation
> The attack has happened and the host was infected
> The network reacts to the malicious event
> The impact has been minimized