© 2013 ForeScout Technologies, Page 1 Scott Gordon (CISSP-ISSMP) Vice President – ForeScout Technologies Considerations To Secure Enterprise Mobility / BYOD March, 2013


Page 2: About ForeScout

ForeScout is the leading global provider of real-time network security solutions for Global 2000 enterprises and government organizations.

Innovative Technologies
• Real-time visibility and control
• Leader ranking by Gartner, Forrester and Frost & Sullivan…

Global Deployments
• Financial, healthcare, education, manufacturing and government…
• Enterprise implementations (> 250k endpoints)

At a Glance
• Founded in 2000 — HQ in Cupertino, CA
• Dominant independent vendor of Network Access Control (NAC); #2 market share, behind Cisco
• BYOD, endpoint compliance and cloud fueling growth

*Magic Quadrant for Network Access Control, December 2012, Gartner Inc.
**Forrester Wave Network Access Control, Q2-2011, Forrester Research
***Analysis of the NAC Market, February 2012, Frost & Sullivan

Page 3: Framing Enterprise Mobility and IT Consumerization / BYOD

Enterprise mobility is the use of wireless, mobile and consumer devices, as well as mobile and cloud-based applications, to enable access to corporate resources.

A Bring Your Own Device (BYOD) strategy is the extent to which an IT organization prohibits, tolerates, supports or embraces the use of personal mobile devices at work, and the controls used to enforce that policy.

Risks
• Data loss: lost phone or laptop, unauthorized access, compromised system, unknown data protection
• Malware: phishing, access, mobile/app
• Compliance: rogue devices, unauthorized apps, inconsistent policy

Challenge
• Proliferation of mobile devices on corporate networks impacts security
• Consumers are setting the rules with personal and mobile device and application use
• IT teams need visibility and control over user, device, application, data and network

Page 4: Market Research – Mobile Security Product Requirements

Generally, virtually all respondents rate all of these MDM features as being “important” or “essential” (90% or higher). Essential features of “network access control” and “unified policy management” are unavailable from MDM solutions.

Boston Research Group, ForeScout Sponsored Mobile Security Study, 2012

[Chart categories: Network Access Control, Security Posture, Security Management, Software Management, Unified Policy Management, Inventory Management]

Page 5: Framework: Securing BYOD Implementation

1. Form a committee
2. Gather data
3. Identify use cases
4. Formulate policies
   – Which corporate applications?
   – Which users?
   – How will data be secured?
   – Who will be responsible for BYOD support?
   – What happens if the device is lost or stolen?
   – How will the endpoint device be updated?
   – Acceptable use policies?

Page 6: Framework: Securing BYOD Implementation

5. Decide how to enforce policies
   – Network controls?
   – Device controls?
   – Data controls?
   – App controls?
6. Build a project plan
   – Device enrollment
   – Remote device management?
   – Cloud storage?
   – Wipe devices when employees are terminated?
7. Evaluate solutions
   – Ease of implementation?
   – Cost?
   – Security?
   – Usability?

Page 7: Framework: Securing BYOD Implementation

1. Form a committee
2. Gather data
3. Identify use cases
4. Formulate policies
5. Decide how to enforce policies
6. Build a project plan
7. Evaluate solutions
8. Implement solutions
   – Network controls?
   – Device controls?
   – Data controls?
   – App controls?


Page 9: Enterprise Mobility Control Characteristics: NAC is Fundamental to Secure BYOD/CYOD

Each approach is listed with its characteristics.

Block all personal devices
• Very secure!
• Career limiting…

Manage all personal devices (MDM)
• Good security at the device level
• Phones/tablets… not Win & Macs
• Separate management console

Restrict the data (VDI)
• Strong data protection
• Varying user experience
• Not for the road warrior

Control apps (MEAM, MAW)
• Secure the app and data
• Must be used with other controls

Control the network (NAC)
• Foundational, simple, real-time coverage
• Network-centric visibility and control

Page 10: CounterACT: Continuous Monitoring & Remediation

Proven Platform for Real-time Visibility and Automated Control

• Complete Visibility: Device Discovery, Profiling [HW/SW USER LOC ...]
• Endpoint Authenticate & Inspect: Multi-factor, Complete, Clientless Interrogation
• Enforcement, Remediation: Port-based Enforcement [With or without 802.1x]
• System Integration: Natively or with 3rd party Integration (SIEM, MDM, Identity, HBSS)
• Continuous Monitoring

Page 11: CounterACT: Continuous Monitoring & Remediation

See, Grant, Fix, Protect

Real-time Network Asset Intelligence
• Device type, owner, login, location
• Applications, security profile

Policy-based Controls
• Grant access, register guests
• Limit or deny access

Automated Enforcement
• Remediate OS, configuration, security agents
• Start/stop applications, disable peripherals
• Block worms, zero-day attacks, unwanted apps
• Phased-in, manual or fully automated

[Diagram labels: Email, CRM, Web; Guest, User, Sales]

Page 12: What is Mobile Device Management

The Essentials
• Device enrollment
• OTA configuration
• Security policy management
• Real-time reporting
• Remote lock, wipe, selective wipe
• Self-service portal
• Enterprise App portal

Advanced Management
• Email access controls
• Application management
• Document management
• Certificate management
• Profile lock-down
• Corporate directory integration
• Geo sensing
• PII Protection

[Screenshot captions: Event-based Security & Compliance; Device Enrollment, Acceptable Use; Corp App Storefront; MDM Actions]

Page 13: NAC+MDM Synergies: 1+1=3

Unify visibility, compliance and access control

NAC focus is network
MDM focus is mobile device

                | MDM Alone                   | NAC Alone                       | NAC+MDM
Visibility      | Full info on managed only.  | Basic OS info on all devices    | Complete
Access Control  | For managed and email only  | Partial (Missing endpoint info) | Complete
Deployment      | Pre-reg agent               | Network-based, Automated        | Complete
Enforcement     | Polling rate                | On network access               | Complete
Network control | No                          | Yes                             | Complete
Root detection  | On profile check            | On network access               | Complete

Page 14: ForeScout CounterACT

Page 15: Unified Visibility and Control

Security operators gain greater visibility and control

Page 16: ForeScout CounterACT Advantages

• Easy to use and deploy with Low TCO
   – Hybrid 802.1X/Agentless approach; works within existing/legacy environment
   – Easy, centralized administration; high availability, scalable, non-disruptive
• Real-time situational awareness
   – All users, devices, applications; infrastructure agnostic
   – Wired, wireless, managed, rogue, VMs, PC, mobile, embedded
• Flexible, Integrated Mobile Security
   – Value of NAC with MDM device security
   – ForeScout: broadest integration with leading MDM vendors
• Rapid results and time-to-value
   – Extensible templates and controls with robust SIEM, HBSS, CMDB, MDM and directory integration

Page 17: Thank You

** The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

***Frost & Sullivan chart from 2012 market study “Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth” Base year 2011, n-20

*This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.