Fore Scout Technologies Inc.

ForeScout Technologies Inc.: Frontline Defense against Network Attack. Tim Riley, Forescout


Transcript of Fore Scout Technologies Inc.

Page 1: Fore Scout  Technologies Inc.

ForeScout Technologies Inc.

Frontline Defense against Network Attack

Tim Riley, Forescout

Page 2: Fore Scout  Technologies Inc.

ActiveScout Solution

ActiveScout solution provides:

– Preemptive identification of potential attackers
– Accurate identification of potential attackers to reduce false positives to zero
– Automatic action to block attackers in real time
– Minimal installation and daily operational costs

Page 3: Fore Scout  Technologies Inc.

Evolution of Perimeter Protection

Firewall: Provides robust static security according to predefined policies

Page 4: Fore Scout  Technologies Inc.

Evolution of Perimeter Protection

IDS: Sends alerts when attack is recognized and already through the firewall

Page 5: Fore Scout  Technologies Inc.

Evolution of Perimeter Protection: Frontline Network Defense

ActiveScout: Provides accurate detection and blockage of known and unknown attacks before they reach the network

Page 6: Fore Scout  Technologies Inc.

Typical Attack Process without ActiveScout

[Diagram: Attacker, Internet, Router, Firewall, IDS, Enterprise. Callout: "Port Scan launched"]

The majority of network attacks are preceded by reconnaissance activity. In this example, a port scan is used. These recon techniques seldom change.

Page 7: Fore Scout  Technologies Inc.

Typical Attack Process without ActiveScout

[Diagram: Attacker, Internet, Router, Firewall, IDS, Enterprise. Callout: "Network responds with legitimate, available services"]

The network sends information about hosts and services in response to the recon. This information may be used to subsequently exploit the network.

Page 8: Fore Scout  Technologies Inc.

Typical Attack Process without ActiveScout

[Diagram: Attacker, Internet, Router, Firewall, IDS, Enterprise. Callout: "Exploit is launched"]

Utilizing the network information received, the attacker uses existing or new exploits to attack network hosts and services and effectively breaks into the network.

Page 9: Fore Scout  Technologies Inc.

ActiveScout Frontline Network Defense

[Diagram: Attacker, Internet, Router, ActiveScout, ActiveScout Console, Firewall, IDS, Enterprise. Callout: "Port Scan launched"]

The attacker uses reconnaissance techniques, a port scan in this example, to discover potentially vulnerable network resources.

Page 10: Fore Scout  Technologies Inc.

ActiveScout Frontline Network Defense

[Diagram: Attacker, Internet, Router, ActiveScout, ActiveScout Console, Firewall, IDS, Enterprise. Callouts: "Network responds with available services", "ActiveScout responds with virtual services"]

ActiveScout identifies recon activity and watches for the network to respond. It then generates marked traffic that is sent back to the potential attacker. This traffic is not distinguishable from legitimate network traffic.

Page 11: Fore Scout  Technologies Inc.

ActiveScout Frontline Network Defense

[Diagram: Attacker, Internet, Router, ActiveScout, ActiveScout Console, Firewall, IDS, Enterprise. Callout: "Exploit is launched"]

When the attacker next uses the marked information to launch an exploit, ActiveScout with ActiveResponse technology then identifies the marked traffic. The attack is accurately identified and optionally blocked by ActiveScout or the firewall if desired.

Page 12: Fore Scout  Technologies Inc.

ActiveResponse Technology

Patented technology that:

– Identifies all reconnaissance activity
– Replies to the recon attempt with an authentic-looking response, created on the fly and registered within ActiveScout
– Identifies potential attacks based on this ‘marked information’ and optionally blocks them, regardless of attack method

Result: Accurately identifies attackers and then prevents them from implementing new and/or existing attacks against the network.
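A toy model of the mark-and-detect loop described on this slide, added here as an illustration; it is not ForeScout's code. The event format, the `MarkRegistry` class and all addresses are assumptions constructed for the example, and traffic is assumed to be already classified into recon probes and later connections.

```python
# Added example: toy model of the mark-and-detect loop, not ForeScout code.
# Assumptions: traffic is already classified into "probe" and "conn" events,
# and the set of real services is known. All addresses are constructed.
REAL_SERVICES = {("10.0.0.5", 80), ("10.0.0.9", 25)}


class MarkRegistry:
    def __init__(self):
        self.marks = {}       # (dst_ip, dst_port) -> (day handed out, prober)
        self.flagged = set()  # sources that have used a mark
        self.hits = []        # (mark user, original prober, mark age in days)

    def on_probe(self, day, src, dst):
        """Recon seen: real services answer for themselves; anything else
        gets a virtual service that is registered as a mark."""
        if dst in REAL_SERVICES:
            return "real-reply"
        self.marks.setdefault(dst, (day, src))
        return "virtual-reply"

    def on_conn(self, day, src, dst):
        """Later traffic: touching a mark identifies the sender, because the
        virtual service was only ever disclosed in reply to recon."""
        if dst in self.marks:
            marked_day, prober = self.marks[dst]
            self.flagged.add(src)
            self.hits.append((src, prober, day - marked_day))
            return "block"
        return "block" if src in self.flagged else "allow"


# Constructed event log: (day, kind, source, (dst_ip, dst_port))
EVENTS = [
    (0, "probe", "203.0.113.7", ("10.0.0.5", 80)),   # scan hits a real server
    (0, "probe", "203.0.113.7", ("10.0.0.77", 22)),  # scan hits an unused address
    (1, "conn", "198.51.100.20", ("10.0.0.5", 80)),  # ordinary client
    (9, "conn", "192.0.2.44", ("10.0.0.77", 22)),    # mark used from a new source
    (9, "conn", "192.0.2.44", ("10.0.0.5", 80)),     # same source, real service
]


def replay(events):
    """Feed the events through a fresh registry; return decisions and state."""
    reg = MarkRegistry()
    decisions = []
    for day, kind, src, dst in events:
        handler = reg.on_probe if kind == "probe" else reg.on_conn
        decisions.append(handler(day, src, dst))
    return decisions, reg
```

In this model the decision is keyed on the mark rather than on the prober's address, so the day-9 connection is caught even though it arrives from a different source and long after the scan.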

Page 13: Fore Scout  Technologies Inc.

ActiveScout Solution

Distinguishes real attacks from the noise
– Scarce security resources are focused on the real crises and do not waste time on false positives

Identifies ‘low and slow’ attacks

Provides Closed Loop Perimeter Protection

After identifying an attacker ActiveScout can optionally:
– Automatically block attackers
– Have the firewall automatically block
– Update all ActiveScouts when an attacker has been identified to provide automatic perimeter lockdown

Page 14: Fore Scout  Technologies Inc.

ActiveScout Management

“At-a-glance” attack situation display

Map identifies attacker location

Shows both current & historical data for trend analysis

Generates historical management reports

Enterprise Console consolidates information from multiple ActiveScouts

Page 15: Fore Scout  Technologies Inc.

Summary

The ActiveScout solution utilizes patented ActiveResponse technology to provide Frontline Network Defense that:

– Eliminates false positives
– Prevents unknown attacks
– Reduces OpEx through automation
– Provides enterprise-wide protection