Achieving Next-Gen NAC Results: Essential Implementation, Process and Control Considerations

An ENTERPRISE MANAGEMENT ASSOCIATES (EMA) White Paper
Prepared for ForeScout Technologies, Inc.
January 2015
IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

Table of Contents

- Executive Summary
- Effecting Better Network and Endpoint Security
- Aligning Policies with Use Case Scenarios
- Scoping Requirements
- Incorporation into Operational Processes
- Implementation Considerations
- 802.1X Standards and NAC
- Agent-based vs. Agentless Approaches
- Mobile Security and BYOD Approaches
- The Value of Interoperability
- Preparing the Environment
- Control Considerations
- Control Options
- Enforcement
- Automated Remediation
- Recommended Phased Enforcement
- ForeScout CounterACT: Visibility, Granular Control, and Threat Response
- ForeScout CounterACT and the ControlFabric Architecture
- Success Cases: How Organizations Embrace Next Generation NAC
- EMA Perspective
- About ForeScout

Executive Summary

Businesses want more fluid access to data using a broader spectrum of devices while IT organizations need to maintain security. As the diversity of users and devices has grown, so has the operational complexity required to manage a dynamic and evolving network and to address the multitude of advanced threats to network-connected resources and sensitive information. The need for more flexible and automated tools to implement and manage security policies, controls, and enforcement is more obvious than ever. Rarely is this need more keenly felt than at the network endpoint, where people, technology, and information assets are experiencing a broader range of issues, expanding the requirements for security and compliance.

The IT consumerization trends led by bring your own device (BYOD) and corporate owned, personally enabled (COPE) initiatives, and further pushed by wearable technology and the Internet of Things/Everything (IoT/IoE), have brought these issues to a head. Leading-edge IT organizations must improve context for operational oversight and better automate control and policy-based response to close security gaps, remediate violations, and contain threats. To accomplish this they must have continuous monitoring and mitigation.

These factors have pushed next-generation network access control (NAC) solutions into the limelight as a key option for enabling a proactive approach to managing network admission, endpoint compliance and advanced threat risks. This was highlighted by 2014 EMA research [i] in which 55% of respondents indicated they had a NAC product installed, or a project underway. Today's next-gen NAC technologies are delivering the promise of protecting the business and enabling its people to continue to work efficiently. This was also supported in the EMA research, which found that 94% of organizations that had deployed NAC had received expected or higher than expected business value from the project post installation.

Continuous monitoring and mitigation provided by next-gen NAC technologies is a key component of cyber-defense. According to a Ponemon/Norse Live Threat Intelligence Impact Report, security needs actionable intelligence within 4.6 minutes to stop an attack from becoming a compromise, and if a compromise is detected within 60 seconds, remediation costs can be reduced by 40%.

In this paper, Enterprise Management Associates (EMA) analysts examine the fundamentals of an informed approach to selecting and deploying next-gen NAC. This paper takes into consideration how today's approaches to identify, authenticate, classify and inspect endpoint devices provide a wide range of options for pre- and post-admission policy definition, enforcement, and remediation, enabling organizations to secure greater network resource access and to improve continuous monitoring and mitigation capacity. This paper describes the essentials of NAC functionality along with key considerations for implementation that can produce more effective next-gen NAC results.

Four enterprises that have adopted the ForeScout CounterACT solution are offered as examples of successful NAC deployments. They illustrate how comprehensive device discovery, real-time endpoint assessment, flexible policy definition, and effective controls compatible with existing infrastructure meet many of the most critical requirements for guest management, endpoint compliance, mobile security, and reducing advanced threat risks.

Effecting Better Network and Endpoint Security

Network access control is designed to help customers advance security and reduce costs by enabling enterprises to automate a wide range of network access, endpoint compliance, and threat response priorities, including the following:

- Identifying and tracking of users, including guests and contractors, and all network-attached endpoints, fixed and mobile.
- Augmenting network controls, wired, wireless and virtual, to allow, limit, or block device access.
- Securing enterprise mobility and BYOD policy.
- Monitoring, enforcement, and remediation of issues regarding appropriate configuration of the OS, software, and security agents, and user/device actions, both before and during connection to the network.
- Identifying threatening device and user behaviors to provide a means of proactive prevention, containment, and mitigation of a number of threats to enterprise security and regulatory compliance.
- Auditing and reporting that supports business, security, and compliance requirements.
- Providing a conduit for control intelligence, allowing other tools to take advantage of NAC-triggered enforcement and remediation capabilities.

Ideally, this level of management is delivered transparently to the endpoint and users with minimal business friction for deployment, maintenance, and support.

Early NAC products were often either too complex or inflexible in their approach, such as requiring specific network infrastructure or security agents on the endpoint that were not always possible, particularly with the ongoing proliferation of mobile and personal endpoint devices, and rapid provisioning within virtual environments.

Today's leading NAC products offer greater interoperability, integration, and functionality than ever before, with the increased benefit of preserving user experience, so enterprises considering NAC have more flexibility when defining their policies and requirements. To achieve the best match, project managers must closely examine vendor architectures, capabilities, and claims in order to assure success in their NAC implementation.

Aligning Policies with Use Case Scenarios

NAC projects begin with defining goals, objectives, and supporting use cases that facilitate NAC system selection and deployment. When executed properly, coordinating needs analysis for IT, business, and legal concerns yields a set of use cases that can be prioritized and examined, driving project participants to a short list of possible solutions. These requirements then become the basis of policy definitions. Documenting goals and objectives early in the project helps to keep the project realistic and aligned with the needs of both the business and the IT organization.

Policies can be determined based on a number of operating scenarios and factors such as user (employee, guest, and contractor) or device information, software applications, configuration integrity, classification and segmentation of network resources and information assets, as well as acceptable behaviors of monitored devices. The technical implementation of a policy defines a condition and response. In particular, a response, be it notification, access limitations to resources, device remediation or blocking, must consider the necessary impact of enforcement. For example, simply disconnecting non-compliant endpoints is likely too impactful a response in most cases. This speaks to the need for NAC solutions to offer multiple techniques and flexibility for evaluating and enforcing policy. Depending on the use case, the policy may range from less aggressive controls, allowing the user to maintain some level of productivity while minor compliance issues are being resolved, to very strict controls and response, blocking access to highly sensitive data.

Capabilities to support various policies differ by NAC product. Some policies may be considered foundational across business units, such as assurance of current operating system patch level, active personal firewall, or current antivirus signatures, as well as the detection of rogue devices. Some are device specific, such as securing smartphone and tablet use, which may require Mobile Device Management (MDM) platform integration. Others may be more business or business unit specific, such as granular control of access to high-sensitivity resources or monitoring for unsanctioned applications or suspicious endpoint behavior.

In some cases, organizations may have already established many such policies and are searching for a means of implementing the associated controls. In other cases, NAC may offer organizations with expanding/maturing security needs a new and wider range of options for centralized policy definition, enforcement, and remediation.

Scoping Requirements

Determining proper scope is paramount to a successful project. In 2014 research [ii], Enterprise Management Associates identified this clearly. Seventy-one percent of organizations that purchased NAC solutions said that they received the expected value, with an additional 23% indicating that they received higher than expected value. If 94% of the technology consumers indicate success in the project, it clearly shows that project failure is not a technology issue, but a project management issue.

Once respective goals, objectives, and supporting policy are defined, organizations must consider the technical scope of NAC deployment and enforcement. The technical scope must consider the solution architecture in terms of network coverage and locations, how and to what extent devices can be identified, how information is collected and assessed, the means to deliver enforcement, and the potential impact on both the network infrastructure and end users.

Scoping a deployment will also include requirements based on the number of sites, the number of concurrent devices, device types and policies to be managed, and the operating environment, which raises questions regarding the selection and deployment of any NAC solution. Together, these requirements speak to throughput and scalability, as well as the overall administration of the NAC solution.

Enterprise solutions should address multiple requirements across geographically diverse sites, heterogeneous endpoints, and multiple use cases. Those that require the deployment of new network infrastructure or endpoint products to meet requirements can significantly increase the cost and complexity of NAC deployment. On the other hand, those that can better utilize existing network and security infrastructure may provide greater flexibility in addressing NAC scope in addition to reducing the total cost of NAC ownership.

Next-gen NAC can be used to enhance visibility and control in a variety of operating environments, including the following:

1. Traditional end user computing systems (Windows, Macintosh, Linux)
2. Mobile device computing systems (Android, iOS)
3. Virtual desktop computing (VMware, Microsoft, Citrix)
4. Data center production environment (servers: Windows, Linux, UNIX)
5. Wireless networks (wireless network controllers)
6. Virtual private network (VPN) connections
7. Infrastructure-as-a-Service (IaaS) environments (AWS, VMware vCloud, Microsoft Azure, Google Compute Engine, Citrix, RackSpace)
8. Industrial control systems environments (ICS, SCADA)
9. Wireless and wired networked systems, embedded systems and Internet of Things in the enterprise (printers, wi-fi routers, smart appliances, kiosks, and other industrial, medical, commercial, and military devices)

Incorporation into Operational Processes

One of the most significant concerns about NAC deployment is its impact on day-to-day operations. This can be one of the more sensitive aspects of NAC adoption since the risk for disruption can be high depending on the selected product and how it is implemented. The choice of policy-based controls, enforcement techniques, and rollout choices can also have an impact on network and security operations. In many cases, educating users and interfacing with the service desk and other IT departments can preempt or minimize potential issues.

Solutions that provide deep visibility into configuration and status of all network endpoint devices and offer an easy-to-use approach for policy enforcement and exception management can significantly reduce impacts on operational staff. Organizations are better equipped to implement and enforce NAC policy if they have granular means to classify devices and define policies, and if they can automate monitoring of the devices and the users accessing resources.

For example, a phased rollout of NAC is typically recommended to limit the impact of unforeseen issues and aid in dealing with those issues early in deployment. In such a phased approach, an initial deployment of NAC in a monitoring-only mode enables the organization to baseline the current level of compliance and evaluate the potential impact of policy implementations. When enforcement becomes appropriate, there are a number of techniques for informing the user of the policy change that can improve the success of adoption. For example, NAC solutions can intercept an HTTP session to automate guest registration, allowing those guests to utilize only the appropriate resources and maintaining logging and access control while they are connected.

Regardless of policy, coverage, and technical implementation, changes should be coordinated with the service desk and network operations as they are often the first groups impacted by user contact post deployment. For example, an enforcement policy that has not been effectively communicated to the organization, such as those policies that drop connections to network resources, can materially add to service desk tickets and response burdens.

Implementation Considerations

One of the primary values of NAC is its ability to coordinate a number of approaches to endpoint security management. When enterprises rely solely on traditional and disparate endpoint security tools such as antivirus, host intrusion prevention, or client systems management, the issue for deployment becomes how to most effectively manage the multiple solutions and how to enable uniform policy enforcement. Network-based NAC has visibility and control advantages that unify and centralize multiple aspects of endpoint security management, provide a unified policy engine for standardized enforcement, and can be deployed directly inline or out-of-band.

Network-based NAC installation should also consider a centralized, distributed, or hybrid deployment. Placing a network-based solution at the core, distribution, and/or access layers will have advantages and constraints concerning endpoint access, visibility, and remediation capabilities. These deployment decisions should be reviewed with network operations as well as with the NAC provider as part of the discovery process.

Inline deployments can pose risks to availability and performance. They may also significantly increase infrastructure maintenance and related costs if additional client software must be managed. Out-of-band solutions can minimize these risks if they have access to networks and endpoints. Out-of-band approaches may also be able to enforce policy without requiring modification to the monitored endpoints or the network point products already in place. This supports their overall scalability and cost-effectiveness.

802.1X Standards and NAC

One method of authenticated network device access is to employ 802.1X, a port-based IEEE standard [iii]. This method requires that a device possess 802.1X client supplicant software to request access to an authentication intermediary, typically an 802.1X-compliant switch. The switch then forwards the request to an authentication server, which in turn offers a binary access response in terms of denying or allowing access with respective port assignment.
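The binary 802.1X decision described above, set beside the condition-and-response policies and the monitoring-only baseline discussed earlier in this paper, as an added Python example that is not taken from the paper or from any NAC product. The endpoint inventory, policy names and response labels are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Responses ordered from least to most disruptive (labels are assumptions).
SEVERITY = ["allow", "notify", "restrict_vlan", "block"]


@dataclass
class Endpoint:
    name: str
    device_type: str       # "laptop", "desktop", "printer", "smartphone"
    has_supplicant: bool   # 802.1X supplicant software present
    credentials_ok: bool   # authentication server accepts the credentials
    known: bool            # discovery matched the device to inventory/directory
    corporate: bool        # corporately administered (True) or personal (False)
    patch_current: bool
    av_current: bool


def dot1x_decision(ep):
    """802.1X by itself: authenticated or not, nothing about posture."""
    return "allow" if ep.has_supplicant and ep.credentials_ok else "deny"


# A policy is (name, condition, response): the condition selects endpoints,
# the response is what enforcement would do to them.
POLICIES = [
    ("rogue-device", lambda e: not e.known, "block"),
    ("printer-segment", lambda e: e.known and e.device_type == "printer", "restrict_vlan"),
    ("byod-internet-only", lambda e: e.known and not e.corporate, "restrict_vlan"),
    ("os-patch-level", lambda e: e.corporate and not e.patch_current, "restrict_vlan"),
    ("antivirus-signatures", lambda e: e.corporate and not e.av_current, "notify"),
]


def evaluate(ep, mode="enforce"):
    """Apply every policy; the most disruptive matching response wins.

    In "monitor" mode nothing is enforced, but the response that would
    have been applied is still recorded for baselining.
    """
    matched = [(name, resp) for name, cond, resp in POLICIES if cond(ep)]
    would_apply = max((r for _, r in matched), key=SEVERITY.index, default="allow")
    return {
        "endpoint": ep.name,
        "matched": [name for name, _ in matched],
        "would_apply": would_apply,
        "action": would_apply if mode == "enforce" else "allow",
    }


def baseline(endpoints):
    """Monitoring-only pass: compliance level and projected enforcement impact."""
    results = [evaluate(e, mode="monitor") for e in endpoints]
    compliant = sum(1 for r in results if not r["matched"])
    return {
        "compliant_pct": round(100 * compliant / len(results), 1),
        "projected": dict(Counter(r["would_apply"] for r in results)),
    }


def compare(endpoints):
    """Side-by-side view: 802.1X verdict vs. policy response per endpoint."""
    return {e.name: (dot1x_decision(e), evaluate(e)["would_apply"]) for e in endpoints}


# Constructed sample inventory (not real devices).
INVENTORY = [
    Endpoint("hr-laptop", "laptop", True, True, True, True, True, True),
    Endpoint("eng-laptop", "laptop", True, True, True, True, True, False),
    Endpoint("old-desktop", "desktop", True, True, True, True, False, False),
    Endpoint("lobby-printer", "printer", False, False, True, True, True, True),
    Endpoint("sales-phone", "smartphone", True, True, True, False, True, True),
    Endpoint("unknown-host", "laptop", False, False, False, False, True, True),
]

if __name__ == "__main__":
    for name, (dot1x, nac) in compare(INVENTORY).items():
        print(f"{name:14} 802.1X={dot1x:5} policy={nac}")
    print(baseline(INVENTORY))
```

The printer and the out-of-date desktop are the two cases where the binary decision and the policy response diverge in opposite directions: one is denied although it can be safely segmented, the other is admitted although it is behind on patches.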

802.1X requires device access authentication, and as such, the current standard by itself does not have pre- or post-security posture assessment benefits associated with a complete NAC solution, meaning it excludes endpoint classification and security compliance assessment capabilities, rendering a binary response of authenticated or not. While the 802.1X standard and respective supplicant have been adopted within modern network and endpoint devices, it does require that these devices be manageable and able to support 802.1X. Common impediments include client deployment and managing the unique supplicant configurations and device exceptions across the gamut of varied device types. Implementation may also be impacted by certificate management requirements. Thus, 802.1X requires all devices to be identified, manageable, and specifically configured and authenticated before allowing a connection; this often makes larger 802.1X-reliant networks significantly more complex to manage.

Agent-based vs. Agentless Approaches

Another aspect of NAC adoption that has stymied some efforts is the requirement of some solutions for the installation of NAC- or authentication-specific software such as management agents or 802.1X supplicants on the endpoint. Today's preferred solutions should demonstrate the ability to obtain endpoint insight and offer control options without depending on agents, which avoids additional dependencies and associated management burdens on the business. For example, a NAC or 802.1X agent/supplicant often requires ongoing maintenance of an exception list for endpoints such as printers and embedded devices that are not able to support a NAC agent.

Endpoint security agents have their place in device management, but those weighing a next-gen NAC implementation should realize that today's NAC approaches can use both agent and agentless methods, leveraging RPC, WMI, and other means of endpoint assessment to deliver significant insight into activities within the monitored network. More agile NAC solutions are able to interrogate and control endpoints without requiring additional or persistent client software while offering 802.1X compatibility.

Mobile Security and BYOD Approaches

The acceptance of corporate-provisioned and personal mobile devices has had a substantial impact on IT organizations as well as on NAC. Since all personal mobile devices initially attempt to access a network as an unmanaged device, NAC can be a fundamental technology for managing BYOD. NAC solutions offer network controls that can identify smartphones and tablets to varying degrees and enforce policy based on device type, manufacturer, configuration, and the user associated with the device. Policies can range from denying, restricting, or allowing mobile device use; re-assigning WLAN and VLAN; managing guests; enforcing configuration requirements; enrolling devices into MDM and container technologies; and interfacing with MDM platforms.

Since MDM may be limited to user, device, application, and data security requirements, NAC may be used in conjunction with MDM to enforce network-based controls. NAC can trigger an MDM profile check as mobile devices request network resources and can be used to remove mobile devices from the network or re-assign access to Internet-only segments due to an MDM policy violation. Security administrators can use next-gen NAC with their MDM solution to further construct multiple sets of policies based on device, owner and security state, especially for traditional personal computing devices.

The Value of Interoperability

NAC vendors have different means to utilize current network and security investments to enable NAC and policy enforcement. A NAC system that interoperates with existing infrastructure (networking gear, virtualization, as well as a diverse range of devices including mobile and personal devices) can cost less than one that requires the business to replace network infrastructure and/or implement workarounds for endpoints that are not supported by the NAC system.

The NAC solution that poses the lowest impact on the organization is likely to be the one that best leverages existing infrastructure for device and user discovery, violation detection, and pre-/post-admission policy enforcement. Enterprises should consider that existing infrastructure already offers a wide range of techniques for managing network access and use, from service policies to access control lists, to Wireless LAN (WLAN) and Virtual LAN (VLAN) capabilities that can segment traffic transparently to the user. Making the most of these capabilities can be a key factor in both reducing the impact of NAC adoption and enhancing its flexibility.

An additional consideration for choosing a NAC solution that relies on current network infrastructure is how long that infrastructure is expected to be in place. Choosing a NAC solution that relies on the infrastructure to provide protection ties the two solutions together for their entire lifecycle. If the network infrastructure is ready for upgrade/replacement, having the dependent system may restrict the vendor/solution options available at refresh time or require premature replacement of the NAC solution. The same condition is true for combining network resources, as is often the case with mergers and acquisitions.

Integration with security incident event management (SIEM), advanced threat detection (ATD), next-gen firewalls (NGFW), vulnerability assessment (VA) and other security control technologies is crucial for maximizing value from NAC. Integrations with such technologies strengthen continuous monitoring and threat mitigation by providing enhanced context and accelerated response.

Preparing the Environment

Before embarking on a NAC rollout, organizations must consider how and where they plan to deploy it. As mentioned earlier, a phased deployment is recommended in most cases. Well before planning reaches that stage, however, organizations must consider the optimal environment for beginning a NAC rollout. Priority can be assessed by degree of security risk, business impact, and cost.

Initial NAC deployment sites should lend themselves to ease of access by technical personnel. The network infrastructure and administrative credentials for access to critical NAC-related infrastructure such as switches, Firewall/VPN, directories, and domain controllers should be well documented. This may also include other management systems including SIEM, VA, ATD and virtualization. Where possible, approvals for environment and process changes should be made in advance of installation. These preparations help to better identify issues that can be encountered during rollout.

Cooperation with users is clearly important to the success of a NAC deployment. Personnel should be informed of the purpose of NAC and what can be expected from initial deployment. If a phased rollout begins with monitoring-only to create an environment baseline audit, and users are informed and educated early on when policy issues are detected, users are generally more supportive of the NAC deployment because they better understand the purpose and benefits of policy automation before restrictive enforcement actions are employed.

Control Considerations

As the previous paragraphs suggest, a realistic and stepwise NAC deployment helps support a successful rollout. Too often, organizations have assumed that NAC enforcement means a black-and-white approach where non-compliant systems are removed from the network; this denial of access means disruption of the business. Today, NAC technologies are available that take a much more enlightened and granular approach. Businesses considering NAC should recognize how these solutions differ from past approaches.

Control Options

Today's more capable next-gen NAC solutions embrace a wide range of approaches to control definition and enforcement. They can recognize and deal with the full range of endpoints that are often found on enterprise networks, including those not normally considered user endpoints but which are often detected as targets of opportunity, such as network-connected printers and personal mobile devices.

Typical control options may include VLAN and WLAN re-assignment, 802.1X-based authentication, ACL management, DHCP assignment of IP address, HTTP hijacking, changing virtual port groups, suspending a virtual machine, and sending TCP resets of connections that violate policy. Control should include the ability to enforce policy based on parameters such as user identity, device identity, IP address, hardware configuration, security settings, software versions, configuration or patch level, applications installed (blacklist or whitelist), services, registry keys, location, and/or whether or not the device is corporately administered or strictly personal. These options give businesses a broad range of tools for defining a practical implementation of policy.

Enforcement

When policy violations are detected or attempted, enforcement options should be just as comprehensive and flexible, as well as realistic. Enforcement in many cases may simply mean limiting authorized users and devices to the resources they need to do their jobs, without exposing access to more sensitive areas. The least disruptive response is to monitor the endpoint, a recommended step in phased policy deployment. This is especially important for monitoring business-critical devices such as physical or virtual application servers.

Users and system administrators may also be informed of a violation through methods such as generating an email to the user or interposing a message into a browsing session without denying access, which addresses the many cases of users who are simply unaware that their actions violate policy and/or pose a risk. Users may also be informed of policy changes through such means as an auditable acknowledgement from the end user that they were informed of the change. With non-compliant or insecure servers or virtual machines (VMs), notification and manual remediation may often be the preferred method so as to not disrupt IT service delivery.

When a more forceful enforcement response is appropriate, a NAC system should provide a range of options, such as reassigning the device to a different WLAN or restricted VLAN, terminating an unauthorized application, disabling peripheral devices, blocking communications with specific network resources, suspending a virtual machine, or disconnection from the network. This does not mean, however, that enforcement need be black and white. Assignment of the endpoint to a specific WLAN or VLAN is often used to manage guest access, which supports business needs while protecting sensitive internal networks. Leveraging both user and device authentication to fine-tune access privileges is another strength of next-gen NAC.

Engaging network infrastructure to enforce policy through techniques already available in the network, such as real-time modification of ACLs or the use of TCP resets, helps further reduce the impact of NAC deployment. The ability to control application traffic (port control) can range from network re-assignment to the blocking or deactivation of specific applications, communications, or switch ports. Additional enforcement can include the means to whitelist or blacklist applications. This can range from terminating application processes on the PC to disallowing network access for smartphones and tablets running prohibited applications.

Automated Remediation

In some cases, endpoint systems may require an update or reconfiguration to be brought into policy compliance. Here again, enforcement need not be draconian in order to achieve business objectives. Users can be connected to a public network and directed to sites where they can download the latest updates, or a NAC system may automate remediation transparently to the user, such as by activating a security application, without interrupting the use of an endpoint system.

This automation may be accomplished through integration with systems management resources or through native NAC functionality that triggers an endpoint to initiate maintenance. For example, NAC can assess a transient endpoint, then trigger it to make a request to a patch management system to receive a necessary update. The NAC solution may, if need be, isolate the endpoint while remediation is being performed, thus protecting other networks and endpoints from risk when high-priority issues are detected.

Remediation may just be to facilitate processes such as opening a ticket with the service desk when issues are detected. This approach poses no risk of keeping the end user or the business-critical application server from performing tasks, while still accomplishing business objectives to gain operational oversight and keep endpoint devices compliant with the security policy.

Recommended Phased Enforcement

As with any other technology rollout, a phased implementation not only reduces the impact of deployment, but can help security and IT operations as well as users become familiar with the system and isolate significant issues before they can have a wider impact.

Two common approaches to phased enforcement include deployment of policies by site, or on a policy-by-policy basis. In the first case, policies are deployed at specific sites, then progressively rolled out to other sites as their effectiveness is demonstrated. In the second, individual policies are evaluated before additional policies are deployed. In either case, the following is a recommended course of action.

Monitor the impact of policy without engaging enforcement as a first step, or when immediate enforcement is not an overriding priority. This enables the organization to observe the impact policies could have, which helps in tailoring their effectiveness. It also allows the baselining of the current level of compliance, which can help in determining if policy will have a greater or lesser impact than expected, and tuning policies accordingly.

Inform users of policy and policy changes so they can be made aware when policies are to be engaged or when changes can be expected.

Educate users on how to comply with policy or offer ways to remediate policy issues. This helps with policy acceptance and understanding of enforcement when engaged.

Enforce policies as needed after having laid a foundation for better policy observance and cooperation through the preceding phases.

Refine policies to accommodate exceptions or new devices, resources, coverage, and use cases.

ForeScout CounterACT: Visibility, Granular Control, and Threat Response

As an example of a continuous monitoring and mitigation platform, ForeScout CounterACT offers a versatile approach leveraging network access control technology and one that recognizes the considerations described in this report. CounterACT is a flexible, integrated, and extensible next-gen NAC solution that provides access control, endpoint compliance, mobile security, and threat management. CounterACT offers a hybrid NAC approach: a complete 802.1X approach operating concurrently with multi-factored device and user authentication for non-802.1X systems and environments. This approach offers enterprises the best of both: the advantages of 802.1X with equally capable support for the large numbers of devices and systems that are not, or cannot be, compatible with 802.1X. The approach also enables a self-contained transition path to 802.1X, where appropriate or desired. The more popular non-802.1X method can be fully implemented without requiring agents. 802.1X features include a built-in RADIUS or 802.1X proxy-mode, as well as troubleshooting and supplicant management. Hybrid NAC also ships plug-ins that support a vast array of network, security, identity, virtual and mobile infrastructure, giving organizations a more flexible and timely means of NAC deployment.

CounterACT is available as either a physical or virtual appliance that can be deployed out-of-band via a span or mirrored switch port within the network core. It uses centralized administration through an enterprise manager appliance. For large and distributed environments, the platform is scalable and can dynamically manage over 500,000 endpoints using a two-tier appliance architecture. CounterACT delivers real-time visibility and control of all devices, systems, and applications connecting to and on the network, including managed and unknown mobile devices and VMs. The product includes a knowledge base of pre-defined device classifications, rules, and reports delivered through a WebGUI. Device classification supports a broad range of attributes to identify common devices, including smartphones, tablets, and wireless application protocol (WAP) functionality, as well as uncommon and embedded devices. Built-in and extensible templates and wizards expedite policy management and tuning. ForeScout Mobile add-on modules offer granular iOS and Android device security and extensive MDM integration.

CounterACT provides pre-admission and post-admission device assessment and response capabilities, including a unique means to monitor for malicious behavior called ActiveResponse. Real-time enforcement and remediation capabilities are equally extensive, ranging from notification and reporting, virtual firewall configuration, VLAN/WLAN assignment and switch ACL modification, automated remediation scripting for endpoint control, HTTP session hijacking, as well as guest registration, DHCP and TCP resets, and user self-remediation.

ForeScout CounterACT and the ControlFabric Architecture

ForeScout's ControlFabric architecture is a set of bi-directional integration technologies which enable advanced interoperability between CounterACT and a variety of security and systems management tools for increased situational context and response capabilities. For example, it can integrate with security information event management (SIEM) platforms to enhance SIEM analytic coverage and enable SIEMs to take better action on correlated events. In this way, CounterACT with ControlFabric provides accelerated remediation by enabling an information exchange between systems to more efficiently resolve a wide variety of network, security, and operational problems. CounterACT delivers an optimized, layered security approach by allowing the existing security technologies to work cooperatively, and in many ways provides an even stronger defense than they could individually. The bi-directional content exchange through ControlFabric technology allows CounterACT to gain broader operational intelligence that can be used by CounterACT administrators to invoke enforcement and remediation decisions in real time based on policy.

ForeScout CounterACT offers a different approach when compared to other conventional NAC solutions that are 802.1X-centric.
CounterACT starts with device identification, classification, and baselining to enable situational intelligence that supports phased-in enforcement. The following table illustrates examples of architectural differences.

802.1X-centric NAC

Initial deployment: Some solutions may require infrastructure modification.
Initial rollout may not be transparent to end users.
Deployment may require installation of new authentication servers, agents, and/or certificates on endpoints.
Whitelisting may be required for MAC addresses of printers and other known network devices.
DHCP, switch ports, directories and other network and security infrastructure may require manipulation to support 802.1X.
Exceptions and non-classified devices may require management on a case-by-case basis.
Visibility for those systems under 802.1X-based management, not for unknown systems.

ForeScout CounterACT

Initial deployment: Comprehensive network visibility with no impact on network availability.
End users need not be aware of a monitoring-only deployment.
Insight into compliance levels and NAC needs gained via passive traffic analysis and clientless inspection.
A listing of all known and unknown devices is generated, identifying guest and mobile devices.
Allows for partial activation of and gradual migration to 802.1X infrastructure.
Enables roles-based controls with phased enforcement, beginning with more sensitive issues and classes of information.
Flexible policy engine allows the action to fit the problem with extensive response options.
Automation for guest registration, resource access, reporting, control enrollment, and endpoint remediation.

Success Cases: How Organizations Embrace Next Generation NAC

The demand for more business-friendly NAC with a wide range of flexible options for policy definition, deployment, and enforcement is exemplified by four organizations that have embraced such an approach to meet a growing set of needs for security and policy management at the endpoint. Below, the paper discusses four case studies that, aside from retail, represent the oil & gas, education, and banking & finance verticals.

The first case is a financial institution based in the United States. While having strict endpoint configuration and security practices, this highly regulated firm operates a large heterogeneous environment supporting nearly 200,000 endpoints in over 150 locations that leverage CounterACT's 802.1X and non-802.1X security mechanisms. To enable wired port control for authorized systems, provide guest management, and fortify endpoint compliance, the company employed multiple CounterACT appliances centrally managed by one CounterACT NAC Enterprise Manager. They have configured their SIEM to receive CounterACT endpoint information and event details, and to enable SIEM policy to trigger CounterACT responses. By employing CounterACT, within eight months that company reduced the number of out-of-compliance Windows systems by 90%, significantly increased the effectiveness of preexisting host-based security measures such as antivirus, and greatly reduced remediation and audit costs.

The bank expanded their NAC implementation to accommodate business-justified BYOD use cases. Employees using personal Windows or Apple laptops have their system automatically registered through CounterACT's guest management portal, which enables role-based directory authentication and manager approval. By integrating with their directory services (Active Directory, eDirectory, and other LDAP solutions), the majority of the functions that other solutions use agents for can be completed without the use of an agent. When the user logs on to the system, an assessment is automatically kicked off from the CounterACT appliance to interrogate the endpoint. In this case, the customer chose to increase their level of interrogation by using the SecureConnector dissolvable agent. Using the SecureConnector agent, CounterACT is able to gain even higher visibility into the endpoint, enforcing patch, antivirus, data loss prevention, disk encryption, and personal firewall policies. Users are then granted restricted access to corporate network resources with their personal device.

The firm has also rolled out a thousands iOS tablets leveraging next-gen NAC and a leading MDM tool to facilitate provisioning, certificate, application, and document management and device security. Beyond MDM, the IT team recognized that additional device and network controls were needed. By using the ForeScout MDM Integration Module, the company offers guest or MDM enrollment to mobile devices that do not have the MDM agent installed. This enables this organization to deny guest access to unrecognized, jailbroken, or rooted mobile devices; automatically validate the device security profile on network access; and centralize visibility of all unmanaged and MDM-managed mobile devices with the CounterACT platform. As a result, more than 80% of personally owned devices, including those of contractors as well as of employees, are under policy compliance.

The second case is a publicly traded retailer with 20,000 employees and outlets in North America and Europe that operated under the Payment Card Industry (PCI) Data Security Standard, a compliance priority for retailers. PCI requirements are generally compounded by additional security concerns posed by exposures from corporate headquarters, connections to suppliers, and concerns unique to each individual store.

This company chose to deploy the ForeScout CounterACT solution throughout the company because of its ability to recognize a wide range of devices, including unauthorized or rogue devices; the ability to exert control over wireless devices; ease of management and use; and its flexibility in meeting a number of deployment scenarios. CounterACT provided several value propositions. The first was CounterACT's freedom from an endpoint agent, which significantly simplified deployment. The second was its ability to be deployed out-of-band while leveraging the capabilities of existing infrastructure to provide monitoring and deliver enforcement. The third was CounterACT's ability to deploy a virtual firewall to protect the organization from specific endpoint risks, improving the granularity of the solution without pushing more black-and-white enforcement on each individual endpoint. Lastly, the company was able to leverage CounterACT within their supervisory control and data acquisition (SCADA) network. The SCADA network had specialized device monitoring and management requirements and had highly restricted access and enforcement constraints.

The third case is a global company in the oil and gas industry with 20,000 devices deployed that faced numerous compliance and advanced threat challenges. Beyond federal and industry standards, the continued exposure to malware and other endpoint threats led this organization to evaluate NAC. It rejected many early products due to their lack of maturity, dependence on endpoint agents, limited enforcement options and enforcement granularity, and the solutions' complexity and cost. This company also chose ForeScout CounterACT for many of the same reasons as the retailer, but their primary drivers were guest management and protection from self-propagating threats such as those introduced by guests, contractors, and BYOD devices. Additional factors were an administrator-friendly management interface, the ability to meet requirements while leveraging existing network infrastructure without forcing LAN switch upgrades, no requirement for endpoint agents, and no need for inline deployment. Now ForeScout provides comprehensive visibility throughout the network, controlling network access across 20,000 devices. CounterACT's ability to leverage existing infrastructure enables this company to manage multiple endpoints on a single switch port, giving security administrators access to valued CounterACT capabilities such as dynamic control of ACLs in existing network infrastructure for enforcement. This simplified their deployment strategy by giving them a wider set of enforcement options, including reduced dependence on VLAN-based enforcement. ForeScout also supported their expansion to deploy next-gen NAC in their ICS environment, further strengthening their overall security posture.

The final case is one of the top 10% of USA collegiate education institutions. Among its challenges were scale and the desire to allow any device access to facilitate learning. They needed enforcement across a combination of 13 campuses and satellite locations as well as support for nearly 70,000 students and a large array of student-owned devices simultaneously connected to its core network 7x24x365. Due to the number of students and devices as compared to IT staff, and the high target rate of students by attackers, continuous monitoring and automation of device addition and threat mitigation/containment were also core operational requirements. Additionally, students were not paid employees, but paying customers that required access as part of their services. Access could not be binary but required evaluation via multiple qualifications such as the type of user, type of connected device, and the device configuration prior to an enforcement decision being rendered. Lastly, they needed a solution that could support their multitude of privacy controls such as Payment Card Industry (PCI), Family Educational Rights and Privacy Act (FERPA), and Health Insurance Portability and Accountability Act (HIPAA).

With the tremendous volume of unmanaged devices creating a vast attack surface and the continual attacker/malware onslaught against student devices, continuous, real-time network visibility and automated network control and threat mitigation were paramount. New unmanaged devices were introduced daily, requiring an agentless solution to discover, classify, and evaluate introduced devices against existing policies both pre- and post-admission on both the wireless and wired networks across all control zones. After a thorough review of multiple solutions, including vendors already providing other control and management technologies, the institution selected ForeScout CounterACT for several key reasons. First and foremost, CounterACT did not require agents. CounterACT was able to support devices introduced on both the wired and wireless networks without the need to change any of the existing infrastructure. CounterACT was able to automate device enrollment and deliver full, continuous network visibility into the devices accessing the network, as well as providing extensible policy enforcement capabilities. Finally, ForeScout ControlFabric allowed them to further integrate with other security solutions already deployed, providing not only better controls, but improved compliance reporting and increased return on security investment (ROSI).

The above organizations praise CounterACT's overall usability and means for discovering and recognizing a wide range of endpoint devices, the ability to monitor and enforce policy before endpoints connect as well as for the duration of their connection, and the ease with which policies can be rolled out based on role and severity. The ability to perform deep interrogation of endpoint devices in real time without requiring persistent endpoint agents gives these companies significantly greater operational visibility and a high degree of insight into each endpoint. When coupled with CounterACT's integrated functionality, repertoire of enforcement capabilities, and interoperability from its ControlFabric architecture, ForeScout delivers more flexible and granular policy to determine the right course of action in each case. These companies point to cost savings from reduced remediation of security issues at the endpoint, lowered risks of data loss, and improved compliance with both regulatory and security policies.

EMA Perspective

When organizations pause to consider the many security and regulatory requirements on IT intended to reduce risk and the increasing threat of targeted malware, they will quickly realize how much the endpoint becomes the focus of concern. It is the point at which users interact with technology and sensitive information resources. It is where organizations are often most directly exposed to risk, from exposure to uncontrolled networks, to insecure or non-compliant endpoints, and to changes in the nature of the endpoint itself, including the use of personal and mobile devices that introduce entirely new challenges to business IT. Clearly, data is the ultimate target of today's attackers, so organizations must have continuous monitoring and mitigation to properly secure their data. These factors all led to the rise of network access control as a strategy. NAC effectively adds continuous endpoint access and compliance monitoring and enforcement as a comprehensive layer of defense to complement perimeter, data, and other security countermeasures. With today's more mature next-gen NAC technologies, NAC can be applied to a broader set of use cases that improve security controls and risk management through improved automation of threat prevention, detection and response.

Traditional perimeter controls and corporate devices under management are substantively affected by the adoption of wireless networks, cloud-based applications and personal mobile devices. NAC is more than access authentication solely derived from identity and managed devices; it provides a full range of options for supporting different types of users, devices, policies, and enforcement. Next-gen NAC allows organizations to gain greater intelligence and policy-based control over all known and rogue, wired and wireless, PC and mobile devices requesting access to, or operating on, their network. By providing security services for both managed and unmanaged devices without disrupting user experience, imposing network infrastructure upgrades, or requiring agent installation, they will be successful.

However, enterprises considering next-gen NAC solutions must recognize that they too must take a well-prepared approach to NAC evaluation and deployment. IT organizations must understand requirements for aligning policy and defining the scope of their efforts. They must anticipate the impact on operational processes and find solutions that best fit their unique requirements. Those that do so will be best prepared to understand the need for flexibility in a wide range of capabilities for endpoint device recognition and policy response and the value of making this capability compatible with existing infrastructure and management processes. These are the organizations that will be best able to make the most of what next-generation NAC has to offer in fulfilling the promise of technology that deals with a broad range of network access and endpoint compliance needs.

About ForeScout

ForeScout enables organizations to continuously monitor and mitigate security exposures and cyberattacks. The company's CounterACT appliance dynamically identifies and assesses network users, endpoints and applications to provide visibility, intelligence and policy-based mitigation of security issues. ForeScout's open ControlFabric architecture allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout's solutions are easy to deploy, unobtrusive, extensible and scalable, as of January 1, 2015, they have been chosen by more than 1,800 of the world's most secure enterprises and government agencies in over 54 countries. Headquartered in Campbell, California, ForeScout offers its solutions through its global network of authorized partners. Learn more at

i EMA research report: The Evolution of Data Driven Security
ii ibid
iii See for further detail.


More information

Say Yes to BYOD How Fortinet Enables You to Protect Your Network from the Risk of Mobile Devices WHITE PAPER

Say Yes to BYOD How Fortinet Enables You to Protect Your Network from the Risk of Mobile Devices WHITE PAPER Say Yes to BYOD How Fortinet Enables You to Protect Your Network from the Risk of Mobile Devices WHITE PAPER FORTINET Say Yes to BYOD PAGE 2 Introduction Bring Your Own Device (BYOD) and consumerization

More information

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Enterprise Guest Access

Enterprise Guest Access Data Sheet Published Date July 2015 Service Overview Whether large or small, companies have guests. Guests can be virtually anyone who conducts business with the company but is not an employee. Many of

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

ForeScout CounterACT. Configuration Guide. Version 1.1

ForeScout CounterACT. Configuration Guide. Version 1.1 ForeScout CounterACT Hybrid Cloud Module: VMware NSX Plugin Version 1.1 Table of Contents About VMware NSX Integration... 3 Use Cases... 3 Additional VMware Documentation... 3 About this Plugin... 3 Dependency

More information
