ForeScout Extended Module for Splunk

Similar documents
Technical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform

Abstract. The Challenges. ESG Lab Review Lumeta Spectre: Cyber Situational Awareness

Vectra Cognito Automating Security Operations with AI

Abstract. The Challenges. ESG Lab Review Proofpoint Advanced Threat Protection. Figure 1. Top Ten IT Skills Shortages for 2016

Top 10 most important IT priorities over the next 12 months. (Percent of respondents, N=633, ten responses accepted)

ForeScout ControlFabric TM Architecture

Closing the Hybrid Cloud Security Gap with Cavirin

An All-Source Approach to Threat Intelligence Using Recorded Future

Shavlik Protect: Simplifying Patch, Threat, and Power Management Date: October 2013 Author: Mike Leone, ESG Lab Analyst

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

with Advanced Protection

Abstract. The Challenges. ESG Lab Review InterSystems IRIS Data Platform: A Unified, Efficient Data Platform for Fast Business Insight

ThreatConnect TC Complete Security Operations and Analytics Platform

(TBD GB/hour) was validated by ESG Lab

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

Symantec Security Monitoring Services

ESG Lab Review RingCentral Mobile Voice Quality Assurance

ESG Lab Review High-fidelity Breach Detection with Acalvio Autonomous Deception

Endpoint Security Must Include Rapid Query and Remediation Capabilities

align security instill confidence

Next-generation Endpoint Security and Cybereason

ForeScout CounterACT Pervasive Network Security Platform Network Access Control Mobile Security Endpoint Compliance Threat Management

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

SIEM Solutions from McAfee

NEXT GENERATION SECURITY OPERATIONS CENTER

SIEM: Five Requirements that Solve the Bigger Business Issues

Abstract. The Challenges. The Solution: Veritas Velocity. ESG Lab Review Copy Data Management with Veritas Velocity

i365 EVault for Microsoft System Center Data Protection Manager Date: October 2010 Authors: Ginny Roth, Lab Engineer, and Tony Palmer, Senior Engineer

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

THE ACCENTURE CYBER DEFENSE SOLUTION

IBM Data Protection for Virtual Environments: Extending IBM Spectrum Protect Solutions to VMware and Hyper-V Environments

ForeScout App for Splunk

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Enabling Hybrid Cloud Transformation

ForeScout Extended Module for Carbon Black

ESG Lab Review Accelerating Time to Value: Automated SAN and Federated Zoning with HPE 3PAR and Smart SAN for 3PAR

Securing the Evolving Enterprise Network Inside and Out

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

RSA NetWitness Suite Respond in Minutes, Not Months

Managed Endpoint Defense

Video Surveillance Solutions from EMC and Brocade: Scalable and Future-proof

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

A Practical Guide to Efficient Security Response

External Supplier Control Obligations. Cyber Security

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

GDPR: An Opportunity to Transform Your Security Operations

Integrated, Intelligence driven Cyber Threat Hunting

Security Operations & Analytics Services

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Lab Validation Report

SIEMLESS THREAT DETECTION FOR AWS

Flash Storage-based Data Protection with HPE

McAfee Endpoint Threat Defense and Response Family

Security Automation. Challenge: Automatizzare le azioni di isolamento e contenimento delle minacce rilevate tramite soluzioni di malware analysis

NetApp Clustered Data ONTAP 8.2 Storage QoS Date: June 2013 Author: Tony Palmer, Senior Lab Analyst

Aligning with the Critical Security Controls to Achieve Quick Security Wins

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

CyberArk Privileged Threat Analytics

Forescout. eyeextend for Carbon Black. Configuration Guide. Version 1.1

Mastering The Endpoint

Dell EMC Isilon All-Flash

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

esendpoint Next-gen endpoint threat detection and response

ALIENVAULT USM FOR AWS SOLUTION GUIDE

STAY ONE STEP AHEAD OF THE CRIMINAL MIND. F-Secure Rapid Detection & Response

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

White. Paper. The Application Deluge and Visibility Imperative. How to Ensure Network Performance for Your Business-critical Applications.

Hyperconverged Infrastructure: Cost-effectively Simplifying IT to Improve Business Agility at Scale

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

MITIGATE CYBER ATTACK RISK

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

ForeScout Extended Module for Splunk

TRUE SECURITY-AS-A-SERVICE

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Running Splunk on VxRack FLEX

SIEMLESS THREAT MANAGEMENT

Cloud Migration Strategies

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

Best Practices in Securing a Multicloud World

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Transforming Security from Defense in Depth to Comprehensive Security Assurance

ForeScout Extended Module for Splunk

The Role of Converged and Hyper-converged Infrastructure in IT Transformation

Comprehensive DDoS Attack Protection: Cloud-based, Enterprise Grade Mitigation F5 Silverline

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

THE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE

The McGill University Health Centre (MUHC)

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Integrating Okta and Preempt Detecting and Preventing Threats With Greater Visibility and Proactive Enforcement

locuz.com SOC Services

Transcription:

Enterprise Strategy Group Getting to the bigger truth. ESG Lab Review ForeScout Extended Module for Splunk Date: May 2017 Author: Tony Palmer, Senior Lab Analyst Abstract This report provides a first look at the key benefits of ForeScout s bidirectional integration with Splunk Enterprise and Splunk Enterprise Security (ES), with a focus on how the ForeScout Extended Module can combine ForeScout s endpoint insight, access control, and automated response capabilities with Splunk s correlation, analysis, and search features. This integration provides visibility into and control of managed and unmanaged endpoints while helping security teams better understand their security risk posture and respond quickly to mitigate security issues. The Challenges According to ESG research, cybersecurity initiatives were cited by 32% of respondents as their most important IT initiative in 2017. 1 This is hardly surprising, considering the multitude of cyber security incidents organizations are experiencing. In a 2016 research project conducted by ESG and the Information Systems Security Association (ISSA), 39% of cybersecurity professionals say that their organization has experienced one or more incidents resulting in the need to reimage one or more endpoint or server, 27% have experienced a ransomware incident, and 20% have experienced at least one security incident that disrupted a business application. 2 Figure 1. Most Important IT Initiatives for 2017 Which of the following IT initiatives will be the most important (i.e., number 1) for your organization over the course of 2017? (Percent of respondents, N=641) Strengthening cybersecurity tools and processes Using data analytics for real-time business intelligence and customer insight Use of public cloud for applications and infrastructure Data center modernization (i.e., highly virtualized and automated data center) Mobility (i.e., providing employees and customers with mobile access to applications and IT resources) Reinventing application development processes for a mobile- and cloud-centric world 9% 17% 15% 15% 12% 32% Source: Enterprise Strategy Group, 2016 Adding to these challenges is an increasing skills gap in cybersecurity. Forty-five percent of organizations claim that they have a problematic shortage of cybersecurity skills, the most cited response by a wide margin. 3 The increase in mobile, personal, transient, and even virtual devices leaves many organizations unaware of a significant percentage of the endpoints on their networks. These devices are either not under management, have nonfunctional agents, or are only detected during intermittent scans. 1 2 Source: ESG/ISSA Research Report: Through the Eyes of Cyber Security Professionals: Annual Research Report (Part II). December 2016. 3 This ESG Lab Review was commissioned by ForeScout and is distributed under license from ESG.

Lab Review: ForeScout CounterACT Extended Module for Splunk 2 The Solution: The ForeScout Extended Module for Splunk The ForeScout CounterACT platform is designed to provide continuous security monitoring and mitigation for an organization s devices, both traditional and nontraditional, when they connect to the network. ForeScout s goal is to provide IT organizations with comprehensive insight into their endpoint landscape and compliance, and to address network access and threat management challenges. ForeScout CounterACT integrates with Splunk Enterprise and Splunk ES via the ForeScout Extended Module for Splunk. Organizations use Splunk Enterprise to obtain operational intelligence by collecting and indexing logs and machine data from their infrastructure and security tools. Splunk provides search, analysis, and visualization capabilities to help quickly discover and share insights. Splunk Enterprise Security (ES) extends the power of Splunk Enterprise, designed to streamline security operations, improve threat management, and minimize business risk. Unmanaged, bring-your-own-device (BYOD), guest, and Internet of Things (IoT) endpoints are often unpatched, lack security agents, and include unauthorized applications. Hence, they can serve as network-attached launching points for threats. By combining ForeScout s endpoint visibility, access control, and automated response capabilities with Splunk ES, customers can also leverage the joint solution and Splunk Adaptive Response framework for closed-loop remediation and threat mitigation. With this joint solution, security teams can store CounterACT data in Splunk for long-term trend analysis, visualization, and incident investigation; identify anomalous behavior and events based on CounterACT data; correlate high-value endpoint context from CounterACT with other data sources like advanced threat detection (ATD), vulnerability assessment (VA), endpoint protection platforms (EPP), endpoint detection and response (EDR) systems, and next-generation firewalls to identify and prioritize incidents; and initiate CounterACT network and host actions from Splunk to automate incident response, remediation, and threat mitigation. Figure 2. ForeScout Integration with Splunk Enterprise and Splunk ES Splunk helps organizations to comply with log retention mandates buy storing the data sent to it by CounterACT. Information sent to Splunk includes real-time inventory of connected devices on the network from traditional corporate PCs, servers, and mobile devices to BYOD and IoT devices. ForeScout sends detailed device information on device type, classification, network connection, operating system, applications, users, and peripherals, for example. Device security posture and compliance gaps are also reported, along with authentication, access, network location information, and threat indicators on devices detected by IOC scanning.

ESG Lab Tested Lab Review: ForeScout CounterACT Extended Module for Splunk 3 ESG Lab walked through ForeScout CounterACT s integration with Splunk Enterprise and Splunk ES to validate the ability of the joint solution to detect anomalies, provide context for correlation and incident prioritization, and provide automated, closed-loop incident response. ESG Lab configured the integration between ForeScout CounterACT and Splunk in just two steps. First, ESG Lab configured the Extended Module for Splunk to connect to a Splunk HTTP Event Collector CounterACT can also send detailed endpoint data and third-party alerts to Splunk using Syslog or REST API. Next, the ForeScout App for Splunk was configured to send alerts and messages to CounterACT. The whole process took less than a minute. At this point, we were ready for our first scenario, which ForeScout refers to as a multi-stage correlated action, where the information sharing between products results in a chain of events that helps customers limit risk factors in their environment. Figure 3. ForeScout App for Splunk Summary Dashboard Connection, Compliance, and Classification CounterACT sends real-time information to Splunk for long-term storage and Splunk maintains a database of information from CounterACT and multiple other systems for analysis and correlation. Keeping that data for an extended period allows organizations to run trend and compliance reports over an extended timeframe, as shown in Figure 3. The ForeScout App for Splunk Summary Dashboard visualizes information provided by ForeScout CounterACT to Splunk. The report is divided into three sections: Online, Compliance, and Device Classification. The Online chart in the upper left shows a representation of the number of endpoints that CounterACT sees and shows how many are online versus offline. Similarly, the Compliance chart shows the endpoints compliance status. Device Classification reports on what types of endpoints are on the network. Below all three charts are trend timelines that show how these three categories have changed over time. ESG Lab also looked at anomaly detection. In this example, the Splunk operator created a baseline for user authentications and the deviation that would be considered an anomaly. When ForeScout forwarded data for authentication attempts that deviated from the baseline based on frequency, location, time, or system, an anomaly detection alert was generated by Splunk. Next, endpoint context was examined. In our test environment, an IPS system sent an alert to Splunk about a potentially compromised system. Splunk used the user and device context and classification to confirm whether the event was malicious, in this case escalating the severity of the event. Splunk can also reduce severity if the event is determined to be benign. Finally, ESG Lab looked at the capability of ForeScout and Splunk to provide automated, closed-loop incident response. In this scenario, an ATD system identified an IOC and sent an alert to ForeScout and Splunk. ForeScout sent detailed endpoint context to Splunk for further analysis, and Splunk correlated the threat data from the ATD system, endpoint context from

Lab Review: ForeScout CounterACT Extended Module for Splunk 4 ForeScout, and data from other threat feeds to determine which endpoints were truly compromised. The Splunk operator sent an action request to ForeScout to release non-compromised endpoints and to block compromised endpoints. CounterACT can take a wide variety of policy-based host- or network-based actions, including warning the user via a pop-up http notification, killing the running process, assigning the device to a new VLAN, or applying a virtual firewall to isolate the device, as shown in Figure 4. ForeScout sends results data back to Splunk for review in the Incident Review dashboard, attached to the Notable Event which triggered the action requests. Figure 4. ForeScout CounterACT Policy Actions Why This Matters With the rapidly evolving threat landscape growing more difficult to manage, it s no wonder that cybersecurity initiatives represented the IT priority most often cited by ESG research respondents in 2017. 4 Splunk provides the ability to collect large amounts of information from multiple sources, including security systems, network devices, users, and IoT devices. The ability to collect, store, analyze, and correlate this information is an asset but requires manual intervention. With a significant number of unmanaged endpoints on organizations networks, whether BYOD, corporate assets with nonfunctional agents, or IOT devices, a solution that can enable organizations to automatically detect, respond to, and mitigate threats is needed. ESG Lab has validated that ForeScout CounterACT detects and profiles endpoints as they connect to the network whether managed or unmanaged and deeply integrates with Splunk Enterprise and Splunk ES to continuously monitor and remediate endpoint vulnerabilities and security gaps and provide automated, closed-loop incident response to attacks and security breaches, which improves an organizations security posture. 4

The Bigger Truth Lab Review: ForeScout CounterACT Extended Module for Splunk 5 The unprecedented diversity of users, devices, and applications on networks where employees, contractors, guests, and partners often use personal devices to connect to their own sets of network resources challenges businesses to efficiently provide appropriate network access to authorized and approved users, devices, applications, and systems. Splunk Enterprise enables organizations to acquire operational intelligence through analysis of logs and machine data from their infrastructure and security tools. Search, analysis, and visualization capabilities are designed to help operators quickly discover and share insights. Splunk Enterprise Security (ES) extends the power of Splunk Enterprise, designed to streamline security operations and improve threat management, with a goal of minimizing business risk. ESG Lab was quite impressed with ForeScout CounterACT s ability to enable organizations using Splunk to efficiently address network access, endpoint compliance, mobile security, and threat mitigation. In ESG Lab testing, CounterACT delivered realtime intelligence about devices, applications, and users on the network to Splunk, with granular controls to help enforce endpoint security policy. In addition, information sharing and automation with Splunk helped rapidly address security issues via an automatic closed-loop process. ForeScout CounterACT demonstrated that it can provide visibility, intelligence, and policy-based mitigation of security issues by providing real-time insight into the vulnerabilities and security gaps on managed and unmanaged devices while coordinating security controls and automating responses to rapidly contain threats and breaches. If your organization is currently using or considering Splunk for security intelligence, it would be a smart move to look at how ForeScout CounterACT can work with Splunk to drive efficiency and improve security and compliance postures. All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188. The goal of ESG Lab reports is to educate IT professionals about data center technology products for companies of all types and sizes. ESG Lab reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objective is to go over some of the more valuable feature/functions of products, show how they can be used to solve real customer problems and identify any areas needing improvement. ESG Lab's expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments. www.esg-global.com contact@esg-global.com P.508.482.0188

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback