ForeScout Insight

The market has spoken yet again in favor of easily-implemented, switch-agnostic network access control solutions. This month, InfoWorld awarded Virginia’s Culpeper County Government their prestigious InfoWorld 100 Award for the agency’s cyber security initiative and implementation of ForeScout CounterACT.

In addition to this award, in the last three months ForeScout has received a 5-star rating from SC Magazine, was named a finalist in the Government Security News 2009 Homeland Security Award, and won the 2009 Best Deployment Scenario award from Info Security.

In today’s environment, organizations must balance the demand for heightened network security with the need for immediate return on their investments. Vast overhauls to the network infrastructure are expensive. Customers don’t want it.

Culpeper County selected ForeScout over other NAC vendors because ForeScout was the only solution which they looked at (and they looked at 8 different NAC solutions) which could be deployed with zero upgrades or changes to the network infrastructure. ForeScout CounterACT plugged into Culpeper County’s existing network and began delivering immediate value.

The market research firm Infonetics recently commented that the latest generation of NACsolutions is far more easily deployed than the first generation. We agree, and we are happy to be leading the charge.

by T. Kent Elliott, CEO, ForeScout Technologies

Every viable security program must start with identifying real vulnerabilities in realtime. Speaking from the White House on the topic of his Cyber Security Plan, President Obama promised to make sure “…the nation’s core digital infrastructure is treated as a national asset.” A national asset, yes, but also a very personal one, the integrity of which affects our quality of life and confidence we hold for the future.

Obama properly pointed out: “Given the enormous damage that can be caused by even a single cyber attack, ad hoc responses will not do. Nor is it sufficient to simply strengthen our defenses after incidents or attacks occur…we have to have plans and resources in place beforehand, sharing information, issues warnings, and ensuring a coordinated response.”

Yes! And “we the people” must also understand what’s included in “America’s digital infrastructure” so we know:
• what systems and resources we are protecting and which are most critical
• who/what may and must not have access,
• the standards for protection and
• how to ensure realtime compliance to those policies

Common understanding leads to comprehensive defense against malicious cyber attacks, essential since everything in the IT infrastructure is interlinked. Everyone must do their part!

ForeScout’s CounterACT appliances safeguard against cyber attacks today, protecting more than 2.5 million devices in 700 of the world’s most secure enterprises, institutions, agencies, and military installations with global deployments spanning 37 countries. This unique position will help us assist the nation in answering and implement realtime solutions for setting and enforcing policies as well as directing remediating for violations to them – before an attach occurs.

Already we control and enforce access at federal, state and local government bodies as well as at highly competitive and at-risk enterprises within banking, trading, oil & gas, advertising, research, retail, manufacturing and entertainment sectors. We work with military counter-intelligence and security experts who operate within the most dynamic forefronts of cyber-surveillance and counter-surveillance today. And we continue to use information gleaned from these engagements to further equip CounterACT to be the industry’s leading anti-cyber-attack appliance.

Realtime visibility exposes realtime vulnerabilities and realtime attacks allowing CounterACT to enforce repair, disconnect or quarantine in a VLAN until repair, erect a realtime virtual firewall around a vulnerable device all through actually directing the switching fabric dynamically. CounterACT follows military countermeasure protocols – instead of only trying to stop every attack (only one needs to get through to destroy a site) – CounterACT identifies and destroys the capability of the himself itself – destruction of the attack point automatically stop all of their attacks – accurately – in real time – 24/7/365 – while continuously monitoring for changes so that real vulnerabilities can be detected and protected before a breach can occur.

CounterACT’s extensive plug-in library enables immediate and straightforward integration with an existing network without the need for wholesale replacement, thus speeding time (reducing cost) to protection.

CounterACT’s underpinning success comes from delivering Realtime Visibility to detect/treat Realtime Vulnerabilities preventing Realtime Violations & Exploits within government agencies and large enterprises.

Please accept our invitation to join us to learn more at our upcoming webinar, “Gaining Visibility and Control of the Dynamic Network with NAC .”

by T. Kent Elliott, CEO, ForeScout Technologies

Tomorrow, President Barack Obama will unveil his much anticipated cyber security report, a move that is likely to have significant impact on the security industry. President Obama has identified cyber attacks –such as those on the NYPD, Dalai Lama, the Pentagon’s Joint Strike Fighter and the U.S. electrical grid — as one of the most significant threats facing our national security. Obama has pointed out that the increased use of Web 2.0 applications and peer-to-peer architecture are making it easy for hackers to maintain armies of hijacked computers. And he has called upon federal, state and local government agencies to take steps to increase security, protect against malware and reduce insider threat.

But what can be done?

According to Steven Cooper, former CIO of both the American Red Cross and US Department of Homeland Security, and founding partner of Strativest: “It is becoming more critical for federal government agencies — and their suppliers — to consider adopting key enterprise security technologies like NAC, which successfully protect global enterprises against hackers and malware today.”

With a growing number of federal, state and local government customers, ForeScout is in a unique position to address the threats to the US infrastructure and the challenges the government faces in managing these threats to protect its citizens and their personal and national economies.

At times like these, hype and anxiety often reaches its peak. It is important to remember the basics and avoid sensational theories and ambitions that simply act to multiply the risks.

There are manageable and measureable steps that government administrations and companies, alike, can take to improve infrastructure security that will not force the nation to reinvent the wheel, but deploy current proven best practices such as:

• Identify the real vulnerabilities.
  We have to understand the scope of the issue. Many government agencies and companies have network infrastructure and users spread across multiple buildings and locations … all with varying levels of security. In realtime, you have to know who/what has access to your network, where it is and how compliant it is to your well thought-out policies … before you can protect it. As we found in working with enterprises and local government agencies such as the FAA, the US Army and Albany County, network discovery and asset management are fundamental baselines critical to identifying then eliminating real network vulnerabilities.
• Prepare to address evolving threats.
  Over the last year we have seen cyber threats take a variety of forms, from malware to peer-to-peer network breaches, to man on the inside attacks and cyber espionage launched via USB thumb storage drives. As ForeScout has found in working with government agencies to help ban the use of external computer flash drives at mission-critical locations, remove threatening peer-to-peer applications on endpoints, seeing zero-day morphing of existing worms into new, unknown attacks, etc, whatever solution the government puts in place must have the ability to respond to these evolutionary threats. ForeScout, knowing all security policies of the organization, immediately detects existing, evolving and emerging threats and violations, enabling the agency to take immediate, automatic, appropriate actions from terminating connectivity, disable a device or uninstalling a risky, banned applications – automatically, without human intervention … once the policy is established and put into enforcement mode.
• Avoid rip and replace tactics.
  The US government is already spending excessive amounts of money trying to reboot the economy – but too much money can permit easy knee jerk reactions complicating an already existing challenge. From a security expert point of view, the ripping out and replacement of network infrastructure should be the last thing we try to do with these cyber security efforts. Vast overhauls to the network infrastructure across local, state and federal levels, seriously delays protection and risk – actually increasing vulnerabilities. While new deployments attempt to be made stabilized over a very lengthy process, inherent vulnerabilities within the new infrastructure rear themselves, adding to the dangers – counter to the objectives. As has been successfully experienced in all ForeScout installations, the security technology within the company’s CounterACT product, mesh with and into already existing, stabilized heterogeneous IT infrastructures. Therefore, CounterACT brings heightened, field proven security against cyber threats without the requirement to make major IT changes, bringing speedy security capacity to vulnerable networks.
• Choose scalable solutions that automate baseline security operations.
  The network is always dynamic with never-ending comings and goings of equipment, applications, people and internet connectivity, each bringing their own threats and exposure. Automation with proven Network Access Control appliances such as CounterACT, that are accurate, provide real-time base-lining of security posture, conduct immediate and timely assessment then enforcement/remediation, is the only way to protect the enormity of the infrastructure from the magnitude of each problem that is in a constant case of flux, from case to case and moment to moment.

As the nation moves forward, we must remain wise about the solutions we put in place, using prudence to build upon current network strengths, adding to them, bolstering, making them dynamic in response to evolving threats rather than in a panic, not knowing what to do, throw an untested, non-stabilized, lengthy to deploy infrastructure at the problem.

CounterACT makes today’s static but stabilized network infrastructure dynamic, equal to the dynamics of the ever changing threats. CounterACT provides an automated/scalable infrastructure-agnostic solution for network access control that has been proven in real-life deployment across global networks to be well-equipped to address the needs of Executive, Federal and State government agencies. CounterACT has been certified after rigorous testing and field deployed in numerous US government agencies today: it is, in fact, the only approved NAC solution currently on the US Army purchase list (AIAAPL).

Solutions like CounterACT are required to close the security gaps in the Department of Homeland Security and other US networks while mitigating the rising cost of security. It is our earnest hope that those in a position to make technology recommendations and decisions – the spokespeople of BENS.org, the contract leads at Booz Allen Hamilton, the Obama appointees such as Melissa Hathaway or even Admiral Dennis Blair – will make wise, prudent and fiscally sensible choices.