Archive for the ‘ForeScout’ Category

Could ForeScout CounterACT have stopped Operation Aurora attacks on Google?

Monday, August 2nd, 2010

In January 2010, Google disclosed that sophisticated cyber attacks on its computer systems had resulted in the theft of Google intellectual property. According to sources such as NetworkWorld, the attack, referred to as “Operation Aurora”, originated in China and was directed at some 100 companies or entities. The attackers entered via Instant Messenger (IM) and leveraged a vulnerability in Internet Explorer to upload a malicious payload. The malware was then used to try to steal intellectual property and gain access to customer data.

It may seem, at first, that corporations looking to protect themselves from an attack of this type have limited options. Experts such as Gartner, as well as some vendors, have gone as far as to recommend disruptive measures such as uninstalling Internet Explorer companywide or the use of application whitelisting. While these approaches may solve the problem, they come at a great cost. Application whitelisting in particular is disruptive to business productivity.

Could an integrated security appliance which includes network access control, network threat protection and endpoint security enforcement – such as ForeScout CounterACT – stop such an attack? It is quite possible.

In a New York Times article, “Cyberattack on Google Said to Hit Password System,” John Markoff explains how the Google attack started with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program.  By clicking on a link, the employee unintentionally provided access to his personal computer and then to Google’s network.

ForeScout CounterACT allows a corporation to gain control of its endpoints and enforce security policies. CounterACT can prevent the use of IM and peer-to-peer applications. If Google had a corporate policy against external instant messaging – and a way to enforce it – perhaps the threat would never have penetrated their network.

If the attack did not enter via IM but came in another way, could CounterACT have stopped it? As many have pointed out, in persistent threats such as Operation Aurora, the sole purpose is to get around firewalls, antivirus software, intrusion detection systems and other controls. Before this can happen, an attack such as this must gather information about potential vulnerabilities and configurations by scanning and probing the network. ForeScout’s CounterACT detects attackers’ reconnaissance and responds to it with counterfeit information. If an intruder attempts to use this information to attack the network, he has proven his malicious intent and can be blocked before the network is compromised.
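The detect-deceive-block sequence described above, as an added illustration that is not CounterACT code: a small monitor reads constructed flow records, marks a source as scanning once it has touched many distinct targets, and blocks any source that connects to a decoy address that only ever appears in counterfeit reconnaissance answers. The decoy table, thresholds and log lines are all constructed for the example.

```python
"""Deception-based reconnaissance detection over constructed flow records.

Added example, not CounterACT's implementation.  Decoys are addresses that no
legitimate host has a reason to contact; a source that reaches one has acted
on counterfeit information and is blocked for every later flow.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed: decoy (address, port) pairs handed out in fake scan responses.
DECOYS: Set[Tuple[str, int]] = {("10.0.0.200", 445), ("10.0.0.201", 3389)}
SCAN_THRESHOLD = 5  # distinct (dst, port) targets from one source before it is marked scanning

# Constructed flow log, one record per line: "<ts> <src> <dst> <dport>"
FLOW_LOG = """\
1 10.0.5.7 10.0.0.10 443
2 10.0.5.9 10.0.0.10 80
3 10.0.5.9 10.0.0.10 22
4 10.0.5.9 10.0.0.11 80
5 10.0.5.9 10.0.0.11 22
6 10.0.5.9 10.0.0.12 80
7 10.0.5.9 10.0.0.200 445
8 10.0.5.9 10.0.0.10 443
9 10.0.5.7 10.0.0.11 22
"""


class DeceptionMonitor:
    def __init__(self) -> None:
        self.targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
        self.scanning: Set[str] = set()   # sources that have swept many targets
        self.blocked: Set[str] = set()    # sources that touched a decoy

    def handle(self, src: str, dst: str, dport: int) -> str:
        """Return the verdict for one flow and update per-source state."""
        if src in self.blocked:
            return "blocked"
        if (dst, dport) in DECOYS:
            # Only a host acting on counterfeit scan data would contact a decoy.
            self.blocked.add(src)
            return "blocked:decoy-touched"
        self.targets[src].add((dst, dport))
        if len(self.targets[src]) >= SCAN_THRESHOLD:
            # Reconnaissance detected; traffic still passes, but the scanner
            # is now served decoy answers instead of real inventory.
            self.scanning.add(src)
            return "allowed:scanning"
        return "allowed"


def process_log(text: str) -> Tuple[List[Tuple[str, str, str]], DeceptionMonitor]:
    """Replay a flow log; returns (ts, src, verdict) per record plus the monitor state."""
    monitor = DeceptionMonitor()
    verdicts = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        verdicts.append((ts, src, monitor.handle(src, dst, int(dport))))
    return verdicts, monitor


if __name__ == "__main__":
    results, mon = process_log(FLOW_LOG)
    for ts, src, verdict in results:
        print(ts, src, verdict)
    print("scanning:", sorted(mon.scanning), "blocked:", sorted(mon.blocked))
```

The ordinary client 10.0.5.7 is never flagged, while 10.0.5.9 is marked as scanning at its fifth distinct target and blocked the moment it reaches a decoy; the threshold is deliberately low so the sample log stays short.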

As we pointed out in a recent press release, ForeScout CounterACT includes strong post-connect security. Analysts such as Gartner have recently stated that post-connect security is important for NAC products to protect against targeted malware. Few NAC products offer post-connect security as strong as CounterACT’s.

A third control that ForeScout CounterACT offers is the ability to segregate your corporate network and ensure that only authorized people can access sensitive data (like password, finance, CRM, IP servers). Depending on the policies that you establish, CounterACT will give different levels of network access to each type of user — guests, contractors, and employees of various stripes. This kind of internal network hardening makes it harder (or impossible) for an attacker who has compromised one computer to steal data on sensitive servers.

The details surrounding the attack and theft of the software from Google have been a closely guarded secret by the company. It is difficult to tell if a solution like CounterACT could have protected the network without more specifics on the attack. We do know, however, that sophisticated threats such as this are becoming more common. Traditional network security solutions, which are designed to protect against external attack, have become insufficient. Solutions such as ForeScout CounterACT offer a number of ways to protect your internal network without disrupting the productivity of your business.


Thoughts from the RSA show

Wednesday, March 3rd, 2010

RSA show, San Francisco:   This show seems more like a bazaar every year. Opening night there were jugglers on unicycles, pasta bars, light shows. Vendors are pulling out all the stops to make the biggest impression. Kaspersky’s booth is two stories tall, complete with staircase. 

ForeScout’s booth (739) is in the center of the show floor, catty-corner to one of our heated competitors – Cisco. ForeScout is focusing on a very practical message: our products are easier to deploy than Cisco’s, and deliver a lot more value.

Over eighty percent of ForeScout’s customers are Cisco shops who have chosen ForeScout CounterACT because it is vastly easier to deploy.

To illustrate this point, at the ForeScout booth we are providing a real life demonstration comparing Cisco’s approach to ForeScout’s approach.  We are also providing video testimonials of our customers explaining why they chose ForeScout over Cisco, and about the value they get from ForeScout’s product.

Please stop by our booth, # 739. You won’t see jugglers or unicycles, but you will see an eye-opening discussion on NAC implementation and capabilities.


How to Detect, Disable & Remove P2P with CounterACT

Wednesday, March 4th, 2009

As we said in our last blog, CounterACT is able to detect, disable and remove any P2P application running on an endpoint.

ForeScout CounterACT customers will find an easy-to-use peer-to-peer compliance template (including usage guidelines and screenshots) in our online support knowledgebase. CounterACT also supports the creation and use of custom policies.

CounterACT’s clientless foundation offers the flexibility to conduct a remote inspection of the P2P application footprint without requiring a client or agent of any kind. For example, CounterACT can be used to inspect endpoints for any registry entry, file, service, port and/or process.

Note: When we say “without requiring a client or agent of any kind” we mean CounterACT can inspect endpoints for registry entries, files, services, ports and/or processes without relying on a client (Nessus, NMAP, etc.) to conduct compliance checks.

CounterACT also offers many techniques to mitigate the risks associated with peer-to-peer applications. For example:

CounterACT offers a template policy to kill each detected instance of a P2P process.

To complement the “Kill P2P” action, CounterACT offers alert and reporting mechanisms that can be used to auto-enforce “compliance and training” and enable forensics and continued compliance. For example, an email notification might be sent to a user whose laptop is found to be in violation of a “no P2P” security mandate; a copy of the email might be sent to the compliance and forensics staff; repeat offenders might be required to attend a code-of-conduct “refresher” course, etc.

To further alert and train users on corporate policy, CounterACT can be used to trigger other general department- or company-wide alerts (via Syslog/HTTP notifications/emails, etc.).

And to further reinforce the “Kill P2P” action, CounterACT’s powerful Run Script engine (for Windows, Macintosh and Linux operating systems) might be used to automate and centrally manage key remediation actions across the entire network (such as deleting P2P and other application files, deploying anti-virus updates, and more).
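The inspect, kill, notify and escalate flow just described, as an added example rather than CounterACT’s own policy engine or template: a policy object checks a constructed endpoint inventory (processes, listening ports, files, registry keys) against a constructed P2P indicator set, kills matching processes, emails the user with a copy to compliance, logs to syslog, and escalates a user on the second violation. The class and field names (`P2PPolicy`, `Endpoint`, `Finding`) and the indicator values are assumptions made for the example.

```python
"""Endpoint P2P compliance check over a constructed inventory.

Added illustration of the detect / kill / notify / escalate flow; it is not
CounterACT's policy engine or template.  Indicators, host data and action
strings are all constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed indicator set (a real template is maintained centrally and updated).
P2P_PROCESSES = {"utorrent.exe", "limewire.exe", "bittorrent.exe"}
P2P_PORT_RANGE = range(6881, 6890)      # listener range commonly used by BitTorrent clients
P2P_FILE_MARKERS = (".torrent",)
P2P_REGISTRY_MARKERS = ("\\software\\examplep2pclient",)  # placeholder key path, constructed


@dataclass
class Endpoint:
    """What a clientless inspection of one host returned (constructed data)."""
    hostname: str
    user: str
    processes: List[str]
    listening_ports: List[int]
    files: List[str]
    registry_keys: List[str]


@dataclass
class Finding:
    hostname: str
    user: str
    evidence: List[str]
    actions: List[str] = field(default_factory=list)


class P2PPolicy:
    def __init__(self, escalate_after: int = 2) -> None:
        self.violations: Counter = Counter()   # per-user count for repeat-offender handling
        self.escalate_after = escalate_after

    def inspect(self, ep: Endpoint) -> List[str]:
        """Return one evidence string per registry/file/port/process indicator hit."""
        hits = [f"process:{p}" for p in ep.processes if p.lower() in P2P_PROCESSES]
        hits += [f"port:{p}" for p in ep.listening_ports if p in P2P_PORT_RANGE]
        hits += [f"file:{f}" for f in ep.files if f.lower().endswith(P2P_FILE_MARKERS)]
        hits += [f"registry:{k}" for k in ep.registry_keys
                 if any(m in k.lower() for m in P2P_REGISTRY_MARKERS)]
        return hits

    def enforce(self, ep: Endpoint) -> Optional[Finding]:
        """Apply the policy: kill processes, notify, log, escalate repeat offenders."""
        evidence = self.inspect(ep)
        if not evidence:
            return None
        self.violations[ep.user] += 1
        finding = Finding(ep.hostname, ep.user, evidence)
        for e in evidence:
            if e.startswith("process:"):
                finding.actions.append("kill " + e.split(":", 1)[1])
        finding.actions.append(f"email {ep.user} cc compliance@example.invalid")
        finding.actions.append("syslog P2P_VIOLATION " + ep.hostname)
        if self.violations[ep.user] >= self.escalate_after:
            finding.actions.append(f"escalate {ep.user}: code-of-conduct refresher")
        return finding


def demo() -> List[Optional[Finding]]:
    """Run the policy over three constructed endpoints; returns one result per host."""
    policy = P2PPolicy()
    hosts = [
        Endpoint("lt-0042", "jdoe", ["explorer.exe", "uTorrent.exe"], [6881, 135],
                 ["C:\\Users\\jdoe\\Downloads\\movie.TORRENT"],
                 ["HKCU\\Software\\ExampleP2PClient"]),
        Endpoint("lt-0077", "asmith", ["explorer.exe", "outlook.exe"], [135, 445], [], []),
        Endpoint("lt-0043", "jdoe", ["limewire.exe"], [], [], []),   # same user, second hit
    ]
    return [policy.enforce(h) for h in hosts]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Matching is case-insensitive because process and file names on Windows are; the repeat-offender counter is keyed on the user rather than the host so that a user who moves between laptops is still escalated.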

For more information on this topic read the press release.


NAC Plugs P2P Security Holes

Monday, March 2nd, 2009

It is no surprise that workers using common peer-to-peer (P2P) networks to share media files may be putting corporations at risk of data theft. But the problem and potential impact may be larger than we think.

The loss of blueprints for President Obama’s Marine One helicopter (CNET 2/28/09) to a cyber thief in Iran is just one of many recent P2P network breaches.

ForeScout CounterACT’s unique ability to see every IP device connected to the network and control all connections down to the switch port is helping corporate enterprises and federal organizations protect against such theft. With CounterACT, any P2P program running on any IP device on the network can be automatically discovered, shut down, and uninstalled in real time, with or without notification to the end user.

Recent incidents that could have been prevented with CounterACT include:

  • A team of Dartmouth researchers found peer-to-peer (P2P) networks littered with sensitive healthcare information inadvertently made available by employees of hospitals and other healthcare facilities, as well as their collection agencies and other business partners. (Scientific American, 2/20/2009)
  • Wagner Resource Group and Supreme Court Justice Breyer: a peer-to-peer security breach led to the loss of personal information, including birth dates and Social Security numbers, for 800 clients of a Washington-area investment firm, among them Supreme Court Justice Stephen Breyer. (Nextgov, 7/10/09)
  • Citigroup’s ABN Amro Mortgage Group: files containing Social Security numbers and other personal information on over 5,000 customers of Citigroup’s ABN Amro Mortgage Group were inadvertently exposed on an Internet P2P file-sharing network. (Dark Reading, 9/24/2007)

Contact us to learn more about how ForeScout CounterACT can be used to plug P2P security holes in your network.


NAC: Own or Lease?

Wednesday, February 18th, 2009

The acquisition of Mirage Networks by Trustwave, a managed services provider based in Chicago, may leave Mirage NAC users with an unwanted choice: continue to own? or lease?

IT managers who use the full power of NAC to help with their “command central” network security operations today, may think twice about moving to a managed services model.

Those who are interested in looking at a managed services model, may think twice about moving to niche providers focused on selling audits or hard-to-deploy NAC appliances.

ForeScout understands the dilemma and is offering a trade-up program for Mirage NAC appliance owners who’d like to “keep the keys to their business in their own pockets”!

Check out our press release and contact us for more details.

If you’d like to go with a winning MSSP provider, why not give our friends at Verizon Business a call.

When it comes to NAC, go with providers who can truly protect you … inside and out.


NAC and 802.1x

Monday, February 16th, 2009

There’s a world of mixed reviews and predictions as to when 802.1X will see mainstream adoption (2011? 2013? 2015?), enabling port-based network access control at Layer 2. There’s also a steady stream of claims as to what 802.1X-based NAC can and can’t do today (or in the future):

David Newman’s Review
Tim Greene’s Article
Jennifer Jabbusch/Security Uncorked Blog
Joel Snyder/Opus1 Archives

Many folks agree that 802.1X adoption is costly and complex. Some in the industry speculate that – while the standard evolves and matures – there is a need for a solid NAC solution today that supports 802.1X, but is not reliant upon it … that enables strong remediation and enforcement … sidestepping the use of faulty DHCP.

ForeScout customers are spared the worries and waiting, because CounterACT “has them covered”. CounterACT NAC is infrastructure agnostic and supports 802.1X and non-802.1X today … closing the technology gaps and bridging today’s investments to tomorrow’s infrastructures (whatever they may be).

That said … and because our customers ask … we’d like to give a little recap on 802.1X and why it offers the potential for a good NAC authentication standard.

802.1X Basics

802.1X is intended to be a proactive authentication technology that ensures any network traffic being sent is coming from an authenticated user, device, or both. Some administrators believe that 802.1X is a solution for wireless devices only, but it was actually created for campus area networks where devices, users and locations comprise a large part of the network and are always in a dynamic state of flux. The use of IEEE 802.1X offers a framework for authenticating and controlling user traffic to a protected network, as well as dynamically providing many configuration settings.

802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public-key authentication. EAP was originally designed for enterprises that wanted to do more for security than simply employ usernames and passwords for access; it was created to supplement the Point-to-Point Protocol (PPP). PPP is commonly used to authenticate remote users to the corporate or other remote network, and is the standard used for dial-up connections to the Internet. EAP sits inside PPP’s authentication phase and delivers configuration settings in tandem with 802.1X.

With 802.1X, the initial communications begin with an unauthenticated supplicant (the 802.1X term for the client) attempting to connect to an authenticator (the 802.1X term for the wireless access point or switch). The authenticator responds by enabling the port for EAP (authentication) packets only, relaying them from the client to an authentication server located on the target network. All other traffic, such as HTTP, DHCP, and POP3 packets, is blocked by the authenticator until the client is authenticated.

Authentication is rarely performed by the authenticator itself; most network designers verify the client’s identity using an authentication server (almost always RADIUS). Once authenticated, the client (supplicant) may be given configuration information such as an IP address, VLAN membership, a firewall ruleset, and even encryption keys. The basic 802.1X protocol should provide effective authentication regardless of whether or not you wish to provide configuration settings.
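The port behaviour described in the two paragraphs above, as an added toy model that is not ForeScout’s or any vendor’s code and carries no real EAP or RADIUS packet formats: an authenticator port lets only EAPOL frames (EtherType 0x888E) reach a stand-in RADIUS server, drops DHCP and HTTP from an unauthenticated supplicant, and on Access-Accept opens the port and applies the VLAN the server returned. The class names (`AuthenticatorPort`, `FakeRadiusServer`), the credential table and the frame contents are assumptions made for the example.

```python
"""Toy model of an 802.1X authenticator port (added illustration, not vendor code).

Until the supplicant authenticates, the port forwards only EAPOL frames to the
authentication server and drops everything else.  On success the port opens in
single-host mode and the VLAN carried in the (simulated) Access-Accept is applied.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ETHERTYPE_EAPOL = 0x888E  # IEEE 802.1X EAP over LAN
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: Dict[str, str]  # constructed stand-in for the frame body


class FakeRadiusServer:
    """Stand-in for RADIUS: maps (identity, credential) to a VLAN. Constructed data."""

    def __init__(self) -> None:
        self._users = {
            ("alice", "correct horse"): 10,      # employee VLAN
            ("printer-01", "cert:PRN-01"): 20,   # device VLAN
        }

    def access_request(self, identity: str, credential: str) -> Optional[int]:
        """Return the VLAN from a simulated Access-Accept, or None for Access-Reject."""
        return self._users.get((identity, credential))


@dataclass
class AuthenticatorPort:
    radius: FakeRadiusServer
    authorized: bool = False
    vlan: Optional[int] = None
    supplicant_mac: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def receive(self, frame: Frame) -> str:
        """Decide what happens to one frame arriving on the port."""
        if frame.ethertype == ETHERTYPE_EAPOL:
            return self._handle_eapol(frame)          # always relayed to the server
        if not self.authorized:
            self.log.append(f"drop 0x{frame.ethertype:04x} from {frame.src_mac}: port unauthorized")
            return "dropped"
        if frame.src_mac != self.supplicant_mac:
            self.log.append(f"drop from {frame.src_mac}: not the authenticated host (single-host mode)")
            return "dropped"
        self.log.append(f"forward {frame.payload.get('proto')} on vlan {self.vlan}")
        return f"forwarded-vlan-{self.vlan}"

    def _handle_eapol(self, frame: Frame) -> str:
        vlan = self.radius.access_request(frame.payload["identity"], frame.payload["credential"])
        if vlan is None:
            self.authorized = False
            self.log.append(f"Access-Reject for {frame.payload['identity']}")
            return "eap-failure"
        self.authorized, self.vlan, self.supplicant_mac = True, vlan, frame.src_mac
        self.log.append(f"Access-Accept for {frame.payload['identity']} -> vlan {vlan}")
        return "eap-success"

    def link_down(self) -> None:
        """A link drop returns the port to the unauthorized state."""
        self.authorized, self.vlan, self.supplicant_mac = False, None, None


def demo() -> List[str]:
    """Walk one supplicant through the exchange; returns the port's decision per frame."""
    port = AuthenticatorPort(FakeRadiusServer())
    mac = "00:11:22:33:44:55"
    return [
        port.receive(Frame(mac, ETHERTYPE_IPV4, {"proto": "DHCP"})),                          # dropped
        port.receive(Frame(mac, ETHERTYPE_EAPOL, {"identity": "alice", "credential": "wrong"})),
        port.receive(Frame(mac, ETHERTYPE_IPV4, {"proto": "HTTP"})),                          # still dropped
        port.receive(Frame(mac, ETHERTYPE_EAPOL, {"identity": "alice", "credential": "correct horse"})),
        port.receive(Frame(mac, ETHERTYPE_IPV4, {"proto": "HTTP"})),                          # forwarded, VLAN 10
        port.receive(Frame("66:77:88:99:aa:bb", ETHERTYPE_IPV4, {"proto": "HTTP"})),          # other host dropped
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The last frame shows why single-host mode matters on a shared medium: a second device behind an authenticated port gets no access until it authenticates itself, which is the gap that hub-attached or multi-host configurations reopen.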

CounterACT in an 802.1X Environment

CounterACT NAC goes beyond authentication by inspecting the client for compliance with the organization’s client security policies. It helps to verify that anti-virus has been installed, is currently running, has performed a scan in the last 30 days, and that signature (DAT) files are up to date. It can also go beyond anti-virus checking to verify a device has all hotfixes and patches installed, a personal firewall is enabled, and only approved software is installed, and it can even require encryption of the client’s hard drive. Today, CounterACT is able to allow or block access via the device’s USB ports and other removable storage, thereby protecting the organization against information leakage.

In many ways, CounterACT is the glue that holds all of the aforementioned solutions together … in many cases helping IT managers to centrally manage and monitor the security posture of every device/user on the network … thereby making the administration much less expensive and time-consuming.

These elegant solutions, along with better software coding practices, are beginning to blur the line between network and security administration … making it possible for networks to be fully protected from the inside out.


CounterACT Offers 24/7/365 Protection vs. Conficker

Wednesday, February 4th, 2009

When the recent Conficker outbreak wreaked havoc upon Windows-based LANs in enterprises worldwide, CounterACT customers called in to let us know their networks were fully protected thanks to CounterACT.

Conficker (aka Downup, Downadup and Kido) is an aggressive worm that targets Windows-based systems. It’s been estimated that the bug infected over 10 million PCs in just a few short weeks (over a million in a single 24-hour period) … making it one of the most prolific, dangerous and widespread infections in recent times.

Anyone using a Windows-based system was cautioned to verify that their system was free of the Conficker worm and was running the latest, patched version of Microsoft Windows: http://support.microsoft.com/kb/962007

CounterACT users, of course, had the peace of mind that their systems were automatically protected: read the Tech Note or view the webinar to learn why.
