<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ForeScout Insight</title>
	<atom:link href="http://www.forescout.com/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.forescout.com/blog</link>
	<description>News and Views from ForeScout Experts</description>
	<lastBuildDate>Mon, 02 Aug 2010 14:02:55 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Could ForeScout CounterACT have stopped Operation Aurora attacks on Google?</title>
		<link>http://www.forescout.com/blog/?p=193</link>
		<comments>http://www.forescout.com/blog/?p=193#comments</comments>
		<pubDate>Mon, 02 Aug 2010 14:02:55 +0000</pubDate>
		<dc:creator>mattlloyd</dc:creator>
				<category><![CDATA[ForeScout]]></category>
		<category><![CDATA[CounterACT]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Operation Aurora]]></category>
		<category><![CDATA[zero-day vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.forescout.com/blog/?p=193</guid>
		<description><![CDATA[Could ForeScout CounterACT have stopped Operation Aurora attacks on Google? ]]></description>
			<content:encoded><![CDATA[<p>In January 2010, Google disclosed that sophisticated cyber attacks on its computer systems had resulted in the theft of Google intellectual property. According to sources such as <a href="http://www.networkworld.com/news/2010/022710-more-than-100-companies-targeted.html">NetworkWorld</a>, the attack, referred to as <a title="Link to Sophos Operation Aurora resource page" href="http://www.sophos.com/security/topic/operation-aurora.html">&#8220;Operation Aurora&#8221;</a>, originated in China and was directed at some 100 companies or entities. The attackers entered via Instant Messenger (IM) and leveraged a vulnerability in Internet Explorer to upload a malicious payload. The malware was then used to try to steal intellectual property and gain access to customer data.</p>
<p>It may seem, at first, that corporations looking to protect themselves from an attack of this type have limited options. Experts such as <a href="http://blogs.gartner.com/neil_macdonald/2010/01/21/another-lesson-from-the-ie-zero-day-attacks-on-google-the-power-of-whitelisting/">Gartner</a>, as well as some vendors, have gone as far as to recommend disruptive measures such as uninstalling Internet Explorer companywide or using application whitelisting. While these approaches may solve the problem, they come at a great cost. Application whitelisting in particular is disruptive to business productivity.</p>
<p>Could an integrated security appliance which includes network access control, network threat protection and endpoint security enforcement &#8211; such as ForeScout CounterACT &#8211; stop such an attack? It is quite possible.</p>
<p>In a New York Times article, “<a href="http://www.nytimes.com/2010/04/20/technology/20google.htm?_r=1">Cyberattack on Google Said to Hit Password System</a>,” <a title="More Articles by John Markoff" href="http://topics.nytimes.com/top/reference/timestopics/people/m/john_markoff/index.html?inline=nyt-per">John Markoff</a> explains how the Google attack started with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program.  By clicking on a link, the employee unintentionally provided access to his personal computer and then to Google’s network.</p>
<p>ForeScout CounterACT allows a corporation to gain control of its endpoints and enforce security policies.  CounterACT can prevent the use of IM and Peer-to-Peer applications. If Google had a corporate policy against external instant messaging – and a way to enforce it &#8212; perhaps the threat would have never penetrated their network.</p>
<p>If the attack did not enter via IM but came in another way, could CounterACT have stopped it? As many have pointed out, the sole purpose of persistent threats such as Operation Aurora is to get around firewalls, antivirus software, intrusion detection systems and other controls. Before this can happen, the attacker must gather vulnerability and configuration information by scanning and probing the network. ForeScout&#8217;s CounterACT detects attackers&#8217; reconnaissance and responds to them with counterfeit information. If an intruder attempts to use this information to attack the network, he has proven his malicious intent and can be blocked before the network is compromised.</p>
<p>As we pointed out in a recent <a href="../../press_releases/10-03.html">press release</a>, ForeScout CounterACT includes strong post-connect security. Analysts such as Gartner have recently stated that post-connect security is important for NAC products to protect against targeted malware. Few NAC products contain as strong post-connect security as ForeScout CounterACT contains.</p>
<p>A third control that ForeScout CounterACT offers is the ability to segregate your corporate network and ensure that only authorized people can access sensitive data (like password, finance, CRM, IP servers). Depending on the policies that you establish, CounterACT will give different levels of network access to each type of user &#8212; guests, contractors, and employees of various stripes. This kind of internal network hardening makes it harder (or impossible) for an attacker who has compromised one computer to steal data on sensitive servers.</p>
<p>The details surrounding the attack and theft of the software from Google have been a closely guarded secret by the company. It is difficult to tell if a solution like CounterACT could have protected the network without more specifics on the attack. We do know, however, that sophisticated threats such as this are becoming more common. Traditional network security solutions, which are designed to protect against external attack, have become insufficient. Solutions such as ForeScout CounterACT offer a number of ways to protect your internal network without disrupting the productivity of your business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forescout.com/blog/?feed=rss2&amp;p=193</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Enforcing your Acceptable Use Policy</title>
		<link>http://www.forescout.com/blog/?p=186</link>
		<comments>http://www.forescout.com/blog/?p=186#comments</comments>
		<pubDate>Wed, 30 Jun 2010 20:18:57 +0000</pubDate>
		<dc:creator>mattlloyd</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Acceptable Use Policy]]></category>
		<category><![CDATA[AUP]]></category>
		<category><![CDATA[CounterACT]]></category>
		<category><![CDATA[ForeScout]]></category>
		<category><![CDATA[NAC]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[peer-to-peer]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.forescout.com/blog/?p=186</guid>
		<description><![CDATA[Would your company be more secure if all employees knew about and followed the Acceptable Use Policy? The Acceptable Use Policy (AUP) is a cornerstone of IT security.  The AUP defines how a company’s IT resources can be used.  Most companies require all employees to read and sign the AUP, typically when the employee first hires on and annually thereafter.]]></description>
			<content:encoded><![CDATA[<p>Would your company be more secure if all employees knew about and followed the Acceptable Use Policy?</p>
<p>The Acceptable Use Policy (AUP) is a cornerstone of IT security. The AUP defines how a company’s IT resources can be used. Most companies require all employees to read and sign the AUP, typically when the employee first hires on and annually thereafter.</p>
<p>The problem is that this is a perfunctory exercise at best. Most companies do not have a good mechanism for catching employees who violate the AUP. As a result, employees’ awareness of and level of commitment to the AUP is typically very low. In such an environment, it is no wonder that most employees feel that security is unimportant and that taking risks with IT data is acceptable.</p>
<p><a href="http://www.forescout.com/counteract/index.html">ForeScout CounterACT</a> lets you take a proactive stance on your AUP and provide a real sense of user participation in your security program. For example, if your organization’s AUP states that instant messaging (IM) should not be utilized, ForeScout CounterACT can be used to enforce this policy. If an employee installs IM on their company-issued computer, CounterACT can detect this, can notify the employee of the AUP violation, and can direct the employee to the intranet page where the company’s AUP is stored. Education is swift and timely. And the message is given that the organization takes security very seriously.</p>
<p>ForeScout CounterACT is typically purchased for network access control, but this example shows that the product is a whole lot more powerful than just NAC.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forescout.com/blog/?feed=rss2&amp;p=186</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Thoughts from the RSA show</title>
		<link>http://www.forescout.com/blog/?p=183</link>
		<comments>http://www.forescout.com/blog/?p=183#comments</comments>
		<pubDate>Wed, 03 Mar 2010 16:00:58 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[ForeScout]]></category>

		<guid isPermaLink="false">http://www.forescout.com/blog/?p=183</guid>
		<description><![CDATA[RSA show, San Francisco:   This show seems more like a bazaar every year. Opening night there were jugglers on unicycles, pasta bars, light shows. Vendors are pulling out all the stops to make the biggest impression. Kaspersky’s booth is two stories tall, complete with staircase. 
ForeScout’s booth (739) is in the center of the show floor, catty-corner [...]]]></description>
			<content:encoded><![CDATA[<p><strong>RSA show, San Francisco</strong>:   This show seems more like a bazaar every year. Opening night there were jugglers on unicycles, pasta bars, light shows. Vendors are pulling out all the stops to make the biggest impression. Kaspersky’s booth is two stories tall, complete with staircase. </p>
<p>ForeScout’s booth (739) is in the center of the show floor, catty-corner to one of our heated competitors &#8211;  Cisco. ForeScout is focusing on a very practical message: Our products are easier to deploy than Cisco’s, and deliver a lot more value.</p>
<p>Over eighty percent of ForeScout’s customers are Cisco shops who have chosen ForeScout CounterACT because it is vastly easier to deploy.</p>
<p>To illustrate this point, at the ForeScout booth we are providing a real life demonstration comparing Cisco’s approach to ForeScout’s approach.  We are also providing video testimonials of our customers explaining why they chose ForeScout over Cisco, and about the value they get from ForeScout’s product.</p>
<p>Please stop by our booth, # 739. You won’t see jugglers or unicycles, but you will see an eye-opening discussion on NAC implementation and capabilities.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forescout.com/blog/?feed=rss2&amp;p=183</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Market votes again in favor of easily-implemented NAC solutions</title>
		<link>http://www.forescout.com/blog/?p=178</link>
		<comments>http://www.forescout.com/blog/?p=178#comments</comments>
		<pubDate>Fri, 04 Dec 2009 01:25:21 +0000</pubDate>
		<dc:creator>nancyrenzullo</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.forescout.com/blog/?p=178</guid>
		<description><![CDATA[The market has spoken yet again in favor of easily-implemented, switch-agnostic network access control solutions. This month, InfoWorld awarded Virginia’s Culpeper County Government their prestigious InfoWorld 100 Award for the agency’s cyber security initiative and implementation of ForeScout CounterACT.  
In addition to this award, in the last three months ForeScout has received a 5-star [...]]]></description>
			<content:encoded><![CDATA[<p>The market has spoken yet again in favor of easily-implemented, switch-agnostic network access control solutions. This month, InfoWorld awarded Virginia’s Culpeper County Government their prestigious InfoWorld 100 Award for the agency’s cyber security initiative and implementation of ForeScout CounterACT.  </p>
<p>In addition to this award, in the last three months ForeScout has received a 5-star rating from SC Magazine, was named a finalist in the <a href="http://www.gsnmagazine.com/cms/features/news-analysis/2709.html">Government Security News 2009 Homeland Security Award</a>, and won the <a href="http://www.infosecurityproductsguide.com/casestudies/2009/ForeScout.html">2009 Best Deployment Scenario award</a> from Info Security.</p>
<p>In today’s environment, organizations must balance the demand for heightened network security with the need for immediate return on their investments. Vast overhauls to the network infrastructure are expensive. Customers don’t want it.</p>
<p>Culpeper County selected ForeScout over other NAC vendors because ForeScout was the only solution which they looked at (and they looked at 8 different NAC solutions) which could be deployed with zero upgrades or changes to the network infrastructure. ForeScout CounterACT plugged into Culpeper County’s existing network and began delivering immediate value.</p>
<p>The market research firm Infonetics recently commented that the latest generation of NAC solutions is far more easily deployed than the first generation. We agree, and we are happy to be leading the charge.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forescout.com/blog/?feed=rss2&amp;p=178</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Realtime Visibility is Key to Realtime Protection</title>
		<link>http://www.forescout.com/blog/?p=167</link>
		<comments>http://www.forescout.com/blog/?p=167#comments</comments>
		<pubDate>Mon, 15 Jun 2009 01:48:06 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.forescout.com/blog/?p=167</guid>
		<description><![CDATA[by T. Kent Elliott, CEO, ForeScout Technologies
Every viable security program must start with identifying real vulnerabilities in realtime. Speaking from the White House on the topic of his Cyber Security Plan, President Obama promised to make sure “&#8230;the nation&#8217;s core digital infrastructure is treated as a national asset.” A national asset, yes, but also a [...]]]></description>
			<content:encoded><![CDATA[<p><em>by T. Kent Elliott, CEO, ForeScout Technologies</em></p>
<p>Every viable security program must start with identifying real vulnerabilities in realtime. Speaking from the White House on the topic of his Cyber Security Plan, President Obama promised to make sure <a href="http://www.guardian.co.uk/commentisfree/cifamerica/2009/jun/01/obama-us-cybersecurity-tsar">“&#8230;the nation&#8217;s core digital infrastructure is treated as a national asset.” </a>A national asset, yes, but also a very personal one, the integrity of which affects our quality of life and confidence we hold for the future.</p>
<p>Obama properly pointed out: “Given the enormous damage that can be caused by even a single cyber attack, ad hoc responses will not do. Nor is it sufficient to simply strengthen our defenses after incidents or attacks occur…we have to have plans and resources in place beforehand, sharing information, issues warnings, and ensuring a coordinated response.”</p>
<p>Yes! And “we the people” must also understand what’s included in “America&#8217;s digital infrastructure” so we know:<br />
• what systems and resources we are protecting and which are most critical<br />
• who/what may and must not have access,<br />
• the standards for protection and<br />
• how to ensure realtime compliance to those policies</p>
<p>Common understanding leads to comprehensive defense against malicious cyber attacks, essential since everything in the IT infrastructure is interlinked. Everyone must do their part!</p>
<p>ForeScout’s CounterACT appliances safeguard against cyber attacks today, protecting more than 2.5 million devices in 700 of the world&#8217;s most secure enterprises, institutions, agencies, and military installations with global deployments spanning 37 countries. This unique position will help us assist the nation in answering and implementing realtime solutions for setting and enforcing policies as well as directing remediation for violations of them – before an attack occurs.</p>
<p>Already we control and enforce access at federal, state and local government bodies as well as at highly competitive and at-risk enterprises within banking, trading, oil &amp; gas, advertising, research, retail, manufacturing and entertainment sectors. We work with military counter-intelligence and security experts who operate within the most dynamic forefronts of cyber-surveillance and counter-surveillance today. And we continue to use information gleaned from these engagements to further equip CounterACT to be the industry’s leading anti-cyber-attack appliance.</p>
<p>Realtime visibility exposes realtime vulnerabilities and realtime attacks, allowing CounterACT to enforce repair, disconnect or quarantine a device in a VLAN until repair, or erect a realtime virtual firewall around a vulnerable device, all by directing the switching fabric dynamically. CounterACT follows military countermeasure protocols: instead of only trying to stop every attack (only one needs to get through to destroy a site), CounterACT identifies and destroys the capability of the attack point itself. Destruction of the attack point automatically stops all of its attacks &#8211; accurately, in real time, 24/7/365 &#8211; while CounterACT continuously monitors for changes so that real vulnerabilities can be detected and protected before a breach can occur.</p>
<p>CounterACT’s extensive plug-in library enables immediate and straightforward integration with an existing network without the need for wholesale replacement, thus speeding time (reducing cost) to protection.</p>
<p>CounterACT’s underpinning success comes from delivering Realtime Visibility to detect/treat Realtime Vulnerabilities preventing Realtime Violations &amp; Exploits within government agencies and large enterprises.</p>
<p>Please accept our invitation to join us to learn more at our upcoming webinar, <a href="http://www.forescout.com/webinars/dynamicnetwork.html">“Gaining Visibility and Control of the Dynamic Network with NAC .”</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.forescout.com/blog/?feed=rss2&amp;p=167</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Steps to Solving the Cyber Security Dilemma</title>
		<link>http://www.forescout.com/blog/?p=136</link>
		<comments>http://www.forescout.com/blog/?p=136#comments</comments>
		<pubDate>Fri, 29 May 2009 04:27:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.forescout.com/blog/?p=136</guid>
		<description><![CDATA[by T. Kent Elliott, CEO, ForeScout Technologies
Tomorrow, President Barack Obama will unveil his much anticipated cyber security report, a move that is likely to have significant impact on the security industry. President Obama has identified cyber attacks &#8211;such as those on the NYPD, Dalai Lama, the Pentagon&#8217;s Joint Strike Fighter and the U.S. electrical grid [...]]]></description>
			<content:encoded><![CDATA[<p><em>by T. Kent Elliott, CEO, ForeScout Technologies</em></p>
<p>Tomorrow, President Barack Obama will unveil his much anticipated cyber security report, a move that is likely to have significant impact on the security industry. President Obama has identified cyber attacks &#8211;such as those on the <a href="http://blogs.wsj.com/chinajournal/2009/04/23/chinese-hackers-target-nypd-too-says-police-commissioner/">NYPD</a>, <a href="http://online.wsj.com/article/SB123834671171466791.html">Dalai Lama</a>, the <a href="http://online.wsj.com/article/SB124027491029837401.html">Pentagon&#8217;s Joint Strike Fighter</a> and the <a href="http://online.wsj.com/article/SB123914805204099085.html">U.S. electrical grid</a> &#8212; as one of the most significant threats facing our national security. Obama has pointed out that the increased use of Web 2.0 applications and peer-to-peer architecture are making it easy for hackers to maintain armies of hijacked computers. And he has called upon federal, state and local government agencies to take steps to increase security, protect against malware and reduce insider threat.</p>
<p><strong>But what can be done?</strong></p>
<p>According to Steven Cooper, former CIO of both the American Red Cross and US Department of Homeland Security, and founding partner of Strativest: “It is becoming more critical for federal government agencies &#8212; and their suppliers &#8212; to consider adopting key enterprise security technologies like NAC, which successfully protect global enterprises against hackers and malware today.”</p>
<p>With a growing number of federal, state and local government customers, ForeScout is in a unique position to address the threats to the US infrastructure and the challenges the government faces in managing these threats to protect its citizens and their personal and national economies.</p>
<p>At times like these, hype and anxiety often reach their peak. It is important to remember the basics and avoid sensational theories and ambitions that simply act to multiply the risks.</p>
<p>There are manageable and measurable steps that government administrations and companies alike can take to improve infrastructure security, steps that will not force the nation to reinvent the wheel but instead deploy current proven best practices such as:</p>
<ul>
<li><strong>Identify the real vulnerabilities</strong>.<br />
We have to understand the scope of the issue. Many government agencies and companies have network infrastructure and users spread across multiple buildings and locations &#8230; all with varying levels of security. In realtime, you have to know who/what has access to your network, where it is and how compliant it is to your well thought-out policies &#8230; before you can protect it. As we found in working with enterprises and local government agencies such as the FAA, the US Army and Albany County, network discovery and asset management are fundamental baselines critical to identifying then eliminating real network vulnerabilities.</li>
<li><strong>Prepare to address evolving threats</strong>.<br />
Over the last year we have seen cyber threats take a variety of forms, from <a href="http://www.forescout.com/press_releases/09-01.html">malware</a> to <a href="http://www.forescout.com/press_releases/09-04.html">peer-to-peer network breaches</a>, to <a href="http://www.forescout.com/press_releases/09-02.html">man on the inside attacks</a> and <a href="http://www.forescout.com/webinars/022509.html">cyber espionage launched via USB thumb storage drives</a>. As ForeScout has found in working with government agencies to ban the use of external computer flash drives at mission-critical locations, remove threatening peer-to-peer applications from endpoints, and watch for zero-day morphing of existing worms into new, unknown attacks, whatever solution the government puts in place must have the ability to respond to these evolutionary threats. ForeScout, knowing all security policies of the organization, immediately detects existing, evolving and emerging threats and violations, enabling the agency to take immediate, appropriate actions, from terminating connectivity to disabling a device or uninstalling risky, banned applications – automatically, without human intervention &#8230; once the policy is established and put into enforcement mode.</li>
<li><strong>Avoid rip and replace tactics</strong>.<br />
The US government is already spending excessive amounts of money trying to reboot the economy – but too much money can permit easy knee-jerk reactions that complicate an already existing challenge. From a security expert's point of view, ripping out and replacing network infrastructure should be the last thing we try to do with these cyber security efforts. Vast overhauls to the network infrastructure across local, state and federal levels seriously delay protection, actually increasing vulnerabilities. While new deployments are stabilized over a very lengthy process, inherent vulnerabilities within the new infrastructure emerge, adding to the dangers – counter to the objectives. As has been successfully experienced in all ForeScout installations, the security technology within the company’s CounterACT product meshes with already existing, stabilized heterogeneous IT infrastructures. Therefore, CounterACT brings heightened, field-proven security against cyber threats without the requirement to make major IT changes, bringing speedy security capacity to vulnerable networks.</li>
<li><strong>Choose scalable solutions that automate baseline security operations</strong>.<br />
The network is always dynamic with never-ending comings and goings of equipment, applications, people and internet connectivity, each bringing their own threats and exposure. Automation with proven Network Access Control appliances such as CounterACT, which are accurate, provide real-time baselining of security posture, and conduct immediate and timely assessment and then enforcement/remediation, is the only way to protect the enormity of the infrastructure from the magnitude of each problem, which is in a constant state of flux from case to case and moment to moment.</li>
</ul>
<p>As the nation moves forward, we must remain wise about the solutions we put in place, using prudence to build upon current network strengths, adding to them, bolstering them and making them dynamic in response to evolving threats, rather than, in a panic and not knowing what to do, throwing an untested, non-stabilized, lengthy-to-deploy infrastructure at the problem.</p>
<p>CounterACT makes today’s static but stabilized network infrastructure dynamic, equal to the dynamics of the ever changing threats. CounterACT provides an automated/scalable infrastructure-agnostic solution for network access control that has been proven in real-life deployment across global networks to be well-equipped to address the needs of Executive, Federal and State government agencies. CounterACT has been certified after rigorous testing and field deployed in numerous US government agencies today: it is, in fact, the only approved NAC solution currently on the <a href="http://www.forescout.com/press_releases/08-022.html">US Army purchase list (AIAAPL)</a>.</p>
<p>Solutions like CounterACT are required to close the security gaps in the Department of Homeland Security and other US networks while mitigating the rising cost of security. It is our earnest hope that those in a position to make technology recommendations and decisions – the spokespeople of BENS.org, the contract leads at Booz Allen Hamilton, the Obama appointees such as Melissa Hathaway or even Admiral Dennis Blair – will make wise, prudent and fiscally sensible choices.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forescout.com/blog/?feed=rss2&amp;p=136</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Detect, Disable &amp; Remove P2P with CounterACT</title>
		<link>http://www.forescout.com/blog/?p=107</link>
		<comments>http://www.forescout.com/blog/?p=107#comments</comments>
		<pubDate>Wed, 04 Mar 2009 17:17:23 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[ForeScout]]></category>
		<category><![CDATA[disable P2P]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[peer-to-peer]]></category>

		<guid isPermaLink="false">http://www.forescout.com/blog/?p=107</guid>
		<description><![CDATA[As we said in our last blog, CounterACT is able to detect, disable and remove any P2P application running on an endpoint.
ForeScout CounterACT customers will find an easy-to-use peer-to-peer compliance template (including usage guidelines and screen shots) in our online support knowledgebase.  CounterACT also supports the creation and use of custom policies.
CounterACT’s clientless foundation offers [...]]]></description>
			<content:encoded><![CDATA[<p>As we said in our last blog, CounterACT is able to detect, disable and remove any P2P application running on an endpoint.</p>
<p>ForeScout CounterACT customers will find an easy-to-use <i>peer-to-peer compliance template</i> (including usage guidelines and screen shots) in our online <a href="http://www.forescout.com/support">support knowledgebase</a>. CounterACT also supports the creation and use of custom policies.</p>
<p>CounterACT’s clientless foundation offers the flexibility to conduct a remote inspection of the P2P application footprint without requiring a client or agent of any kind. For example, CounterACT can be used to inspect endpoints for any registry, file, service, port and/or process.</p>
<p>Note: When we say “<i>without requiring a client or agent of any kind</i>” we mean CounterACT can inspect endpoints for registry, files, services, port and/or process without relying on a client (Nessus, NMAP, etc.) to conduct compliance checks.</p>
<p>CounterACT also offers many techniques to mitigate the risks associated with peer-to-peer applications. For example:</p>
<p>CounterACT offers a template policy to kill each detected instance of a P2P process.</p>
<p>To complement the “<strong>Kill P2P</strong>” action, CounterACT offers alert and reporting mechanisms that can be used to auto-enforce “compliance and training” and enable forensics and continued compliance. For example, an email notification might be sent to a user whose laptop is found to be in violation of a “no P2P” security mandate; a copy of the email might be sent to the compliance and forensics staff; repeat offenders might be required to attend a code-of-conduct &#8220;refresher&#8221; course, etc.</p>
<p>To further alert and train users on corporate policy, CounterACT can be used to trigger other general department- or company-wide alerts (via Syslog/HTTP notifications/emails, etc.).</p>
<p>And to further reinforce the “<strong>Kill P2P</strong>” action, CounterACT’s powerful <strong>Run Script</strong> engine (for Windows, Macintosh and Linux operating systems) might be used to automate and centrally manage key remediation actions across the entire network (such as deleting P2P and other application files, deploying anti-virus updates, and more).</p>
<p>For more information on this topic <a href="http://www.forescout.com/press_releases/09-04.html">read the press release.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.forescout.com/blog/?feed=rss2&amp;p=107</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NAC Plugs P2P Security Holes</title>
		<link>http://www.forescout.com/blog/?p=83</link>
		<comments>http://www.forescout.com/blog/?p=83#comments</comments>
		<pubDate>Mon, 02 Mar 2009 22:23:38 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[ForeScout]]></category>
		<category><![CDATA[Marine One]]></category>
		<category><![CDATA[NAC]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.forescout.com/blog/?p=83</guid>
		<description><![CDATA[It is no surprise that workers using common peer-to-peer (P2P) networks to share media files may be putting corporations at risk of data theft. But the problem and potential impact may be larger than we think.
The loss of blueprints for President Obama&#8217;s Marine One helicopter (CNET 2/28/09) to a cyber thief in Iran is just [...]]]></description>
			<content:encoded><![CDATA[<p>It is no surprise that workers using common peer-to-peer (P2P) networks to share media files may be putting corporations at risk of data theft. But the problem and potential impact may be larger than we think.</p>
<p>The loss of blueprints for President Obama&#8217;s Marine One helicopter (<a href="http://news.cnet.com/8301-1009_3-10184558-83.html">CNET 2/28/09</a>) to a cyber thief in Iran is just one of many recent P2P network breaches.</p>
<p><a href="http://www.forescout.com/press_releases/09-04.html">ForeScout CounterACT&#8217;s unique ability to see every IP device connected to the network and control all connections down to the switch port is helping corporate enterprises and federal organizations protect against such theft. With CounterACT, any P2P program running on any IP device on the network can be automatically discovered, shut down, and de-installed in real time, with or without notification to the end user.</a></p>
<p>Recent incidents that could have been prevented with CounterACT include:</p>
<ul>
<li>1. A team of Dartmouth researchers found peer-to-peer (P2P) networks littered with sensitive healthcare information inadvertently made available by employees of hospitals and other healthcare facilities, as well as their collection agencies and other business partners. <a href="http://www.sciam.com/article.cfm?id=peer-to-peer-file-sharing-security">Scientific American, 2/20/2009</a></li>
<li>2. Wagner Resource Group and Supreme Court Justice Breyer – A peer-to-peer security breach led to the loss of personal information, including birth dates and Social Security numbers, for 800 clients of a Washington-area investment firm, among them Supreme Court Justice Stephen Breyer – <a href="http://www.nextgov.com/nextgov/ng_20080710_3088.php">Nextgov, 7/10/09</a></li>
<li>3. Citigroup’s ABN Amro Mortgage Group &#8211; Files containing Social Security numbers and other personal information on over 5,000 customers of Citigroup’s ABN Amro Mortgage Group were inadvertently downloaded onto an Internet P2P file-sharing network – <a href="http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=208803680">Dark Reading – 9/24/2007.</a></li>
</ul>
<p><a href="mailto:blog&#64;forescout.com">Contact us</a> to learn more about how ForeScout CounterACT can be used to plug P2P security holes in your network.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forescout.com/blog/?feed=rss2&amp;p=83</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NAC: Own or Lease?</title>
		<link>http://www.forescout.com/blog/?p=65</link>
		<comments>http://www.forescout.com/blog/?p=65#comments</comments>
		<pubDate>Wed, 18 Feb 2009 18:55:11 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[ForeScout]]></category>
		<category><![CDATA[Mirage Buyback]]></category>
		<category><![CDATA[Trustwave]]></category>

		<guid isPermaLink="false">http://www.forescout.com/blog/?p=65</guid>
		<description><![CDATA[The acquisition of Mirage Networks by Trustwave, a managed services provider based in Chicago, may leave Mirage NAC users with an unwanted choice: continue to own? or lease?
IT managers who use the full power of NAC to help with their &#8220;command central&#8221; network security operations today, may think twice about moving to a managed services [...]]]></description>
			<content:encoded><![CDATA[<p>The acquisition of Mirage Networks by Trustwave, a managed services provider based in Chicago, may leave Mirage NAC users with an unwanted choice: continue to own? or lease?</p>
<p>IT managers who use the full power of NAC to help with their &#8220;command central&#8221; network security operations today may think twice about moving to a managed services model. </p>
<p>Those who are interested in looking at a managed services model may think twice about moving to niche providers focused on selling audits or hard-to-deploy NAC appliances.</p>
<p>ForeScout understands the dilemma and is offering a trade-up program for Mirage NAC appliance owners who&#8217;d like to &#8220;keep the keys to their business in their own pockets&#8221;! </p>
<p>Check out our <a href="http://www.forescout.com/press_releases/09-03.html">press release</a> and <a href="http://www.forescout.com/pub_support/buyback_customers.html">contact us</a> for more details.</p>
<p>If you&#8217;d like to go with a winning MSSP provider, why not give our friends at <a href="http://www.verizonbusiness.com/support/">Verizon Business a call</a>.</p>
<p>When it comes to NAC, go with providers who can truly protect you &#8230; inside and out. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.forescout.com/blog/?feed=rss2&amp;p=65</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NAC and 802.1x</title>
		<link>http://www.forescout.com/blog/?p=47</link>
		<comments>http://www.forescout.com/blog/?p=47#comments</comments>
		<pubDate>Mon, 16 Feb 2009 16:56:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[ForeScout]]></category>
		<category><![CDATA[802.1X]]></category>
		<category><![CDATA[NAC]]></category>
		<category><![CDATA[Port-based Access Control]]></category>

		<guid isPermaLink="false">http://www.forescout.com/blog/?p=47</guid>
		<description><![CDATA[There’s a world of mixed reviews and predictions as to when 802.1X will see mainstream adoption (2011? 2013? 2015?), enabling port-based network access control at Layer 2. There’s also a steady stream of claims as to what 802.1X-based NAC can and can’t do today (or in the future):
David Newman&#8217;s Review
Tim Greene&#8217;s Article
Jennifer Jabbusch/Security Uncorked Blog
Joel [...]]]></description>
			<content:encoded><![CDATA[<p>There’s a world of mixed reviews and predictions as to when 802.1X will see mainstream adoption (2011? 2013? 2015?), enabling port-based network access control at Layer 2. There’s also a steady stream of claims as to what 802.1X-based NAC can and can’t do today (or in the future):</p>
<p><a href="http://www.networkworld.com/reviews/2008/032408-switch-test-authentication.html">David Newman&#8217;s Review</a><br />
<a href="http://www.networkworld.com/newsletters/vpn/2008/081808nac1.html">Tim Greene&#8217;s Article</a><br />
<a href="http://www.securityuncorked.com/category/nac-8021x">Jennifer Jabbusch/Security Uncorked Blog</a><br />
<a href="http://www.opus1.com/nac/index.html#8021X">Joel Snyder/Opus1 Archives</a></p>
<p>Many folks agree that 802.1X adoption is costly and complex. Some in the industry speculate that – while the standard evolves and matures – there is a need for a solid NAC solution today that supports 802.1X, but is not reliant upon it &#8230; that enables strong remediation and enforcement &#8230; sidestepping the use of faulty DHCP.</p>
<p>ForeScout customers are spared the worries and waiting, because CounterACT &#8220;has them covered&#8221;. CounterACT NAC is infrastructure agnostic and supports 802.1X and non-802.1X today &#8230; closing the technology gaps and bridging today’s investments to tomorrow’s infrastructures (whatever they may be).</p>
<p>That said &#8230; and because our customers ask &#8230; we’d like to give a little recap on 802.1X and why it offers the potential for a good NAC authentication standard.</p>
<p><strong>802.1X Basics</strong></p>
<p>802.1X is intended to be a proactive authentication technology that ensures any network traffic being sent is coming from an authenticated user, device, or both. Some administrators believe that 802.1X is a solution for wireless devices only, but it was actually created for campus area networks where devices, users and locations comprise a large part of the network and are always in a dynamic state of flux. The use of IEEE 802.1X offers a framework for authenticating and controlling user traffic to a protected network, as well as dynamically providing many configuration settings.</p>
<p>802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both the wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public-key authentication. EAP was originally designed for enterprises that wanted to do more for security than simply employ usernames and passwords for access, and it was designed to supplement Point-to-Point Protocol (PPP). PPP is commonly used to authenticate remote users to the corporate or other remote network, and is the standard used for dial-up connections to the Internet. EAP sits inside of PPP&#8217;s authentication protocol and delivers configuration settings in tandem with 802.1X.</p>
<p>With 802.1X, the initial communications begin with an unauthenticated supplicant (this is the 802.1X term for the client) attempting to connect with an authenticator (this is the 802.1X term for the WAP or switch). The authenticator responds by enabling a port for passing only EAP (authentication) packets from the client to an authentication server located on the target network. All other traffic, such as HTTP, DHCP, and POP3 packets, is blocked by the authenticator until the client is authenticated.</p>
<p>The authentication is rarely performed by the authenticator itself, and most network designers choose to verify the client&#8217;s identity using an authentication server (almost always RADIUS). Once authenticated, the client (supplicant) may be given configuration information such as IP address, VLAN membership, firewall ruleset, and even encryption keys. The basic 802.1X protocol should provide effective authentication regardless of whether or not you wish to provide configuration settings.</p>
<p><strong>CounterACT in an 802.1X Environment</strong></p>
<p>CounterACT NAC goes beyond authentication by inspecting the client for compliance with the organization&#8217;s client security policies. It helps to verify anti-virus has been installed, is currently running, has performed a scan in the last 30 days, and that dat files are up to date. It can also go beyond anti-virus checking to verify a device has all hotfixes and patches installed, a personal firewall is enabled, only approved software is installed, and it can even require encryption of the client&#8217;s hard drive. Today, CounterACT is able to allow or block access via the device&#8217;s USB ports and other removable storage, thereby protecting the organization against information leakage.</p>
<p>In many ways, CounterACT is the glue that holds all of the aforementioned solutions together &#8230; in many cases helping IT managers to centrally manage and monitor the security posture of every device/user on the network &#8230; thereby making the administration much less expensive and time-consuming.</p>
<p>These elegant solutions, along with better software coding practices, are beginning to blur the line between network and security administration &#8230; making it possible for the network to be fully protected from the inside out.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forescout.com/blog/?feed=rss2&amp;p=47</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
