ForeScout | Access Ability

Overview

Mobile Device Management (MDM) systems are gaining rapid adoption among enterprises that wish to better manage the plethora of smartphones and tablet computers that are in common use by businesspeople. MDM systems can help IT security managers secure the sensitive corporate data that is frequently stored on such devices. But MDM by itself is not a complete security solution for the following reasons:

1. MDM systems can only see and manage devices that have already been enrolled in the MDM system. MDM is blind to unmanaged devices on the network.
2. MDM systems typically do not control access to the network, they typically control access to applications (for example, Microsoft Exchange). Thus, MDM does not prevent unauthorized access to data on the network, nor does MDM prevent infected or compromised devices from attacking the network.
3. MDM systems typically do not manage all the personal devices that employees might want to use on the corporate network. For example, personally-owned Windows and MacOS computers are typically outside the scope of MDM.
4. MDM systems are typically operated as another management silo, with another set of management screens, separate policies, and separate reports. Even worse, the MDM system is often managed by a different group of people than are responsible for computer security. This creates an opportunity for policies to be inconsistently applied and translated across the various IT management systems and groups.

The ForeScout Mobile Integration Module allows you to leverage your existing MDM solution within the broader context of unified security control that ForeScout CounterACT provides. The module links your MDM system to ForeScout CounterACT, bringing information about MDM-managed devices which are connected to the enterprise network to the CounterACT appliance, where the information is displayed alongside information about unmanaged mobile devices and devices that are outside the scope of your MDM system (such as PCs). From the CounterACT console, you can configure and enforce network security policies, monitor and report on policy adherence.

The ForeScout Mobile Integration Module, an optional plug-in for ForeScout CounterACT, is sold separately.  ForeScout currently integrates with AirWatch, Fiberlink MaaS360 and MobileIron – more are on the way. When used in conjunction with your existing MDM system, ForeScout CounterACT and the ForeScout Mobile Integration Module provide:

• Automated real-time detection. ForeScout CounterACT lets you detect mobile devices the moment they connect to your network.
• Extended visibility by detecting unmanaged devices on the network in real-time.
• Improved security by blocking unauthorized users and devices from the network, as well as imposing whatever limits you want on authorized devices.
• Unified network access policy management and compliance reporting for all endpoint devices—PCs, smartphones, and tablets.
• Automated installation of MDM agents by automatically directing unmanaged devices to an installation web page.

• Guest registration. If you wish to setup a guest network for personal mobile devices, you can use ForeScout CounterACT’s built-in guest registration system. Once a guest has been approved, ForeScout CounterACT can dynamically enforce your security policies, such as restricting the user’s access to just the Internet.
• Continuous protection. If malware exists on the mobile device and tries to propagate or interrogate your network, ForeScout CounterACT will detect the malicious behavior, block the threat, and can automatically quarantine or remove the mobile device from your network. ForeScout CounterACT includes ForeScout’s patented ActiveResponse™ technology which can detect and block zero-day threats.