Advanced Network Threat Prevention & Cyber Defense Solutions


Advanced Threats Require Rapid Response

Advanced Persistent Threat (APT) identification isn’t good enough. ForeScout CounterACT™ lets you implement automatic network and endpoint protective actions to contain advanced threats.

The Problem

Today’s cyber attacks can easily evade traditional security defenses, which are reactive and based on signatures. To effectively detect and block sophisticated threats, new detection systems are needed that do not rely on signatures.

Most advanced threat protection systems simply identify the presence of an advanced threat, issuing an alert that can easily be ignored by a busy IT security manager. A mistake such as this reportedly cost Target millions of dollars of damage.¹ Worse yet, an infection may have already occurred where a breached system lies dormant or moves laterally within your network. Without a system to automatically and quickly react to a security breach, you are leaving the window open for cyber thieves to exfiltrate data or to propagate within your network.

The ForeScout Solution

ForeScout products include patented ActiveResponse™ technology that can detect and prevent the propagation of malware or hackers inside your network. ForeScout’s ActiveResponse technology lets you:

  • Preempt zero-day attacks. ActiveResponse was able to detect and block attacks such as Zeus, Stuxnet and FLAME on day-zero, before any security company had developed a signature for these attacks.
  • Stop low-and-slow attacks. Unlike traditional IPS systems, which have a time-out period built into their attack signatures, ActiveResponse has no time-out period. It doesn’t need one. And that allows it to be effective against the low-and-slow attacker.
  • Reduce APT risks. ActiveResponse reduces the risk of APTs in two ways. First, it blocks APTs, like Stuxnet, that attempt to spread over the network. Second, it can thwart the ability of APTs, like Operation Aurora, to detect and steal information over the network or use each infected machine as a launching point for subsequent theft of data over the network.

In addition, ForeScout CounterACT offers advanced interoperability with advanced threat detection (ATD) systems from vendors such as FireEye and Palo Alto Networks to deliver rapid, automated response to APTs and zero-day threats. When an ATD system suspects that a device has been compromised, it can inform CounterACT, which can then take automated actions, such as:

  • Quarantine the endpoint.
  • Scan other endpoints to determine if they have been similarly compromised.
  • Trigger a vulnerability assessment scan by a third party product.
  • Notify the end-user and/or administrator via email or SMS.
  • Trigger a third-party remediation system.
  • Report details about the host to other systems, for example a Security Information and Event Management (SIEM) or ATD system. Real-time contextual information greatly improves the ability of IT security managers to make a more informed and timely response to security alerts produced by ATD systems.

Our Advanced Threat Detection Integration Module provides integration between ForeScout CounterACT and third-party ATD systems.

For even more information about how ForeScout CounterACT fits into Gartner’s Adaptive Security Architecture, read our whitepaper “A Blueprint for Continuous Monitoring and Mitigation”.

ActiveResponse™ technology is included in both ForeScout CounterACT and ForeScout CounterACT Edge.

¹ SC Magazine, March 13, 2014. “Target did not respond to FireEye security alerts prior to breach, according to report”.



ForeScout’s patented ActiveResponse™ technology blocks both known and unknown attacks without signatures. This unique technology does not require any form of maintenance, so the total cost of ownership is very low.

Here is how ActiveResponse works:

The first step for most network attacks is reconnaissance. In this step, an attacker (either human or automated) gathers information about the network’s configuration and vulnerabilities. ForeScout’s ActiveResponse technology detects this reconnaissance and responds with counterfeit or “marked” information. Any subsequent attempt to use this marked information is proof of malicious intent. This allows ForeScout products that contain ActiveResponse technology to block the attack without the need for signatures, deep-packet inspection or manual intervention.
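A simplified model of the mark-and-detect logic described above, as an added example that is not ForeScout's code; the service inventory, scan threshold, addresses and event format are constructed assumptions. Probe counts and marks never expire in this model, which is what lets it catch a scan spread over weeks.

```python
from dataclasses import dataclass, field

# Constructed inventory of real services; every other (ip, port) is unused.
REAL_SERVICES = {("10.0.0.10", 443), ("10.0.0.20", 22)}
# Assumed threshold: distinct unused endpoints touched before a source counts as scanning.
SCAN_THRESHOLD = 3


@dataclass
class MarkingSensor:
    probes: dict = field(default_factory=dict)  # src -> set of unused endpoints touched
    marks: dict = field(default_factory=dict)   # marked endpoint -> day the marked reply was sent
    blocked: set = field(default_factory=set)   # sources that used marked information

    def observe(self, day, src, dst_ip, dst_port):
        """Return the action taken for one connection attempt."""
        endpoint = (dst_ip, dst_port)
        if src in self.blocked:
            return "drop"
        if endpoint in self.marks:
            # A marked endpoint was only ever handed out in reply to a scan,
            # so any later use of it identifies the sender as hostile.
            self.blocked.add(src)
            return "block"
        if endpoint in REAL_SERVICES:
            return "allow"
        # Unused endpoint: count it. No time window is applied, so a
        # low-and-slow scan accumulates exactly like a fast one.
        seen = self.probes.setdefault(src, set())
        seen.add(endpoint)
        if len(seen) >= SCAN_THRESHOLD:
            self.marks[endpoint] = day  # answer the probe with counterfeit data
            return "mark"
        return "ignore"


# Constructed events: (day, source, destination ip, destination port).
EVENTS = [
    (0, "198.51.100.7", "10.0.0.10", 443),   # normal client, real service
    (0, "203.0.113.5", "10.0.0.30", 445),    # scanner, first unused endpoint
    (2, "203.0.113.5", "10.0.0.31", 445),
    (9, "203.0.113.5", "10.0.0.32", 3389),   # third distinct probe: reply is marked
    (10, "198.51.100.7", "10.0.0.99", 80),   # single stray attempt, below threshold
    (30, "203.0.113.5", "10.0.0.32", 3389),  # scanner returns to the marked service
    (30, "203.0.113.5", "10.0.0.10", 443),   # already blocked
]


def replay(events):
    sensor = MarkingSensor()
    return [sensor.observe(*e) for e in events], sensor
```
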

The following diagrams illustrate how ForeScout CounterACT Edge uses ActiveResponse to identify and stop an attack coming from outside the network. The same principles apply to attacks that originate within the network, which can be detected and blocked by ForeScout CounterACT.

Cyber Defense Solutions for Network Attacks & Threats by ForeScout


  • Reduce risk by automatically preventing advanced threats from scanning or propagating within your network, rapidly quarantining affected endpoints, and scanning other systems on your network to see if they have been compromised.
  • Reduce impact by gaining dynamic endpoint intelligence to make a more informed and efficient response to threats.
  • Save time by automating mitigation actions that were previously manual.
  • Save money by using ActiveResponse™ in front of your existing traditional signature-based IPS system and firewall to reduce the load on these systems. This can greatly extend the life of your existing IPS and firewall hardware.

Case Study

The SIRVA Success Story

SIRVA, Inc. provides relocation and moving services to organizations and individual consumers around the world. Some of SIRVA’s well-known brands include Allied, Allied International, Global, and northAmerican.

SIRVA’s original IPS system produced many false positives and required a lot of management attention, causing SIRVA’s director of information security, Waqas Akkawi, to look for a new IPS system that met the following goals:

  • Block zero-day and targeted attacks.
  • Require a minimum of administration and tuning effort.
  • Produce few false positives.
  • Improve SIRVA’s ability to comply with federal and state information security and privacy regulations such as Massachusetts CMR 201.
  • Help protect the personal identifiable information of SIRVA’s customers.

After a complete evaluation of various IPS products, Akkawi’s team selected ForeScout CounterACT Edge.

“We had very explicit requirements for IPS, and ForeScout CounterACT Edge was able to meet them all. What pretty much sealed the deal is the fact that ForeScout CounterACT enables us to continually monitor devices once they are on our network—something most NAC systems are incapable of,” Akkawi explains.

CounterACT Edge has allowed Akkawi to retire legacy intrusion detection systems (IDS) from multiple vendors. It has also reduced the load on his Cisco firewalls. “Rather than the firewall being at 50% CPU consumption inspecting all these packets and connections, the firewall is now down to 5% CPU consumption,” Akkawi says. Offloading work from his firewalls has improved network performance.
