Threat Prevention


Sophisticated Threats Require Advanced Protection

ForeScout’s patented ActiveResponse™ technology blocks zero-day threats, identifies and suppresses propagating worms, stops low-and-slow attacks and can be used as a layered defense against APTs – without signatures and false positives. Our unique technology does not require any form of maintenance, so the total value is significant while the total cost of ownership is very low.

The Problem

Gone are the days when a firewall, an externally-facing IPS, and a well-managed anti-virus system constitute sufficient protection. While these layers of security are still valuable, attackers have found ways to work around them. Industry experts report that between 4% to 8% of enterprise computers are infected, despite the presence of host-based security agents and sophisticated patch management practices.

Why are the bad guys winning? One reason is that new business models and competitive pressures are generating explosive growth in network connectivity, both internally (wireless networks, VPN, guest network access) and externally (links to customers and business partners). This has made the network perimeter disappear. As a result, IT security becomes more challenging as more attacks come from the “inside.”

A second reason why the bad guys are winning is the onslaught of unmanaged devices that are connecting to enterprise networks. These devices include smart printers (which can be compromised but cannot be secured via traditional antivirus), smart phones, employee-owned computers, contractors’ computers, specialized equipment, etc. This phenomenon has been called the “consumerization of IT”, and market analysts are claiming that it is one of the top three challenges that organizations need to work on in 2011.

Clearly, enterprises need a new approach to threat prevention.

One approach would be to purchase traditional signature-based intrusion detection systems and place them both at the perimeter (thus protecting the network against external attack) and in the interior (protecting the network against compromised endpoints). This is doable, but very costly. The management overhead of signature-based IPS systems is high, for the following reasons:

  1. Signature-based IPS systems require constant maintenance, both signature updates and software upgrades.
  2. Signature-based IPS systems require lengthy phase-in and tuning periods. During this period, security managers place the IPS systems in monitor-only mode and tune the systems to avoid blocking legitimate traffic. Many enterprises never exit this phase, they keep their IPS systems in monitor mode forever because they never develop a sufficient level of trust in their IPS devices.
  3. Signature-based IPS systems generate large numbers of alerts, sometimes thousands per day. This becomes a treadmill for IT managers who have to review and analyze the reports.
  4. Traditional IPS devices need to be installed in-line. As a result, deployment needs to be planned very carefully to ensure there are no issues with latency or potential disruptions due to product failure. Also, the in-line requirement means that an enterprise would need a large number of IPS systems to completely protect their internal network bandwidth.
ForeScout’s Solution

ForeScout’s patented ActiveResponse™ technology blocks both known and unknown attacks without signatures. This unique technology does not require any form of maintenance, so the total cost of ownership is very low. And since ForeScout products install out-of-band, IT managers find it far easier and more economical to deploy ForeScout threat prevention products.

ForeScout’s ActiveResponse™ technology lets you:

  • Preempt zero-day attacks. ActiveResponse was able to detect and block attacks such as Zeus, Stuxnet and FLAME on day-zero, before any security company anywhere had developed a signature for these attacks. ActiveResponse will detect and block any attack that goes over the network and relies on reconnaissance to identify possible targets (which most zero-day attacks do). ActiveResponse does not rely on signatures, updates, or a learning period to detect day-zero attacks. It just works.
  • Suppress propagating worms. ActiveResponse has been able to detect and block tens of thousands of worms, such as the infamous Conficker. Conficker was the most successful computer worm since the 2003 SQL Slammer worm, infecting more than seven million government, business and home computers. Traditional IPS and antivirus systems had trouble blocking Conficker, but ActiveResponse was able to block Conficker with extreme efficiency and accuracy. Unlike traditional signature-based IPS devices or antivirus systems, ActiveResponse doesn’t need to perform deep packet inspection on either the network traffic or the payload file.
  • Stop low-and-slow attacks. Unlike traditional IPS systems which have a time-out period built into their attack signatures, ActiveResponse has no time-out period. It doesn’t need one. And that allows it to be effective against the low-and-slow attacker—someone who is just looking for one folder, one credit card number, or one social security number. The attacker is not in a rush, he is slow and patient. ActiveResponse™ is just as patient, and it blocks his attack.
  • Reduce APT risks. ActiveResponse™ reduces the risk of APTs in two ways. First, it blocks APTs that attempt to spread over the network, such as Stuxnet did. Second, it can thwart the ability of APTs to locate and steal information over the network. An example of this behavior was Operation Aurora, which used each infected machine as a launching point for subsequent theft of data over the network.

ActiveResponse™ technology is included in two different ForeScout products—one designed to protect your interior network, the other designed to protect your network perimeter:

  • ForeScout CounterACT is an automated security control platform that lets you see and control your network–devices, operating systems, applications, users. The ActiveResponse™ technology inside ForeScout CounterACT provides what is traditionally known as “post connect” protection for your network.
  • ForeScout CounterACT Edge is an intrusion prevention appliance designed to protect your network from external attack. The appliance is installed at the perimeter of your network, outside your existing firewall.



ForeScout’s patented ActiveResponse™ technology blocks both known and unknown attacks without signatures. This unique technology does not require any form of maintenance, so the total cost of ownership is very low.

Here is how ActiveResponse works:

The first step for most network attacks is reconnaissance. In this step, an attacker (either human or automated) gathers information about the network’s configuration and vulnerabilities. ForeScout’s Active Response technology detects this reconnaissance and responds with counterfeit or “marked” information. Any subsequent attempt to use this marked information is proof of malicious intent. This allows ForeScout products that contain ActiveResponse technology to block the attack without the need for signatures, deep-packet inspection or manual intervention.

The following diagrams illustrate how ForeScout CounterACT Edge uses ActiveResponse to identify and stop an attack coming from outside the network. The same principles apply to attacks that originate within the network, which can be detected and blocked by ForeScout CounterACT.



ForeScout’s patented ActiveResponse™ technology delivers strong protection against network attacks with far lower management overhead than traditional signature-based IPS systems. Here are the benefits of products that contain ActiveResponse:

  • Painless deployment. Products that contain ActiveResponse™ technology are always installed out-of-band. That means no “bump in the wire”, no latency, no possibility of network disruption.
  • Low maintenance. ActiveResponse™ does not require signature updates to remain effective. The length of time spent in the tuning phase (when the product is initially deployed) is typically short – weeks, not months.
  • Effective. ActiveResponse™ is effective against attacks that begin with reconnaissance. This includes “low and slow” attacks and many of the botnets and advanced persistent threats that are becoming so common. In environments that require very high security, ActiveResponse can be used in conjunction with a traditional signature-based network IPS product. In this scenario, ActiveResponse will efficiently detect and block the large percentage of attacks that begin with reconnaissance, and the traditional IPS product will block attacks that do not begin with surveillance, such as denial of service attacks.
  • Save money. ActiveResponse™ technology is extremely scalable and requires very little processor overhead. Thus, ActiveResponse can be used in front of traditional signature-based IPS systems and firewalls (which are very processor-intensive), reducing the load on these systems. This can greatly extend the life of existing IPS and firewall hardware, saving you money.