Alert: Tracking exposed OT/ICS: 2017 – 2024

Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

Do you know every device connected to your enterprise? If so, congrats—94% of businesses don’t!

Cyber Bob, Principal Security Engineer and CTO at Forescout | September 5, 2019

Twitter: @MeetCyberBob

SANS’ distinguished analyst Don Murdoch recently did a thorough review of my company’s network device visibility and control platform. The review, titled Device Visibility and Control: Streamlining IT and OT Security with Forescout, evaluated the latest product version, Forescout 8.1, which incorporates our acquisition of SecurityMatters’ device visibility technology from the OT world into a single console. For starters, Murdoch surveyed senior security experts and compiled some very surprising statistics. For example, 94 percent of respondents did not have complete visibility of assets in the enterprise environment! Digging further, more than half (59 percent) could see less than 75 percent of their networked assets. Breaches clearly show—even huge ones like Equifax—that it only takes one compromised device to cost billions to an organization. Yes, just one device.

In an earlier blog post, I referenced the RISK= (probability) x (impact) calculation. The SANS product review expands on that theme, delving into the details of what organizations truly need when it comes to reducing risk. So, let’s look at the details.

To get a better handle on the (probability) part of the equation, organizations need a basic foundation of device knowledge that includes:

  1. An Accurate CMDB → Asset Type
    1. Location (campus, data center, OT network, and AWS or Azure cloud)
    2. Vulnerability/CVE
    3. Virtual or physical (VMware vSphere)
  2. User Access → Access (operating system level)
  3. Network Access → Network access for east/west traffic as well as north/south to the data center
    1. User- Corporate
    2. User BYOD
    3. Guest
    4. Unknown
  4. Device Awareness Context → Streamlines data collection process
    1. Port/Switch
    2. Network accessible services
    3. User data
    4. Running processes (for managed hosts)
    5. Vulnerability data

Then this overlays into the (impact) variable of the equation by also providing the following:

  1. Owner/Organization → Through understanding the User and User Org from the Centralized Directory integration

All of the above is all well and good, but it isn’t helpful unless it’s packaged in an actionable context. The SANS review highlights the Forescout platform’s ability to provide all this data very quickly and present an executive summary of device visibility through easily modified dashboards. However, security operations staff also requires the ability to filter quickly—including detecting the devices in your environment. Even better, there has to be a way to PASSIVELY collect endpoint data—especially in more sensitive network environments. All of which the platform does. It also moves the needle even further into the active profile methods available for less sensitive and rogue devices with segment-by-segment visibility.

SANS continues its review of our technology by getting more specific on a typical organizational process that tends to be very complex. This fits into one of three real business impacts:

  1. Incident response and the data required to better accelerate response—not just for security incidents, but for better ITAM.
  2. Vulnerability assessment and compliance—to better align to the RISK profile of your organization.
  3. Automating cross-functional team interaction and controls—allowing very complex tasks for teams in endpoint management, network provisioning and security response to easily and automatically initiate and complete a complex process. This includes remediating out-of-compliance AV, installing patches, and more detailed segmentation using simple VLAN and ACL assignment—or even using esoteric vendor tags in campus, data center or cloud environments.

This deep dive into the (impact) part of the equation is accomplished through various integration tools developed with the help of orchestration partners, highlighted by integration with EDR for IOC response. It’s a matter of taking a single identification that an IOC has happened on a single host, then testing other peer devices if the IOC exists. It’s simple, elegant automation with technology that most of our customers are leveraging in their environment.

In summary, the serious level of detail that SANS provides in its review of the Forescout technology is uniquely aligned with how a lot of customers evaluate our technology. In other words, it’s very process-oriented. Just through its sheer amount of detail, the SANS analysis truly speaks for itself when it comes to helping you make a better decision on technology.

Watch and listen to SANS analyst Don Murdoch, solution-oriented IT director and consultant, and Sandeep Kumar, Forescout Senior Director of Product and Technical Marketing, dig into the Forescout platform and how it provides a security solution for the modern enterprise.

To learn more read the full SANS product review here.

Demo Request Forescout Platform Top of Page