Everybody in IT security is talking about device visibility, or rather the lack of it, and this conversation is certain to intensify as the device landscape evolves. Instead of the static set of laptops, workstations and servers we used to see, today’s enterprise networks are populated with a diverse mix of mobile, BYOD and IoT devices, operational technologies and virtual systems.
We’re also in the midst of a fundamental shift from largely user-associated computing devices, where user identity is important for security policies, to a future with increasing numbers of IoT and OT devices where device function, type, operating system or vendor are required as identifying attributes in security policies. In fact, according to a recent survey of security professionals in large and mid-size organizations, 76% of respondents are rethinking their security strategies due to IoT security concerns.1
An increasing majority of new devices are IoT and OT systems, most of which do not support software agents. This makes it difficult to identify and classify devices, fully understand their risk profile and establish an accurate device inventory. Needless to say, bad actors can target this visibility gap to establish beachheads inside your network.
Seeing the devices connected to your networks can feel like the next best thing to nirvana. But let’s say you can detect everything connecting to your network. Then what? Just discovering devices and their IP or MAC address isn’t really going to help with your security initiatives if you can’t identify and classify them accurately. Without proper classification, how do you prevent unsanctioned surveillance systems from accessing your network? How do you segment HVAC systems into a separate security zone? And how do you mitigate a threat targeting IP cameras from specific vendors?
User identity isn’t relevant for most IoT and OT devices. You need to know the device type and function, operating system and version, and vendor and model, as well as where, when and how devices are connected to the network. CounterACT® 8 provides that vital information. Discovery is Step 1 (watch our recent webinar). Classification is Step 2 in managing your security and risk objectives.
Using our unique agentless approach, the Forescout platform allows you to accurately identify and classify devices the instant they connect to the network. How? The platform collects attributes about each device by leveraging active and passive techniques for discovery and profiling. It obtains information from network traffic, infrastructure and protocols—all without actively probing or accessing connected devices. For environments where you want to use active scanning, the platform captures more in-depth information via a number of active profiling techniques.
Next, the platform applies classification rules to these device attributes to auto-classify devices by function and type, operating system, vendor and model. It provides a device profile library with auto-classification rules, and Forescout Research publishes updates of this library incorporating our latest insights.
What about all the new IoT and OT devices that are connecting to your networks? How do you keep pace with these devices and auto-classify them? This is why we built our popular Forescout Device Cloud. It’s a crowd-sourced repository of over 3 million devices seen on our customers’ networks. Over 500 customers across 10+ industries are participating to date, and this number continues to increase weekly.
By anonymously sharing device insight with the Forescout Device Cloud, customers allow our research team to analyze new types of devices seen in real-world environments and create new or updated fingerprints to accurately classify these devices. Customers receive these classification profiles via the Forescout profile library. This improves auto-classification efficacy and coverage in your environments.
We realize that with the diversity of IoT and OT devices on enterprise networks today, you may have unique or less prevalent device types in your environment. To auto-classify such devices, we make it easy to create custom classification policies to augment the Forescout-provided classification profiles. In short, you can tailor and auto-classify devices based on your own requirements, then use this device identification and classification in your security policies.
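To make the two preceding ideas concrete, the passive attribute collection plus rule-based auto-classification described above, and the custom classification policies that augment a vendor-supplied profile library, here is an added illustration in Python. It is not Forescout code and does not reflect how CounterACT or the Forescout profile library is implemented internally; the attribute names, rule format, vendor names, OUIs, mDNS service name and sample observations are all constructed for the example. The only real-world details it leans on are that BACnet/IP runs over UDP port 47808 and that Windows DHCP clients send the vendor class identifier "MSFT 5.0". Unclassified devices deliberately fall into a quarantine zone, since a device you cannot identify should not inherit trust by default.

```python
"""Rule-based auto-classification of devices from passively observed attributes.

Added illustration, not Forescout code: attribute names, rule format, vendor
names, OUIs and the sample observations below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Attributes = Dict[str, str]  # what passive collection produced for one device


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Attributes], bool]  # predicate over the observed attributes
    function: str                         # e.g. "Physical Security"
    device_type: str                      # e.g. "IP Camera"
    vendor: str = "unknown"
    os: str = "unknown"
    priority: int = 0                     # highest matching priority wins


@dataclass(frozen=True)
class Classification:
    function: str
    device_type: str
    vendor: str
    os: str
    matched_rule: Optional[str]           # None means no rule fired


UNCLASSIFIED = Classification("unknown", "unknown", "unknown", "unknown", None)


def _eq(attrs: Attributes, key: str, value: str) -> bool:
    return attrs.get(key, "").lower() == value.lower()


def _has(attrs: Attributes, key: str, needle: str) -> bool:
    return needle.lower() in attrs.get(key, "").lower()


# Stand-in for a vendor-supplied profile library (all values constructed;
# the OUI 00:11:22 and "ExampleCam" do not denote a real manufacturer).
LIBRARY_RULES: List[Rule] = [
    Rule("examplecam-ip-camera",
         lambda a: _eq(a, "mac_oui", "00:11:22") and _has(a, "http_server", "examplecam"),
         function="Physical Security", device_type="IP Camera",
         vendor="ExampleCam", os="Embedded Linux", priority=10),
    Rule("bacnet-hvac-controller",
         # BACnet/IP is carried on UDP 47808; the vendor class string is constructed.
         lambda a: _eq(a, "udp_47808", "observed") or _has(a, "dhcp_vendor_class", "acme-hvac"),
         function="Building Automation", device_type="HVAC Controller", priority=5),
    Rule("windows-host",
         # "MSFT 5.0" is the DHCP vendor class identifier Windows clients send.
         lambda a: _has(a, "dhcp_vendor_class", "msft 5.0"),
         function="User Endpoint", device_type="Workstation", os="Windows", priority=1),
]

# A site-specific custom rule for a device type the library does not know
# (the mDNS service name is constructed).
CUSTOM_RULES: List[Rule] = [
    Rule("site-lab-oscilloscope",
         lambda a: _eq(a, "mdns_service", "_labscope._tcp"),
         function="Lab Instrument", device_type="Oscilloscope", priority=20),
]


def classify(attrs: Attributes, rules: List[Rule]) -> Classification:
    """Evaluate every rule; the highest-priority match wins (earlier rule on ties)."""
    best: Optional[Rule] = None
    for rule in rules:
        if rule.match(attrs) and (best is None or rule.priority > best.priority):
            best = rule
    if best is None:
        return UNCLASSIFIED
    return Classification(best.function, best.device_type, best.vendor, best.os, best.name)


# Segmentation policy keyed on device function rather than on user identity.
ZONE_BY_FUNCTION = {
    "Physical Security": "cctv-zone",
    "Building Automation": "ot-zone",
    "User Endpoint": "corp-zone",
    "Lab Instrument": "lab-zone",
}


def assign_zone(c: Classification) -> str:
    """Unclassified devices are not trusted by default: they land in quarantine."""
    return ZONE_BY_FUNCTION.get(c.function, "quarantine")


def classify_inventory(devices: Dict[str, Attributes], rules: List[Rule]) -> Dict[str, str]:
    """Map device id -> assigned zone for a whole inventory of observations."""
    return {dev: assign_zone(classify(attrs, rules)) for dev, attrs in devices.items()}


# Constructed observations for four devices, as passive collection might yield.
SAMPLE_DEVICES: Dict[str, Attributes] = {
    "cam-01":  {"mac_oui": "00:11:22", "http_server": "ExampleCam/2.1"},
    "hvac-07": {"dhcp_vendor_class": "ACME-HVAC-CTRL", "udp_47808": "observed"},
    "pc-42":   {"dhcp_vendor_class": "MSFT 5.0", "mac_oui": "aa:bb:cc"},
    "scope-3": {"mdns_service": "_labscope._tcp", "mac_oui": "dd:ee:ff"},
}

if __name__ == "__main__":
    for dev, zone in classify_inventory(SAMPLE_DEVICES, LIBRARY_RULES + CUSTOM_RULES).items():
        print(dev, "->", zone)
```

Run with only `LIBRARY_RULES` and the oscilloscope ends up in quarantine because nothing identifies it; append `CUSTOM_RULES` and the same observations classify it as a lab instrument and place it in the lab zone. That is the augmentation pattern the post describes: the library covers the common cases, site-specific rules cover the long tail, and the resulting classification, not the user, drives the segmentation decision.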
I mentioned three challenges at the top of this blog: growing device diversity, the lack of management agents and the inability to identify and classify these devices. While customers and vendors continue to talk about these serious challenges, I’m happy to say Forescout currently addresses them. Our platform’s classification capabilities and the Forescout Device Cloud allow you to auto-classify your devices so you can create identity-aware security policies for device compliance, network access control, segmentation, and incident response.
If you are interested in additional information on CounterACT 8, click here. And, to learn more about device classification using Forescout, don’t miss our upcoming webinar: Raising the Bar on Device Classification.
1 “Fail to Plan, Plan to Fail”, Forrester Consulting, November 2017.