How Forescout enables coordinated, automated incident response—without agents or blind spots
Why is effective incident response so important?
From the time a network is breached to the time the security issue is resolved, your window of vulnerability is wide open—a situation that’s tailor-made for hacking, malware proliferation and data theft. And the longer the mean time to response (MTTR), the more likely it is that an attack will spread laterally across the network.
Worse still, many organizations’ incident response (IR) teams are crippled by lack of visibility—they can’t see devices on the network that don’t have security agents on board, including rogue devices and most IoT and operational technology (OT) systems and devices. As a result, some IR teams never contain certain incidents at all: new devices keep connecting into total blind spots, so the team never sees them coming.
Forescout offers an intelligent foundation for automated information sharing and orchestrated incident response. The Forescout platform detects and assesses device compliance upon connection and orchestrates response in real time with leading security and IT management tools to reduce your window of exposure, increase the productivity of your team, and maximize your security ROI.
The first step is obtaining absolute visibility. You can’t know if devices on your network are potential threats if you can’t even see them. Because the Forescout platform discovers the increasing proportion of IoT, OT and other non-traditional systems and devices that do not or can’t have agents, our customers have reported seeing up to 60% more devices on their networks than previously known. And once devices are visible, they can be identified, classified and controlled.
This can be accomplished via the Forescout platform together with endpoint detection, protection and response products that have eyeExtend integrations. One such platform is the CrowdStrike® Falcon platform.
eyeExtend for CrowdStrike is an integration product that orchestrates information sharing and security workflows between the Forescout and CrowdStrike platforms to improve device hygiene, proactively detect threats across the network and automate threat response. This solution combines the agentless visibility and control capabilities of the Forescout platform with the threat intelligence and advanced endpoint protection of the CrowdStrike Falcon platform.
The integration helps customers enforce compliance by ensuring endpoints have the Falcon agent installed, and therefore reduces the risk of having unmanaged devices on their network. It also provides a mechanism for distributing endpoint management software, which improves the user experience and increases operational efficiency.
The integration of the Forescout platform with CrowdStrike lets you:
- Fortify endpoint defenses, minimize security breaches, and reduce your attack surface
- Gain visibility and control of devices across your network and beyond
- Verify the presence of functional CrowdStrike agents at connection time and enroll devices with missing agents
- Monitor devices for Indicators of Attack (IOAs) received from CrowdStrike and take actions to isolate, quarantine and remediate
- Employ combined, automated response options to quarantine or remediate infected devices
Together, Forescout and CrowdStrike provide both broad and deep endpoint discovery, threat detection, and remediation across a vast array of device types and networks. The Forescout platform also helps continually enforce device compliance upon network access.
Forescout Extended Module for CrowdStrike Datasheet
Forescout eyeExtend for CrowdStrike Configuration Guide
When incident response is ineffective, it’s either delayed or nonexistent. Either way, there’s a window of vulnerability that is wide open for a period of time in which sensitive information can be stolen and infrastructure—not to mention an organization’s reputation—can be irreparably damaged.
In addition, fines for noncompliance with regulatory standards can be exorbitant. And after the bad news gets out and the dust has settled, partners and contractors may be unwilling to do business with you, and customer loyalty may also take a hit. If all of this weren’t enough, by showing the world that it is unable to deal with security incidents in a timely manner, an organization becomes a prime target for future criminal exploits.
What are incident response best practices?
Agentless devices such as BYOD, IoT, OT and rogue endpoints all increase risk and the attack surface of any organization. Compromised devices—even with agents—do the same. The most important best practice is establishing strong security through rapid and effective incident response, which requires:
- Unimpeded asset intelligence. You have to know that corporate-owned devices on your network are compliant with your corporate security policies. That means knowing that the agents on those devices are updated and running.
- Visibility into all IP-enabled devices. You must be able to determine whether traffic is safe or suspicious at any given time. Deploy solutions that can block rogue devices and quarantine “safe” devices when they begin to act suspiciously. Use network segmentation to wall off areas of the network that contain sensitive information.
- Reducing complexity of incident response. Automation is key. It can help to correctly prioritize alerts and assess threat criticality of incidents while reducing the downtime involved in removing suspicious systems and returning them to full access.
- Integration of various security solutions (NAC, antivirus, SIEM, VA, etc.). These systems must be able to share information and work together to validate device identity and users prior to providing role-based network access and enforcing security policies.
The Forescout platform can be the foundation for comprehensive device visibility and control, and for overall cybersecurity. Key to SOC empowerment is the Forescout platform integration with ServiceNow®, which is facilitated by eyeExtend for ServiceNow. It’s a combination that offers:
- The ability to generate security incident alerts based on Forescout policies and enable ServiceNow to initiate automated remediation actions
- Visibility and configuration monitoring for devices across campus, data center and cloud to improve IT asset management and compliance
- Single-source-of-truth asset repository to help ensure IT teams have access to timely and accurate device information to respond to IT service requests and security incidents
Forescout eyeExtend for ServiceNow can integrate the contextual data procured by the Forescout platform with an organization’s ServiceNow configuration management database (CMDB), so security and IT staffs can be confident that the data fed into the CMDB from various sources is accurate and current. In addition, the integration allows for automating help desk ticketing. When the Forescout platform detects a rogue device, for instance, an incident ticket is automatically opened.
Aside from helping to automate and accelerate incident response, the Forescout platform can provide the continuous device visibility and control needed to bring endpoint compliance up to date and keep it current while safely onboarding guests and detecting and isolating rogue devices. If the Forescout platform detects an unknown device attempting to access the network, it can automatically route the device to a guest virtual local area network (VLAN). If malware is suspected, the Forescout platform can route the device to an isolated VLAN for quarantine and further analysis.
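The connection-time workflow described above (classify the device, verify that a required agent is installed and running, act on IOAs reported by an EDR tool, route to an access, guest or quarantine VLAN, and open a ticket for rogue or quarantined devices) can be modelled as an ordered policy evaluation. The following is an added example written for this page; it is not Forescout's code and does not use the Forescout or ServiceNow APIs. The VLAN ids, device fields, action names and sample inventory are all constructed for illustration.

```python
"""Simplified model of connection-time NAC policy evaluation (added example).

Not Forescout's code or API. It models the workflow the page describes:
classify a device as it connects, verify a required endpoint agent is present
and functional, act on indicators of attack (IOAs) from an EDR tool, route the
device to an access, remediation, guest or quarantine VLAN, and open an
incident record for rogue or quarantined devices. All ids and records below
are constructed sample values.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Assumed VLAN ids (illustrative only).
ACCESS_VLAN = 100
GUEST_VLAN = 200
REMEDIATION_VLAN = 300   # limited access: reach only the agent-deployment service
QUARANTINE_VLAN = 999
VLAN_NAMES = {ACCESS_VLAN: "access", GUEST_VLAN: "guest",
              REMEDIATION_VLAN: "remediation", QUARANTINE_VLAN: "quarantine"}

# Device classes expected to carry an endpoint agent; IoT/OT classes are agentless.
AGENT_REQUIRED = {"workstation", "server"}


@dataclass
class Device:
    mac: str
    known: bool                          # present in the asset inventory / CMDB
    classification: str                  # "workstation", "server", "iot", "ot", "unknown"
    agent_installed: bool = False
    agent_running: bool = False
    ioa_severity: Optional[str] = None   # None, "low", "medium", "high", "critical"
    current_vlan: Optional[int] = None   # VLAN the device sits on now; None = just connecting


@dataclass
class Decision:
    vlan: int
    actions: list = field(default_factory=list)
    ticket: Optional[dict] = None        # stand-in for an ITSM incident record


def _ticket(dev: Device, reason: str, priority: int) -> dict:
    """Minimal incident record; a real integration would post this to the ITSM tool."""
    return {"mac": dev.mac, "short_description": reason, "priority": priority}


def evaluate(dev: Device) -> Decision:
    """Access decision for one device. Rules are ordered by risk: an active
    high-severity IOA wins over everything, then rogue/unknown devices, then
    agent compliance for managed classes, then allow (with monitoring)."""
    if dev.ioa_severity in ("high", "critical"):
        return Decision(QUARANTINE_VLAN, ["isolate", "request_edr_remediation"],
                        _ticket(dev, f"IOA ({dev.ioa_severity}) on {dev.mac}", 1))
    if not dev.known or dev.classification == "unknown":
        return Decision(GUEST_VLAN, ["fingerprint", "notify_soc"],
                        _ticket(dev, f"Rogue/unknown device {dev.mac}", 2))
    if dev.classification in AGENT_REQUIRED:
        if not dev.agent_installed:
            return Decision(REMEDIATION_VLAN, ["deploy_agent"])
        if not dev.agent_running:
            return Decision(REMEDIATION_VLAN, ["restart_agent"])
    actions = ["allow"]
    if dev.ioa_severity in ("low", "medium"):
        actions.append("flag_for_review")   # low-severity IOA: monitor, do not isolate
    return Decision(ACCESS_VLAN, actions)


def needs_containment(devices: list) -> list:
    """MACs of devices that policy says to quarantine but that are not yet quarantined."""
    return [d.mac for d in devices
            if evaluate(d).vlan == QUARANTINE_VLAN and d.current_vlan != QUARANTINE_VLAN]


def summarize(devices: list) -> dict:
    """Dashboard-style count of devices per decided VLAN."""
    return dict(Counter(VLAN_NAMES[evaluate(d).vlan] for d in devices))


# Constructed sample inventory.
SAMPLE_DEVICES = [
    Device("00:11:22:33:44:01", True, "workstation", True, True, None, ACCESS_VLAN),
    Device("00:11:22:33:44:02", True, "workstation", False, False, None, ACCESS_VLAN),
    Device("00:11:22:33:44:03", False, "unknown"),
    Device("00:11:22:33:44:04", True, "iot", current_vlan=ACCESS_VLAN),
    Device("00:11:22:33:44:05", True, "server", True, True, "critical", ACCESS_VLAN),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.mac, evaluate(dev))
    print("uncontained:", needs_containment(SAMPLE_DEVICES))
    print("summary:", summarize(SAMPLE_DEVICES))
```

The rule ordering is the security-relevant design choice: a device with an active high-severity IOA is quarantined even if it is fully compliant, and a known IoT device without an agent is allowed because its class is agentless, whereas a workstation without an agent is held on a remediation VLAN until the agent is deployed.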
In many environments, mapping users to devices is essential for network and data protection. The Forescout platform rapidly and dynamically identifies and categorizes devices—even non-traditional ones such as smartphones, tablets and Internet of Things (IoT) devices—that are already on or joining the network. It achieves this without requiring software agents or previous device knowledge. Next, it pinpoints which user is logged into each device and, based on the user’s name and department, which content each device is accessing. The Forescout platform can be relied on to determine the device type, user, owner and operating system, as well as device configuration, software, services, patch state and the presence of security agents. Integration with Palo Alto Networks® NGFWs via eyeExtend for Palo Alto Networks NGFWs can further boost network security by feeding relevant device data to the firewalls. This enables SOCs to quickly detect malicious downloads and significantly improve overall incident response.
For advanced threat detection, the Forescout platform integrates with Palo Alto Networks WildFire. With an integration assist from eyeExtend for Palo Alto Networks WildFire, this combination can prevent propagation of advanced threats across the enterprise environment by providing real-time visibility and compliance management of endpoints, facilitating effective response to advanced persistent threats (APTs) and zero-day threats, and establishing the automation to efficiently and accurately mitigate endpoint risks and advanced threats.
Forescout Case Study: California’s Office of Statewide Health Planning and Development
The Forescout platform provides the ability to:
- Discover every IP-connected physical and virtual device across campus, data center, cloud and industrial environments.
- Classify diverse IT, IoT and OT/ICS devices in real time.
- Assess and continuously monitor compliance of all devices without requiring agents.
- Share device context information in real time with myriad security solutions and, through orchestration, enable automation of remediation actions.
Why are organizations deploying the Forescout platform to manage incident response?
Maintaining real-time visibility into every device connected to the network is key to timely and effective incident response. The Forescout platform lets you see and control every device on the network—including BYOD and IoT devices, OT endpoints, and virtual machine (VM) instances—in real time. It lets you:
- Identify high-risk devices that haven’t been contained or remediated
- Execute predefined remediation for noncompliant devices at time of connect to reduce MTTR
- Search for potentially vulnerable devices
- View a single dashboard showing overall device health across the entire enterprise
Organizations also value security tool orchestration that enables comprehensive detection and control (blocking, quarantining, etc.) of rogue devices, as well as identification and remediation of compromised devices. The Forescout platform facilitates all of this, both natively and via eyeExtend products.
Forescout Case Study: Hillsborough Community College
How do eyeExtend products extend the value of the Forescout platform and third-party security tools?
eyeExtend products enable the Forescout platform and other IT and security products to share device context—everything from the device type, user, owner and operating system to the device configuration, software, services, patch state and presence of security agents. By facilitating information sharing at this level, eyeExtend products enable automation of policy enforcement across disparate solutions to accelerate system-wide response and mitigate risks. This increases the value of all of the integrated security solutions—even some legacy solutions. In addition, integration of the Forescout platform with leading security information and event management (SIEM), vulnerability assessment (VA), and advanced threat detection (ATD) solutions, among other security tools, enables security and IT teams to:
- Hunt for vulnerabilities, indicators of compromise (IoCs) and other attributes provided by leading threat detection, vulnerability management and SIEM vendors
- Verify device compliance for functional antivirus, up-to-date signatures, encryption and other endpoint policies and facilitate remediation actions
- Facilitate policy-driven remediation actions against noncompliant or compromised devices
- Implement dynamic network segmentation, automate controls for secure access to critical resources and create context-aware security policies within next-generation firewalls
- Automate responses to threats—even from undiscovered local privileged access accounts—based on holistic visibility into user activity, device security posture, incident severity and overall threat exposure
- Improve situational awareness and mitigate risks using advanced analytics by sharing comprehensive device information with leading SIEMs, including IoT classification and assessment context, for correlation and incident prioritization
- Share comprehensive vulnerability assessment data to initiate VA scanning of devices and automate policy-based enforcement actions as necessary
- Execute incident response actions as requested by leading security orchestration, automation and response (SOAR) vendors
Lastly, the eyeExtend Open Integration Module allows customers, systems integrators and technology vendors to integrate custom applications, security tools and management systems with the Forescout platform.