ForeScout Technologies, Ayelet Steinitz, Product Manager, April 2003
The Problem
• Constant new threats and vulnerabilities
• Current solutions not sufficient
• Reactive solutions incur false positives
• Reactive solutions miss unknown attacks
• Reactive solutions do not allow for automatic action
• Inherent window of vulnerability
• High maintenance and TCO
A New Approach to Network Security: Protect By...

Product: Firewall
• Key issue: Policy
• Characteristics: access list by services offered
• Cost to maintain: low cost; defined, static policy
• Accuracy (false positives): accurate; does exactly what you told it to do!

Product: IDS / IPS
• Key issue: Analysis
• Characteristics: pattern recognition, by anomaly; forensics; reactive
• Cost to maintain: high cost to update and to manage
• Accuracy (false positives): false positives; not confident to take automatic action

Product: ActiveScout
• Key issue: Proven intent
• Characteristics: identify attacker intent; stop attacker from reaching network; proactive
• Cost to maintain: low cost, low complexity; dynamic
• Accuracy (false positives): accurate; confident to act. If ActiveScout identifies a Bad Guy: It’s a BAD GUY!
Knowledge: Mandatory Requirement
Knowledge is needed 100% of the time. Where the attacker gets it:
• Social engineering: password snare, networking
• Public domain: email server, web server
• Reconnaissance: 20 types; precedes the majority of attacks
Typical Attack Process
(Diagram: Attacker → Internet → Router → Firewall → Enterprise)
Step 1. Most network attacks are preceded by reconnaissance activity to determine available services and network resources.
Step 2. The network sends information about available hosts and services in response to the reconnaissance.
Step 3. With this information, the attacker utilizes existing or new exploits to break into the network.
ActiveScout Intrusion Prevention
(Diagram: Attacker → Internet → Router → Firewall → Enterprise, with a Scout and its Site Manager deployed in front of the firewall)
Step 1. ActiveScout identifies all reconnaissance used by a potential attacker.
Step 2. ActiveScout watches the network’s response and sends its own unique information to the potential attacker. This unique information, or ‘mark’, is not distinguishable from the network’s legitimate response.
Step 3. When the attacker uses the mark to launch an exploit, ActiveScout accurately identifies it and can actively block the attacker.
The ActiveScout Difference
• Difference #1: Blocks unknown attacks
• Difference #2: Minimal cost of prevention
• Difference #3: Instantaneous prevention
• Difference #4: 100% accurate (no false positives, confidence to block)
Time to Prevention Without ActiveScout
Timeline (hundreds of new vulnerabilities per month):
1. New vulnerability
2. Exploit is known to the security community
3. Spida spreads
4. Spida detected
5. Protection offered
6. Protection available
Window of Vulnerability: from the moment the exploit is in use until protection is available.
Time to Protection: days / weeks / months / never?

Instantaneous Prevention With ActiveScout
Same timeline, but the attacker is blocked when it acts on the mark, before an exploit reaches the network:
Time to Protection: immediate
Window of Vulnerability: zero
State of Security Today
Internet
→ ActiveScout: prevents intrusions from known and unknown threats in front of the firewall (instantaneous prevention)
→ Firewall: provides robust static prevention according to predefined policies
→ Intranet Security: myriad of security products (HIDS, NIDS, anti-virus)
ActiveScout Minimal Cost of Prevention
Actions compared, legacy systems versus ActiveScout:
• Analysis of alerts
• Correlation analysis
• Policy tuning
• Fix the damage
• Installation
• Software updates
• Signature updates
• Write your own signature
Investment: legacy systems $$$$$$$$$$
The ActiveScout Difference (conventional systems vs. ActiveScout)
• False alarm rate: conventional systems 30%-60%; ActiveScout 0%
• Time to prevention: conventional systems days, months, years; ActiveScout 0 (immediate)
• Cost of prevention: conventional systems $$$$$$$; ActiveScout $
ForeScout’s Intrusion Prevention Solutions
• ActiveScout Site Solution: precisely identifies and then blocks attackers at a single internet access point with zero false alarms.
• ActiveScout Enterprise Solution: precisely identifies and then blocks attackers with zero false alarms across a large enterprise.
  - Enterprise Manager: provides centralized management of all Scouts deployed
  - Enterprise Heads-Up: thwarts the rapid spread of attacks from one internet access point to the next
ActiveScout Site Solution: Intrusion Prevention for Each Internet Access Point
(Diagram: Internet → Router → Firewall → Enterprise, with a Scout and Site Manager at the access point)
ActiveScout Enterprise Solution: Intrusion Prevention for Multiple Internet Access Points
• Protects an entire enterprise
• Centralized viewing of all attack activity around the world
• Centralized management of groups of Scouts
• Ability to push new software updates to remote Scouts
(Diagram: several Scouts, each with a Site Manager at its own internet access point, reporting to a Management Server running Enterprise Manager)
Enterprise Heads-Up
• Enterprise deployments only
• Immediate sharing of threat information across multiple Scouts to assure proactive prevention across the enterprise
• Provides the fastest way to protect from new attacks traversing the internet

Enterprise Heads-Up: how it works
Step 1. Attacker detected by New York Scout
Step 2. Attack information immediately sent to Management Server
Step 3. San Francisco Scout ready to block attacker
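The mark mechanism described under ActiveScout Intrusion Prevention above, together with the three Heads-Up steps just listed, as an added simulation. This is editorial example code, not ForeScout's product code: the page does not describe ActiveScout's real mark format or wire behaviour, so the Scout and ManagementServer classes, the HMAC-derived fake port used as the "mark", the handle() verdict strings and every address and key below are assumptions constructed for the example.

```python
import hashlib
import hmac


# Constructed sample network behind one internet access point: these are the
# only real listening services. Every other (host, port) is closed.
REAL_SERVICES = {("203.0.113.10", 25), ("203.0.113.10", 80)}


class ManagementServer:
    """Enterprise Heads-Up: a verdict from one Scout is pushed to every Scout."""

    def __init__(self):
        self.scouts = []
        self.blocked = set()

    def heads_up(self, attacker, reporting_scout):
        self.blocked.add(attacker)
        for scout in self.scouts:
            scout.blocked.add(attacker)


class Scout:
    """One Scout in front of a firewall; it sees every packet as (src, dst, port)."""

    def __init__(self, name, server, secret):
        self.name = name
        self.server = server
        self.secret = secret      # hypothetical per-Scout key used to derive marks
        self.marks = {}           # (dst, port) -> scanner that was handed this mark
        self.blocked = set()
        server.scouts.append(self)

    def _mark_port(self, dst, scanner):
        # A port only this scanner will ever be told about. A keyed hash makes it
        # unguessable and different per scanner; the loop keeps it clear of real
        # services so the mark can never collide with legitimate traffic.
        digest = hmac.new(self.secret, f"{dst}|{scanner}".encode(), hashlib.sha256).digest()
        port = 40000 + int.from_bytes(digest[:2], "big") % 20000
        while (dst, port) in REAL_SERVICES:
            port += 1
        return port

    def handle(self, src, dst, port):
        """Verdict for one packet: 'forwarded', 'marked:<port>', 'blocked' or 'dropped'."""
        if src in self.blocked:
            return "dropped"                 # already convicted, here or by another Scout
        if (dst, port) in REAL_SERVICES:
            return "forwarded"               # legitimate traffic is never touched
        if (dst, port) in self.marks:
            # Nobody was told about this port except the scanner we marked, so a
            # connection to it is proven intent rather than a statistical guess.
            self.blocked.add(src)
            self.server.heads_up(src, self.name)
            return "blocked"
        # A probe of a closed port is reconnaissance. Instead of letting the
        # network's reset answer it, reply as if a service were listening on a
        # marked port that only this scanner learns about.
        mark = (dst, self._mark_port(dst, src))
        self.marks[mark] = src
        return f"marked:{mark[1]}"


def demo():
    """Replay the three Heads-Up steps with constructed addresses; returns the verdict log."""
    server = ManagementServer()
    ny = Scout("New York", server, b"constructed-ny-key")
    sf = Scout("San Francisco", server, b"constructed-sf-key")
    attacker, client, host = "192.0.2.99", "198.51.100.7", "203.0.113.10"
    log = []
    log.append(("NY", client, ny.handle(client, host, 80)))              # forwarded
    recon = ny.handle(attacker, host, 8080)                                # marked:<port>
    log.append(("NY", attacker, recon))
    mark_port = int(recon.split(":")[1])
    log.append(("NY", attacker, ny.handle(attacker, host, mark_port)))    # Step 1: blocked in NY
    # Step 2 happened inside handle(): the verdict was sent to the Management Server.
    log.append(("SF", attacker, sf.handle(attacker, "203.0.113.20", 80)))  # Step 3: dropped in SF
    log.append(("NY", client, ny.handle(client, host, 25)))              # still forwarded
    return log


if __name__ == "__main__":
    for scout, src, verdict in demo():
        print(f"{scout:3} {src:14} {verdict}")
```

Running it prints one verdict per packet. The thing to notice is that the block decision never rests on a signature or a statistical threshold: a legitimate client is never told the marked port, so it cannot trip the detector, which is where the deck's zero-false-positive claim comes from. The practitioner's caveat is that this holds only while marks stay unguessable and are handed to nobody but the scanner; a leaked or predictable mark turns the next innocent host to touch it into a "BAD GUY".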
Summary
• Accurate identification
• Zero false positives
• Block known and unknown attacks
• Instantaneous prevention
• Minimal cost of prevention
ForeScout Technologies, Inc., 2755 Campus Drive, Suite 115, San Mateo, CA 94403, (650) 358-5580
www.forescout.com
Ayelet Steinitz, Product Manager, ActiveScout
Tel. (650)[email protected]