Symantec & ForeScout Delivering a Unified Cyber Security Solution (UCSS)UCSS A Unified Approach to Managing Cyber Threats

Presenting: Tom Blauvelt (Symantec)Sean Telles (ForeScout)Chris Dullea (ForeScout)

04/18/2023 2

Tying it all together with UCSS

Proprietary & Confidential

Proactive Cyber

Defenses

Situational Awareness

Organizational Culture

Process Optimization

& Automation

04/18/2023 3

Unified Cyber Security Solution (UCSS) Summary

UCSS is Capable of Providing:•A comprehensive view into your assets ensuring

appropriate support•Drives costs down through automation and improved

security services•Improving IT service uptime and efficient and effective

operations•A strong Cyber Hygiene for your IT Services•Risk mitigation and reduction in time to respond to

threats

Proprietary & Confidential

04/18/2023 4

Three levels of maturity UCSS can assist your agency

UCSS Levels of Maturity

•Level One – Move from ad-hoc processing to process standardized, event management

•Level Two – Repeatable task automation with little or no policy driven automation

•Level Three – Complex process automation human driven, policy driven automation & continual improvement

1James A. Lewis, RaisiUCCS the Bar for Cybersecurity. WashiUCCSton, DC: CSIS, 2013.

Proprietary & Confidential

04/18/2023 5Proprietary & Confidential

Question: Where is Your Organization in Relation to Evolving from Chaos to Continual Improvement?

Identify Opportunitiesfor improvement

Complex process automation

Deliver simple process

automation

Automate simple,

repeatable tasks

Eliminate waste in manual processes

Improve situational awareness

Non-standard, manual processes

Ad-hoc manualresponse

Standardize manual

processes

Monitoringand reporting

Automation technologies

Orchestratemonitoring &

automation

Unifyautomation technologies

Continual Improvement

Level 1

Level 2

Level 3

Sec

ured

Ser

vice

s

Increased MaturityLow

Low High

High

UCSS Proposed Compliance

Maturity Levels

04/18/2023 6

Risk and Threats Everywhere, All the Time

Cloud

Hackers

Authentication & Encryption

Virtualization

Cyber Threats

Compliance

Remote Offices/Workers

Mobile Devices

Malicious & Well-meaning Users

Social Media

Advanced Persistent Attacks

Proprietary & Confidential

04/18/2023 7

What is the Scope of the Problem?

•Every Three Days (on Federal networks):–Trillions of cyber events –Billions of potentially defective hardware, software, and account changes–Millions of attempted attacks at Internet speed–Thousands of new flaws introduced –Hundreds of successful attacks

•Every Three Months:–Over 10,000 successful attacks–An unknown number of these attacks are repaired–Terabytes of data are stolen–Over 7,200 reports are written2

–Hundreds of labor hours are wasted

2Office of Management and Budget, Memorandum 02-01: Guidance for Preparing and Submitting Security Plans of Action and Milestones. Washington, DC: OMB, 2001.

Proprietary & Confidential

04/18/2023 8

Summary & Timeline of Federal Cyber Breaches continued…

•March 2014 Government Printing Office & Government Accountability Office

–China - Possible reconnaissance or testing agency defenses

•March 2014 Office of Personnel Management:–China - Background information breach of employees with security clearances

•August 2014 Healthcare.gov:–Unknown – Malware insertion on server using default password for denial of

service attack

•October 2014 White House: –Russia - Executive Office of the President’s unclassified network including email

•November 2014 U.S. State Department: –Russia / China - Similar to White House attack via unclassified email

compromise

•November 2014 US Postal Service:–China - Agency personnel data compromised affecting nearly 800,00 employees

1. Nextgov.com, The Year of the Breach: 10 Federal Agency Data Breaches in 2014

Proprietary & Confidential

Summarizing the Growing Threat

•The US Federal Bureau of Investigation (FBI), notified 3,000 companies including banks, retailers, and defense contractors that they had been victims of cybersecurity breaches in 2013

•2013 was the year of the “Mega Breach”; in 2014 number of breaches increased 23%

•In 2014, 317 million new pieces of malware were released (~1 million per day)

•According to GSN Magazine 36% of government agencies report they have a skills gap to address today’s challenges

•Many Government Agencies still rely on non standard processes to perform common support tasks

Trained people along with standardized process alone cannot close the gaps without intelligent, policy-based automation.

1. http://www.washingtonpost.com/world/national-security/2014/03/24/74aff686-aed9-11e3-96dc-d6ea14c099f9_story.html2. http://www.symantec.com/security_response/publications/threatreport.jsp 3. http://www.gsnmagazine.com/article/40704/bridging_cybersecurity_skills_gap_automation_bluep

1

2

3

2

04/18/2023 10

Common examples of cyber hygiene that can be automated with UCSS

•Asset Discovery and Classification–Organizational, Guest, Rogue

•Patch Management Lifecycle•Vulnerability Management•Application / Software Whitelisting•Configuration Management & Compliance

Monitoring•System Staging / Hardening & Deployment

Proprietary & Confidential

04/18/2023 11

The Critical Importance of Strong Cyber Hygiene

•Recent CSIS report1 found that promoting Cyber Hygiene stops 85% of cyber attacks by:

–Searching for, finding, fixing, and reporting the worst cyber problems first in near-real time

–75% of the attacks use known vulnerabilities that could be patched–More than 90% of successful attacks require only the most basic techniques–96% of successful breaches can be avoided if the victim puts in place simple or

intermediate controls.

1James A. Lewis, Raising the Bar for Cybersecurity. Washington, DC: CSIS, 2013.

Given the stated scope of the problem, people and processes need more than siloed, standalone technologies to combat this epidemic.

Proprietary & Confidential

04/18/2023 12

A Strong Cyber Hygiene Starts Knowing What is On Your Network At All Times So Ask Yourself:

Can I accurately put a number on how many wired &

wireless assets are on my network?Assuming you could, would you know how many are:

Not compliant with:

• Antivirus

• Patches

• Software

• Agency Configuration Policies

• Best Practice Standards

Its Trusted State:

• Manageable

• Unmanageable

• Guests

• Unknown

• Misconfigured

• Rogue

Asset Type:

• Windows

• Linux/Unix

• Apple

• Mobile

• Printers

• VoIP

• Networking

• …etc

Now ask yourself: How well can I protect my assets, data, & personnel without a complete picture of what is on my network?

Proprietary & Confidential

04/18/2023

System / Application

/ Data / User

Control

Process Automation

Patch MGMT

Compliance MGMT

Asset Discovery

Endpoint Protection

UCSS Reference Architecture

Proprietary & Confidential13

Standards

Dashboard & Reporting

04/18/2023 14

Introducing the Symantec / ForeScout Unified Cyber Security Solution (UCSS)

Proprietary & Confidential

Data Providers

Data Consumers

Protection Layer• Open, standards-based API• Web Service (client or server),

SQL, LDAP, Syslog, CEF, SNMP, SSH

• Bidirectional integration

EndpointsNetwork

Infrastructure ITAM/CMDB

Incident

Patch

Antivirus

Compliance

RiskTM

TM

04/18/2023 15

Configuration Management – CCS Standards Manager

Proprietary & Confidential

Control Compliance Suite Standards Manager

1. Define Standards

3. Analyze and Fix

2. Managed/Unmanaged Assets

Evaluate (agent and/or agent-less)

• Automate technical controls assessments

• Identify configuration drift

• Manage exceptions

• Support remediation

• Support for agent-based and agent-less data gathering

• Security Content Automation Protocol (SCAP)

04/18/2023 16

Symantec IT Management Suite (ITMS)Powered by Altiris

Proprietary & Confidential

Symantec IT Management Suite(ITMS)Client Management

• Provisioning• Inventory• Software management• Patch management• Application virtualization• Remote management• Reporting and analytics

Server Management• Provisioning• Inventory• Software management• Patch management• VM management• Server monitoring• Reporting and analytics

Asset Management• Asset tracking• Barcode scanning• Contract management• Compliance• Reporting and analytics

• Create, operate, and maintain an authorized hardware inventory baseline, unique identifiers for hardware, and other properties such as the manager of the hardware.

• Create, operate, and maintain an authorized software inventory, unique identifiers for software, and other properties such as the manager of the software.

Symantec ITMS Provides Full Life-Cycle IT Asset Management

04/18/2023 17

Symantec Endpoint Protection (SEP)

Proprietary & Confidential

Layered protection to stop mass, targeted and advanced threats

Network Threat

ProtectionBlocks malware before it spreads to your machine

and controls traffic

Advanced Scanning

Blocks suspicious files – even those with no

fingerprint – before they can run and steal your

data

InsightReputationSafety ratings for every single software file on the planet, and uses this to block targeted

attacks

SONARBehavior Blocking

Blocks software with suspicious behaviors to stop advanced threats

SymantecPower Eraser

Aggressive SMR technology roots out entrenched

infections and kills them in seconds

Intelligent security technologies

04/18/2023 18

ForeScout’s Value Proposition: Supporting Continuous Monitoring, Mitigation, & Control

Proprietary & Confidential

Agentless Asset Discovery

Workflow AutomationAccess Control

Endpoint Mitigation

Continuous Visibility

Endpoint Authentication & Inspection

Information Integration

Network Enforcement

04/18/2023 19

• Discovery and inspection - who, what, where, health

• Managed, unmanaged, corporate, BYOD, rogueVisibility

• Policy-driven automation of controls & best practices

• Flexible and extensible, assess system compliance

Automated Compliance Assessment

• OS, applications, configuration, processes etc.• Improve ROI of existing security agentsAutomated Remediation

• Works with your existing IT infrastructure• Open integration architectureInteroperable

• Deliver automated, continual compliance management

• Multi-vendor, designed for endpoint diversity High ROI

Symantec & ForeScout UCSS Value Proposition

1

2

3

4

5

Proprietary & Confidential

04/18/2023 20

Symantec and ForeScout UCSS Use Cases

•Use Case #1: Device Discovery for ITMS, CCS, & SEP•Use Case #2: - Identify and Control Rogue Asset •Use Case #3: SEP Augmentation & Assistance •Use Case #4: - Promoting Cyber Hygiene via Missing Patch & Remediation

Proprietary & Confidential

04/18/2023 21

Use Case #1: Device Discovery for ITMS, CCS & SEP

Networking & Storage

Endpoints & Servers

Wireless & Mobile

Applications & OS

ForeScout CounterACT Provides Comprehensive Discovery of Connected Devices

ForeScout CounterACT thenfeeds Symantec with real-time asset data and information

Proprietary & Confidential

TM

04/18/2023 22

Event

Use Case #2: - Identify and Control Rogue Asset

Network

Rogue Device

RogueDevice

Detected

RogueDevice

Quarantined

Proprietary & Confidential

04/18/2023 23

Use Case #3: SEP Augmentation & Assistance

Restrict Access

Detect Issue

Symantec AgentStopped

Restart Agent

RestoreAccess

Event

Event

Remove Application

UnapprovedApplication

Installed

Proprietary & Confidential

04/18/2023 24

Event

Use Case #4: - Promoting Cyber Hygiene Detect Missing Patch & Auto-Remediate

Network

High RiskDevice

Detected

High riskDevice

Quarantined

EventApply Missing

Patch(s)Issue

Resolved

DeviceRestored

To Production

Proprietary & Confidential

TM

Automating Common Security and Compliance Remediation Processes

04/18/2023 26

Section 2 Summary: Automated Remediation

Automating the management of the known threat

Features & Benefits Include:•Automate management of cyber hygiene•Allow operations teams to automate the simple and focus on new and

complex•Ensure compliant security configurations are maintained at all times•Mitigate known threats through strong, automated cyber hygiene

management•Improved IT service efficiency and effectiveness•Greatly reduce number of successful attacks•Reduce cost of operations •Refocus staff on innovation vs operations

Proprietary & Confidential

04/18/2023 27Proprietary & Confidential

Symantec Product Summary•Intrusion Prevention•Browser protection•Traditional AV•Reputation•Behavioral detection•Advanced removal

• Automate technical controls assessments

• Identify configuration drift

• Manage exceptions• Support remediation • Support for agent-

based and agent-less data gathering

•CMDB•Asset discovery•Hardware & software inventory•Software package deployment and install •Patch inventory and deployment•Remote management

04/18/2023 28

What do Hackers Target on Systems?

Proprietary & Confidential

SDCS: Server Advanced

Registry

Config Files

Portable Storage Devices

Applications

Operating System

Memory

Enforce Registry Integrity

Enforce File Integrity

Enforce Memory Protection

Enforce network controls

Enforce device controls

Enforce application activity

04/18/2023 29

Extending Coverage to Broader Platforms

Proprietary & Confidential

Linux / Unix servers

Thin clientsPoint of sale / Payment processors

Kiosks / ATMs

SCADA systems

Medical devices

SDCS:SA

2012

- 7

04/18/2023 30

Black Hat 2014

Unpatched data center protected by DCS:SA remained hack-proof for the third time!

•Setup – “Mini Data Center” – Windows 2000, 2003 server, RHEL, CentOS, XP and Windows 7 desktops and a NetBackup Appliance

–Point of Sale software running on the desktops connecting to servers for processing transactions–DCS:SA firewall intentionally left open–Other common misconfigurations (unpatched, passwords in files, etc)

•Goal – “capture the flag” (Gain access and steal data) on systems to win prizes

•Players - ~40 simultaneously, with members including industry professionals•Attacks – variety of techniques employed including:

–Brute force password attempts (averaging 400 password login attempts per minute throughout the conference

–Metasploit-driven attacks–Attempts to shutdown DCS:SA services

•Results – DCS:SA protected the systems yet again this year - $5,000 prize left unclaimed

Proprietary & Confidential

04/18/2023 31

ForeScout’s Value Proposition: Augmenting & Automating Compliance Management Addressing 5 Key Compliance Gaps

Proprietary & Confidential

Compliance GAP CounterACT CapabilitiesGAP #1: Difficulties persist in detecting every device connecting to classified and unclassified networks within a timely manner. This impacts all compliance efforts as compliance tools cannot completely protect their environment.

CounterACT delivers real-time, agent-less discovery of devices connected to networks through direct integration with the network infrastructure.

GAP #2: Difficulties persist with automated classification of non-traditional IP-enabled devices connecting to classified and unclassified networks. This gap heavily impacts configuration and compliance management.

CounterACT delivers a mechanism to classify non-standard IP-enabled devices connected to classified and unclassified networks through active and passive fingerprinting.

04/18/2023 32

ForeScout’s Value Proposition: Augmenting & Automating Compliance Management Addressing 5 Key Compliance Gaps

Proprietary & Confidential

Compliance GAP CounterACT CapabilitiesGAP #3: Significant difficulties persist in identifying non-manageable devices connected to classified and unclassified networks as authorized or unauthorized. These unmanaged devices provide the beachhead for adversaries to launch attacks and expand their control.

CounterACT identifies Government Furnished Equipment (GFE) devices, authorized guest devices, and rogue devices at the network level. Additionally, CounterACT delivers a mechanism to invoke or restore manageability of unmanaged GFE, BYOD, or authorized guest devices.

GAP #4: Significant difficulties persist in removing unauthorized or non-compliant devices from classified and unclassified networks.

CounterACT provides a mechanism to revoke access or restore manageability of unmanaged GFE, BYOD, or authorized guest devices.

GAP #5: Difficulties persist in ensuring that all required software components are persistently present and operational on all internal devices.

CounterACT provides a mechanism to identify and remediate missing or malfunctioning software components on GFE devices without requiring a client.

04/18/2023 33

Symantec & ForeScout UCSS Value Proposition

Proprietary & Confidential

UCSS is Capable of Providing:•Faster detection time of threats and defects

–Vulnerabilities–Mis-Configurations–Unauthorized hardware / software

•Automated or semi-automated threat response–Identification of control point failure–Alerting and/or auto-deployment

•Customization to meet unique environments and specific use cases

04/18/2023 34

Symantec and ForeScout UCSS Use Cases

•Use Case #5: Automating Hardening & Remediation•Use Case #6: - Automated Unknown Vulnerability 0-day

Scanning & Protection•Use Case #7: Provision UCCS a Hardened System

Proprietary & Confidential

Use Case #5: Automating Hardening & Remediation

35Proprietary & Confidential

CCS scans hosts to identify issues Event

Event

Symantec ITMS Hardens /

Remediates

ForeScout CounterACT

Hardens / Remediates

04/18/2023 36

Use Case #6a: - Automated Unknown Vulnerability 0-day Scanning & Protection

Network

SymantecDCS:SA

enables threat protection

0-DayVulnerability

Identified Security Scan Initiated

Proprietary & Confidential

Event

ForeScoutQuarantines

Devices

Event

ForeScoutRestores

Connection

Third Party Vulnerability Scanner

04/18/2023 37

Use Case #7: Application Whitelisting

Proprietary & Confidential

EventNetwork

UnauthorizedApplication

Detected

HarmfulApplication

Installed

SystemQuarantined& Cleaned

Event

Clean SystemReturned toProduction

Proactive security through behavioral analysis and control: Proactive Prevention

04/18/2023 39

Section 3: Proactive Security Through Behavioral Analysis and Control

Intelligence Driven Security provides a new level of defense against unknown and advanced persistent threats:

•Proactive approach to securing against new threats married with traditional signature based controls ensures a complete level of protection against known and unknown threats.

•Features include:–Protect IT services from known and unknown threats–Advanced reputation and behavioral monitoring –Behavioral security control and management –Leverage intelligent data streams for automated action based on

anomalies in system behavior

Proprietary & Confidential

04/18/2023 40

Common examples UCSS Proactive Defense

•Systems with stale updates can be immediately patched or on demand

•Predictive analysis on possible attacks (i.e. reconnaissance detection) with preventative support

•Proactive prevention through known malicious entities that are protected by the UCSS solution

•Proactive detection of possible malicious entities to prevent a possible future event

•Proactive user and system anomaly risk monitoring and alerting

Proprietary & Confidential

Symantec Data Loss Prevention| TRENDS

64% of data loss caused by well-meaning insiders

50% of employees leave with data

$3.5 million average cost of a breach

Legal and compliance penalties

A corporate black eye

Proprietary & Confidential

Proprietary & Confidential

DescribedContent Matching

Indexed Document Matching

Vector Machine Learning

Exact Data Matching

DESCRIBED DATA

Non-indexable data

Lexicons

Data Identifiers

STRUCTURED DATACUSTOMER DATA

Customer / EmployeePricing

Partial row matching

Near perfect accuracy

UNSTRUCTURED DATAIP

Designs / Source / Financials

Derivative match

Near perfect accuracy

UNSTRUCTURED DATAIP

Designs / Source / Financials

Derivative match

Very High Accuracy

Symantec Advantage| HIGHEST DETECTION ACCURACY

Symantec DLP| CONTROL POINTSOffice 365iOSAndroid

EmailWebFTPIM

USBHard Drives

Removable StorageNetwork Shares

Print/FaxCloud & Web Apps

File ServersExchange, Lotus

SharePointDatabases

Web Servers

Network

Endpoint

Storage

Cloud & M

obile

Unified Management

Proprietary & Confidential

Proprietary & Confidential

0010101000101010001001001001110010010011100101000101010001010100010010010011100100100111001010001010100010101000100100100111001001001110010100010101000101010001001001001110010010011100101000101010001010100010010010011100100100111001010001010100010101000100100100111001001001110010100010101001010100010010010011100100100111001010001010100010101000100100100111010101000101010001001001001001110010100010101000101010001001001001110010010011100101000101010001010100010010010011100100100111001010001011000100010101000100100101010001010100010101000100100100111001101010100110

Data Insight| UNKNOWNS OF UNSTRUCTURED DATA

8

Explosive growth in volume of information created

Rapid increase in security risks and compliance regulations

Growing urgencyto gain controlof costs and risks

Where is the data stored?

How is the data being used?

What is the value of the data?

What data is out there?

Who owns the data?

Who has access to data?

Symantec Intelligence| UNIQUE VISIBILITY

Proprietary & Confidential

46Proprietary & Confidential

DeepSight| PORTAL, DATA FEED & INTELLIGENCE

• Understand, prevent and respond to current and emerging cyber threats

• Create informed countermeasures for current and future threats

• Obtain timely insight into current vulnerabilities and threats and prioritize resources

• Reduce the time and effort for SOC and IR teams to investigate incidents and vulnerabilities and improve efficiency

• Gain situational awareness to drive security decisions and manage risk

04/18/2023 47

Symantec Data Center Security

Proprietary & Confidential

Policy based protection System lock down Application Whitelisting Privilege de-escalation Exploit/malware prevention Remediation automation Compliance enforcement Real-time file integrity

monitoring User Monitoring Broad OS and platform

coverage

FEATURESComplete protection

across physicaland virtual servers

High performanceand reduced

downtime

Lower costmanagement and

administration

VALUEDetection + Prevention

Symantec Data Center Security:

Server Advanced

04/18/2023 48

ForeScout’s Value Proposition: Automating Compliance Monitoring & Remediation

Proprietary & Confidential

ForeScout Compliance Monitoring & Control Including: • Network

Communications• Virus Signature

Version

• 3rd Party Agent Health

• System Configuration

• System Patch Level

• Illegal Software Removal

• Integrated Zero Day Removal

04/18/2023 49

ForeScout’s Value Proposition: Mapping Policy to System Communication via CounterACT Virtual Firewall

Proprietary & Confidential

ForeScout CounterACT Maps Expected Function to Policy Control

04/18/2023 50

Symantec and ForeScout UCSS Use Case

•Use Case #1: Crown Jewel Identification & Protection

Proprietary & Confidential

Use Case #1: Crown Jewel Identification & Protection

51Proprietary & Confidential

Data Base Server

Web Server

Block

Illegal ActionIllegal ActionIllegal Action

04/18/2023 52

Use Case #2 White Board

•Three Control points – Web Gateway, Endpoint, Email•Infuse intelligence into them, could be an email system, spam content system,

IDS / IPS, or host based security tool.•Take events that are occurring in each control points and send the telemetry

into an analytics layer (SIEM / Splunk / ETC)•Analytics tool uses the intel infused telemetry to make decisions on known,

unknown, and emerging threats

Proprietary & Confidential

04/18/2023 53

Unified Cyber Security Solution (UCSS) Summary

UCSS is Capable of Providing:•Protect against known and unknown threats•Proactive Defenses Against Evolving landscape•Reduces outage or interruption risk due to preventative

measures•Reduces problem and incident improving service

function and value•Improve IT service value through consistent

performance

Proprietary & Confidential

04/18/2023 54

Contacts

Symantec

Proprietary & Confidential

Name Title EmailRob Potter Vice President Public Sector & Healthcare Rob_Potter@symantec.comJim Kunkle Sr. Director Sales, Department of Defense Jim_Kunkle@symantec.comRob Nash Sr. Manager, Federal Civilian Rob_Nash@symantec.comDawn Swainston Director, Business Development Dawn_Swainston@symantec.comKen Durbin compliance Practice Manager Kenneth_Durbin@symantec.comTom Blauvelt Technical Architect, Security/compliance Tom_Blauvelt@symantec.com

Name Title EmailNiels Jensen VP – Federal Area & SIs Niels.Jensen@forescout.comWallace Sann RVP & Fed CTO Wallace.Sann@forescout.comDevin Archer Director, Americas Channels Devin.Archer@forescout.comGreg Fortunato Director - SIs, Programs & Channels Greg.Fortunato@forescout.comSean Telles Federal Solutions Architect Sean.Telles@forescout.comRandy Boone Federal Bus Dev. Manager Randy.Boone@forescout.comAustin Maccherola Federal Bus Dev. Rep Austin.Maccherola@forescout.com

ForeScout

DLTName Title Email

Jimmy Womack Sales Manager - ForeScout jimmy.womack@dlt.com Susan Patrick-Britton Sales Manager – Symantec susan.Patrick@dlt.com

04/18/2023 55

Questions?

Proprietary & Confidential

56