Symantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec & ForeScout Delivering a Unified Cyber Security Solution (UCSS)
UCSS: A Unified Approach to Managing Cyber Threats
Presenting: Tom Blauvelt (Symantec), Sean Telles (ForeScout), Chris Dullea (ForeScout)
04/18/2023 2
Tying it all together with UCSS
Proprietary & Confidential
The UCSS approach ties together four elements (shown as a diagram on the slide): Proactive Cyber Defenses; Situational Awareness; Organizational Culture; Process Optimization & Automation.
Unified Cyber Security Solution (UCSS) Summary
UCSS is Capable of Providing:
•A comprehensive view into your assets, ensuring appropriate support
•Lower costs through automation and improved security services
•Improved IT service uptime and efficient, effective operations
•Strong Cyber Hygiene for your IT Services
•Risk mitigation and a reduction in time to respond to threats
Three levels of maturity at which UCSS can assist your agency
UCSS Levels of Maturity
•Level One – Move from ad-hoc processing to standardized process and event management
•Level Two – Repeatable task automation with little or no policy-driven automation
•Level Three – Complex process automation, human-driven and policy-driven automation, & continual improvement
1 James A. Lewis, Raising the Bar for Cybersecurity. Washington, DC: CSIS, 2013.
Question: Where is Your Organization in Relation to Evolving from Chaos to Continual Improvement?
Chart: UCSS Proposed Compliance Maturity Levels. The horizontal axis runs from Level 1 to Level 3 (Increased Maturity), the vertical axis shows Secured Services from Low to High, and the progression ends in Continual Improvement. Steps shown on the chart (roughly in order of increasing maturity): Ad-hoc manual response; Non-standard, manual processes; Standardize manual processes; Monitoring and reporting; Improve situational awareness; Eliminate waste in manual processes; Automate simple, repeatable tasks; Deliver simple process automation; Automation technologies; Orchestrate monitoring & automation; Unify automation technologies; Complex process automation; Identify opportunities for improvement; Continual Improvement.
Risk and Threats Everywhere, All the Time
Sources of risk shown on the slide: Cloud; Hackers; Authentication & Encryption; Virtualization; Cyber Threats; Compliance; Remote Offices/Workers; Mobile Devices; Malicious & Well-meaning Users; Social Media; Advanced Persistent Attacks.
What is the Scope of the Problem?
•Every Three Days (on Federal networks):
–Trillions of cyber events
–Billions of potentially defective hardware, software, and account changes
–Millions of attempted attacks at Internet speed
–Thousands of new flaws introduced
–Hundreds of successful attacks
•Every Three Months:
–Over 10,000 successful attacks
–An unknown number of these attacks are repaired
–Terabytes of data are stolen
–Over 7,200 reports are written [2]
–Hundreds of labor hours are wasted
2 Office of Management and Budget, Memorandum 02-01: Guidance for Preparing and Submitting Security Plans of Action and Milestones. Washington, DC: OMB, 2001.
Summary & Timeline of Federal Cyber Breaches continued…
•March 2014 Government Printing Office & Government Accountability Office: –China - Possible reconnaissance or testing of agency defenses
•March 2014 Office of Personnel Management: –China - Background information breach of employees with security clearances
•August 2014 Healthcare.gov: –Unknown – Malware insertion on server using default password for denial of service attack
•October 2014 White House: –Russia - Executive Office of the President’s unclassified network including email
•November 2014 U.S. State Department: –Russia / China - Similar to White House attack via unclassified email compromise
•November 2014 US Postal Service: –China - Agency personnel data compromised affecting nearly 800,000 employees
1. Nextgov.com, The Year of the Breach: 10 Federal Agency Data Breaches in 2014
Summarizing the Growing Threat
•The US Federal Bureau of Investigation (FBI) notified 3,000 companies, including banks, retailers, and defense contractors, that they had been victims of cybersecurity breaches in 2013 [1]
•2013 was the year of the “Mega Breach”; in 2014 the number of breaches increased 23% [2]
•In 2014, 317 million new pieces of malware were released (~1 million per day) [2]
•According to GSN Magazine, 36% of government agencies report they have a skills gap to address today’s challenges [3]
•Many Government Agencies still rely on non-standard processes to perform common support tasks
Trained people along with standardized process alone cannot close the gaps without intelligent, policy-based automation.
1. http://www.washingtonpost.com/world/national-security/2014/03/24/74aff686-aed9-11e3-96dc-d6ea14c099f9_story.html
2. http://www.symantec.com/security_response/publications/threatreport.jsp
3. http://www.gsnmagazine.com/article/40704/bridging_cybersecurity_skills_gap_automation_bluep
Common examples of cyber hygiene that can be automated with UCSS
•Asset Discovery and Classification
–Organizational, Guest, Rogue
•Patch Management Lifecycle
•Vulnerability Management
•Application / Software Whitelisting
•Configuration Management & Compliance Monitoring
•System Staging / Hardening & Deployment
The Critical Importance of Strong Cyber Hygiene
•A recent CSIS report [1] found that promoting Cyber Hygiene stops 85% of cyber attacks by:
–Searching for, finding, fixing, and reporting the worst cyber problems first in near-real time
–75% of the attacks use known vulnerabilities that could be patched
–More than 90% of successful attacks require only the most basic techniques
–96% of successful breaches can be avoided if the victim puts in place simple or intermediate controls.
1 James A. Lewis, Raising the Bar for Cybersecurity. Washington, DC: CSIS, 2013.
Given the stated scope of the problem, people and processes need more than siloed, standalone technologies to combat this epidemic.
Strong Cyber Hygiene Starts with Knowing What Is On Your Network At All Times, So Ask Yourself:
Can I accurately put a number on how many wired & wireless assets are on my network? Assuming you could, would you know how many are:
Not compliant with:
• Antivirus
• Patches
• Software
• Agency Configuration Policies
• Best Practice Standards
Its Trusted State:
• Manageable
• Unmanageable
• Guests
• Unknown
• Misconfigured
• Rogue
Asset Type:
• Windows
• Linux/Unix
• Apple
• Mobile
• Printers
• VoIP
• Networking
• …etc
Now ask yourself: How well can I protect my assets, data, & personnel without a complete picture of what is on my network?
UCSS Reference Architecture
Components shown in the architecture diagram: System / Application / Data / User Control; Process Automation; Patch MGMT; Compliance MGMT; Asset Discovery; Endpoint Protection; Standards; Dashboard & Reporting.
Introducing the Symantec / ForeScout Unified Cyber Security Solution (UCSS)
Diagram: Data Providers and Data Consumers connected through a Protection Layer.
Protection Layer:
• Open, standards-based API
• Web Service (client or server), SQL, LDAP, Syslog, CEF, SNMP, SSH
• Bidirectional integration
Integrated data domains: Endpoints, Network Infrastructure, ITAM/CMDB, Incident, Patch, Antivirus, Compliance, Risk
Configuration Management – CCS Standards Manager
Control Compliance Suite Standards Manager workflow:
1. Define Standards
2. Evaluate Managed/Unmanaged Assets (agent and/or agent-less)
3. Analyze and Fix
Capabilities:
• Automate technical controls assessments
• Identify configuration drift
• Manage exceptions
• Support remediation
• Support for agent-based and agent-less data gathering
• Security Content Automation Protocol (SCAP)
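The define / evaluate / analyze-and-fix workflow above, as an added example written for this page; it is not Control Compliance Suite code and uses no SCAP content. A standard is a list of technical checks, each asset's collected settings are evaluated against it, a check that passed in the previous run and fails now is reported as configuration drift, and approved exceptions are kept out of the remediation queue. The check ids, asset names, settings and the exception are constructed for the example.

```python
"""Standards evaluator with drift detection and exception handling.

Added example; not Control Compliance Suite code and not SCAP content.
Check ids, asset names, settings and the exception are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Check:
    check_id: str
    description: str
    predicate: Callable[[dict], bool]  # True when the setting is compliant


# Constructed standard: three controls a hardening baseline commonly includes.
STANDARD: List[Check] = [
    Check("PWD-001", "Minimum password length is at least 14",
          lambda cfg: cfg.get("min_password_length", 0) >= 14),
    Check("SVC-002", "Telnet service is disabled",
          lambda cfg: "telnet" not in cfg.get("enabled_services", [])),
    Check("AV-003", "Antivirus signatures are no older than 7 days",
          lambda cfg: cfg.get("av_signature_age_days", 999) <= 7),
]


@dataclass
class Result:
    asset: str
    check_id: str
    compliant: bool
    excepted: bool = False  # failed, but covered by an approved exception
    drifted: bool = False   # passed in the baseline run, fails now


def evaluate(assets: Dict[str, dict], standard: List[Check],
             baseline: Optional[Dict[str, Dict[str, bool]]] = None,
             exceptions: Optional[Dict[str, Set[str]]] = None) -> List[Result]:
    """Evaluate every asset against every check in the standard.

    baseline: asset -> {check_id: compliant} from the previous run; a check
    that passed then and fails now is flagged as drift.
    exceptions: asset -> check_ids with an approved, documented exception."""
    baseline = baseline or {}
    exceptions = exceptions or {}
    results: List[Result] = []
    for asset, cfg in assets.items():
        for check in standard:
            ok = bool(check.predicate(cfg))
            previously_ok = baseline.get(asset, {}).get(check.check_id) is True
            results.append(Result(
                asset=asset,
                check_id=check.check_id,
                compliant=ok,
                excepted=(not ok) and check.check_id in exceptions.get(asset, set()),
                drifted=(not ok) and previously_ok,
            ))
    return results


def drift(results: List[Result]) -> List[Tuple[str, str]]:
    """(asset, check_id) pairs that regressed since the baseline run."""
    return [(r.asset, r.check_id) for r in results if r.drifted]


def remediation_queue(results: List[Result]) -> List[Tuple[str, str]]:
    """Failures that still need fixing: non-compliant and not excepted."""
    return [(r.asset, r.check_id) for r in results if not r.compliant and not r.excepted]


def compliance_score(results: List[Result]) -> float:
    """Share of checks that are compliant or excepted, in 0.0..1.0."""
    if not results:
        return 1.0
    return sum(1 for r in results if r.compliant or r.excepted) / len(results)


# Constructed sample: two hosts, last run's results, one approved exception.
ASSETS = {
    "web01": {"min_password_length": 14, "enabled_services": ["ssh", "httpd"],
              "av_signature_age_days": 2},
    "db01": {"min_password_length": 8, "enabled_services": ["ssh", "telnet"],
             "av_signature_age_days": 12},
}
BASELINE = {
    "web01": {"PWD-001": True, "SVC-002": True, "AV-003": True},
    "db01": {"PWD-001": False, "SVC-002": True, "AV-003": True},
}
EXCEPTIONS = {"db01": {"PWD-001"}}  # legacy application; approved by change board

if __name__ == "__main__":
    res = evaluate(ASSETS, STANDARD, BASELINE, EXCEPTIONS)
    print("drift:", drift(res))
    print("to fix:", remediation_queue(res))
    print("score: %.2f" % compliance_score(res))
```

The exception is deliberately separate from the compliance flag: the score and the remediation queue treat an excepted failure as handled, but the result record still says it is non-compliant, so a report can show both the true state and the risk that was accepted.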
Symantec IT Management Suite (ITMS), Powered by Altiris
Client Management: • Provisioning • Inventory • Software management • Patch management • Application virtualization • Remote management • Reporting and analytics
Server Management: • Provisioning • Inventory • Software management • Patch management • VM management • Server monitoring • Reporting and analytics
Asset Management: • Asset tracking • Barcode scanning • Contract management • Compliance • Reporting and analytics
• Create, operate, and maintain an authorized hardware inventory baseline, unique identifiers for hardware, and other properties such as the manager of the hardware.
• Create, operate, and maintain an authorized software inventory, unique identifiers for software, and other properties such as the manager of the software.
Symantec ITMS Provides Full Life-Cycle IT Asset Management
Symantec Endpoint Protection (SEP)
Layered protection to stop mass, targeted and advanced threats (intelligent security technologies):
• Network Threat Protection: Blocks malware before it spreads to your machine and controls traffic
• Advanced Scanning: Blocks suspicious files – even those with no fingerprint – before they can run and steal your data
• Insight (Reputation): Safety ratings for every single software file on the planet, used to block targeted attacks
• SONAR (Behavior Blocking): Blocks software with suspicious behaviors to stop advanced threats
• Symantec Power Eraser: Aggressive SMR technology roots out entrenched infections and kills them in seconds
ForeScout’s Value Proposition: Supporting Continuous Monitoring, Mitigation, & Control
Capabilities shown: Agentless Asset Discovery; Workflow Automation; Access Control; Endpoint Mitigation; Continuous Visibility; Endpoint Authentication & Inspection; Information Integration; Network Enforcement.
Symantec & ForeScout UCSS Value Proposition
1. Visibility
• Discovery and inspection - who, what, where, health
• Managed, unmanaged, corporate, BYOD, rogue
2. Automated Compliance Assessment
• Policy-driven automation of controls & best practices
• Flexible and extensible, assess system compliance
3. Automated Remediation
• OS, applications, configuration, processes etc.
• Improve ROI of existing security agents
4. Interoperable
• Works with your existing IT infrastructure
• Open integration architecture
5. High ROI
• Deliver automated, continual compliance management
• Multi-vendor, designed for endpoint diversity
Symantec and ForeScout UCSS Use Cases
•Use Case #1: Device Discovery for ITMS, CCS, & SEP
•Use Case #2: Identify and Control Rogue Asset
•Use Case #3: SEP Augmentation & Assistance
•Use Case #4: Promoting Cyber Hygiene via Missing Patch & Remediation
Use Case #1: Device Discovery for ITMS, CCS & SEP
Device classes discovered: Networking & Storage; Endpoints & Servers; Wireless & Mobile; Applications & OS.
ForeScout CounterACT Provides Comprehensive Discovery of Connected Devices.
ForeScout CounterACT then feeds Symantec with real-time asset data and information.
Use Case #2: Identify and Control Rogue Asset
Flow shown: a Rogue Device joins the Network → Event: Rogue Device Detected → Rogue Device Quarantined.
Use Case #3: SEP Augmentation & Assistance
Flow shown (two events):
Event: Symantec Agent Stopped → Detect Issue → Restrict Access → Restart Agent → Restore Access.
Event: Unapproved Application Installed → Remove Application.
Use Case #4: Promoting Cyber Hygiene – Detect Missing Patch & Auto-Remediate
Flow shown: Event: High Risk Device Detected on the Network → High Risk Device Quarantined → Event: Apply Missing Patch(es) → Issue Resolved → Device Restored To Production.
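The detect → restrict/quarantine → remediate → restore sequences of Use Cases #2, #3 and #4, as one policy engine. This is an added example written for this page, not ForeScout CounterACT or Symantec code. The endpoint records, policy names, MAC addresses and the three remediation hooks are constructed; a real deployment would move VLANs, push ACLs and restart agents where this code only updates the record and appends to an action log. It also shows the failure mode the slides do not: a device whose patch cannot be applied automatically stays quarantined instead of being restored.

```python
"""Policy-driven NAC remediation flow.

Added example; not ForeScout CounterACT or Symantec code. Endpoint records,
policy names, MACs and remediation hooks are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Endpoint:
    mac: str
    known: bool                  # present in the authorized asset inventory
    agent_running: bool = True   # endpoint protection agent alive
    missing_patches: List[str] = field(default_factory=list)
    unapproved_apps: List[str] = field(default_factory=list)
    state: str = "production"    # production | restricted | quarantine


@dataclass
class Action:
    mac: str
    action: str
    detail: str = ""


# Assumed remediation hooks; each returns True when the fix fully succeeded.
def restart_agent(ep: Endpoint) -> bool:
    ep.agent_running = True
    return True


def apply_patches(ep: Endpoint) -> bool:
    # Constructed rule: patches tagged "-reboot" wait for a maintenance window,
    # so they remain pending and the device must stay isolated.
    ep.missing_patches = [p for p in ep.missing_patches if p.endswith("-reboot")]
    return not ep.missing_patches


def remove_apps(ep: Endpoint) -> bool:
    ep.unapproved_apps.clear()
    return True


def enforce(ep: Endpoint) -> List[Action]:
    """Apply the policies in priority order; return the actions taken."""
    log: List[Action] = []

    # Use Case #2: a device not in inventory is quarantined and stays there
    # until a person classifies it; nothing is remediated automatically.
    if not ep.known:
        ep.state = "quarantine"
        log.append(Action(ep.mac, "quarantine", "rogue device detected"))
        return log

    # Use Case #4: a high-risk (unpatched) device is isolated before patching.
    if ep.missing_patches:
        ep.state = "quarantine"
        log.append(Action(ep.mac, "quarantine",
                          "high risk: missing " + ",".join(ep.missing_patches)))
        if apply_patches(ep):
            log.append(Action(ep.mac, "patch", "missing patches applied"))

    # Use Case #3: stopped agent -> restrict access, then restart the agent.
    if not ep.agent_running:
        if ep.state == "production":
            ep.state = "restricted"
        log.append(Action(ep.mac, "restrict", "endpoint agent stopped"))
        if restart_agent(ep):
            log.append(Action(ep.mac, "restart_agent"))

    # Use Case #3, second flow: unapproved software is removed in place.
    if ep.unapproved_apps:
        log.append(Action(ep.mac, "remove_app", ",".join(ep.unapproved_apps)))
        remove_apps(ep)

    # Restore network access only once every policy is satisfied again.
    healthy = ep.agent_running and not ep.missing_patches and not ep.unapproved_apps
    if ep.state != "production" and healthy:
        ep.state = "production"
        log.append(Action(ep.mac, "restore", "all policies satisfied"))
    return log


def run(fleet: List[Endpoint]) -> Dict[str, List[str]]:
    """Enforce policy on a fleet; map MAC -> ordered action names."""
    return {ep.mac: [a.action for a in enforce(ep)] for ep in fleet}


def sample_fleet() -> List[Endpoint]:
    """Constructed fleet, one endpoint per scenario (MACs are made up)."""
    return [
        Endpoint("00:11:22:aa:bb:01", known=False),
        Endpoint("00:11:22:aa:bb:02", known=True, agent_running=False),
        Endpoint("00:11:22:aa:bb:03", known=True, missing_patches=["PATCH-1001"]),
        Endpoint("00:11:22:aa:bb:04", known=True, missing_patches=["PATCH-1002-reboot"]),
        Endpoint("00:11:22:aa:bb:05", known=True, unapproved_apps=["torrent-client"]),
    ]


if __name__ == "__main__":
    fleet = sample_fleet()
    for mac, actions in run(fleet).items():
        print(mac, "->", actions)
    print({ep.mac: ep.state for ep in fleet})
```

The ordering matters: isolation happens before any remediation is attempted, and the restore step is a single gate at the end rather than being attached to each fix, so a device with two problems is not released when only one of them has been corrected.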
Automating Common Security and Compliance Remediation Processes
Section 2 Summary: Automated Remediation
Automating the management of the known threat
Features & Benefits Include:
•Automate management of cyber hygiene
•Allow operations teams to automate the simple and focus on the new and complex
•Ensure compliant security configurations are maintained at all times
•Mitigate known threats through strong, automated cyber hygiene management
•Improved IT service efficiency and effectiveness
•Greatly reduce the number of successful attacks
•Reduce cost of operations
•Refocus staff on innovation vs operations
Symantec Product Summary
Symantec Endpoint Protection (SEP): •Intrusion Prevention •Browser protection •Traditional AV •Reputation •Behavioral detection •Advanced removal
Control Compliance Suite (CCS) Standards Manager: • Automate technical controls assessments • Identify configuration drift • Manage exceptions • Support remediation • Support for agent-based and agent-less data gathering
IT Management Suite (ITMS): •CMDB •Asset discovery •Hardware & software inventory •Software package deployment and install •Patch inventory and deployment •Remote management
What do Hackers Target on Systems?
SDCS: Server Advanced
Targets shown: Registry; Config Files; Portable Storage Devices; Applications; Operating System; Memory.
Corresponding SDCS:SA controls: Enforce Registry Integrity; Enforce File Integrity; Enforce Memory Protection; Enforce network controls; Enforce device controls; Enforce application activity.
Extending Coverage to Broader Platforms
SDCS:SA platform coverage: Linux / Unix servers; Thin clients; Point of sale / Payment processors; Kiosks / ATMs; SCADA systems; Medical devices.
Black Hat 2014
Unpatched data center protected by DCS:SA remained hack-proof for the third time!
•Setup – “Mini Data Center” – Windows 2000, 2003 server, RHEL, CentOS, XP and Windows 7 desktops and a NetBackup Appliance
–Point of Sale software running on the desktops connecting to servers for processing transactions
–DCS:SA firewall intentionally left open
–Other common misconfigurations (unpatched, passwords in files, etc.)
•Goal – “capture the flag” (gain access and steal data) on systems to win prizes
•Players – ~40 simultaneously, with members including industry professionals
•Attacks – variety of techniques employed including:
–Brute force password attempts (averaging 400 password login attempts per minute throughout the conference)
–Metasploit-driven attacks
–Attempts to shut down DCS:SA services
•Results – DCS:SA protected the systems yet again this year - $5,000 prize left unclaimed
ForeScout’s Value Proposition: Augmenting & Automating Compliance Management Addressing 5 Key Compliance Gaps
Compliance GAP → CounterACT Capabilities
GAP #1: Difficulties persist in detecting every device connecting to classified and unclassified networks within a timely manner. This impacts all compliance efforts as compliance tools cannot completely protect their environment.
→ CounterACT delivers real-time, agent-less discovery of devices connected to networks through direct integration with the network infrastructure.
GAP #2: Difficulties persist with automated classification of non-traditional IP-enabled devices connecting to classified and unclassified networks. This gap heavily impacts configuration and compliance management.
→ CounterACT delivers a mechanism to classify non-standard IP-enabled devices connected to classified and unclassified networks through active and passive fingerprinting.
GAP #3: Significant difficulties persist in identifying non-manageable devices connected to classified and unclassified networks as authorized or unauthorized. These unmanaged devices provide the beachhead for adversaries to launch attacks and expand their control.
→ CounterACT identifies Government Furnished Equipment (GFE) devices, authorized guest devices, and rogue devices at the network level. Additionally, CounterACT delivers a mechanism to invoke or restore manageability of unmanaged GFE, BYOD, or authorized guest devices.
GAP #4: Significant difficulties persist in removing unauthorized or non-compliant devices from classified and unclassified networks.
→ CounterACT provides a mechanism to revoke access or restore manageability of unmanaged GFE, BYOD, or authorized guest devices.
GAP #5: Difficulties persist in ensuring that all required software components are persistently present and operational on all internal devices.
→ CounterACT provides a mechanism to identify and remediate missing or malfunctioning software components on GFE devices without requiring a client.
Symantec & ForeScout UCSS Value Proposition
UCSS is Capable of Providing:
•Faster detection time of threats and defects
–Vulnerabilities
–Mis-Configurations
–Unauthorized hardware / software
•Automated or semi-automated threat response
–Identification of control point failure
–Alerting and/or auto-deployment
•Customization to meet unique environments and specific use cases
Symantec and ForeScout UCSS Use Cases
•Use Case #5: Automating Hardening & Remediation
•Use Case #6: Automated Unknown Vulnerability 0-day Scanning & Protection
•Use Case #7: Provisioning a Hardened System
Use Case #5: Automating Hardening & Remediation
Flow shown: CCS scans hosts to identify issues → Event: Symantec ITMS Hardens / Remediates; Event: ForeScout CounterACT Hardens / Remediates.
Use Case #6a: Automated Unknown Vulnerability 0-day Scanning & Protection
Flow shown: 0-Day Vulnerability Identified → Security Scan Initiated (Third Party Vulnerability Scanner) → Event: ForeScout Quarantines Devices → Symantec DCS:SA enables threat protection → Event: ForeScout Restores Connection.
Use Case #7: Application Whitelisting
Flow shown: Harmful Application Installed → Event: Unauthorized Application Detected → System Quarantined & Cleaned → Event: Clean System Returned to Production.
Proactive security through behavioral analysis and control: Proactive Prevention
Section 3: Proactive Security Through Behavioral Analysis and Control
Intelligence Driven Security provides a new level of defense against unknown and advanced persistent threats:
•A proactive approach to securing against new threats, married with traditional signature-based controls, ensures a complete level of protection against known and unknown threats.
•Features include:
–Protect IT services from known and unknown threats
–Advanced reputation and behavioral monitoring
–Behavioral security control and management
–Leverage intelligent data streams for automated action based on anomalies in system behavior
Common examples of UCSS Proactive Defense
•Systems with stale updates can be patched immediately or on demand
•Predictive analysis of possible attacks (i.e. reconnaissance detection) with preventative support
•Proactive prevention against known malicious entities, which the UCSS solution protects against
•Proactive detection of possible malicious entities to prevent a possible future event
•Proactive user and system anomaly risk monitoring and alerting
Symantec Data Loss Prevention | TRENDS
• 64% of data loss caused by well-meaning insiders
• 50% of employees leave with data
• $3.5 million average cost of a breach
• Legal and compliance penalties
• A corporate black eye
Symantec Advantage | HIGHEST DETECTION ACCURACY
• Described Content Matching – DESCRIBED DATA: Non-indexable data; Lexicons; Data Identifiers
• Exact Data Matching – STRUCTURED DATA / CUSTOMER DATA: Customer / Employee / Pricing; Partial row matching; Near perfect accuracy
• Indexed Document Matching – UNSTRUCTURED DATA / IP: Designs / Source / Financials; Derivative match; Near perfect accuracy
• Vector Machine Learning – UNSTRUCTURED DATA / IP: Designs / Source / Financials; Derivative match; Very High Accuracy
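Two of the detection techniques in the table, in miniature, as an added example written for this page; it is not Symantec DLP code. Described Content Matching is shown as a data identifier (a pattern plus a validator, here the Luhn check for payment card numbers) and a lexicon. Exact Data Matching is shown as an index of hashed cells from a structured source that fires when at least k cells of one indexed row appear in a message (partial row matching), so the sensitive rows themselves never leave the indexing step. The customer rows, lexicon, messages, card numbers and the k threshold are constructed.

```python
"""Described Content Matching and Exact Data Matching in miniature.

Added example; not Symantec DLP code. Rows, lexicon, messages and the
min_cells threshold are constructed."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit validation; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def described_content_match(text: str, lexicon: Set[str]) -> Dict[str, List[str]]:
    """Data identifier hits (validated card numbers) plus lexicon hits."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards.append(digits)
    lowered = text.lower()
    return {"card_number": cards,
            "lexicon": sorted(term for term in lexicon if term in lowered)}


def _cell_hash(cell: str) -> str:
    """Normalise whitespace and case, then hash; only hashes are stored."""
    normalized = re.sub(r"\s+", " ", cell.strip().lower())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def build_edm_index(rows: List[Tuple[str, ...]]) -> Dict[str, Set[int]]:
    """Map hashed cell -> ids of the rows containing it."""
    index: Dict[str, Set[int]] = {}
    for row_id, row in enumerate(rows):
        for cell in row:
            index.setdefault(_cell_hash(cell), set()).add(row_id)
    return index


def exact_data_match(text: str, index: Dict[str, Set[int]],
                     n_rows: int, min_cells: int) -> List[int]:
    """Row ids for which at least min_cells distinct cells occur in text.

    Candidate cells are single tokens and adjacent token pairs, so a two-word
    value such as a first and last name is tested as one cell."""
    tokens = [t for t in re.split(r"[,\s;|]+", text) if t]
    candidates = set(tokens)
    candidates.update(a + " " + b for a, b in zip(tokens, tokens[1:]))
    hits_per_row = [0] * n_rows
    for cell_hash in {_cell_hash(c) for c in candidates}:
        for row_id in index.get(cell_hash, ()):
            hits_per_row[row_id] += 1
    return [row_id for row_id, n in enumerate(hits_per_row) if n >= min_cells]


# Constructed sample data.
LEXICON = {"confidential", "internal only"}
CUSTOMER_ROWS = [
    ("Jane Doe", "123-45-6789", "555-0100"),
    ("John Roe", "987-65-4321", "555-0199"),
]
EDM_INDEX = build_edm_index(CUSTOMER_ROWS)

if __name__ == "__main__":
    msg = "Card 4111 1111 1111 1111 is marked Confidential; 1234 5678 9012 3456 is a placeholder"
    print(described_content_match(msg, LEXICON))
    for m in ("Please update Jane Doe, SSN 123-45-6789, before Friday",
              "Lunch with Jane Doe on Friday"):
        print(m, "->", exact_data_match(m, EDM_INDEX, len(CUSTOMER_ROWS), min_cells=2))
```

The two messages at the end show why partial row matching needs a threshold: a name alone appears in ordinary mail, so with min_cells=2 only the message that also carries a second cell of the same record is flagged.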
Symantec DLP | CONTROL POINTS (Unified Management)
• Network: Email, Web, FTP, IM
• Endpoint: USB, Hard Drives, Removable Storage, Network Shares, Print/Fax, Cloud & Web Apps
• Storage: File Servers, Exchange, Lotus, SharePoint, Databases, Web Servers
• Cloud & Mobile: Office 365, iOS, Android
Data Insight | UNKNOWNS OF UNSTRUCTURED DATA
Drivers: Explosive growth in volume of information created; Rapid increase in security risks and compliance regulations; Growing urgency to gain control of costs and risks.
Questions posed on the slide: Where is the data stored? How is the data being used? What is the value of the data? What data is out there? Who owns the data? Who has access to data?
Symantec Intelligence | UNIQUE VISIBILITY
DeepSight | PORTAL, DATA FEED & INTELLIGENCE
• Understand, prevent and respond to current and emerging cyber threats
• Create informed countermeasures for current and future threats
• Obtain timely insight into current vulnerabilities and threats and prioritize resources
• Reduce the time and effort for SOC and IR teams to investigate incidents and vulnerabilities and improve efficiency
• Gain situational awareness to drive security decisions and manage risk
Symantec Data Center Security
Symantec Data Center Security: Server Advanced (Detection + Prevention)
FEATURES: Policy based protection; System lock down; Application Whitelisting; Privilege de-escalation; Exploit/malware prevention; Remediation automation; Compliance enforcement; Real-time file integrity monitoring; User Monitoring; Broad OS and platform coverage
VALUE: Complete protection across physical and virtual servers; High performance and reduced downtime; Lower cost management and administration
ForeScout’s Value Proposition: Automating Compliance Monitoring & Remediation
ForeScout Compliance Monitoring & Control Including:
• Network Communications
• Virus Signature Version
• 3rd Party Agent Health
• System Configuration
• System Patch Level
• Illegal Software Removal
• Integrated Zero Day Removal
ForeScout’s Value Proposition: Mapping Policy to System Communication via CounterACT Virtual Firewall
ForeScout CounterACT Maps Expected Function to Policy Control
Symantec and ForeScout UCSS Use Case
•Use Case #1: Crown Jewel Identification & Protection
Use Case #1: Crown Jewel Identification & Protection
Diagram shown: a Web Server and a Data Base Server; each Illegal Action against them is blocked (Block).
Use Case #2 White Board
•Three control points – Web Gateway, Endpoint, Email
•Infuse intelligence into them; a control point could be an email system, spam content system, IDS / IPS, or host-based security tool.
•Take the events occurring at each control point and send the telemetry into an analytics layer (SIEM / Splunk / etc.)
•The analytics tool uses the intel-infused telemetry to make decisions on known, unknown, and emerging threats
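The white-board flow above, and the Syslog/CEF integration path listed under the Protection Layer earlier in the deck, as one added example written for this page; it is not Symantec, ForeScout or Splunk code. CEF events over syslog from three control points (web gateway, mail gateway, endpoint agent) are parsed into one record shape, enriched against an indicator list, and fed to two analytics: an intel-hit rule and a sliding-window rate rule for failed logons of the kind the Black Hat slide describes. The vendor and product names, CEF lines, indicator list, window and threshold are all constructed, and the parser ignores CEF escape sequences for brevity.

```python
"""Control-point telemetry into an analytics layer.

Added example; not Symantec, ForeScout or Splunk code. Product names, CEF
lines, the indicator list, window and threshold are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed indicator list (TEST-NET-3 address, never routable).
INTEL_BAD_IPS = {"203.0.113.7"}

CEF_HEADER_FIELDS = ["cef_version", "vendor", "product", "version", "sig_id", "name", "severity"]
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> Optional[Dict[str, str]]:
    """Parse 'CEF:0|Vendor|Product|Ver|SigID|Name|Severity|k=v k=v'; None if not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = line[start:].split("|", 7)
    if len(parts) < 8:
        return None
    event = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    event.update(CEF_EXT_RE.findall(parts[7]))
    return event


def normalize(line: str) -> Optional[dict]:
    """Common record shape for every control point, with intel enrichment."""
    ev = parse_cef(line)
    if ev is None:
        return None
    rt = ev.get("rt")  # CEF receipt time as epoch milliseconds
    ts = datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc) if rt else None
    src, dst = ev.get("src"), ev.get("dst")
    indicator = next((ip for ip in (src, dst) if ip in INTEL_BAD_IPS), None)
    return {"source": ev["product"], "name": ev["name"], "ts": ts,
            "src_ip": src, "dst_ip": dst, "user": ev.get("suser"),
            "outcome": ev.get("outcome"), "indicator": indicator}


def brute_force_sources(events: List[dict], window_s: int = 60, threshold: int = 5) -> List[str]:
    """Source IPs with >= threshold failed logons inside any window_s-second window."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure" and e["src_ip"] and e["ts"]:
            failures[e["src_ip"]].append(e["ts"])
    flagged = []
    for ip, times in failures.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(ip)
                break
    return flagged


def analyze(lines: List[str]) -> dict:
    """Run both analytics over raw syslog lines from all control points."""
    events = [e for e in map(normalize, lines) if e is not None]
    return {
        "event_count": len(events),
        "intel_hits": [(e["source"], e["indicator"]) for e in events if e["indicator"]],
        "brute_force": brute_force_sources(events),
    }


# Constructed telemetry: ExampleCo products, epoch-millisecond rt values.
SAMPLE_LINES = (
    ["<134>Apr 8 12:00:00 gw CEF:0|ExampleCo|WebGateway|1.0|100|Outbound connection blocked|5|"
     "src=10.0.0.5 dst=203.0.113.7 rt=1397000000000",
     "<134>Apr 8 12:00:01 mx CEF:0|ExampleCo|MailGateway|1.0|200|Inbound message quarantined|4|"
     "src=203.0.113.7 suser=bob rt=1397000001000"]
    + ["<134>Apr 8 12:00:%02d ep CEF:0|ExampleCo|EndpointAgent|1.0|300|Logon failed|3|"
       "src=198.51.100.23 suser=admin outcome=failure rt=%d" % (k * 10, 1397000000000 + k * 10000)
       for k in range(6)]
    + ["<134>Apr 8 12:05:00 ep CEF:0|ExampleCo|EndpointAgent|1.0|301|Logon succeeded|1|"
       "src=10.0.0.9 suser=alice outcome=success rt=1397000300000",
       "Apr 8 12:05:01 ep sshd[123]: plain syslog line, not CEF, dropped by the parser"]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

Normalising first is what makes the analytics layer vendor-neutral: the rate rule only needs `src_ip`, `outcome` and `ts`, so telemetry from any control point that can emit those fields can feed it, and the intel enrichment is done once at ingest rather than inside each rule.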
Unified Cyber Security Solution (UCSS) Summary
UCSS is Capable of Providing:
•Protection against known and unknown threats
•Proactive defenses against an evolving landscape
•Reduced outage or interruption risk due to preventative measures
•Fewer problems and incidents, improving service function and value
•Improved IT service value through consistent performance
Contacts
Symantec
Name | Title | Email
Rob Potter | Vice President Public Sector & Healthcare | [email protected]
Kunkle | Sr. Director Sales, Department of Defense | [email protected]
Nash | Sr. Manager, Federal Civilian | [email protected]
Swainston | Director, Business Development | [email protected]
Durbin | Compliance Practice Manager | [email protected]
Tom Blauvelt | Technical Architect, Security/Compliance | [email protected]
ForeScout
Name | Title | Email
Niels Jensen | VP – Federal Area & SIs | [email protected]
Sann | RVP & Fed CTO | [email protected]
Archer | Director, Americas Channels | [email protected]
Fortunato | Director - SIs, Programs & Channels | [email protected]
Sean Telles | Federal Solutions Architect | [email protected]
Boone | Federal Bus Dev. Manager | [email protected]
Maccherola | Federal Bus Dev. Rep | [email protected]
DLT
Name | Title | Email
Jimmy Womack | Sales Manager - ForeScout | [email protected]
Susan Patrick-Britton | Sales Manager – Symantec | [email protected]
Questions?