ForeScout Technologies Inc.

1
ForeScout Technologies Inc.
Frontline Defense against Network Attack Tim
Riley, Forescout
2
ActiveScout Solution

• ActiveScout solution provides
• Preemptive identification of potential attackers
• Accurate identification of potential attackers to
  reduce false positives to zero
• Automatic action to block attackers in real time
• Minimal installation and daily operational costs

3
Evolution of Perimeter Protection
Firewall Provides robust staticsecurity
according to predefined policies
4
Evolution of Perimeter Protection

IDSSends alerts when attack is recognized and
already through the firewall
5
Evolution of Perimeter Protection Frontline
Network Defense
ActiveScoutProvides accuratedetection and
blockage of known and unknownattacks before
they reach the network
6
Typical Attack Process without ActiveScout
Port Scan launched
Internet
Firewall
The majority of network attacks are preceded by
reconnaissance activity. In this example, a port
scan is used. These recon techniques seldom
change.
IDS
Enterprise
7
Typical Attack Process without ActiveScout
Network responds with legitimate,
available services
Internet
IDS
Firewall
The network sends information about hosts and
services in response to the recon. This
information may be used to subsequently exploit
the network.
Enterprise
8
Typical Attack Process without ActiveScout
Internet
IDS
Firewall
Utilizing the network information received, the
attacker uses existing or new exploits to attack
network hosts and services and effectively
breaks into the network.
Enterprise
9
ActiveScout Frontline Network Defense
ActiveScout Console
ActiveScout
Internet
Firewall
The attacker uses reconnaissance techniques, a
port scan in this example, to discover
potentially vulnerable network resources.
IDS
Enterprise
10
ActiveScoutFrontline Network Defense
ActiveScout Console
ActiveScout
ActiveScout respondswith virtual services
Network responds withavailable services
IDS
Firewall
ActiveScout identifies recon activity and watches
for the network to respond. It then generates
marked traffic that is sent back to the potential
attacker. This traffic is not distinguishable
from legitimate network traffic.
Enterprise
11
ActiveScoutFrontline Network Defense
ActiveScout Console
ActiveScout
IDS
Firewall
When the attacker next uses the marked
information to launch an exploit, ActiveScout
with ActiveResponse technology then identifies
the marked traffic. The attack is accurately
identified and optionally blocked by ActiveScout
or the firewall if desired.
Enterprise
12
ActiveResponse Technology

• Patented technology that
• Identifies all reconnaissance activity
• Replies to the recon attempt with an
  authentic-looking response, created on the fly
  and registered within ActiveScout
• Identifies potential attacks based on this
  marked information and optionally blocks them,
  regardless of attack method
• Result Accurately identifies attackers and then
  prevents them from implementing new and/or
  existing attacks against the network.

13
ActiveScout Solution

• Distinguishes real attacks from the noise
• Scarce security resources are focused on the real
  crises and do not waste time on false positives
• Identifies low and slow attacks
• Provides Closed Loop Perimeter Protection
• After identifying an attacker ActiveScout can
  optionally
• Automatically block attackers
• Have the firewall automatically block
• Update all ActiveScouts when an attacker has been
  identified to provide automatic perimeter
  lockdown

14
ActiveScout Management

• At-a-glance attack situation display
• Map identifies attacker location
• Shows both current historical data for trend
  analysis
• Generates historical management reports
• Enterprise Console consolidates information from
  multiple ActiveScouts

15
Summary

• The ActiveScout solution utilizes patented
  ActiveResponse technology to provide Frontline
  Network Defense that
• Eliminates false positives
• Prevents Unkown attacks
• Reduces OpEx through automation
• Provides Enterprise wide protection