Transcript Slide 1

Considerations To Secure Enterprise Mobility / BYOD
Scott Gordon (CISSP-ISSMP)
Vice President – ForeScout Technologies
March, 2013
© 2013 ForeScout Technologies, Page 1
About ForeScout
ForeScout is the leading global provider of real-time network security solutions for Global 2000 enterprises and government organizations.
At a Glance
• Founded in 2000 — HQ in Cupertino, CA
• Real-time visibility and control
• Dominant independent vendor of Network Access Control (NAC): #2 market share, behind Cisco
• BYOD, endpoint compliance and cloud fueling growth
Innovative Technologies
• Leader ranking by Gartner*, Forrester** and Frost & Sullivan***…
Global Deployments
• Financial, healthcare, education, manufacturing and government…
• Enterprise implementations (> 250k endpoints)
*Magic Quadrant for Network Access Control, December 2012, Gartner Inc.
**Forrester Wave Network Access Control, Q2-2011, Forrester Research
***Analysis of the NAC Market, February 2012, Frost & Sullivan
Framing Enterprise Mobility and IT Consumerization / BYOD
Enterprise mobility is the use of wireless, mobile and consumer devices, as well as mobile and cloud-based applications, to enable access to corporate resources.
A Bring Your Own Device (BYOD) strategy is the extent to which an IT organization prohibits, tolerates, supports or embraces the use of personal mobile devices at work, together with the controls used to enforce that policy.
Challenge
• Proliferation of mobile devices on corporate networks impacts security
• Consumers are setting the rules for personal and mobile device and application use
• IT teams need visibility and control across user, device, application, data and network
Risks
• Data loss
– Lost phone or laptop
– Unauthorized access
– Compromised system
– Unknown data protection
• Malware
– Phishing, access, mobile/app
• Compliance
– Rogue devices, unauthorized apps, inconsistent policy
Market Research – Mobile Security Product Requirements
Generally, virtually all respondents rate all of these MDM features as being “important” or “essential” (90% or higher). Essential features of “network access control” and “unified policy management” are unavailable from MDM solutions.
[Chart: importance ratings for Network Access Control, Security Posture, Security Management, Software Management, Unified Policy Management, Inventory Management]
Boston Research Group, ForeScout Sponsored Mobile Security Study, 2012
Framework: Securing BYOD Implementation
1. Form a committee
2. Gather data
3. Identify use cases
4. Formulate policies
– Which corporate applications?
– Which users?
– How will data be secured?
– Who will be responsible for BYOD support?
– What happens if the device is lost or stolen?
– How will the endpoint device be updated?
– Acceptable use policies?
5. Decide how to enforce policies
– Network controls?
– Device controls?
– Data controls?
– App controls?
6. Build a project plan
– Device enrollment
– Remote device management?
– Cloud storage?
– Wipe devices when employees are terminated?
7. Evaluate solutions
– Ease of implementation?
– Cost?
– Security?
– Usability?
8. Implement solutions
– Network controls?
– Device controls?
– Data controls?
– App controls?
Enterprise Mobility Control Characteristics
NAC is Fundamental to Secure BYOD/CYOD
APPROACH / CHARACTERISTICS
Block all personal devices
• Very secure!
• Career limiting…
Manage all personal devices (MDM)
• Good security at the device level
• Phones/tablets… not Win & Macs
• Separate management console
Restrict the data (VDI)
• Strong data protection
• Varying user experience
• Not for the road warrior
Control apps (MEAM, MAW)
• Secure the app and data
• Must be used with other controls
Control the network (NAC)
• Foundational, simple, real-time coverage
• Network-centric visibility and control
CounterACT: Continuous Monitoring & Remediation
Proven Platform for Real-time Visibility and Automated Control
[Platform diagram: Complete Visibility – device discovery and profiling (HW/SW, user, location, …); Multi-factor, Complete, Clientless Interrogation; Continuous Monitoring; Endpoint Authenticate & Inspect; System Integration – SIEM, MDM, Identity, HBSS; Remediation and Enforcement – natively or with 3rd-party integration; Port-based Enforcement (with or without 802.1x)]
CounterACT: Continuous Monitoring & Remediation
Real-time Network Asset Intelligence: See, Grant, Fix, Protect
[Diagram: Sales User and Guest endpoints accessing Web, Email, CRM]
Policy-based Controls
• Device type, owner, login, location
• Grant access, register guests
• Applications, security profile
• Limit or deny access
Automated Enforcement
• Remediate OS, configuration, security agents
• Start/stop applications, disable peripherals
• Block worms, zero-day attacks, unwanted apps
• Phased-in, manual or fully automated
What is Mobile Device Management
The Essentials
• Device enrollment
• OTA configuration
• Security policy management
• Real-time reporting
• Remote lock, wipe, selective wipe
• Self-service portal
• Enterprise App portal
Advanced Management
• Email access controls
• Application management
• Document management
• Certificate management
• Profile lock-down
• Corporate directory integration
• Geo sensing
• PII Protection
[Diagram: Device Enrollment, Acceptable Use; MDM Actions; Corp App Storefront; Event-based Security & Compliance]
NAC+MDM Synergies: 1+1=3
Unify visibility, compliance and access control
NAC focus is network; MDM focus is mobile device

Capability       | MDM Alone                   | NAC Alone                       | NAC+MDM
Visibility       | Full info on managed only   | Basic OS info on all devices    | Complete
Access Control   | For managed and email only  | Partial (missing endpoint info) | Complete
Deployment       | Pre-reg agent               | Network-based, automated        | Complete
Enforcement      | Polling rate                | On network access               | Complete
Network control  | No                          | Yes                             | Complete
Root detection   | On profile check            | On network access               | Complete
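The table's point is that NAC acts at the moment of network access while MDM only knows what its last poll returned. The following is an added illustration, not ForeScout or CounterACT code: a hypothetical policy function that merges NAC-side facts (MAC, OS fingerprint, login) with MDM-side posture (enrollment, root state, compliance, last check-in) and picks grant, guest registration, limit or deny. All field names, the 4-hour staleness threshold and the sample endpoints are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Hypothetical record merging NAC discovery data with the MDM's posture report.
@dataclass
class Endpoint:
    mac: str
    os_family: str                 # NAC fingerprint: "iOS", "Android", "Windows", ...
    user: Optional[str]            # login/directory match, None if unknown
    mdm_enrolled: bool = False
    mdm_rooted: Optional[bool] = None      # None: MDM has no record of this device
    mdm_compliant: Optional[bool] = None
    mdm_last_checkin: Optional[datetime] = None

MOBILE_OS = {"iOS", "Android"}
STALE = timedelta(hours=4)   # constructed threshold for "MDM posture is too old to trust"

def decide(ep: Endpoint, now: datetime) -> Tuple[str, str]:
    """Unified NAC+MDM decision at network-access time: (action, reason)."""
    if ep.os_family not in MOBILE_OS:
        # Not a BYOD mobile device: fall back to the corporate endpoint policy.
        return ("grant" if ep.user else "limit", "non-mobile endpoint; corporate policy applies")
    if not ep.mdm_enrolled:
        # NAC sees the device even though MDM has no record of it (the MDM-alone blind spot).
        return ("register_guest", "unenrolled personal device; guest network and enrollment portal")
    if ep.mdm_rooted:
        # Root detection is acted on now, not at the next MDM profile check.
        return ("deny", "rooted/jailbroken device")
    if ep.mdm_last_checkin is None or now - ep.mdm_last_checkin > STALE:
        return ("limit", "MDM posture stale; restrict until MDM re-checks the device")
    if not ep.mdm_compliant:
        return ("limit", "non-compliant per MDM; restrict and trigger remediation")
    return ("grant", "enrolled, compliant, recent posture")

# Constructed sample population for the demo.
NOW = datetime(2013, 3, 1, 9, 0)
SAMPLE = [
    Endpoint("aa:bb:cc:00:00:01", "iOS", "alice", True, False, True, NOW - timedelta(minutes=30)),
    Endpoint("aa:bb:cc:00:00:02", "Android", None),
    Endpoint("aa:bb:cc:00:00:03", "Android", "bob", True, True, False, NOW - timedelta(minutes=5)),
    Endpoint("aa:bb:cc:00:00:04", "iOS", "carol", True, False, True, NOW - timedelta(days=2)),
    Endpoint("aa:bb:cc:00:00:05", "Windows", "dave"),
]

def evaluate_all(now: datetime = NOW) -> dict:
    """Map each MAC to its action; the reason string is what would be forwarded to a SIEM."""
    return {ep.mac: decide(ep, now)[0] for ep in SAMPLE}
```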
ForeScout CounterACT
[Product screenshot]
Unified Visibility and Control
Security operators gain greater visibility and control
[Product screenshot]
ForeScout CounterACT Advantages
• Easy to use and deploy with low TCO
– Hybrid 802.1X/agentless approach; works within existing/legacy environment
– Easy, centralized administration; high availability, scalable, non-disruptive
• Real-time situational awareness
– All users, devices, applications; infrastructure agnostic
– Wired, wireless, managed, rogue, VMs, PC, mobile, embedded
• Flexible, integrated mobile security
– Value of NAC with MDM device security
– ForeScout: broadest integration with leading MDM vendors
• Rapid results and time-to-value
– Extensible templates and controls with robust SIEM, HBSS, CMDB, MDM and directory integration
Thank You
*This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
** The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
***Frost & Sullivan chart from 2012 market study “Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth”, base year 2011, n=20