ForeScout Technologies - PowerPoint PPT Presentation

Slides: 30
Provided by: ayelets
1
ForeScout Technologies

Ayelet Steinitz, Product Manager
April, 2003
2
The Problem
  • Constant New Threats and Vulnerabilities
  • Current Solutions Not Sufficient
  • Reactive Solutions Incur False Positives
  • Reactive Solutions Miss Unknown Attacks
  • Do not allow for automatic action
  • Inherent Window of Vulnerability
  • High Maintenance and TCO

3
A New Approach to Network Security
4
Knowledge Mandatory Requirement
  • Knowledge is needed 100% of the time
  • Social Engineering
  • Password Snare
  • Networking
  • Public Domain
  • Email Server
  • Web Server
  • Reconnaissance
  • 20 types
  • Precedes Majority of Attacks

6
Typical Attack Process
[Diagram labels: Attacker, Internet, Router, Firewall, Enterprise]
Most network attacks are preceded by reconnaissance activity to determine available services and network resources.
7
Typical Attack Process
[Diagram labels: Attacker, Internet, Router, Firewall, Enterprise]
The network sends information about available hosts and services in response to the reconnaissance.
8
Typical Attack Process
[Diagram labels: Attacker, Internet, Router, Firewall, Enterprise]
With this information, the attacker utilizes existing or new exploits to break into the network.
9
ActiveScout Intrusion Prevention
[Diagram labels: Scout, Site Manager, Attacker, Internet, Router, Firewall, Enterprise]
ActiveScout identifies all reconnaissance used by a potential attacker.
10
ActiveScout Intrusion Prevention
[Diagram labels: Scout, Site Manager, Attacker, Internet, Router, Firewall, Enterprise]
ActiveScout watches the network's response, and sends its own unique information to the potential attacker. This unique information, or mark, is not distinguishable from the network's legitimate response.
11
ActiveScout Intrusion Prevention
[Diagram labels: Scout, Site Manager, Attacker, Internet, Router, Firewall, Enterprise]
When the attacker uses the mark to launch an exploit, ActiveScout accurately identifies it and can actively block the attacker.
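The mark mechanism described on slides 9-11, as an added Python sketch that is not ForeScout's code and not part of the original deck. It assumes marks are decoy host/port pairs and that observed events arrive already labelled as "probe" or "connect"; the Scout class, the addresses and the event list are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed inventory: the only services this site really exposes.
REAL_SERVICES = {("203.0.113.10", 80), ("203.0.113.20", 25)}


@dataclass
class Scout:
    """Toy model of the mark technique (hypothetical, not ForeScout code)."""
    marks: dict = field(default_factory=dict)   # decoy (ip, port) -> recon source
    blocked: set = field(default_factory=set)   # sources caught using a mark

    def handle(self, kind, src, dst_ip, dst_port):
        target = (dst_ip, dst_port)
        if src in self.blocked:
            return "drop"
        if kind == "probe":
            if target in REAL_SERVICES:
                return "pass"        # the real service answers for itself
            # Nonexistent target: reply with a decoy, remember the source.
            self.marks.setdefault(target, src)
            return "mark"
        if target in self.marks:
            # No legitimate client was ever told about a mark, so using one
            # is an attack, whatever address it now comes from.
            self.blocked.add(src)
            return "block"
        return "pass"


def replay(events):
    """Run events through a fresh Scout; return (actions, scout)."""
    scout = Scout()
    return [scout.handle(*e) for e in events], scout


# Constructed traffic using documentation address ranges.
EVENTS = [
    ("probe", "198.51.100.7", "203.0.113.10", 80),    # scan finds real web server
    ("probe", "198.51.100.7", "203.0.113.30", 21),    # scan hits unused address
    ("connect", "192.0.2.44", "203.0.113.10", 80),    # ordinary visitor
    ("connect", "192.0.2.44", "203.0.113.99", 80),    # mistyped, never marked
    ("connect", "198.51.100.9", "203.0.113.30", 21),  # mark used from new address
    ("connect", "198.51.100.9", "203.0.113.10", 80),  # blocked source retries
]

if __name__ == "__main__":
    for event, action in zip(EVENTS, replay(EVENTS)[0]):
        print(f"{action:5} {event}")
```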
12
Growing Risk of Unknown Attacks
Vulnerability increase of 5000% from 1995 to 2001
Source: CERT Coordination Center (2002: Q1 thru Q3 only)
[Chart: New Vulnerabilities]
89% of corporations successfully attacked had firewalls, 60% had Legacy IDSes.
Source: CSI/FBI 2002 Report
13
The ActiveScout Difference
[Diagram: four numbered differences]
  • Blocks Unknown Attacks
  • 100% Accurate (no false positives, confidence to block)
  • Minimal Cost Of Prevention
  • Instantaneous Prevention
15
Time to Prevention Without ActiveScout
[Timeline chart of New Vulnerabilities over Time; labels: New vulnerabilities (hundreds/month), Exploit is known to security community, Protection available]
16
Instantaneous Prevention With ActiveScout
[Timeline chart of New Vulnerabilities over Time; labels: New vulnerabilities (hundreds/month), Exploit is known to security community, Protection available]
17
State of Security Today
Intranet Security: Myriad of security products (HIDS, NIDS, anti-virus)
[Diagram labels: Internet, Intranet Security]
18
State of Security Today
Firewall: Provides robust static prevention according to predefined policies
Intranet Security: Myriad of security products (HIDS, NIDS, anti-virus)
[Diagram labels: Internet, Firewall, Intranet Security]
19
Instantaneous Prevention
ActiveScout: Prevents intrusions from known and unknown threats in front of the firewall
Firewall: Provides robust static prevention according to predefined policies
Intranet Security: Myriad of security products (HIDS, NIDS, anti-virus)
[Diagram labels: Internet, ActiveScout, Firewall, Intranet Security]
21
ActiveScout Minimal Cost of Prevention
[Chart labels: Legacy Systems, ActiveScout, Action]
22
The ActiveScout Difference
[Three comparison panels, each contrasting Conventional Systems with ActiveScout: False Alarm Rate, Time to Prevention, Cost of Prevention. Surviving values: "Days, Months, Years", "30-60", "0", "0"]
23
ForeScout's Intrusion Prevention Solutions
  • ActiveScout Site Solution
      • Precisely identifies and then blocks attackers at a single internet access point with zero false alarms.
  • ActiveScout Enterprise Solution
      • Precisely identifies and then blocks attackers with zero false alarms across a large enterprise.
  • Enterprise Manager
      • Provides centralized management of all Scouts deployed.
  • Enterprise Heads-Up
      • Thwarts the rapid spread of attacks from one internet access point to the next.

24
ActiveScout Site Solution
  • Intrusion Prevention for Each Internet Access Point
[Diagram labels: Scout, Site Manager, Router, Enterprise, Firewall, Internet]
25
ActiveScout Enterprise Solution
  • Protects an entire enterprise
  • Centralized viewing of all attack activity around
    the world
  • Centralized management of groups of Scouts
  • Ability to push new software updates to remote
    Scouts

26
ActiveScout Enterprise Solution
Intrusion Prevention for Multiple Internet Access Points
[Diagram labels: Scout, Site Manager, Scout, Enterprise Manager, Internet, Management Server]
27
Enterprise Heads-Up
  • Enterprise deployments only
  • Immediate sharing of threat information across
    multiple Scouts to assure proactive prevention
    across the enterprise
  • Provides the fastest way to protect from new
    attacks traversing the internet

28
Enterprise Heads-Up
Step 1. Attacker detected by New York Scout
Step 2. Attack information immediately sent to Management Server
Step 3. San Francisco Scout ready to block attacker
[Diagram labels: New York, San Francisco, Management Server]
29
Summary
  • Accurate Identification
  • Zero False Positives
  • Block Known and Unknown Attacks
  • Instantaneous Prevention
  • Minimal Cost of Prevention

30
Ayelet Steinitz, Product Manager, ActiveScout
Tel. (650) 358-5586
asteinitz_at_forescout.com
ForeScout Technologies, Inc.
2755 Campus Drive, Suite 115
San Mateo, CA 94403
(650) 358-5580
www.forescout.com