.png)
Creating a balanced cybersecurity profile in a landscape of constant threats
Originally featured in Forbes. Written by Dan Woods, with contribution from ForeScout’s Mike DeCesare.
Over the past six months, I’ve written extensively about the need for enterprises to create a balanced cybersecurity profile to succeed in today’s landscape of constant threats and ever adapting hackers. Throughout the series of articles on individual security solutions and cybersecurity in general, I’ve emphasized that companies must find the right fit for their needs when attempting to create a cybersecurity budget. That budget should be predicated on protecting the most vital aspects of the organization, while also recognizing that no company can be completely secure. Threats can and will get in.
I’ve created a framework that itemizes the five key capabilities companies need to address within their portfolio: 1) identifying threats, 2) protecting yourself from them, 3) detecting them when they do get in (and they will), 4) responding to them, and 5) recovering from them.
Because no company has unlimited financial or engineering resources, each company must make difficult but necessary choices about how to spread cybersecurity spend across these categories. I’ve likened this to creating an investment strategy in a financial portfolio. To decide what is most important for the individual business, companies can use the NIST framework for cybersecurity, which offers five steps to getting to the right solution: 1) determine your needs; 2) allocate spending according to risk; 3) design your portfolio; 4) choose the right products; and 5) rebalance as needed.
For this piece, I had the chance to speak with ForeScout’s CEO and President Michael DeCesare. He offered unique insight into how ForeScout fits into a cybersecurity portfolio by providing companies the visibility they need, offering quality information about where their networks are vulnerable.
You Can’t Fight What You Can’t See
ForeScout’s fundamental value proposition is that it gives companies to visibility into their networks that they don’t have now.
In today’s enterprises, the number of different devices connecting to a company’s network has exploded. Most of those devices are not company owned. Employees use their own laptops, phones, and tablets. Further, the Internet of Things (IoT) means that there are huge numbers of agentless devices connected to your network at any given time.
Companies don’t want to limit their computing infrastructure by preventing these devices from connecting, but they also have to make sure they’re not exposing themselves to threats. This raises questions:
– How do you know what’s connecting to your network and that these devices are safe?
– If they’re not, what do you do about it?
ForeScout is acutely aware of this problem. “In the past, the devices that were coming onto a company’s network were substantially owned by that company—servers, Windows laptops. Now, that dynamic has completely changed,” DeCesare said. “Now, CIOs and CISOs have to go from controlling what comes into their environment to allowing everything into their environment. Every CIO worldwide is now sitting down and grappling with the concept of the exploding volume and diversity of devices onto their network. They cannot apply the same traditional approach to securing machines that they used in the era where everything was company owned and controlled.”
That’s what ForeScout seeks to address. ForeScout was founded in 2000 as a company focused on intrusion prevention. But in 2010, the company pivoted to its current work, which centers on improving visibility. The company currently works with 2400 businesses in 60 countries. It is able to detect what’s going on with any device linked to your network, assess the hygiene of that device, and then give companies the ability to control the access that device has within their network. ForeScout does this in a way that automates as much of the process as possible.
“We give companies a security posture through a visibility mechanism that they don’t already have,” DeCesare said. “We’re seeing an explosion of devices, both physically and virtually, across the enterprise, and the enterprise is not able to keep up with that. It raises compliance and security challenges as more people are able to get into the network. Our three key value propositions are that we can show companies what’s connected continuously, give them control over what those devices can do or not do, and then have the ability to orchestrate what you already know with other technologies so that companies can be smarter.”
This type of visibility is crucial in today’s security landscape, because, according to DeCesare, most companies are not aware that many of the devices on their networks even exist.
“The main thing our customers are realizing is that they’ve got a massive and growing visibility gap inside their enterprises,” DeCesare added. “And if you can’t see it, you can’t secure it. So when we talk about the visibility we give companies, we talk about every single device connected to the network. That is our definition. It doesn’t matter if it’s a device that can or can’t consume an agent. And this matters because with most companies, we’re finding 30% or more raw connections on their network that they didn’t know they had. We’ve seen that number spike as high as 60 to 65%. And this is true for companies of all levels of technical sophistication. Obviously, it’s not difficult to see that if you don’t know something’s on your network, you’re not trying very hard to make sure it isn’t doing something bad.”
How ForeScout Works
What I find interesting about ForeScout’s approach is that it’s turning over the conventional way companies have handled device security. Instead of trying to have top-down control and make sure every device that comes online was secure before it gained access, ForeScout embeds within a company’s network and then judges whether the devices that are already there are operating properly.
DeCesare likened ForeScout to a nervous system for cybersecurity. “Instead of asking the endpoint for information about itself, we ask the network,” he said. “Our technology installs on a company’s network. We install directly down into the switches and the routers. We install inside the firewall. Basically we install this integrated nervous system in place on all of those different devices that make up a company network. We’re interrogating all the traffic that’s coming off those devices, and our secret sauce is that we translate that in real time into a dashboard that shows in business terms what’s on your network. You have 54,218 Windows machines that are patched correctly. You’ve got another 5,000 Windows machines that aren’t properly patched. You’ve got 1,000 security cameras, 1,000 of this, 1,000 of that. If a device is supposed to have five products on it, we make sure those five products are running correctly before that device is allowed on the network. If it’s not, the company can go from the most benign or passive approach of, ‘Hey, just notify the SOC that something that is out of compliance,’ or we can actually force that device to download required patches and software before it’s allowed on the network. Organizations get to decide that.”
DeCesare emphasized how valuable ForeScout’s customers find this visibility. “The core IP of the company has always been around how do I get as much information or context about something, a device, either physical or virtual, without actually putting software on it,” he said. “We’re able to construct a single view of all your devices, those that you know you own versus those that are not managed by you, and create a framework that says, okay, I have discovered them, I’ve classified them and now I want to assess whether those devices should or should not have the appropriate access. And based on the operating system, based on what we know about those types of devices, we’re able to make those assessments. So it’s a three stage process: discover, classify, and assess.”
This type of visibility is especially important today when threats can come from so many places. DeCesare pointed to the example of the Mirai botnet threat. “Nobody thought twice about security cameras being on their network for the last few years. All of a sudden, the Dyn attack happens. The forensics that have come out on that attack reveal that it’s the Mirai botnet, and that this botnet no longer uses Windows devices. This botnet has moved over to a different platform, security cameras, and all of a sudden companies worldwide are scrambling, saying ‘What do we do about our security cameras?’ You have to know these devices are on your network and be ready to protect them when needed,” he said.
How ForeScout Fits Into Your Larger Cybersecurity Portfolio
Given the visibility ForeScout offers businesses, I think DeCesare’s comparison to a nervous system for cybersecurity is apt. You need a macro-level, continuous view of how everything is connecting to your network to be able to make sound decisions about what threats are coming in and how you are going to respond to them. In essence, ForeScout makes your other cybersecurity investments perform better by providing them with more actionable data.
I don’t want to give the impression that ForeScout only offers visibility; it also gives companies the ability to exert controls when a problem is detected. DeCesare said the control operates on a continuum, offering companies a range of responses, from the ability to start small, and put a device on a less privileged subnet, to taking it off the network entirely and quarantining it. This is important because to avoid impeding the work of your company, you can’t respond to every potential threat as if it’s a full-on nuclear attack. You have to be able to exert discretion.
With ForeScout, companies take what they learn from their more fully realized visibility, and institute policies that make the organization more secure. For instance, to return to the example of the security cameras, if a camera suddenly tried to start reaching an external Internet address, the company could be alerted and immediately shut it down.
As DeCesare told me, “Think of it this way – you walk into a club and some guy checks your ID, but then once you’re inside the club, they have no idea where you are anymore. That’s a one-time check. That’s different from the way we operate. We have cameras inside the club, and we know where you are at all times. The second that you try to do something bad, we go into action. That continuous part is a really big deal here, because otherwise it’s all reactive. When something happens, we try to go figure out if we are affected by it, and that realtime view at all times for every device that’s on the network allows us, when something goes wrong, to act immediately. We call it agentless, heterogeneous, and continuous. Those are the three characteristics that make visibility work for an organization.”
ForeScout is thus augmenting all of your current cybersecurity capabilities and the products you’re using to address those threats. In a subsequent article, I’ll describe how ForeScout’s ability to integrate with other security technologies could be a model for how cybersecurity as a whole is conducted in the future.
ForeScout provides enterprise class, pervasive network security. To read more about ForeScout, click here. Dan Woods helps users (CITO Research)find the right technology and vendors (Evolved Media) explain their wares. Dan’s Client List.
