<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SMSAM SYSTEMS LTD .::. BLOG</title>
	<atom:link href="http://smsamic.net/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://smsamic.net/blog</link>
	<description>Exclusive IT Security Resources</description>
	<lastBuildDate>Wed, 14 Mar 2012 19:22:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Email Encryption: Securing end to end communication in your Organization!</title>
		<link>http://smsamic.net/blog/?p=34</link>
		<comments>http://smsamic.net/blog/?p=34#comments</comments>
		<pubDate>Mon, 20 Feb 2012 14:07:35 +0000</pubDate>
		<dc:creator>sms</dc:creator>
				<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://smsamic.net/blog/?p=34</guid>
		<description><![CDATA[&#160; Do organizations need an e-mail encryption solution? Yes, in almost all cases. Why? Every day, your organization exchanges sensitive, private, and regulated data with others via e-mail. Without encryption, this data is free and clear, all over the public Internet. Given this, one would assume that many organizations are regularly deploying e-mail encryption solutions [...]]]></description>
			<content:encoded><![CDATA[
<p>Do organizations need an e-mail encryption solution? Yes, in almost all cases. Why? Every day, your organization exchanges sensitive, private, and regulated data with others via e-mail. Without encryption, this data is free and clear, all over the public Internet. Given this, one would assume that many organizations are regularly deploying e-mail encryption solutions and negotiating encryption policies and processes with business partners. Unfortunately, this isn’t the case: today’s e-mail encryption solutions remain complex, so omnipresent e-mail encryption is next to impossible.</p>
<p>Currently, e-mail encryption is a bit of a paradox. Organizations understand and want privacy, but e-mail encryption technology is too complex for mass usage. Fortunately, things are changing. In this article, we’ll briefly discuss the fundamental features of e-mail encryption solutions:</p>
<ol>
<li>Hassles inherent in first-generation e-mail encryption solutions (embedded with PKI infrastructures).</li>
<li>Flexibility, ease of use and relatively affordable cost associated with next-generation solutions (IBE: Identity-Based Encryption).</li>
</ol>
<p><strong>E-mail Encryption: The Good, the Bad, and the Ugly:</strong> In spite of increasing investment in information security technology, publicly-disclosed data breaches continue unabated. There have been a total of 2,650 data breach incidents reported over the last five years (source: datalossdb.org). In 2009 alone, data breach incidents occurred at large public and private organizations like Heartland Payment Systems, the Federal Reserve Bank of New York, the Internal Revenue Service, and Aetna. According to the Privacy Rights Clearinghouse, the total number of records containing sensitive personal information exposed in data breach incidents exceeds 350 million (source: privacyrights.org).</p>
<p>All of these data breaches, along with general concern about data security, have driven numerous international, federal, state, and industry regulations aimed at protecting private records. In the United States, data privacy is now guided by federal regulations such as HIPAA and GLBA, international industry mandates like PCI DSS, and state regulations like Nevada NRS 590.970 and Massachusetts 210 CMR 17. Over the past few years, many countries’ security/privacy regulations have become increasingly stringent, mandating that personal records must be encrypted at all times (i.e., data at rest and data in motion).</p>
<p>Of course, data security/privacy and associated regulations are nothing new. It would be safe to assume that most large organizations have already deployed safeguards like e-mail encryption for regulatory compliance and general best practices for data security. Unfortunately, this assumption is <strong>untrue</strong>. Many continue to circumvent e-mail encryption technology entirely or deploy and use the technology on a limited basis.</p>
<p>Why would any organization blatantly avoid an obvious solution like e-mail encryption?  Fundamentally, the reason to use encryption is to protect data so that only a specific person (for example, jona@jonathan.com) or a machine (for example, www.jonathan.com) can access it. However, until now, encryption techniques have relied on long, randomly generated keys that must be mapped to identities using digitally-signed documents, called <strong>certificates</strong>. The management of these certificates, and the need to fetch a certificate before encrypting to a person or machine, has made encryption very difficult.</p>
<p><strong>Issues with First Generation Email Encryption Offerings</strong>: These e-mail encryption technologies carry some negative baggage, as they can:</p>
<p><strong>1- Interrupt business processes. </strong>Since sensitive data often moves between organizations via e-mail, encryption means developing cross-organizational solutions. This can involve integrating multiple heterogeneous systems, creating a federated key management network, and training disparate users with varying skill sets. Planning alone can take months. Many avoid these intra-organizational efforts by implementing encryption in small pockets on an as-needed basis (“islands of email encryption”). Yes, this leads to interoperability headaches, but when it comes to e-mail encryption, CIOs often see this as the lesser of two evils.</p>
<p><strong>2- Carry a high cost. </strong>E-mail encryption solutions bring fairly extensive costs to purchase and implement. As previously stated, many products require a complete Public Key Infrastructure (PKI) that can involve multiple internal and web-facing servers, additional storage for encrypted e-mails, and numerous software licenses. Deploying these solutions can also be time consuming and complex, requiring the acquisition of new skills. In researching this topic, SMSAM and its partners found numerous organizations claiming that the hardware, software, and implementation cost of their e-mail encryption solutions exceeded budget estimates by up to 30% while deployment projects languished weeks or months behind schedule.</p>
<p><strong>3- Require costly and specialized operations and support. </strong>Once installed, PKI-based e-mail encryption solutions require constant care and feeding for activities like help desk support, registering users, rotating user certificates, and maintaining certificate revocation lists. Large organizations estimate that this effort can consume about 40% of a full-time IT employee’s time.</p>
<p>Ultimately, all of these challenges lead to numerous and ongoing problems. Employees either don’t know which e-mails to encrypt or don’t know how to use their encryption software. To receive encrypted e-mails, external users are forced to create accounts and then view e-mails in an unfamiliar format. Meanwhile, IT administrators make mistakes like exposing the system’s master key or mis-configuring a firewall, denying access to external users. Given this mess, it is not hard to understand why many organizations are reluctant to embrace e-mail encryption beyond a minimal commitment.</p>
<p><strong>A Potential Breakthrough: Identity-based E-mail Encryption: </strong>E-mail encryption problems have not gone unnoticed by the security industry. Many vendors claim they can avoid the problems described above by eliminating client-side requirements and addressing e-mail encryption with a gateway appliance. These appliances encrypt e-mails based upon pre-defined rules—when an e-mail contains electronic Patient Health Information (ePHI), social security numbers, or credit card numbers, gateway appliances filter packets, discover private data, and encrypt the e-mails accordingly.</p>
<p>Gateway appliances address some of the complexities described above, but do they provide comprehensive protection? Not really. As corporate governance becomes increasingly rigorous, many organizations now require e-mail encryption for internal communications between trusted users and groups. Since gateways generally sit at the network perimeter, appliances will be blind to this traffic without major, and usually illogical, changes to the network configuration. Furthermore, future regulations may mandate that e-mails containing sensitive data must be encrypted on an end-to-end basis from sender to receiver. Once again, gateway solutions alone aren’t enough.</p>
<p style="text-align: left;"><strong>Identity-based encryption (IBE) is an attractive alternative. </strong>Key management doesn’t have to be this complex anymore. New solutions based upon IBE eradicate the need for digital certificates by calculating key values based upon identity characteristics like a recipient’s e-mail address. This can deliver the benefits of PKI without security researchers and PhDs to manage it. Identity-Based Encryption (IBE) takes a completely new approach to the problem of encryption. IBE can use any arbitrary string as a public key, enabling data to be protected without the need for certificates. Protection is provided by a key server that controls the mapping of identities to decryption keys.</p>
<p><strong>How Identity-Based Encryption (IBE) Works: </strong>Identity-Based Encryption (IBE) dramatically simplifies the process of securing sensitive communications. For example, the following diagram illustrates how <strong>Obj</strong> would send a secure email to <strong>Jona</strong> using IBE:</p>
<p><a href="http://smsamic.net/blog/wp-content/uploads/2012/02/jona.jpg"><img title="jona" src="http://smsamic.net/blog/wp-content/uploads/2012/02/jona.jpg" alt="" width="325" height="215" /></a></p>
<p>Step 1: <strong>Obj</strong> encrypts the email using <strong>Jona’s</strong> e-mail address, &#8220;jona@j.com&#8221;, as the public key.</p>
<p>Step 2: When <strong>Jona</strong> receives the message, he contacts the key server. The key server contacts a directory or other external authentication source to authenticate <strong>Jona’s</strong> identity and establish any other policy elements.</p>
<p>Step 3: After authenticating <strong>Jona</strong>, the key server then returns his private key, with which <strong>Jona</strong> can decrypt the message. This private key can be used to decrypt all future messages received by <strong>Jona</strong>.</p>
<p>Note that private keys need to be generated only once, upon initial receipt of an encrypted message. All subsequent communications corresponding to the same public key can be decrypted using the same private key, even if the user is offline. Also, because the public key is generated using only Jona&#8217;s email address, Jona does not need to have downloaded any software before <strong>Obj</strong> can send him a secure message!</p>
<p>The power of IBE is in its simplicity. By using well-known identifiers, such as email addresses, as public keys, IBE enables security policies to be encoded directly into encryption and authentication methods, eliminating the need for cumbersome certificates and Certification Authorities. See the difference yourself:</p>
<p>The following is an RSA public key. A certificate is required to bind this key to an identity (i.e. to state that this key belongs to jona@j.com).</p>
<p>Public exponent:</p>
<p><strong>0x10001</strong></p>
<p><strong>Modulus:</strong></p>
<p><strong>13506641086599522334960321627880596993888147560566702752448514</strong></p>
<p><strong>38515265106048595338339402871505719094417982072821644715513736</strong></p>
<p><strong>80419703964191743046496589274256239341020864383202110372958725</strong></p>
<p><strong>76235850964311056407350150818751067659462920556368552947521350</strong></p>
<p><strong>0852879416377328533906109750544334999811150056977236890927563</strong></p>
<p>In contrast, this is an IBE public key. No certificate is required because the key is the identity.</p>
<p><strong>Name = jona@j.com</strong></p>
<p>By eliminating the need for certificates, IBE removes the hurdles of PKI: certificate lookup, lifecycle management, Certificate Revocation Lists, and cross-certification issues. IBE&#8217;s simplicity enables it to be used in ways PKI could not; IBE can be used to build security systems that are more dynamic, lightweight and scalable.</p>
]]></content:encoded>
			<wfw:commentRss>http://smsamic.net/blog/?feed=rss2&#038;p=34</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Exclusive Videos- Demonstrating ForeScout NAC Functionalities.</title>
		<link>http://smsamic.net/blog/?p=31</link>
		<comments>http://smsamic.net/blog/?p=31#comments</comments>
		<pubDate>Tue, 17 Jan 2012 13:55:32 +0000</pubDate>
		<dc:creator>sms</dc:creator>
				<category><![CDATA[NAC]]></category>

		<guid isPermaLink="false">http://smsamic.net/blog/?p=31</guid>
		<description><![CDATA[Visibility http://www.forescout.com/solutions/visibility.html This video shows how ForeScout CounterACT lets you see every aspect of your network in real-time – who, what and where.  See switches, endpoints, operating systems, software, processes, peripheral devices, printers, handheld devices, vulnerabilities, and more. Track changes. Create reports. Guest Networking http://www.forescout.com/solutions/guest_networking.html This video shows how ForeScout CounterACT lets you enforce network [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>Visibility</strong></p>
<ul>
<li><a href="http://www.forescout.com/solutions/visibility.html">http://www.forescout.com/solutions/visibility.html</a></li>
<li>This video shows how ForeScout CounterACT lets you see every aspect of your network in real-time – who, what and where.  See switches, endpoints, operating systems, software, processes, peripheral devices, printers, handheld devices, vulnerabilities, and more. Track changes. Create reports.</li>
</ul>
<p><strong>Guest Networking</strong></p>
<ul>
<li><a href="http://www.forescout.com/solutions/guest_networking.html">http://www.forescout.com/solutions/guest_networking.html</a></li>
<li>This video shows how ForeScout CounterACT lets you enforce network access policy. Automatically grant full network access to employees, limited access to contractors, and Internet-only access to guests. The video also shows how the guest registration process appears to an end-user.</li>
</ul>
<p><strong>Compliance </strong></p>
<ul>
<li><a href="http://www.forescout.com/solutions/endpointcompliance.html">http://www.forescout.com/solutions/endpointcompliance.html</a></li>
<li>This video shows how ForeScout CounterACT can automatically monitor your network for the most common compliance policies: personal firewall, antivirus, Windows updates, and unauthorized applications such as peer-to-peer and instant messaging. View the compliance dashboard. Create reports.</li>
</ul>
<p><strong>Remediation</strong></p>
<ul>
<li><a href="http://www.forescout.com/solutions/endpointcompliance.html">http://www.forescout.com/solutions/endpointcompliance.html</a></li>
<li>This video shows how ForeScout CounterACT can automatically remediate OS and application vulnerabilities on your network PCs. Set up a policy that enforces and remediates security problems associated with personal firewall, antivirus, Windows updates, peer-to-peer applications, and instant messaging. The video also shows how an enforcement action (killing an application) might look to an end-user.</li>
</ul>
<p><strong>Mobile Security</strong></p>
<ul>
<li><span style="text-decoration: underline;"><a href="http://www.forescout.com/solutions/mobilesecurity.html">http://www.forescout.com/solutions/mobilesecurity.html</a></span></li>
<li>This video shows how you can create a security policy within ForeScout CounterACT which detects handheld devices and allows different levels of network access depending on whether the device is an approved corporate device. The video also shows how ForeScout’s guest registration process would appear to an iPad user.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://smsamic.net/blog/?feed=rss2&#038;p=31</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Does ForeScout Technologies Offer?</title>
		<link>http://smsamic.net/blog/?p=26</link>
		<comments>http://smsamic.net/blog/?p=26#comments</comments>
		<pubDate>Tue, 17 Jan 2012 13:21:20 +0000</pubDate>
		<dc:creator>sms</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[NAC]]></category>

		<guid isPermaLink="false">http://smsamic.net/blog/?p=26</guid>
		<description><![CDATA[On our IT Security /NAC blog today- I’m here to describe the security solutions that ForeScout Technologies provides, so that you can decide if and how your organization might benefit from them.   INTRODUCTION. ForeScout enables its customers to unleash the full power of their network through enterprise-class security and control. ForeScout’s automated solutions for [...]]]></description>
			<content:encoded><![CDATA[<p>On our IT Security/NAC blog today, I’m here to describe the security solutions that ForeScout Technologies provides, so that you can decide if and how your organization might benefit from them.</p>
<p><strong>INTRODUCTION.</strong></p>
<p>ForeScout enables its customers to unleash the full power of their network through enterprise-class security and control. ForeScout’s automated solutions for <strong>network access control, mobile security,</strong> <strong>threat prevention</strong> and <strong>endpoint compliance</strong> empower organizations to gain access agility while preempting risks and eliminating remediation costs.</p>
<p>Because ForeScout security solutions are easy to deploy, unobtrusive, intelligent and scalable, they have been chosen by over <strong>1,000</strong> of the world’s most secure enterprises and military installations for global deployments spanning 37 countries. Headquartered in Cupertino, California, ForeScout delivers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com</p>
<p><strong>THE CHALLENGE.</strong></p>
<p>I’m going to make a bold statement here, but it is one that I feel comfortable saying because of our experience working with hundreds of customers. Our customers tell us that their current IT management tools leave them with gaps in visibility. They do not show you <strong><span style="text-decoration: underline;">everything</span></strong> that is on your network. And they do not show you <strong><span style="text-decoration: underline;">every person</span></strong> that is on your network. And they do not show you (accurately) the <strong><span style="text-decoration: underline;">security posture</span></strong> of your network.</p>
<p>Think about your current corporate IT assets. You can divide them into three buckets: <strong>Endpoints, Network Devices, </strong>and <strong>Applications</strong>.  All of these are things that your organization has bought. You own them.</p>
<p>You probably have some tools to manage these corporate assets and keep them secure. You might have a desktop management system, you probably have an antivirus system, you probably have deployed encryption agents or DLP to your endpoint systems.</p>
<p>What our customers have told us time and time again after they have deployed our product is that they have found that their existing agent-based security systems have blind spots.</p>
<p>As a result of these blind spots, some endpoints are not as secure as you think they are. Our customers – and we think they are fairly representative of the market as a whole – have discovered that each security agent they have deployed actually has some sort of problem on between 10% and 15% of the endpoint devices. The agent might not be installed. The agent might not be running properly. The agent might have out-of-date security signatures.</p>
<p>The typical enterprise has several desktop agents. So now consider that each of these desktop agents will have some failure rate, say 10% or 15%, but it won’t always be on the same PC.</p>
<p>Microsoft helped quantify the problem inside their own network. In 2007 they deployed a product similar to the product that ForeScout offers, and when they deployed it they found that over 50% of their endpoint computers were non-compliant with Microsoft’s security policies! Now this is just the tip of the iceberg.</p>
<p>The reality is that there are many non-corporate assets on your network.  Employees bring personal laptops, contractors bring their own systems. You’ve got iPhones and iPads. And, there might be some non-employees on your network.  Visitors attending meetings in conference rooms might be plugging their laptops into a wall jack, or connecting to a wireless network. Contractors working in an office cube might be plugging into your network.</p>
<p>Employees have been known to bring rogue network devices and try to connect them to the network.  They are trying to “help themselves”, working around the IT organization, solving connectivity problems in what they consider an expedient fashion.</p>
<p>Now, think about applications.  Do you have any security policies against running certain types of applications?  Like instant messaging or Skype?  Password reminder applications?  Remote access applications?  Of course you have policies against many of these applications, but you know that your employees are going to want to run them.</p>
<p>This effect has been called the “consumerization of IT”, and it has been getting attention in the press and with industry experts such as Gartner. In fact, at Gartner’s recent Security and Risk Management Summit, Gartner analysts claimed that this is one of the top three challenges that enterprises need to find a solution for.</p>
<p>Unless you have a special product that can show you <strong>everything</strong> on your network, you’ve probably only got visibility into one-third of what is there. The rest of your network, you have no visibility into. As a result, you have gaps in protection.  You can only protect what you know about.</p>
<p>But <strong>ForeScout</strong> brings you complete visibility!</p>
]]></content:encoded>
			<wfw:commentRss>http://smsamic.net/blog/?feed=rss2&#038;p=26</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Enterprise Security Intelligence (ESI)</title>
		<link>http://smsamic.net/blog/?p=24</link>
		<comments>http://smsamic.net/blog/?p=24#comments</comments>
		<pubDate>Tue, 17 Jan 2012 13:13:24 +0000</pubDate>
		<dc:creator>sms</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[SIEM & Log Management]]></category>

		<guid isPermaLink="false">http://smsamic.net/blog/?p=24</guid>
		<description><![CDATA[This week, it is our privilege here  at SMSAM SYSTEMS LTD to share with you and your entire team-  an amazingly deep and highly  informative resources on the subject of Enterprise Security Intelligence (ESI).  It&#8217;s not enough to set up a strong firewall and watch who or what is coming or going. You must have [...]]]></description>
			<content:encoded><![CDATA[<p>This week, it is our privilege here at <strong><a href="http://www.smsamic.net/">SMSAM SYSTEMS LTD</a></strong> to share with you and your entire team an amazingly deep and highly informative set of resources on the subject of <strong>Enterprise Security Intelligence</strong> (ESI). It&#8217;s not enough to set up a strong firewall and watch who or what is coming or going. You must have total <strong>visibility</strong> into what is happening across your enterprise and beyond as cloud services become operational. Traditional security measures are not enough. Gartner says you need <strong>Enterprise Security Intelligence</strong>. Enterprise Security Intelligence puts security solutions in the context of today&#8217;s post-perimeter world to your business, geography, vertical and your unique IT infrastructure, be it physical, virtual, cloud, or hybrid.</p>
<p>With the idea of a cashless economy being proposed by the CBN and the attendant regulatory compliance issues to be thrown up at some point, it’s expedient for your organization to explore robust ways of reducing its total cost of ownership (TCO) while at the same time achieving an acceptable Return on your Security Investment (RoSI). The rise in online banking fraud is costing banks customers, claims a Ponemon Institute/Guardian Analytics study that finds 55 percent of businesses were victims of fraud in the last 12 months and 40 percent of small and medium businesses change banks after a fraud incident. <strong><em>Can you afford to lose a larger % of your commercial customer base?</em></strong></p>
<p>As insider thefts like the WikiLeaks, Sony, Nasdaq, Epsilon, Citigroup and other high-profile organizations’ debacles grow in magnitude, cyber attacks proliferate, advanced persistent threats persist, and targeted attacks increase, our approach to securing the enterprise must evolve.</p>
<p>But what exactly does <strong>Enterprise Security Intelligence</strong> entail and how can your vendor partner make it work for you?</p>
<p>In this <strong>EXCLUSIVE WEBCAST</strong>, leading experts from Gartner (<strong>Joseph Feiman</strong>, VP &amp; Fellow, and <strong>Mark Nicolett</strong>, VP Distinguished Analyst), together with <strong>Brendan Hannigan</strong>, President &amp; COO, <a href="http://www.q1labs.com/">Q1 Labs</a>, explore how your enterprise can leverage security intelligence. They&#8217;ll look at how security intelligence addresses compliance, growing cyber attacks and insider threats, and why your strategy must look at the entire security intelligence lifecycle, before, during and after exploits.</p>
<p>The above webcast is a <strong>MUST</strong> for any organization desirous of staying ahead of its game (for <strong>compliance</strong> and <strong>in-depth security</strong>) while ensuring its eternal absence from the infamous league of enterprises (as stated above) in the headlines, albeit for the wrong and damaging reasons!</p>
<p>For a practical and comprehensive understanding of the concept of ESI as discussed in the above webcast, we’ve carefully selected an array of equally exclusive videos from <a href="http://www.q1labs.com/">Q1 Labs</a> with corresponding product demonstrations. I’ll recommend you view these resources as itemized below:</p>
<p>1-     In-Depth Overview of Q1 Labs’ flagship products: <strong>Risk Manager</strong>, <strong>Log Manager</strong> and <strong>SIEM</strong> solution. Download this exclusive webcast <a href="http://www.4shared.com/video/b5CJWK6c/Exclusive-_Q1Labs_Product_Demo.html">here</a>.</p>
<p>2-      <strong>The Ultimate Guide to Log Management</strong>- Both network and security professionals agree &#8211; a log management solution is no longer optional. It&#8217;s now a required tool in their arsenal. Unfortunately, many of their log management projects have failed because the solution they chose was unable to support the size and scope of the deployment and/or effectively deliver useful results. Log management has also emerged as a required part of an organization&#8217;s ability to deliver security best practices and meet specific auditing and reporting requirements of various government regulations, including the Payment Card Industry Data Security Standard (PCI DSS), amongst many regulations. In conjunction with the above overview <a href="http://www.4shared.com/video/b5CJWK6c/Exclusive-_Q1Labs_Product_Demo.html">video</a>, download this <a href="http://www.4shared.com/video/eUM4l7CP/Exclusive-_Q1Labs_The-Ultimate.html">webcast</a> for more information on the best-in-class log management offered by Q1 Labs.</p>
<p>3-      <strong><a href="http://q1labs.com/resource-center/media-center/details.aspx?id=43">How Integrated Network Security Management Helps Detect Fraudulent Activity</a></strong>-An emerging challenge facing network security teams is deciding on what technologies to put in place to better detect fraudulent network activities. Although there is no single solution that can provide complete protection against fraudulent activity, a converged network security management framework can significantly improve the detection of security incidents where a user is fraudulently using another network, system, or application for their own personal gain. Download this <a href="http://www.4shared.com/video/3W5tjMYy/Exclusive_How-Integrated-Netwo.html">Webcast</a> for more information.</p>
<p>4-      <strong>Keys to Preventing Fraud</strong>- Is your network security team struggling with which technologies to deploy to better detect and mitigate threats? No single solution can guarantee complete protection against fraudulent activity. But experts agree a converged network security framework can significantly improve the odds in your favor. Download this <a href="http://www.4shared.com/video/M1RVtHAl/Keys-to-Preventing-Network-Fra.html">webcast</a> for more information.</p>
<p>5-     <strong><a href="http://q1labs.com/resource-center/media-center/details.aspx?id=101">Managing Global Threats with Security Intelligence from QRadar</a></strong>- As organizations across EMEA (<strong>Europe, Middle East &amp; Africa</strong>) face tighter requirements around privacy and compliance, they also face a mounting challenge in countering advanced threats. The accuracy of identifying threats becomes essential to effectively mitigate against offenses as security teams migrate from legacy approaches to a security intelligence model. Learn from RotoFrank AG how QRadar reduced the time spent managing security events by 80% and increased the accuracy of threat detection across their network. Download this <a href="http://www.4shared.com/video/hg0hpMFA/Case_Study-_Managing-Global-Th.html">webcast</a> to share in the experience of RotoFrank.</p>
<p>6-      <strong><a href="http://q1labs.com/resource-center/media-center/details.aspx?id=40">Stranded by Cisco? There&#8217;s an alternative to MARS</a></strong>- Cisco MARS has ceased expansion of support for third-party devices. Now what? If you are currently using or are considering deploying Cisco MARS – or have a predominantly Cisco environment and you are beginning a search for security intelligence/monitoring – this <a href="http://www.4shared.com/video/l-eSnK35/Upgrading_From_CSMARS_to_Q1Lab.html">Webcast</a> is for you.</p>
<p>As always, we at <strong><a href="http://www.smsamic.net/">SMSAM SYSTEMS LTD</a></strong> are excitedly looking forward to your feedback, questions and comments. Apart from visiting us at <a href="http://www.smsamic.net">www.smsamic.net</a>, you can also visit our <a href="http://www.4shared.com/folder/uTQfmOGc/_online.html">Resource Center</a>, where you’ll find equally exclusive and helpful up-to-date resources on Enterprise IT Security.</p>
]]></content:encoded>
			<wfw:commentRss>http://smsamic.net/blog/?feed=rss2&#038;p=24</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Really is DLP?</title>
		<link>http://smsamic.net/blog/?p=22</link>
		<comments>http://smsamic.net/blog/?p=22#comments</comments>
		<pubDate>Tue, 17 Jan 2012 13:09:18 +0000</pubDate>
		<dc:creator>sms</dc:creator>
				<category><![CDATA[Content Security]]></category>

		<guid isPermaLink="false">http://smsamic.net/blog/?p=22</guid>
		<description><![CDATA[&#160; This piece was written specifically to clear up some of the confusion regarding DATA LEAK PREVENTION, DLP. I’ll therefore crave your indulgence to thoroughly peruse its contents. Most network security products (IPS/IDS) focus on keeping the bad guys &#8212; Trojans, viruses and hackers &#8212; outside of the network, but data loss prevention (DLP) keeps the good stuff [...]]]></description>
			<content:encoded><![CDATA[<p>&nbsp;</p>
<p>This piece was written specifically to clear up some of the confusion regarding <strong>DATA LEAK PREVENTION</strong>, <strong>DLP</strong>. I’ll therefore crave your indulgence to thoroughly peruse its contents.</p>
<p><em>Most network security products (IPS/IDS) focus on keeping the bad guys &#8212; Trojans, viruses and hackers &#8212; outside of the network, but data loss prevention (DLP) keeps the good stuff &#8212; sensitive enterprise data &#8212; in. With more business data leaks tainting the reputations of companies, it&#8217;s important not only to keep your information secure but to keep it from getting into the wrong hands.</em></p>
<p>Marketers use various terms when they refer to DLP. Some examples I&#8217;ve seen are <strong>information leak prevention (ILP)</strong>, <strong>content monitoring and filtering (CMF)</strong> and <strong>extrusion prevention system</strong>.</p>
<p>What you might ask at this point is: is there a difference among any of those terms? I would say <strong>DLP </strong>[<strong>data loss prevention</strong>] is the industry-wide term. Usually where some of the other [terms come in] might be a company trying to differentiate themselves.</p>
<p>Just so you know, there&#8217;s no difference between data <em>loss </em>prevention and data <em>leakage </em>prevention.</p>
<p>Another salient question that often comes to mind is: <strong>how does DLP fit in terms of network security, and how does [DLP] mesh in with what already [exists]? </strong>Five years ago, everything in security used to be [based on] trying to keep the bad people out…. But now the problem that enterprises are really trying to grapple with is how to protect their confidential data &#8212; whether it&#8217;s customer data from PCI, like charge card data, or it&#8217;s health records or just intellectual property &#8212; and that&#8217;s a huge problem. It&#8217;s a big business problem because as it gets out, businesses have to disclose the breach, and they have to track it down, and then it just gets nasty, &#8220;nasty&#8221; being my technical term.</p>
<p>So there&#8217;s a big demand to help businesses make sure that their data stays secure in the data center and that as it moves around their network, there are controls in place to make sure it doesn&#8217;t escape in an unauthorized manner. In a nutshell, that&#8217;s the whole deal with <strong>DLP </strong>&#8211; just to protect the crown jewels [corporate data], so to speak. <strong>The characteristics of DLP are almost like a backward firewall . . . DLP looks at data flowing out of your network and [asks] &#8216;Is this data something I care about? Is it confidential?&#8217;</strong></p>
<p>In some of the presentations that I’ve made in the past, I often come across questions like: <strong>How is DLP different from Network Access Control (NAC)? Is there a difference or similarity between NAC and DLP? </strong>My answer is Yes! All the other stuff, like network access control, is more geared toward keeping malicious code out of the network. It&#8217;s more oriented toward: &#8220;Is your antivirus installed? Do you have all the right patches in place?&#8221; It comes much more from an operational integrity issue than from a data leak issue.</p>
<p>The characteristics of <strong>DLP </strong>are almost like a backward firewall. Where a firewall looks at data coming into the network and says, &#8220;Do I want to allow this?&#8221; <strong>DLP </strong>looks at data flowing out of your network and says, &#8220;Is this data something I care about? Is it confidential?&#8221;</p>
<p>In the network, it actually looks at the data packets and data flow. Instead of … looking for attacks, it finds [traffic] that&#8217;s actually confidential data and then makes a decision on whether or not to allow that to go forward. It might also interest you to note that there are other ways information leaks from the network besides email. <strong>DLP also tracks </strong>these leaks.</p>
<p><strong>Avenues for information leaks</strong>- The three big ways are:</p>
<p><strong>1- Email </strong>&#8211; where you send something out, usually it&#8217;s to a business partner, but sometimes mistakes happen and it doesn&#8217;t go to that person.</p>
<p><strong>2- Laptop, or a USB drive </strong>&#8211; so you&#8217;ve actually made a local copy of it, and [y]our laptop gets stolen or somebody&#8217;s got something on a memory stick, and that&#8217;s got a lot of data on it.</p>
<p><strong>3- Through a piece of malicious code </strong>&#8211; as with the Hannaford incident &#8212; that sits there and just sends automatically. This is spyware; it steals data and sends it out over the Internet.</p>
<p>That&#8217;s pretty much it. The challenge with <strong>DLP </strong>is [figuring out] … how to look at everything in the network. Also, once the data gets to a laptop &#8212; which you usually have to do for an employee &#8212; or desktop, how do you make sure that it gets cleaned up from that endpoint so that it doesn&#8217;t sit on a local drive or sit on a removable drive?</p>
<p>Please note that some vendors describe <strong>DLP </strong>as being broken up into three essential parts: <strong>network endpoint security</strong>, <strong>endpoint protection</strong>, and <strong>discovery</strong>. With this background information, you might be tempted to ask: what is the most important component of <strong>DLP</strong>?</p>
<p>I think <strong>data discovery </strong>is the most important. Because I find that if <strong>IT </strong>knows what is there, they can do a reasonably good job of either putting technology in place or of educating the user. Much of the time, <strong>IT </strong>doesn&#8217;t really know <strong>what </strong>or <strong>where </strong>all the sensitive data is, from a security standpoint. So just being able to say, &#8220;There&#8217;s confidential data in this database or around this file share or SharePoint,&#8221; is useful information for the security [team] to have, because then they can put controls in place so that only authorized people can access it. Then those authorized people are educated as to what their responsibilities are&#8230;</p>
<p>The reason I think <strong>discovery </strong>is the most important is that if security knows where the confidential data is, then they can put a little bit extra vigilance into making sure that the access control policies are in place. They can make sure that all the accounts are active, that people who do access it know their responsibilities and the rules, that there is a little bit of social education a little bit above and beyond what they would normally do: They might look and be a little bit tighter with their audits of machines if they know they have consumer data on them, for instance. They would audit them more often or change the policy or look for things that don&#8217;t belong there. As an operator in the financial services sector for instance, you might have 10,000 applications, with 10,000 databases, so it helps to narrow it down to the ones that should get special attention.</p>
<p>The last myth I would like to clear up is: OK, now that we have <strong>DLP</strong>, what else does the network admin have to do? Is it just to find that material and make a stronger algorithm for it? Yes, find the security controls around it.</p>
<p>When I talk to security people in the enterprise, I think they&#8217;ve been pretty good if they know there&#8217;s a problem: They want to do the right thing. So if they know a company is at risk, they&#8217;ll take care of it. It&#8217;s just that if they don&#8217;t know, what can they do? So half the game is letting them know that there&#8217;s a resource like a database or a file or information that really needs some TLC (Top Level Control) &#8212; some extra care.</p>
<p>Thank you for your time. As always, your comments and questions are much appreciated!</p>
]]></content:encoded>
			<wfw:commentRss>http://smsamic.net/blog/?feed=rss2&#038;p=22</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Comparing Costs of Bandwidth Renewal, Existing Proxy Setup and Websense Secured Web Gateway Appliance (V10000)</title>
		<link>http://smsamic.net/blog/?p=15</link>
		<comments>http://smsamic.net/blog/?p=15#comments</comments>
		<pubDate>Tue, 17 Jan 2012 12:25:56 +0000</pubDate>
		<dc:creator>sms</dc:creator>
				<category><![CDATA[Content Security]]></category>

		<guid isPermaLink="false">http://smsamic.net/blog/?p=15</guid>
		<description><![CDATA[Recently, while carrying out an evaluation at our client site (a large financial services operator with over 5000 users), we noticed a sharp reduction in their bandwidth consumption, from about 15 Meg to about 8 Meg during peak-hour usage, after Websense v10000 was rolled out to production. Please note that this is not a marketing rhetorical [...]]]></description>
			<content:encoded><![CDATA[<p>Recently, while carrying out an evaluation at our client site (a large financial services operator with over 5000 users), we noticed a sharp reduction in their bandwidth consumption, from about 15 Meg to about 8 Meg during peak-hour usage, <strong><span style="text-decoration: underline;">after Websense v10000 was rolled out to production</span></strong>. Please note that this is not a marketing jibe thrown around just to get your attention, but the incontestable truth in the aftermath of the deployment! NOTE: We can arrange for a site visit to this customer.</p>
<p>&nbsp;</p>
<p>If you’ve got a budget or management mandate for Content Filtering solutions (please note the keyword here, <strong><span style="text-decoration: underline;">CONTENT</span></strong>; I&#8217;m not speaking about URL filtering, which is long DEAD anyway in this Web 2.0 era), we’ll gladly offer your organization a no-obligation <strong>30-day</strong> evaluation of the award-winning, best-in-class <strong>Websense v10000</strong> content filtering solution. Please find in-depth information on this product on our website.</p>
<p>&nbsp;</p>
<p>I would implore you to do an <strong>honest</strong> comparative analysis of the benefits and costs of your existing proxy and content filtering solutions (if you have any), i.e. license renewals, software/hardware upgrades, etc., against those of <strong><span style="text-decoration: underline;">Websense v10000</span></strong>, which I’ll be explaining shortly. You’ll then come to the conclusion that it&#8217;s safest for your business to have an <strong><span style="text-decoration: underline;">integrated</span></strong> security appliance (Websense v10000) that combines market-leading secure <strong><span style="text-decoration: underline;">Web gateway, high performance architecture, integrated Web proxy and cache</span></strong> capabilities at your organization’s gateway, radically raising your ROI and ROSI (Return on Security Investment) while at the same time lowering your TCO.</p>
<p>Just so you know, with the same v10000 in your environment you can deploy our best-in-class, market-leading Email security solutions and Data Leak Prevention (DLP) solutions on the same appliance without the need for additional hardware purchase. In the meantime, I’ll take time out to give you an overview of the Websense Appliance and its unified content filtering capabilities.</p>
<table width="572" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" width="572">
<p><strong>Websense V10000 Appliance</strong></p>
<p>&nbsp;</p>
<p>The Websense V10000 appliance is the industry&#8217;s most effective secure Web gateway.</p>
<ul>
<li>Market leading secure Web gateway</li>
<li>High performance architecture</li>
<li>Integrated Web proxy and cache</li>
</ul>
<p>&nbsp;</p>
<p>The Websense V10000 <strong>Web security gateway appliance</strong> platform is the industry&#8217;s most accurate and effective solution for Web 2.0 content control and threat protection, enabling organizations to accelerate business without having to worry about security, productivity, and liability threats such as malicious and inappropriate content and data loss. Utilizing a hardened operating system optimized for analyzing Web traffic and content, the Websense V10000 meets the performance requirements of high-throughput enterprise networks.</p>
<p>&nbsp;</p>
<p>The Websense V10000 provides centralized management of Web security, proxy and cache, and application controls to manage and secure the enterprise in a Web 2.0 world.</p>
<p>&nbsp;</p>
<p><strong>Integrated Web proxy and cache</strong></p>
<p>The Websense V10000 appliance includes the Websense enterprise-class <strong>WEB PROXY</strong> (effectively taking out your current proxy or co-inhabiting side-by-side) and <strong>CACHE</strong> (decreasing latency for Internet downloads while increasing performance) to manage and secure SSL encrypted communications. This provides visibility and enables security policies for previously uncontrollable Web traffic. The Websense V10000 appliance helps administrators regain control of secure Web transmissions, accelerate access to the Web, consolidate hardware, and upgrade legacy and expensive proxy deployments.</p>
<p><strong> </strong></p>
<p><strong>Websense Secure Web Gateway</strong></p>
<p>The Websense V10000 enables customers to deploy the market leading Websense Web Security Gateway on a single platform. Using over 1800 analytic engines, including <strong><span style="text-decoration: underline;">anti-virus</span></strong>, <strong><span style="text-decoration: underline;">web reputation</span></strong>, and <strong><span style="text-decoration: underline;">behavior analysis</span></strong>, the Websense V10000 identifies and blocks dynamic and malicious threats, controls user-generated and personalized content from Web 2.0 websites and applications, and enables organizations to securely leverage the benefits of Web 2.0 technologies.</p>
<p>&nbsp;</p>
<p><strong>Advanced application controls</strong></p>
<p>The Websense V10000 appliance offers advanced application controls to reduce risk associated with unsanctioned application communications. With the click of a mouse, administrators can manage over 130 network protocols for thousands of applications, including IM and P2P, to control use on the network. The V10000&#8217;s application controls help organizations demonstrate compliance with security policies, prevent data loss, minimize security risks, and manage productivity by controlling application usage.</p>
<p><strong>Intuitive management and reporting</strong></p>
<p>The intuitive web-based management and reporting interface of the Websense V10000 ensures that administrators require less time to manage the solution, freeing up resources for other IT and security projects. The easy-to-use interface includes over 55 built-in reports, places key tasks and functions at the administrator&#8217;s fingertips, and provides all key security statistics and reports in a centralized, easy-to-use dashboard. Additionally, the Websense V10000 appliance includes consolidated management of system resources so administrators can easily start and stop individual services, as well as track performance and resource utilization.</p>
<p><strong> </strong></p>
<p><strong>High performance architecture</strong></p>
<p>The Websense V10000 appliance is a high-performance secure Web gateway appliance designed to support flexible, scalable deployments of the industry&#8217;s leading Web security solution — Websense Web Security Gateway. Using a hardened operating system optimized for analyzing web traffic and content, the Websense V10000 meets the performance requirements of high-throughput enterprise networks. The Websense V10000 protects customers from dynamic Web 2.0 threats without sacrificing performance and supports integration with other Websense security solutions, including Websense data and email security.</p></td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<p>Please feel free to reach out for clarification on any questions, comments or feedback.</p>
]]></content:encoded>
			<wfw:commentRss>http://smsamic.net/blog/?feed=rss2&#038;p=15</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Brief Overview of ForeScout Network Access Control Solution.</title>
		<link>http://smsamic.net/blog/?p=10</link>
		<comments>http://smsamic.net/blog/?p=10#comments</comments>
		<pubDate>Tue, 17 Jan 2012 12:04:04 +0000</pubDate>
		<dc:creator>sms</dc:creator>
				<category><![CDATA[NAC]]></category>

		<guid isPermaLink="false">http://smsamic.net/blog/?p=10</guid>
		<description><![CDATA[Organisations are becoming ever-more aware of the need to defend their computer networks from cyber attacks. There have been recent warnings from governmental agencies and regulatory bodies of the increasing threat &#8211; 51% of malicious software threats that have ever been identified occurred in 2009. Threats from externally based criminals are not the only risks [...]]]></description>
			<content:encoded><![CDATA[<p>Organisations are becoming ever-more aware of the need to defend their computer networks from cyber attacks. There have been recent warnings from governmental agencies and regulatory bodies of the increasing threat &#8211; 51% of malicious software threats that have ever been identified occurred in 2009.</p>
<p>Threats from externally based criminals are not the only risks faced: increasing numbers of varied devices are being attached to the enterprise network by remote workers, contractors or those requiring guest access, which means insider threats. These threats, whether deliberate or wrought unwittingly by out-of-compliance machines, can force organisations to face up to huge losses due to downtime, financial remediation costs and loss of public confidence. What is needed is a way to control who can access crucial systems and sensitive data…</p>
<p>ForeScout’s CounterACT is a military-grade security system, many aspects of which have been developed in collaboration with the U.S. military. CounterACT has an existing Common Criteria certification at EAL2, with EAL4+ in progress. As well as protecting the U.S. military, ForeScout is also a trusted partner of the U.S. government and Federal bodies; further information on its Government and Department of Defense credentials can be found at: http://www.forescout.com/solutions/dod_gov.html<br />
Other benefits from CounterACT include:</p>
<p>• In-built IPS &#8211; based upon patented ActiveResponse Technology that detects attackers&#8217; reconnaissance and responds to them with counterfeit information, which eliminates the need for signature updates</p>
<p>• Centralised visibility of ALL devices on the network giving the ability to control data leakage</p>
<p>• Proactive security that notifies, controls or blocks users that do not comply with policies and co-ordinates management of security infrastructure by integrating with wireless, anti-virus, VPN and many other technologies</p>
<p>• Vendor Agnostic &#8211; an out-of-band, network-based appliance that works with existing network infrastructures &#8211; no switch upgrades, no network reconfigurations. CounterACT integrates with all major enterprise switches, both 802.1x and non-802.1x, so unlike other products that require considerable network/infrastructure modifications before installation, CounterACT can be installed in one day.</p>
<p>Other product specifics</p>
<p>• Clientless – No agent software download required. Enables the device to identify, track and monitor ALL devices connected to the network, including guests /contractors.<br />
• Signature-less IPS – Monitors for malware activity, specifically reconnaissance behaviour. This is then blocked.<br />
• Out-of-Band – The appliance is located next to a core or distribution switch and connected to a SPAN port, i.e. out of line<br />
• Tailored Enforcement – A granular approach to policy enforcement, dependent on the policy breach:<br />
1) HTTP browser hijack presents a message/warning to user<br />
2) VLAN assignment<br />
3) Virtual Firewall – using TCP resets to block some or all traffic originating from a device<br />
4) Switch port disable – Using SNMP, we instruct the access layer switch to turn off the port users are connected to<br />
• Non disruptive deployment – CounterACT connects at the core or distribution layer requiring a mirrored port on the switch that it connects to.<br />
• End Point X-Ray – end point posture for policy compliance i.e. check for things you need to see on the device (e.g. AV s/w) and things you don’t want to see (e.g. Skype)<br />
• Reporting – A vast array of reports can be generated by the CounterACT device, from high level overviews to detailed information on compromised devices.<br />
• Pre Defined Policies – Predefined, commonplace policies are available for download from the ForeScout web site.<br />
• Integration – Seamless integration into most environments. Interoperates with most major vendors, including Cisco, Aruba, HP, Nortel, Juniper and many others.</p>
<p>The ForeScout Approach</p>
<p>ForeScout CounterACT is an integrated network security appliance that delivers real-time visibility and control of all devices on your network. CounterACT is deployed out-of-band of your real-time network data flows. By receiving mirrored traffic, or by integrating directly with network layer devices (Routers, Switches, Wireless Controllers, Authentication Services, etc.), ForeScout CounterACT is able to automatically identify who and what is on your network and to control access to your network resources from any host or segment, measuring compliance with your security policies and remediating or mitigating endpoint security and policy violations when they occur.</p>
<p>ForeScout CounterACT employs a proven approach for IT risk management, as shown in the diagram below. Every device that accesses the network is identified, inspected, remediated (if you wish), and continuously monitored.</p>
<p>ForeScout CounterACT revolutionizes Network Access Control (NAC) technology by eliminating deployment obstacles of typical solutions, such as costly hardware upgrades and lack of interoperability with existing infrastructure. Unlike other solutions, ForeScout CounterACT installs quickly and easily. It seamlessly integrates with any network environment. No software to install. No hardware upgrades.</p>
<p>CounterACT is 100% agentless, which means there is no software to install on endpoints. It works with all of your existing endpoints – managed and unmanaged, known and unknown. And CounterACT can control access to your network with or without 802.1X.</p>
<p>Key advantages of CounterACT can be best summarized as follows:<br />
1. Clientless Network-based Enforcement: unlike 802.1x-based network access control systems which require a desktop agent, the CounterACT system offers clientless, network-based enforcement.<br />
2. Clientless Remediation: CounterACT can check and remediate company domain member devices (i.e. update OS and applications) without the need for an agent. To help remediate guests or other non-domain member devices, CounterACT offers its thin, dissolvable SecureConnector™ client via a web HTTP welcome screen.<br />
3. Standards-based and Infrastructure Agnostic: CounterACT’s ability to work across heterogeneous network infrastructures has made it a favored solution for insurance, banking and financial networks. It deploys quickly without imposing costly upgrades or retrofits to the existing infrastructure: no prerequisites &#8212; such as switch upgrades, 802.1x deployment, client installation, or OS upgrade – are required. This eliminates the overhead imposed by inline solutions which take advantage of “vendor lock-in”.<br />
4. Threat Detection: CounterACT comes with built-in threat detection and prevention technology that can determine if connecting devices are malicious or infected with self-propagating malware. This capability is recommended in Gartner’s 2008 Market Scope:<br />
“To achieve the maximum benefits of network access control, enterprises must do more than just check for vulnerable endpoints. They must be able to detect and quarantine malicious-software-infected endpoints that can do damage to their network.” &#8211;John Pescatore, Gartner Market Scope<br />
5. Discovery of Hidden Infrastructure: Rapid detection of rogue or unauthorized devices is a top concern in large networks. Recognized as possibly the strongest network sensor on the market today, CounterACT has demonstrated its ability to quickly and accurately identify and report details on all infrastructure components – both hidden and known. By monitoring network traffic and communicating with the switch infrastructure without the use of a client, CounterACT can see all IP devices on the network. This is a significant differentiator for ForeScout’s customers.<br />
6. Extensive Experience in Large, Global Network Deployments: ForeScout customers include some of the largest, most globally distributed companies in the world. For such companies, scalability, reliability and information security are of equal importance. CounterACT is chosen for its ability to address many industry-specific requirements; for example, its comprehensive PCI (Payment Card Industry) compliance solution together with its centralized policy management capabilities help address many bank and retail audit requirements.<br />
7. CounterACT offers Multiple Protection Tools:<br />
• ActiveScout IPS Protects Internet-Exposed Services<br />
• VPN Integration<br />
• Guest Management<br />
• Spoof Detection<br />
• Unauthorized Device Detection<br />
• Role-based Access<br />
• Espionage Detection<br />
8. CounterACT Finds and Fixes Weaknesses within the network by doing the following:<br />
• Updates Microsoft Patches<br />
• Updates Anti-virus Definitions<br />
• Configures the Desktop Firewall<br />
• Blocks Peer to Peer (P2P) or Instant Message (IM)<br />
• Signature-less IPS Blocks New Worms<br />
• Signature-less IPS Blocks Custom Worms<br />
9. CounterACT Deters Data Leakage by doing the following:<br />
• Inventory Monitoring for missing devices<br />
• Kill Peer to Peer (P2P) and Instant Message (IM)<br />
• Multi-homed wireless detection<br />
• Unauthorized application on desktop<br />
• USB Drive, CD/DVD-R, iPod enforcement.<br />
10. In disabling USB Memory Drives (according to your policies), CounterACT does the following:<br />
• Detects when memory drive is inserted<br />
• Disconnects drive<br />
• Command to make drive read-only<br />
• Script to audit drive files<br />
• New feature: block USB memory when offline</p>
<p>ForeScout CounterACT makes you smarter, your network more secure, and your staff less busy by automating tasks that are currently laborious. CounterACT is in use by over 500 of the world’s most secure enterprises and military installations with global deployments spanning 37 countries. ForeScout CounterACT is based on third generation Network Access Control (NAC) technology. Unlike other solutions, ForeScout CounterACT installs quickly and easily. No software (agent-less). Works with existing network infrastructure.</p>
<p>Why ForeScout’s CounterACT NAC Solutions?</p>
<p>• Do you have a Cisco network? Is it self-defending yet?<br />
• Can your network protect against guests and contractors plugging their laptops into open network ports?<br />
• Can your network automatically ensure that every endpoint is compliant with your security policies – antivirus, DLP, encryption, patch level, configuration, etc.?<br />
• What if you could buy a simple network appliance that would work with your existing network infrastructure and give it the intelligence to fix both of these problems?<br />
• Wouldn’t it be embarrassing if your organization learned – the hard way – that you’ve got gaps in protection? That the security agents you spent lots of money for are not installed and working properly on 100% of your endpoints? What if you could buy an appliance that would totally eliminate this risk?<br />
• Do you have policies in place to prevent data loss? (e.g. prohibit use of P2P applications or USB drives) Do you have real-time visibility into how many of your users are violating data loss policies?<br />
• Are you responsible for security audits? Do you have an automated system for reporting on the compliance of devices on your network?<br />
• Do you have a tool that will tell you how many iPhones are connected to your network?</p>
<p>ForeScout CounterACT keeps unwanted visitors and rogue devices off your network. This helps you keep your network more secure. ForeScout CounterACT is very popular because it is so easy to deploy. Everything is contained in a simple appliance. It works with your existing IT infrastructure. No software to install, no hardware to upgrade. Some of the world’s largest enterprises have their endpoints securely managed by us; see www.forescout.com for details.</p>
<p>&nbsp;</p>
<p>If you do require further detailed information on this product/solution (with a possible Proof Of Concept Implementation), do not hesitate to contact me directly or visit our homepage at www.smsamic.net.</p>
<p>&nbsp;</p>
<p>You may also wish to check out some exclusive IT Security resources at the RESOURCE CENTER found on our website.</p>
]]></content:encoded>
			<wfw:commentRss>http://smsamic.net/blog/?feed=rss2&#038;p=10</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
	</channel>
</rss>

