Last month, Wallace Sann, the Public Sector CTO for ForeScout, and I sat down to chat about the current state of cybersecurity in the federal government. With ForeScout, government security teams can see devices as they join the network, control them, and orchestrate system-wide responses.
Many of our customers deploy both RedSeal and ForeScout side by side. I wanted to take a look at how government security teams were dealing with ongoing threats and the need to integrate difference cybersecurity tools into the “cyber stack.”
Our conversation is lightly edited for better clarity.
Wayne: Describe the challenges that ForeScout solves for customers.
Wallace: We help IT organizations identify IT resources and ensure their security posture. There’s always an “ah-ha moment” that occurs during a proof of concept. We see customers who swear by STIG, and will say they only have two versions of Adobe. We’ll show them that there are 6-7 versions running. We tell you what’s on the network and classify it.
Wayne: We often say that RedSeal is analogous to a battlefield map where you have various pieces of data coming in to update the topography map with the current situation. By placing the data into the context of the topography, you can understand where reinforcements are needed, where your critical assets are and more.
RedSeal’s map gives you this contextual information for your entire enterprise network. ForeScout makes the map more accurate, adapting to change in real time. It lets you identify assets in real time and can provide some context around device status at a more granular or tactical level.
Wallace: Many companies I speak to can create policies on the fly, but ensuring that networks and endpoints are deployed properly and that policies can be enforced is a challenge.
Wayne: Without a doubt. We were teaching a class for a bunch of IT professionals, telling them that RedSeal can identify routes around firewalls. If the networking team put a route around it, the most effective firewall won’t work. The class laughed. They intentionally routed around firewalls, because performance was too slow.
Endpoint compliance typically poses a huge challenge too. RedSeal can tell you what access a device has, but not necessarily when it comes online. Obviously, that’s one of the reasons we’re partnering with ForeScout.
Wallace: ForeScout can provide visibility that the device is online and also provide some context around the endpoint. Perhaps RedSeal has a condition that DLP is running on the endpoint. ForeScout could tell you that DLP is not loaded, and therefore no access allowed.
Wayne: Inventory what’s there. Make sure it’s managed. If not managed, you may not know you were attacked and where they came in or went. If you have that inventory, you can prevent or at least respond quicker.
Another important component is assessing risk and knowing what is important to protect. Let’s say we have two hosts of equal value. If Host 1 is compromised, you can’t leapfrog any further. No other systems will be impacted. If Host 2 is compromised, 500 devices can be compromised including two that may have command and control over payroll or some critical systems. Where do you want to put added security and visibility? On the hot spots that open you up to the most risk! We put things into network context and enable companies to be digitally resilient.
Wallace: With so many security concerns to address, prioritization is critical.
Wayne: IoT is obviously a trend that everyone is talking about and is becoming an increasing concern for agency IT Security orgs. How is ForeScout addressing IoT?
Wallace: ForeScout provides visibility, classification and assessment. If it has an IP address, we can detect it. Classification is where we are getting better. We want to be able to tell you what that device is. Is it a security camera? A printer? A thermostat? We can classify most common devices, but we want to be 75-90% accurate in device classification. The problem is that many new devices are coming out every day. Many you can’t probe traditionally; it could take the device down. And, you can’t put an agent on it. So, we’re using other techniques to passively fingerprint a device (via power over Ethernet, deep packet inspection, and more), so we can get to 95% accuracy.
Wayne: Do you see a lot IoT at customer sites, and are they concerned?
Wallace: Some don’t realize they have an issue. Many don’t know that IoT devices are on their networks. We are seeing more cases where we are asked to assess IoT environments and address it. Before, we weren’t asked to take action. We used to be asked how many Windows and Mac devices there were. Now, there is a movement by government agencies to put anything with an IP address (the OT side) under the purview of the CISO.
Wayne: We see a lot of devices – enterprise and consumer – that aren’t coded securely. IoT devices should be isolated, not connected to your mission critical operating environment.
Wallace: I was curious how RedSeal handles IoT?
Wayne: If there is vulnerability scan data, it tells us what OS, applications running, active ports, host name, MAC address, etc. Without that data, we can grab some device data, but with ForeScout, can get more context/additional data about the device. ForeScout can tell you the devices are there. RedSeal can ensure that it’s segmented the way it should be. We can tell you it’s there and how you can get to it, people need to make decisions and act. We show IoT devices as a risk.
Wayne: What are some of the trends that you are seeing that need to be addressed at customer sites?
Wallace: From a native cloud perspective, we are working on extending the customer on-premise environment and bringing visibility and control to the cloud. We are also working on making it easier to get security products to work together. People don’t have the resources for integration and ongoing management. We’re working to orchestrate bi-directionally with various toolsets to provide actionable intelligence – advanced threat detection, vulnerability assessment, etc.
We can take intel from other vendors, and ForeScout gives us the who, what, when, where from an endpoint to determine if that device should be on a network.
For example, an ATD vendor can detect malware (find it in their sandbox). They will hand us an incident of compromise (hash, code, etc.). We’ll look for those IoCs on devices on the network and then quarantine those devices.
Wayne: Security vendors need to work together. Customers don’t want to be tied to a single vendor. Thanks for your time today.