TRANSCRIPT
ForeScout Security for K-16 Sector
Agenda
1. K-16 Education Technology Trends
2. The Emergence of IoT and BYOD in the Education Landscape
3. Cyberattacks in the Education Space
4. Challenges with the Traditional Security Landscape
5. ForeScout Solution
6. Summary
K-16 Education Trends
Goals
• Improve student achievement and outcomes
• Teach 21st century skills
Enhance Student Engagement – Digital Learning
• Digital content
• Online assessments
• Blended and online learning
Drive Technology Infrastructure Readiness
• Increased BYOD usage
• IoT devices entering through facilities upgrades and wearables (Apple Watch, Fitbit)
Reference acronym glossary at the end of presentation
The Classroom is a Different Place Today
Source: “Learning Counsel 2015 National Digital Curriculum Strategy Survey.”
• 48% of teachers use digital curriculum and content ¼ to ½ of the time
• 24% have students turn to digital resources more than ½ of the time
• 44% of students take instruction online
Devices, Students and the Cybersecurity Team
A sample mix from a school district in Texas (source: Texas school district website):
• 40K–80K devices
• 40K students
• 4 cybersecurity staff
School districts have a mix of traditional, BYOD and IoT devices.
IT Security Pain Point: Big Network Without a Big Budget
Source: Based on ForeScout customer engagement experience
A small security team has to manage an enterprise-sized network without the corresponding headcount.
The X-Factor, the ratio of the number of devices to the number of employees in an enterprise, is typically about 3.5X.
In educational institutions the X-Factor can be as high as 10X to 20X.
BYOD Devices are Increasing on Campus
BYOD includes Chromebooks, smartphones, tablets, laptops, Apple Watches, Fitbits and gaming consoles, among others.
Facilities Upgrades are Bringing in IoT Devices
Source: ForeScout IoT Enterprise Risk Report
Risk levels:
• DISASTROUS: cause irreversible damage
• DISRUPTIVE: disrupt corporate and operational processes
• DAMAGING: enable information stealing
Example attacks through IoT devices:
• Illegal remote monitoring
• Tampering with temperature controls
• Spying via video and microphone
• Accessing classified information
• Obtaining user credentials
• Extracting Wi-Fi credentials to carry out further attacks
• Snooping on calls
IoT and BYOD Devices are Vulnerable
• Many IoT and BYOD devices lack basic security features
• Many IoT and BYOD devices cannot be patched
• Many IoT and BYOD devices run on outdated or unsupported software
• Many IoT and BYOD devices cannot host an agent
IP-Connected Security Systems
An Example of IoT Device Risks
Risk level: DISASTROUS
• Many use proprietary radio frequency technology that lacks authentication and encryption. Attackers can form radio signals to send false triggers and access system controls.
• Use the device's compute capability to exfiltrate large amounts of data.
• Disable the camera to allow a physical break-in.
• Hijack the camera to spy on employees' usage of computers, passwords, applications and designs.
• Use as a launching point for DDoS attacks.
Per Capita Cost of Data Breach in USA
Source: IBM/Ponemon report, Cost of a Data Breach
• Media: $177
• Education: $220
• Financial: $264
• Life Science: $301
Educational information includes staff payroll and HR information, licensed digital educational content, budget information, student behaviour records, student medical records, student grades, research work and personnel information.
Security Challenges
• Increased online learning (assessments, education apps, digital content) opens up vulnerabilities.
• Sensitive staff and student information: hackers have a financial incentive to steal it.
• Guests have access to the same school network.
• Schools are worried about insider attacks: curious students launch cyberattacks on school networks, and students access restricted content to change grades, watch commercial copyrighted content for free, or watch unsafe content.
• A breach can disrupt learning.
Cybersecurity in the Education Sector
Source: Verizon 2016 Data Breach Investigations Report; Huffington Post
254 reported security incidents in the education sector, according to Verizon's 2016 Data Breach Investigations Report.
IoT University Breach in the News
Source: Network World
Well Known Cyber Breaches in Education
Source: Huffington Post
• 300K records breached at the University of Maryland
• 300K records breached at North Dakota University
• 200K records breached at Butler University
• 146K records breached at Indiana University
• 4.5M records breached in the UCLA Health system
Many New Devices will be Vulnerable to Attacks
Less than 10% of new devices connecting to the corporate environment will be manageable through traditional methods.
Source: Gartner, BI Intelligence, Verizon, ForeScout
[Chart: managed vs. unmanaged devices, 2010–2020]
• By 2020: 20+ billion unmanaged connected devices
• 66% of all networks will have an IoT security breach by 2018
Pre- vs. Post-Connect Access Control Solutions
• Pre-Connect: validates that the device and user(s) are compliant with organizational policies and standards at the time access is granted to a production network.
• Post-Connect: validates that the device and user(s) remain compliant after the connection is granted; compliance is verified immediately and throughout the “lifecycle” of the connection.
• Hybrid: one solution provides pre-connect and another provides post-connect protection.
• Complete: one solution provides both pre- and post-connect protection.
Of the listed solutions, pre-connect-only solutions provide the weakest protection for your organization: nothing re-checks a device once it has been admitted.
Reason #1 – Lack of Effective Scope
Why 802.1X Access Control Solutions Fail
• Discovered / supported devices: authenticated through an agent and/or an 802.1X supplicant.
• Undiscovered / unsupported devices: either remain undiscovered (rogue) or are admitted via MAC Authentication Bypass (MAB), which trusts the MAC address alone.
Reason #2 – Bypassing Access
Why 802.1X Access Control Solutions Fail
• Similar to a bouncer outside of a club entrance, 802.1X
  – Verifies the identity of the user
  – Validates the identity of the connecting host
• Once validated, devices are allowed onto the network
• Considering IoT alone, 802.1X at best provides access control, with gaps in coverage that are expected to grow in size and frequency
Similar to the bouncer at the door, 802.1X must rely on others to maintain secure and expected behavior once access has been granted.
Reason #3 – Little or No Post-Connect Protection
Why 802.1X Access Control Solutions Fail
802.1X delivers network access control at connect time; by itself it does not provide:
• Behavioral control
• Cyber hygiene management
• Protection for device populations admitted via MAB
• Full asset visibility and situational awareness
Protection and advanced detection often require agents, which many IoT and BYOD devices cannot host.
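The three reasons above reduce to one mechanism: a pre-connect decision is made once, and a MAB admission rests on a MAC address any host can set. The toy policy engine below, an added example that is not ForeScout code and that talks to no real switch or RADIUS server, admits a device the way 802.1X/MAB would and then re-evaluates it against the behaviour its claimed device class should show. The MAC allowlist, the per-class port baseline and the impostor scenario are all constructed for the example.

```python
"""Toy NAC engine contrasting pre-connect admission (802.1X or MAB) with
post-connect re-evaluation.  Added example built on constructed data; it is
not ForeScout code and does not talk to a real switch or RADIUS server."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed MAB allowlist: MAC address -> device class the network expects
# at that address (agentless devices that cannot run an 802.1X supplicant).
MAB_ALLOWLIST = {
    "00:11:22:33:44:55": "printer",
    "aa:bb:cc:dd:ee:01": "ip-camera",
}

# Constructed behaviour baseline: TCP ports each device class is expected to
# use.  Anything outside the baseline is a post-connect deviation.
EXPECTED_PORTS = {
    "printer": {80, 631, 9100},
    "ip-camera": {80, 554},
}


@dataclass
class Device:
    mac: str
    has_supplicant: bool = False      # can it complete 802.1X at all?
    credentials_valid: bool = False   # did EAP authentication succeed?
    observed_ports: set = field(default_factory=set)  # traffic seen after admission


@dataclass
class Session:
    mac: str
    profile: Optional[str]   # device class the admission decision assumed
    segment: str             # where the switch port currently lands


def pre_connect(dev: Device) -> Session:
    """One-time admission decision at connect time (the 'bouncer')."""
    if dev.has_supplicant and dev.credentials_valid:
        return Session(dev.mac, "managed-endpoint", "corporate")
    profile = MAB_ALLOWLIST.get(dev.mac.lower())
    if profile is not None:
        # MAB: trust rests on the MAC address alone, which any host can set.
        return Session(dev.mac, profile, "corporate")
    return Session(dev.mac, None, "guest")


def post_connect(session: Session, dev: Device) -> Session:
    """Re-evaluate an admitted device against the behaviour its claimed class
    should show, and move it to quarantine on deviation."""
    baseline = EXPECTED_PORTS.get(session.profile)
    if baseline is None:
        return session   # no behaviour baseline for this profile in the toy
    if dev.observed_ports - baseline:
        session.segment = "quarantine"
    return session


def demo():
    """Constructed scenario: a laptop spoofs the printer's MAC, is admitted by
    MAB, then starts probing SMB and RDP on the corporate segment."""
    impostor = Device(mac="00:11:22:33:44:55", observed_ports={9100, 445, 3389})
    session = pre_connect(impostor)
    before = session.segment
    after = post_connect(session, impostor).segment
    deviations = sorted(impostor.observed_ports - EXPECTED_PORTS["printer"])
    return before, after, deviations


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` shows the pre-connect stage landing the spoofed device on the corporate segment and the post-connect stage moving it to quarantine once ports 445 and 3389 appear; a genuine camera that only speaks RTSP and HTTP stays where it was admitted. A real deployment would draw the baseline from device fingerprinting and flow data rather than a hard-coded port set.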
Many IoT Devices Are Vulnerable
ForeScout's agentless solution helps overcome these limitations:
• Many IoT and BYOD devices lack basic security features
• Many BYOD and IoT devices cannot be patched
• Many BYOD and IoT devices run on outdated or unsupported software
• Many BYOD and IoT devices cannot host an agent
See
CONTINUOUS and AGENTLESS visibility answers:
• Who are you?
• Who owns the device?
• What type of device?
• Where/how are you connecting?
• What is the device hygiene?
Visible to traditional tools (manageable with an agent): computing devices, network devices, applications, and hygiene findings such as out-of-date antivirus, a broken agent or a vulnerability.
Not visible: non-traditional/IoT computing devices. Many IoT devices are invisible to traditional security systems.
Control
AUTOMATED and POLICY-DRIVEN actions: Restrict, Comply, Notify
Network placements a device can be moved to: Less Privileged Access, Guest Network, Corporate Network, Quarantine, Data Center
Orchestrate
MAXIMIZE EXISTING INVESTMENTS; BREAK DOWN SILOS
• Share contextual insights
• Automate workflows
• Automate response actions
Vendor options (as of April 2017): ATD, SIEM, EMM, EDR/EPP, NGFW, VA, ITSM
Access Privilege and Auto-Remediation Capabilities
Device classes seen: corporate devices, BYOD devices, IoT devices, rogue devices
Integrated tools: Firewall, SIEM, ATD, VA, Endpoint Patch, EMM
• See corporate, BYOD, IoT and rogue devices
• Detect transient devices and trigger real-time vulnerability scans
• Automate enrollment for guests and BYOD, including mobile devices
• Trigger updates and patches on managed endpoints
• Rapidly respond to incidents, without human intervention
• Control network access based on user, device and policy
Why ForeScout?
ForeScout listed as a representative vendor in the Gartner IoT Market Guide
IDC Paper: https://www.forescout.com/idc-business-value/
IDC interviewed 7 ForeScout customers; on average, the benefits were:
Security Benefits of a ForeScout Solution
• 24% more devices discovered
• 18% more devices in compliance
• 42% reduction in network-related breaches
• 38% reduction in device-related breaches
• Faster time to value
Business Benefits of a ForeScout Solution (average for an organization with 43K devices)
• $2M average savings
• 392% ROI over 5 years
• 13 months to break even
A Customer Success Story: Secure Heterogeneous Environments; Integrate Two Networks
1. M&A brought in a hybrid IT environment with a mix of 802.1X and non-802.1X devices, varying device hygiene, device types and applications.
2. Implementing 802.1X became very cost-prohibitive and complex.
3. ForeScout immediately brought in higher value and ROI, turning a 3-year complex integration project into a 2-year success story. ForeScout's agentless approach and ability to plug into the network out of band reduced integration effort.
A Customer Success Story: Example of Containment of an Attack
1. An alert was received in the endpoint security system of a computer infected with ransomware.
2. The location of the system had to be determined quickly to contain the problem.
3. ForeScout determined the system location and removed it from the network in real time.
Before ForeScout, it took 30 minutes or longer to locate a device and disable it; now it is done in real time. ForeScout also cut down on staff time, as the team only had to re-image one device compared to multiple if the virus had spread.
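The containment story is an alert-to-port pipeline: an endpoint alert carries an IP, the IP resolves to a MAC through the DHCP/ARP view, the MAC resolves to a switch port through the switch's forwarding table, and the port is shut. The example below, added here and not ForeScout's code, runs that pipeline over constructed ARP and CAM tables with an in-memory stand-in for the switch; it also keeps the blocked MAC so that a host moved to another wall port is shut again, the post-connect follow-through that a one-time port shutdown alone lacks. The alert format, table contents and switch/port names are all assumptions made for the example.

```python
"""Alert-driven containment: map an endpoint alert's source IP to a MAC, the
MAC to the switch port it is learned on, and shut that port.  A blocked MAC
that reappears on another port is shut again.  Added example on constructed
tables; it is not ForeScout code and drives no real switch, EDR or SIEM."""
from dataclasses import dataclass, field

# Constructed DHCP-lease / ARP view of the LAN: IP -> MAC
ARP_TABLE = {
    "10.20.5.17": "3c:52:82:aa:bb:01",
    "10.20.5.18": "3c:52:82:aa:bb:02",
}
# Constructed switch forwarding (CAM) view: (switch, port) -> MAC learned there
CAM_TABLE = {
    ("sw-lib-01", "Gi1/0/7"): "3c:52:82:aa:bb:01",
    ("sw-lib-01", "Gi1/0/8"): "3c:52:82:aa:bb:02",
}


@dataclass
class Fabric:
    """In-memory stand-in for the ARP/CAM lookups and port actions that a
    real deployment would perform over SNMP or the switch CLI."""
    arp: dict
    cam: dict
    blocked_macs: set = field(default_factory=set)
    actions: list = field(default_factory=list)   # audit trail of port changes

    def locate(self, ip):
        """Return (mac, switch, port); switch/port are None if the MAC is not
        currently learned anywhere, None if the IP is unknown."""
        mac = self.arp.get(ip)
        if mac is None:
            return None
        for (switch, port), learned in self.cam.items():
            if learned == mac:
                return mac, switch, port
        return mac, None, None

    def shut_port(self, switch, port):
        self.actions.append(("shutdown", switch, port))
        self.cam.pop((switch, port), None)   # nothing is forwarded there now

    def contain(self, alert):
        """alert: dict with 'src_ip' and 'verdict' from the endpoint/ATD tool."""
        if alert.get("verdict") != "malicious":
            return "ignored"
        loc = self.locate(alert["src_ip"])
        if loc is None:
            return "unknown-ip"
        mac, switch, port = loc
        self.blocked_macs.add(mac)   # remember the host, not just the port
        if switch is None:
            return "mac-not-on-fabric"
        self.shut_port(switch, port)
        return f"contained {mac} at {switch}/{port}"

    def on_mac_learned(self, switch, port, mac):
        """Called when a switch learns a MAC on a port (host moved cables)."""
        self.cam[(switch, port)] = mac
        if mac in self.blocked_macs:
            self.shut_port(switch, port)
            return "re-blocked"
        return "allowed"


def demo():
    """Constructed scenario: an endpoint tool flags 10.20.5.17 for ransomware
    C2 traffic; the user then tries three other wall ports."""
    fab = Fabric(dict(ARP_TABLE), dict(CAM_TABLE))
    alert = {"src_ip": "10.20.5.17", "verdict": "malicious",
             "signature": "ransomware C2 beacon"}
    first = fab.contain(alert)
    moves = [fab.on_mac_learned("sw-lib-01", p, "3c:52:82:aa:bb:01")
             for p in ("Gi1/0/9", "Gi1/0/10", "Gi1/0/11")]
    return first, moves, len(fab.actions)


if __name__ == "__main__":
    print(demo())
```

The audit trail in `actions` is what an analyst would hand to the help desk; keying the block on the MAC rather than the port is what makes the second, third and fourth reconnection attempts fail immediately instead of needing a fresh alert each time.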
A Customer Success Story: Example of Fast Remediation
1. A weekly threat report is generated to show risk level.
2. The report shows assets on the network that are not reporting to the asset management system.
3. ForeScout helps the IT team remediate by locating and registering these devices.
ForeScout reduced time to remediate by 83% (3 hours to 30 minutes).
• Scale: 1M+ devices in a single deployment
• Engineering: 3x increase in ForeScout R&D
• Customers: 2500+ in over 70 countries
• Service: 87 NPS (Net Promoter Score)
ForeScout Accolades
• Gartner IoT Security Market Guide (Gartner, 2016)
• JP Morgan Chase Hall of Fame Innovation Award for Transformative Security Technology (JPMC, 2016)
• Cloud100 World's Best Cloud Companies (Forbes, 2016, 2017)
• Deloitte's Fastest Growing Companies in North America (Deloitte, 2016)
• 20 Fastest Growing Security Companies (The Silicon Valley Review, 2016)
• Gartner NAC Market Guide (Gartner, 2016)
• Excellence Award for Threat Solutions (Gartner, 2016)
• Computer Reseller News Top Security Company (CRN, 2016)
• Inc. 5000 Fastest Growing Companies (Inc. 5000, 2016)
• 9 Hot Cybersecurity Startups (Nanalyze, 2016)
Summary
• BYOD and IoT devices are entering educational institutions in a big way.
• Many BYOD and IoT devices lack basic security features and are invisible to traditional security systems, posing a bigger security risk.
• Many organizations underestimate the number of BYOD and IoT devices in their networks, thereby opening up vulnerabilities.
• ForeScout's agentless approach has helped companies discover on average 24% more devices on their networks (IDC Report: https://www.forescout.com/idc-business-value/).
Do you know how many devices are in your network? Request a ForeScout POC to find out.
Questions?
Acronym Glossary
AAA Authentication, Authorization and Accounting
ACL Access Control List
ACS Access Control Server [Cisco]
AD Active Directory
ANSI American National Standards Institute
API Application Programming Interface
ARP Address Resolution Protocol
ATD Advanced Threat Detection
ATP Advanced Threat Prevention
AUP Acceptable Use Policy
AV Antivirus
AWS Amazon Web Services
BYOD Bring Your Own Device
C&C Command and Control
CA Certificate Authority
CAM Content Addressable Memory
CASB Cloud Access Security Broker
CCE Common Configuration Enumeration
CDP Cisco Discovery Protocol
CEF Cisco Express Forwarding
CIS Center for Internet Security, Inc.
CIUP Cumulative Infrastructure Update Pack
CLI Command Line Interface
CMDB Configuration Management Database
CoA Change of Authorization
CPPM ClearPass Policy Manager
CPU Central Processing Unit
CSC Critical Security Controls
CSV Comma Separated Value
CUP Cumulative Update Pack
CVE Common Vulnerabilities and Exposures
DB Database
DDoS Distributed Denial of Service
DHCP Dynamic Host Configuration Protocol
DLP Data Loss Prevention
DNS Domain Name System
EDR Endpoint Detection and Response
EM Enterprise Manager
EMM Enterprise Mobility Management
ePO ePolicy Orchestrator
EPP Endpoint Protection Platform
FERC Federal Energy Regulatory Commission
FIPS Federal Information Processing standards
FQDN Fully Qualified Domain Name
FTP File Transfer Protocol
FW Firewall
GCP Google Cloud Platform
GPO Group Policy Object
GUI Graphical User Interface
HA High Availability
HBSS Host Based Security System
HIP Host Information Policy [Palo Alto Networks]
HIPAA Health Insurance Portability & Accountability Act
HITECH Health Information Technology for Economic and Clinical Health
HITRUST Health Information Trust Alliance
HPS Host Property Scanner
HR Human Resources
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
IaaS Infrastructure as a Service
ICMP Internet Control Message Protocol
ID Identification
IDaaS Identity as a Service
iDRAC Integrated Dell Remote Access Controller
IM Instant Messaging
IMAP Internet Message Access Protocol
IOC Indicator of Compromise
iOS iPhone Operating System [Apple]
IoT Internet of Things
IP Internet Protocol
IPMI Intelligent Platform Management Interface
IPS Intrusion Prevention System
ISE Identity Services Engine [Cisco]
IT Information Technology
ITAM Information Technology Asset Management
ITSM Information Technology Service Management
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LLDP Link Layer Discovery Protocol
MAB MAC Authentication Bypass
MAC Media Access Control
MAPI Messaging Application Programming Interface
MDM Mobile Device Management
MTP Mobile Threat Prevention [FireEye]
MTTD Mean Time to Detection
MTTR Mean Time to Resolution
NA Not Applicable
NAC Network Access Control
NAT Network Address Translation
NBT NetBIOS over TCP/IP
NERC North American Electric Reliability Corp.
NetBIOS Network Basic Input/Output System
NGFW Next-Generation Firewall
NIC Network Interface Card
NIST National Institute of Standards and Technology
Nmap Network Mapper
NOC Network Operations Center
OS Operating System
OT Operational Technology
OU Organizational Unit
OVAL Open Vulnerability and Assessment Language
P2P Peer-to-Peer
PAM Privileged Access Management
PAN OS 7.x Palo Alto Networks Operating System 7.x
PC Personal Computer
PCI Payment Card Industry
PKI Public Key Infrastructure
PoE Power over Ethernet
POP3 Post Office Protocol version 3
pxGrid Platform Exchange Grid [Cisco]
RADIUS Remote Authentication Dial-In User Service
RAP Roving Analysis Port
RDP Remote Desktop Protocol
Reauth Reauthentication
RI Remote Inspection
RM Recovery Manager
RMM Remote Monitoring and Management
RO Read Only
ROI Return on Investment
RPC Remote Procedure Call
RRP Remote Registry Protocol
RTU Remote Terminal Unit
RW Read/Write
SaaS Software as a Service
SANS System Administration, Networking and Security Institute
SCADA Supervisory Control and Data Acquisition
SCAP Security Content Automation Protocol
SCCM System Center Configuration Manager
SDN Software Defined Network
SEL System Event Log
SGT Security Group Tags [Cisco]
SIEM Security Information and Event Management
SMS Short Message Service
SNMP Simple Network Management Protocol
SOC Security Operations Center
SOX Sarbanes-Oxley
SPAN Switch Port Analyzer
SQL Structured Query Language
SSH Secure Shell
SSID Service Set Identifier
SSL Secure Sockets Layer
SSO Single Sign On
STIG Security Technical Implementation Guide
SYSLOG System Log
TACACS Terminal Access Controller Access Control System
TAM Threat Assessment Manager [FireEye]
TAP Threat Analytics Platform [FireEye]
TCO Total Cost of Ownership
TCP Transmission Control Protocol
TIP Threat Intelligence Platform
TLS Transport Layer Security
UBA User Behavior Analytics
UDP User Datagram Protocol
URL Uniform Resource Locator
USB Universal Serial Bus
VA Vulnerability Assessment
vCT Virtual CounterACT
VDI Virtual Desktop Infrastructure
vFW Virtual Firewall
VGA Video Graphics Array
VLAN Virtual Local Area Network
VM Virtual Machine
VoIP Voice over IP
VPN Virtual Private Network
WAF Web Application Firewall
WAN Wide Area Network
WAP Wireless Application Protocol
WMI Windows Management Instrumentation
WSUS Windows Server Update Services
XCCDF Extensible Configuration Checklist Description Format
XML Extensible Markup Language
• College spans 850 acres, 64 buildings
• ForeScout empowers schools to automate tasks, improving staff operational efficiency and effectiveness. For example, Tampa Bay-based Hillsborough Community College recently implemented ForeScout technology to better protect its networks. Doing so reduced the need for the college to reimage infected computers. IT staff now reimages only 1.5 systems per month compared to 20 to 25 each month before the college implemented ForeScout.
• “It takes a support tech five to six hours to reimage the system and restore the user’s documents, files and applications,” says Ken Compres, Hillsborough’s senior network security and integration engineer/chief security officer. “Moreover, the user is unproductive during that time, so you are literally wasting 12 hours per incident. That’s a 240- to 300-hour productivity gain per month.”
• CounterACT lets customers automate visitor enrollment while enforcing policy compliance. This is particularly important in college environments where students use multiple device types on any given day that vary wildly in terms of compliance levels.
• When a user attempts to log on via one of the college’s wireless access points, the access point queries CounterACT for 802.1X authentication. The college also allows
• “One of our systems became infected with CryptoLocker ransomware. As soon as it tried to communicate with the command and control server to begin propagating the ransomware across the network, FireEye saw this and immediately informed CounterACT, which blocked communications by dropping the infected system’s port. CounterACT alerted me—it was amazing to watch the scenario unfold. Upon losing their connection, the user tried to connect to four different ports. CounterACT immediately blocked them all. This malware could have encrypted all of our data files accessible to this user—including network shares and documents—across our network. In the end, we had to only reimage one system.”
• In a more recent example, a Hillsborough user downloaded a malicious payload via email. “It was a zero-day payload that our antivirus software missed. Immediately, we started seeing a higher-than-normal volume of email being sent from that user’s mailbox. The integration we have with ForeScout and FireEye quickly determined the system was attempting malicious attacks against other network resources and allowed us to stop the system before it caused any damage.” And without FireEye integration? As Compres explains, “That same attack hit a neighboring county and brought down a critical departmental email server for two days.”