“In 2013, we estimated that the NAC market was 350 million dollars, which was an increase of about 55-percent over 2012,” says Lawrence Orans, Research Vice President, Gartner, Inc. According to Orans, Gartner expects that growth to slow in 2014, with an estimated increase of 45-percent over 2013 numbers. Burgeoning enterprise BYOD concerns have been the major drivers in that growth, says Orans. NAC vendor ForeScout is integrating its capabilities with those of Invincea in order to further abate those concerns.
[Containerization and mobile threats]
A new BYOD protection approach combines ForeScout’s CounterACT NAC technology with Invincea’s FreeSpace containerization technology in order to better protect corporate data. In this partnership, ForeScout offers what it describes as a control fabric for security and an architecture- and process- based approach to protecting BYOD, based on industry standards rather than isolated proprietary technologies. The control fabric works in tandem with network junctions such as firewalls and switches, where it collects data and controls / initiates the network’s response to attacks and infections.
Invincea’s security analytics increase the value and effectiveness of the partnership. “Our security analytics have a lot of value,” explains Dr. Ghosh. Invincea’s analytics inform about enterprise adversaries through out-of-band analysis of attacks and IP addresses that are the sources of the attacks. This is a big deal in financial services companies because their threat analysts use this data to do discovery about the threats.
Here, CSO examines what the ForeScout / Invincea integration accomplishes that neither technology can do alone.
NAC and containerization
Invincea’s FreeSpace containerization technology runs apps, browsers, and office software in a virtual container, protecting the device and the enterprise against infection. Invincea is behavior-based rather than a signature based tool; it is not limited by using known malware signatures to identify infection. It detects malware and attacks based on suspicious behavior. “We detect when new malware runs in the container, terminate it, and report it to our IMS service,” says Dr. Ghosh. The Invincea Management Service (IMS) responds to threat reports and manages configurations for different users and devices.
ForeScout’s foundational contribution is a module / plug-in for Invincea to ensure that Invincea’s containerization technology is running. “In some cases, users would stop Invincea or would not install or run it on their devices,” says Gil Friedrich, Vice President of Technology, ForeScout. ForeScout’s CounterACT checks devices to ensure the user has installed and is running Invincea. It automatically starts Invincea if it is not running.
[Is mobile anti-virus even necessary?]
The Invincea / ForeScout integration enforces the installation of the Invincea user agent so that the web gateway can block and / or redirect users who are not using Invincea, says Dr. Ghosh. And if the FreeSpace technology alerts CounterACT that there is something wrong with the device, CounterACT quarantines the device for remediation. “This represents what enterprises and IT shops wanted all along: best of breed products working together. This is a step in that direction,” says Dr. Ghosh.
The integration enables the two vendors to discover traces of infections that malware has left behind. If a running process has a certain value, it means that an infection occurred. “When we collect that forensics data, we can use ForeScout to search other machines for similar clues to infection, both BYOD and managed devices, including smartphones, tablets, laptops, desktops, and workstations,” says Dr. Ghosh. CounterACT can then use its integration with enterprise firewalls to block server addresses that Invincea uncovers as the source of the attacks.
What’s so next generation about CounterACT?
Previous iterations of NAC allowed enterprises to determine when someone was trying to access the network and to authenticate them and do basic compliance testing. NAC vendors like ForeScout are becoming warehouses of context, meaning that they have visibility into what devices are on the network, each device’s configuration, and its operating system, the patch level of the endpoint, and whether the anti-virus is up to date, says Orans. “They have access to this contextual information in addition to the IP address,” says Orans.
CounterACT’s Control Fabric is what makes it a warehouse of context, by collecting that data from network infrastructure and applications such as Active Directory. CounterACT counts on this context as it provides the functionality to continuously ensure that the device remains healthy and authenticated, because it could be healthy at first and then it could download something bad. “We can intervene. Our solution also manages all the network infrastructure to alert the enterprise when a device receives access, enabling the company to control and manage the endpoints and their access,” says Friedrich.
[How security is using IAM to manage BYOD]
Using a policy engine, ForeScout automates anything IT / security would like to achieve, including fine grained determinations about required or permissible endpoint network behavior. By identifying the user, CounterACT further enables the enterprise to enforce policies around BYOD use. If employees are using it inappropriately, for example, the enterprise can educate or reprimand the employee, or limit their capabilities on the network.
Security integrations broader than ForeScout and Invincea
ForeScout has enabled partner integrations with CounterACT prior to Invincea. LogRhythm, FireEye, McAfee, and certain MDM vendors are all partners. Through its Control Fabric Partnership Program, ForeScout makes APIs public and opens the ForeScout system so the enterprise customer, reseller, or VAR can integrate into ForeScout’s solutions. Standardization on open technologies makes partnership with ForeScout attractive.
“When we opened up or API, we standardized on technologies such as REST and SNMP SysLog to ensure that our APIs are using a layer everyone can access (it is not proprietary),” says Friedrich. This way even small businesses can integrate with ForeScout.
[How MDM works -- or doesn't work -- for SMBs]
“Several other NAC vendors are using a similar concept,” says Orans. Cisco has something called PX Grid, which it uses to share information between their NAC system and their partners. Aruba also has several security partners that they integrate and share information with. “ForeScout has done a good job with this but it’s not unique. It’s the trend in the NAC market,” Orans says.