Forescout

Forescout Platform

Solution brief

Features

The Forescout solution provides agentless device visibility and control by combining a variety of methods, such as integration with switches.

  1. Agentless
  2. Device visibility and control

  Methods:
  1. Polls switches, VPN concentrators, APs and controllers for connected devices
  2. Receives SNMP traps from switches and controllers
  3. Receives NetFlow, sFlow and Flexible NetFlow data
  4. Monitors 802.1X requests to internal or external RADIUS servers
  5. Monitors DHCP requests to detect when a new host requests an IP address
  6. Optionally monitors a network SPAN port for HTTP user agents, TCP fingerprints and over 60 protocols
  7. Queries public/private cloud APIs
  8. Imports external MAC classification data or queries LDAP data
  9. Integrates with VMware® vSphere®, AWS® EC2®, ACI and Azure
  10. Analyzes PoE data
  11. Scans open ports, service banners and OS fingerprints
  12. Runs credentialed scans on endpoints
  13. Uses an agent (optional)
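
As an added illustration of method 5 above (monitoring DHCP requests to learn that a new host has appeared), here is a small Python example; it is not code from Forescout or Macnica. It builds a constructed DHCPDISCOVER message, parses the BOOTP header and the option TLVs, and records the client's MAC address, hostname (option 12), vendor class (option 60) and parameter request list (option 55) as a simple fingerprint, the way an agentless sensor on a SPAN port or DHCP relay could learn about a host before any scan touches it. The `build_discover`, `parse_dhcp` and `HostInventory` names and all sample values are assumptions of this example.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 marker that precedes the option field
OPT_HOSTNAME, OPT_MESSAGE_TYPE, OPT_PARAM_LIST, OPT_VENDOR_CLASS, OPT_END = 12, 53, 55, 60, 255
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE", 8: "INFORM"}


def build_discover(mac, hostname, vendor_class, param_list, xid=0x3903F326):
    """Constructed DHCPDISCOVER payload (test input, not captured traffic)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                                   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                               # transaction id, secs, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr, b"\0" * 64, b"\0" * 128,              # chaddr, sname, file
    )
    options = bytes([OPT_MESSAGE_TYPE, 1, 1])                                  # type 1 = DISCOVER
    options += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
    options += bytes([OPT_PARAM_LIST, len(param_list)]) + bytes(param_list)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(payload):
    """Parse the fixed 236-byte BOOTP header and the TLV options that follow the cookie."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, hlen = payload[0], payload[2]
    xid = struct.unpack("!I", payload[4:8])[0]
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])   # chaddr starts at offset 28
    info = {"op": op, "xid": xid, "mac": mac, "hostname": None,
            "vendor_class": None, "param_list": (), "message_type": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        if code == OPT_MESSAGE_TYPE and length == 1:
            info["message_type"] = MESSAGE_TYPES.get(data[0], str(data[0]))
        elif code == OPT_HOSTNAME:
            info["hostname"] = data.decode(errors="replace")
        elif code == OPT_VENDOR_CLASS:
            info["vendor_class"] = data.decode(errors="replace")
        elif code == OPT_PARAM_LIST:
            info["param_list"] = tuple(data)     # order of requested options is a useful fingerprint
        i += 2 + length
    return info


class HostInventory:
    """Keeps one record per client MAC and reports whether a message revealed a new host."""

    def __init__(self):
        self.hosts = {}

    def observe(self, payload):
        info = parse_dhcp(payload)
        if info["op"] != 1:                # BOOTREPLY comes from the server, not a host
            return False, info
        is_new = info["mac"] not in self.hosts
        self.hosts[info["mac"]] = {"hostname": info["hostname"],
                                   "vendor_class": info["vendor_class"],
                                   "fingerprint": info["param_list"]}
        return is_new, self.hosts[info["mac"]]


if __name__ == "__main__":
    inventory = HostInventory()
    pkt = build_discover("00:11:22:33:44:55", "lab-pc", "MSFT 5.0", [1, 3, 6, 15, 31, 33])
    print(inventory.observe(pkt))          # (True, {...}) on first sight of the MAC
    print(inventory.observe(pkt))          # (False, {...}) on the repeat
```

The parser rejects anything shorter than the header plus cookie and any option whose declared length runs past the end of the payload, so a malformed request cannot derail the inventory; a real sensor would feed it from a SPAN port or DHCP relay rather than from a constructed packet.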

Functions list

  Function (eyeSight / eyeControl / eyeExtend / eyeSegment)

  Detection
  • Passive analysis
  • Active analysis (infrastructure, device)
  • Classification
  • Evaluation
  Notification
  • E-mail notification
  • HTTP redirect
  Correction and control
  • Virtual firewall
  • ACL control
  • Linkage with existing security tools
  Operation
  • Cooperation with existing security countermeasure tools
  • Simulation
  • Segmentation

Use Case

  1. Device compliance

One use case for the Forescout solution is achieving device compliance. After the terminals in the company have been made visible, their detailed status is checked. At that point they can be checked against security policies, such as the presence of antivirus and encryption software, and terminals that do not comply with the policy can be notified, corrected and controlled.

The status of terminals on the office network can be monitored in real time; when a change or abnormality occurs, the administrator is notified immediately, and corrections and restrictions can be applied in cooperation with peripheral devices. How strict the response is can be designed flexibly according to the importance of the terminals and equipment and the impact of the change or abnormality. This makes it possible to respond to abnormal situations in real time.

Function introduction

  • eyeInspect

    Solution brief

    Features
    1. Passive configuration without stopping critical systems
    2. Deep packet decoding of proprietary industrial control system protocols
    3. Mapping of complex industrial networks
    4. Whitelist-based security detection with pre-learning
    5. Delivery of proprietary industrial threat intelligence

    Functions list

    Use Case

    Asset management
    • Identifies devices and terminals in the system and manages their information, including vulnerabilities
    Network visualization
    • Graphically displays communication statistics such as time series, type, rate and volume for a specified period
    • Categorizes devices by type and hierarchy and graphically displays the entire network
    Compliance with standards/guidelines
    • Helps meet international and regional standards/guidelines (e.g. IEC 62443, NERC CIP, NIST Cybersecurity Framework)
    Control system security measures
    • Real-time detection of external threats using blacklists/whitelists, in a passive configuration that does not affect plant operation
    Prevention of control system design/operation errors
    • Visualizing the direction of communication makes unwanted communication and design mistakes visible
    • Visualizing communication content in depth makes individual operations understandable and allows operation errors to be detected in real time
    Countermeasures against insider misconduct in IT systems
    • Support for IT network protocols such as HTTP enables real-time detection of unauthorized access to important data/systems

    Deployment flow

    Installation
    • Easy deployment thanks to the passive configuration
    ↓
    Learning period
    • Learns the content of communications
    • Enables Forescout-defined security detections
    ↓
    Operation start
    • Detects traffic that deviates from the profile built for each user during learning
    • It is also possible to create scripts for each user

    Function introduction

    Network map function

    The network map function graphically browses the network information collected by the monitoring sensors in the Command Center. With it you can check network trends, such as which protocols are common during a given period and which hosts a given communication connects. In addition, sniffed packets provide detailed asset information such as model name, firmware version, vulnerability information and inter-system protocols, which can be used to find inactive hosts and vulnerable PLCs on the network. Devices can also be grouped automatically by role or network hierarchy. This assists in compliance with international and regional standards/guidelines (e.g. IEC 62443, NERC CIP, NIST Cybersecurity Framework).

    Security detection

    Detection logic implemented by Forescout, such as the Built-in Module and the threat library, is combined with whitelist detection based on pre-learning, such as LAN CP and DPBI. SD Script also allows users to write their own scripts in the Lua language. With this function you can independently develop additional rules and implement rules for protocols and control devices that SilentDefense does not support out of the box.

    Built-in Module: detects threats as defined by Forescout
    • Automatic detection of external threats through behavioral detection of unauthorized communication at a low layer (network level)
    • No pre-learning required
    • Detection methods are updated/added by upgrade
    LAN CP: whitelist detection based on communication direction
    • Analyzes communication direction
    • Detects unauthorized/unwanted/unknown communications
    • Detects policy violations by predefining the permitted communication direction
    • Pre-learning required
    • Design required
    • Target communication is updated/added by upgrade
    DPBI: whitelist detection based on communication content
    • Analyzes communication content
    • Detects unauthorized/unwanted/unknown communications
    • Since it can identify even specific values, it can also detect site-specific operation errors
    • Can automatically leave evidence of specific operation details
    • Pre-learning required
    • Design required
    • Target communication is updated/added by upgrade
    Threat library: detects threats as defined by Forescout
    • Automatic detection of common operation errors
    • Automatic detection of design errors in general-purpose network equipment
    • Automatic detection of external threats in industrial systems
    • No pre-learning required
    • Threat information is updated/added by upgrade
    SD Script: detection through additional development by the user
    • Enables visualization and detection of industrial networks including proprietary devices
    • Additional development required
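
As an added example (not SilentDefense or Forescout code), the following Python sketch shows how the two pre-learning approaches in the table differ in practice: a direction-based whitelist in the style of LAN CP records which source/destination/protocol triples were seen during learning, while a content-based whitelist in the style of DPBI also records the operations carried and the range of values they wrote. The flow records, addresses, protocol and operation labels, and the class and function names are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One decoded request, as a deep-packet decoder might hand it to a detector (constructed)."""
    src: str
    dst: str
    proto: str                  # constructed protocol label, e.g. "modbus"
    operation: str              # protocol-level operation, e.g. "write_register"
    value: Optional[int] = None  # operand carried by the operation, if any


class WhitelistDetector:
    def __init__(self):
        self.directions = set()   # learned (src, dst, proto): the direction-based whitelist
        self.operations = set()   # learned (src, dst, proto, operation): content-based whitelist
        self.ranges = {}          # (src, dst, proto, operation) -> (min, max) of learned values

    def learn(self, flow):
        """Learning period: everything observed becomes part of the baseline."""
        self.directions.add((flow.src, flow.dst, flow.proto))
        key = (flow.src, flow.dst, flow.proto, flow.operation)
        self.operations.add(key)
        if flow.value is not None:
            lo, hi = self.ranges.get(key, (flow.value, flow.value))
            self.ranges[key] = (min(lo, flow.value), max(hi, flow.value))

    def check(self, flow):
        """Operation phase: return (alert_type, detail) or None when the flow fits the baseline."""
        direction = (flow.src, flow.dst, flow.proto)
        key = direction + (flow.operation,)
        if direction not in self.directions:
            return ("unknown_communication",
                    f"{flow.src} -> {flow.dst} {flow.proto} never seen during learning")
        if key not in self.operations:
            return ("unknown_operation",
                    f"{flow.operation} not in baseline for {flow.src} -> {flow.dst}")
        if flow.value is not None and key in self.ranges:
            lo, hi = self.ranges[key]
            if not lo <= flow.value <= hi:
                return ("value_out_of_range",
                        f"{flow.operation} value {flow.value} outside learned range {lo}..{hi}")
        return None


HMI, EWS, PLC = "10.0.1.10", "10.0.1.50", "10.0.2.20"   # constructed addresses

BASELINE = [  # constructed learning-period traffic
    Flow(HMI, PLC, "modbus", "read_holding_registers"),
    Flow(HMI, PLC, "modbus", "write_register", 100),
    Flow(HMI, PLC, "modbus", "write_register", 120),
    Flow(HMI, PLC, "modbus", "write_register", 150),
    Flow(EWS, PLC, "s7comm", "read_var"),
]

TEST_FLOWS = [  # constructed operation-phase traffic
    Flow(HMI, PLC, "modbus", "write_register", 130),             # within the learned baseline
    Flow("10.0.9.99", PLC, "modbus", "read_holding_registers"),  # source never seen before
    Flow(HMI, PLC, "modbus", "write_register", 5000),            # known flow, abnormal value
    Flow(HMI, PLC, "modbus", "write_coil"),                      # known direction, new operation
]


def build_detector(baseline=BASELINE):
    detector = WhitelistDetector()
    for flow in baseline:
        detector.learn(flow)
    return detector


def evaluate(flows, detector=None):
    """Return [(flow, alert-or-None), ...] for each operation-phase flow."""
    detector = detector or build_detector()
    return [(flow, detector.check(flow)) for flow in flows]


if __name__ == "__main__":
    for flow, alert in evaluate(TEST_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.operation}: {alert or 'ok'}")
```

The second and fourth test flows show why the table lists both approaches: a direction-only whitelist catches the unknown source but says nothing about a new operation or an out-of-range value on a flow it has already approved, which is exactly the operation-error case that content-based detection is meant for. Both approaches depend on the learning period being clean, which is why the table marks design work as required.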

    3rd party cooperation

    Information obtained by SilentDefense can be output as logs. Alert logs can be sent via syslog to analysis tools such as ArcSight, Splunk, McAfee SIEM and QRadar, and communication channel and status logs can be sent to syslog servers. In addition, information can be imported from existing in-house authentication servers such as AD and LDAP for analysis based on user names.

    Product offer

    Product offering overview

    Command Center
    Role
    • Graphical display
    • Rule setting
    • Distribution of configured rules to the monitoring sensors
    • Storage of data (network analysis results, alerts)
    Form of provision
    • Software
    • Yearly subscription license (weekday 9:00-17:00 Japanese-language email software support included)

    Monitoring sensor
    Role
    • Network monitoring
    • Network analysis
    • Detection based on rules distributed from the Command Center
    Form of provision
    • Software
    • Yearly subscription license (weekday 9:00-17:00 Japanese-language email software support included)

    Product provision scheme

    The product provision scheme for SilentDefense is as shown below. Macnica provides verification support before installation, product design and training during installation, and software support and related information by email from 9 a.m. to 5 p.m. on weekdays.

  • eyeSight

    Forescout's eyeSight solution makes detailed information about terminals and equipment visible. The specific categories and items that can be visualized are as follows.

    *This table is intended to convey the information that can be obtained by each method. The information that can be obtained may differ depending on the environment.

  • eyeControl

    When a terminal matching preset conditions is found, a TCP RST packet can be sent automatically to restrict communication involving that terminal. Communication can be restricted in this way even if the linked switch or router has no ACL function.

    By configuring the CLI/SNMP access information of the linked switch or access point in eyeSight, the switch's ACL can be rewritten automatically based on preset conditions to restrict communication.

  • eyeExtend

    The eyeExtend modules below are listed by category, with manufacturer, product name and usage example.

    Targeted attack countermeasures
    • Check Point: Forescout eyeExtend for Check Point Threat Prevention. Forescout discovers terminals infected with threats detected by Check Point and isolates them, including unmanaged terminals, until countermeasures are taken.
    • FireEye: Forescout eyeExtend for FireEye NX. Forescout receives zero-day threats and outbound callbacks detected by FireEye and quarantines the affected devices. Other devices found to carry the same threat are also quarantined until countermeasures are taken.
    • Palo Alto Networks: Forescout eyeExtend for Palo Alto Networks WildFire. Forescout discovers terminals infected with threats detected by WildFire and isolates them, including unmanaged terminals, until countermeasures are taken.
    Privilege management
    • CyberArk: Forescout eyeExtend for CyberArk. Privileged accounts that are unmanaged, unused, stale or orphaned, and therefore high risk, are disabled or brought under management.
    Terminal management
    • HCL (IBM): Forescout eyeExtend for IBM BigFix. Checks whether the BigFix agent is running and, if the device violates policy, corrects or quarantines it. If the security state of a BigFix-managed device conflicts with policy, it cooperates with Forescout to isolate the device.
    SIEM
    • IBM: Forescout eyeExtend for IBM QRadar. Security devices such as firewalls send alerts to the SIEM; device information visualized by Forescout is added to determine the degree of risk, and actions such as isolation are carried out according to policy.
    • Micro Focus: Forescout eyeExtend for Micro Focus ArcSight ESM
    • Splunk: Forescout eyeExtend for Splunk
    Device management
    • AirWatch: Forescout eyeExtend for AirWatch. Forescout checks whether the device is registered on the MDM server, corrects unregistered devices and prompts self-registration. For mobile devices, data is automatically wiped when a terminal that violates policy is detected.
    • IBM: Forescout eyeExtend for IBM MaaS360
    • MobileIron: Forescout eyeExtend for MobileIron
    • Microsoft: Forescout eyeExtend for Microsoft Intune
    Vulnerability assessment
    • Qualys: Forescout eyeExtend for Qualys Vulnerability Management. Vulnerability scan results are shared with Forescout and isolation etc. is carried out according to the results. If a device in the information visualized by Forescout has not been patched, sharing the data allows the vulnerability to be addressed quickly.
    • Rapid7: Forescout eyeExtend for Rapid7 Nexpose
    • Tenable: Forescout eyeExtend for Tenable
    Endpoint security / EDR
    • Carbon Black: Forescout eyeExtend for Carbon Black. Forescout checks whether the agent is present and whether it has stopped functioning, and isolates the device if this conflicts with policy. Based on IoC data, all devices, including unmanaged ones, are scanned and dealt with.
    • CrowdStrike: Forescout eyeExtend for CrowdStrike. Forescout checks whether the agent is present and whether it has stopped functioning, and isolates the device if this conflicts with policy. Based on IoC data, all devices, including unmanaged ones, are scanned and dealt with.
    • FireEye: Forescout eyeExtend for FireEye EX (email security). Forescout discovers terminals infected with threats attached to emails detected by FireEye and isolates them, including unmanaged terminals, until countermeasures are taken. If the agent is not installed, installation can be prompted.
    • FireEye: Forescout eyeExtend for FireEye HX. Forescout discovers terminals infected with threats detected by FireEye and isolates them, including unmanaged terminals, until countermeasures are taken. If the agent is not installed, installation can be prompted.
    • McAfee: Forescout eyeExtend for McAfee ePO. Forescout checks whether the agent is present and whether McAfee has stopped functioning, and isolates the device if this conflicts with policy.
    • Symantec: Forescout eyeExtend for Symantec Endpoint Protection. Forescout checks whether the agent is present and whether SEP has stopped functioning, and quarantines the device if it violates policy. Based on IoC data, all devices, including unmanaged ones, are scanned and dealt with.
    Configuration management
    • ServiceNow: Forescout eyeExtend for ServiceNow. Forescout detects devices and provides the acquired device information to ServiceNow, keeping CMDB information current in real time.
    Next generation firewall
    • Check Point: Forescout eyeExtend for Check Point NGFW. Forescout shares information such as tags and device status with the firewall, which applies appropriate security policies based on device attributes and context to automate isolation.
    • Palo Alto Networks: Forescout eyeExtend for Palo Alto Networks NGFW
    • Fortinet: Forescout eyeExtend for Fortinet FortiGate NGFW
  • eyeSegment

    Forescout's eyeSegment solution makes traffic flows visible and allows policies to be designed and simulated. eyeSegment maps traffic flows onto logical classifications of users, applications, services and devices, so that logical segmentation policies can be built, simulated and optimized, and their impact understood, before implementation.

    A single set of policies can be implemented to monitor unexpected communications and enforce access control, even across multi-vendor environments and multiple network domains.

      • Traffic flow visualization: maps traffic flows to logical categories of users, applications, services and devices
      • Policy design and simulation: builds, simulates and optimizes logical segmentation policies to understand their impact before implementation
      • Monitor and respond: implements a single set of policies across multi-vendor environments and multiple network domains, monitors unexpected communications and enforces access control
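
As an added example that is not eyeSegment's own code or data, the following Python sketch walks through the three steps above on constructed input: it classifies flow endpoints into logical groups by longest-prefix match, evaluates a first-match segmentation policy with a default deny, and produces an impact report of the flows that enforcement would block. The group names, address ranges, rules, flow records and function names are assumptions of this example.

```python
import ipaddress
from collections import Counter

GROUPS = {  # logical classification by address range (constructed)
    "corporate_pc": ["10.1.0.0/16"],
    "hmi": ["10.2.1.0/24"],
    "plc": ["10.2.2.0/24"],
    "siem": ["10.3.0.5/32"],
}
# Most specific prefix first, so a /32 wins over an enclosing /16.
NETWORKS = sorted(((ipaddress.ip_network(net), group) for group, nets in GROUPS.items() for net in nets),
                  key=lambda item: item[0].prefixlen, reverse=True)


def classify(ip):
    """Longest-prefix match of an address to a logical group; unmatched addresses are 'external'."""
    addr = ipaddress.ip_address(ip)
    for net, group in NETWORKS:
        if addr in net:
            return group
    return "external"


# (src_group, dst_group, service, action); evaluated first-match, anything unmatched is denied.
RULES = [
    ("hmi", "plc", "modbus", "allow"),
    ("*", "siem", "syslog", "allow"),
    ("corporate_pc", "external", "https", "allow"),
    ("corporate_pc", "plc", "*", "deny"),
]

# (src_ip, dst_ip, service, flow count) as a flow collector might summarize them (constructed)
FLOWS = [
    ("10.2.1.10", "10.2.2.20", "modbus", 1200),
    ("10.1.5.23", "10.2.2.20", "modbus", 3),
    ("10.1.5.23", "203.0.113.10", "https", 540),
    ("10.2.1.10", "10.3.0.5", "syslog", 88),
    ("10.2.1.10", "203.0.113.10", "https", 2),
    ("10.1.7.4", "10.2.1.10", "rdp", 15),
]


def match(rule, src_group, dst_group, service):
    return all(r == "*" or r == v for r, v in zip(rule[:3], (src_group, dst_group, service)))


def simulate(flows, rules=RULES):
    """Return per-flow verdicts and how many flows each rule (or the default deny) would hit."""
    verdicts, hits = [], Counter()
    for src, dst, service, count in flows:
        src_group, dst_group = classify(src), classify(dst)
        action, rule_idx = "deny", None
        for i, rule in enumerate(rules):
            if match(rule, src_group, dst_group, service):
                action, rule_idx = rule[3], i
                break
        hits["default_deny" if rule_idx is None else rule_idx] += count
        verdicts.append({"src": src, "dst": dst, "src_group": src_group, "dst_group": dst_group,
                         "service": service, "count": count, "action": action, "rule": rule_idx})
    return verdicts, hits


def impact_report(verdicts):
    """Flows that enforcement would break, grouped by (src_group, dst_group, service)."""
    blocked = [v for v in verdicts if v["action"] == "deny"]
    by_pair = Counter((v["src_group"], v["dst_group"], v["service"]) for v in blocked)
    return blocked, by_pair


if __name__ == "__main__":
    verdicts, hits = simulate(FLOWS)
    blocked, by_pair = impact_report(verdicts)
    for key, n in by_pair.items():
        print(f"would block {n} observed flow(s): {key}")
    print("rule hits:", dict(hits))
```

Running the simulation before enforcement separates two kinds of blocked flows: those hit by an explicit deny rule (the corporate PC reaching a PLC over Modbus) and those falling through to the default deny (an HMI talking to the Internet, a PC using RDP to an HMI). The second kind is where an unreviewed policy most often breaks legitimate operations, so each such group either gets an explicit allow rule or is confirmed as unwanted communication before the policy goes live.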