#vmworld
EIOT3170BU
Bring IT Security Standards to IoT and Edge with VMware and Forescout
Wayne Dixon, Forescout Technologies; Ravishankar Chamarajnagar, VMware, Inc.
#EIOT3170BU
VMworld 2019 Content: Not for publication or distribution
©2019 VMware, Inc.
Disclaimer
This presentation may contain product features or functionality that are currently under development.
This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined.
The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.
Agenda
Opportunities and Threats
VMware Pulse IoT Center
Forescout
VMware Pulse and Forescout
Better together
How it works + demo
The Vision
Next Steps
IoT is Everywhere – a Key Component in Digital xFormation
Edge Opportunity Across The Enterprise
• Security and Compliance: Analyze data at origination, improve root of trust
• Facilities, Energy and Physical Security: Unify visibility and streamline management
• New Revenue Models: Monetize data and drive revenue in new ways
• Logistics, Supply Chain, Product Operations: Agilize and automate supply chains, business processes
• Customer Engagement: Delight and support customers in new ways
IoT Has Increased the Surface Area of Attacks
• Heartbleed gives hackers access to website servers. 66% of websites affected (2012)
• KRACK exposes security weakness in all modern protected Wi-Fi networks
• WannaCry ransomware infects more than 230,000 computers in over 150 countries
• Mirai Botnet brought down much of America’s network in the fall of 2016 with a DDoS attack on Dyn servers
Technical Challenges:
You Can’t Secure What You Can’t See™! To optimize security, you need to continuously discover, classify & assess every connected device that touches your extended enterprise network in real time!
Business Challenges:
• Enterprises, on average, have ~30% more devices connected than expected across IT, OT, IoT, Guest, BYOD, Cloud, etc.
• Even when enterprises know about devices connecting, they often don’t know what they are & whether they should be there
• IT & regulatory device audits are challenging & often fail
• Agents are not supported and/or not deployed on all devices
• Little to no device attribute information to classify & assess connected devices
• No single source of truth that is current for all connected devices
Secure Insight – Edge Management at scale
VMware and Forescout
• Dynamically Scalable Operations: Streamline IoT deployments, automate device onboarding and execute IoT lifecycle and security management at scale
• Consistent Secure Infrastructure: Achieve deep visibility and enforce security configuration and compliance of connected IoT devices
• Rich Contextual Insight: Operationalize IoT efficiently with accurate and continuous visibility into device health, network behavior, anomaly detection and remediation
Introducing VMware Pulse IoT Center
VMware – #1 in Infrastructure Management
vCenter for Data Center; Pulse for IoT & Edge; Workspace ONE for EUC
Extending VMware’s expertise to managing and securing non-IT devices
VMware Pulse IoT Center v2.0 Business Value
• Operationalize IoT: Operationalize IoT efficiently with accurate and real-time visibility into device health and act on anomalies as they arise
• Accelerate IoT Business Value: Streamline IoT deployments by implementing a standard to simplify device onboarding and management that scales to millions of devices
• Manage any app, on any device, anywhere: Implement a consistent scalable framework for managing any app, on any device, anywhere across your edge
• Extend IT security and compliance to IoT: Achieve deep visibility and control of connected devices and extend IT security and compliance standards to IoT
Enabled by VMware Pulse IoT Center
Device Lifecycle Management: PLAN, ON-BOARD, MANAGE, MONITOR, SECURE, END OF LIFE
VMware Pulse IoT Center: Introducing 2.0
(Diagram: OT and IT users; Pulse Agents on devices across the Onboard, Manage, Monitor, Secure cycle)
• Choice of SaaS or On-Prem versions
• Low-touch secure device enrollment
• Enhanced over-the-air (OTA) updates
• Richer alerts and notifications
• Container management
• Simpler agent (C-SDK)
• Enhanced APIs – agent and server
• RBAC, device IDs, certificates
• Scalable architecture
VMware Pulse IoT Center Security and Compliance
(Lifecycle stages: On-board, Configure, Monitor, Manage)
• TPM based authentication
• Credential based authentication
• Certificate based authentication
• Device white listing with mobile app
• Secure device token
• Secure and encrypted OTA SW/FW updates and patching
• Audit log
• Encryption for all communication and services
• Backup and recovery
• RBAC and custom roles
• Login with AD / SSO
• Command execution with least privilege
• Enable/disable SSH to gateways
• Secure container distribution, configuration and management
• Enforce Gateway root credential change
Compliance Certifications: ISO 27001, SOC 2 Type 1, GDPR
Pen test: VMware InfoSec approval; third-party pen test
Introducing Forescout
The Forescout Vision and Value Proposition
UNIQUE DIFFERENTIATION: AGENTLESS, HETEROGENEOUS, RICH DEVICE CONTEXT, CONTINUOUS, SCALABLE, POLICY-DRIVEN ACTIONS
Campus IT, Data Center, Campus IoT, Cloud, OT
ANY DEVICE, ANY NETWORK, MASSIVE SCALE, HYPER-CONNECTED
Forescout – VMware Integrations for Your Extended Enterprise
Real-time Device Visibility, Policy-driven Controls & Remediation
• Datacenter/Cloud: vSphere & NSX
• Traditional IT & Mobile Endpoints: Workspace ONE, AirWatch
• IoT & OT Edge Devices: Pulse IoT Center
Enterprise Lifecycle, Performance & Security Management
Increase operations efficiency & close security gaps by leveraging real-time device visibility & control
Increase Security with Real-time Device Visibility and Context
What Forescout Does / How Forescout Does It
• DISCOVER all IP-addressable devices at time of connect (physical and virtual)
  - Agentless: No device agents needed; intelligently uses passive & active techniques
  - Heterogeneous: Integrate >70 network & security technologies; extend beyond campus to DC, cloud & OT
• CLASSIFY every device & categorize appropriately (examples: HuddleCamHD, Red Hat Linux on VMware vSphere, HP Elite Tablet on Windows 10; categories: Managed, BYOD, IoT)
  - Intelligent: Device Cloud, >1500 customers contributing / 7M devices; comprehensive device taxonomy across IT & OT
• ASSESS device posture by
  - Continuous: Real-time, so no need to schedule scans; policy engine constantly evaluates device state to policy
See What’s on Your Network at a Glance
Automate Policy Enforcement and Threat Response with Policy-driven Network and System Controls
Actions escalate from NOTIFY to COMPLY to RESTRICT (diagram examples: security camera, Windows PC):
• Open trouble ticket
• Send email or on-screen notification
• SNMP traps
• Start application
• Run script to install application
• Auditable end-user acknowledgement
• HTTP browser hijack / webpage redirect
• Trigger endpoint management system
• Deploy a virtual firewall
• Reassign the device to a VLAN
• Update access lists
• DNS hijack (captive portal)
• Move device to a guest network
• Start mandatory application/process
• Ensure security agent is operational
• Change wireless user role
• Move device to quarantine VLAN
• Block access with 802.1X or device authentication
• Use ACLs to restrict access
• Block access with device authentication
• Turn off switch port (802.1X, SNMP)
• Block wireless or VPN access
• Terminate applications
• Disable NIC/dual-homed or peripheral device
Comprehensive Device Visibility –Cornerstone of Security & Manageability
VMware and Forescout: Secure end-to-end visibility and control
(Diagram: Forescout – Discover, Classify & Assess; VMware Pulse IoT Center – Auto Onboard, Provide Config Properties, Monitor Health Metrics, Manage & Secure)
1. Forescout discovers, classifies and assesses devices
2. Forescout auto on-boards devices into Pulse IoT Center
3. Pulse initiates device monitoring and management
4. Pulse and Forescout sync data for optimized management and security
VMware Pulse IoT Center + Forescout Value
Pulse IoT Center: Enterprise Lifecycle, Performance & Security Management
Forescout: Real-time Device Discovery, Assessment & Control
• Discover and onboard connected IoT devices regardless of type or network tier
• Monitor device health, configuration and network behavior
• Dynamically manage, patch and segment IoT devices at scale
• Automatically enforce device security configurations and ensure regulatory compliance
(Diagram label: Pulse IoT Gateway)
VMware Pulse IoT Center & Forescout: How It Works
1. Forescout agentlessly discovers, assesses and classifies IoT devices
2. Forescout shares information & validates enrollment with Pulse IoT Center
3. IoT and edge devices not enrolled are automatically registered into Pulse IoT Center via Forescout
4. Data flows from devices to Forescout and Pulse IoT Center and to other locations such as cloud & datacenters
5. Pulse is monitoring, managing & securing IoT devices at the edge with Forescout
6. A critical security patch is missing; Forescout isolates the device to mitigate risk
7. Pulse deploys the patch to edge device(s) via Forescout; Forescout allows the device back on the network once the patch is installed
8. New configuration or firmware update “campaign” pushed to all applicable devices
(Diagram labels: Pulse IoT Center, Pulse Gateway, Device Health Data, Campaigns and Rules, Actions & Commands, Security Patch)
Continuous IoT… Discovery, Assessment, Classification. Plus… Policy / Compliance enforcement, Threat monitoring, Mitigation & Remediation
Registering Gateways
Identifying Things
Pulse & Forescout Information Sharing
Takeaways
• VMware and Forescout solutions deliver one secure infrastructure to create a digital foundation for supporting any IoT use case
• VMware and Forescout establish end-to-end visibility across your entire edge and IoT landscape, automate device on-boarding and secure edge infrastructure at scale
• VMware and Forescout would like to discuss your Edge and IoT strategy and help you develop a standard, secure way to implement IoT
Learn More
Ask us about a POC for your organization
Visit:
Forescout.com/vmware
vmware.com/products/pulse-iot-device-management
Contact us: