EXPERIENCE THE DIFFERENCE

of The ForeScout Visibility Platform

Your guide to achieving real-time visibility and

network security for all your devices everywhere.
 It Starts with
100% Device Visibility
ForeScout Technologies is the cornerstone
of your cybersecurity program, giving
you assurance that your technology,
data and company are as secure as possible.

NEXT
 WELCOME
Explore ForeScout Solutions and learn how ForeScout keeps you HOW TO USE THIS GUIDE
secure across all your network environments: campus, IoT, data
This interactive guide includes
center, cloud and operational technology (OT). clickable links. Use them to
jump between sections or
ForeScout Solutions include Device Visibility, Asset Management, access supporting resources.
Device Compliance, Network Access Control, Network
Segmentation and Incident Response. The navigation bar at the top
allows you to move between
Start here to experience the ForeScout difference. sections.

Nearly 20% of organizations 54% percent say $3.62 million is the global
observed at least one Internet that IoT security average cost of a data breach,
of Things (IoT) - based attack gives them anxiety up 17% since 2013.
in the past three years. . -2017 Ponemon Cost
of Data Breach Study
-Gartner 2018 -Forrester 2017

NEXT
ForeScout Solutions
Need to know 100% Need 100% inventory Need to fill the gap
of what is on your of all your connected left by periodic scans
network in real-time devices to true-up your to provide real-time
and all the time? CMDB? device compliance?

DEVICE ASSET DEVICE

VISIBILITY MANAGEMENT COMPLIANCE

NETWORK NETWORK INCIDENT

ACCESS CONTROL SEGMENTATION RESPONSE

Want a NAC solution Need segmentation that Need to automate

that doesn’t require a adapts continuously threat hunting across
forktlift upgrade to your based on real-time all your devices?
network? intelligence?

Click on a icon or box to learn more

Device Visibility
You can’t secure what you
can’t see.™ The ForeScout
platform continuously discovers
all IP-connected devices the
instant they enter your network.
It provides in-depth visibility into
those devices using active and
passive discovery, profiling and
classification techniques.
WITH
100% Device
Visibility
WITHOUT Single unknown device
is all a breach needs
ForeScout
The ForeScout difference: “ForeScout CounterACT’s
• Automatically discover and classify agentless approach was key,
devices - no agents required as was its ability to give us
• Assess device security posture on full visibility into all devices,
employee-owned, contractor-owned including medical devices
and IoT/OT devices - without risking connected to or attempting
business disruption to connect to our network.”
• Continuously monitor devices and
- Michael Pinch, CISO,
compliance as devices come and go
from network University of Rochester
Medical Center”
Discovery and classification
of traditional, non-traditional
Agentless visibility - Find up to 75% more devices
(including IoT) and
no software agents required
workgroups with a
single platform
Inconsistent and incomplete
view across campus, DC,
Can’t see devices that don’t Audits find up to 75%
have a software agent unknown devices
cloud and OT
How It Works ForeScout Difference Let Us Show You
How it works - Device Visibility

A Poll switches, VPN, wireless

AP and controller
Campus LAN B SNMP trap from switches
and wireless controller
C Netflow data
Corporate D Monitor 802.1x requests
HQ
E Monitor DHCP requests Core
Distribution Switch
Switch

Distribution Core
Switch Switch
Public Cloud
Services

F Monitor SPAN/TAP network

traffic (optional) Core
Distribution Switch

G Query public/private cloud API

Switch

Data Center H Import external Mac/LDAP

database
I Use agent (optional)

Solution Brief Interactive Demo Learn More

The ForeScout Difference: Device Visibility
Discover up to 60% more devices than previously known 1

Agentless
• No agents required
Video: Extended Visibility

Video: Device Classification

Passive Scanning
• Extends visibility to critical
infrastructure IoT Solution Brief

Software-Defined
Data Center Solution Brief

ForeScout Device Cloud

• Provides real-world Enterprise Risk Report
device classifications
Device Operational Technology
Visibility Solution Brief
Continuous Monitoring
• Agentless
• Quick to deploy

Granular Device
• Classification
1
ForeScout end-user customer feedback
 Asset Management
To effectively manage and secure
business assets, you need in-depth
details about every device in your
network. Manual asset discovery can
result in an incomplete and inaccurate
configuration managment database
(CMDB), undermining IT and security
management initiatives.
The ForeScout difference:
• Illuminate blind spots that
periodic scanning tools miss
• Efficiently manage the security
posture and lifecycle of devices
• Share contextual data with
ITAM tools
“Prior to ForeScout we used a
number of disparate tools for
asset discovery and audit, and a
significant amount of manual work
was required to collate all of the
data, which introduces risk. The
ForeScout solution eliminated this
problem and the fact it is so much
more than an audit and discovery
tool added real value to us.”
- Michael Cock, Sutton & East
Surrey Water PLC

WITH Continuous asset

Plug-and-play automation
Flexible architecture
Agentless visibility Passive visibility (Extended Modules
monitoring = (supports multivendor
and classification for inventory of orchestrate real-time
up-to-date inventory networks across campus,
(comprehensive, critical infrastructure data sharing, alerts and
(detects changes data center, cloud and
accurate inventory) devices responses with ITAM
and transient devices) hybrid deployments)
and security tools

Complex deployments
Active scanning Limited support
Limited IoT, OT and Periodic scanning and vendor dependencies
discovery solutions (build-your-own API
WITHOUT unmanaged device misses transient = high TCO (due to
= critical integrations = complex
visibility = inaccurate devices = incomplete agent-based solutions with
ForeScout inventory inventory
infrastructure configurations, manual
ongoing maintenance
disruption CMDB true-ups)
and operational issues)

How It Works ForeScout Difference Let Us Show You

How it works - Asset Management
Different devices connect
to the network and ForeScout
1 discovers and classifies them in
real-time. ForeScout also
Asset Tag: x8001BF continually monitors connected
2
Manufacturer: VMware devices and can update CMDB
Fault Count: 2019
Switch IP: 192.168.1.2 with any missing devices and
Switch Post: GO1/1/2 update asset state.
VLAN: 1

The ForeScout Extended

2 Module for ServiceNow®
shares device properties,
Internet configuration information and
network context with ServiceNow®
4
Asset Tag: x8001BF to true-up asset repository.
Manufacturer: VMware
Fault Count: 2019
Switch IP: 192.168.1.2 ServiceNow® can create/update
Switch Post: GO1/1/2
VLAN: 1 3 an asset tag based on rich
Wireless LAN Switch properties received from
Controller ForeScout
ForeScout and incorporate the
information in CMDB.

ForeScout can import device

4 properties from ServiceNow®
1 and use in custom policies to
and facilitate a range of response
BYOD Devices IoT Devices actions on asset state changes.
Windows Devices

Solution Brief Interactve Demo Learn More

The ForeScout Difference: Asset Management
Deliver data and information needed to govern IT assets

Rich Classification
• Who, What, Where, version, etc.
• Real-world classification

Automated Process
• Single view
• Send data to CMBD (orchestration)

ServiceNow Datasheet

Real-Time ITAM and CMBD Solution Brief

• Instant inventory assessment
• Continuous
Asset
Management
Ease of Development
• Agentless
• Quick to deploy

Vendor Neutral
• No network upgrades
• Campus, data center/cloud
and OT (passive)
* IP-based connected devices
 Device Compliance
Partial compliance is noncompliance.
Vulnerable platforms, unpatched
devices and default passwords
expose your network to substantial
risk, creating compliance gaps that
continue to widen as more devices
are added or become virtual and
extend into the cloud.
The ForeScout difference: “In the past we had to run internal
assessments to create reports
• Gain real-time compliance
required for PCI-DSS compliance.
instead of periodic scans With ForeScout, one interface will
• Increase auditing and deliver us the status of all Windows
compliance team efficiencies updates/patches and our anti-virus,
by 26% on average* which saves us a significant amount
of time doing audit and compliance
reporting.”
• Manage all devices: managed,
unmanaged, IoT and OT - Shibu Pillai,
* IDC, November, 2016 Network Specialist (Security)
City of Guelph

WITH Agentless device Granular compliance Continuous Automated Dynamic Agentless =

hygiene/compliance assessment compliance agentless segmentation easy to deploy
= higher compliance (leveraging rich monitoring endpoint of poor-hygiene and use
levels set of endpoint remediation devices
attributes)

Agent based = Basic compliance Point-in-time Agent-based Complex design Agent based =
lower compliance assessment compliance remediation or no deployment
WITHOUT levels (due to segmentation
checks complexity
ForeScout endpoints with and high TCO
broken/missing agents)

How it Works ForeScout Difference Let Us Show You

 How it works - Device Compliance
Endpoint Different devices attempt to connect
2 Manager 1 to the network and ForeScout
discovers, classifies and verifies
if the endpoint manager agent is
installed and functional.

The ForeScout Extended Module

2 then shares this information with
endpoint manager for validation.

Internet If the device is unrecognized

3 by endpoint manager, ForeScout
puts it into a remediation zone
and redirects it to a pre-configured
1 installer for the endpoint management.

Once the user downloads and

Wireless LAN Switch
Controller
ForeScout 4 installs the required agent and is
compliant with your security policy,
the device is then granted access
to the corporate network.

1 4

Solution Brief Interactive Demo Learn More

The ForeScout Difference: Device Compliance
Gain real-time compliance

Agentless Classification
• Who, What, Where, version, etc.
• Real-world classification

Automated Process Advanced Compliance

Module Datasheet
• Single view
• Send data to EDR/VA
(orchestration) Compliance Guide

Manage Weak/Default
Password
• Agentless IoT devices
• Continuous
Device
Compliance
Ease of Development
• Agentless
• Quick to deploy

Vendor Neutral
• No network upgrades
• Campus, data center/cloud
and OT
Network Access Control (NAC)
Many devices can’t be managed
with traditional security methods
and require a new approach to
NAC that isn’t dependent on
agent-based security methods.
New types of IoT devices can
lead to serious breaches.
WITH
“ForeScout enables us to tackle
The ForeScout difference: complex security challenges.
We build something, set it and
• Gain 100% visibility - no agents forget it. Basically, we are getting
required technologies to talk to one another
• Isolate IoT and noncompliant and then solve problems in an auto-
devices on your network mated way. Automation allows are
employees, our security team, and
• Deploy without the burden our security operations center to
of costly network upgrades, focus on what really matters.”
agents or vendor lock-in
– Nick Duda, Principal Security
Engineer, HubSpot

Agentless visibility Endpoint visibility Comprehensive Dynamic Continous Automated Flexible, Easy to Network
and classification includes access segmentation monitoring remediation easy-to-use deploy and orchestration
(with rich out-of- configuration management enables policy engine use via multiple
the-box assessment appropriate integrations
taxonomy) network access

WITHOUT ForeScout

Limited IoT Agent required Limited context Complex design Point-in-time Limited Challenging, Complex Limited
visibility (limited (resulting in limited available for (802.1X is snapshots automated complex-to- to deploy, integration
out-of-the-box visibility) managing required, and remediation use policy high TCO with third-
taxonomy) appropriate other technologies engine party systems
access control may be needed)

How It Works ForeScout Difference Let Us Show You

How it works - Network Access Control

Active Directory

3 Device atempts to connect to

1 the corporate network.

ForeScout classifies the device

2 as a corporate-managed device.

ForeScout queries Active Directory

Internet
2 3 for additional user and data to
ensure access to the appropriate
resources (e.g. department,
3
geography).
Wireless LAN Switch
Controller ForeScout 4
ForeScout uses policy-based
4 actions to grant access to
appropriate network resources.

1 1 1

2 2 2

4 4 4
Managed Devices

Solution Brief Datasheet Interactive Demo Learn More

The ForeScout Difference: Network Access Control

Agentless Classification
• Who, What, Where, version, etc.
• No software agents required

Granular Device
Gartner Market Guide
• Classification

Frost and Sullivan

Continuously Monitor Perimeter-Based Network

• After connect Security by ESG

Network Access Hetrogeneous to Avoid

Control • Costly network upgrades and
deployment delays

Real-time Information Sharing

• Automates security and IT management

802.1x or Not
• Your choice
 Network Segmentation
Network segmentation limits the
lateral movement from one system
or device to another by creating
segmented zones across the network.
Yet device security posture and
behavior are constantly changing.
How do you properly segment devices
with so many dynamics in play?
The ForeScout difference:
• Use device intelligence for rich
device segmentation—including IoT
• Apply policy-based segmentation
across the entire network
• Leverage out-of-the-box
integrations with next-generation
firewalls (NGFWs) for device-based
policies
“We needed a vendor-agnostic
approach that would give us
visibility into disparate networks
coming on board due to the
merger.”
- U.S.-based Retail Bank

WITH Standardize network

Agentless visibility
and detailed context
about device and user
Segment devices Visualize and manage across
automatically based heterogeneous network segmentation policies and
on current, real-time infrastructure without management across campus,
information upgrades or standardization data center, cloud and
OT environments

Inability to “see” all Point-in-time Segmentation management Network segmentation

WITHOUT devices. Limited context segmentation upon only for vendor’s own for only one area or IT
available for making admittance. No continuous technologies, which environment
ForeScout appropriate segmentation monitoring ability to require standardization
decisions. resegment over time (vendor lock-in)

How It Works ForeScout Difference Let Us Show You

How it works - Network Segmentation
Finance Video Server The ForeScout platform discovers
1 endpoints connecting to the
network.
3 4
ForeScout classifies endpoints
2 based on device type, ownership
and user role.

ForeScout places finance user

Internet
3 with a corporate computer on
a finance VLAN segment.
4
ForeScout segments corporate
4 video camera to only communicate
Wireless LAN with video server using a
Switch
Controller ForeScout restrictive ACL.

?
3 4

BYOD
Devices
?
Windows
Devices
BYOD
Devices
IoT Devices
Axis
IP Camera Rogue
Devices

Solution Brief Interactive Demo Learn More

The ForeScout Difference: Network Segmentation
Assess and segment devices on the fly using real-time device context

Rich Classification
• Who, What, Where, version, etc.
• Real-world classification

Automated Process Next Generation Firewall

Solution Brief
• Segment devices based on policy
• Work with NGFWs (orchestration)
ESG Lab Review: ForeScout
& Palo Alto Networks

Dynamic Network
Vendor Neutral Segmentation Webinar
-
• No network upgrades
• Campus, data center/Cloud
and OT (passive)
Network
Segmentation
Ease of Development
• Agentless
• Quick to deploy

Segment Devices and Restrict Access

• VLANs/Security groups
• ACLs
 Incident Response
The instant your network security is
breached, the clock starts ticking.
Dozens of security tools only help if
they work together — your window of
vulnerability is wide open.
The ForeScout difference:
• Reduce device and network “We had no idea how big our
breaches attack surface was.”
• Automate threat detection,
- Federal Government
threat hunting and containment
to accelerate incident response
• Gain out-of-the-box workflow
interoperability with 20+ security
solutions through ForeScout
Extended Modules

WITH Agentless visibility Real-time detection Reduced window of Flexible architecture

and classification and assessment exposure due to enables unified security
at connection orchestrated incident policy from campus
response to cloud

Lack of visibility Periodic scanning Lack of orchestration Standalone, siloed

WITHOUT (limited knowledge misses transient gives attackers time to security solutions
ForeScout of devices/users devices compromise endpoints work in isolation
on network) and exfiltrate data

How it Works ForeScout Difference Let Us Show You

How it works - Incident Response
SIEM 3 User tries to access a website
6 1 that is in violation of corporate
6 policy.
Threat
EMM EPP Intel ATD VA URL filtering in firewall detects
2 the policy violation and sends
alert to the SIEM system.
2
SIEM correlates device IP with
Internet FireWall 3 device context and classification
5 from ForeScout to determine
1
the appropriate response.
6
Switch
The operator initiates response
ForeScout
4 actions via ForeScout, based
on severity of the alert.

ForeScout triggers policy-based

1 5 5 mitigation and response action
to redirect endpoint and alert
Managed Devices IoT Devices Rogue Devices the user of the policy violation.
BYOD Devices

ForeScout sends action results

6 back to SIEM. The operator
reviews action status and
results on the dashboard or in
an available ForeScout App.

Solution Brief Interactive Demo Learn More

The ForeScout Difference: Incident Response
Reduce Mean Time To Resolution (MTTR) by 47% (device breaches)
and 37% (network breaches)2
Real-Time
• At connection

Reduced Window of
Splunk Extended
Exposure Module Datasheet
• Via orchestration
ESG Lab Review:
ForeScout & Splunk

Improve Attack Response

Unified Security Policy Webinar

• Across the extended enterprise

Splunk Extended
Incident Module Demo
Response

Security Policy Templates

Readily available

Agentless Device Visibility

and Classification
• Shared with other security solutions

2
IDC, The Business Value of Pervasive Device and Network Visibility and Control with ForeScout
Success Stories

MEDICAL
Automatically discovered 4,500 previously
unknown devices (15%) including IoT and
medical systems Learn More

FINANCIAL
Fully operational in less than two weeks

Learn More

ENERGY
Detected 400 vulnerable hosts and
addressed WannaCry attached
vulnerabilities within 48 hours Learn More
FLORIDA MEDICAL CENTER

Counts on ForeScout to Secure Networks, Establish Accurate Device

“ForeScout is a Inventory and Automate Regulatory Compliance
force multiplier.
The visibility ENVIRONMENT:
and automation
ability that it 30,000 25+
gives the MEDICAL CENTER ENDPOINTS OFFICES/CLINICS

security RESULTS:
departments, Automatically discovered 4,500 previously unknown devices (15%)
it’s invaluable.” including IoT and medical systems

CISO, Florida
Achieved orchestration between ForeScout and Palo Alto Networks firewalls
Medical Center
Streamlined asset inventory and reporting, device management and
regulatory compliance

Gained $574,000+ annual increase in staff efficiency

Realized $174,000+ annual increase in business productivity

Interactive Demo Case Study

 FINANCIAL SERVICES FIRM

Counts on ForeScout for Device Visibility, Policy-Based Segmentation,

“The ForeScout Threat Response and Compliance Enforcement
platform discovers
devices and
ENVIRONMENT:
captures detailed
information. It
builds inventory
100 12,000
BRANCHES CONNECTED DEVICES
over time of what
you are seeing. RESULTS:
You can switch
VLANs on the Fully operational in less than two weeks Improved device management and
fly. I mean, it’s a regulatory compliance
powerful tool. Real-time visibility and policy-based
control Gained $415,737 in average annual
It does what you
benefits
tell it to do.” Optimized network segmentation
Realized $215,458 in IT staff
Deputy CISO from Streamlined asset inventory efficiencies
Financial Services Firm

Interactive Demo Case Study

LEADING NORTH AMERICAN ENERGY COMPANY

“We spent weeks

trying to come up Counts on ForeScout for Device Visibility, Classification and Control
with the technical
architecture that
would give our ENVIRONMENT:

20,000 3,500 25+

users secure
access to the
corporate network ENDPOINTS EMPLOYEES SITES
without comingling
with the vendor’s RESULTS:
networks. ForeScout
resolved all of this Automated discovery, identification and classification of endpoints, including
without adding IoT devices
complex design or
costly capital gear. Reduced network planning and deployment in field locations by several weeks
Within a week, it Obtained automated asset inventory and reporting for patch management
was deployed and and overall device management
off we went.”
Detected 400 vulnerable hosts and addressed WannaCry attached
Manager of IT, North vulnerabilities within 48 hours
American Energy Company

Interactive Demo Case Study

 Experience the Difference
Take a Test Drive
During your three-hour test drive, the ForeScout crew will spin up
virtual sessions and take you through real-world cybersecurity scenarios.

LEARN ABOUT TEST DRIVE

TEST DRIVES LOCATIONS

Please note: this is a technical, hands-on session where an on-site ForeScout Expert
will coach you through best-practice policy creation and deployment.
Everything you learn can be quickly applied to your environment using the ForeScout platform.

SCHEDULE A INTERACTIVE ROI

MEETING DEMO CALCULATOR
 © KodaCon, Inc. patent pending. FORESCOUT CONFIDENTIAL.
Thank you
ForeScout Technologies, Inc.
Learn more at
190 West Tasman Drive
San Jose, CA 95134 USA
www.ForeScout.com

Toll-Free (US) +1-866-377-8771 © 2018. ForeScout Technologies, Inc. is a Delaware corporation. The ForeScout logos and trademarks can be found
Tel (Intl) +1-408-213-3191 at https://www.forescout.com/company/legal/intellectual-property-patents-trademarks/. Other names mentioned
Support +1-708-237-6591 may be trademarks of their respective owners.