Internet.com ISP-Planet

ISP News

Intrusion Detection Systems:
ForeScout Technologies

Want the added protection of an IDS without the management headaches? ForeScout Technologies' ActiveScout promises intrusion prevention built on deception rather than attack signatures, and the company claims it produces no false positives.

by Jeff Goldman
[July 10, 2002]

Two years ago, a group of technology gurus founded ForeScout Technologies with the grand vision of creating a kind of global early warning system for computer security. Nancy Blair, ForeScout vice president of marketing, says the company's ActiveScout product, introduced in February, represents a significant step towards achieving that vision.

"The concept was that if there were enough ActiveScouts around a corporation, a city, a state, a country, or the world, they would actively update each other in real time when they saw a malicious attack in action, and provide an automatic lockdown," Blair said. "We've now delivered the product, and we're selling that product into organizations and governments: the concept is alive and well today, just on smaller scale."

ForeScout Technologies
2755 Campus Drive, Suite 115
San Mateo, CA 94403
Voice: (650) 358-5580
E-mail: info@forescout.com


The next release of the product, Blair says, will automate the updating process. "If a bank has branches in New York, Tokyo and London, they can put an ActiveScout in each branch and manage them centrally," she said. "Then if an attack is picked up by the London office, the ActiveScout on that perimeter notices it in real time and can automatically communicate that to the ActiveScouts in New York and Tokyo."

The difference ForeScout emphasizes between ActiveScout and a traditional signature-based or anomaly-based IDS is that ActiveScout is designed to raise no false positives: it never alerts on traffic that merely looks suspicious, only on traffic that acts on information the product itself planted. "If you're sitting at home trying to make sure that no burglars break in, you don't want to be jumping up and down every time the postman comes," Blair said. "But that's how security managers are operating today."

Instead, ActiveScout sits outside the firewall and looks for the probes that hackers conduct before an attack. "Reconnaissance activity precedes 98 percent of all attacks," Blair said. "You do a ping sweep, a port scan—all these tools that are very common on the Internet, but there's a limited number of categories of them. ActiveScout does a very good job at identifying these kinds of reconnaissance."

Rather than alerting a security manager that reconnaissance is taking place, ActiveScout simply marks the intruder. "ActiveScout sends back information, but it's unique information generated by ActiveScout itself, and it reflects services or addresses that don't really exist," Blair said. "We mark them by sending back unique information, like giving a robber a marked bill."

If the attacker never returns, then no alert is given—but if an attempt is made to attack the nonexistent service or address, then the intruder is immediately identified. "At that point, we can block them—or we can interoperate with the firewall and have the firewall block them—or we don't have to block at all. The security manager can elect to do whatever they want, according to their security policy," Blair said.
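The marking-and-return logic Blair describes, as an added illustration that is not ForeScout code and makes no claim about how ActiveScout actually derives or stores its marks: a small Python simulation in which every probe of a closed port or ping is answered with a decoy port derived per source address from a secret, and any later connection to a decoy port identifies and blocks the source. The real-service table, the decoy port range, the secret, the addresses and the event stream are all constructed for the example.

```python
"""Simulation of reconnaissance marking, in the spirit of the ActiveScout
description above.  Constructed example: not ForeScout code, and no claim
about how the real product derives or stores its marks."""
from dataclasses import dataclass, field
import hashlib
from typing import Dict, List, Set

# Services the protected host really offers (constructed).
REAL_SERVICES = {80: "http", 443: "https"}
# Ports in this range are never used by a real service; they exist only as decoys.
MARK_PORT_MIN, MARK_PORT_MAX = 40000, 49999


@dataclass
class Event:
    src: str     # source IP of the packet
    dport: int   # destination port (0 for an ICMP echo)
    kind: str    # "syn" for a TCP connection attempt, "ping" for ICMP echo


@dataclass
class Scout:
    secret: bytes                                        # per-deployment secret
    marks: Dict[int, str] = field(default_factory=dict)  # decoy port -> IP it was issued to
    blocked: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def _mark_port(self, scanner: str) -> int:
        """Derive a decoy port that is stable for this scanner and unguessable
        without the secret, so knowing it implies having been told it."""
        h = hashlib.sha256(self.secret + scanner.encode()).digest()
        span = MARK_PORT_MAX - MARK_PORT_MIN + 1
        port = MARK_PORT_MIN + int.from_bytes(h[:4], "big") % span
        # Linear probing: two scanners must never be issued the same decoy.
        while self.marks.get(port, scanner) != scanner:
            port = MARK_PORT_MIN + (port - MARK_PORT_MIN + 1) % span
        return port

    def handle(self, ev: Event) -> str:
        """Return the action taken for one packet."""
        if ev.src in self.blocked:
            return "dropped"
        # 1. Traffic to a real service passes untouched and raises nothing:
        #    the postman is allowed to walk up to the door.
        if ev.kind == "syn" and ev.dport in REAL_SERVICES:
            return "forwarded"
        # 2. A connection to a decoy port can only come from someone who was
        #    handed the mark (or obtained it from them): identify and block.
        if ev.kind == "syn" and ev.dport in self.marks:
            issued_to = self.marks[ev.dport]
            self.blocked.add(ev.src)
            self.log.append(f"BLOCK {ev.src}: used mark issued to {issued_to}")
            return "blocked"
        # 3. Everything else (ping sweep, probe of a closed port) is treated as
        #    reconnaissance.  No alert; the reply simply advertises a decoy port
        #    as if it were open, i.e. the scanner is handed a marked bill.
        port = self._mark_port(ev.src)
        self.marks[port] = ev.src
        return f"decoy:{port}"


def run_scenario() -> dict:
    """Constructed event stream: one legitimate client, one scanner, and a
    second host that later reuses the scanner's mark."""
    scout = Scout(secret=b"constructed-deployment-secret")
    legit, scanner, second = "198.51.100.7", "203.0.113.5", "203.0.113.9"
    r = {}
    r["legit_http"] = scout.handle(Event(legit, 80, "syn"))
    # Ping sweep and port scan from the scanner: every probe gets the same decoy.
    probes = [Event(scanner, 0, "ping")] + [Event(scanner, p, "syn") for p in (21, 22, 23, 25, 3389)]
    r["scan_answers"] = {scout.handle(e) for e in probes}
    decoy = int(next(iter(r["scan_answers"])).split(":")[1])
    # A legitimate client mistyping a port also gets a decoy, but is never
    # blocked because it never comes back for it.
    r["legit_typo"] = scout.handle(Event(legit, 8080, "syn"))
    r["legit_https"] = scout.handle(Event(legit, 443, "syn"))
    # The scanner returns to attack the "open" port it was told about, with
    # whatever exploit it likes: the mark, not the exploit, triggers the block.
    r["scanner_return"] = scout.handle(Event(scanner, decoy, "syn"))
    r["scanner_after"] = scout.handle(Event(scanner, 80, "syn"))
    # Another host using the same decoy is blocked too, and the log ties the
    # mark back to the reconnaissance that earned it.
    r["second_host"] = scout.handle(Event(second, decoy, "syn"))
    r["log"] = list(scout.log)
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Two design points carry the article's argument. The decoy port is derived from a per-deployment secret, so a connection to it cannot be a coincidence: whoever uses it was told it, which is what keeps the false-positive rate at zero even when a legitimate client hits a closed port by mistake. And because the block keys on the mark rather than on the payload, the scanner is stopped whatever it sends on its return, which is the "unknown attack" property claimed below. What the model cannot see is an attacker who scans from one address and then attacks the real service from another without touching the decoy, or who skips reconnaissance altogether.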

Marking the deck
Blair contends that ActiveScout isn't meant to replace IDS, or even to compete with it as a solution. If a customer has an IDS in place, it simply allows them to turn off or tune down any signatures that are looking for reconnaissance activity. "If you can reduce all that noise by turning off the reconnaissance signatures on your intrusion detection device, you've just saved a lot of hassle," she said.

A second benefit Blair cites is that the approach does not need to know in advance what the attack looks like. "Because our whole technology is based upon looking for a mark, not a signature pattern of an attack, an attacker can literally have created a new exploit five minutes ago," Blair said. "All we do is block that IP address as soon as we see the marked information."

Whereas a signature-based IDS can only detect attacks for which it has a signature, ActiveScout blocks any source that precedes its attack with reconnaissance and then acts on the planted information, whatever exploit it uses when it returns. The practical boundary of that claim is the mark itself: an attacker who scans from one address and attacks the real service from another without touching the decoys, or who skips reconnaissance altogether, falls outside the model. "It's just automatically blocked," Blair said. "That's a major difference: the product is always state of the art in terms of blocking unknown attacks."

Blair also contrasts the management burden with that of an IDS. "It's plug and play," she said. "The management is so simple—do you want to block or don't you, and that's it. There are reporting capabilities, so you can see where attacks are coming from—what countries and what IP addresses—so you can get a perspective on what's happening at your network access points."

Advanced users can choose to block or allow specific IP addresses, and can choose to receive alerts rather than automatically blocking intrusions. "There is some flexibility to tune the product, but only if you really want to," Blair said. "It's not necessary to operate it: you can save so much time by simply having this thing operating on its own."

There are two versions of the product. The basic ActiveScout Site Solution, which includes one ActiveScout and a Site Manager console, starts at $2,995—though the price, based on bandwidth, can go up to $29,995. "We introduced low end pricing because we found that a lot of organizations have small remote offices with no security people, and they have them connected by very low-speed lines," Blair said.

The ActiveScout Enterprise Solution, which allows for central management of multiple ActiveScouts, starts at $15,985 for two ActiveScouts and an Enterprise Manager. "The ActiveScout Enterprise Solution is capable of protecting a large organization with multiple Internet access points and geographically dispersed offices," Blair said.

Nothing like an IDS
Barry Choisser is the Network Manager for Risk Management Services, Inc. Based in Newark, California, the company provides risk modeling products and services for insurance companies and other institutions. For over two years, Choisser says, he's been looking in vain for a satisfactory intrusion detection solution.

At a conference last year, Choisser met a ForeScout Technologies representative who offered to let him try ActiveScout for a few months. After extensive testing, he recalls, he bought three units—and he says the product's simplicity was its greatest selling point.

"With an IDS solution, you have to update signatures, you have to go through logs, and there's a lot of false positives," Choisser said. "I don't have a lot of time to deal with this stuff, so what I wanted was a box that I didn't have to update, that would notify me when there was a problem, and that was proactive, not reactive, with a low number of false positives."

In retrospect, Choisser says he never would have been happy with the challenge of managing a traditional IDS solution. "If you've got someone who can just sit there and go through IDS traffic, then that's great," he said. "I don't have the manpower to do that. My group, we've got a limited number of people, so this product is great."

"It really is nothing like an IDS," Choisser said. "This is a new area. You've got firewalls, you've got IDSes, and I think soon you'll start seeing more boxes that are similar to this. It's something that was really needed out there, something that IDSes and firewalls can't provide."


Online Resources:
   Intrusion Detection Systems Directory
   IDS Quick Reference Chart


Related articles:
  [Dec. 24, 2001] White Paper: Reducing Network Security Risk
  [Sept. 25, 2001] Physical Security Augments Logical Security
  [July 11, 2001] ISP-Planet Survey: MSSPs
