Managing the ever-evolving landscape of cybersecurity threats is challenging when conventional security tools lack the specialization to understand OT networks and protocols, which can leave vulnerabilities, risks, and threats unnoticed. Forescout offers a portfolio of software applications designed for OT environments, providing a versatile set of methods to collect network information, respond to network events, and deliver at-a-glance analytics of systems. With solutions that simplify gaining an in-depth understanding of their OT networks, optimizing their prioritization strategies, and executing timely actions, users can quickly achieve an accelerated time to value in safeguarding their industrial environments.
eyeInspect
Forescout eyeInspect simplifies network visibility for users, providing a comprehensive overview of their network activity and helping them identify top-priority concerns. Users can leverage eyeInspect's granularity to drill down into the insights the Sensors and Command Center discover and present on the dashboards. In each subsequent section, we examine specific eyeInspect features and their role in accelerating time to value.
Deployment
As part of this validation process, eyeInspect's two components, Sensor and Command Center, were isolated into separate networks. These components can be deployed on bare metal servers or as virtual machines (VMs). Forescout also offers a hybrid deployment option where the Sensor and Command Center are combined into a single VM. While deploying the Sensor and Command Center individually is not excessively time-consuming, opting for the hybrid solution expedites both deployment and configuration processes. Both the Sensor and Command Center installations are executed through the Ubuntu terminal, and the necessary installation files are accessible in the Forescout Partner Portal.
Sensor Template—When a Passive Sensor is configured with a Command Center, the Command Center requires a Universally Unique Identifier (UUID) to identify each sensor instance. If a Passive Sensor is cloned, the clone may carry the same UUID as the original, which leads to complications in sensor configuration.
Before running the Passive Sensor installation file, users can create a virtual machine template on vSphere. This approach eliminates repetitive deployment tasks, leaving only a single command to run per virtual machine. Sensor networking settings can be adjusted afterwards to prevent potential IP conflicts.
Risk Realization
Forescout eyeInspect Command Center makes it easy to view the overall risk of the network at a high level. This visibility is achieved through informative graphs that enable users to swiftly assess their cybersecurity status. The risk score is categorized into two distinct aspects: Security and Operational. Security risk assesses the likelihood of an asset posing a security threat based on various factors such as alerts, Internet connectivity, proximity to vulnerable hosts, and existing vulnerabilities. Operational risk gauges the likelihood of an asset causing operational issues based on factors like logical location, network impact, and related alerts.
eyeInspect allows users to view individual asset risk scores on an asset map, represented by color-coded dots. The risk score combines the security and operational risks, which helps users quickly identify critical assets and high-risk network levels. This helps administrators concentrate their efforts on these areas of concern.
Enterprise Command Center—eyeInspect also includes an Enterprise Command Center (ECC). The ECC was not a part of the validation, but it is a software solution that empowers eyeInspect administrators to retain local or regional control over their eyeInspect Command Center installations while achieving centralized visibility for their OT infrastructure.
This provides security analysts with an instant overview of potential issues and threats within specific regions. Analysts are presented with visual and tabular representations of vulnerabilities, alerts, and operational health status for OT networks and assets across multiple deployments of ECC. Where multiple Command Center deployments exist within a region, the ECC localizes each geographic area and provides summarized insights into your OT systems.
Data ingest
A crucial element of eyeInspect revolves around data ingestion, a vital consideration for effective substation management. Enhanced visibility contributes to a comprehensive overview and minimizes the risk of overlooking crucial events. eyeInspect provides multiple pathways for data ingestion that can be customized to accelerate the processes involved in data visualization.
Passive Network Monitoring—End users must configure their network devices (for example, switches or virtual switches in vSphere) to mirror network traffic to the Passive Sensor. Sensors connect to the Command Center server over TCP/IP. This adaptive approach caters to environments constrained by network traffic mirroring capabilities.
In a hybrid deployment of Command Center and sensor, traffic can be mirrored directly to the combined eyeInspect server, eliminating the need for a separate sensor setup.
Packet Captures (PCAPs)—PCAPs are files containing network packet data. eyeInspect allows users to replay PCAP files in the sensor so that the sensor can ingest the network data from that file and add it to its pre-existing dataset on the connected Command Center.
As mentioned before, Forescout offers a hybrid deployment, bundling its Command Center and sensor into one VM. Within these bundled configurations, the Command Center adds the capability to replay traffic captures (PCAPs) through the UI, facilitated by PCAP Replay Sensors. The PCAP Replay Sensor parallels the functionality of a monitoring sensor, with the sole distinction being its inability to monitor real-time traffic.
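Before a capture is handed to a PCAP Replay Sensor it is worth confirming that the file is a well-formed pcap and not cut short by an aborted capture, since a truncated file silently yields an incomplete dataset. The following is an added example, not Forescout's or eyeInspect's code: it parses the classic libpcap layout (the 24-byte global header and 16-byte per-record headers) on a constructed sample and reports link type, packet count, capture span and truncation.

```python
# Sanity-check a libpcap file before replaying it into a monitoring sensor.
# Added example, not Forescout code: walks the classic pcap layout (24-byte
# global header, then 16-byte record headers) and reports link type, packet
# count, capture span and whether the file was truncated.
import struct
from dataclasses import dataclass

MAGIC_US = 0xA1B2C3D4  # microsecond timestamps
MAGIC_NS = 0xA1B23C4D  # nanosecond-timestamp variant

@dataclass
class PcapSummary:
    linktype: int      # e.g. 1 = Ethernet
    packets: int
    duration_s: float  # first to last packet timestamp
    truncated: bool    # last record cut short (aborted or corrupt capture)

def summarize_pcap(data: bytes) -> PcapSummary:
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MAGIC_US, MAGIC_NS):
        end = "<"  # little-endian writer
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        end = ">"  # big-endian writer; re-read the magic in its own order
        magic = struct.unpack(">I", data[:4])[0]
    else:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    frac = 1e9 if magic == MAGIC_NS else 1e6
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off, count, first, last, truncated = 24, 0, 0.0, 0.0, False
    while off < len(data):
        if off + 16 > len(data):
            truncated = True  # partial record header
            break
        sec, sub, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            truncated = True  # header promises more bytes than remain
            break
        ts = sec + sub / frac
        first = ts if count == 0 else first
        last, count, off = ts, count + 1, off + 16 + incl_len
    return PcapSummary(linktype, count, last - first if count else 0.0, truncated)

# Constructed sample: little-endian, Ethernet, two 4-byte frames 1.5 s apart
SAMPLE = struct.pack("<IHHiIII", MAGIC_US, 2, 4, 0, 0, 65535, 1)
SAMPLE += struct.pack("<IIII", 1700000000, 0, 4, 4) + b"\x00\x01\x02\x03"
SAMPLE += struct.pack("<IIII", 1700000001, 500000, 4, 4) + b"\x04\x05\x06\x07"
```

Running `summarize_pcap` on a real capture file's bytes gives the same summary; a `truncated` result means the last record should be discarded or the capture repeated before replay.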