ForeScout CounterACT Review

It prevents scanning, malware spread, corporate asset misuse, and reconnaissance on our network by third-party devices.

How has it helped my organization?

  • Immediate relocation of network devices to a segregated "Vendor" network based on autonomous analysis. Prevents scanning, malware spread, corporate asset (e.g., printer) misuse, and reconnaissance on our network by third-party devices. Allows us to block VPNs from our corporate network but still allow vendors to establish them.
  • Better information provided by Level 1 support (helpdesk) regarding asset information, as we provide them with R/O access to the tool.
  • Visitor policy communication & acceptance

What is most valuable?

  • Network Access Control, its core use
  • Asset Intelligence for deskside
  • "What port is it plugged into" intelligence for deskside
  • Patch-level Auditing
  • Emergency response, risk assessment information to get a view of the vulnerability
  • "What PC is a user on" for helpdesk/IT security/deskside
  • Forces pen testers to request permission to exist on your network

What needs improvement?

  • Java memory management - leaving the app running for multiple days requires a relaunch
  • Search - needs boolean functionality (or pseudo operand now working)

What do I think about the stability of the solution?

Stability has been good.

What do I think about the scalability of the solution?

  • It is very scalable, allowing additional strategic appliances as required in either physical or VM format.
  • We control >400 field sites, two Oilsands mines, multiple remote platform locations, 2 Canadian Metro offices and 1 UK office with 4 appliances centrally located.

How are customer service and technical support?

Customer Service:

It's excellent!

Technical Support:

It's excellent!

If you previously used a different solution, which one did you use and why did you switch?

No previous solution was used.

How was the initial setup?

It was straightforward, although I recommend having a strong relationship with network-asset owners to ensure SNMP rights are looked after.

What about the implementation team?

We used a vendor, Conexsys (Graham Cheng & Jerry G), who were excellent.

What's my experience with pricing, setup cost, and licensing?

Forescout's flex licensing has made our deployment more agile and helps us adapt our environment without buying more hardware.

Under their old model, licensing was tied to 4k and 10k appliances, which strained under the new v7 and v8 Forescout OS when nearing their designed capacity. Acquiring a new appliance, physical or virtual, meant buying licensing for that size of appliance.

Under the new flex licensing model, we've been able to deploy VM appliances, responsible for host interrogation and management, while retaining our physical appliances for SNMP switch management and span aggregation.

Under the flex licensing model, we've deployed to our ICS segments and are deploying VMs to our DCS environment, allowing for full visibility under one "pane of glass" of nearly every host on our network.

Ensure you consider everything you want to monitor that has an IP. Devices with multiple IPs count multiple times against your license count.

Which other solutions did I evaluate?

This was chosen without hands-on evaluation based on reviews and industry feedback.

What other advice do I have?

If you have distributed services (DHCP), strategically ensure you generate reliable traffic to establish timely inspections. We've avoided the use of traps by centralizing our DHCP at HQ, but it causes black holes during inspection schedules when a static device is plugged in.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
2 Comments
A.J. DiLorenzo (Real User):

Great write-up. Quick question about the 150 field sites you mentioned. Are all of those sites networked or are you sending traffic to the ForeScouts over the Internet?

Thanks.

08 July 16
Michael Varga (Real User):

We have a number of MPLS sites, but the majority of our sites are VPN... we don't send any data to public IP addresses, it's all on internal IP space.

08 July 16