Forescout Platform Review

• Immediate relocation of network devices to segregated "Vendor" network based on autonomous analysis. Prevents scanning, malware spread, corporate asset (i.e. printer) misuse, and reconnaissance on our network by third-party devices. Allows us to block VPN from our corporate network but still allow Vendors to establish them.
• Better information provided by Level 1 support (helpdesk) regarding asset information as we provide them with R/O access to the tool
• Visitor policy communication & acceptance

• Network Access Control, its core use
• Asset Intelligence for deskside
• "What port is it plugged into" intelligence for deskside
• Patch-level Auditing
• Emergency response, risk assessment information to get a view of the vulnerability
• "What PC is a user on" for helpdesk/IT security/deskside
• Forces PEN Testers to request permission to exist on your network

• JAVA Memory management - leaving the app running for multiple days requires relaunch
• Search - needs boolean functionality (or psudeau operand now working)

Stability has been good.

• It is very scalable, allowing additional strategic appliances as required in either physical or VM format.
• We control >400 field sites, two Oilsands mines, multiple remote platform locations, 2 Canadian Metro offices and 1 UK office with 4 appliances centrally located.

Customer Service:

It's excellent! 

Technical Support:

It's excellent!

No previous solution was used.

It was straightforward, although I recommend having a strong relationship with network-asset owners to ensure SNMP rights are looked after.

We used a vendor, Conexsys (Graham Cheng & Jerry G), who were excellent.

Forescout's flex licensing has made our deployment more agile and helps us adapt our environment without buying more hardware.  

Under their old model, licensing was tied to 4k and 10k appliances which strained under the new v7 and v8 Forescout OS when nearing their designed capacity.  To acquire a new appliance, physical or virtual, meant buying licensing for that size of appliance.

Under the new flex licensing model, we've been able to deploy VM appliances, responsible for host interrogation and management, while retaining our physical appliances for SNMP switch management, and span aggregation.  

Under the flex licencing model, we've deployed to our ICS segments, and are deploying VMs to our DCS environment, allowing for full visibility under one 'pane of glass' of nearly every host on our network.

Ensure you consider everything you want to monitor that has an IP. Devices with multiple IP's count multiple times against your license count.

This was chosen without hands-on evaluation based on reviews and industry feedback.

If you have distributed services (DHCP), strategically ensure you generate reliable traffic to establish timely inspections. We've avoided the use of traps by centralizing our DHCP at HQ, but it causes black holes during inspection schedules in case of a static device being plugged in.