Shawn Taylor, Forescout: “risk mitigation processes are key to minimizing the potential of an incident”
The complete visibility of connected devices in a company is the most efficient way to stay ahead of evolving cyber threats.
Companies of every size rely on a whole chain of digital devices. And while it’s common practice to secure devices such as smartphones and laptops, IoT devices are often left behind, leaving them vulnerable to hacks.
Truth is, any device connected to the Internet poses security risks, and encrypting the whole network is only a small step towards a good cybersecurity posture.
That’s why we have reached out to Shawn Taylor, Vice President, Threat Defense at Forescout Technologies Inc. Taylor agreed to share his views about the best cybersecurity practices for companies.
Tell us a bit about Forescout and what the company does.
Forescout delivers automated cybersecurity across the digital terrain. We provide our customers with complete asset visibility of connected devices, continuous compliance, network segmentation, network access control, and a strong foundation for zero-trust across all asset types – IT, IoT, OT, and IoMT.
For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale.
Can you introduce us to your Continuum platform? What are its key features?
Forescout Continuum is the first solution to continuously identify and manage the risk posture of assets across the entirety of a digital terrain, including IT, IoT, IoMT (Internet of Medical Things), and OT (Operational Technology). It automates the discovery, assessment, and governance of all cyber assets. After identifying and classifying the devices, they are assessed for compliance with policies and automatically remediated if desired. The risk and traffic flow of the devices are also analyzed and mapped to ensure appropriate prioritization of mitigations, which can be automated if desired. The platform comprises multiple components, including on-premise sensors to perform packet inspection and cloud-based environments to aid in device classification and risk calculations. At any given point in time, Forescout Continuum can provide a complete picture of the connected device landscape and the real-time risk those connected devices pose, but it can also automatically remediate the devices or isolate them to minimize any damage a compromised device may cause.
Why do you think certain organizations are often unaware of the risks they are exposed to?
I think some organizations believe they are already secure enough, but unfortunately, you never know when a breach will occur. There hasn’t been enough attention given to helping ensure organizations have a continuous, complete understanding of the devices on their network. The visibility often stops where the agents stop, as in, IoT devices that cannot have an agent installed on them are placed onto networks. Maybe they are communicating with other devices on the network, but maybe they’re communicating out to management interfaces via the Internet. It becomes an out-of-sight, out-of-mind type of thing. For example, when you set up IP cameras, they’re communicating to a video recording unit on the network (or possibly in the cloud). IP cameras have historically been known to be very vulnerable. Organizations need to make sure they aren’t communicating over a port/protocol combination unless it’s a secure HTTPS session, such as port 443.
How did the recent global events affect your field of work? Have you noticed any new threats emerge?
There are constant changes to the threat landscape as more devices are connected to the Internet and exposed as a new attack opportunity. Adversaries are operating very opportunistically and we have seen an increase with major threat actor groups, such as Conti, increasing their attacks and targets.
I believe a large part of my role is educating organizations globally on the impact of these changes on the threat landscape. Bringing awareness of these events and ransomware gangs can help the customers we work with prepare for possible attacks and future-proof their operations so they aren’t caught unawares. As the line blurs between nation-state attacks and cybercrime, it’s our responsibility to keep the public aware of major threats, especially as we expect the number and severity of these ransomware incidents to continue to grow as more gangs enter the scene.
What security measures do you think are essential in combating these new threats?
One of the most important security measures to take is ensuring organizations have complete and absolute continuous visibility of connected devices, the device posture, and how they are communicating (either internal to the network or outside entities). That’s the only way to ensure that an organization can combat the threats. As the adage goes, you can’t defend what you can’t see.
Out of all company processes, which areas do you think would greatly improve by implementing automation?
Risk mitigation processes, such as device isolation or device remediation (automated patching) are key to minimizing the potential of an incident and could greatly benefit from implementing automation. Companies need to be able to notify the user, open a service desk ticket on their behalf, and get the device off the network. If you can put a non-compliant device into a part of the network where, if it is compromised, it can’t communicate with other devices, you’ve minimized the potential damage to that device. Upon detecting a non-compliant device, isolate it, period. Otherwise, you’ve acknowledged the risk and are willing to accept it.
What are the most common vulnerabilities nowadays that, if overlooked, can lead to serious problems for a business?
I think most organizations are focused on the vulnerabilities they know about, such as Microsoft reports on Patch Tuesday. Or they look at a report from their vulnerability scanner, which can only scan what’s on the network at the time the scan passes that part of the network. Ultimately, I think the biggest issue is the vulnerabilities organizations don’t consider, such as the ones affecting IoT, IoMT, OT, or networking/infrastructure devices. Many times, these device vulnerabilities are unknown, and companies don’t have a mechanism to detect them. An example of those vulnerabilities would be Forescout Vedere Labs’ Project Memoria research effort. There are close to 100 vulnerabilities that affect embedded TCP/IP stacks in OT, IoT, and IoMT devices. That means a component that these devices rely on for communication across the network is highly vulnerable to attacks like remote code execution.
How do you think the IoT landscape is going to evolve in the near future?
I think what we’re going to see is the adversaries looking to those vulnerable IoT, IoMT, and OT devices as attack vectors for initial access. By spreading laterally, they can perform reconnaissance and ultimately deploy whatever payloads they desire to exploit or hijack the network. These types of devices have been called out for being vulnerable and cybersecurity providers have been offering solutions to help identify, secure, and remediate them. In time though, I believe they will be the primary attack vector.