Name:

The Forescout Test Drive

Experience the Difference of
Agentless Device Visibility and Control

V 1.0
Introduction

Contents
Introduction ........................................................................................................................................................ 3
Warm-Up Lap: Starting the Demo Environment ............................................................................................. 5
Visibility .................................................................................................................................................. 7
Task 1: How Does Forescout See Devices? ................................................................................................... 8
Task 2: Access Your Lab ............................................................................................................................... 10
Task 3: Use the Dashboard to View the Devices on Your Network .............................................................. 11
Task 4: Use the Dashboard to Check Your Endpoint Compliance ................................................................ 14
Asset Management .............................................................................................................................. 16
Task 1: Discover the Versions of Windows on Your Windows Desktop Endpoints ....................................... 17
Task 2: Access the Forescout Console ......................................................................................................... 19
Task 3: See Microsoft Office Installations ...................................................................................................... 20
Task 4: See Your OT Devices ....................................................................................................................... 22
Task 5: Monitor Your Distribution Center ....................................................................................................... 23
Follow Up ....................................................................................................................................................... 24
Incident Response ............................................................................................................................... 25
Task 1: Import the WannaCry Policy ............................................................................................................. 26
Task 2: Install the EternalBlue Vulnerability Policy ........................................................................................ 29
Task 3: Add WannaCry-Infected and Vulnerable Hosts to the Dashboard ................................................... 31
Follow Up ....................................................................................................................................................... 33
Segmentation ....................................................................................................................................... 34
Task 1: Visualize Your Network Traffic .......................................................................................................... 35
Task 2: Identify Segmentation Rule Violations .............................................................................................. 37
Task 3: Modify an eyeSegment Policy ........................................................................................................... 38
Task 4: Create an eyeControl Policy to Address the Traffic Violations ......................................................... 41
Follow Up ....................................................................................................................................................... 45
Take the Next Step........................................................................................................................................... 46

2 Forescout Test Drive Lab Guide

 Introduction

Introduction
Forescout Test Drive demos let you experience the powerful features of the Forescout platform firsthand.
They provide you with a live Forescout instance in a virtual lab environment and easy-to-follow, step-by-step
guidance for exploring the product. No Forescout experience necessary.

Following a quick introduction, today’s course will take you through four real-world scenarios:

• Lap One: Visibility. You can’t secure what you can’t see.™ Learn how to discover every physical and
virtual device connected to your network, classify them, and assess their security posture.

• Lap Two: Asset Management. Agentless device visibility and continuous monitoring fuel every
aspect of cybersecurity. Access a real-time hardware and software asset inventory for an annual
software audit—without pulling resources from other critical tasks. Query the Asset Inventory to quickly
obtain valuable device-related information.

• Lap Three: Incident Response. Put the Forescout policy engine through its paces as you respond to
a WannaCry outbreak. Use an automated policy to quickly locate vulnerable hosts and determine
which need to be patched and which are infected—instead of the complex process most enterprises
use today. Create dashboard entries so you can monitor your progress while responding to this
incident.

• Lap Four: Network Segmentation Assess the devices on your network and make sure they can
only access the resources they need. Segment access based on device type and security posture to
reduce the risks posed by rogue and noncompliant devices.

Forescout Test Drive Lab Guide 3

Introduction

Scenario

You are the Chief Information Security Officer of a small company, ThingCo, that distributes
Things. Your growing company recently moved into a larger facility that has a distribution
center attached to it. The automated systems in the distribution center can be controlled
from the corporate network.

You recently discovered that contractors plugged a consumer wireless access point into the
distribution center network to make it easier for them to get their systems on the network,
and then left it there. The device is not secured. Luckily, there was no sign of a breach, and
its presence did not affect the older industrial control systems running on that network.

However, it highlighted an issue that you have been trying to address. Your company’s
quarterly e-mail asking about the devices people have on the network, and the manual
collection and entry of that information, are clearly not sufficient. Additionally, the agent-
based audits of software running on your network are missing many devices in your
environment that cannot have agents installed on them. You need a real-time, agentless
view into your network.

After hearing about the capabilities of the Forescout platform, you decided to bring it in for a
Proof of Value on your network.

4 Forescout Test Drive Lab Guide

 Warm-Up Lap: Starting the Demo Environment

Warm-Up Lap: Starting the Demo Environment

The Test Drive uses virtual devices in a cloud-based environment accessed through your web browser to give
you a hands-on experience with the Forescout platform. Before the session begins, you need to enable your
lab.

Open your web browser and point it to https://demoit.online/testdrive.

Note: Google Chrome is the recommended web browser.

Forescout Test Drive Lab Guide 5

Warm-Up Lap: Starting the Demo Environment

Enter your e-mail address you used to register for the course and check the I’m not a robot
checkbox. Click Get Access.

You will receive an email address with the link to your lab.

IMPORTANT: If you do not have access to your email, or you do not receive the message
within a few minutes, ask the session moderator for the lab passphrase and
enter it in the Didn’t Receive Your Email? Field on the login page.

Click the link in your email message.

Your lab console with three devices appears.

Minimize your browser. You will be instructed when to access the lab devices shortly.

6 Forescout Test Drive Lab Guide

 Visibility

Visibility

Scenario

You heard that a recent study conducted by IDC found that Forescout customers see 24%
more devices than expected on their networks—some seeing as high as 60% more. You
had some doubts about the numbers, so you decided to try the Forescout platform on your
own network.

After installing the Forescout platform, you discovered that there were many more devices
attached to network than you anticipated—lab computers connected to the corporate
network, consumer wireless access points that were not part of the planned infrastructure,
non-corporate mobile devices, many more network-connected smart speakers than you
expected—even a game console and a smart TV.

Forescout has pioneered an agentless approach to security that provides real-time discovery, classification,
assessment and monitoring of devices, allowing you to see what’s on your network, from campus to cloud,
and to securely manage it.

Before you begin

• How do you currently track the devices that connect to your network? How many devices do you
currently have on your network? How confident are you that the number is accurate?

• Why types of devices are they? How do you know?

In this lap, you will:

1. Learn about how the Forescout platform discovers, classifies, and assesses the devices on your
network.

2. Access your lab environment.

3. Use the Dashboard to View the Devices on Your Network

4. Use the Dashboard to Check Your Endpoint Compliance

Forescout Test Drive Lab Guide 7

Visibility

Task 1: How Does Forescout See Devices?

Follow along with the Test Drive leaders as they guide you through how the Forescout platform gives you
visibility into the devices on your network.

The foundation of the Forescout platform is visibility. This need for visibility goes across the entire
enterprise—campus, IoT, data center, cloud and operational technology (OT) environments—and comes
together to solve a variety of use cases that address your business needs:

• Asset Management

• Device Compliance

• Network Access Control

• Network Segmentation

• Incident Response

8 Forescout Test Drive Lab Guide

 Visibility

Using a combination of active and passive monitoring techniques, Forescout eyeSight provides in-depth
visibility to discover devices the instant they enter the network—without requiring agents. eyeSight classifies
and assesses these devices and virtual instances, then continuously monitors them as they come and go
from the network.

Forescout Test Drive Lab Guide 9

Visibility

Task 2: Access Your Lab

You can see the devices on your network using the Forescout platform’s dashboard.

Switch to the web browser that you logged into the lab with and make the browser full screen.

Click the Forescout Console – Active Directory 2019 device.

The device interface (Windows) opens in a new tab.

Click the Fit to Window icon in the toolbar at the top.

Click the Toggle Toolbar button to move the toolbar out of the way.

10 Forescout Test Drive Lab Guide

 Visibility

Task 3: Use the Dashboard to View the Devices on Your Network

The Forescout platform’s default dashboards provide an easy way to view the devices that eyeSight discovers
on your network and the states of those devices.

Click the Chrome icon in the taskbar at the bottom of the screen.

Click the eyeSight Dashboard entry in the browser bookmark bar.

The dashboard login screen appears

Log in using the pre-populated credentials. The login credentials should be pre-populated. If they
are not, use:

User Name: admin

Password: 4Scout123

The first dashboard you see is the Device Visibility dashboard. Across the top is a summary of
the devices eyeSight discovered on your network by type of device (Campus Wired, Campus
Wireless, Data Center, Cloud, and OT)

Below the summary are the following 6 Widgets that provide various views of the devices on
your network:

• Function—is it a mobile device, medical device, computer?

• Operating System—what OS is it running?
• Vendor and Model—who made the device?
• New Devices on Network—how many devices have come on the network in the past
hour, day, week, month, or year?
• IOT Devices at Risk—which IoT devices are have weak or default credentials or
insecure ports open?
• Top 5 Unauthorized Windows Applications Installed—which applications that violate
your company policies do users have installed on their endpoints?

Forescout Test Drive Lab Guide 11

Visibility

Hover your cursor over the Windows entry in the Operating System chart.

That part of the ring diagram expands to show additional information. In this case, it breaks
down the Windows devices by Windows version.

NOTE: Your diagrams will have different data from the ones above.

Click the Windows part of the Operating System diagram.

Dashboard displays the list of Windows devices.

12 Forescout Test Drive Lab Guide

 Visibility

Click the carat to the left of the device to reveal detailed information about that device.

You can use the filters on the left to filter the display based on policy, segment, and group.

Click Device Visibility at the top of the screen to go back to the dashboard. Take a moment to
explore the data in the other widgets on the dashboard. Return to the dashboard when done.

Forescout Test Drive Lab Guide 13

Visibility

Task 4: Use the Dashboard to Check Your Endpoint Compliance

You can also quickly check on the compliance status of the devices on your network, such as having antivirus
running and up to date or having disk encryption enabled.

Click the Device Compliance tab at the top of the dashboard.

The Device Compliance Dashboard contains the following information:

• Compliance Overview—overall, what percentage of the devices on your network are

compliant with your company policies?
• Compliance Trend—view the trend of compliant vs noncompliant devices on your
network over time.
• Highly Vulnerable Devices—presents a VENN diagram of the top 3 reasons that
devices are noncompliant. The intersection of those three reasons show you the most
vulnerable devices on your network.
• Top 5 Reasons for Non-Compliance—the top 5 reasons that devices were marked
noncompliant
• Applications – Top 5 Reasons for Non-Compliance—the top 5 reasons due to
applications (out of date, not running, installed but not permitted) that devices were
marked non-compliant.
• IOT – Top 5 Reasons for Non-Compliance—The top 5 reasons your IOT devices,
such as printers, IP cameras, etc. were marked as noncompliant.

14 Forescout Test Drive Lab Guide

 Visibility

In the Highly Vulnerable Devices widget, click the intersection of the three circles.

This widget shows the top three reasons for devices that are out of compliance. The intersection
of the circles shows the most vulnerable devices – those with all three noncompliance attributes.

Click the caret to the left of one of the devices, and then click Security in the device details.

The device details show when the last time the virus definition files was updated.

Click Device Compliance at the top of the screen to go back to the dashboard. Take a moment
to explore the data in the other widgets on the dashboard. Return to the dashboard when done.

Forescout Test Drive Lab Guide 15

Asset Management

Asset Management
Scenario

After the incident with the unsecured wireless access point, your company has decided that
it needs to improve their asset management policies and procedures. Management wants
tighter control of the hardware and software running on the network.

Because you are already trying the Forescout platform, you have decided to use it to gain
visibility of the hardware and software on your network without pulling resources from other
critical tasks.

The Forescout platform enables you to discover every Internet Protocol (IP) addressable device that connects
to your network, in real time. Using both agentless and agent-based technology, it shows you the software
and processes running on the managed endpoints on your network. The Forescout platform can provide
detailed visibility into the devices in your operational technology environments.

Once you discover the devices, the Forescout platform classifies them using several criteria: type and
function, operating system (OS) and version, manufacturer, model, and network function. Finally, Forescout
can assess whether the devices are corporate-managed devices, and if those managed devices comply with
corporate policy.

Before you begin

• How do you currently track hardware and software assets in your organization? Spreadsheets?
Dedicated applications? Configuration management database (CMDB)?

• How do you keep it current? Surveys? Real-time data collection?

• How confident are you that your asset management tool is up to date with today’s information?

• Who are the consumers of this data? How are they using it? What is the impact of inaccurate, out-of-
date, or incomplete data to these users?

In this lap, you will:

1. Use the Assets dashboard to see devices and operating systems on your network.

2. Log into the Forescout console.

3. Use the Asset Inventory to quickly see how many endpoints are running Microsoft Office (and which
versions).

4. Use the Asset Inventory to see the operational technology devices running in your distribution center.

5. Use the Forescout Home tab to see all the devices running in your distribution center—both OT and
IT devices.

16 Forescout Test Drive Lab Guide

 Asset Management

Task 1: Discover the Versions of Windows on Your Windows Desktop Endpoints

You can use the Assets tab to view the devices on your network. You might have noticed that you already
used this tab—each time you drilled down in the device dashboards, you were viewing the devices on the
Assets tab.

You want to see what versions of Windows are running on your end users’ desktops. You suspect there may
be several out-of-support versions still in use, which could introduce vulnerabilities on your network.

Click the Assets tab at the top of the screen. If there is a filter applied to the view, click Clear
All.

Expand the Groups filter. Type Windows in the search field.

Forescout Test Drive Lab Guide 17

Asset Management

Scroll down the list and check Windows Desktop Zone.

You can immediately see that you have some Windows 7 devices on your network.

Click the Operating System column to sort by that column. Scroll down the list.

What other versions of Windows do you see?

Click the caret to the left of one of the devices to see the device properties.

Clear the filter and search for Mobile under Groups. Check the Mobile devices group.

Click the caret to the left of one of the devices to see the device properties.

Use the filters to sort the Asset table in different ways. When you are done, clear any filters and
click the Dashboards tab at the top of the page. Minimize the browser when you are done.

18 Forescout Test Drive Lab Guide

 Asset Management

Task 2: Access the Forescout Console

Up until now, we have done everything through the Forescout platform eyeSight dashboard. Now we are
going to access the Forescout platform console.

The Console Login dialog box should be running when you first access the console device. If it is
not, click the Forescout Console icon in the taskbar.

The Console Login dialog appears.

Enter 4Scout123 in the password field and press Enter. The password is case-sensitive.

The Forescout Console opens.

Forescout Test Drive Lab Guide 19

Asset Management

Task 3: See Microsoft Office Installations

Forescout can even tell you about software running on managed endpoints.

Click the Asset Inventory tab at the top of the screen.

In the Views tree, search for and select Windows Applications Installed.

A list of Windows applications and versions appears in the table on the right. The number of
hosts on which each application is installed is also displayed.

In the Windows Applications Installed pane’s Search field, type Office.

The list is narrowed down to applications with Office in the name.

How many versions of Microsoft Office do you see? Does your company have a standard,
licensed version?

20 Forescout Test Drive Lab Guide

 Asset Management

Click one of the versions of Microsoft Office.

A list of devices running that version of Office and their locations appear in the table below.

You can create policies for endpoints running specific versions of Microsoft Office. For example,
you could notify users of an older version that they need to upgrade to the official, licensed
version and where to obtain that version.

Forescout Test Drive Lab Guide 21

Asset Management

Task 4: See Your OT Devices

In the Views tree, search for Classification. Expand it and click Classification > Function >
Operational Technology.

NOTE: It is not the Classification (Advanced) entry. Collapse that entry to find the Classification
entry.

A list of the categories of OT devices appears in Operational Technology table on the right.

Click Programmable Logic Controller in the Operational Technology table.

A list of the PLCs in your distribution center appears in the Hosts table.

Although this Hosts table shows specific types of OT devices, it does not show every device in
your distribution center; it shows only the OT devices. The next task will show you how to see all
the devices on your OT network segment.

22 Forescout Test Drive Lab Guide

 Asset Management

Task 5: Monitor Your Distribution Center

Use the Home tab and segment filter to see the devices attached to your distribution center network. While
the Inventory tab can help you see what devices you have on your network by type, the Home tab can help
you see all the devices on specific parts of your network. This can help you track down unapproved devices
on that network.

Click the Home tab. If not already selected, click All Hosts in the Views tree.

In the Filters tree, expand the Segments > Nakatomi – In Scope > Nakatomi Trading Corp. >
By Technology tree, and then click OT.

In the All Hosts table, you will see a list of devices in your Distribution Center’s OT network. You
will be able to quickly identify devices that do not belong on this network.

Forescout Test Drive Lab Guide 23

Asset Management

Scroll through the device list. Are there any devices that you can immediately see that do not
belong?

Hint: Look at the function column as you scroll through. Looks like someone is doing some after-
hours gaming. There is an Xbox on your OT network.

Click the Asset Inventory tab to return to the Inventory view.

Follow Up
• What types of information did Forescout discover about the devices?

• How could seeing all instances of a specific device type on your network, such as IT, OT, and IoT
devices, benefit your business? Open ports?

• What problems does your organization currently face that this type of endpoint visibility could help
solve? How much effort and expense currently goes into solving these problems?

• How can Forescout help you keep your asset inventory current?

24 Forescout Test Drive Lab Guide

 Incident Response

Incident Response

Scenario

Part way through your Forescout proof of value, a malware outbreak, WannaCry
ransomware, goes global.

You need to see if any of your endpoints are infected with or vulnerable to WannaCry and
pinpoint exactly where they are. Unfortunately, it is a zero-day outbreak, and your malware
software does not yet detect WannaCry.

Luckily, the SE you are working with at Forescout is already aware of this outbreak. The SE
sent you policies you can use to discover infected and vulnerable endpoints and locate
where they are within your company.

Leveraging these policies, you discover that you have several endpoints that are
vulnerable, but also some that are already infected.

Because the Forescout platform can identify the switches and switch ports that endpoints are plugged into,
you can quickly identify the location of any endpoint.

Couple this capability with a control or orchestration policy, and you can quickly hunt for and isolate
compromised or vulnerable locations or have your vulnerability scanners scan the potentially affected
endpoints.

Forescout can then use a virtual firewall, VLAN reassignment or orchestration with your other security
products to isolate the infected systems.

Before you begin

• How do you hunt for vulnerable systems and possibly compromised locations for zero-day threats?

• What is your process for addressing those systems and locations?

• What is the impact of undiscovered infected or vulnerable endpoints to your organization? How long
does it take you to find them now?

• How does the problem/risk to the organization become worse as time elapses?

In this lap, you will:

1. Import a policy to identify endpoints possibly infected by the malware outbreak.

2. Import a policy to identify endpoints vulnerable to it.

3. Create a dashboard to monitor the progress in addressing this outbreak.

Forescout Test Drive Lab Guide 25

Incident Response

Task 1: Import the WannaCry Policy

This policy looks for specific characteristics on endpoints that indicate a WannaCry infection.

Click the Policy tab in the Forescout console toolbar.

In the Policy Folders tree, expand 3.0 Assess > 3.1 Windows and click Risk & Vulnerability.

Click the Import Policy Folder icon .

The Select Policy Folder dialog appears.

Keep the Target Node at Risk & Vulnerability. Select Add folder content to the target under
the Import Mode.

Click the file browse button next to file name and navigate to the Documents > Forescout
Policies folder. Select the WannCry Infected (Managed).xml file.

26 Forescout Test Drive Lab Guide

 Incident Response

Click OK.

The Policy detail dialog box appears.

Click OK.

The policy is added to the bottom of the eyeSight policies. You can scroll down to see the policy
at the bottom of the list.

Click Apply.

Click the Home tab at the top of the screen.

Expand the Policy tree: Policies > 3.0 Assess > 3.1 Windows > Risk & Vulnerability >
WannaCry Infected (Managed).

Click Infected.

Now you will see a list of hosts with properties that indicate a WannaCry infection. Furthermore,
you can see which switch and port they are attached to.

Forescout Test Drive Lab Guide 27

Incident Response

Now that you have identified the infected hosts, there are several things you can do:

• Take immediate action on each device by right-clicking the device and selecting an
action, such as restricting network access either by assigning the endpoint to a
quarantine VLAN or by using a virtual firewall to block it.

• Modify the policy to automatically block those devices from accessing the network.

• Locate the devices and send a support team to remediate them.

We are not going to take any action on these devices in this lap.

28 Forescout Test Drive Lab Guide

 Incident Response

Task 2: Install the EternalBlue Vulnerability Policy

It is not enough to identify the infected devices. You also want to know which devices are vulnerable to
WannaCry. WannaCry takes advantage of the EternalBlue exploit, which is a vulnerability in the Microsoft
implementation of the SMB protocol. This vulnerability has been patched. This policy detects endpoints that
are still vulnerable to the exploit.

Click the Policy tab in the Forescout console toolbar.

You should still be in the Risk & Assessment folder.

Click the Import Policy Folder icon .

The Select Policy Folder dialog appears.

Keep the Target Node at 1.0 See. Select Add folder content to the target under the Import
Mode.

Click the file browser button next to file name and navigate to the Documents > Policies folder.
Select the VR EternalBlue vulnerable.xml file.

Click OK.

The Policy detail dialog box appears.

Click OK.

The policy is added to the bottom of the list of policies.

Click Apply.

Click the Home tab at the top of the screen.

Expand the VR EternalBlue policy (it should appear above the WannaCry policy in the tree)

Forescout Test Drive Lab Guide 29

Incident Response

Click Vulnerable.

You will see a list of devices that are still vulnerable to this exploit, and therefore to WannaCry.

Like the WannaCry-infected devices, you can take several steps to remediate these devices.
You could use policy to:

• Quarantine them to a remediation VLAN.

• Start the update process so that they receive the required patches.

• Notify the users of the vulnerabilities.

We are not going to take any action on these devices in this task.

30 Forescout Test Drive Lab Guide

 Incident Response

Task 3: Add WannaCry-Infected and Vulnerable Hosts to the Dashboard

Because of the critical importance of this issue to your company, you are going to create a custom dashboard
to track the progress in identifying and eliminating infected and vulnerable systems.

Open the browser. If the Dashboards tab is not showing, click Dashboards at the top of the
page.

Click the Add Dashboard (+) icon to the right of the dashboard names at the top of the page.

The Add Dashboard dialog appears.

Name your dashboard and select Public for the privacy setting. This will enable other users to
see the dashboard.

Forescout Test Drive Lab Guide 31

Incident Response

Click Save.

Your new dashboard is created, but it is empty. Let’s add some widgets.

Click the + Add Widget button.

The Add Widget wizard appears.

Select Sub Rules for the Data Type.

Click in the Data field and search for WannaCry. Select the Infected checkbox.

Infected is added to the Data field.

Click the caret at the right of the Data field to close the search fields.

Select Trend as the Chart type.

32 Forescout Test Drive Lab Guide

 Incident Response

Click Next.

Give your policy a name and click Next.

Review the policy summary and click Finish.

Your widget is added to the Dashboard. It may take a minute to populate. It shows the number of
WannaCry-infected devices over time, enabling you to track your progress in eliminating the
threat. You can change the chart’s timeframe using the drop-down menu.

Over time, as additional hosts become infected, or as infected hosts are remediated, this widget
will enable you to track your progress in addressing this incident.

Now try adding a widget using the above steps for the VR EternalBlue policy. Use the
Vulnerable sub-rule.

Minimize the web browser when you are done.

Follow Up
• How can the Forescout platform affect your response time for zero-day threats and vulnerabilities?
How would a faster response time benefit your business?

• How would the ability to automatically act on compromised or vulnerable endpoints change the way
you currently address vulnerabilities?

Forescout Test Drive Lab Guide 33

Segmentation

Segmentation

Scenario

Although the Forescout platform helped you quickly gain control during the WannaCry
outbreak on your network, you realize that you need to reduce the attack surface on your
network to slow the spread or even stop these types of threats. You need to ensure that
your devices only have access to the resources they need and nothing more.

You know that Forescout has a product, eyeSegment, that helps you design, plan, and
deploy dynamic segmentation across the extended enterprise. You contact your Forescout
Sales Engineer to start a trial of that product. Your SE helps you to define some basic
eyeSegment policies for your network.

Network segmentation is not a one-time project. As your network grows and evolves, you need to constantly
monitor, adapt, and grow revise your segmentation strategy.

eyeSegment simplifies the process of creating context-aware segmentation policies. It facilitates visualization
and simulation of policies—prior to enforcement—for proactive finetuning and validation. You can see the
traffic flowing between the various parts of your network, design segmentation polices for that traffic, and
simulate the impact of those policies before implementing them. Then you can implement control across
diverse enforcement technologies and network domains through a single policy framework.

Before you begin

• How do you currently monitor the communication between the various parts of your extended
enterprise network?

• What is your current segmentation strategy? How do you enforce it uniformly across your different
network technologies?

• What challenges are you currently facing in your segmentation efforts? How are you minimizing the
possibility of business disruption during the rollout of your segmentation project?

In this lap, you will:

1. Use eyeSegment to visualize the traffic on the network.

2. Identify a traffic flow that should not be occurring.

3. Modify an eyeSegment policy to enable some traffic.

4. Create a policy to address the traffic that violates the segmentation rules.

34 Forescout Test Drive Lab Guide

 Segmentation

Task 1: Visualize Your Network Traffic

In this task you will examine the traffic flows on your network.

Open the Chrome browser from the console devices taskbar.

If you still have the Dashboard open, click the Segmentation tab. Otherwise, from the bookmark
bar, select eyeSight > eyeSegment.

The eyeSegment login page appears.

Log in with the prepopulated credentials. If the credentials are not already populated in the login
fields, use the following:

Username: admin
Password: 4Scout123

The eyeSegment matrix appears. The matrix shows traffic sources down the left and
destinations across the top. A dot in a cell indicate that traffic was detected from the source to
the destination indicated by the cell. You can easily see where your traffic is coming from and
where it is going to. You can also see how many endpoints seen with eyeSight all covered by
the traffic matrix.

Forescout Test Drive Lab Guide 35

Segmentation

Click the Policy Visualization toggle to see which traffic is being affected by your segmentation
rules.

The red indicates that all the traffic seen would be denied by your segmentation policy. The
orange indicates that some of the traffic seen between those would be affected by your
segmentation policy.

Click the Policy Visualization toggle again to turn off the overlay.

36 Forescout Test Drive Lab Guide

 Segmentation

Task 2: Identify Segmentation Rule Violations

There is a lot of traffic shown in the matrix. However, eyeSegment makes it easy to find the traffic that violates
the rules that you configured.

To the right of the eyeSegment matric, click the circle next to Traffic Violations.

The matrix displays an exclamation point in the cells that contain traffic that violates your
segmentation rules.

One thing that immediately stands out to you is that your printers are sending information to the
Internet zone.

Double-click the cell at the intersection of the Printer Zone and the Internet.

A table of the traffic from the Printer Zone to the Internet appears.

If you want to see more detail about the traffic, click the Occurrences value.

You can see the traffic broken down by source IP, the timeframe when the traffic was seen, and
more. What other types of information can you see?

Forescout Test Drive Lab Guide 37

Segmentation

Task 3: Modify an eyeSegment Policy

You are going to modify your eyeSegment policy to allow the NTP traffic from your printers to the Internet.

Click eyeSegment Policy in the menu on the left of the page.

The list of policies you developed appears. You know that the Printers Zone is a subset of your
IoT devices. There is already a rule for the IoT to Internet traffic. This is the rule you are going to
modify.

38 Forescout Test Drive Lab Guide

 Segmentation

Select the checkbox next to the IoT to Internet and click Edit.

The eyeSegment policy editor appears. You are advised that the violations of rules being
simulated will be cleared from the policy table. That is okay. Any new traffic that violates the
modified policy will appear in the table.

Click Add Exception.

Select Printers Zone from the Source Zone drop-down list.

Keep the Source Filter field blank and leave the default value, Internet, in the Destination Zone.

In the Services field, type NTP and then select ntp/123 (UDP).

Your rule should look like this:

Click OK.

The exception is added to the eyeSegment policy.

Click Save.

Forescout Test Drive Lab Guide 39

Segmentation

Click eyeSegment Matrix in the menu to the left.

Notice that the traffic violation icon has been removed from the Printer Zone to the Internet cell.
This is because you modified the policy.

The next time that the printers try to communicate to the Internet using FTP, you will see a
violation in this cell. If you come back to this screen later, you will see a traffic violation. Drilling
down on it will now show only the FTP traffic as a violation.

Next, you will build a policy in the Forescout console to handle the traffic violations.

40 Forescout Test Drive Lab Guide

 Segmentation

Task 4: Create an eyeControl Policy to Address the Traffic Violations

Now that you have identified and simulated the traffic violations, it is time to act. You will use eyeControl to
enforce your segmentation policies.

Switch back to the Forescout console. Click the Policy tab.

Expand the Policy tree: Policy > 4.0 Control > (eyeSegment) Network Segmentation and
click Violations.

Click Add.

The policy rule wizard appears. You will use a template to create this policy. Although you could
use a policy template, you are going to create this policy from scratch.

Forescout Test Drive Lab Guide 41

Segmentation

Click Custom at the bottom of the template list and then click Next.

Type Printer to Internet Traffic Violations in the Name field. You can also add a description.
Click Next.

The Scope dialog appears.

42 Forescout Test Drive Lab Guide

 Segmentation

In the IP Address Range dialog, select Nakatomi Trading Corp. from the Segment drop-down
list and click OK. Click Next to continue.

The Main Rule page appears.

Create the Condition:

a. Click Add in the Condition area

The Condition dialog appears.

b. Type eyeSegment in the search field and click Traffic Was Denied From This Client.

c. Select IoT to Internet Restricted and click OK.

The condition is added to the policy.

Remember, that was the eyeSegment policy that we modified to allow NTP but still deny FTP
traffic.

Forescout Test Drive Lab Guide 43

Segmentation

Create the Action for this policy:

a. Click Add in the Actions area.

The Action dialog appears.

b. Expand the Notify folder and click Send Email.

We could take a variety of actions on the endpoints that violate the eyeSegment rule. We
could block the endpoint from the network, block the specific traffic, create an incident report
in our ticketing system, and more. For this exercise, we are simply going to send an email.

c. Change the following values:

To: [email protected] (or, use your own email address)

Subject: FTP Traffic Violation

Message Add a bit more description above the Host Information, such as “The printer
below was creating an FTP connection to the Internet, which violates company
standards. Please check the printer configuration.”

44 Forescout Test Drive Lab Guide

 Segmentation

d. Click OK.

The Action is added to your policy.

Uncheck the Enable checkbox next to your action.

This is to prevent the system from actually sending email messages for each violation. If you
added your own email address, you can leave it checked to see the results of your policy.

Click OK to save the policy, and then click Apply to activate the policy.

Click the Home tab and expand the policy tree: Policies > 4.0 Control > (eyeSegment) –
Network Segmentation > Violations. Click the Printer to Internet Traffic Violations policy.

You can see the devices that have violated the rule you modified in eyeSegment.

Follow Up
• Do you currently have any segmentation projects? Could eyeSegment hep you accelerate those
projects? Reduce the risk of downtime?

• Do you currently have specific situations where eyeSegment could help you reduce your attack
surface?

• Do you have any gaps in knowing which of your devices are talking to others? To the Internet? How
do you currently keep track of that information? How are you notified when violation to your corporate
policy occur?

Forescout Test Drive Lab Guide 45

Take the Next Step

Take the Next Step

Learn more about how you can drive your security initiatives forward using the Forescout platform. We offer
several complimentary options to further boost your knowledge, help engage your peers and share the
business benefits of agentless visibility, policy-based control and multivendor security orchestration.

• Spend 10 minutes with the Forescout Business Value ROI Tool. This tool, based on IDC’s
methodology, provides statistical analysis of the business impact the Forescout platform can deliver
to your organization. It generates a custom ROI report that you can share with co-workers.

• Visit forescout.com for more information, including details on our growing list of Forescout
products that share device context between the Forescout platform and many of the security and IT
management tools you use today. Forescout eyeExtend modules can help automate policy
enforcement across disparate solutions, accelerate system-wide response to mitigate risks and
increase productivity in multiple ways.

• Contact Forescout to set up an appointment:

[email protected]
Tel: +1-866-329-9352

© 2020 Forescout Technologies, Inc. All rights reserved. Forescout Technologies, Inc. is a Delaware corporation. A list of our trademarks
and patents can be found at www.forescout.com/company/legal/intellectual-property-patents-trademarks. Other brands, products, or
service names may be trademarks or service marks of their respective owners.

46 Forescout Test Drive Lab Guide