Missouri’s Information Technology Services Division supports 14 state agencies and about 40,000 employees across more than a hundred state offices. While those numbers were established, the number of devices on the network and their security status were not.
In 2012, Missouri State Chief Information Security Officer Michael Roling asked this question of his staff as they were about to complete a routine compliance audit: “Exactly what devices are on our network, and are they all secure?” Not having a clear answer to that question was a big problem.
As Roling explains, “You cannot secure what you do not manage, so I wanted to see what was not managed and reduce risk by understanding what was happening on our network.” The goal was to ascertain the status of all the devices on the network.
That meant covering officially sanctioned, managed devices like HVAC systems and camera systems used by the Department of Corrections, as well as discovering devices on the network that were not sanctioned. “We were surprised by the number of devices not managed,” Roling recalls.
At the time of the audit, the IT Services Division was already in the process of reviewing solutions to this problem, but the findings of the audit demonstrated the urgency of applying for funding to address it. The first solution they considered did not meet their needs due to a lack of proper documentation about how it would be deployed on the network.
Finding a Solution to Meet the State’s Security Needs
Looking for another solution, Roling found ForeScout CounterACT in the Gartner Magic Quadrant for Network Access Control. He reached out to the company to request a proof-of-concept evaluation at one of the state’s agencies that had about 1,500 endpoints. The vendor deployed the system in a few hours, and it ran for 45 days, uncovering the devices that didn’t meet compliance policies.
The agency that was evaluated was sold on the product, which was the key to moving forward because that agency was in charge of the funding. “We planted the seed in that agency to highlight the success,” Roling says. It worked.
At the time, Roling’s team was building a case for a dedicated security budget. Among the items they were requesting was extending ForeScout to all state agencies. Getting the sign-off on that took about a year.
Roling reports that a number of ForeScout’s features contribute to the state’s security goals. For example, the continuous endpoint protection support ensures that endpoints are patched and up to date. The system also issues daily reports on compliance for machines, allowing his staff to be informed and take required action quickly.
Another benefit of this technology is that it plays well with other network security products via ControlFabric Architecture. What that means for him, Roling says, is that they don’t have to make sacrifices when moving from one product to another.
For instance, the state had been using MobileIron but is transitioning to AirWatch. ForeScout accommodates both, making the shift work well without any loss of security features. It also makes it possible to automate tasks that analysts would otherwise have to handle.
Another example of integration is how ForeScout works with FireEye. When FireEye identifies malware on a machine, it communicates that directly to ForeScout, which immediately quarantines the machine. Since this happens automatically, staff members no longer have to drop what they’re doing to attend to the alert.
“We’ve been very pleased,” Roling reports. “It’s a unique product that plays nicely with a security stack as complex as ours.”