Network access control and endpoint security is critical for many businesses, but highly regulated industries -- such as the financial vertical -- are under even more scrutiny to ensure their networks and endpoints are protected at all times.
That's one reason why Bremer Financial Corp. -- which offers banking, investment and other financial services throughout Minnesota, North Dakota and Wisconsin -- deployed ForeScout Technologies' CounterACT technology. The software provides the bank with real-time network access control (NAC) and visibility across all its endpoints and in the process improves regulatory compliance and security without impacting the user experience.
"ForeScout has given Bremer the ability to dynamically see all the known users, devices and applications on our network with a tremendous amount of detail and the means to perform actions in a single pane of glass," said Joseph Thornell, security technical architect for Bremer Bank. "The insight and granularity of the tool has been an invaluable asset."
ForeScout CounterACT: An agentless approach to network access control
This wasn't Bremer Bank's first time deploying NAC technology. The institution -- which has approximately 1,900 employees throughout its 87 bank branch and corporate locations, and about 4,200 endpoints, -- had a legacy NAC product in place that was very difficult to implement and maintain, Thornell said.
"It actually caused more disruption than value. We experienced a lot of incorrect identification of our devices, and the inability of the prior tool to work properly created downtime and consumed IT's time because they were always troubleshooting and working out the issues," he said. "This led to serious frustration for our users, so we needed to create a more reliable method for corporate identification."
The legacy technology's modest capabilities allowed Thornell to apply access restrictions to known, managed devices. But Bremer Bank needed a more reliable, evolved NAC strategy that would align better with management processes. CounterAct's agentless approach to NAC was especially appealing, Thornell said, because the application reduced management overhead.
Increased visibility and control with ForeScout CounterACT
With the help of ForeScout CounterACT, compliance pressures have been reduced, Thornell said. Bremer Bank now has the ability to manage its corporate devices, while providing additional access points for guests -- like vendors and meeting attendees -- as well as for employee-owned mobile devices. The IT team is using CounterACT to block any threatening devices from gaining network access to sensitive IT resources and unapproved applications.
"Due to ForeScout's lightweight, non-intrusive and dissolvable agent, we can set policy to better ensure what we want to allow and respond to what we don't want or allow," Thornell said.
Before ForeScout, the IT team could only see whether a connected device was owned by Bremer. "Now, we can automatically classify devices by vendor type and operating system, and see every installed application on that device -- like Bremer apps or even personal apps [employees] managed to install," he said. "As we've gained insight into what is on [employee] computers or installed programs, we can see how they came to be and are firming up our processes around what they can install and how they can go about installing it," Thornell said.
Thornell and his team can also create rules around antivirus updates and patches to ensure compliance across all locations -- including remote offices-- without having to send an IT staff member to the site. "Bremer is able to install and update applications, and even block software according to policy," he said.
Additionally, ForeScout's ControlFabric technology allowed Bremer to integrate CounterACT with its networking stack and specific tools, like its IBM Security QRadar Security Information Event Management (SIEM) system. "With the CounterACT platform, we are able to put the added operational oversight to work and tie the intelligence we gain from ForeScout into other systems -- such as switches for guest management and blocking rogue devices -- and our SIEM [system], which is invaluable," Thornell said.
Long term, Thornell plans to integrate more of Bremer's network and security tools with ForeScout CounterACT. "Their ControlFabric architecture can facilitate interoperability with other systems, such as our wireless network provider, enterprise mobile management and vulnerability assessment scanning … to extend the scope of our controls," he said.
ForeScout CounterACT helps Florida College rein in BYOD
Five considerations when choosing network access control tools
ForeScout integrates with MDM vendors
Dig deeper on Network Access Control