Protect Against Ransomware Using Forescout CounterACT – Part 2: Anti-Virus Compliance


January 22, 2020

Although anti-virus software has never solved the problem that it was created to answer, it has been a part of information technology for over 30 years. Love it or hate it, every Windows device still needs an endpoint anti-virus product. Windows servers and workstations are vulnerable to all types of viruses and malware and are particularly vulnerable when the anti-virus software is not up to date with the latest signatures, running or not installed at all. If a device isn’t compliant it has no chance against ransomware. It only takes one non-compliant device for the entire network to be compromised.

Ransomware is the most heinous type of malware created. It encrypts the files of the infected computer as well as files across the network until a ransom is paid to the bad guys for the decryption keys. The number of reported ransomware victims grows every day. Brian Krebs reported in November 2019 that a MSSP for hundreds of nursing homes had been infected, endangering the lives of its patients. The ransomware infected all the company’s hosted customer data. The ransom demanded was $14 million dollars. Mr. Krebs also reported in the same month about a global veterinary care provider that had 400 local practices infected with the Ryuk ransomware. It was the company’s second Ryuk outbreak in 2019.

This article is the second in a series detailing Forescout CounterACT as a tool to defend against ransomware. The first article can be found here. At its core, CounterACT is a network access control (NAC) solution that, due to its agentless capabilities, can see, control and respond to all managed and unmanaged devices on the network. It provides an accurate device inventory, continuous compliance enforcement, policy-based access control and rapid response to security incidents. Using CounterACT can be a preventative as well as a reactive solution for ransomware.

Devices are missed. Agents are missed. Too often cybersecurity products rely on their own agent to determine if devices have the agent installed. How can the solution see a device when that device doesn’t have an agent installed? How can the solution see that the agent has stopped working on the endpoint without a functioning agent? This visibility paradox is also true with anti-virus agents and software.

For all organizations regardless of size, and for both centralized and decentralized networks, Forescout CounterACT finds and identifies network connected devices, workstations and servers, operating systems, installed applications as well as anti-virus status automatically, in real-time, and continuously without the need for an agent. CounterACT assesses the manageability of all Windows devices and determines their compliance condition including the status of the anti-virus software. CounterACT integrates with over 30 different brands of anti-virus solutions including the most popular EDR solutions such as CrowdStrike, FireEye and Carbon Black. CounterACT can confirm that the latest software and agents are installed as well as running, and the signatures are current. If any computers are non-compliant, CounterACT can report on, quarantine or remediate the devices.

For organizations that have deployed Windows Defender as their primary endpoint protection solution, Forescout integrates with Microsoft SCCM, WSUS and Intune. Without an endpoint NAC agent, CounterACT can detect the devices that have or do not have Defender enabled as well as determine which devices are current with updates. CounterACT can automate the remediation of devices that are deficient through its integration with Microsoft’s asset management tools.

As with patching, the strategic goal for anti-virus is 100% compliance but CounterACT can minimize the exposure of the non-compliant devices. CounterACT can take automated restrictive actions for devices that do not have anti-virus agents installed or devices where the signatures are woefully out of date. These actions can include disabling USB ports, restricting a device from the Internet, blocking non-compliant endpoints from joining the network or putting them in a quarantine VLAN such as blocking the device from critical resources.

As an example, in 2016, after several ransomware infections at a large regional hospital with 14,000 endpoints, Castle Ventures developed and implemented an operational policy where CounterACT continuously confirms that the McAfee anti-virus agent is installed and running on every Windows device and remediates the computers that are non-compliant. If a device joins the network that has signatures that are more than 3 days old, a remediation request for the help desk is created by CounterACT by sending an email to the ticketing system with detailed information about the endpoint including the physical location. If a Windows endpoint is detected to have signatures that are more than 6 days old, CounterACT quarantines it by blocking the computer from the Internet and creates a support request to have it remediated. There have been no further ransomware infections at this hospital since this policy has been implemented 4 years ago.

Anti-virus compliance is just one aspect of Forescout’s powerful ransomware defense. In the next article, we will examine how Forescout can detect advanced threats such as ransomware.

CounterACT See, Control and Respond
  • Agentless
  • See all network connected devices
  • Provide real-time and continuous visibility
  • Determine if workstations and servers have anti-virus software installed, running, and with up-to-date
  • Notify the SIEM, anti-virus management software, help desk, and ticketing system which devices need anti-virus software remediation
  • Integrate with WSUS, SCCM, anti-virus solutions, scanners, and asset management systems
  • Automate the remediation of non-compliant devices
  • Mitigate the risk of workstations and servers that can’t have anti-virus software installed

If you have any questions about Forescout and ransomware or want to see CounterACT in action on your network, contact me at ghedge@castleventures.com.