The media group of global advertising, marketing and communications company Omnicom has cut costs and reduced risk without business disruption by deploying ForeScout’s CounterACT network access control system.
The Omnicom Media Group (OMG) wanted to protect network resources proactively by improving visibility of users and devices on the company network across 38 offices and 5,500 employees in Europe, the Middle East and Africa.
OMG chose the ForeScout system because it was able to support the existing operating environment due to its integrated functionality and because it was a simple appliance without software agents.
“Our main goal was to reduce and manage risk without affecting users. Some of the products out there required agents to be installed, and we already have enough of those,” says David King, regional technical services director of OMG.
“We wanted something that would operate seamlessly, and CounterACT was chosen in part for its ease of deployment, centralised management, shared policies and licensing models,” he says.
According to Gartner, ForeScout is one of the leading lights in this field, specialising in security technologies.
“We also used other products from ForeScout, and were happy with their performance and the support we received, so it made sense to explore expanding the relationship,” he says.
OMG business benefits of CounterACT
- Real-time visibility – CounterACT lets OMG see, monitor and control all devices, all operating systems, all applications and all users on the network.
- Endpoint policy enforcement – OMG can ensure that all devices are running Altiris and up-to-date antivirus and block any unauthorised applications.
- Regulatory compliance – NAC is one of the tools that support OMG’s controls and audit processes.
- Threat prevention – Systems that exhibit malicious activity, such as zero-day threats and worms including Zeus, Stuxnet and FLAME, can be blocked.
- Investigation of network performance issues – For example, when people are streaming unusual applications that are not part of OMG’s normal product suite.
- Enabling localisation of security policies – This helps cater for different data privacy laws across the region.
- Time and cost savings – CounterACT enables real-time remediation by sending automated notifications to users if, for example, Altiris is not running on their endpoint.
Deploying CounterACT across Europe
After proving the network access control (NAC) concept in the US in 2006, OMG has been rolling out CounterACT appliances throughout the international network ever since.
The system enables OMG to have an operational oversight from a security perspective, while allowing employees to use a wide variety of media and mobile computing devices.
CounterACT also enforces many of OMG’s security policies, as well as providing a way of alerting users to the dangers of potentially unsafe web services and providing safe alternatives.
In Europe, OMG deployed CounterACT initially in its datacentre two years ago and in its UK offices more than 18 months ago.
“The platform easily adapted to our infrastructure – it only took a few days to deploy,” says King. “As with most implementations, we are learning and tweaking functions, and expanding policies every month.”
Most recently, OMG deployed CounterACT in Norway, which took less than a day because of the many rules in common with the UK.
“We currently have ForeScout CounterACT in four locations in Europe, and we will be looking to double that figure next year, with deployments planned in Spain, France, the Czech Republic and Italy,” says King. The plan is to monitor at least 6,000 devices across the region.
“The system has a wealth of interoperability characteristics that allow us to deploy it in different operating environments without requiring material changes to the network and systems we already have in place at these sites,” says King.
Referring to the flexibility of CounterACT, he says one of OMG’s clients insists on using Skype for voice communications, but the fact the IT team are aware of this means they can use CounterACT to control Skype’s use and ensure compliance.
“Using CounterACT, we can readily see who has what software, and which applications, to check what is installed and that it is installed for the relevant team only. This gives us real-time oversight where we can respond as appropriate,” he says.
Keeping system defences up to date
Another critical use case for CounterACT is with regard to validating and assuring secure and standard system configuration.
In particular, CounterACT supports OMG’s implementation of Symantec’s Altiris software, a configuration management system used by operations.
CounterACT’s role is to monitor that Altiris is running on every endpoint to maintain network integrity. Should it be disabled, uninstalled or non-existent, CounterACT can reactivate or install the Altiris agent and inform the action via an alert to the ticketing systems.
The same is true for endpoint protection such as Symantec AntiVirus. So at any point in time, OMG knows that system defences are active and up to date, and do not need to solely rely on the host-based agent, which could possibly be removed, corrupted or out of date. This not only improves operations, but supports compliance processes and increases helpdesk efficiency.
“All our systems are managed by Symantec Altiris. Symantec is also responsible for our endpoint protection, but it can only manage something if it is installed on a device. With CounterACT, we have a way to check all endpoints to make sure they have the necessary security controls in place,” says King.
This is done in real time, and OMG has bi-weekly CounterACT reports for compliance. “We check the servers and desktops. Material issues are alerted to our response teams and reports are sent to our helpdesk, which can subsequently remediate any issues,” says King.
Read more on network access control
- Why has NAC, like DLP, failed to take off?
- McAfee Focus 2012: NAC supplier ForeScout joins McAfee SIA scheme
- NAC technology evolves in a BYOD policy world
- Global manufacturer revamps access control with ForeScout NAC
- NAC technology evolves in a BYOD policy world
- NAC protection: Network access control policy, deployment guidelines
- Endpoint protection advice: Improving NAC with secure endpoints
- NAC security guide: How to achieve secure network access in the enterprise
Automation saves time
The automated notifications CounterACT sends to users if, for example, Altiris is not running on their endpoint delivers massive time savings, says King, as Altiris reduces the time spent by helpdesk staff on each IT problem.
“In a multi-site environment, where we have tried to centralise the service desk, being able to manage users and resolve issues remotely [using Altiris] save minutes per call,” he says.
“At an average of 600 calls a week, that’s 3,000 minutes or one service desk person for each of three principal locations,” says King.
“Virus removal can take a significant amount of time, so the fact that we can identify potentially vulnerable machines before any issues arise, and have them self-heal, is a great benefit,” he says.
Mobile device management
Although OMG is not yet looking at strong policy enforcement and security control of personal mobile devices, King plans to use CounterACT to help prepare for tighter mobile management.
The system will help understand how mobile devices are being used by employees, contractors and guests by identifying who is using what devices to connect to network resources.
CounterACT can be passive in monitoring or can be used to enforce guest management across all wireless access points and segregate these users and their devices from the production network.
OMG wants to preserve user experience and use of personal mobile devices, but determine the scope and how to phase in a bring your own device (BYOD) policy.
“With CounterACT, I’m currently cataloguing how mobile devices are being used within our organisation, and what options employees are using,” says King.
ForeScout has a mobile security plug-in, which he is planning to explore for more granular visibility and control of iOS and Android devices.
King is also researching ForeScout’s mobile device management (MDM) integration. “I believe this will support our data privacy laws, and give us the ability to design an acceptable use policy with even stronger security requirements,” he says.