
Promisec & NAC

NAC is a group of security management utilities that enforce which systems are allowed on the production network. Most NAC offerings include an agent, which may not be deployed on all endpoints or may not be configured properly. The result is that the picture of the real IT status can be partial and inaccurate, so the information propagated to SOC / NOC systems does not reflect the true state of the environment.

Integrating network access control (NAC) solutions with Promisec can help broaden user and machine identities, which can then be used to strengthen every policy across the organization.

Let’s assume the NAC solution deployed in the organization is Portnox and start with two scenarios that happen in nearly every customer environment:

  1. Block compromised endpoints on access to a network resource.
  2. Detecting when an already authenticated client is compromised to block further access.

In a perfect world, you would stop all compromised systems from gaining access to network resources or from connecting out of the network to exfiltrate data, or, after authentication, detect that they were compromised and remove their access to secured resources. Unfortunately, if your endpoint security is not working tightly with your network security and access controls, these very common scenarios are hard to detect and control.

The Promisec, Portnox and HP solution

Addressing these fundamental scenarios means using products you likely already have in your environment (a NAC solution such as Portnox and a SIEM such as HP ArcSight) together with an advanced threat detection and remediation solution from Promisec.

The following scenarios highlight the key interactions of this solution:

Scenario 1: Block compromised endpoints on access

Imagine two endpoints accessing a network resource: one is completely clean and compliant, the other is compromised. The combined solution of Promisec, Portnox and HP ArcSight detects and handles this scenario every time.

Endpoint A: Clean endpoint

  1. Endpoint A requests access to a network resource.
  2. Portnox detects the access request and pushes the endpoint's IP to Promisec to scan the incoming system.
  3. Promisec determines that client 1 (Endpoint A) is clean and compliant with corporate security controls and notifies HP ArcSight.
  4. HP ArcSight notifies Portnox to allow access to the resource.
  5. Portnox allows access for Endpoint A.

Endpoint B: Compromised endpoint

  1. Endpoint B requests access to a network resource.
  2. Portnox detects the access request and pushes the endpoint's IP to Promisec to scan the incoming system.
  3. Promisec determines that client 2 (Endpoint B) has a compliance issue or has known malware on board and notifies HP ArcSight.
  4. HP ArcSight notifies Portnox to NOT allow access to the resource.
  5. Portnox blocks access for Endpoint B.

Scenario 2: Block newly compromised endpoints after access was granted

Imagine a client that was previously granted access to a network resource but has since become compromised. The joint solution detects this scenario, shuts down access to the network resources and places the client on a private network so the Security Operations Center can investigate further.

Endpoint A: Once Clean Endpoint, Gets Compromised, Is Then Blocked

  1. Endpoint A, which was previously authenticated, becomes infected with new malware via a client-side email attack or a drive-by attack from its internet browser; the malware turns off the local AV service to avoid discovery and persists itself to survive a reboot.
  2. Promisec, via continuous monitoring, detects both that the AV was turned off and that the malware changed the file system, and classifies this malware as a high-alert item.
  3. Promisec alerts HP ArcSight that Endpoint A is compromised by malware.
  4. HP ArcSight has a rule defined that says it should remove (quarantine) this client from the network and notify the SOC team to investigate further.
  5. Portnox receives this alert from HP ArcSight, removes the client from the network and terminates its access to the resources. It places the client on a private VLAN that keeps the client reachable, but only to the SOC team, for further investigation.
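The decision loop the two scenarios describe (NAC sees a request, endpoint scanner reports, SIEM rule decides, NAC enforces), as an added Python illustration that is not Promisec, Portnox or ArcSight code: `ScanResult`, `MonitorAlert`, the `Correlator` class standing in for the ArcSight rule set, and the quarantine VLAN id are all assumptions, not the vendors' real integration APIs.

```python
"""Correlation logic for the Portnox -> Promisec -> ArcSight -> Portnox loop."""
from dataclasses import dataclass, field

QUARANTINE_VLAN = 999  # assumed SOC-only investigation VLAN, placeholder value

@dataclass
class ScanResult:
    """Promisec's answer to an on-access scan request (assumed shape)."""
    ip: str
    compliant: bool
    malware_found: bool = False

@dataclass
class MonitorAlert:
    """Promisec continuous-monitoring finding for an admitted endpoint (assumed shape)."""
    ip: str
    av_disabled: bool = False
    persistence_change: bool = False

@dataclass
class Correlator:  # stands in for the ArcSight rule set
    granted: set = field(default_factory=set)  # IPs Portnox has admitted

    def on_scan(self, r: ScanResult) -> str:
        """Scenario 1: decide the access request of an incoming endpoint."""
        if r.malware_found or not r.compliant:
            self.granted.discard(r.ip)
            return "deny"
        self.granted.add(r.ip)
        return "allow"

    def on_monitor(self, a: MonitorAlert) -> str:
        """Scenario 2: react when an already-admitted endpoint changes state."""
        if a.ip not in self.granted:
            return "ignore"  # never admitted, so there is no access to revoke
        # AV turned off together with a persistence change is the high-alert pattern.
        if a.av_disabled and a.persistence_change:
            self.granted.discard(a.ip)
            return f"quarantine:vlan{QUARANTINE_VLAN}"
        return "allow"  # a single weaker indicator keeps access; the SOC still sees the alert

def run_demo() -> list:
    """Replay both scenarios on constructed sample events (Endpoint A, Endpoint B, A again)."""
    c = Correlator()
    events = [ScanResult("10.0.0.10", compliant=True), ScanResult("10.0.0.20", compliant=False),
              MonitorAlert("10.0.0.10", av_disabled=True, persistence_change=True)]
    return [c.on_scan(e) if isinstance(e, ScanResult) else c.on_monitor(e) for e in events]

if __name__ == "__main__":
    print(run_demo())  # ['allow', 'deny', 'quarantine:vlan999']
```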

Next Steps

These two scenarios are fundamentally about detecting and blocking a bad actor, in the form of a compromised endpoint, that may be trying to gain access to your network. You can use them as building blocks for completing your security solution picture, covering both preventative and detective measures, and in the process handle advanced threats at the earliest possible time.

Contact Promisec to better understand what Amdocs, ZIM and other global brands are enjoying about this joint solution.