0:00 I'm going to let Jesse have it, right, because he is a smart man in the room, and let him have the floor. 0:05 So Jesse, it is yours. 0:09 Great. 0:09 Thanks, JT. I'm going to go ahead and share my screen. 0:13 Thank you everybody for joining us today. 0:15 Just a little background about myself, make sure I get this shared here. 0:19 OK, great. 0:20 Yeah, my name is Jesse Davis. 0:22 I've been with Versa now since July 2020. 0:25 And actually before that, I was a customer at a very large enterprise. 0:30 So I've seen both sides of it. 0:31 I've seen our platform evolve from the early days of just strictly SD-WAN, 0:36 with some of that inherent security capabilities at the edge. 0:41 But over the last four years especially, we've really become a true unified platform from the security, the SSE and SD-WAN side. 0:50 And that's what's great. 0:51 I know JT touched on it. 0:53 It's a great point is that from an SSE and SASE perspective, it's completely integrated with your existing SD-WAN fabric. 1:01 And so one of the main benefits is that not only do you get that single pane of glass for management of your policies and structure, but also those remote access users, when they connect to your secure web gateways, they get that instant access to the rest of your SD-WAN fabric. 1:18 So there's a lot of goodness there. 1:20 So today's focus is about endpoint information profiles, or in other words, this is host posture checks, right? 1:27 So this is how we are validating that the endpoint meets a set of defined requirements. 1:34 So for today's talk, I've just laid out a couple examples here. 1:37 There's many different categories that we can choose from that you can look at on the endpoint to determine whether a device is in or out of compliance. 1:46 And it's very flexible in how you do it. 1:49 Here, for example, I've got four. I'm going to do a Windows domain check. 
1:54 So here we're quite literally looking to make sure that this PC that I'm going to test with is part of a predefined domain. 2:01 We're also going to check the status of our Windows firewall. 2:04 And of course, we're not just checking that it's installed or even configured, but we also need to make sure that it's running at all times, that if it stops running, we're going to detect that and we're going to take some sort of action. 2:16 We can also look at things like anti-malware. 2:19 So in this case, we're going to look at Windows Defender, same style here. 2:23 We're going to make sure that it's installed, whether or not it's configured. 2:27 We can, in this case, I'm actually not looking at it, taking the default settings. 2:31 So there's no custom configuration. 2:33 But is the service running? 2:35 And also is real-time protection enabled, right? 2:37 So if we disable that, that would be considered a posture violation. 2:41 And then we can also do custom type checks. 2:43 So here I've got an example: you can actually read into the registry to, for example, test for the presence of certificates. 2:50 That has numerous advantages. 2:53 Things like a way to validate if a machine is, say, Azure Active Directory (AAD) joined; you can do that in a certain place that those machines will pull a certificate. 3:05 Really, you can read into the registry and iterate over any key to make that determination. 3:11 We'll also do some other things here. 3:12 I'm going to pop over in our demo. 3:14 We'll show some things like. 3:16 Let me go ahead and open my rule here. 3:29 We're going to do some CASB demos, so we're going to restrict some actions to different things like Box, YouTube, LinkedIn, and specific to YouTube. 3:40 What we're going to do is we have the ability to take action or prevent action. 3:45 So for example, you can allow your users to open up YouTube. 
3:48 They can search for videos, but maybe we don't want them under their corporate account that they've used to log in, for example, and access YouTube. 3:57 Maybe we don't want them providing feedback because that could potentially be opinions associated with our company. 4:02 So we can prevent comments, we can prevent them from liking and disliking, you know, different things like that. 4:08 So I'm going to go ahead and jump in and please, along the way, stop me, ask any questions. 4:13 This is definitely meant to be interactive. 4:16 So the first thing we're going to do here is I'm going to pull up my client, and what I did is in the background while JT was talking, I went ahead and generated this alert here. 4:25 And what happened here is I actually stopped the firewall service on this machine. 4:30 I then attempted to connect, and what we did is we blocked that connection. 4:34 So that's one method for handling a device that is not in posture. 4:38 So that's kind of the easy one though, right? 4:41 The machine goes to try to connect to the gateway, we see that it's not compliant, and we simply block that connection. 4:48 What we can also do though is, what happens if that posture is good when the client connects, 4:54 then mid-session something changes and now the machine is no longer compliant? 4:59 What kind of things can we do there? 5:01 So let's go ahead and get connected here. 5:05 The first step here is you can see I'm about to pick a certificate. 5:08 That's because we're enforcing 2 layers of authentication here. 5:10 Not only are we authenticating the device, so that certificate check there, we've got to be authenticated to ensure that the machine has a valid certificate. 5:20 We're also then going to authenticate the user. 5:22 So right away we're enforcing some very strict postures here, not only for the user, but the device that the user is signing in on by app. 
5:30 So I'm going to run through just a couple of examples here that we talked about. 5:41 I get my browser open. 5:42 I like to go right into Incognito mode because, you know, we want to ensure that everything that we're going to do here today is live, right? 5:50 There's no cached pages here. 5:53 There's my full tunnel connection. 5:55 Let me launch this again. 5:56 I apologize. 5:57 I think my full tunnel connected, it interrupted my own sessions, and I get logged back in. 6:14 OK, there we go. 6:15 So we're back on. 6:16 You can see we're still connected here. 6:17 We can see to our time. 6:19 So I'm going to go ahead and just run through a couple examples here. 6:22 For example, this is a good one. 6:24 So one way that we can combat data exfiltration. 6:27 So, for example, we want to allow our users to legitimately log in for cloud storage purposes. 6:34 Maybe they can upload, do a couple actions, but we don't necessarily want them to be able to pull down or extract data out of a site like, for example, box.com. 6:44 So what we can do is write some controls so that if a user attempts that download action, we can actually block that and then flash an alert on the back end. 6:53 Of course, there'll be a log alert generated at Analytics, so we have historical tracing there. 6:58 We'll look at that here in a minute. 7:00 We can also take sort of a harder stance for things like social media. 7:05 Maybe while users are on a company asset and connected to the network, we don't necessarily want them accessing different types of social media. 7:12 So here, just a very quick example of what I'm going to do is I'm actually going to block a login here to LinkedIn. 7:19 All right, so we went to go sign in and we're going to go ahead and block that action. 7:23 But we could be a little more flexible. 7:25 We could allow the users to log into LinkedIn and then take away or block certain actions once you're inside LinkedIn. 
7:33 One of the other features that we have is we can also do a SaaS tenant restriction. 7:38 So this is a really powerful feature here. 7:40 And what this allows you to do is also combat sort of that data exfiltration. 7:46 And when users are on corporate devices, we don't necessarily want them to be able to access things like personal O365 accounts or maybe personal Gmail accounts. 7:57 So what you can do is you can whitelist when it comes to O365, you can whitelist tenants, right? 8:03 So in this case, for example, I have whitelisted other tenants, but not my corporate versanetworks.com tenant. 8:11 So if I go ahead and try and log in here, we're actually going to block that, right? 8:15 And it shows, it says, Microsoft's good about this, 8:19 "Your network administrator has blocked access." 8:21 Now, if I were to try to log in with a different permitted tenant, then I would be able to go through. 8:27 And we can do the same thing with things like Google, for example. 8:30 We don't want users logging into personal Google accounts and then maybe uploading corporate documents and saving them to their personal drive. 8:39 So in this case, I have restricted personal accounts. 8:41 So if I try to log in with my own personal account here, the expectation is, yeah, we're going to go ahead and block that. 8:48 But maybe we use Google Docs or we have, you know, corporate accounts through Google Workspace. 8:55 In that case, we do want to allow that access, right, with some controls around it. 8:59 So in this case, I am going to be able to, well, let me see there. 9:12 OK, so now I'm logged into Google, but I'm under my corporate account, right? 9:15 I've placed some controls around that. 9:18 So then we can get into, because there's a lot of services that launch off of Google, things like YouTube. 
9:24 So while we allow our users to use, say, Google Workspace in their corporate account, what we don't want them to do is to be able to actually do things, post feedback, for example, while watching videos on YouTube. 9:37 Go ahead and mute this. 9:38 So we're going to go ahead and pull up one of our videos here. 9:41 And what I'm going to do is, while I do want my users to be able to search, pull videos, watch videos, there's legitimate training purposes. 9:50 What I don't necessarily want them to be able to do here is leave a comment. 9:55 So the expectation is when somebody tries to post some feedback against this video, we want to restrict that action, right? 10:02 I think we'd see here we've taken away their ability to actually post comments to this video, again, because I'm logged in with my corporate Workspace account. 10:12 And sometimes companies can be sensitive to views and opinions of their employees that don't necessarily reflect that of the company. 10:20 OK, so just a couple things there. 10:23 So what I'm going to do now is I'm going to go ahead and create a violated condition. 10:26 So just to level set here. 10:28 So if I check the status of my firewall state for all three profiles, domain, private and public, we can see that it's on. 10:36 But I'm going to go ahead and turn that off. 10:38 And we're going to go ahead and look in Analytics here. 10:40 So I'm going to set the state to false. 10:43 So I got a nice little pop-up there for Windows. 10:46 Now we're off. 10:46 So now we've created a violated condition. 10:49 And so one of the things we can do, I'm going to shift over to Analytics, is when we first looked, if you remember, I showed you when I tried to connect right up front and I was in a posture-violated status, we blocked that connection, right? 11:02 And that's great, right? 11:03 We're not letting a violated machine on the network. 11:07 But what happens if we let a compliant machine on the network, then their posture changes? 
11:13 What we can do then is a number of things. 11:16 So right away what we can do is we can take them out of their permissive firewall and access status and really put them in a restricted environment. 11:27 And the goal there is what we want to do is we can give them access to a limited set of resources of our choosing. 11:35 For example, one of the things that I see customers do is to try to reduce that friction when somehow a client, customer or employee has become non-compliant. 11:46 Maybe we don't necessarily want to just take away everything and then they've got to pick up the phone and call the help desk. 11:51 What if we could do things like capture all their traffic, deny everything except redirections to our internal corporate portal, and at that point they could, say, open a support ticket or even allow remote access? 12:06 So from a firewall perspective, we're going to look before and after here. 12:11 When I go into first my EIP log, what we need to do is we need to report on this event so that our operations teams, our help desks have some awareness, because in this example, we've got a profile here called EIP Profile fail. 12:24 So that's our first clue to the operations team. 12:28 OK, here's a user on this resource with this IP. 12:32 There's the name of the profile, and in that profile 12:34 there may be many checks, right? 12:36 I showed you four, but we could be checking for 6, 7, 8 things. 12:40 And any number of them can produce the same condition where I have a user that no longer has access to resources because they failed a posture check. 12:49 But what we're going to do is we're going to extract and report the exact failure. 12:52 So in this case, it detected my Windows firewall service has failed. 12:56 And what that does is it gives that operations team that immediate triage ability. 13:00 They can see, OK, something has happened here with this firewall check. 13:05 We can go compare what it should be to what it is now. 
13:09 We're also going to expose this in our firewall logs. 13:13 So when we look here, if we notice, before the posture check failure, we were just simply matching various rules allowing this traffic. 13:23 In the redirection and failure scenario, we're still going to allow this traffic, but now they're matching a different rule, right? 13:30 And the reason we allow it versus the straight deny is we need to take in that traffic, but we're really intercepting and redirecting it. 13:38 So while a user may be trying to go to, say, google.com, we're intercepting that in real time and we're redirecting them to somewhere of our choosing. 13:46 So let's take a look here and see what this looks like. 13:49 So by just trying to pick a website here, what we're doing is we're actually acting like a captive portal. 13:58 We have intercepted that request and we are redirecting them to an internal site. 14:04 And it doesn't matter what I try to look at, still on, go to another one. 14:07 We're still going to capture it, right? 14:09 Let's say they send non-web traffic. 14:12 Well, we're still going to block that, right? 14:14 We're still going to deny it. 14:15 Obviously, though, we can't redirect on something like an ICMP, but we're still protecting our internal resources, right? 14:21 This user, it doesn't matter what type of traffic that they generate. 14:26 If it's web traffic, this is how we interact with the user in a safe way, right? 14:31 They're trying to do something. 14:32 They failed their posture check compliance. 14:35 We're redirecting them to the site. 14:37 The goal here is maybe there's a little bit of self-help. 14:39 So we've blocked all their access except their ability to, say, get into your internal support portal. 14:46 And this can be anything you want. 14:47 It could be, say, maybe there's a checklist of things that users can go through, self-help, self-remedy. 14:54 That's the goal here. 
14:55 What if also maybe we don't want to allow them anywhere except what we want to do is we're going to go ahead and allow our remote operations teams to take over this machine. 15:05 And that's what I've done here in the background is I've gone in over the network to this machine that is effectively quarantined. 15:11 And we're allowing our, let's say our OPS team, OPS desk, for using something like TeamViewer. 15:16 So now I can come in, I can troubleshoot. 15:19 I saw in the log, OK, the firewall service, something happened. 15:23 I see it's off. 15:25 Well, we need to go ahead and get that re-enabled and get this user back into the clients. 15:28 So we're going to go ahead and re-enable that service. 15:32 I as the OPS guy did that, right? 15:36 I don't have to rely on the user to do that. 15:38 And then when we're done, we're simply going to drop out because this user's going to go compliant, right? 15:44 So let's go ahead and take a look here. 15:45 When we look into our logs, let's just do a quick check so we can see we re-enabled our firewall service. 15:55 So this should now go on for all three profiles. 16:17 We'll come back to that, a little bit slow. 16:19 Come back. 16:21 So let's go back into here, and what we're going to see here in less than two minutes. 16:29 JT, can you still hear me? 16:33 Yes, we can. 16:43 Hello. 16:45 Can you hear us OK? 16:48 Yeah, I can hear you guys. 16:49 I apologize. 16:50 I'm not sure what happened there, even though my Internet dropped out for a minute. 16:56 Can you still hear me? 16:56 OK, Clint? 16:57 Yeah. 16:58 We hear you, sound great. 16:59 OK, yep, sorry about that. 17:01 So just to close this out, what I was doing is showing that we've re-enabled our firewall service. 
17:06 We're going to come back into Analytics, and what we'll see is in about 30 seconds or so our traffic for our user is going to start to move out of this restricted redirect and now we're going to move back into compliance, right. 17:20 So we now have full access restored. 17:22 We re-enabled our firewall. 17:25 Our posture is now good. 17:27 So if I go back into my machine here and now, I'm going to try to access a couple things and see if we've got things opened back up because we're now compliant. 17:35 Almost there. 17:36 So we're looking at my timer here. 17:38 Yeah, we're about 15 seconds out. 17:42 As JT mentioned, we can do this posture check as fast as 5 seconds. 17:45 Right now, 17:46 I just had it set to the default of two minutes. 17:49 How fast you do it is really a product of how many items you are checking. 17:53 Because we've got to find that sweet spot between we're constantly polling the machine for posture changes, but we also don't want to have a negative impact on the performance of the machine itself. 18:04 So generally it's a game between how fast you want to detect it and how many items that you're detecting while you're doing that. 18:12 OK, so we got our access restored. 18:14 We've reported to the gateway that we're now compliant. 18:16 So if I go ahead and pull up any website, my traffic is fully restored. 18:21 So that's one way we handle the posture check, right? 18:24 Failure is that we didn't just simply drop the user. I'm going to bring that up here; you can see my connection has been up for 12 minutes, almost 13 minutes now, so we didn't have to disconnect them and I didn't have to re-authenticate, right? I didn't get any screen pop or anything like that to say, hey, who are you, or re-authenticate. 18:43 We just simply did that dynamically. 18:44 We detected it, we reported it. 18:47 We dynamically shifted the user to a different set of permissions. 
18:50 Once they were remedied, we brought them back to their original posture. 18:54 So I'm going to go ahead and close this out. 18:57 I think that's all that I had. 18:59 I'm going to turn it back over to JT and Clint and I'm happy to answer.