Forescout CTO exposes hidden risks in connected devices

Image created by DALL·E 3.

Managing connected devices often seems like a massive undertaking, primarily because enterprises are running blind trying to develop a strategy.

In 2020, Gartner reported that over 80% of organisations are leveraging the Internet of Things (IoT) to overcome business challenges. However, more than two-thirds of CISOs surveyed had no confidence that risks from such connected devices could be adequately addressed and mitigated.

Justin Foster, Chief Technology Officer of cybersecurity firm Forescout, believes the number of organisations using IoT has now climbed to 100%. Yet the same problems remain because of a missing link — visibility.

Foster sat down with Frontier Enterprise to chat about the evolving threat landscape among connected devices and how Forescout is trying to address it through generative AI.

Threat exposure 

Among connected devices, vulnerabilities in IoT jumped from 14% in 2023 to 33% in 2024, marking an alarming 136% increase. IT devices, which are still the most vulnerable at 58% in 2024, have seen a significant decrease from 78% in 2023, as per Forescout’s Vedere Labs.

According to Foster, these numbers reflect the growing number of IoT devices in use.

“We’re seeing a massive explosion in unmanageable devices. These are not like my laptop or phone. These are the grocery stores nowadays that have these little e-ink tags to change the prices on the fly and show sales, so they don’t have to go around with paper tags anymore. Each of those is a little computer,” he said.

Vedere Labs further ranked the riskiest connected devices per category in 2024:

ITRouter, Wireless Access Point, Server, Computer, Hypervisor
IoTNetwork Attached Storage (NAS), VoIP, IP Camera, Network Video Recorder, Printer
OTUninterruptible Power Supply (UPS), Distributed Control Systems (DCS), Programmable Logic Controller (PLC), Robotics, Building Management System (BMS)
IoMTMedical Information System, Electrocardiograph, DICOM Workstation, Picture Archiving and Communication System (PACS), Medication Dispensing System

“When I think of the OT and IoT side, it’s more about not knowing the devices and having so many of them. When we talk about the IT side, the riskiest vector is still the human element, as we lack sufficient training, and issues like social engineering, phishing, and ransomware are significant,” the CTO added.

Blind spot

Talking to businesses, Foster said many are often surprised at how much unmanaged devices they do not know about.

“We had one company where they thought they had 190,000 assets, but once we deployed, they actually had 236,000 assets. Imagine that’s 46,000 computers which they had no idea of. They weren’t tracking them, patching them, or managing them,” he recalled.

Justin Foster, Chief Technology Officer, Forescout. Image courtesy of Forescout.

In addition to visibility, enterprises should also be concerned about segmenting their connected devices, Foster remarked. This became more evident with the advent of bring your own device (BYOD) practice at the height of the pandemic.

“We’re connecting our phones to these laptops, for example, and we have this explosion of unmanageable devices. Hence, trying to understand what you have and make sense of it requires a different approach, because you can’t install an agent on these devices—be it OT or IoT,” he said.

As soon as an IoT device, with its hundreds of often unsecured protocols, communicates with the network, a hacker can take over that device if the network is not segmented. 

“Controlling access to your network is key. We watch the traffic going by and say, ‘Yes, this is a Siemens PLC which controls the gate in the factory that opens a flow of gas, or this is an IV machine, which pumps stats to the nurses’ station to know when the IV runs out.’ We watch at the network level for those things and we watch for the threats, but we also use that traffic to classify what those devices are,” Foster explained.

Healthcare under attack

In 2023, Vedere Labs identified healthcare as the riskiest industry in terms of connected devices. After significant initiatives, such as reducing the usage of remote desktop protocol (RDP) and legacy Windows versions, it now ranks as the least risky among the 10 industries surveyed.

Despite this, there are still a lot of security breaches among healthcare organisations.

“Unfortunately, we’re witnessing ransomware attacks that take down entire hospital groups, along with threat actors disrupting patient care, medication delivery, and cancer treatment. Much of this issue stems from the practice of placing everything on the same network and the inability to replace CT or X-ray machines every three years when they are out of service. These devices become aging, poorly maintained entry points for backdoor attacks that can spread throughout the network,” Foster noted.

The Forescout CTO recalled talking to a hospital CISO who knew their equipment was being recalled, yet they could not afford to buy 100 new dialysis machines. 

“I feel for them because it’s a tough problem to have. Typically, in a hospital chain, the security team is tiny and usually part of IT, which often has limited budget and staffing. They lack sufficient personnel to monitor the IoMT devices. Consequently, patient care takes priority in funding. However, if they deploy the right tools, visibility, and processes, overseeing these devices becomes easier,” he continued.

Segmenting the network makes a huge difference, Foster said, because critical devices like biomedical equipment won’t be able to communicate with less secure devices such as those on the guest network that patients are connecting to.

“The strategy involves implementing proper controls, patching devices whenever possible, and replacing them when necessary. Also, maintaining a manifest of your assets is crucial, so you know which ones are vulnerable, aging, or non-compliant with corporate policies,” he added.

Fighting fire with fire

Across industries, many cyberattacks have been powered by AI, with instances of generative AI being used to write malicious code.

In order to counter such sophisticated threats, Forescout decided to use the attackers’ weapons against them. Unlike most companies, however, they did not build a chatbot.

“The problem with that is what we call generative hallucinations. We saw a case where someone asked a chatbot to create a contract to sell them a truck for one dollar. This creates legal liability issues. Then you’ve got people using it for inappropriate reasons. It might be a security product, but they’re asking it how long to cook an egg, for example,” Foster said.

Foster presenting on the increasing threat of ransomware. Image courtesy of Forescout.

Part of Forescout’s AI strategy is to pre-feed data to large language models to get the desired results.

“It’s called prompt engineering, where we’ll take complex data about an asset, threat, or risk. Normally, it might take a human two hours to read through all the information and try to retain it, but we feed that to the language model and come out with a result that says, ‘The attack started 5 minutes ago and it laterally moved to this area.’ Basically, you’re pre-summarising human language,” the CTO elaborated.

Forescout is using generative AI for threat reporting, addressing issues with network visibility and threat response.

“We added this capability into our analytics. Beneath the numbers, there is a generative AI summary explaining what the data means. This creates a human-readable report that the CISO can present to the CEO or the board, making it clear and understandable. The generative AI is excellent at describing data and pointing out anomalies,” Foster added.


Prior to his current role at Forescout, Foster spent nearly a decade with Trend Micro in various roles, before co-founding and serving as CTO of SOC-as-a-service firm Cysiv. In 2022, Forescout acquired Cysiv.

Reflecting on his career trajectory, Foster observed that the security industry has become better at relating to non-IT professionals.

“We started as highly technical, using terms like IDS (intrusion detection system) and IPS (intrusion prevention system). We’ve become better at providing easier solutions and talking more in language that people understand. Security is a highly technical domain, but the more we can make it easier for application developers building a cloud application or home users, the better. I’ve seen a shift towards making security easier and more well-defined,” he recalled.

Foster noted that the reason for Cysiv’s inception was due to a gap in data science-based approaches to threat hunting.

“Cysiv integrated well into Forescout because Forescout excels at understanding the assets you have, the risks you face, and how to mitigate those risks. We added the threat dimension to that understanding. So if something is actively attacking your network, should you isolate those machines until you can address the threat?” he said.

In the coming years, Forescout plans to focus its resources on four areas: asset, risk, control, and automation.

“Asset involves classification, identifying protocols that sense devices the moment they interact on the network. Risk focuses on understanding vulnerabilities and whether they are being exploited. Control ensures that assets are compliant, not at high risk, and not currently facing threats like a phishing email that has downloaded a backdoor. Lastly, automation involves collaborating with 200 different vendors to ensure they can see the data and take action together,” Foster explained.

Additionally, the company intends to move more to the cloud, make sensors easier to use, and further automate the cyber ecosystem.

“Nobody has enough people, so they need to automate as much as possible,” Foster concluded.