By Christian Stahl, Microsoft Enterprise Services: Forefront Codename "Stirling"
Agenda
• Introduction to Security Management
• Introduction to Forefront Codename "Stirling"
• Stirling functionality
• Stirling architecture
Security Management today
• Jumping between consoles wastes time
• Each console has its own policy paradigm
• Products are in silos with no integration
• Lack of integration with the infrastructure generates inefficiencies
• Difficult to know whether solutions are protecting against emerging threats
[Diagram: a separate Management Console and Reporting Console for each product silo: Endpoint Protection, Server Application Protection, Network Edge and Vulnerability Assessment]
• One console for simplified, role-based security management
• Define one security policy for your assets across protection technologies
• Deploy signatures, policies and software quickly
• Integrates with your existing infrastructure: SCOM, SQL, WSUS, AD, NAP, SCCM
Simplified Management with Stirling
[Diagram: Network Edge, Server Applications, Client and Server OS]
A comprehensive line of business security products that help you gain greater protection and secure access through deep integration and simplified management.
Forefront codename "Stirling"
Next Generation Forefront Client Security
• Antivirus / Antispyware
• Host Firewall & NAP
• Others – to be announced at a later date
Next Generation Forefront Server Security
• Exchange Protection
• SharePoint Protection
• Others – to be announced at a later date
Next Generation Edge Security and Access
• Firewall
• VPN
• Others – to be announced at a later date
• Comprehensive, coordinated protection with dynamic responses to complex threats
• Unified management across client, server application, & edge security in one console
• Critical visibility into overall security state including threats and vulnerabilities
[Diagram: Management & Visibility and Dynamic Response spanning Network Edge, Server Applications, and Client and Server OS vNext]
An Integrated Security System
• Integrated protection across clients, server and edge
• Dynamic responses to emerging threats
• Next generation protection technologies
• Manage from a single role-based console
• Asset and policy centric model
• Integrates with your existing infrastructure
• Know your security state in real-time
• View insightful reports
• Investigate & remediate security issues
An Integrated Security System that delivers comprehensive,
coordinated protection with simplified management and critical
visibility across clients, servers, and the network edge
Comprehensive Protection
Simplified Management
Critical Visibility
Siloed best-of-breed solutions are not enough
• Breaches came from a combination of events:
– 62% were attributed to a significant error
– 59% resulted from hacking and intrusions
– 31% incorporated malicious code
– 22% exploited a vulnerability
– 15% were due to physical threats
Time span of data breach events
Source: 2008 Data Breach Investigations Report, Verizon Business. http://www.verizonbusiness.com/resources/security/databreachreport.pdf
Example: Zero Day Scenario
[Diagram: the user Andy on DEMO-CLT1 visits a malicious web site (WEB); the Edge Protection log reaches the Network Admin, who phones the Desktop Admin. Every investigation and containment step is manual: DNS reverse lookup, client event log, launch a scan, disconnect the computer. Components shown: Edge Protection, Client Security.]
Example: Zero Day Scenario with Stirling and Dynamic Response
[Diagram: the same attack (Andy on DEMO-CLT1, malicious web site), now handled through the Security Assessments Channel and Stirling Core. Participants: Forefront TMG, Client Security, NAP, Active Directory, Forefront Server for Exchange, SharePoint and OCS; the Security Admin and Network Admin both see the shared assessments.]
• TMG identifies malware on the DEMO-CLT1 computer attempting to propagate (port scan)
• FCS identifies that Andy has logged on to DEMO-CLT1
• Assessments on the channel:
– Compromised Computer: DEMO-CLT1, High Fidelity, High Severity, Expire: Wed
– Compromised User: Andy, Low Fidelity, High Severity, Expire: Wed
• Responses: Alert, Scan Computer, Block Email, Block IM, Reset Account, Quarantine
Shared Information: Assessment Severity Definition
Compromised Computer
• High: Malware gains admin-level control over the computer, or the computer poses an active and immediate threat to other computers. Example: rootkit, bot, fast self-propagating worm
• Med: Malware has user-level control on the computer; malware might affect the computer moderately. Example: virus with user account privileges; virus requiring humans to propagate
• Low: Malware has minimal control over the computer, similar to the control obtained by a guest account. Example: spyware
Vulnerable Computer
• High: The computer is more likely to be compromised in the very near future, with potential damage that corresponds to a high-severity compromised computer. Example: can be exploited by a self-propagating worm
• Med: The computer is more likely to be compromised eventually, but there is no immediate threat. Example: missing patch mitigated by default configuration
• Low: The computer can be compromised only with major effort (such as a full-blown dictionary attack, or an intruder gaining physical access to the computer); the potential damage is expected to be low. Example: weak password, misconfigured IE
Compromised User
• High: The attacker is the legal owner of the account (intended to be used as a manually injected assessment). Example: clear insider threat
• Med: The attacker has full control over the account. Example: attacker obtains the user's password
• Low: The attacker has limited control of the account; usually the attacker does not have the account's privileges. Example: email worm that propagates only while the user is logged in
More than 70 assessments are coming with Stirling Beta 2.
Critical Visibility & Control
• Know your security state
• View insightful reports
• Investigate and remediate security risks
Risk Management Dashboard
• Risk = Security State x Asset Value
• Asset value via Stirling policies
• Overall security risk driven by actionable rules
• Single number to sort assets by
• Enterprise security status reports
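The following is an added, constructed example (not Forefront or Stirling code) that ties together the two mechanisms the deck describes: the zero-day scenario, where a high-fidelity Compromised Computer assessment for DEMO-CLT1 and the logon record for Andy lead to a low-fidelity Compromised User assessment and a set of responses, and the dashboard rule Risk = Security State x Asset Value that yields a single number to sort assets by. The numeric weights, the fidelity discount, the logon correlation rule, the response policy and the sample asset values are all assumptions made for the example; the assessment kinds, severities, fidelities, asset names and response names come from the deck.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Severity(Enum):
    LOW = 1
    MED = 2
    HIGH = 3


class Fidelity(Enum):
    LOW = 1
    MED = 2
    HIGH = 3


@dataclass(frozen=True)
class Assessment:
    """One item on the (assumed) shared assessment channel."""
    kind: str            # "Compromised Computer", "Vulnerable Computer", "Compromised User"
    asset: str           # computer or user name
    severity: Severity
    fidelity: Fidelity   # how confident the publishing product is
    source: str          # which protection product published it
    expires: datetime    # assessments age out; expired ones carry no risk


def active(assessments, now):
    """Only unexpired assessments count towards state or responses."""
    return [a for a in assessments if a.expires > now]


def correlate_logons(assessments, logons):
    """Assumed correlation rule: a high-fidelity Compromised Computer plus a user
    logged on to that computer yields a low-fidelity Compromised User assessment
    with the same severity and expiry (the Andy / DEMO-CLT1 case in the deck)."""
    derived = []
    for a in assessments:
        if a.kind == "Compromised Computer" and a.fidelity is Fidelity.HIGH:
            for user, computer in logons:
                if computer == a.asset:
                    derived.append(Assessment("Compromised User", user, a.severity,
                                              Fidelity.LOW, "correlation:" + a.source, a.expires))
    return derived


# Assumed numeric weights for "security state"; the deck gives no numbers.
STATE_WEIGHT = {Severity.HIGH: 1.0, Severity.MED: 0.5, Severity.LOW: 0.2}


def risk_by_asset(assessments, asset_values, now):
    """Risk = security state x asset value, per asset, sorted worst first.
    Security state is the weight of the worst active assessment, discounted by
    fidelity so that low-confidence findings do not dominate the sort."""
    risk = {asset: 0.0 for asset in asset_values}
    for a in active(assessments, now):
        state = STATE_WEIGHT[a.severity] * (a.fidelity.value / Fidelity.HIGH.value)
        risk[a.asset] = max(risk.get(a.asset, 0.0), state * asset_values.get(a.asset, 1))
    return dict(sorted(risk.items(), key=lambda kv: kv[1], reverse=True))


def responses_for(a):
    """Assumed response policy using the response names from the deck.
    Disruptive responses require both high severity and high fidelity."""
    actions = ["Alert"]
    if a.kind == "Compromised Computer":
        actions.append("Scan Computer")
        if a.severity is Severity.HIGH and a.fidelity is Fidelity.HIGH:
            actions.append("Quarantine")          # network isolation, e.g. via NAP
    elif a.kind == "Compromised User":
        if a.severity is Severity.HIGH:
            actions += ["Block Email", "Block IM"]
        if a.fidelity is Fidelity.HIGH:
            actions.append("Reset Account")       # never on a correlated guess alone
    return actions


# Constructed sample data: names are from the deck, values and times are made up.
NOW = datetime(2008, 9, 1, 12, 0)
EXPIRES = NOW + timedelta(days=2)
SAMPLE_ASSESSMENTS = [
    Assessment("Compromised Computer", "DEMO-CLT1", Severity.HIGH, Fidelity.HIGH, "TMG port scan", EXPIRES),
    Assessment("Vulnerable Computer", "Srv-DC1", Severity.MED, Fidelity.HIGH, "missing patch", EXPIRES),
    Assessment("Compromised Computer", "Srv-Prn1", Severity.LOW, Fidelity.MED, "spyware", NOW - timedelta(hours=1)),
]
SAMPLE_LOGONS = [("Andy", "DEMO-CLT1"), ("JohnDoe", "Srv-DC1")]
ASSET_VALUES = {"DEMO-CLT1": 2, "Srv-DC1": 10, "Srv-Prn1": 3, "Andy": 1, "JohnDoe": 5}


def demo():
    """Run the pipeline on the sample data: correlate, score, choose responses."""
    all_assessments = SAMPLE_ASSESSMENTS + correlate_logons(active(SAMPLE_ASSESSMENTS, NOW), SAMPLE_LOGONS)
    risk = risk_by_asset(all_assessments, ASSET_VALUES, NOW)
    responses = {a.asset: responses_for(a) for a in active(all_assessments, NOW)}
    return risk, responses


if __name__ == "__main__":
    risk, responses = demo()
    for asset, score in risk.items():
        print(f"{asset:10} risk={score:.2f} responses={responses.get(asset, [])}")
```

Two things the sample shows that the bullets alone do not: the medium-severity but high-value domain controller sorts above the high-severity client because asset value multiplies the state, and the correlated Compromised User assessment for Andy gets mail and IM blocks but not an account reset, because its fidelity is low. The expired spyware finding on Srv-Prn1 contributes neither risk nor responses.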
[Dashboard mock-up: Security Risk Summary. Panels: Security Risk Trend during the Last Month (8/1 to 8/30); Security Risk Level during the Last Day (High / Medium / Low / Minimal over 24 hours); Groups at Highest Risk during the Last Day (10 groups out of 39 total, e.g. Production_Servers, HR Servers, Redmond Bldg 43 Servers, Haifa Sensitive Servers, Long Island Servers, Testlab1 Servers, Sensitive Client Computers, Default Computers Group, Default Servers Group, each with the percentage of time spent at each risk level); an asset table with the columns Asset Name, Asset Value, Last Risk Level, Highest Risk Level, Reason / Assessment(s), Active Response(s) Applied, Investigation Opened (sample rows: Srv-DC1 with multiple assessments, Srv-Prn1 with a virus infection found, Red\JohnDoe with a port scan and spam found); and a Security Risk per Group drill-down for HR Servers (Total Assets at Risk: 3) with its own monthly trend and daily level charts.]
[Dashboard mock-up: Exchange Protection Activity. Total Messages Scanned: 550; Malware Discovery Rate: 90%; Filter Hit Rate: 20%; Total Messages Quarantined: 300; Total Spam Found: 30000 (spam rate 90%). Charts: message trend by type (Malware, Filtering Hit, Quarantined, Total), incident rate trend during the last day, malware discovery rate trend, filter hit rate trend, and spam rate trend (Block by IP, Block by content), each with a Detail Report link.]
Activity Reporting
• Technology specific
• Complementing security and health monitoring
• Visibility into
– Security effectiveness
– Resource consumption
– Productivity impact
• Planning and measuring
Contribution of FSE Protection Service to the Security Risk Detection and Mitigation
[Report mock-up: FSE contribution to detection of Compromised Users during the last day and the last month (by severity High / Med / Low), with Compromised Users trends; Security Risk trend during the last month and Security Risk level during the last day (High / Medium / Low / Minimal), with FSE contribution to Security Risk detection for both periods; Security Responses trend (Responses, Alerts, Applied, Cancelled) and FSE contribution to Security Responses, each for the last day and the last month.]
Stirling Conceptual Architecture
[Diagram: Stirling Core Server, Stirling Console, and Stirling Data Analysis & Collection Servers (System Center Operations Manager); managed systems: Desktops, Laptops and Servers, Exchange Servers, SharePoint Servers, Threat Management Gateway Servers; Events flow from the managed systems and Settings flow to them; Microsoft Update and Windows Server Update Services (WSUS) for Virus & Spyware Definitions; the Forefront Security Assessment Channel, which also admits a 3rd party protection service.]
Stirling Server Roles
• Stirling defines several roles that make up the overall system:
– Stirling Core – central processing
– Stirling Core DB – Stirling databases
– "DAC" (Data Analysis & Collection):
• DAC-RMS – System Center Operations Manager Root Management Server
• DAC-MS – Management Server
• DAC-DB – SCOM databases
– Stirling Reporting
– Stirling NPS (Network Policy Server)
– Stirling Console
Stirling Common Questions
• Q: Can I use my existing SCOM infrastructure for Stirling?
• A: Yes, but unless it's already managing all your desktops too, you'll have to add more servers to scale it out.
• Q: Can I use clusters? Virtualization?
• A: Yes.