virtual techdaysINDIA │ 9-11 February 2011

Microsoft Forefront Endpoint Protection 2010

Madan Mohan │ Consultant, MGSI

Agenda

Differentiate and demonstrate new features/functionalities included in FEP 2010 Illustrate the different topologies supported and the core FEP components Demonstrate the benefits of integration between Configuration Manager and FEP To get a technical overview and see live demonstrations of the new enhancements in

Forefront Endpoint Protection 2010 Learn about the advanced threat detection and malware protection technologies included

in FEP 2010

virtual techdaysINDIA │ 9-11 February 2011

SESSION Agenda

AGENDABusiness Needs and IT Challenges for Endpoint Protection

Microsoft Solution• Convergence of Desktop Management and Security

What’s New in Forefront Endpoint Protection 2010?• Ease of Deployment

• Enhanced Protection

• Simplified Management

Resources

Business Needs and IT Challenges

Expensive to maintain separate infrastructure

Constantly evolving threats

Agility and Flexibility ControlBUSINESS Needs IT Needs

Stop known and unknown threats

Make it easier to secure endpoints

Reduce cost of protecting clients

Increased complexity with separate workloads for endpoint protection and

management

Microsoft SolutionOne infrastructure for desktop management and protection

“The integration of Forefront Endpoint Protection with System Center Configuration Manager lets us break down the silos within our organization and increase efficiency.”

Reduced cost and complexity

Improved visibility and response to threats

Centralized management and protection

Convergence of Desktop Security and Management

“The integration of management and security makes our IT organization more agile. We’re more efficient in the way that we use our personnel. We’ve increased the number of people available to respond to security incidents by 20% with no increase in headcount.” – Riga Stradins University

IMPROVED PROTECTION• Security personnel have access to

desktop configuration data.

• Health and protection status are delivered in a single interface, with consolidated reporting.

• Incident response (identify/patch/remediate) is more targeted.

Security + Management

LOWER COSTS• There is one server infrastructure to

maintain.• A single mechanism deploys software

updates to clients.• IT can implement central policy for

security and management.• Administrators use one set of training

materials.• Only a single license (ECAL) must be

purchased.

Optimized DesktopManage risk with enhanced security

Protect sensitive data

Windows BitLocker® and BitLocker To Go™

Office Information Rights Management

Protect and manage against threats

Secure access

Windows DirectAccessUnified Access Gateway

(UAG)

Forefront Endpoint Protectionwith System Center Configuration

Manager

Internet Explorer® 8

Extend security to remote workers without risking sensitive data

End-to-end desktop protection:

Create single admin experience for desktop security and management

Let users safely run applications, edit documents, and browse the web

Build on existing infrastructure to reduce support and hardware costs

› Integration with System Center Configuration Manager 2007

› Industry-leading anti-malware protection

›Builds on Windows® 7 Security

What’s New

Forefront Endpoint Protection 2010Next Generation Of Forefront Client Security

• Built on distribution infrastructure of Microsoft® System Center Configuration Manager software

• Supports all System Center Configuration Manager topologies and enables enterprise-wide scalability

• Facilitates easy migration

• Able to deploy across various operating systems (including Microsoft Windows® client and Microsoft Windows Server ®)

• Protection against viruses, spyware, rootkits, and network vulnerabilities

• Productivity-oriented default configuration

• Integrated management of host firewall

• Backed by Microsoft Malware Protection Center

• Unified management interface for desktop administrators

• Timely and effective alerts

• Simple, operation-oriented policy administration

• Historical reporting for security administrators

Ease of Deployment Enhanced Protection Simplified Desktop Management

Building Endpoint Protection On Configuration Manager 2007

• Uses existing Configuration Manager 2007 infrastructure– No new servers– Integrated console– Supports SP2/R2 and later

• Simple install process– Installs on central site, deploys to hierarchy– Discover Configuration Manager roles and

attach FEP roles and context (or allow separate installs)

– Automatically creates additional components (FEP distribution packages, DCM baselines)

– Creates new reporting database

Central Site

Primary Site

Primary Site

Primary Site

FEP

Topologies

• Basic– Aligned with Configuration Manager deployment

components reside on Site Servers– Easiest to deploy

• Basic with Remote databases• Advanced – Allows the placement of Data Warehouse and

reporting Services on remote system for performance gains

– The FEP Auxiliary database must be on the same Server as Primary Site Database

Configuration Manager: Management

Centralized dashboard to monitor desktop security• Centralized policy management

• Progress of deployment and policy distribution

• Critical security alerts

• Rich, extensible historical reporting

Configuration Manager: Deployment

Seamlessly integrated with Configuration Manager Software Distribution• Scales efficiently to the largest enterprises around the globe• Supports branch office and non-domain-joined systems

Easy migration from other solutions• Detects and removes prevalent endpoint security agents (such as Symantec, McAfee,

TrendMicro)• Updates previous version of Forefront (FCS v1.0)

“The deployment process for Forefront Endpoint Protection was very simple. With any application you expect to need training on installation and management, but FEP was so intuitive that we were able to move much more quickly than anticipated.”

Third-party detection Silent removal of third-party products

FEP client installation Policy configuration Signature update

Exceptional Anti-malware Protection

“Forefront Endpoint Protection offers us better virus protection than we had with our previous solution. We had an incident with the Conficker virus, and our old anti-virus product was only able to disable and partially remove the virus. FEP was able to fully remove the virus from our environment. It is definitely a better tool.”

Company Award Detection Rate

False Positives

Symantec Advanced+ 98.70% 9

Microsoft Advanced 97.60% 3

Sophos Advanced 96.80% 13

McAfee Advanced 99.40% 24

Kaspersky Advanced 98.30% 46

Trend Micro Tested 90.30% 23

AV ComparativesOn Demand TestAugust 2010

Vendor/Product

Reactive Average Proactive RAP

Kaspersky 94.89% 77.94% 90.66%

Microsoft 84.64% 69.33% 80.81%

McAfee 74.67% 54.06% 69.52%

Symantec 70.16% 53.76% 66.06%

Vendor % proactive detection of new malware

#1 Trustport, Panda 63%#2 GData 61%#3 Kaspersky, Microsoft 59%

#7 Symantec 43%#8 McAfee 38%#13 Trend Micro 26%

AV ComparativesProactive TestMay 2010

VB100August 2010

›Ranked with market-leading engines

›Considered a leading solution for proactive detection of unknown threats

›Rated consistently among the lowest occurrences of false positives

Proactive DetectionGenerics/Heuristics Allows a single signature to detect thousands of files, using

emulated behavior or binary characteristics.

Dynamic Translation Translates code that accesses real resources (unsafe) into code that accesses virtualized resources (safe).

Behavioral Monitoring Tracks behavior of unknown processes and known good processes gone bad.

Dynamic Signature Service Queries reputation data on “interesting” files. If a file is known bad, a new signature is delivered to the requesting client in real time.

Network Vulnerability Shielding

Inspects all traffic for known exploits to known vulnerabilities. If system is already patched, this feature is automatically disabled.

Builds on Windows 7 SecurityRootkit detection

Behavior Monitoring & Heuristics

Vulnerability Assessment

Windows Firewall Management

Signature-based antimalware

Windows Firewall Management:Ensures that Windows® Firewall is active and working properly to protect against network-layer threats. It also enables administrators to more easily manage these protections across the enterprise.

Application Control

Full disk encryption

Removable storage encryption

Web Protection (IE 8)

• Minimize impact of application vulnerabilities and exploits with integral mechanisms developed fromthe Security Development Lifecycle

• Prevent unauthorized operations by running in “standard user” mode using User Account Control

• Protect against network threats with built-in firewall

• Restrict applications installation and usage with Windows AppLocker policies

FEP

PRIMARY SITES

CENTRAL SITECENTRAL SITE

Endpoint Protection Based on System Center Configuration Manager

During installation, Forefront Endpoint Protection:• Discovers System Center Configuration

Manager roles and attaches Forefront Endpoint Protection roles and context

• Automatically creates Forefront Endpoint Protection distribution packages, DCM baselines, and other components

• Creates a new reporting database

Simplified installation using existing infrastructure• No new servers• Support for SP2/R2 and later versions• Integrated console

System Center Configuration Manager

Multiple Topologies for Management

Single Site Deployment

• Enables consolidated management on a central site

• Option to offload reporting server

Hierarchical Deployment

• Enables distributed management of endpoint security

• Consolidated reporting on the central site for enterprise wide visibility

Secondary Site

Secondary Site

Secondary Site

CENTRAL SITECENTRAL SITE

Primary Site

Primary Site

Primary Site

FEP Console ExtensionsFEP Console Extensions

FEP Server ExtensionsFEP Server Extensions

FEP ReportsFEP Reports

FEP Console ExtensionsFEP Console Extensions

FEP Server ExtensionsFEP Server Extensions

FEP ReportsFEP Reports

FEP Console ExtensionsFEP Console Extensions

FEP Server ExtensionsFEP Server Extensions

FEP ReportsFEP Reports

Hierarchical Deployment for Distributed Management

FEP REPORTSFEP REPORTS

Policy configuration

Simplified Client DistributionConfiguration Manager integration

• Same software distribution process to deploy FEP Clients

• Support for all topologies, including Branch Office and Non-Domain-Joined

Flexible deployment and migration

• Deploy across Windows client and Windows Server

• Support for FEP pre-installation on golden image

• Support for standalone unmanaged deployment without Configuration Manager

Easy migration from existing solutions and automatic removal of existing clients

• Symantec

• McAfee

• TrendMicro

• Forefront Client Security

Third-party detection

Silent removal of third-party products

FEP client installation

Signature update

Client Distribution Flow

Event LogEvent Log

UPDATE SOURCES

Signature Update Distribution• Multiple update sources

• Configurable priority for sources

• Uses existing infrastructure of Microsoft Windows Server Update Services

• Improved size of signature downloads reduces bandwidth use

Corporatenetwork(UNC share)

Internet(MU/WU)

Corporate network

(WSUS)

Antimalware Service (FEP Client)Antimalware Service (FEP Client)

Network service

Network service Local systemLocal system

Reactive Techniques (Against Known Threats)

Proactive Techniques (Against Unknown Threats)

Windows Firewall Centralized ManagementWindows Firewall Centralized Management

Comprehensive Protection Stack

Network

File System

Application

Microsoft AppLocker™Microsoft AppLocker™

Forefront Endpoint Protection

Windows 7

Windows Internet Explorer® 8 SmartScreen

Windows Internet Explorer® 8 SmartScreen

Microsoft

Malw

are Protection CenterM

icrosoft M

alware Protection Center

Dynam

ic Signature ServiceD

ynamic Signature ServiceVulnerability Shielding (Network Inspection System)

Dynamic Cloud Updates

Data Execution Prevention

Behavior Monitoring

Address Space Layout Randomization

Windows Resource Protection

Anti-malware Dynamic Translation and Emulation

Generics and Heuristics: Dynamic Translation

Dynamic Translation translates code that accesses real resources (unsafe) into code that accesses virtualized resources (safe).• Generics and heuristics

based on emulated behavior and/or decrypted binary characteristics

• Industry-leading proactive detection

• Single signature that can detect thousands of files

Real resources Virtualized resources

PotentialmalwarePotentialmalware

Safe translationSafe translation

Dynamic Translation

Dynamic Translation

Behavior Monitoring and Dynamic Signature Service

• Live system monitoring identifies new threats

• Tracks behavior of unknown processes and known bad processes

• Dynamic Signature Service: Low-fidelity signatures• Detects suspicious characteristics as Dynamic

Translation emulates behavior

• Queries reputation service about suspicious files

• New signature delivered in real time to a client requesting a bad file

• Time and cost of signature distribution balanced with need for real-time updates

ResearchersReal-time signature delivery

Behavior classifiers

Reputation

ClientClient

SpyNet/MRS

Properties/Behavior

Properties/Behavior

Real-time signatureReal-time signature

SamplerequestSamplerequest

SamplesubmitSamplesubmit

Network Vulnerability Shielding• Minimizes opportunities to exploit the system between vulnerability announcements and

patch deployments

• Based on Network Inspection System (NIS) Technology

• Detects and blocks Conficker-style threats

• Inspects inbound and outbound network traffic

• Enables signatures based on patch status—disabled on patched machines

• Disables traffic interception if no signatures are active

A new NIS signature is released

Exploits Launched Attack is blocked

Patch validated and deployed

NIS Event Logged, telemetry sent

Time to test the update patch

Update Patch Available

With Forefront Endpoint Protection

A new vulnerability discovered

Protect Clients with Reduced Complexity

Simple interface

• Minimal, high-level user interactions

• Only necessary interactions

Administration options

• User configurability controls

• Central policy enforcement

Maintains high productivity

– CPU throttling during scans– Faster scans through

advanced caching

Unified Management Interface

• Simplified operations for client management and security through a unified console

• Centralized console for policy management and monitoring

• Enterprise-wide visibility into client security

• Quick identification and remediation of client security issues

Centralized Policy Management• Author policies and edit policy settings:

• Forefront Endpoint Protection – Configuration Manager

• Group Policy – GPEDIT + ADMX

• Deploy policies via:

• Configuration Manager

• Group Policy

• Installation

• Script

• Preconfigured templates for server roles:

• Performance, security, or by server role template

• Sixteen templates provide best practices based on server roles

Historical Reports and Critical alerting

• Rich SQL Reporting Services-based information about:

• Malware incidents

• Protection status

• Security compliance

• Policy distribution

• Alerts

• Customizable filters and views, easily extensible for use in other tools

• Available in multiple formats

• Set levels for critical security alerts, including:• Malware outbreak

• Malware detection

• Multiple malware detection

• Machines with repeated infections

• Receive email notifications of malware activity

FEP Security Management Pack for Operations Manager

• Server-centric view in System Center Operations Manager

• Pre-defined settings optimized per server workload

• Server security and availability tasks

• Service Level Objectives reports integrated with Operations Manager 2007 R2

• Real-time monitoring and alerting for critical systems

FEP Console Extension

FEP Console Extension

FEP Server ExtensionsFEP Server Extensions FEP ReportsFEP Reports

Security Management TopologyFEP on current Configuration Manager server roles

• Centralized policies, monitoring, and reporting capabilities

• Discovery and installation of Forefront Endpoint Protection server roles on the Configuration Manager server roles

• Option to install Forefront Endpoint Protection Console extension on other sites

PRIMARY SITES

CENTRAL SITECENTRAL SITE

PRIMARY SITES

FEP Console Extension

FEP Console Extension

FEP Server ExtensionsFEP Server Extensions

Security Management TopologyCentral FEP Server with Remote Reporting Database

• Enables distribution of resources in the infrastructure

• Forefront Endpoint Protection reporting role and database offloaded to a remote machine

• Option to specify a remote Microsoft SQL Server® during installation

FEP REPORTSFEP REPORTSSystem Center Configuration Manager

FEP Console ExtensionsFEP Console Extensions

Security Management TopologyDistributed Management

Secondary Site

Secondary Site

Secondary Site

CENTRAL SITECENTRAL SITE

Primary Site

Primary Site

Primary Site

FEP Console ExtensionsFEP Console Extensions

FEP Server ExtensionsFEP Server Extensions

FEP ReportsFEP Reports

FEP Console ExtensionsFEP Console Extensions

FEP Server ExtensionsFEP Server Extensions

FEP ReportsFEP Reports

FEP Console ExtensionsFEP Console Extensions

FEP Server ExtensionsFEP Server Extensions

FEP ReportsFEP Reports

• Separate security management and operations to child sites

Distributed Management with Consolidated Reporting

FEP ReportsFEP Reports• Separate security

management and operations to child sites

• Consolidated reporting on central site

Secondary Site

Secondary Site

Secondary Site

CENTRAL SITECENTRAL SITE

Primary Site

Primary Site

Primary Site

FEP Console ExtensionsFEP Console Extensions

FEP Server ExtensionsFEP Server Extensions

FEP ReportsFEP Reports

FEP Console ExtensionsFEP Console Extensions

FEP Server ExtensionsFEP Server Extensions

FEP ReportsFEP Reports

FEP Console ExtensionsFEP Console Extensions

FEP Server ExtensionsFEP Server Extensions

FEP ReportsFEP Reports

Alerting• Set levels for critical security alerts,

including:

• Malware outbreak

• Malware detection

• Multiple malware detection

• Machines with repeated infections

• Receive email notifications of malware activity

• Record alerts in event log

• Include alerts in historical reports

• Experienced researchers with prior work at various global response and research labs

• Microsoft security technology specialists who understand best practices

• Continuous coverage with malware research labs in several countries

• Microsoft Security Response Alliance (MSRA)

• Experienced researchers with prior work at various global response and research labs

• Microsoft security technology specialists who understand best practices

• Continuous coverage with malware research labs in several countries

• Microsoft Security Response Alliance (MSRA)

• Microsoft Malicious Software Removal Tool

• Windows Defender (SpyNet)

• Microsoft Windows Live OneCare™

• Microsoft Forefront

• Windows Live™ Hotmail®

• Microsoft Exchange Hosted Services

• Microsoft Product Support Services support organization

• Customer submissions

• Microsoft Malicious Software Removal Tool

• Windows Defender (SpyNet)

• Microsoft Windows Live OneCare™

• Microsoft Forefront

• Windows Live™ Hotmail®

• Microsoft Exchange Hosted Services

• Microsoft Product Support Services support organization

• Customer submissions

• Integrated response processes with global support organization• Brings Windows and

cross-product resourcesto address issues

• Microsoft Malware Protection Center portal• Search and browse

anti-malware encyclopedia

• Top threat telemetry

• Integrated response processes with global support organization• Brings Windows and

cross-product resourcesto address issues

• Microsoft Malware Protection Center portal• Search and browse

anti-malware encyclopedia

• Top threat telemetry

Microsoft Malware Protection Center http://www.microsoft.com/security/portal

Committed to long-term investment and leadership

GLOBAL RESEARCH BROAD INSIGHT INTEGRATED RESPONSE

“The integration of management and security makes our IT organization more agile. We’re more efficient in the way that we use our personnel. We’ve increased the number of people available to respond to security incidents by 20% with no increase in headcount.”

Riga Stradins University

Convergence of Desktop Security and Management

IMPROVED PROTECTION• Security personnel have access to desktop

configuration data

• Health status and protection status in a single interface, with consolidated reporting

• Incident response (identify / patch / remediate) is more targeted

IMPROVED PROTECTION• Security personnel have access to desktop

configuration data

• Health status and protection status in a single interface, with consolidated reporting

• Incident response (identify / patch / remediate) is more targeted

LOWER COSTS• One server infrastructure to maintain

• A single mechanism to deploy software updates to clients

• Central policy implementation for security and management

• One set of training for administrators

• A single license to purchase (ECAL)

LOWER COSTS• One server infrastructure to maintain

• A single mechanism to deploy software updates to clients

• Central policy implementation for security and management

• One set of training for administrators

• A single license to purchase (ECAL)

Security + ManagementSecurity + Management

Protect Information Wherever it Goes or Resides

2Protection and policy stay with the file or e-mail

4 Policy

Portal stores file in the clear

Policy

Portal protects file on access

5

1Protection and policy stay with the document or e-mail

3Protection and policy stay with the file or e-mail

6Policy

Archive stores file and policy in the clear

Policy

Policy Policy

• Creates a single administrator experience for managing and securing endpoints

• Improves visibility for identifying and safeguarding potentially vulnerable endpoints

SimplifySimplify

SummaryForefront Endpoint Protection 2010

• Lowers ownership costs by using a single infrastructure for both endpoint management and security

• Deploys effortlessly to hundreds of thousands of endpoints using existing System Center Configuration Manager agents

Integrate

Integrate

• Provides highly accurate detection of known and unknown threats

• Actively helps protect against network-level attacks by managing Windows Firewall configurations

ProtectProtect

Resources

Optimized Desktop: www.microsoft.com/windows/enterprise

TechCenter:http://technet.microsoft.com/forefront

Forefront Endpoint Protection 2010 Trial:www.microsoft.com/forefront

©2010 Microsoft Corporation. All rights reserved. Microsoft, AppLocker, Forefront, Internet Explorer, SharePoint, SQL Server, Hotmail, Windows, Windows Live, Windows Server, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the

date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.