Virtual TechDays INDIA │ 9-11 February 2011
Microsoft Forefront Endpoint Protection 2010
Madan Mohan │ Consultant, MGSI
Agenda
• Differentiate and demonstrate new features and functionalities included in FEP 2010
• Illustrate the different topologies supported and the core FEP components
• Demonstrate the benefits of integration between Configuration Manager and FEP
• Get a technical overview and see live demonstrations of the new enhancements in Forefront Endpoint Protection 2010
• Learn about the advanced threat detection and malware protection technologies included in FEP 2010
Session Agenda
• Business Needs and IT Challenges for Endpoint Protection
• Microsoft Solution: Convergence of Desktop Management and Security
• What’s New in Forefront Endpoint Protection 2010?
  • Ease of Deployment
  • Enhanced Protection
  • Simplified Management
• Resources
Business Needs and IT Challenges
Business needs: agility and flexibility; control.
IT needs:
• Expensive to maintain separate infrastructure
• Constantly evolving threats
• Stop known and unknown threats
• Make it easier to secure endpoints
• Reduce cost of protecting clients
• Increased complexity with separate workloads for endpoint protection and management
Microsoft Solution: one infrastructure for desktop management and protection
“The integration of Forefront Endpoint Protection with System Center Configuration Manager lets us break down the silos within our organization and increase efficiency.”
• Reduced cost and complexity
• Improved visibility and response to threats
• Centralized management and protection
Convergence of Desktop Security and Management
“The integration of management and security makes our IT organization more agile. We’re more efficient in the way that we use our personnel. We’ve increased the number of people available to respond to security incidents by 20% with no increase in headcount.” – Riga Stradins University
Security + Management
IMPROVED PROTECTION
• Security personnel have access to desktop configuration data.
• Health and protection status are delivered in a single interface, with consolidated reporting.
• Incident response (identify/patch/remediate) is more targeted.
LOWER COSTS
• There is one server infrastructure to maintain.
• A single mechanism deploys software updates to clients.
• IT can implement central policy for security and management.
• Administrators use one set of training materials.
• Only a single license (ECAL) must be purchased.
Optimized Desktop: manage risk with enhanced security
Protect sensitive data:
• Windows BitLocker® and BitLocker To Go™
• Office Information Rights Management
Protect and manage against threats:
• Forefront Endpoint Protection with System Center Configuration Manager
• Internet Explorer® 8
Secure access:
• Windows DirectAccess
• Unified Access Gateway (UAG)
End-to-end desktop protection:
• Extend security to remote workers without risking sensitive data
• Create a single admin experience for desktop security and management
• Let users safely run applications, edit documents, and browse the web
• Build on existing infrastructure to reduce support and hardware costs
› Integration with System Center Configuration Manager 2007
› Industry-leading anti-malware protection
› Builds on Windows® 7 security
What’s New
Forefront Endpoint Protection 2010: Next Generation of Forefront Client Security
Ease of deployment
• Built on distribution infrastructure of Microsoft® System Center Configuration Manager software
• Supports all System Center Configuration Manager topologies and enables enterprise-wide scalability
• Facilitates easy migration
• Able to deploy across various operating systems (including Microsoft Windows® client and Microsoft Windows Server®)
Enhanced protection
• Protection against viruses, spyware, rootkits, and network vulnerabilities
• Productivity-oriented default configuration
• Integrated management of host firewall
• Backed by Microsoft Malware Protection Center
Simplified desktop management
• Unified management interface for desktop administrators
• Timely and effective alerts
• Simple, operation-oriented policy administration
• Historical reporting for security administrators
Building Endpoint Protection on Configuration Manager 2007
• Uses existing Configuration Manager 2007 infrastructure
  – No new servers
  – Integrated console
  – Supports SP2/R2 and later
• Simple install process
  – Installs on central site, deploys to hierarchy
  – Discovers Configuration Manager roles and attaches FEP roles and context (or allows separate installs)
  – Automatically creates additional components (FEP distribution packages, DCM baselines)
  – Creates new reporting database
(Diagram: FEP installed on the Central Site, with three Primary Sites beneath it)
Topologies
• Basic
  – Aligned with Configuration Manager deployment; components reside on site servers
  – Easiest to deploy
• Basic with remote databases
• Advanced
  – Allows the placement of Data Warehouse and Reporting Services on a remote system for performance gains
  – The FEP auxiliary database must be on the same server as the Primary Site database
Configuration Manager: Management
Centralized dashboard to monitor desktop security
• Centralized policy management
• Progress of deployment and policy distribution
• Critical security alerts
• Rich, extensible historical reporting
Configuration Manager: Deployment
Seamlessly integrated with Configuration Manager software distribution
• Scales efficiently to the largest enterprises around the globe
• Supports branch office and non-domain-joined systems
Easy migration from other solutions
• Detects and removes prevalent endpoint security agents (such as Symantec, McAfee, Trend Micro)
• Updates previous version of Forefront (FCS v1.0)
“The deployment process for Forefront Endpoint Protection was very simple. With any application you expect to need training on installation and management, but FEP was so intuitive that we were able to move much more quickly than anticipated.”
Deployment flow: third-party detection → silent removal of third-party products → FEP client installation → policy configuration → signature update
Exceptional Anti-malware Protection
“Forefront Endpoint Protection offers us better virus protection than we had with our previous solution. We had an incident with the Conficker virus, and our old anti-virus product was only able to disable and partially remove the virus. FEP was able to fully remove the virus from our environment. It is definitely a better tool.”

AV-Comparatives On-Demand Test, August 2010
Company     | Award     | Detection Rate | False Positives
Symantec    | Advanced+ | 98.70%         | 9
Microsoft   | Advanced  | 97.60%         | 3
Sophos      | Advanced  | 96.80%         | 13
McAfee      | Advanced  | 99.40%         | 24
Kaspersky   | Advanced  | 98.30%         | 46
Trend Micro | Tested    | 90.30%         | 23

VB100, August 2010 (RAP test)
Vendor/Product | Reactive Average | Proactive | RAP
Kaspersky      | 94.89%           | 77.94%    | 90.66%
Microsoft      | 84.64%           | 69.33%    | 80.81%
McAfee         | 74.67%           | 54.06%    | 69.52%
Symantec       | 70.16%           | 53.76%    | 66.06%

AV-Comparatives Proactive Test, May 2010: % proactive detection of new malware, by vendor
#1 Trustport, Panda 63%
#2 GData 61%
#3 Kaspersky, Microsoft 59%
#7 Symantec 43%
#8 McAfee 38%
#13 Trend Micro 26%

› Ranked with market-leading engines
› Considered a leading solution for proactive detection of unknown threats
› Rated consistently among the lowest occurrences of false positives
Proactive Detection
Generics/Heuristics: Allows a single signature to detect thousands of files, using emulated behavior or binary characteristics.
Dynamic Translation: Translates code that accesses real resources (unsafe) into code that accesses virtualized resources (safe).
Behavioral Monitoring: Tracks behavior of unknown processes and known good processes gone bad.
Dynamic Signature Service: Queries reputation data on “interesting” files. If a file is known bad, a new signature is delivered to the requesting client in real time.
Network Vulnerability Shielding: Inspects all traffic for known exploits to known vulnerabilities. If the system is already patched, this feature is automatically disabled.
Builds on Windows 7 Security
• Rootkit detection
• Behavior monitoring and heuristics
• Vulnerability assessment
• Windows Firewall management: ensures that Windows® Firewall is active and working properly to protect against network-layer threats. It also enables administrators to more easily manage these protections across the enterprise.
• Signature-based antimalware
• Application control
• Full disk encryption
• Removable storage encryption
• Web protection (IE 8)
• Minimize impact of application vulnerabilities and exploits with integral mechanisms developed from the Security Development Lifecycle
• Prevent unauthorized operations by running in “standard user” mode using User Account Control
• Protect against network threats with built-in firewall
• Restrict application installation and usage with Windows AppLocker policies
Endpoint Protection Based on System Center Configuration Manager
Simplified installation using existing infrastructure:
• No new servers
• Support for SP2/R2 and later versions
• Integrated console
During installation, Forefront Endpoint Protection:
• Discovers System Center Configuration Manager roles and attaches Forefront Endpoint Protection roles and context
• Automatically creates Forefront Endpoint Protection distribution packages, DCM baselines, and other components
• Creates a new reporting database
(Diagram: FEP on the Central Site, with Primary Sites beneath it)
Multiple Topologies for Management
Single Site Deployment
• Enables consolidated management on a central site
• Option to offload reporting server
Hierarchical Deployment
• Enables distributed management of endpoint security
• Consolidated reporting on the central site for enterprise-wide visibility
(Diagram, Hierarchical Deployment for Distributed Management: a Central Site holding the FEP reports, three Primary Sites each running FEP Console Extensions, FEP Server Extensions and FEP Reports, and Secondary Sites beneath them)
Simplified Client Distribution
Configuration Manager integration
• Same software distribution process to deploy FEP clients
• Support for all topologies, including branch office and non-domain-joined
Flexible deployment and migration
• Deploy across Windows client and Windows Server
• Support for FEP pre-installation on golden image
• Support for standalone unmanaged deployment without Configuration Manager
Easy migration from existing solutions and automatic removal of existing clients
• Symantec
• McAfee
• TrendMicro
• Forefront Client Security
Client distribution flow: third-party detection → silent removal of third-party products → FEP client installation → policy configuration → signature update
Signature Update Distribution
• Multiple update sources
• Configurable priority for sources
• Uses existing infrastructure of Microsoft Windows Server Update Services
• Improved size of signature downloads reduces bandwidth use
(Diagram: update sources for the Antimalware Service (FEP client): corporate network (WSUS), corporate network (UNC share), Internet (MU/WU); update events are written to the event log)
Comprehensive Protection Stack
Reactive techniques (against known threats) and proactive techniques (against unknown threats), layered across network, file system and application:
• Forefront Endpoint Protection: anti-malware dynamic translation and emulation, behavior monitoring, Dynamic Signature Service, dynamic cloud updates, vulnerability shielding (Network Inspection System), Windows Firewall centralized management; backed by the Microsoft Malware Protection Center
• Windows 7: Microsoft AppLocker™, Windows Internet Explorer® 8 SmartScreen, Data Execution Prevention, Address Space Layout Randomization, Windows Resource Protection
Generics and Heuristics: Dynamic Translation
Dynamic Translation translates code that accesses real resources (unsafe) into code that accesses virtualized resources (safe).
• Generics and heuristics based on emulated behavior and/or decrypted binary characteristics
• Industry-leading proactive detection
• Single signature that can detect thousands of files
(Diagram: potential malware is run through Dynamic Translation, so its accesses to real resources become safe accesses to virtualized resources)
Behavior Monitoring and Dynamic Signature Service
• Live system monitoring identifies new threats
• Tracks behavior of unknown processes and known bad processes
• Detects suspicious characteristics as Dynamic Translation emulates behavior
• Dynamic Signature Service: low-fidelity signatures
  • Queries reputation service about suspicious files
  • New signature delivered in real time to a client requesting a bad file
  • Time and cost of signature distribution balanced with need for real-time updates
(Diagram: the client sends properties/behavior to SpyNet/MRS, which draws on researchers, behavior classifiers and reputation data; samples are requested and submitted, and a real-time signature is delivered back to the client)
Network Vulnerability Shielding
• Minimizes opportunities to exploit the system between vulnerability announcements and patch deployments
• Based on Network Inspection System (NIS) technology
• Detects and blocks Conficker-style threats
• Inspects inbound and outbound network traffic
• Enables signatures based on patch status: disabled on patched machines
• Disables traffic interception if no signatures are active
Timeline with Forefront Endpoint Protection:
1. A new vulnerability is discovered
2. A new NIS signature is released
3. Exploits are launched; the attack is blocked, an NIS event is logged and telemetry is sent
4. Update patch available; time to test the update patch
5. Patch validated and deployed
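The patch-status rule above (a NIS signature is enforced only while its patch is missing, and interception stops when no signature is active), walked through the slide's timeline as an added Python model; this is an illustration, not FEP's own code, and the signature name and KB id are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NisSignature:
    name: str         # constructed signature name
    fixed_by_kb: str  # constructed id of the patch that closes the hole


@dataclass
class NisState:
    released: set = field(default_factory=set)       # signatures released so far
    installed_kbs: set = field(default_factory=set)  # patches present on this host
    log: list = field(default_factory=list)          # stands in for the NIS event log

    def active_signatures(self):
        # Patch-status aware: a signature is enforced only while its patch is absent.
        return {s for s in self.released if s.fixed_by_kb not in self.installed_kbs}

    def interception_enabled(self):
        # With nothing to enforce, NIS stops intercepting traffic altogether.
        return bool(self.active_signatures())

    def release_signature(self, sig):
        self.released.add(sig)

    def install_patch(self, kb):
        self.installed_kbs.add(kb)

    def inspect(self, matched_signature_name):
        """Decision for traffic that matches the named signature's exploit pattern."""
        if not self.interception_enabled():
            return "not-inspected"
        if any(s.name == matched_signature_name for s in self.active_signatures()):
            self.log.append(f"NIS blocked {matched_signature_name}; telemetry sent")
            return "blocked"
        return "allowed"


def run_timeline():
    """Walk the slide's timeline and return the decision taken at each step."""
    sig = NisSignature("Exploit:Win32/Sample-CONSTRUCTED", "KB0000000-CONSTRUCTED")
    nis = NisState()
    steps = []
    # 1. Vulnerability discovered, no signature yet: nothing to enforce.
    steps.append(("no-signature", nis.inspect(sig.name)))
    # 2. New NIS signature released: matching exploit traffic is blocked and logged.
    nis.release_signature(sig)
    steps.append(("signature-active", nis.inspect(sig.name)))
    # 3. Patch validated and deployed: the signature retires automatically.
    nis.install_patch(sig.fixed_by_kb)
    steps.append(("patched", nis.inspect(sig.name)))
    return steps, nis.log
```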
Protect Clients with Reduced Complexity
Simple interface
• Minimal, high-level user interactions
• Only necessary interactions
Administration options
• User configurability controls
• Central policy enforcement
Maintains high productivity
– CPU throttling during scans
– Faster scans through advanced caching
Unified Management Interface
• Simplified operations for client management and security through a unified console
• Centralized console for policy management and monitoring
• Enterprise-wide visibility into client security
• Quick identification and remediation of client security issues
Centralized Policy Management
• Author policies and edit policy settings:
  • Forefront Endpoint Protection – Configuration Manager
  • Group Policy – GPEDIT + ADMX
• Deploy policies via:
  • Configuration Manager
  • Group Policy
  • Installation
  • Script
• Preconfigured templates for server roles:
  • Performance, security, or by server role template
  • Sixteen templates provide best practices based on server roles
Historical Reports and Critical Alerting
• Rich SQL Reporting Services-based information about:
  • Malware incidents
  • Protection status
  • Security compliance
  • Policy distribution
  • Alerts
• Customizable filters and views, easily extensible for use in other tools
• Available in multiple formats
• Set levels for critical security alerts, including:
  • Malware outbreak
  • Malware detection
  • Multiple malware detection
  • Machines with repeated infections
• Receive email notifications of malware activity
FEP Security Management Pack for Operations Manager
• Server-centric view in System Center Operations Manager
• Pre-defined settings optimized per server workload
• Server security and availability tasks
• Service Level Objectives reports integrated with Operations Manager 2007 R2
• Real-time monitoring and alerting for critical systems
Security Management Topology: FEP on current Configuration Manager server roles
• Centralized policies, monitoring, and reporting capabilities
• Discovery and installation of Forefront Endpoint Protection server roles on the Configuration Manager server roles
• Option to install Forefront Endpoint Protection console extension on other sites
(Diagram: Central Site running FEP Server Extensions and FEP Reports; Primary Sites running FEP Console Extensions)
Security Management Topology: Central FEP Server with Remote Reporting Database
• Enables distribution of resources in the infrastructure
• Forefront Endpoint Protection reporting role and database offloaded to a remote machine
• Option to specify a remote Microsoft SQL Server® during installation
(Diagram: System Center Configuration Manager central site with FEP Console Extensions; FEP Reports hosted on a remote server)
Security Management Topology: Distributed Management
• Separate security management and operations to child sites
(Diagram: Central Site and three Primary Sites, each running FEP Console Extensions, FEP Server Extensions and FEP Reports, with Secondary Sites beneath them)
Distributed Management with Consolidated Reporting
• Separate security management and operations to child sites
• Consolidated reporting on central site
(Diagram: the same hierarchy, with the FEP Reports of every Primary Site consolidated on the Central Site)
Alerting
• Set levels for critical security alerts, including:
  • Malware outbreak
  • Malware detection
  • Multiple malware detection
  • Machines with repeated infections
• Receive email notifications of malware activity
• Record alerts in event log
• Include alerts in historical reports
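How the four alert levels listed above can be derived from a stream of detection events, as an added Python example that is not part of this deck or of FEP itself; the log format, host names, threat names other than Conficker, thresholds and the 24-hour window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detections (timestamp|host|threat|action); not FEP's real log format.
SAMPLE_LOG = """\
2011-02-09T10:00:00|WKS-01|Worm:Win32/Conficker.B|Quarantined
2011-02-09T10:02:00|WKS-02|Worm:Win32/Conficker.B|Quarantined
2011-02-09T10:03:00|WKS-03|Worm:Win32/Conficker.B|Removed
2011-02-09T10:05:00|WKS-04|Worm:Win32/Conficker.B|Quarantined
2011-02-09T10:07:00|WKS-04|Worm:Win32/Conficker.B|Quarantined
2011-02-09T10:09:00|WKS-04|Worm:Win32/Conficker.B|Quarantined
2011-02-09T11:00:00|SRV-01|Trojan:Win32/SampleA|Removed
2011-02-09T11:10:00|SRV-01|Backdoor:Win32/SampleB|Removed
2011-02-09T11:20:00|SRV-01|Adware:Win32/SampleC|Removed
"""

# Thresholds and window are assumptions for the illustration, not FEP defaults.
WINDOW = timedelta(hours=24)
OUTBREAK_HOSTS = 3   # same threat seen on at least this many machines
MULTI_DISTINCT = 3   # this many different threats on one machine
REPEAT_COUNT = 3     # same threat re-detected this many times on one machine


def parse(log):
    """Turn the constructed log text into (timestamp, host, threat, action) tuples."""
    events = []
    for line in log.splitlines():
        ts, host, threat, action = line.split("|")
        events.append((datetime.fromisoformat(ts), host, threat, action))
    return events


def _n_within_window(times, n):
    """True if at least n of the timestamps fall inside one WINDOW-long span."""
    times = sorted(times)
    return any(times[i + n - 1] - times[i] <= WINDOW
               for i in range(len(times) - n + 1))


def classify(events):
    """Return sorted (alert level, host, threat) tuples; '*' means 'any'."""
    alerts = set()
    by_threat = defaultdict(list)  # threat -> [(ts, host)]
    by_host = defaultdict(list)    # host   -> [(ts, threat)]
    for ts, host, threat, _action in events:
        alerts.add(("malware detection", host, threat))  # every detection alerts
        by_threat[threat].append((ts, host))
        by_host[host].append((ts, threat))
    for threat, hits in by_threat.items():
        # Outbreak: the same threat on many distinct machines; count each host once.
        first_seen = {}
        for ts, host in sorted(hits):
            first_seen.setdefault(host, ts)
        if _n_within_window(first_seen.values(), OUTBREAK_HOSTS):
            alerts.add(("malware outbreak", "*", threat))
    for host, hits in by_host.items():
        first_seen, per_threat = {}, defaultdict(list)
        for ts, threat in sorted(hits):
            first_seen.setdefault(threat, ts)
            per_threat[threat].append(ts)
        # Multiple malware detection: several different threats on one machine.
        if _n_within_window(first_seen.values(), MULTI_DISTINCT):
            alerts.add(("multiple malware detection", host, "*"))
        # Repeated infection: the same threat keeps returning on one machine,
        # a sign that cleanup is not holding and the host needs a closer look.
        for threat, times in per_threat.items():
            if _n_within_window(times, REPEAT_COUNT):
                alerts.add(("repeated infection", host, threat))
    return sorted(alerts)
```

On the sample, the four Conficker hosts raise an outbreak, WKS-04 a repeated infection, and SRV-01 a multiple-malware alert, alongside one detection alert per host/threat pair.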
Microsoft Malware Protection Center (http://www.microsoft.com/security/portal): committed to long-term investment and leadership
GLOBAL RESEARCH
• Experienced researchers with prior work at various global response and research labs
• Microsoft security technology specialists who understand best practices
• Continuous coverage with malware research labs in several countries
• Microsoft Security Response Alliance (MSRA)
BROAD INSIGHT
• Microsoft Malicious Software Removal Tool
• Windows Defender (SpyNet)
• Microsoft Windows Live OneCare™
• Microsoft Forefront
• Windows Live™ Hotmail®
• Microsoft Exchange Hosted Services
• Microsoft Product Support Services support organization
• Customer submissions
INTEGRATED RESPONSE
• Integrated response processes with global support organization
• Brings Windows and cross-product resources to address issues
• Microsoft Malware Protection Center portal
  • Search and browse anti-malware encyclopedia
  • Top threat telemetry
Protect Information Wherever it Goes or Resides
(Diagram: protection and policy stay with the document, file or e-mail as it moves; a portal stores the file in the clear and protects it on access; an archive stores the file and policy in the clear)
Summary: Forefront Endpoint Protection 2010
Simplify
• Creates a single administrator experience for managing and securing endpoints
• Improves visibility for identifying and safeguarding potentially vulnerable endpoints
Integrate
• Lowers ownership costs by using a single infrastructure for both endpoint management and security
• Deploys effortlessly to hundreds of thousands of endpoints using existing System Center Configuration Manager agents
Protect
• Provides highly accurate detection of known and unknown threats
• Actively helps protect against network-level attacks by managing Windows Firewall configurations
Resources
Optimized Desktop: www.microsoft.com/windows/enterprise
TechCenter: http://technet.microsoft.com/forefront
Forefront Endpoint Protection 2010 Trial: www.microsoft.com/forefront
©2010 Microsoft Corporation. All rights reserved. Microsoft, AppLocker, Forefront, Internet Explorer, SharePoint, SQL Server, Hotmail, Windows, Windows Live, Windows Server, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the
date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.