Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft's Secure Endpoint Solution
Adwait Joshi, Sr. Product Manager
Randy Treit, Sr. Program Manager
SESSION CODE: SIA 320
Agenda
• Business Needs and IT Challenges
• Threat Trends
• Secure Endpoint Solution Overview
• Deep Dive into Multi-layered Antimalware Protection: Forefront Threat Management Gateway; Forefront Endpoint Protection 2010
Business Needs And IT Challenges
Business needs:
• Protect endpoints from advanced threats
• Protect sensitive data on endpoints
• Enable secure access to resources from anywhere
• Reduce security management costs
IT challenges:
• Financially motivated evolving threats
• Easily accessible sensitive data on multiple devices
• Wide range of users and devices
• Multiple vendors and complex management
Threat Trends
[Chart: attacker motivation (Curiosity, Personal Fame, Personal Gain, National Interest) plotted against attacker skill (Amateur, Expert, Specialist), with attacker types Script-Kiddy, Vandal, Author, Thief, Trespasser and Spy. Annotations: "Largest area by volume", "Largest area by $ lost", "Largest segment by $ spent on defense", "Fastest growing segment".]
Crime On The Rise: Financial Motivation
Source: Microsoft Security Intelligence Report
Wide variety of malware: trends in the last year
Phishing Sites: targeting social networking and financial sites
[Chart: share of phishing sites by target category (Social Networking Sites, Online Services, E-Commerce Sites, Financial Sites), monthly from Jul-09 to Dec-09, 0% to 100%.]
Source: Microsoft Security Intelligence Report
Attacks Getting More Sophisticated: traditional defenses are inadequate
[Figure: attack surface layers, from Physical and Hardware through O/S, Drivers, Applications and GUI up to the User.]
Examples: Web based exploits; Phishing/Social engineering; Spyware; Rootkits; Application attacks
Business Ready Security
Help securely enable business by managing risk and empowering people, across on-premises & cloud
[Figure: shift "from" Block, Cost and Siloed "to" Enable, Value and Seamless.]
• Protect everywhere, access anywhere
• Integrate and extend security across the enterprise
• Simplify the security experience, manage compliance
• Highly Secure & Interoperable Platform (Identity)
Secure Endpoint Solution
Protect endpoints from emerging threats and information loss, while enabling more secure access from virtually anywhere
Pillars: PROTECT everywhere, ACCESS anywhere; INTEGRATE and EXTEND security; SIMPLIFY security, MANAGE compliance
• Provides unified administration for desktop management and protection
• Increases visibility of potentially vulnerable desktops
• Uses existing System Center Configuration Manager infrastructure
• Builds on and extends Windows security
• Enables multi-layered antimalware protection
• Protects critical data wherever it resides
• Provides more secure always-on access
Secure Endpoint – Defense in Depth Strategy
Information Protection
• Active Directory Rights Management Services (RMS)
• Encrypting File System (EFS)
• BitLocker & BitLocker To Go
• Device Control
Secure Access
• DirectAccess
• Unified Access Gateway 2010
• Network Access Protection (NAP)
• IPv6
• IPsec
Malware Protection
• Protection from web based threats at the edge: Forefront Threat Management Gateway 2010
• Advanced anti-malware on the desktop: Forefront Endpoint Protection 2010
• Desktop Firewall
• Application Control (AppLocker)
Multi-Layered Antimalware Protection: Forefront Threat Management Gateway 2010
New Forefront Threat Management Gateway 2010
Comprehensive Web Security
• Enables employees to safely use the Internet without worrying about malware and other threats.
Next Generation of ISA Server
• Includes and improves proven network protection technologies of ISA 2006
Threat Management Gateway 2010 – Secure Web Gateway Features
Malware inspection
• Download scanning of files
• Integrated Microsoft AV/AM engine
• Inspection settings per rule
URL filtering
• URL category sets and exclusions
• Integrated with forward proxy
HTTPS inspection
• URL filtering, malware scanning and IPS protection
• Firewall Client notification to end users
Network Inspection System
• Protection against vulnerability exploits
• Protocol analysis
Why Malware Protection Gateway?
• Machines without host antivirus (AV)
• Host AV not up to date
• Centralized monitoring
• Content policy enforcement
How TMG Malware Inspection Works
[Figure: numbered flow (steps 1 to 7) between the Internet, the Proxy Engine, the Malware Inspection Filter, the Signatures DB and the Admin.]
• Content delivery methods by various content features
• Detects: Malware, Scripts, etc.
• Integrating Microsoft AM engine
• Automatic engine and signature updates
• Subscription based
• Source/Destination exception
• Inspection options (block encrypted, nested archives, file sizes…)
• Logging and reporting support
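The slide lists the per-rule inspection options without showing how they combine. The following is an added example, not TMG code: a toy evaluator in which source/destination exceptions skip inspection entirely, structural limits (encrypted content, nesting depth, size) are decided before the engine runs, and only then does the engine verdict count. The thresholds, the field names and the sample downloads are constructed for illustration; oversized content is blocked here as a deliberate choice, because unscanned content is a blind spot.

```python
"""Added example (not TMG code): evaluate a download against malware
inspection options of the kind listed on the slide.  All thresholds,
exception lists and sample downloads are constructed."""
from dataclasses import dataclass, field


@dataclass
class InspectionPolicy:
    block_encrypted: bool = True                 # encrypted archives cannot be scanned
    max_nesting: int = 5                         # constructed limit on nested archive depth
    max_size_bytes: int = 100 * 1024 * 1024      # constructed limit on scannable size
    exempt_sources: set = field(default_factory=set)       # client IPs never inspected
    exempt_destinations: set = field(default_factory=set)  # hosts never inspected


@dataclass
class Download:
    source_ip: str
    dest_host: str
    size_bytes: int
    encrypted: bool = False
    nesting_depth: int = 0
    engine_verdict: str = "clean"   # what the AM engine reports if the file is scanned


def evaluate(policy: InspectionPolicy, dl: Download):
    """Return (action, reason) for one download.

    Order matters: exceptions bypass scanning altogether, structural limits
    block before any engine work, and the engine verdict decides the rest."""
    if dl.source_ip in policy.exempt_sources:
        return "allow", "source exception"
    if dl.dest_host in policy.exempt_destinations:
        return "allow", "destination exception"
    if dl.size_bytes > policy.max_size_bytes:
        return "block", "exceeds size limit (would be unscanned)"
    if dl.encrypted and policy.block_encrypted:
        return "block", "encrypted content cannot be inspected"
    if dl.nesting_depth > policy.max_nesting:
        return "block", "nested archive depth exceeded"
    if dl.engine_verdict != "clean":
        return "block", f"malware detected: {dl.engine_verdict}"
    return "allow", "scanned clean"


def log_line(policy: InspectionPolicy, dl: Download) -> str:
    """One constructed log record per decision, for the logging/reporting side."""
    action, reason = evaluate(policy, dl)
    return f"{action.upper()} {dl.source_ip} -> {dl.dest_host} ({dl.size_bytes} bytes): {reason}"


if __name__ == "__main__":
    pol = InspectionPolicy(exempt_sources={"10.0.0.5"}, exempt_destinations={"updates.example"})
    print(log_line(pol, Download("10.0.0.7", "files.example", 4096, encrypted=True)))
```

Note that an exception on either side of the connection means the engine never sees the file, so exception lists deserve the same review as the block list.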
Forefront TMG – URL Filtering
Why URL Filtering?
• Enhance security
• Reduce liability risks
• Improve productivity
• Save network bandwidth
• Regulatory compliance
• Analyze Web usage
Classify, Evaluate, Enforce, Report
Forefront TMG URL Filtering Explained
• Categorization services provided by Microsoft Reputation Service (MRS)
• 84 built-in categories
• Secured communication channel
• Subscription based
• Policy editing
• URL Category override
• URL Category query
• Logging and Reporting support
• Web Access Wizard Integration
• Customizable, per-rule, deny messages
[Figure: End users, TMG admin, MRS and the Internet.]
Microsoft Reputation Services
The problem with existing URL filtering solutions: URL classification is complicated, and each vendor focuses on a different area (productivity, malicious sites, spam, etc.)
MRS unique architecture:
• MRS merges URL databases from multiple sources/vendors
• Based on Microsoft internal sources as well as collaboration with third-party partners
• Cloud and local cache
• Scalable
An ongoing collaboration effort: Marshal 8e6 Security, Bright Cloud, iFilter, others
Forefront TMG – HTTPS Inspection
Traditional SSL Security
• Web browser sends CONNECT (when proxy configured): CONNECT host_name:port HTTP/1.1
• Web proxy allows the request to be sent to the TCP port specified in the request
• Proxy informs the client that the connection is established: 200 Connection established
• Client sends encrypted packets directly to destination on specified port without proxy mediation
What lies within this encrypted tunnel?
[Figure: HTTP CONNECT to establish the connection, "200 Connection established" in reply, then an encrypted tunnel through the proxy.]
HTTPS Traffic Inspection
[Figure: the client sees a Contoso.com certificate SIGNED BY TMG; TMG connects to Contoso.com on the Internet, whose certificate is SIGNED BY VERISIGN.]
• Deployment options (via Group Policy or via Export)
• Proxy certificates generation/import and customization
• Exclusion list, validate-only option
• Logging Support
• Web Access Wizard integration
• Client notifications about HTTPS inspection (via TMG Client)
• Certificate validation (Revocation, Trusted, Expiration validation, ...)
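To make the CONNECT exchange and the inspection choices concrete, here is an added example that is not part of the deck or of TMG: a parser for the CONNECT request line followed by a per-destination decision of the kind the slide lists (exclusion list, validate-only, full inspection). The allowed-port set, the exclusion and validate-only lists and the sample request lines are constructed assumptions.

```python
"""Added example (not TMG code): parse a proxy CONNECT request and decide
whether to tunnel it untouched, validate the server certificate only, or
inspect it by terminating TLS.  Lists and samples are constructed."""
import re

# CONNECT host:port HTTP/1.x  (host may be a name or a bracketed IPv6 literal)
CONNECT_RE = re.compile(r"^CONNECT ([A-Za-z0-9.\-]+|\[[0-9A-Fa-f:]+\]):(\d{1,5}) HTTP/1\.[01]$")

ALLOWED_TUNNEL_PORTS = {443}                     # constructed: only the TLS port may be tunnelled
EXCLUDED_FROM_INSPECTION = {"bank.example"}      # constructed exclusion list (e.g. client-cert sites)
VALIDATE_ONLY = {"partner.example"}              # constructed: check the server cert, do not re-sign


def parse_connect(request_line: str):
    """Return (host, port) for a well-formed CONNECT line, else None."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return host.strip("[]").lower(), port


def decide(request_line: str, inspection_enabled: bool = True):
    """Map a CONNECT request to (status_line, mode).

    mode is one of: reject, tunnel, validate-only, inspect."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "HTTP/1.1 400 Bad Request", "reject"
    host, port = parsed
    if port not in ALLOWED_TUNNEL_PORTS:
        # Honouring arbitrary ports would turn the proxy into an open TCP relay.
        return "HTTP/1.1 403 Forbidden", "reject"
    if not inspection_enabled or host in EXCLUDED_FROM_INSPECTION:
        # Traditional behaviour: an opaque tunnel; the proxy forwards ciphertext only.
        return "HTTP/1.1 200 Connection established", "tunnel"
    if host in VALIDATE_ONLY:
        # The proxy checks the real server certificate (trust, expiry, revocation)
        # but does not look inside the session.
        return "HTTP/1.1 200 Connection established", "validate-only"
    # Inspection: TLS is terminated at the proxy, which presents a certificate for
    # `host` signed by its own CA to the client and opens a second TLS session to
    # the real server, validating that server's certificate.
    return "HTTP/1.1 200 Connection established", "inspect"


if __name__ == "__main__":
    for line in ("CONNECT www.contoso.com:443 HTTP/1.1", "CONNECT bank.example:443 HTTP/1.1",
                 "CONNECT www.contoso.com:22 HTTP/1.1", "GET / HTTP/1.1"):
        print(line, "->", decide(line))
```

The status line is identical for all three non-reject modes, which is exactly why the slide calls out client notification: without it, a user cannot tell from the handshake alone whether the session is being inspected.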
Forefront TMG – Network Inspection System
Protecting against vulnerability exploits with NIS
• Detect and block known vulnerability-based attack attempts at the edge of the network or in the data center
• Same day availability of the patch and NIS signature
• Closes the vulnerability window which is needed for patch testing/deployment: patches need to be tested more thoroughly; customer acceptance (similar to AV updates)
[Figure: timeline from "Vulnerability found" to the signature authoring team.]
How NIS Works
Design Time: GAPAL (GAPA Language), Compiler, producing Protocol Parsers and Signatures
Run Time: Microsoft Update delivers Signatures & Protocol Parsers to the NIS Engine, which operates on Network Interception and feeds Telemetry & Portal
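The design-time/run-time split above (protocol parsers compiled separately from signatures, both consumed by one engine) is the key idea behind protocol analysis, as opposed to raw byte matching. The following is an added example and not NIS or GAPA code: a minimal HTTP request parser that produces fields, and signatures written as predicates over those fields. The parser, the two signatures, their thresholds and the sample requests are constructed for illustration and do not correspond to any real NIS signature or vulnerability.

```python
"""Added example (not NIS/GAPA code): a miniature protocol-aware inspection
engine.  A protocol parser normalises traffic into fields; signatures are
predicates over those fields.  Everything here is constructed."""
from urllib.parse import unquote


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser: returns a dict of fields, or None if malformed."""
    try:
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    # Decode percent-encoding so signatures see the canonical path, not the wire bytes.
    path = unquote(target.split("?", 1)[0])
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


# Constructed signatures over parsed fields (not real NIS signatures).
SIGNATURES = {
    "Sig:HTTP/LongPath": lambda req: len(req["path"]) > 512,
    "Sig:HTTP/OversizedHeader": lambda req: any(len(v) > 1024 for v in req["headers"].values()),
}


def inspect(raw: bytes):
    """Return (verdict, matched).  verdict is 'block' if any signature matches.

    Traffic the parser cannot make sense of is blocked here as a constructed
    choice: letting it through would give an attacker a way past every
    signature simply by breaking the protocol grammar."""
    req = parse_http_request(raw)
    if req is None:
        return "block", ["Parser:HTTP/Malformed"]
    matched = [name for name, pred in SIGNATURES.items() if pred(req)]
    return ("block" if matched else "allow"), matched


if __name__ == "__main__":
    sample = b"GET /index.html HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n"   # constructed
    print(inspect(sample))
```

Because the path signature runs on the decoded path, a request whose path is percent-encoded on the wire is judged on the same canonical form as a plain one; a signature on raw bytes would have to enumerate every encoding separately.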
Demo: Protection From Web Based Threats Using Forefront TMG
Multi-Layered Antimalware Protection: Forefront Endpoint Protection 2010
Forefront Endpoint Protection 2010
HELP PROTECT everywhere
• Proven Microsoft Antimalware Engine
• Zero Day Protection through: Behavior Monitoring; Emulation; Heuristics & Generics
• Antimalware/Rootkit Protection
• Windows Firewall Management
• Performance-Oriented Defaults
• Template-driven policy creation based on risk
• Workload-specific policies for servers
INTEGRATE and EXTEND security
• Built on System Center Configuration Manager 2007 R2
• Enterprise Deployment: upgrade from FCS v1; detection & removal of existing endpoint protection solutions; large-scale client roll-out through Configuration Manager
• Extended Topologies: non-domain-joined PCs; branch office topologies; standalone (‘unmanaged’)
SIMPLIFY security MANAGEMENT experience
• Converged System Management
• Simple Centralized Policy
• Critical Level Alerting
• Security admin-oriented Reporting
• Desired Configuration Manager (DCM)-based Vulnerability Assessments
Forefront Endpoint Protection 2010 provides enhanced endpoint protection and simplified management while greatly reducing infrastructure costs
Forefront Endpoint Protection 2010: Enhanced Protection
Protect Endpoints Without Complexity
• Simple interface: keep user interactions minimal and high-level; provide necessary interactions
• Admin-managed options: control user configurability; enforce central policy
Forefront Endpoint Protection Stack (new or improved in Forefront Endpoint Protection 2010!)
[Figure: the FEP component stack: Firewall & Configuration Management, Anti-rootkit, Generics and Heuristics, Real-time Protection, Behavior Monitoring, Dynamic Signature Service, Malware Response.]
• Real-time Protection: core antimalware and management capabilities provide high-quality reactive detection.
• Generics and Heuristics: industry leading proactive detection based on our Dynamic Translation technology.
• Malware Response: FEP customer submissions and telemetry are prioritized across the global response team.
• Browser Protection (PREVIEW): scanning of web content and scripts. FEP 2010 scans the page in-memory, blocking malicious scripts before they run.
• Anti-rootkit: advanced rootkit detection and remediation defends against sophisticated threats.
• Behavior Monitoring: live system behavior monitoring identifies new threats.
• Dynamic Signature Service: delivers real-time signatures from the cloud.
Endpoint Protection Scenarios
[Figure: the Endpoint sends samples to the MMPC and receives signatures.]
1. Known malware: blocked. Some new malware: blocked by generics.
2. Remaining new malware: samples sent to MMPC for analysis. New signatures delivered to customers.
GOAL: Continue to provide high-quality protection & cover more attack vectors.
GOAL: Shrink customer “window of vulnerability” by discovering new threats and delivering signatures faster
[Figure: protection layers in time order. Before malware runs: Real-time Protection, Generics and Heuristics, Browser Protection. After malware runs: Anti-rootkit, Behavior Monitoring, Dynamic Signature Service, Malware Response.]
Dynamic Signature Service
“Interesting” files detected and reported to Microsoft:
• Behavior Monitoring detections
• Anti-rootkit: files hooking the kernel
• Lo-fi signatures: a new class of generics looks for suspicious characteristics as behavior is emulated with dynamic translation
Queries reputation service about ‘interesting’ files:
• If the file is known bad, a new signature is delivered in real-time to the client requesting it
• Balances signature distribution time/cost with need for real-time updates
• Admins must choose to opt-in to use this feature
[Figure: Real-Time Signature Delivery. The Client sends properties/behavior to SpyNet / MRS and receives a reputation answer; on a sample request the client submits the sample, Researchers and Behavior Classifiers produce a real-time signature, which is returned to the client.]
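The two slides above describe a client-side classifier, a reputation query and an opt-in gate; the figure shows the exchange between the client and SpyNet / MRS. The following is an added example, not FEP or SpyNet code, that runs that flow end to end with both sides in one file: a behavior classifier flags "interesting" files, the client hashes the file and queries a reputation service, and a real-time signature comes back only when the admin has opted in and the file is known bad. The classifier rules, the reputation table, the family name, the file records and the signature payload are all constructed.

```python
"""Added example (not FEP/SpyNet code): the Dynamic Signature Service flow as
a two-sided exchange.  Rules, reputation data and samples are constructed."""
import hashlib

# --- client side: behavior classifier ---------------------------------------
SUSPICIOUS_BEHAVIORS = {"hooks_kernel", "disables_av", "injects_into_process"}  # constructed


def classify(file_record: dict) -> list:
    """Return the reasons a file counts as 'interesting' (empty list if none)."""
    reasons = [b for b in file_record["behaviors"] if b in SUSPICIOUS_BEHAVIORS]
    if file_record["unsigned"] and file_record["autostart"]:
        reasons.append("unsigned_autostart")      # constructed lo-fi characteristic
    return reasons


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- service side: reputation lookup ----------------------------------------
KNOWN_BAD = {  # constructed reputation table: hash -> (family, signature payload)
    sha256_hex(b"constructed-malicious-sample"): ("Trojan:Win32/Constructed.A", b"\xde\xad\xbe\xef"),
}


def reputation_query(file_hash: str):
    """Service answer: ('bad', family, signature) or ('unknown', None, None)."""
    if file_hash in KNOWN_BAD:
        family, sig = KNOWN_BAD[file_hash]
        return "bad", family, sig
    return "unknown", None, None


# --- client side: decision ---------------------------------------------------
def handle_file(file_record: dict, opt_in: bool):
    """Return (outcome, details).

    outcome: 'clean' (nothing interesting), 'local-only' (interesting but the
    admin has not opted in, so nothing leaves the endpoint), 'signature-delivered'
    (known bad, real-time signature received) or 'query' (unknown; sample requested)."""
    reasons = classify(file_record)
    if not reasons:
        return "clean", None
    if not opt_in:
        return "local-only", reasons
    verdict, family, sig = reputation_query(sha256_hex(file_record["content"]))
    if verdict == "bad":
        return "signature-delivered", {"family": family, "signature": sig, "reasons": reasons}
    # Unknown to the service: keep it flagged and submit a sample (step 2 on the scenarios slide).
    return "query", {"reasons": reasons, "sample_requested": True}


if __name__ == "__main__":
    sample = {"content": b"constructed-malicious-sample", "behaviors": ["hooks_kernel"],
              "unsigned": True, "autostart": False}   # constructed file record
    print(handle_file(sample, opt_in=True))
```

Only the hash and the classifier's reasons cross the wire in the query; the sample itself goes out only on an explicit request, which is what the opt-in governs.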
Demo: Behavior Monitoring and Dynamic Signature Service
Forefront Endpoint Protection 2010: Simplified Deployment and Management
Building Endpoint Protection On Configuration Manager 2007
Uses existing Configuration Manager 2007 infrastructure
• No new servers
• Integrated console
• Supports SP2/R2 and later
Simple install process
• Installs on root site, deploys to hierarchy
• Discovers Configuration Manager roles and attaches FEP roles and context (or allows separate installs)
• Automatically creates additional components (FEP distribution packages, DCM baselines)
• Creates new reporting database
[Figure: FEP installed at the Central Site and deployed to three Primary Sites.]
Client Distribution and Deployment
Client Distribution
• Configuration Manager software distribution
• Detects and removes incompatible applications
Signature Distribution
• Configuration Manager Software Updates Management
• Also supports: Microsoft Update; point to file share
Forefront Endpoint Protection & Configuration Manager Integration
[Figure: on the Configuration Manager Server, the Configuration Manager Console with FEP Reports and Configuration Manager Reporting, the Configuration Manager DB, the FEP Reporting DB and DCM; on the Managed Computer, the Configuration Manager Agent and the Forefront Endpoint Protection 2010 client with its FEP UI, WMI, the Registry and the Event log, delivered through Configuration Manager Software Distribution.]
Improved Visibility
Fix client security problems in Configuration Manager
• Dashboard view of status
• Drill down to see affected computers to remediate within Configuration Manager
• Receive email alerts on outbreaks
• Provides security policy compliance tracking
Extending Endpoint Protection to Servers
Server-Centric View in OpsMgr
• Predefined settings optimized per server workload
• Server security and availability tasks
• Service Level Objectives reports integrated with OpsMgr 2007 R2
• Real-Time Monitoring and Alerting for Critical Systems
Demo: Forefront Endpoint Protection 2010
Summary
Defense in Depth strategy is necessary to protect from evolving threats.
Microsoft’s Secure Endpoint Solution:
• Provides a holistic security solution for endpoint protection
• Lowers deployment cost via shared infrastructure and common technologies
• Simplifies management of endpoint security
Learn more & try our solutions at: www.microsoft.com/forefront
Related Content
• SIA320 | Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft's Secure Endpoint Solution
• SIA301 | Secure Endpoint: DirectAccess and Microsoft Forefront Unified Access Gateway 2010, the Complete Remote Access Solution
• SIA308 | Secure Endpoint: Advanced Protection from Dynamic Threats, a Microsoft Forefront Threat Management Gateway 2010 Deep Dive
• SIA309 | Secure Endpoint: What’s in Microsoft Forefront Endpoint Protection 2010 - A Deep Dive into the Features and Protection Technologies
• SIA325 | Secure Endpoint: Virtualizing Microsoft Forefront Threat Management Gateway (TMG)
• SIA02-INT | Secure Endpoint: Planning DirectAccess Deployment with Microsoft Forefront Unified Access Gateway
• SIA07-INT | Secure Endpoint: Architecting Forefront Endpoint Protection 2010 on Microsoft System Center Configuration Manager
• SIA05-HOL | Microsoft Forefront Threat Management Gateway Overview
• SIA09-HOL | Secure Endpoint Solution: Business Ready Security with Microsoft Forefront and Active Directory
• SIA11-HOL | Microsoft Forefront Unified Access Gateway (UAG) and Direct Access: Better Together
• Red SIA-3 | Microsoft Forefront Secure Endpoint Solution
Track Resources
Learn more about our solutions: http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial
Resources
• www.microsoft.com/teched – Sessions On-Demand & Community
• www.microsoft.com/learning – Microsoft Certification & Training Resources
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers
Complete an evaluation on CommNet and enter to win!
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
JUNE 7-10, 2010 | NEW ORLEANS, LA