Introducing Microsoft Forefront Client Security
Posted 07-Jun-2015
Transcript

Introducing Microsoft Forefront Client Security
Steve Lamb
Technical Security Advisor, Microsoft Ltd
stephen.lamb@microsoft.com
http://blogs.technet.com/steve_lamb
Introduction
Infrastructure Overview
Defining Security Steady State
Keeping Systems Up to Date
Reporting and Alerting
Summary
Threats are more dangerous than ever
• More advanced
• Profit motivated
• More frequent
• Application-oriented

Fragmentation of security technology
• Too many point products
• Poor interoperability among security products
• Lack of integration with IT infrastructure

Difficult to use, deploy and manage
• Multiple consoles
• Uncoordinated event reporting & analysis
• Cost and complexity
Security Solution Requirements

"All security frameworks should include a comprehensive, layered approach..."
Understanding the Nine Protection Styles of Host-Based Intrusion Prevention, Gartner, May 2005

"Integration and simplified manageability are important drivers when purchasing security"
The State of Security in SMB & Enterprises, Forrester Research, Inc., Sept. 21, 2005

Microsoft Forefront's comprehensive line of business security products helps you gain greater protection through deep integration and simplified management.
Microsoft anti-malware product family

Capabilities:
• Remove most prevalent viruses
• Remove all known viruses
• Real-time antivirus
• Remove all known spyware
• Real-time antispyware
• Central reporting and alerting
• Customization
• IT infrastructure integration

For individual users: MSRT, Windows Defender, Windows Live Safety Center, Windows Live OneCare
For businesses: Microsoft Forefront Client Security
• One solution for spyware and virus protection
• Built on protection technology used by millions worldwide
• Effective threat response
• Complements other Microsoft security products

• One console for simplified security administration
• Define one policy to manage client protection agent settings
• Deploy signatures and software faster
• Integrates with your existing infrastructure

• One dashboard for visibility into threats and vulnerabilities
• View insightful reports
• Stay informed with state assessment scans and security alerts

Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control.
One engine for virus and spyware protection
• Also used in Windows Defender, OneCare, Antigen, MSRT, etc.
• Comprehensive system cleaning for viruses and spyware, with checks to ensure the system is fully functional after cleaning
• Real-time, scheduled or on-demand detection & removal
Tenets of a unified design
• Security, accuracy & performance: core engine metrics
• Scale: usage drives sample submissions and signature creation
• Multi-user or limited-user support
• Consistent UX for detection & protection from malware
Detection and removal capabilities include:
• Scanning dozens of archives and packers
• Using tunneling signatures that bypass user-mode rootkits
• Code emulation for behavior analysis and polymorphic viruses
• Heuristic or generic detections for new malware and variants

Directed quick-scan
• Identifies latent registry keys and files that reference the scan target files
• Quarantines/removes ClassIDs, RunKeys, and the infected files as one unit

Cleaning scripts
• Custom script language for cleaning difficult threats

Flexible engine design enables
• Frequent updates for new format support and detection features
• Engine to be delivered as part of the signature package
Define security steady state: specify the ongoing security behavior of my clients
Keep systems up-to-date: ensure that clients have the latest signatures
View reports: determine the security state, now and over time
Respond to alerts: what critical security events require my attention?
Console deploys policy through use of Active Directory Group Policy Objects
Granularity at OU level, with exceptions using security groups

If Policy A is assigned to the Redmond OU and Policy B to the Marketing security group, then Marketing machines in the Redmond OU will get Policy B.

Console creates GPO, sends it to Sysvol, Group Policy deploys the profile
Policy applied on host per AD default
[Diagram: console reads and saves the GPO]
*Agents deployed via existing software distribution system
Policy deployment options compared:

                                    Client Security Console   GPMC                    Existing SW Dist System
Infrastructure used                 AD/GP                     AD/GP                   SW dist system
Targeting granularity               OU-level                  Single machine          Single machine
Create and edit profile             In Console                GPMC, using ADM file    Exported files
Profile exceptions                  Security Groups           Unlimited               Unlimited
Enables profile compliance report   Yes                       No                      No
Security Research Organization
• Tightly integrated with industry-leading MSRC response process
• Dedicated team, analysis automation and testing
• Multiple data sources enabling advanced telemetry on threats
• Identify malware and create signature definitions
• Develop Windows Defender (25+ million users) & MSRT
• Achieved VB 100% award, West Coast Labs & ICSA Certification with protection engine implementation in Windows Live OneCare
• MSRT whitepaper: in-depth perspective of the malware landscape
Signature deployment optimized for Windows Server Update Services (WSUS)
• Can use any software distribution system
• Auto and manual approval of definitions

Client Security installs an Update Assistant service to:
• Increase sync frequency between WSUS and Microsoft Update (MU) for definitions
• Notify console when new signatures require approval
• Support for roaming users
• Failover from WSUS to Microsoft Update

[Diagram: Malware Research -> MU -> (sync) -> WSUS + Update Assistant -> (sync) -> Desktops, Laptops and Servers]
One dashboard for visibility into threats and vulnerabilities

Insightful reports
• Real-time and emerging trends
• Focus on critical information
• Executive reports
• Drill down for detail
• Linked within the console
• Built on MOM 2005 technology
• Uses SQL Reporting Services

Enables focus on threats and possible vulnerabilities
• State assessment scans determine which machines need to be patched or are configured insecurely
• Report categories include: Malware Threat(s), Vulnerability Summary, Scan Results, Historical Information, Summary Report

[Console screenshot: Deployment, Alerts, Computers; Security Summary, Alert Summary, Computer Summary, Threat Summary, Vulnerability Summary, Deployment Summary]
Alert configuration is policy specific

Alerts notify admin of high-value incidents, including:
• Malware detected
• Malware failed to remove
• Malware outbreak
• Malware protection disabled

Alert levels control type & volume of alerts generated, from level 1 (critical issues only, low-value assets) to level 5 (rich data, high-value assets):
1. Outbreak
2. Malware removal failed
3. Signature update failed
4. Malware detected and removed
5. Signature update failed (per min)
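As an added example (not from the deck and not Microsoft's code), the two rules the slides describe modelled in Python: a policy targeted at a security group overrides the OU policy, and the resolved policy's alert level decides which client events become console alerts. The event names, the cumulative reading of the level ladder, and the hosts, policies and events are constructed assumptions; level 5's per-minute re-alerting is not modelled.

```python
"""Forefront Client Security policy targeting and alert levels, modelled.

Added illustration, not Microsoft's code: a security-group policy overrides
the OU policy, and the alert level (1 = critical only, 5 = rich data)
decides which client events the console raises as alerts.
"""
from dataclasses import dataclass

# Minimum alert level at which each event type is raised, reconstructed from
# the slide's ladder (assumption: levels are cumulative). Level 5's
# per-minute re-alerting of signature failures is not modelled.
ALERT_THRESHOLD = {
    "malware_outbreak": 1,
    "malware_removal_failed": 2,
    "signature_update_failed": 3,
    "malware_detected_and_removed": 4,
}

@dataclass(frozen=True)
class Policy:
    name: str
    alert_level: int  # 1..5

def resolve_policy(ou, groups, ou_policies, group_policies):
    """Security-group policy (exception) wins over the OU policy; with several
    matching groups the first in `groups` order is used (assumption)."""
    for group in groups:
        if group in group_policies:
            return group_policies[group]
    return ou_policies[ou]

def alerts_for(policy, events):
    """Events that become alerts: threshold <= level; unknown types never do."""
    if not 1 <= policy.alert_level <= 5:
        raise ValueError("alert level must be 1..5")
    return [e for e in events
            if ALERT_THRESHOLD.get(e, 6) <= policy.alert_level]

# Constructed sample (assumed values): Policy A on the Redmond OU at level 1,
# Policy B on the Marketing security group at level 4.
OU_POLICIES = {"Redmond": Policy("Policy A", alert_level=1)}
GROUP_POLICIES = {"Marketing": Policy("Policy B", alert_level=4)}
SAMPLE_EVENTS = ["signature_update_failed", "malware_detected_and_removed",
                 "malware_outbreak", "unknown_event"]

def demo(ou, groups):
    """Resolve one host's policy and filter the constructed event feed."""
    policy = resolve_policy(ou, groups, OU_POLICIES, GROUP_POLICIES)
    return policy.name, alerts_for(policy, SAMPLE_EVENTS)
```

A Marketing machine in the Redmond OU resolves to Policy B and alerts on three of the four sample events; a non-Marketing machine in the same OU resolves to Policy A and alerts only on the outbreak.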
Currently in private beta with select customers
Public beta planned for Q4 CY2006
Release to manufacturing planned for 1H CY2007
Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control
• Unified Protection
• Simplified Administration
• Critical Visibility & Control
An integral part of Microsoft Forefront
For more information
Visit http://www.microsoft.com/clientsecurity to learn about Forefront Client Security and register for beta information
Visit http://www.microsoft.com/forefront to learn more about other Microsoft Forefront offerings