SESSION CODE: SIA309
Secure Endpoint: What's in Microsoft Forefront Endpoint Protection 2010 – A Deep Dive into the Features and Protection Technologies
Adwait Joshi, Senior Technical Product Manager, Microsoft
Bill Jensen, Senior Product Planner, Microsoft

Agenda
• The Secure Endpoint Solution
• Enhanced Protection Technologies
• Simplified Deployment and Management
Business Ready Security
Help securely enable business by managing risk and empowering people
• Pillars: Protection, Access, Identity and Management, on a highly secure and interoperable platform
• Protect everywhere, access anywhere
• Integrate and extend security across the enterprise
• Simplify the security experience, manage compliance
• Across on-premise and cloud, moving from Block to Enable, from Cost to Value, from Siloed to Seamless

Secure Endpoint Solution
Protect endpoints from emerging threats and information loss, while enabling more secure access from virtually anywhere.
PROTECT everywhere | ACCESS anywhere | INTEGRATE and EXTEND security | SIMPLIFY security, MANAGE compliance
• Provides unified administration for desktop management and protection
• Increases visibility of potentially vulnerable desktops
• Enables multi-layered anti-malware protection
• Protects critical data wherever it resides
• Provides more secure always-on access
• Uses existing System Center Configuration Manager infrastructure
• Builds on and extends Windows security

Forefront Endpoint Protection 2010
Lower Cost of Deployment
• Built on Configuration Manager software distribution infrastructure
• Supports all Configuration Manager topologies, including branch office and non-domain-joined
• Ease of migration
• Deployed across various operating systems (Windows client and server)
Be Protected and Stay Productive
• Protect your desktops against viruses, spyware, rootkits and other malware
• Productivity-oriented default configuration
• Integrated host firewall management
• Backed by global Malware Research and Response
Unified Desktop Management
• Unified management interface targeted at the desktop admin
• Actionable and timely alerting
• Simple, operation-oriented policy administration
• Historic reporting for the security administrator
Protection Scenarios
Protection: "I need an effective yet easy experience on my PCs to protect files, information, and identity"
High Productivity: "My users just want to work with minimal productivity hit, in the office or on the go"
Malware Protection
• Proven Microsoft Antimalware Engine
• Zero-day protection through behavior monitoring, emulation, heuristics and generics
• Antimalware/rootkit protection
• Windows Firewall management
• Performance-oriented defaults
• Template-driven policy creation based on risk
• Workload-specific policies for servers

Protect Clients Without Complexity
• Simple interface: keep user interactions minimal and high-level, and provide only the necessary interactions
• Admin-managed options: control user configurability and enforce central policy
The Protection Stack
Layered view of reactive techniques (against known threats) and proactive techniques (against unknown threats), split into what FEP 2010 adds and what Windows 7 already provides:
• Application layer: Behavior Monitoring (FEP 2010)
• Address space layer: Address Space Layout Randomization, Windows Resource Protection, Data Execution Prevention (Windows 7)
• File system layer: Dynamic Translation & Emulation and Antimalware (FEP 2010); Internet Explorer 8 SmartScreen and AppLocker (Windows 7)
• Network layer: Windows Firewall centralized management (FEP 2010); Windows Firewall (Windows 7)

Antimalware Architecture
Client: Client UI, systray icon and Windows Security Center (WSC) integration
User mode: Behavior Monitoring, AM Engine + signatures, Rootkit Detection
Kernel mode: real-time protection (RTP) minifilter
Backend: Microsoft Update, SpyNet/MRS portal, signatures, sample queue/automation
Capabilities:
• Real-time on-access protection
• System scanning and cleaning
• Behavior monitoring
• Reputation services
• Dynamic Signature Service
• Rootkit detection and removal

Endpoint Protection Methods
Before malware runs:
• Real-time protection
• Generics/heuristics
• Scheduled/on-demand scans
After malware runs:
• Behavior and kernel monitoring
• Behavior monitoring events
• Advanced remediation
New in FEP: SpyNet/MRS, improved low-fidelity generics, Dynamic Signature Service, Response Portal
Dynamic Translation (DT)
• DT translates code that accesses real resources (unsafe) into code that accesses virtualized resources (safe).
• DT runs the translated program on the real CPU, so it is very fast.
Potential malware (source):
    HANDLE hFile;
    hFile = CreateFile(L"NewVirus.exe", GENERIC_WRITE, 0, NULL, CREATE_NEW,
                       FILE_ATTRIBUTE_HIDDEN, NULL);
    ...
Compiled call against real resources:
    ...
    push    40000000h                          ; GENERIC_WRITE
    push    offset string L"NewVirus.exe"
    call    dword ptr [__imp__CreateFileW@28]
    cmp     esi,esp
    ...
Safe translation against virtualized resources (only the call target changes):
    ...
    push    40000000h
    push    offset string L"NewVirus.exe"
    call    dword ptr [DT_CreateFile]
    cmp     esi,esp
    ...

Dynamic Signature Service
• SpyNet / MRS
• Low-fidelity signatures: a new class of generics looks for suspicious characteristics as behavior is emulated with dynamic translation
• Queries the reputation service about "interesting" files
• If the file is known bad, a new signature is delivered in real time to the client requesting it
• Balances signature distribution time and cost against the need for real-time updates
• Admins must opt in to use this feature
Flow: the client emulates the sample, sends its properties and behavior to the service, and receives a real-time signature; researchers work from reputation data, real-time signature delivery and behavior classifiers; samples can be requested and submitted for analysis
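As an added illustration of the two slides above (constructed example code, not FEP's engine or any Microsoft code), the C program below models dynamic translation at the import-table level: the sample reaches the OS only through a table of function pointers, translation swaps each entry for a DT_* stub whose effects land in a virtualized file table, and the sample then runs natively. A low-fidelity generic inspects the virtual table for the "suspicious characteristic" the slide's snippet produces, a hidden executable being dropped. The real engine translates at the instruction level, as the assembly on the DT slide shows; GENERIC_WRITE and FILE_ATTRIBUTE_HIDDEN use the real Win32 values, while vfile_t, imports_t, the DT_* stubs, dt_analyze and the hidden-executable rule are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of dynamic translation (DT); not FEP code.
 * The sample reaches the OS only through an import table of function pointers.
 * Translation swaps each real import for a DT_* stub with the same signature
 * whose effects land in a virtualized file table; the sample then runs
 * unmodified on the real CPU. GENERIC_WRITE and FILE_ATTRIBUTE_HIDDEN are the
 * real Win32 values; vfile_t, imports_t, the DT_* stubs and the dropper rule
 * are assumptions of this example. */

#define GENERIC_WRITE         0x40000000u
#define FILE_ATTRIBUTE_HIDDEN 0x00000002u
#define MAX_VFILES            16

/* One virtualized file: what the sample believes it created. */
typedef struct {
    char     name[64];
    unsigned access;
    unsigned attrs;
    unsigned bytes_written;
} vfile_t;

static vfile_t vfs[MAX_VFILES];   /* the only file system the translated sample sees */
static int     vfs_count;

/* Import table: the sample's only route to resources. */
typedef struct {
    int (*CreateFile)(const char *name, unsigned access, unsigned attrs);
    int (*WriteFile)(int handle, const void *buf, unsigned len);
} imports_t;

/* Untranslated ("real") imports. They refuse instead of touching the host,
 * so an untranslated run is visibly unsafe rather than silently so. */
static int real_CreateFile(const char *name, unsigned access, unsigned attrs)
{
    (void)access; (void)attrs;
    fprintf(stderr, "UNSAFE: real CreateFile(\"%s\") reached the host\n", name);
    return -1;
}
static int real_WriteFile(int handle, const void *buf, unsigned len)
{
    (void)handle; (void)buf; (void)len;
    fprintf(stderr, "UNSAFE: real WriteFile reached the host\n");
    return 0;
}

/* DT stubs: same ABI as the real imports, effects recorded in vfs[]. */
static int DT_CreateFile(const char *name, unsigned access, unsigned attrs)
{
    if (vfs_count == MAX_VFILES) return -1;
    vfile_t *f = &vfs[vfs_count];
    snprintf(f->name, sizeof f->name, "%s", name);
    f->access = access;
    f->attrs = attrs;
    f->bytes_written = 0;
    return vfs_count++;               /* the handle is the table index */
}
static int DT_WriteFile(int handle, const void *buf, unsigned len)
{
    (void)buf;
    if (handle < 0 || handle >= vfs_count) return 0;
    vfs[handle].bytes_written += len;
    return 1;
}

/* Translation step: rewrite the import table so every call is redirected. */
static void dt_translate(imports_t *imp)
{
    imp->CreateFile = DT_CreateFile;
    imp->WriteFile  = DT_WriteFile;
}

/* The sample from the slide: drops a hidden NewVirus.exe (constructed). */
static void potential_malware(const imports_t *imp)
{
    static const unsigned char mz_stub[] = { 'M', 'Z', 0x90, 0x00 };
    int h = imp->CreateFile("NewVirus.exe", GENERIC_WRITE, FILE_ATTRIBUTE_HIDDEN);
    if (h >= 0) imp->WriteFile(h, mz_stub, sizeof mz_stub);
}

/* A benign sample for comparison: writes a plain text file (constructed). */
static void benign_program(const imports_t *imp)
{
    int h = imp->CreateFile("notes.txt", GENERIC_WRITE, 0);
    if (h >= 0) imp->WriteFile(h, "hello", 5);
}

/* Low-fidelity generic (assumed rule): a sample that writes a non-empty
 * hidden .exe is an "interesting" file worth a reputation query. */
static int dt_suspicious_dropper(void)
{
    for (int i = 0; i < vfs_count; i++) {
        size_t n = strlen(vfs[i].name);
        int is_exe = n > 4 && strcmp(vfs[i].name + n - 4, ".exe") == 0;
        if (is_exe && (vfs[i].attrs & FILE_ATTRIBUTE_HIDDEN) && vfs[i].bytes_written > 0)
            return 1;
    }
    return 0;
}

int dt_vfile_count(void) { return vfs_count; }

/* Run a sample under DT; returns 1 if the generic fires, 0 otherwise. */
int dt_analyze(void (*sample)(const imports_t *))
{
    imports_t imp = { real_CreateFile, real_WriteFile };
    vfs_count = 0;
    memset(vfs, 0, sizeof vfs);
    dt_translate(&imp);
    sample(&imp);                     /* native execution, virtual side effects */
    return dt_suspicious_dropper();
}

int main(void)
{
    printf("NewVirus.exe dropper flagged: %d\n", dt_analyze(potential_malware));
    printf("notes.txt writer flagged:     %d\n", dt_analyze(benign_program));
    return 0;
}
```

The point the model makes is the one the slide makes: translation changes only where calls land, so the sample's own instructions still execute natively, yet the file it drops never reaches the host and can be examined afterwards. The generic here is deliberately low-fidelity; in the service described above such a hit would trigger a reputation query rather than a conviction on its own.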
Management Scenarios
Keep Protected: "I need to centrally monitor FEP deployment, push missing updates and fix configuration issues"
Report Compliance: "Show me last month's trend of protection compliance"
Alert on Outbreak: "Alert me on emerging threats before they affect productivity"
Management
• Converged system management
• Simple centralized policy
• Critical-level alerting
• Security admin-oriented reporting
• Desired Configuration Management (DCM)-based vulnerability assessments

Building Endpoint Protection On Configuration Manager 2007
• Uses existing Configuration Manager 2007 infrastructure: no new servers, integrated console
• Supports SP2/R2 and later
• Simple install process: installs on the root site, deploys to the hierarchy
• Discovers Configuration Manager roles and attaches FEP roles and context (or allows separate installs)
• Automatically creates additional components (FEP distribution packages, DCM baselines)
• Creates a new reporting database
Topology: FEP installs at the central site and is deployed down to each primary site

Client Distribution and Deployment
Client distribution
• Configuration Manager software distribution
• Detects and removes incompatible applications
Signature distribution
• Configuration Manager Software Updates Management
• Also supports Microsoft Update and pointing clients at a file share
Forefront Endpoint Protection & Configuration Manager Integration
• Server side: the Configuration Manager console hosts the FEP UI; the FEP reporting database sits alongside the Configuration Manager database, and FEP reports are surfaced through Configuration Manager reporting
• Managed computer: the Configuration Manager agent and the Forefront Endpoint Protection 2010 client exchange state through the event log, registry and WMI
• Configuration Manager software distribution delivers the client and policy; DCM evaluates configuration compliance

Control Policy Where You Feel Comfortable
• Configuration Manager: operationalized interface; provides logging, reporting and status
• Group Policy: allows server admins to manage directly; reporting and logging still flow through the System Center interface
Data flow: the FEP client (firewall and antimalware) exposes status, tasks and events through the event log, registry and WMI; policy arrives from Configuration Manager or Group Policy, and updates from WSUS

Check Client Protection Status
• Fix client security problems in Configuration Manager
• Dashboard view of status
• Drill down to see affected computers and remediate within Configuration Manager
• Receive email alerts on outbreaks
Track Historic Security Compliance
• Provides security policy compliance tracking for the security organization
• Security-specific information store for historical reporting

Extending Endpoint Protection to Servers
• Server-centric view in Operations Manager
• Predefined settings optimized per server workload
• Server security and availability tasks
• Service Level Objective reports integrated with Operations Manager 2007 R2
• Real-time monitoring and alerting for critical systems

Forefront Endpoint Protection: The Road Ahead
FEP 2010
• Customer Technical Preview (CTP2): see the demo at the Forefront booth (Expo Hall)
• Beta: Q3 2010
• RTM: H2 2010
• Operations Manager management pack: H1 2011
FEP vNext
• Deeper integration with Configuration Manager
• High-priority information channel for security incidents
• Role-based and scope-based access controls for security admins
• Heterogeneous support for Mac and Linux

Key Takeaways
Convergence of endpoint protection and client management will:
• Lower deployment cost via shared infrastructure and common technologies
• Enhance endpoint protection through a single console for configuration
• Increase visibility through a single pane of glass
Related Content
Breakout sessions
• SIA320 | Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft's Secure Endpoint Solution
• SIA301 | Secure Endpoint: DirectAccess and Microsoft Forefront Unified Access Gateway 2010, the Complete Remote Access Solution
• SIA308 | Secure Endpoint: Advanced Protection from Dynamic Threats, a Microsoft Forefront Threat Management Gateway 2010 Deep Dive
• SIA309 | Secure Endpoint: What's in Microsoft Forefront Endpoint Protection 2010 - A Deep Dive into the Features and Protection Technologies
• SIA325 | Secure Endpoint: Virtualizing Microsoft Forefront Threat Management Gateway (TMG)
Interactive sessions
• SIA02-INT | Secure Endpoint: Planning DirectAccess Deployment with Microsoft Forefront Unified Access Gateway
• SIA07-INT | Secure Endpoint: Architecting Forefront Endpoint Protection 2010 on Microsoft System Center Configuration Manager
Hands-on labs
• SIA05-HOL | Microsoft Forefront Threat Management Gateway Overview
• SIA09-HOL | Secure Endpoint Solution: Business Ready Security with Microsoft Forefront and Active Directory
• SIA11-HOL | Microsoft Forefront Unified Access Gateway (UAG) and DirectAccess: Better Together
Demo station
• Red SIA-3 | Microsoft Forefront Secure Endpoint Solution
Track Resources Learn more about our solutions: http://www.microsoft.com/forefront Try our products: http://www.microsoft.com/forefront/trial
Resources
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.