NIC2012 - System Center Endpoint Protection 2012

System Center Endpoint Protection 2012 slides from the presentation at NIC2012, 13-14 Jan 2012 in Oslo

Transcript

  • 1. Nicolai Henriksen, Chief Infrastructure Architect, EDB ErgoGroup, MVP Configuration Manager. Blog: systemcenterforefront.blogspot.com. Twitter: @nicolaitwitt
  • 2. What's new in Endpoint Protection 2012
      – Integrated in System Center Configuration Manager 2012
      – Improved real-time alerts and reports
      – Role-based management
      – User-centric reports (post beta)
      – Easy migration from FEP 2010/ConfigMgr 2007
      – Support for FEP 2010 client agents
      – Endpoint Protection 2012 continues to provide proactive protection against known and unknown threats using multiple technologies in the antimalware engine, such as behavior monitoring, the network inspection system and heuristics. With cloud-based updates through the SpyNet service, endpoints get updated protection against new threats in real time.
      – Benefits of enabling Dynamic Signature Service in FEP
  • 3. Do we need antivirus?
  • 4. Important: no exceptions
  • 5. Are we ready for the market? NIC 2012
  • 6. History: "It's not a newbie"
  • 7. Forefront Client Security in 2006
  • 8. Security Essentials beta 2008. Release of the beta in November 2008. They'd had some previous offerings (Windows Defender), but Security Essentials was the first to offer a complete anti-virus and anti-spyware solution that was free (Windows Live OneCare was a short-lived subscription-based precursor to Security Essentials). January 16, 2012
  • 9. Security Essentials was not meant to compete with other "for-pay" anti-virus software, but is instead aimed at the 50-60% of PC users who don't have (or won't pay for) anti-virus and anti-malware protection. It's clear that Microsoft was doing something right; in February 2010, a rogue anti-virus package calling itself Security Essentials 2010 … Microsoft has built on the success of Security Essentials in the enterprise with the new Forefront Endpoint Protection 2010 package.
  • 10. Forefront Endpoint Protection 2010 released December 2010
  • 11. "Hey, if I can have free anti-virus on my home PC, why are we paying so much for it for our enterprise desktops?"
  • 12. System Center Endpoint Protection 2012 – RTM soon
  • 13. If I were to make antivirus software, I would have wanted it to be...
      – Very good at detecting and removing malware!
      – As fast as possible
      – Using as little resources as possible
      – Easy to deploy
      – Easy to manage, with good reporting
  • 14. Is it any good?
  • 15. http://www.virusbtn.com/vb100/archive/compare?tab=onDemand&id=23&id2=2&id3=3&id4=52&id5=&id6=
  • 16. Facts: System Center Endpoint Protection 2012 is the next-generation security and antimalware solution integrated into System Center Configuration Manager 2012. FEP provides a software solution that delivers security and antimalware management for desktops, portable computers, and servers, while providing a lower total cost-of-ownership enterprise solution that enables desktop administrators in your organization to add security management to their day-to-day operations.
  • 17. Endpoint Protection 2012: one infrastructure for desktop management and protection
      – Simplified Deployment: built on top of Microsoft® System Center Configuration Manager; supports all System Center Configuration Manager topologies and scale; facilitates easy migration; deploy across various operating systems (Windows® client and Server)
      – Enhanced Protection: protection against all types of malware; proactive security against zero-day threats; productivity-oriented default configuration; integrated management of host firewall; backed by Microsoft Malware Protection Center
      – Ease of Desktop Management: unified management interface for desktop administrators; effective alerts; simple, operation-oriented policy administration; historical reporting for security administrators
  • 18. Antimalware Realities: malware threats used to be relatively simple…
  • 19. Antimalware Realities: with advances in the Web come increasingly complex threats
  • 20. Malware has grown into a thriving global business: 1) a "malware author" grows a BOTNET and makes it available to "buyers"; 2) access is purchased via a "marketplace"; 3) BOTNET use is granted; 4) BOTNET attacks are seen at multiple entry points; 5) the BOTNET also serves to "recruit" additional bots
  • 21. Antimalware Realities: the volume of malware is exploding [chart: Malicious Files, 0 to 40 000 000, for 2006, 2008 and 2010]
  • 22. Antimalware Engineering Releases
      – Platform – once yearly
      – Engine – monthly
      – Signatures – 3x per day
      – Dynamic Signatures (DSS) – real time
  • 23. Some features
      – Zip file detection/remediation
      – Diagnostic scan
      – Process/registry/network RTP watchers
      – Directional scanning
      – Persisted file cache
      – Wildcard support for exclusions
      – Scheduled scan randomization
      – CPU throttling
      – Command line scanner
      – Signature update package chaining
      – UNC signature distribution
      – Signature source ordering fallback
      – Dynamic translation
      – Kernel inspection
      – Dynamic signature service
      – WLSP integration
      – Network vulnerability shielding (NIS)
      – Kernel Support Library (KSL) driver
      – Reboot tracking (remediation)
      – Directed scanning improvements
      – Offline scan integration
      – Service hardening/anti-tampering
      – State management
      – Kernel-mode boot-time removal
      – Live system behavior monitoring
  • 24. Dynamic Signature Service (DSS)
      – Delivers protection for new threats not in the signature set on the endpoint.
      – Low fidelity: a new class of generics looks for suspicious characteristics as behavior is emulated with Dynamic Translation
      – Queries the SpyNet telemetry service about "interesting" files
      – Back-end classifiers use machine learning to identify new malware
      – If the file is known bad, a new signature is delivered in real time to the client requesting it
      – Balances signature distribution time/cost with the need for real-time updates
      – Admins must choose to opt in to at least "Basic" SpyNet to use this feature
      [Sidebar on the slide, protection stack: Firewall & Configuration Management, Antimalware, Generics and Heuristics, Dynamic Signature Service, Behavior Monitoring, Anti-Rootkit, Vulnerability Shielding, Malware Response "MMPC"]
  • 25. Anti-Rootkit
      – Advanced rootkit scanning and remediation defends against sophisticated threats.
      – New remediation features: Reboot Tracking (provides awareness that the system is in the process of rebooting, which lets us take aggressive remediation actions that would be too risky otherwise, e.g. swapping out registry hives); Directed scanning improvements; Offline scan integration; Diagnostic Scan
      – Microsoft Anti-Rootkit Test Results (source: AV-Test.org), anti-rootkit detection rate as Detect inactive / Detect active / Remove active: 2007: 83% / 57% / 33%; 2009: 100% / 72% / 60%; 2010: 100% / 100% / 86%
  • 26. Logs (log name – description – computer with log file)
      – EndpointProtectionAgent.log – Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client – Client
      – EPCtrlMgr.log – Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database – Site system server
      – EPMgr.log – Monitors the status of the Endpoint Protection site system role – Site system server
      – EPSetup.log – Provides information about the installation of the Endpoint Protection site system role – Site system server
  • 27. Simplified Deployment & Migration [diagram: Central Administration Site above Primary Sites]
  • 28. FEP Policy: CfgMgr or Group Policy?
      – You should consider managing policy with CfgMgr if… you want unified management (recommended); you have CfgMgr deployed on all the computers you will manage; you have non-domain-joined machines; you do not want to have to understand and manage many low-level settings; you don't need more than one policy per computer, even on servers
      – You should consider managing policy with Group Policy if… some of the computers you want to manage don't have CfgMgr; you prefer to manage policy with Group Policy; you want extremely granular control over settings; you prefer to "layer" policies, that is, to apply more than one policy per computer
  • 29. Policy Templates - Client (Standard / High Security / Perf. Optimized)
      – Enable NIS, Scan only when idle, Force if 2 scans missed (on reboot): indicated with check marks on the slide (the marks are not preserved in the transcript)
      – Scheduled Scans: Weekly Quick / Daily Quick and Weekly Full / Weekly Quick
      – Throttle CPU: 50% / - / 30%
      – Force definition update after: 1 day / 1 day / -
      – Firewall: Block incoming in all profiles / Block incoming in all profiles / Not Configured
  • 30. Available Server Workloads Policies (# – Server Role or Server Application)
      1. SQL 2005 Ent/Std (with clustering)
      2. SQL 2008 Ent/Std (with clustering)
      3. SCOM 2007 R2 (with clustering) in FEP-S Configuration
      4. SCCM 2007 (with clustering) in FEP Configuration
      5. Exchange 2007 (HubTransport, ClientAccess, Mailbox)
      6. Exchange 2010 (HubTransport, ClientAccess, Mailbox)
      7. SharePoint
      8. File Services
      9. Internet Information Services 6
      10. Internet Information Services 7
      11. DNS Server
      12. Active Directory Domain Services (including SYSVOL/FRS/DFS/DFS-R)
      13. DHCP Server
      14. Terminal Services
      15. Hyper-V
      16. Forefront Protection for Exchange
  • 31. Default Policies
      – FEP provides 2 default policies:
      – Default Desktop Policy: weekly quick scan, RTP on, default exclusions, Firewall enabled; assigned to the Deployment Succeeded / Deployed Desktops collection
      – Default Server Policy: no scheduled scan, RTP on, default exclusions, Firewall not enabled; assigned to the Deployment Succeeded / Deployed Servers collection
      – Can be modified but not deleted
  • 32. Policy Precedence
      – Computers can belong to multiple Collections, so may be candidates for multiple policies
      – Only one policy can be applied via ConfigMgr at a time – ConfigMgr-delivered policy does not support "layering"
      – Precedence is used to determine the effective policy
  • 33. FEP Architecture [diagram: SpyNet; Config./Dashboard/Reports; SQL Reporting Services; ConfigMgr Site Server & DB; ConfigMgr Software Distribution (or File Share); ConfigMgr Desired Configuration Management; DATA, EVENTS and TELEMETRY flows; Desktops, Laptops, and Servers running ConfigMgr Client & EP 2012]
  • 34. EP Capacity Planning (criteria – recommended 300K topology based on CM HW recommendation – EP 2012 resource availability, internal test results)
      – SQL server CPU impact by EP (delta): 20% – <5%
      – SCCM Server CPU impact by EP (delta): 10% – <2%
      – Memory footprint: 500MB – <100MB
      – Expected disk capacity after 1 year*: 500GB – <400GB
      * Actual capacity planning depends on organization load profile, retention policy and specific hardware deployment. http://blogs.technet.com/b/clientsecurity/archive/2011/01/19/fep-capacity-planning-worksheet.aspx
  • 35. Supported platforms: Windows 7 (x86 or x64), or Windows 7 XP mode, or Windows Vista (x86 or x64) or later versions, or Windows XP Service Pack 2 (x86 or x64) or later versions, or Windows Server 2008 R2 (x64) or later versions, or Windows Server 2008 R2 Server Core (x64), or Windows Server 2008 (x86 or x64) or later versions, or Windows Server 2003 Service Pack 2 (x86 or x64) or later versions, or Windows Server 2003 R2 (x86 or x64) or later versions
  • 36. Migration to Endpoint Protection made simple
      – Automatic removal of existing AV products: Symantec Endpoint Protection version 11; Symantec Endpoint Protection Small Business Edition version 12; Symantec Corporate Edition version 10; McAfee VirusScan Enterprise version 8.5 and version 8.7; TrendMicro OfficeScan version 8.0 and version 10.0; Forefront Client Security v1
      – If the previously installed antimalware client has a tamper protection feature enabled, for example, if the software is password protected, you need to disable that tamper protection before you can install FEP. Otherwise, the FEP installation program will not be able to uninstall the existing antimalware client.
  • 37. Demo
  • 38. Thank you! Nicolai Henriksen, Chief Infrastructure Architect, EDB ErgoGroup, MVP Configuration Manager. Blog: systemcenterforefront.blogspot.com. Twitter: @nicolaitwitt
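The Logs slide (26) names EndpointProtectionAgent.log and the site-server logs but says nothing about reading them, and the migration slide (36) describes the failure an admin most often meets in that client log: the installer cannot remove a tamper-protected AV client. The following parser is an added example, not code from the deck or from any Microsoft tool. It reads the CMTrace record format that ConfigMgr components write to those logs (the layout and the severity codes 1/2/3 = info/warning/error are real; the message texts, thread ids and source-file names in the sample are constructed), tolerates truncated records and stray lines, and pulls out the warnings and errors a triage pass wants first.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample records in the CMTrace format written by ConfigMgr components
# such as EndpointProtectionAgent.log. Message texts, thread ids and source file
# names are invented for this example; the record layout itself is the real one.
# A truncated record and a stray line are included to show what the parser skips.
SAMPLE_LOG = """\
<![LOG[EP client installation started]LOG]!><time="09:01:12.100+00" date="01-16-2012" component="EndpointProtectionAgent" context="" type="1" thread="2200" file="epagentutil.cpp:110">
<![LOG[Applying antimalware policy 'Default Client Antimalware Policy']LOG]!><time="09:01:15.250+00" date="01-16-2012" component="EndpointProtectionAgent" context="" type="1" thread="2200" file="eppolicy.cpp:57">
<![LOG[truncated record without a terminator
<![LOG[Existing antimalware product could not be uninstalled: tamper protection is enabled]LOG]!><time="09:02:40.003+00" date="01-16-2012" component="EndpointProtectionAgent" context="" type="3" thread="2200" file="epagentutil.cpp:301">
--- stray line that is not a CMTrace record ---
<![LOG[Definitions are older than 1 day, forcing update]LOG]!><time="09:03:02.777+00" date="01-16-2012" component="EndpointProtectionAgent" context="" type="2" thread="2204" file="epsig.cpp:12">
"""

# One record: <![LOG[message]LOG]!><time="HH:MM:SS.mmm+offset" date="MM-DD-YYYY"
#   component=".." context=".." type="N" thread="N" file="..">
# Messages may span lines, hence DOTALL; the tempered dot keeps a message from
# swallowing the start of the next record when a record is truncated.
RECORD_RE = re.compile(
    r'<!\[LOG\[(?P<message>(?:(?!<!\[LOG\[).)*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)"\s+date="(?P<date>[^"]+)"\s+'
    r'component="(?P<component>[^"]*)"\s+context="[^"]*"\s+'
    r'type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="(?P<file>[^"]*)"\s*>',
    re.DOTALL,
)

# CMTrace severity codes: 1 = informational, 2 = warning, 3 = error
SEVERITY = {1: "INFO", 2: "WARNING", 3: "ERROR"}
RANK = {"UNKNOWN": 0, "INFO": 1, "WARNING": 2, "ERROR": 3}


@dataclass
class Entry:
    timestamp: datetime
    component: str
    severity: str
    thread: int
    source: str
    message: str


def parse_cmtrace(text: str) -> List[Entry]:
    """Return every well-formed record in text, in file order; malformed fragments are skipped."""
    entries = []
    for m in RECORD_RE.finditer(text):
        # the time field carries a UTC offset in minutes after the seconds (e.g. +00 or -300); drop it
        hms = re.match(r"\d{2}:\d{2}:\d{2}(?:\.\d+)?", m["time"])
        if not hms:
            continue
        fmt = "%m-%d-%Y %H:%M:%S.%f" if "." in hms.group(0) else "%m-%d-%Y %H:%M:%S"
        timestamp = datetime.strptime(f"{m['date']} {hms.group(0)}", fmt)
        entries.append(Entry(
            timestamp=timestamp,
            component=m["component"],
            severity=SEVERITY.get(int(m["type"]), "UNKNOWN"),
            thread=int(m["thread"]),
            source=m["file"],
            message=m["message"].strip(),
        ))
    return entries


def problems(entries: List[Entry], min_severity: str = "WARNING") -> List[Entry]:
    """Entries at or above min_severity, in log order."""
    return [e for e in entries if RANK[e.severity] >= RANK[min_severity]]


def severity_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many INFO / WARNING / ERROR records the log holds."""
    return dict(Counter(e.severity for e in entries))


if __name__ == "__main__":
    parsed = parse_cmtrace(SAMPLE_LOG)
    print(severity_counts(parsed))
    for e in problems(parsed):
        print(f"{e.timestamp:%Y-%m-%d %H:%M:%S} {e.severity:<7} {e.component} ({e.source}): {e.message}")
```

Point `parse_cmtrace` at the text of a real EndpointProtectionAgent.log (or EPSetup.log on the site server) and `problems()` gives the error and warning records in order, so a failed uninstall of a tamper-protected client shows up with its timestamp and source location rather than being buried among informational policy-application lines.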
