Introduction to Kaspersky Endpoint Security for Business
1. See it – Control it – Protect it
– An intro to Kaspersky Endpoint Security for Business
Nathan Wang, VP of Tech Divisions Kaspersky APAC
nathan.wang@kaspersky.com
KESB Launch | Hong Kong | March 7-8, 2013
PAGE 1 | 51
2. Topics of discussion
1 Business demands and IT challenges
2 Kaspersky Endpoint Security for Business
Encryption: a difficult play or an easy game?
System Manager: what’s new?
MDM: a convenient alternative?
Others: KSV 2.0, KS-Exchange and KLMS 8
3 Kaspersky Lab datasheet
3. Business drivers and their impact on IT
• AGILITY: Move fast, be nimble and flexible. 66% of business owners identify business agility as a priority
• EFFICIENCY: Cut costs; consolidate and streamline. 54% of organizations say that their business processes could be improved
• PRODUCTIVITY: Maximise the value of existing resources; do more with less. 81% of business owners cite operational efficiencies as their top strategic priority
IMPACT on IT
IT complexity: more data, more systems, more technology
Pressure on resources and budgets
4. And then, there’s the rise of malware…
• New threats every day: 200K
• Malicious programs specifically targeting mobile devices: >35K
• Malware files in Kaspersky Lab collection, Jan 2013: >100m
[Chart: timeline, 1999 to 2013]
5. The impact on IT security
YOUR DATA
• Malware. Response: Anti-malware plus management tool / dashboard
• The #1 target: applications! Response: Systems / patch management
• Your data is on the move! Response: Data encryption
• Mobile / BYOD. Response: Mobile device management (MDM)
6. What if?
YOUR DATA
• Malware
• The #1 target: applications!
• Your data is on the move!
• Mobile / BYOD
1 PLATFORM, MANAGEMENT CONSOLE, COST
8. A high level glance of KES/KSC10
SEE
• Physical, virtual, mobile
• Identify vulnerabilities
• Inventory HW and SW
• Take action with clear reporting
CONTROL
• Configure and deploy
• Set and enforce IT policies
• Manage employee-owned devices
• Prioritize patches
• License Management
• NAC
PROTECT
• Evolve beyond anti-virus
• Meet security demands
• Protect data and devices anywhere
• Rely on Kaspersky expertise
9. A high level glance of KES/KSC10
Kaspersky Endpoint Security
• Anti-malware
• Control Tools
• Encryption
• Mail and Web
• Collaboration Server
Kaspersky Security Center
• Security policy mgmnt
• Mobile Device Mgmnt
• Systems Management: Image Mgmnt, Vulnerability Scan, NAC, Patch Mgmnt, SW/HW Mgmnt, License Mgmnt

• Smartphones
• Tablets
• Laptop
• Server
• Workstation
10. A high level glance of KES/KSC10
[Diagram: product tiers, from top to bottom]
• Total: Collaboration, Mail, Gateway
• Advanced: License Management, Network Admission (NAC), Software Installation; Systems Management (SMS): Image Management, Patch Management, Vulnerability Scan; Data Protection (Encryption)
• Select: Mobile Endpoint Security, Mobile Device Management (MDM), File Server Security, Application Control, Device Control, Web Control
• Core: Anti Malware + Firewall
Other diagram labels: Kaspersky Security Center; Management; Endpoint; Infrastructure
Cloud protection is enabled for business users via the Kaspersky Security Network (KSN)
12. Encryption – quite difficult mechanism
---- Who is listening and what to do?
[Diagram: Alice, eVe, Bob]
13. Encryption – quite difficult mechanism
---- Color trick & numerical arithmetic with one-way function
[Diagram: Alice, eVe, Bob]
14. Encryption – quite difficult mechanism
Encryption offering
• Full Disk Encryption (FDE)
• File Level Encryption (FLE)
• Removable Media data Encryption (RME)
Asymmetric encryption — protection for data in transit
• Secure connection between EP and KSC (SSL)
• Management and exchange of user and computer keys
• Protection for recovery data
Symmetric encryption — protection for data at rest
• Full disk encryption
• File level encryption
• Removable media data encryption
AES encryption module
• 256-bit
• 56-bit
15. Encryption – quite difficult mechanism
---- Keys used in encryption
• An individual master key for each computer
• An individual key for each user
• The computer key is encrypted using the public key of the Security Center
• The user’s key is encrypted using the personal key
[Diagram labels: User’s key; Master key; MS DPAPI; Computer key store; User key store]
17. Encryption – quite difficult mechanism
---- Boot order when FDE is used
• Authentication Agent starts before the operating system
• Key for decrypting the system boot sector
• Special drivers are responsible for decrypting disk files during and after the operating system start
[Diagram: Password; MBR; Pre-boot Environment (Authentication Agent); Operating system boot record; File system. Legend: Open data, Encrypted data]
18. Encryption – an easy operation
---- Single Sign-On for end users
[Diagram: Authentication Agent (Username/Password) and Windows (Username/Password). Branches: Passwords match; Passwords do not match. Authentication Agent changes the password; Next start]
19. Encryption – an easy operation
---- SSO, a routine policy configuration for IT guys
20. Encryption – an easy operation
---- Enable encryption and policy configuration
21. Encryption – an easy operation
---- “Tough” requirements for FLE and data recovery
The only requirement for FLE is the accessibility of KSC
• File Level Encryption is integrated with Windows authentication;
• Key exchange takes place automatically;
• The Kaspersky encryption implementation is seamless to end users and applications, a great example of ease of use;
The data recovery requirement is simple
• The computer to which the damaged disk is connected cannot have FDE enabled;
• Just connect the damaged disk and run the recovery utility;
[Diagram labels: No FDE enabled; Old hard disk]
22. Encryption – an easy operation
---- Data sent to external parties
23. Encryption – an easy operation
---- Removable Media data Encryption in clicks
24. Encryption – an easy operation
---- Removable Media data Encryption in clicks
26. System Management: What’s new?
---- SM function via KSC and Network Agent
Software monitoring/inventory
Hardware monitoring/inventory
License Management
Vulnerability detection
Update management
Installation of 3rd party’s applications
Network Access Control (NAC)
Deployment of operating system images
28. System Management: What’s new?
---- License management (NOT licensing enforcement)
Examples of use cases:
Error, the number of licenses is exceeded;
Warning, license will expire soon (in 14 days);
Info, 95% of the available licenses are used up
29. System Management: What’s new?
---- New update management
[Diagram labels: KL Expertise; KL Vulnerability DB; Windows Update; Vulnerability Scan Task]
1. Missing Windows updates
2. Vulnerabilities from KL database
32. System Management: What’s new?
---- SM features in KSC9 and in the new KSC10
The features previously implemented in KSC 9 remain available:
• Find vulnerabilities and Microsoft application updates (via the local WU service);
• Installation of selected Microsoft updates (via the local WU service);
• Installation of updates manually created and assigned by the administrator;
The new licensed capabilities added to KSC 10:
• Automatic installation of updates and patches according to the specified rules;
• Use of the KSC Server as a WSUS server;
• Installation of updates and patches for the applications included in the Kaspersky Lab database;
• Other new features;
33. System Management: What’s new?
---- Network Access/Admission Control (NAC)
NAC basics
• Usually people think NAC is an appliance using SNMP;
• NAC can be used to securely control authenticated/unauthenticated user traffic according to policies (based on port, protocol, subnet);
Capabilities of KL software-based NAC
• Block Internet access for computers having «bad» protection status;
• Redirect unmanaged computers to the authorization portal;
• Block any network activity for new devices;
• Allow new computers to access a special isolated subnet;
KL NAC architecture
• Enforcers, Policy server, Access policy and Network devices;
• Simple deployment that requires no changes to DHCP or DC;
35. System Management: What’s new?
---- Remote deployment of operating system images
Capturing an Operating System image
• Install and use Windows Automated Installation Kit;
• Enable the display of the OS image capture and distribution functionality;
• Capture a computer image, say a Windows 8 operating system, with applications pre-installed;
Deploying the image
• Remotely install the Windows 8 image to managed computers;
• Remotely install the Windows 8 image to “bare metal” computers;
37. MDM: a convenient alternative?
---- What we have been doing manually
39. MDM: a convenient alternative?
---- KL MDM architecture
iOS
Apple Push Notification Service
Android
Windows Mobile
Windows Phone
Palm (WebOS)
Nokia (Symbian, Maemo)
40. MDM: a convenient alternative?
---- KL Mobile Devices Server installation
Adding Exchange ActiveSync Mobile Devices Server
• Install Agent and MDM server on an Exchange Server;*
• Test the connection with a KSC Server;
• Exchange ActiveSync configuration;
Profile creation and policy configuration
• On the KSC, configure profiles and policies for the selected mailbox of the Exchange server
• Sync the profile and policy with the Exchange server
Mobile devices receive profiles and policies**
• Direct Push is used for pushing notifications (MS Exchange ActiveSync)
• Users receive them during synchronization with the Exchange server
41. MDM: a convenient alternative?
---- Synchronizing Mobile Devices with KSC
[Diagram label: Mobile Devices]
42. Kaspersky Mobile Endpoint Security
---- Centrally managed by the KSC
• CONFIGURE/DEPLOY: Via SMS, email or tether
• SECURITY: Anti-malware, Anti-phishing, Anti-spam
• ANTI-THEFT: GPS find, Remote block
• POLICY COMPLIANCE: Set password, Jailbreak / Root notice, Force settings
• APPLICATIONS: Containerization, Data access restriction
• DATA ACCESS: Data Encryption, Remote wipe
43. MDM: a convenient alternative?
---- Still want to go back to the old manual operation?
44. KES/KSC10 in a nutshell
Platform, Console, Cost
See it, Control it, Protect it
46. KSV 2, KS-Exchange 8, KLMS 8, SPE 10…
---- Kaspersky comprehensive security offering
Kaspersky Security for Virtualization
• Effectively integrated with vShield, an agentless solution to deliver cloud/local anti-malware and network protection under KSC management;
• Realizes VMware's mission to enhance security via an effective agentless approach;
Mail, collaboration and gateway security
• Email, SharePoint and gateway security are always essential;
• Multi-layered spam filtering plus the best anti-malware for security elevation and resource optimization;
Service Provider Edition
• A web application designed for ISPs to provide an anti-malware security control/monitoring service for corporate networks;
• Coupled with KSV, it delivers cloud-based security products and services;