NIC2012 - System Center Endpoint Protection 2012
System Center Endpoint Protection 2012 slides from presentation at NIC2012 13-14.Jan 2012 in Oslo

Published in: Technology
1. Nicolai Henriksen, Chief Infrastructure Architect, EDB ErgoGroup, MVP Configuration Manager. Blog: systemcenterforefront.blogspot.com, Twitter: @nicolaitwitt
2. What's new in Endpoint Protection 2012
   • Integrated in System Center Configuration Manager 2012
   • Improved real time alerts and reports
   • Role-based management
   • User-centric reports (post beta)
   • Easy migration from FEP 2010/ConfigMgr 2007
   • Support for FEP 2010 client agents
   • Endpoint Protection 2012 continues to provide proactive protection against known and unknown threats using multiple technologies in the antimalware engine, such as behavior monitoring, the network inspection system and heuristics. With cloud-based updates through the SpyNet service, endpoints get updated protection against new threats in real time.
   Benefits of enabling Dynamic Signature Service in FEP
3. Do we need antivirus?
4. Important: No exceptions
5. Are we ready for the market? NIC 2012
6. History.. 'It's not a newbie..'
7. Forefront Client Security in 2006
8. Security Essentials beta 2008. Release of beta in November, 2008. They'd had some previous offerings (Windows Defender), but Security Essentials was the first to offer a complete anti-virus and anti-spyware solution that was free (Windows Live OneCare was a short-lived subscription-based precursor to Security Essentials). January 16, 2012
9. Security Essentials was not meant to compete with other "for-pay" anti-virus software, but is instead aimed at the 50-60% of PC users who don't have (or won't pay for) anti-virus and anti-malware protection. It's clear that Microsoft was doing something right; in February 2010, a rogue anti-virus package calling itself Security Essentials 2010 Microsoft has built on the success of Security Essentials in the enterprise with the new Forefront Endpoint Protection 2010 package.
10. Forefront Endpoint Protection 2010 released Dec 2010
11. 'hey, if I can have free anti-virus on my home PC, why are we paying so much for it for our enterprise desktops?'
12. System Center Endpoint Protection 2012 – RTM ..soon
13. If I were to make an antivirus software.. I would have wanted it to be...
   • Very good at detecting and removing malware!
   • As fast as possible
   • Use as little resources as possible
   • Easy to deploy
   • Easy to manage, with good reporting
14. Is it any good?
15. http://www.virusbtn.com/vb100/archive/compare?tab=onDemand&id=23&id2=2&id3=3&id4=52&id5=&id6=
16. Facts. System Center Endpoint Protection 2012 is the next-generation security and antimalware solution integrated into System Center Configuration Manager 2012. FEP provides a software solution that delivers security and antimalware management for desktops, portable computers, and servers, while providing a lower total cost-of-ownership enterprise solution that enables desktop administrators in your organization to add security management to their day-to-day operations.
17. Endpoint Protection 2012: One infrastructure for desktop management and protection
   Ease of Deployment
   • Built on top of Microsoft® System Center Configuration Manager
   • Supports all System Center Configuration Manager topologies and scale
   • Facilitates easy migration
   • Deploy across various operating systems: Windows® client and Server
   Enhanced Protection
   • Protection against all types of malware
   • Proactive security against zero day threats
   • Productivity-oriented default configuration
   • Integrated management of host firewall
   • Backed by Microsoft Malware Protection Center
   Simplified Desktop Management
   • Unified management interface for desktop administrators
   • Effective alerts
   • Simple, operation-oriented policy administration
   • Historical reporting for security administrators
18. Antimalware Realities
   • Malware threats used to be relatively simple…
19. Antimalware Realities: With advances in the Web come increasingly complex threats
20. Malware has grown into a thriving global business:
   1) "Malware Author" grows BOTNET & makes it available to "buyers"
   2) Access is purchased via 'MarketPlace'
   3) BOTNET use granted
   4) BOTNET attacks seen at multiple entry points
   5) BOTNET also serves to 'recruit' additional BOTs
21. Antimalware Realities
   • The volume of malware is exploding
   (Chart: Malicious Files, 0 to 40 000 000, years 2006, 2008, 2010)
22. Antimalware Engineering Releases
   • Platform – once / yearly
   • Engine – monthly
   • Signatures – 3x day
   • Dynamic Signatures (DSS) – realtime
23. Some features..
   • Zip file detection/remediation
   • Diagnostic scan
   • Process/registry/network RTP watchers
   • Directional scanning
   • Persisted file cache
   • Wildcard support for exclusions
   • Scheduled scan randomization
   • CPU throttling
   • Command line scanner
   • Signature update package chaining
   • UNC signature distribution
   • Signature source ordering fallback
   • Dynamic translation
   • Kernel inspection
   • Dynamic signature service
   • WLSP integration
   • Network vulnerability shielding (NIS)
   • Kernel Support Library (KSL) driver
   • Reboot tracking (remediation)
   • Directed scanning improvements
   • Offline scan integration
   • Service hardening/anti-tampering
   • State management
   • Kernel-mode boot-time removal
   • Live system behavior monitoring
24. Dynamic Signature Service (DSS)
   • Delivers protection for new threats not in the signature set on the endpoint.
     – Low Fidelity: a new class of generics looks for suspicious characteristics as behavior is emulated with Dynamic Translation
     – Queries the SpyNet telemetry service about 'interesting' files
   • Back-end classifiers use machine learning to identify new malware
   • If the file is known bad, a new signature is delivered in real-time to the client requesting it
   • Balances signature distribution time/cost with the need for real-time updates
   • Admins must choose to opt-in to at least 'Basic' SpyNet to use this feature
   (Protection stack sidebar: Firewall & Configuration Management; Antimalware; Generics and Heuristics; Dynamic Signature Service; Behavior Monitoring; Anti-Rootkit; Vulnerability Shielding; Malware Response "MMPC")
25. Anti-Rootkit
   • Advanced rootkit scanning and remediation defends against sophisticated threats.
   • New remediation features:
     – Reboot Tracking: provides awareness that the system is in the process of rebooting, which lets us take aggressive remediation actions that would be too risky otherwise (e.g. swapping out registry hives)
     – Directed scanning improvements
     – Offline scan integration
     – Diagnostic Scan
   Microsoft Anti-Rootkit Test Results (Source: AV-Test.org), Anti-Rootkit Detection Rate:
   • 2007: Detect inactive 83%, Detect active 57%, Remove active 33%
   • 2009: Detect inactive 100%, Detect active 72%, Remove active 60%
   • 2010: Detect inactive 100%, Detect active 100%, Remove active 86%
   (Protection stack sidebar: Firewall & Configuration Management; Antimalware; Generics and Heuristics; Dynamic Signature Service; Behavior Monitoring; Anti-Rootkit; Network Vulnerability Shielding; Malware Response "MMPC")
26. Logs (Log name – Description – Computer with log file)
   • EndpointProtectionAgent.log – Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client. – Client
   • EPCtrlMgr.log – Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database. – Site system server
   • EPMgr.log – Monitors the status of the Endpoint Protection site system role. – Site system server
   • EPSetup.log – Provides information about the installation of the Endpoint Protection site system role. – Site system server
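The log table above tells you where to look, but not how to read what is there. The snippet below is an added example, not part of the original slides or of the product: it parses lines in the standard Configuration Manager (CMTrace) log format and surfaces the warning and error entries in EndpointProtectionAgent.log, which is where a failed client install or a policy that did not apply shows up. The three log lines are constructed for illustration, and the client log directory (`C:\Windows\CCM\Logs`) is an assumption about a default ConfigMgr client install.

```powershell
# Added example (not from the slides): read CMTrace-format log lines and report
# warnings/errors from EndpointProtectionAgent.log.
# The three lines below are CONSTRUCTED sample data, not a real client capture.
$sampleLog = @'
<![LOG[Endpoint Protection client installation succeeded.]LOG]!><time="10:02:13.401+000" date="01-16-2012" component="EndpointProtectionAgent" context="" type="1" thread="2184" file="epagentutil.cpp:100">
<![LOG[Applying antimalware policy "Default Desktop Policy".]LOG]!><time="10:02:20.118+000" date="01-16-2012" component="EndpointProtectionAgent" context="" type="1" thread="2184" file="epagentutil.cpp:210">
<![LOG[Failed to apply antimalware policy, error 0x80070005.]LOG]!><time="10:02:21.004+000" date="01-16-2012" component="EndpointProtectionAgent" context="" type="3" thread="2184" file="epagentutil.cpp:231">
'@

function ConvertFrom-CMTraceLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin {
        # CMTrace format: <![LOG[message]LOG]!><time="..." date="..." component="..." context="..." type="N" ...>
        # type 1 = information, 2 = warning, 3 = error
        $pattern  = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]*)" date="(?<Date>[^"]*)" component="(?<Component>[^"]*)" context="[^"]*" type="(?<Type>\d)"'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        if ($Line -match $pattern) {
            $sev = $severity[$Matches.Type]
            if (-not $sev) { $sev = 'Unknown' }
            [pscustomobject]@{
                Date      = $Matches.Date
                Time      = $Matches.Time
                Component = $Matches.Component
                Severity  = $sev
                Message   = $Matches.Message
            }
        }
    }
}

function Get-EPAgentProblems {
    # Assumed default ConfigMgr client log location.
    param([string]$LogPath = 'C:\Windows\CCM\Logs\EndpointProtectionAgent.log')
    Get-Content -Path $LogPath |
        ConvertFrom-CMTraceLine |
        Where-Object { $_.Severity -ne 'Info' }
}

# Run against the constructed sample instead of a real client log:
$sampleLog -split "`r?`n" |
    ConvertFrom-CMTraceLine |
    Where-Object { $_.Severity -ne 'Info' } |
    Format-Table Date, Time, Severity, Message -AutoSize
```

On a managed client, `Get-EPAgentProblems` reads the live file; the same parser works for EPCtrlMgr.log, EPMgr.log and EPSetup.log on the site system server, since they share the CMTrace format.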
27. Simplified Deployment & Migration (diagram: Central Administration Site, Primary Sites)
28. FEP Policy: CfgMgr or Group Policy?
   You should consider managing policy with CfgMgr if…
   • You want unified management (Recommended)
   • You have CfgMgr deployed on all the computers you will manage
   • You have non domain-joined machines
   • You do not want to have to understand and manage many low level settings
   • You don't need more than one policy per computer, even on servers
   You should consider managing policy with Group Policy if…
   • Some of the computers you want to manage don't have CfgMgr
   • You prefer to manage policy with group policy
   • You want extremely granular control over settings
   • You prefer to "layer" policies, that is to apply more than one policy per computer
29. Policy Templates - Client (Standard / High Security / Perf. Optimized)
   • Enable NIS
   • Scheduled Scans: Weekly Quick / Daily Quick + Weekly Full / Weekly Quick
   • Scan only when idle
   • Force if 2 scans missed (on reboot)
   • Throttle CPU: 50% / - / 30%
   • Force definition update after: 1 day / 1 day / -
   • Firewall: Block incoming in all profiles / Block incoming in all profiles / Not Configured
30. Available Server Workload Policies (# – Server Role or Server Application)
   1 SQL 2005 Ent/Std (with clustering)
   2 SQL 2008 Ent/Std (with clustering)
   3 SCOM 2007 R2 (with clustering) in FEP-S Configuration
   4 SCCM 2007 (with clustering) in FEP Configuration
   5 Exchange 2007 (HubTransport, ClientAccess, Mailbox)
   6 Exchange 2010 (HubTransport, ClientAccess, Mailbox)
   7 SharePoint
   8 File Services
   9 Internet Information Services 6
   10 Internet Information Services 7
   11 DNS Server
   12 Active Directory Domain Services (including SYSVOL/FRS/DFS/DFS-R)
   13 DHCP Server
   14 Terminal Services
   15 Hyper-V
   16 Forefront Protection for Exchange
31. Default Policies
   • FEP provides 2 default policies:
     – Default Desktop Policy
       • Weekly quick scan, RTP on, default exclusions, Firewall enabled
       • Assigned to the Deployment Succeeded\Deployed Desktops Collection
     – Default Server Policy
       • No scheduled scan, RTP on, default exclusions, Firewall not enabled
       • Assigned to the Deployment Succeeded\Deployed Servers Collection
     – Can be modified but not deleted
32. Policy Precedence
   • Computers can belong to multiple Collections, so may be candidates for multiple policies
   • Only one policy can be applied via ConfigMgr at a time
     – ConfigMgr-delivered policy does not support "layering"
   • Precedence is used to determine the effective policy
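Slides 31 and 32 describe the rule but not the consequence: a computer in several collections still receives exactly one ConfigMgr-delivered policy, chosen by precedence, so a targeted "High Security" assignment silently wins or loses against the default policy depending on the numbers. The function below is an added example, not the product's own logic: it models that resolution over constructed collection memberships and policy assignments, and assumes that a lower precedence number means higher priority (1 beats 10), which is how the ordering is treated throughout the example.

```powershell
# Added example (not from the slides): resolve the single effective antimalware
# policy for a computer that is a member of several collections.
# ASSUMPTION: lower Precedence number = higher priority.
# The collections, policy names and precedence values are CONSTRUCTED sample data.
$policyAssignments = @(
    [pscustomobject]@{ Collection = 'Deployed Desktops'; Policy = 'Default Desktop Policy';   Precedence = 10 }
    [pscustomobject]@{ Collection = 'Deployed Servers';  Policy = 'Default Server Policy';    Precedence = 10 }
    [pscustomobject]@{ Collection = 'All Laptops';       Policy = 'Perf. Optimized Template'; Precedence = 5 }
    [pscustomobject]@{ Collection = 'Finance Laptops';   Policy = 'High Security Template';   Precedence = 2 }
)

function Resolve-EffectivePolicy {
    param(
        [Parameter(Mandatory)][string[]]$MemberOf,     # collections the computer belongs to
        [Parameter(Mandatory)][object[]]$Assignments   # Collection / Policy / Precedence rows
    )
    # Every assignment whose collection contains this computer is a candidate...
    $candidates = @($Assignments | Where-Object { $MemberOf -contains $_.Collection })
    if ($candidates.Count -eq 0) {
        return $null   # no ConfigMgr-delivered policy reaches this computer at all
    }
    # ...but only the highest-priority one is applied; there is no layering.
    $winner = $candidates | Sort-Object Precedence | Select-Object -First 1
    $ties   = @($candidates | Where-Object { $_.Precedence -eq $winner.Precedence })
    if ($ties.Count -gt 1) {
        # Equal precedence makes the outcome order-dependent; flag it so the
        # administrator fixes the numbering instead of relying on luck.
        Write-Warning ("Precedence tie ({0}) between: {1}" -f $winner.Precedence, ($ties.Policy -join ', '))
    }
    [pscustomobject]@{
        Effective  = $winner.Policy
        Precedence = $winner.Precedence
        Overridden = @($candidates | Where-Object { $_ -ne $winner } | ForEach-Object { $_.Policy })
    }
}

# A finance laptop sits in three collections; only the High Security template applies.
Resolve-EffectivePolicy -MemberOf 'Deployed Desktops', 'All Laptops', 'Finance Laptops' -Assignments $policyAssignments

# A machine that somehow landed in both default collections triggers the tie warning.
Resolve-EffectivePolicy -MemberOf 'Deployed Desktops', 'Deployed Servers' -Assignments $policyAssignments
```

The `Overridden` list is the part worth reviewing in practice: every policy named there was intended for the computer but never reaches it, so a performance-optimised template assigned to a broad collection can quietly displace a stricter one if its precedence number is smaller.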
33. FEP Architecture (diagram: SpyNet; Config./Dashboard Reports; SQL Server & DB; ConfigMgr Site Services with Software Distribution and Desired Configuration Management; ConfigMgr Reporting Services; ConfigMgr (or File Share); DATA, EVENTS and TELEMETRY flows; Desktops, Laptops, and Servers running ConfigMgr Client & EP 2012)
34. EP Capacity Planning (Criteria – Recommended – EP 2012 internal test results)
   • Resource availability – 300K topology based on CM HW recommendation
   • SQL server CPU impact by EP (delta) – 20% – <5%
   • SCCM Server CPU impact by EP (delta) – 10% – <2%
   • Memory footprint – 500MB – <100MB
   • Expected disk capacity after 1-year* – 500GB – <400GB
   * Actual capacity planning depends on organization load profile, retention policy and specific hardware deployment: http://blogs.technet.com/b/clientsecurity/archive/2011/01/19/fep-capacity-planning-worksheet.aspx
35. Supported platforms
   • Windows 7 (x86 or x64), or
   • Windows 7 XP mode, or
   • Windows Vista (x86 or x64) or later versions, or
   • Windows XP Service Pack 2 (x86 or x64) or later versions, or
   • Windows Server 2008 R2 (x64) or later versions, or
   • Windows Server 2008 R2 Server Core (x64), or
   • Windows Server 2008 (x86 or x64) or later versions, or
   • Windows Server 2003 Service Pack 2 (x86 or x64) or later versions, or
   • Windows Server 2003 R2 (x86 or x64) or later versions
36. Migration to Endpoint Protection made simple
   • Automatic removal of existing AV products:
     – Symantec Endpoint Protection version 11
     – Symantec Endpoint Protection Small Business Edition version 12
     – Symantec Corporate Edition version 10
     – McAfee VirusScan Enterprise version 8.5 and version 8.7
     – TrendMicro OfficeScan version 8.0 and version 10.0
     – Forefront Client Security v1
   If the previously installed antimalware client has a tamper protection feature enabled, for example, if the software is password protected, you need to disable that tamper protection before you can install FEP. Otherwise, the FEP installation program will not be able to uninstall the existing antimalware client.
37. Demo
38. Thank you! Nicolai Henriksen, Chief Infrastructure Architect, EDB ErgoGroup, MVP Configuration Manager. Blog: systemcenterforefront.blogspot.com, Twitter: @nicolaitwitt