System Center 2012 Endpoint Protection Overview
Jason Githens, Senior Program Manager, Microsoft
Mahyar Ghadiali, Lead Program Manager, Microsoft
UD-B331

Session Objectives
Understanding the Microsoft protection stack
Changes in System Center 2012 Endpoint Protection Service Pack 1
Getting to know the Endpoint Protection client

Comprehensive Protection Stack
Building on Windows platform security
[Figure: a three-layer stack diagram. MANAGEMENT layer (System Center Configuration Manager and Endpoint Protection): Endpoint Protection Management, Software Updates + SCUP, Operating System Deployment, Settings Management, Software Distribution. ANTIMALWARE layer (System Center 2012 Endpoint Protection): Antimalware, Dynamic Translation, Behavior Monitoring, Vulnerability Shielding, Windows Defender Offline. PLATFORM layer (Windows): Internet Explorer, BitLocker, AppLocker, Address Space Layout Randomization, Data Execution Prevention, User Account Control, Secure Boot through UEFI, Windows Resource Protection, Measured Boot, Early Launch Antimalware (ELAM). Also shown: Microsoft Malware Protection Center, the Dynamic Signature Service (available only in Windows 8), and the labels MDM, Software Updates, ELAM & Measured Boot, and Cloud clean restore.]

System Center 2012 Endpoint Protection SP1
Real-time Endpoint Protection operations from the console
Simplified administration: a single administrator experience for simplified endpoint protection and management
Simplified delivery of definitions through software updates, three times a day
Malware-driven operations from the console
Client-side merge of antimalware policies
Integrated optimizations for Windows Embedded clients
New and improved Endpoint Protection client

Real-time Operations
EP operations reach clients in under 1 minute
Monitor one-time operations
Available EP operations:
Run Definition Updates
Run Quick Scan
Run Full Scan
Allow threats
Exclude paths and/or files
Restore files quarantined by threat

Malware-Driven Operations
Admins can easily view and take follow-up actions on specific malware by type and remediation status

Antimalware Operations
Mahyar Ghadiali

Client-side Merge
Create granular policies for specific scenarios and have them merged on the clients
Removes the overhead of redundant policies
Policies still honor relative priority, and merge where possible (exclusions, for example)

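The merge rule the slide describes, modelled in Python as an added example (this is not ConfigMgr's own merge code). It assumes a simplified policy shape: a numeric priority where a lower number wins (a convention chosen here), scalar settings that cannot be merged and so are taken from the highest-priority policy that defines them, and exclusion lists that can be merged and so are unioned across every applicable policy. The policy names, setting keys and exclusion categories are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Exclusion categories the client can union across policies (hypothetical names).
MERGEABLE = {"excluded_paths", "excluded_file_types", "excluded_processes"}


@dataclass
class AmPolicy:
    name: str
    priority: int  # lower number = higher priority (convention chosen for this example)
    settings: Dict[str, object] = field(default_factory=dict)      # scalar, cannot be merged
    exclusions: Dict[str, Set[str]] = field(default_factory=dict)  # list-valued, can be merged


def merge_policies(policies: List[AmPolicy]) -> Tuple[dict, dict, dict]:
    """Return (effective settings, effective exclusions, winning policy per setting)."""
    ordered = sorted(policies, key=lambda p: p.priority)
    settings: Dict[str, object] = {}
    winner: Dict[str, str] = {}
    # Scalar settings: the highest-priority policy that defines a key wins; lower
    # priority policies only fill in keys nobody above them set.
    for pol in ordered:
        for key, value in pol.settings.items():
            if key not in settings:
                settings[key] = value
                winner[key] = pol.name
    # Exclusions: every policy's entries are kept, so a granular policy adds to
    # the baseline instead of replacing it.
    exclusions: Dict[str, Set[str]] = {}
    for pol in ordered:
        for category, entries in pol.exclusions.items():
            if category not in MERGEABLE:
                raise ValueError(f"{pol.name}: {category} is not a mergeable setting")
            exclusions.setdefault(category, set()).update(entries)
    return settings, exclusions, winner


def sample_merge() -> Tuple[dict, dict, dict]:
    """Constructed policies: a baseline plus two role-specific policies."""
    baseline = AmPolicy("Default", 100,
                        {"real_time_protection": True, "scan_schedule": "daily"},
                        {"excluded_paths": {"C:\\Temp"}})
    file_servers = AmPolicy("File Servers", 10,
                            {"scan_schedule": "nightly"},
                            {"excluded_paths": {"E:\\Logs"}})
    sql_servers = AmPolicy("SQL Servers", 5,
                           {"scan_schedule": "weekly"},
                           {"excluded_paths": {"D:\\SQLData"},
                            "excluded_processes": {"sqlservr.exe"}})
    return merge_policies([baseline, file_servers, sql_servers])


if __name__ == "__main__":
    for part in sample_merge():
        print(part)
```

The `winner` map is the piece an administrator wants when two policies disagree on a scalar setting: it records which policy supplied each effective value, which is what you would surface in a report when a client's behaviour does not match the policy you expected.
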
Improved Software Update Integration
Architectural changes to support 3X a day:
Category-based scans from clients
Delta syncs between SUP and WSUS
Architectural changes to simplify SUP setup:
Source the top-level SUP from an internal WSUS server (removes the WU/MU-based catalog dependency)
Simplified, fault-tolerant software update point setup (add multiple SUPs as needed, up to 8 per primary site; no NLB or active SUP requirements)
The multiple-SUP model is built for fault tolerance
Best performance comes from using a shared SUSDB for your software update points
Clients are optimized NOT to switch SUPs, and only do so after 4 failures (at 30-minute intervals)
Full cross-forest support for SUPs, including untrusted forests
Clients are optimized to fall back to SUPs within their own forest first
If NLB is required, configure it through the SDK (no longer in the UI)
Use Group Policy preferences if setting a WSUS server for client deployments

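The client-side fallback behaviour described above (stick with the current SUP, switch only after 4 failed attempts at 30-minute intervals, prefer SUPs in the client's own forest), modelled in Python as an added example. This is not the ConfigMgr client's code; the SUP list, forest names and the outage are constructed, and reachability is a callable so an outage can be simulated offline.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

RETRY_INTERVAL_MIN = 30        # minutes between retries (from the slide)
FAILURES_BEFORE_SWITCH = 4     # consecutive failures before the client moves on


@dataclass(frozen=True)
class SoftwareUpdatePoint:
    name: str
    forest: str


@dataclass
class ClientSupState:
    client_forest: str
    sup_list: List[SoftwareUpdatePoint]          # the SUP list the site handed out
    current: Optional[SoftwareUpdatePoint] = None
    consecutive_failures: int = 0
    log: List[str] = field(default_factory=list)

    def ordered_candidates(self) -> List[SoftwareUpdatePoint]:
        """Own-forest SUPs first, then SUPs in other (possibly untrusted) forests."""
        own = [s for s in self.sup_list if s.forest == self.client_forest]
        other = [s for s in self.sup_list if s.forest != self.client_forest]
        return own + other

    def select_initial(self) -> None:
        self.current = self.ordered_candidates()[0]
        self.log.append(f"selected {self.current.name} ({self.current.forest})")

    def switch_sup(self) -> None:
        alternatives = [s for s in self.ordered_candidates() if s != self.current]
        if not alternatives:
            self.log.append(f"no alternative SUP; staying on {self.current.name}")
            return
        self.current = alternatives[0]
        self.consecutive_failures = 0
        self.log.append(f"switched to {self.current.name} ({self.current.forest})")


def run_scan_cycle(state: ClientSupState,
                   reachable: Callable[[SoftwareUpdatePoint], bool],
                   max_attempts: int = 12) -> Optional[int]:
    """Retry scans every 30 minutes; return the minute of the first success, or None."""
    if state.current is None:
        state.select_initial()
    minute = 0
    for _ in range(max_attempts):
        sup = state.current
        if reachable(sup):
            state.consecutive_failures = 0
            state.log.append(f"t={minute}m scan against {sup.name} succeeded")
            return minute
        state.consecutive_failures += 1
        state.log.append(f"t={minute}m scan against {sup.name} failed "
                         f"({state.consecutive_failures}/{FAILURES_BEFORE_SWITCH})")
        if state.consecutive_failures >= FAILURES_BEFORE_SWITCH:
            state.switch_sup()
        minute += RETRY_INTERVAL_MIN
    return None


def sample_outage():
    """Constructed scenario: SUP1 (own forest) is down; SUP2 is in another forest."""
    sups = [SoftwareUpdatePoint("SUP1", "Forest1"),
            SoftwareUpdatePoint("SUP2", "Forest2"),
            SoftwareUpdatePoint("SUP3", "Forest1")]
    state = ClientSupState("Forest1", sups)
    down = {"SUP1"}
    minute = run_scan_cycle(state, lambda s: s.name not in down)
    return state, minute


if __name__ == "__main__":
    state, minute = sample_outage()
    print("\n".join(state.log))
    print("first successful scan at minute", minute)
```

The timing is the operational point: with four failures at 30-minute intervals a client sits on a dead SUP for two hours before it moves, so a SUP outage shows up as a delay in compliance data rather than an immediate flood of clients on the next SUP, and the own-forest ordering means SUP3 is chosen over SUP2 even though both are reachable.
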
[Figure: a primary site with Software Update Point 1 through 4 (4X). Clients in Hierarchy (Forest1) and Hierarchy (Forest2), labelled Client.Forest1 and Client.Forest2, each receive the Software Update: SUP List.]

Windows Embedded Optimizations
Endpoint Protection client installation can honor maintenance windows
Endpoint Protection client installation can install in the overlay, or disable write filters and commit the changes
Definition update deployments through SUM can commit changes or write in the overlay

System Center 2012 Endpoint Protection
Common antimalware platform across Microsoft AM clients
Proactive protection against known and unknown threats
Reduced complexity while protecting clients
Enhanced Protection
Protect against known and unknown threats with endpoint inspection at the behavior, application, and network levels
Integration with UEFI Trusted Boot and early-launch antimalware

Common Antimalware Platform
Common platform for all of Microsoft's antimalware clients
Security Essentials alone has over 100 million users (#1 in North America)
660 million executions of the Malicious Software Removal Tool per month
All of these clients service Microsoft's protection services research and response
Clients on the common platform: System Center 2012 Endpoint Protection, Windows Intune, Forefront Endpoint Protection 2010, Windows Azure Endpoint Protection, Microsoft Security Essentials, Windows Defender in Windows 8, Diagnostics and Recovery Toolkit, Malicious Software Removal Tool, Windows Defender Offline

Antimalware Protection Service
[Figure: architecture diagram of the antimalware protection service. MGMT: ConfigMgr exchanges Policy, Status and Events with the client through the Registry, WMI and Events; Client UI and Action Center. Updates: Engine and Definitions delivered from Windows Update / Microsoft Update. CLOUD: Microsoft Malware Protection Center; Microsoft Active Protection Services & Cloud Restore; Samples, Telemetry, DSS; CCF. DATA INTERCEPTION AND ENFORCEMENT: Kernel with Early Launch Antimalware and a Minifilter (Driver) covering File, Registry and Process; Network via the Network Inspection System; Application via the AM API.]

Behavior Monitoring and Dynamic Signatures
Live system monitoring identifies new threats
Tracks the behavior of unknown processes and known bad processes
Multiple sensors to detect OS anomalies
Updates for new threats delivered through the cloud in real time
Real-time signature delivery with the Microsoft Active Protection Service
Immediate protection against new threats without waiting for scheduled updates
[Figure: Microsoft Active Protection Service (researchers, reputation, real-time signature delivery, behavior classifiers). Exchange with the client: (1) properties/behavior sent to the service, (2) real-time signature returned, (3) sample request, (4) sample submit.]

Dynamic Translation with Heuristics
The real-time protection driver intercepts execution attempts
Industry-leading proactive detection
Emulation-based detection helps provide better protection
Safe translation in a virtual environment for analysis
Enables faster scanning and response to threats
Heuristics enable one signature to detect thousands of variants
[Figure: potential malware makes an execution attempt on the system; the real-time protection driver intercepts it; the file is safely translated using DT against virtualized resources; malware detected; malicious file blocked.]

Cloud Clean Restore
Advanced system file cleaning through replacement
Replaces infected system files with clean versions from a cloud source
Uses a trusted Microsoft cloud source for the replacement file
Restart requirements are orchestrated on the system and wired to the client UI (for in-use file replacement)
[Figure: (1) system file compromise detected (RTP or scan), (2) request new file, (3) download replacement file from the Microsoft Symbol Store, (4) compromised file replaced.]

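The four-step restore flow above, modelled in Python as an added example (not the product's code). It assumes a hypothetical catalog mapping each system file to the SHA-256 of its known-good version, and a `fetch` callable standing in for the trusted cloud source. The defensive points it demonstrates are the two the slide implies but does not spell out: the downloaded replacement is verified against the catalog before anything is written, and an in-use file is staged rather than overwritten so that a restart can complete the replacement. File names and contents are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CleanRestore:
    """Replace compromised system files from a trusted source, verifying first."""

    def __init__(self, catalog: Dict[str, str], fetch: Callable[[str], bytes]) -> None:
        self.catalog = catalog   # path -> SHA-256 of the known-good file (hypothetical)
        self.fetch = fetch       # stand-in for the trusted cloud source

    def is_compromised(self, path: Path) -> bool:
        # Step 1: detection, here reduced to a hash comparison against the catalog.
        return sha256_hex(path.read_bytes()) != self.catalog[str(path)]

    def restore(self, path: Path, in_use: bool) -> str:
        if not self.is_compromised(path):
            return "clean"
        replacement = self.fetch(str(path))                    # steps 2 and 3
        if sha256_hex(replacement) != self.catalog[str(path)]:
            # Never write a replacement that does not match the catalog, whatever
            # the download source claimed to be.
            return "rejected"
        if in_use:
            # Cannot replace a file that is open; stage it and let the restart
            # (orchestrated by the client UI on the slide) finish the job.
            path.with_name(path.name + ".pending").write_bytes(replacement)
            return "pending_restart"
        path.write_bytes(replacement)                           # step 4
        return "replaced"


def demo_scenario() -> dict:
    """Constructed scenario: three 'system files', all tampered with."""
    tmp = Path(tempfile.mkdtemp())
    clean = {"sysfile_a.dll": b"constructed clean contents of sysfile_a",
             "sysfile_b.dll": b"constructed clean contents of sysfile_b",
             "sysfile_c.exe": b"constructed clean contents of sysfile_c"}
    catalog = {str(tmp / name): sha256_hex(body) for name, body in clean.items()}
    for name in clean:
        (tmp / name).write_bytes(b"TAMPERED")

    def trusted_fetch(path: str) -> bytes:
        return clean[Path(path).name]

    def untrusted_fetch(path: str) -> bytes:
        return b"not the file the catalog expects"

    good = CleanRestore(catalog, trusted_fetch)
    bad = CleanRestore(catalog, untrusted_fetch)
    return {
        "a": good.restore(tmp / "sysfile_a.dll", in_use=False),
        "a_now_clean": not good.is_compromised(tmp / "sysfile_a.dll"),
        "b": good.restore(tmp / "sysfile_b.dll", in_use=True),
        "b_untouched": (tmp / "sysfile_b.dll").read_bytes() == b"TAMPERED",
        "b_staged": (tmp / "sysfile_b.dll.pending").exists(),
        "c": bad.restore(tmp / "sysfile_c.exe", in_use=False),
        "c_untouched": (tmp / "sysfile_c.exe").read_bytes() == b"TAMPERED",
    }


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key}: {value}")
```
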
Trusted and Measured Boot with UEFI
Trusted Boot
End-to-end boot process protection: Windows operating system loader, Windows system files and drivers, anti-malware software
Prevents:
a compromised operating system from starting
software from starting before Windows
3rd party software from starting before anti-malware
Provides automatic remediation/self-healing if compromised
Measured Boot
Creates a comprehensive set of measurements based on Trusted Boot execution
Can offer measurements to a Remote Attestation Service for analysis

Trusted Boot: Early Load Anti-Malware
Windows 7:
Malware is able to boot before Windows and anti-malware
Malware is able to hide and remain undetected
Systems can be compromised before AM starts
Windows 8:
Secure Boot loads anti-malware early in the boot process
The Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
Windows starts AM software before any 3rd party boot drivers
Malware can no longer bypass AM inspection

Measured Boot
Windows 7:
Measurements of some boot components are evaluated as part of boot
Only enabled when BitLocker has been provisioned
Windows 8:
Measures all boot components
Measurements are stored in a Trusted Platform Module (TPM)
Remote attestation, if available, can evaluate client state
Enabled when a TPM is present; BitLocker not required

Malware Resistance: Putting it all together
[Figure: boot chain of UEFI Boot, Windows OS Loader, Windows Kernel and Drivers, and AM Software (governed by Boot Policy and AM Policy), followed by 3rd Party Software and Windows Logon, with a TPM, a Remote Attestation Service and a Remote Resource (File Server).]
1. Secure Boot prevents a malicious OS loader
2. AM software is started before all 3rd party software
3. Measurements of components, including AM software, are stored in the TPM
4. Client attempts to access a resource; the server requests a Client Health Claim
5. Client retrieves the TPM measurements and sends them to the Remote Attestation Service
6. Remote Attestation Service issues a Client Health Claim to the client
7. Client provides the Client Health Claim; the server reviews it and grants access to healthy clients

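The seven-step flow above, modelled in Python as an added example; this is not Windows', the TPM's or ConfigMgr's code. Assumptions, all hypothetical: a single simulated PCR extended with SHA-256 in the usual PCR_new = H(PCR_old || H(image)) form, an event log of (component, digest) pairs, an allow-list of known-good digests held by the Remote Attestation Service for the components it cares about, and an HMAC over the claim as a stand-in for whatever signature the real service would use. The service replays the log against the quoted PCR, checks the core components against the allow-list, and checks the slide's ordering rule (AM software measured before any 3rd party software). Component images are constructed byte strings.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Boot order from the slide: AM software is loaded before any 3rd party software.
BOOT_ORDER = ["UEFI Boot", "Windows OS Loader", "Windows Kernel and Drivers",
              "AM Software", "3rd Party Software"]
MEASURED_CORE = BOOT_ORDER[:4]   # components checked against known-good digests


class SimulatedTpm:
    """One PCR plus the event log a verifier needs in order to replay it."""

    def __init__(self) -> None:
        self.pcr = bytes(32)
        self.event_log: List[Tuple[str, str]] = []

    def extend(self, component: str, image: bytes) -> None:
        digest = sha256(image)
        self.pcr = sha256(self.pcr + digest)        # PCR_new = H(PCR_old || H(image))
        self.event_log.append((component, digest.hex()))

    def quote(self) -> Tuple[str, List[Tuple[str, str]]]:
        return self.pcr.hex(), list(self.event_log)


def simulate_boot(images: Dict[str, bytes]) -> SimulatedTpm:
    tpm = SimulatedTpm()
    for component in BOOT_ORDER:                   # steps 1-3 on the slide
        tpm.extend(component, images[component])
    return tpm


class RemoteAttestationService:
    def __init__(self, signing_key: bytes, known_good: Dict[str, str]) -> None:
        self.key = signing_key
        self.known_good = known_good

    def evaluate(self, pcr_hex: str, event_log: List[Tuple[str, str]]) -> dict:
        """Step 5/6: replay the log, check measurements and ordering, sign a claim."""
        reasons: List[str] = []
        replay = bytes(32)
        for _, digest_hex in event_log:
            replay = sha256(replay + bytes.fromhex(digest_hex))
        if replay.hex() != pcr_hex:
            reasons.append("event log does not reproduce the quoted PCR")
        for component, digest_hex in event_log:
            if component in MEASURED_CORE and self.known_good.get(component) != digest_hex:
                reasons.append(f"unexpected measurement for {component}")
        names = [component for component, _ in event_log]
        if "AM Software" not in names:
            reasons.append("AM software was never measured")
        elif any(c not in MEASURED_CORE for c in names[:names.index("AM Software")]):
            reasons.append("3rd party code measured before AM software")
        claim = {"healthy": not reasons, "reasons": reasons, "pcr": pcr_hex}
        body = json.dumps(claim, sort_keys=True).encode()
        claim["signature"] = hmac.new(self.key, body, "sha256").hexdigest()
        return claim


def file_server_grants_access(claim: dict, ras_key: bytes) -> bool:
    """Step 7: the resource checks the claim's signature, then its verdict."""
    unsigned = {k: v for k, v in claim.items() if k != "signature"}
    body = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(ras_key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, claim.get("signature", "")) and claim["healthy"] is True


# Constructed sample data: known-good images and the service's allow-list.
GOOD_IMAGES = {c: f"constructed known-good image of {c}".encode() for c in BOOT_ORDER}
KNOWN_GOOD = {c: sha256(GOOD_IMAGES[c]).hex() for c in MEASURED_CORE}
RAS_KEY = b"constructed demo key, not a real secret"


def attest(images: Dict[str, bytes]) -> Tuple[dict, bool]:
    """Run steps 3-7 for one client and return (claim, access granted)."""
    pcr_hex, log = simulate_boot(images).quote()
    claim = RemoteAttestationService(RAS_KEY, KNOWN_GOOD).evaluate(pcr_hex, log)
    return claim, file_server_grants_access(claim, RAS_KEY)


if __name__ == "__main__":
    print(attest(GOOD_IMAGES))
    tampered = dict(GOOD_IMAGES, **{"Windows Kernel and Drivers": b"constructed tampered kernel"})
    print(attest(tampered))
```

Two design choices matter for a defender reading the slide: the server never trusts the client's own statement of health, only a claim signed by the attestation service, and 3rd party software is measured but not allow-listed, so a vendor agent update does not turn every client unhealthy while a changed kernel or AM image does.
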
Protect Clients with Reduced Complexity
Simple interface: minimal, high-level user interactions
Administrative control: user configurability options, central policy enforcement, UI lockdown and disable
Maintains high productivity: CPU throttling during scans, faster scans through advanced caching
Minimal network and client impact of definition updates:
Binary delta signature update 3 times per day (<0.5 MB)
Full update (new machine, or not updated in 31 days; <80 MB)
Delta signature update (missed 3 days of deltas; <5 MB)

Heterogeneous Antimalware Clients
Features:
Anti-virus and anti-malware support
Machines connect directly to an internet service for security content
Client UI for user visibility and control
SCOM monitoring pack for Linux with management control
Platforms:
Apple Mac (10.6-10.7)
Linux Server: Red Hat Enterprise 6, SuSE Linux 11

Better Together – Operationalized Security
Jason Githens

Key Takeaways
How Microsoft delivers on the protection promise, end to end
What's new in System Center 2012 Endpoint Protection Service Pack 1
Understanding the Endpoint Protection client
The benefits of operationalized security (Configuration Manager and Endpoint Protection integration)

Online Resources
Launching a Windows Defender Offline Scan with Configuration Manager 2012 OSD
Operating System Deployment and Endpoint Protection Client Installation
Software Update Content Cleanup in System Center 2012 Configuration Manager
Building Custom Endpoint Protection Reports in System Center 2012 Configuration Manager
Managing Software Updates in Configuration Manager 2012
Endpoint Protection by the numbers
Group Policy Preferences and Software Updates
Software Update Points in Configuration Manager 2012 SP1
How-to Videos
Product Documentation
Security and Compliance Manager – Configuration Packs

Related Content
Breakout Sessions
UD-B309 Deploying and Configuring Mobile Device Management Infrastructure
UD-B310 Deploying and Managing Windows 8 with Configuration Manager 2012 SP1
UD-B317 Manageability of Mac & Linux Using System Center 2012 Configuration Manager SP1
UD-B318 Managing Embedded Devices with Configuration Manager 2012
UD-B325 System Center 2012 Configuration Manager SP1 Overview
UD-B330 System Center 2012 Configuration Manager SP1 and Windows Intune: Unified Modern Device Management
UD-B331 System Center 2012 Endpoint Protection Integration With Configuration Manager 2012 SP1
UD-B332 What’s New with Microsoft Deployment Toolkit 2012 Update 1
UD-B333 What's New: Configuration Manager 2012 SP1 Infrastructure Improvements and Hierarchy Design
UD-B335 Windows Intune Overview
UD-B403 Infrastructure Changes for System Center 2012 Configuration Manager SP1: Advanced Topics and Troubleshooting

Related Content
Instructor-led and Hands-on Labs
UD-IL301 Basic Software Distribution
UD-IL302 Deploying a Configuration Manager Hierarchy
UD-IL303 Deploying Configuration Manager
UD-IL304 Deploying Windows 8 to Bare Metal Clients
UD-IL306 Implementing Endpoint Protection
UD-IL307 Implementing Role-Based Administration
UD-IL308 Implementing Settings Management
UD-IL309 Introduction to Configuration Manager
UD-IL310 Managing Applications
UD-IL311 Managing Clients
UD-IL312 Managing Content
UD-IL313 Managing Microsoft Software Updates
UD-IL314 Migrating from Configuration Manager 2007 to Configuration Manager 2012
UD-IL315 New for SP1: Deploying Windows 8 Applications in Configuration Manager 2012 SP1
UD-IL316 New for SP1: Expanding a Configuration Manager 2012 SP1 Hierarchy
UD-IL317 New for SP1: Implementing App-V 5.0 in Configuration Manager 2012 SP1
UD-IL318 New for SP1: Implementing Database Replication Controls in Configuration Manager 2012 SP1
UD-IL319 New for SP1: Implementing Linux Clients in Configuration Manager 2012 SP1
UD-IL320 New for SP1: Upgrading from Configuration Manager 2012 to Configuration Manager 2012 SP1
UD-IL401 Advanced Software Distribution

Appendix

Evaluation
Complete your session evaluations today and enter to win prizes daily.
Provide your feedback at a CommNet kiosk or log on at www.2013mms.com.
Upon submission you will receive instant notification if you have won a prize.
Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer.
Entry details can be found on the MMS website.
We want to hear from you!

Resources
http://channel9.msdn.com/Events
Access MMS Online to view session recordings after the event.

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.