
By Christian Stahl, Microsoft Enterprise Services - PowerPoint Presentation

Uploaded On 2016-03-04



Presentation Transcript

Slide1

By Christian Stahl, Microsoft Enterprise Services

Forefront Codename ”Stirling”

Slide2

Agenda

Introduction to Security Management

Introduction to ForeFront Codename ”Stirling”

Stirling functionality

Stirling architecture

Slide3

Security Management today

Jumping between consoles wastes time

Each console has its own policy paradigm

Products are in silos with no integration

Lack of integration with infrastructure generates inefficiencies

Difficult to know if solutions are protecting from emerging threats

(Diagram: separate Management Console and Reporting Console pairs for Endpoint Protection, Server Application Protection and Network Edge, plus another Console for Vulnerability Assessment)

Slide4

One console for simplified, role-based security management

Define one security policy for your assets across protection technologies

Deploy signatures, policies and software quickly

Integrates with your existing infrastructure:

SCOM, SQL, WSUS, AD, NAP, SCCM

Simplified Management with Stirling

Slide5

Network Edge

Server Applications

Client and Server OS

Comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management

Slide6

Poll: How many use:

ForeFront Client?

ISA Server?

ForeFront for Exchange or MOSS?

Slide7

Forefront codename "Stirling"

Next Generation

Forefront Client Security

Antivirus / Antispyware

Host

Firewall & NAP

Others – To be announced at a later date

Next Generation

Forefront Server Security

Exchange Protection

SharePoint Protection

Others – To be announced at a later date

Next Generation

Edge Security and Access

Firewall

VPN

Others – To be announced at a later date

Comprehensive, coordinated protection with dynamic responses to complex threats

Unified management across client, server application, & edge security in one console

Critical visibility into overall security state including threats and vulnerabilities

Slide8

Management & Visibility

Dynamic Response

Network Edge

Server Applications

Client and Server OS

vNext

An Integrated Security System

Slide9

Integrated protection across clients, server and edge

Dynamic responses to emerging threats

Next generation protection technologies

Manage from a single role-based console

Asset and policy centric model

Integrates with your existing infrastructure

Know your security state in real-time

View insightful reports

Investigate & remediate security issues

An Integrated Security System that delivers comprehensive, coordinated protection with simplified management and critical visibility across clients, servers, and the network edge

Comprehensive Protection

Simplified Management

Critical Visibility

Slide10

Silo'd best-of-breed solutions are not enough

Breaches came from a combination of events:

62% were attributed to a significant error

59% resulted from hacking and intrusions

31% incorporated malicious code

22% exploited a vulnerability

15% were due to physical threats

(Chart: Time span of data breach events)

Source: 2008 Data Breach Investigations Report. Verizon Business

http://www.verizonbusiness.com/resources/security/databreachreport.pdf

Slide11

Example: Zero Day Scenario

(Diagram of the manual workflow. Elements: Edge Protection Log, DNS Reverse Lookup, Client Event Log; Network Admin and Desktop Admin, coordinating by Phone; computer DEMO-CLT1 with user Andy and Client Security; WEB / Malicious Web Site; manual steps "Launch a scan" and "Disconnect the Computer")

Slide12

Example: Zero Day Scenario With Stirling and Dynamic Response

(Diagram: Security Assessments Channel connecting Forefront TMG, Client Security, Stirling Core, NAP, Active Directory and Forefront Server for Exchange, SharePoint and OCS. Actors: Security Admin, Network Admin, Desktop Admin; user Andy on DEMO-CLT1; WEB / Malicious Web Site)

TMG identifies malware on the DEMO-CLT1 computer attempting to propagate (Port Scan)

FCS identifies that Andy has logged on to DEMO-CLT1

Assessments on the channel:

Compromised Computer: DEMO-CLT1 – High Fidelity, High Severity, Expire: Wed

Compromised User: Andy – Low Fidelity, High Severity, Expire: Wed

Responses: Alert, Scan Computer, Block Email, Block IM, Reset Account, Quarantine

Slide13

Shared Information…

Assessment / Severity / Definition

Compromised Computer
  High – Malware gains admin-level control over the computer, or the computer poses an active and immediate threat to other computers. Example: rootkit, bot, fast self-propagating worm
  Med – Malware has user-level control on the computer; malware might affect the computer moderately. Example: virus with user account privileges; virus requiring humans to propagate
  Low – Malware has minimal control over the computer, similar to the control obtained by a guest account. Example: spyware

Vulnerable Computer
  High – The computer is more likely to be compromised in the very near future, with potential damage corresponding to a high-severity compromised computer. Example: can be exploited by a self-propagating worm
  Med – The computer is more likely to be compromised eventually, but there is no immediate threat. Example: missing patch mitigated by default configuration
  Low – The computer can be compromised only with major effort (such as a full-blown dictionary attack, or an intruder gaining physical access to the computer); the potential damage is expected to be low. Example: weak password, misconfigured IE

Compromised User
  High – Attacker is the legal owner of the account (intended to be used as a manually injected assessment). Example: clear insider threat
  Med – The attacker has full control over the account. Example: attacker obtains the user's password
  Low – The attacker has limited control of the account; usually the attacker does not have account privileges. Example: email worm that propagates only when the user is logged in

70+ assessments are coming with Stirling Beta 2.

Slide14

Console Sneak Peek

Slide15

Know your security state

View insightful reports

Investigate and remediate security risks

Critical Visibility & Control

Slide16

Risk Management Dashboard

Risk = Security State X Asset Value

Asset value via Stirling policies

Overall security risk driven by actionable rules

Single number to sort assets by

Enterprise security status reports
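The demo on slides 12 and 13 describes assessments with a kind (Compromised Computer, Compromised User, Vulnerable Computer), a severity, a fidelity and an expiry, plus a response plan that maps them to actions; the dashboard above reduces all of that to Risk = Security State x Asset Value, one number to sort assets by. The Python below is an added illustration written for this page, not Stirling code: the labels, response names, the scenario (TMG flags DEMO-CLT1, FCS ties Andy to it) and the formula come from the slides, while the numeric weights, the rule thresholds, the "now" timestamp and the asset values are constructed assumptions.

```python
"""Toy model of Stirling-style security assessments, a response plan and the
dashboard risk number. Added example, not Stirling code: the slides supply the
labels, response names and Risk = Security State x Asset Value; every numeric
weight, rule threshold and sample asset value below is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ordinal weights for the labels used on the slides (assumed values).
SEVERITY = {"Low": 1, "Med": 2, "High": 3}
FIDELITY = {"Low": 0.25, "Med": 0.5, "High": 1.0}


@dataclass
class Assessment:
    """One entry on the Security Assessments Channel."""
    asset: str         # computer or user the assessment is about
    kind: str          # Compromised Computer / Vulnerable Computer / Compromised User
    severity: str      # High / Med / Low, per the 'Shared Information' definitions
    fidelity: str      # publisher's confidence in the assessment
    expires: datetime  # assessments age out instead of living forever
    source: str        # product that published it (TMG, FCS, ...)

    def active(self, now: datetime) -> bool:
        return now < self.expires


@dataclass
class Rule:
    """Response-plan rule: fire these responses once both thresholds are met."""
    kind: str
    min_severity: str
    min_fidelity: str
    responses: list

    def matches(self, a: Assessment) -> bool:
        return (a.kind == self.kind
                and SEVERITY[a.severity] >= SEVERITY[self.min_severity]
                and FIDELITY[a.fidelity] >= FIDELITY[self.min_fidelity])


# Constructed response plan using the response names from the demo slide.
# A low-fidelity user assessment only alerts; account resets need high fidelity.
RESPONSE_PLAN = [
    Rule("Compromised Computer", "High", "High", ["Scan Computer", "Quarantine"]),
    Rule("Compromised Computer", "Med", "Low", ["Alert", "Scan Computer"]),
    Rule("Compromised User", "High", "High", ["Reset Account", "Block Email", "Block IM"]),
    Rule("Compromised User", "Low", "Low", ["Alert"]),
]


def plan_responses(a: Assessment, now: datetime, plan=RESPONSE_PLAN) -> list:
    """Ordered union of responses from every matching rule; expired -> nothing."""
    if not a.active(now):
        return []
    out = []
    for rule in plan:
        if rule.matches(a):
            for r in rule.responses:
                if r not in out:
                    out.append(r)
    return out


def security_state(asset: str, assessments, now: datetime) -> float:
    """Worst active assessment on the asset, discounted by fidelity (assumed scoring)."""
    scores = [SEVERITY[a.severity] * FIDELITY[a.fidelity]
              for a in assessments if a.asset == asset and a.active(now)]
    return max(scores, default=0.0)


def risk_ranking(asset_values: dict, assessments, now: datetime) -> list:
    """Risk = Security State x Asset Value: one number per asset, highest first."""
    ranked = [(asset, security_state(asset, assessments, now) * value)
              for asset, value in asset_values.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed sample data following the demo slide's scenario.
NOW = datetime(2009, 3, 2, 9, 0)   # constructed 'current time' (a Monday)
WED = datetime(2009, 3, 4, 0, 0)   # 'Expire: Wed' on the demo slide

DEMO_ASSESSMENTS = [
    # TMG sees DEMO-CLT1 port-scanning: compromised computer, high/high.
    Assessment("DEMO-CLT1", "Compromised Computer", "High", "High", WED, "TMG"),
    # FCS knows Andy is logged on to DEMO-CLT1: compromised user, low fidelity.
    Assessment("Andy", "Compromised User", "High", "Low", WED, "FCS"),
    # Constructed: a vulnerable-server finding whose assessment already expired.
    Assessment("DEMO-SRV1", "Vulnerable Computer", "High", "High",
               NOW - timedelta(days=1), "Stirling"),
]
# Asset values come from Stirling policy on the real system; these are made up.
ASSET_VALUES = {"DEMO-CLT1": 2, "Andy": 5, "DEMO-SRV1": 10}

if __name__ == "__main__":
    for a in DEMO_ASSESSMENTS:
        print(f"{a.kind} {a.asset}: {plan_responses(a, NOW)}")
    print(risk_ranking(ASSET_VALUES, DEMO_ASSESSMENTS, NOW))
```

Two design points the slides imply but do not spell out: the expiry keeps a stale assessment from driving responses or inflating the risk number forever, and the fidelity threshold is what separates "alert a human" from "reset the account" when a product is only weakly confident.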

Slide17

Activity Reporting

Technology specific

Complementing security and health monitoring

Visibility into:

Security Effectiveness

Resource consumption

Productivity Impact

Planning and measuring

Slide18

TMG: Connect to "Stirling"

Provided by Stirling Admin

Slide19

Stirling: TMG connectivity state

Slide20

Stirling: Response Plan (Policy)

Slide21

TMG Assessment / Response

Slide22

TMG: Response Implementation

Slide23

Poll: How many use:

SCOM?

WSUS?

Slide24

Stirling Conceptual Architecture

(Diagram. Components: Desktops, Laptops and Servers; Stirling Core Server; Exchange Servers; SharePoint Servers; Threat Management Gateway Servers; Microsoft Update (Virus & Spyware Definitions); Stirling Console; Systems Center Operations Manager; Windows Server Update Services (WSUS); Stirling Data Analysis & Collection Servers; Forefront Security Assessment Channel; 3rd party protection service. Connections are labelled Events and Settings)

Slide25

Stirling Server Roles

Stirling defines several roles that make up the overall system:

Stirling Core – central processing

Stirling Core DB – Stirling databases

“DAC”

DAC-RMS – System Center Operations Manager – Root Management Server

DAC-MS – Management Server

DAC-DB – SCOM databases

Stirling Reporting

Stirling NPS (Network Policy Server)

Stirling Console

Slide26

Slide27

1-Box Configuration

Slide28

2-Box Configuration

Slide29

Scaling Your Deployment

Slide30

Stirling Common Questions

Q: Can I use my existing SCOM infrastructure for Stirling?

A: Yes, but unless it’s already managing all your desktops too, you’ll have to add more servers to scale it out

Q: Can I use .. Clusters? Virtualization?

A: Yes

Slide31

Stirling Common Questions

Q: How many clients can each SCOM server support?

A: Performance testing is well underway, but I’ll cover some of our scale goals coming up