Forefront Codename "Stirling"
Slide 1
Forefront Codename "Stirling"
By Christian Stahl, Microsoft Enterprise Services

Slide 2
Agenda
Introduction to Security Management
Introduction to Forefront Codename "Stirling"
Stirling functionality
Stirling architecture
Slide 3
Security Management today
Jumping between consoles wastes time
Each console has its own policy paradigm
Products are in silos with no integration
Lack of integration with infrastructure generates inefficiencies
Difficult to know if solutions are protecting from emerging threats
Diagram: a separate Management Console and Reporting Console per product (Endpoint Protection, Server Application Protection, Network Edge, Vulnerability Assessment)
Slide 4
Simplified Management with Stirling
One console for simplified, role-based security management
Define one security policy for your assets across protection technologies
Deploy signatures, policies and software quickly
Integrates with your existing infrastructure: SCOM, SQL, WSUS, AD, NAP, SCCM
Slide 5
Diagram: Network Edge; Server Applications; Client and Server OS
Comprehensive line of business security products that help you gain greater protection and secure access through deep integration and simplified management
Slide 6
Poll: How many use: Forefront Client? ISA Server? Forefront for Exchange or MOSS?
Slide 7
Forefront codename "Stirling"
Next Generation Forefront Client Security: Antivirus / Antispyware; Host Firewall & NAP; Others – to be announced at a later date
Next Generation Forefront Server Security: Exchange Protection; SharePoint Protection; Others – to be announced at a later date
Next Generation Edge Security and Access: Firewall; VPN; Others – to be announced at a later date
Comprehensive, coordinated protection with dynamic responses to complex threats
Unified management across client, server application, & edge security in one console
Critical visibility into overall security state including threats and vulnerabilities
Slide 8
An Integrated Security System
Diagram: Management & Visibility and Dynamic Response spanning Network Edge, Server Applications, and Client and Server OS (vNext)
Slide 9
An Integrated Security System that delivers comprehensive, coordinated protection with simplified management and critical visibility across clients, servers, and the network edge
Comprehensive Protection: Integrated protection across clients, server and edge; Dynamic responses to emerging threats; Next generation protection technologies
Simplified Management: Manage from a single role-based console; Asset and policy centric model; Integrates with your existing infrastructure
Critical Visibility: Know your security state in real-time; View insightful reports; Investigate & remediate security issues
Slide 10
Siloed best-of-breed solutions are not enough
Breaches came from a combination of events:
62% were attributed to a significant error
59% resulted from hacking and intrusions
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats
Chart: time span of data breach events
Source: 2008 Data Breach Investigations Report, Verizon Business
http://www.verizonbusiness.com/resources/security/databreachreport.pdf
Slide 11
Example: Zero Day Scenario
Diagram (manual handling): user Andy on DEMO-CLT1 reaches a Malicious Web Site (WEB); the Network Admin works from the Edge Protection log, the Client Security client event log and a DNS reverse lookup, and reaches the Desktop Admin by phone; manual steps: launch a scan, disconnect the computer
Slide 12
Example: Zero Day Scenario with Stirling and Dynamic Response
Diagram: Security Assessments Channel fed by Forefront TMG and Client Security and consumed by Stirling Core; roles shown: Security Admin, Network Admin, Desktop Admin; user Andy on DEMO-CLT1 reaching a Malicious Web Site (WEB)
TMG identifies malware on the DEMO-CLT1 computer attempting to propagate (port scan)
FCS identifies that Andy has logged on to DEMO-CLT1
Assessment: Compromised Computer: DEMO-CLT1, High Fidelity, High Severity, Expire: Wed
Assessment: Compromised User: Andy, Low Fidelity, High Severity, Expire: Wed
Responses from Stirling Core: Alert, Scan Computer, Block Email, Block IM, Reset Account, Quarantine
Integrated systems: NAP, Active Directory, Forefront Server for Exchange, SharePoint, OCS
Slide 13
Shared Information…
Assessment / Severity / Definition
Compromised Computer
High: Malware gains admin-level control over the computer, or the computer poses an active and immediate threat to other computers. Example - rootkit, bot, fast self-propagating worm
Med: Malware has user-level control on the computer; malware might affect the computer moderately. Example - virus with user account privileges; virus requiring humans to propagate
Low: Malware has minimal control over the computer, similar to the control obtained by a guest account. Example - spyware
Vulnerable Computer
High: The computer is more likely to be compromised in the very near future, with potential damage corresponding to a high-severity compromised computer. Example - can be exploited by a self-propagating worm
Med: The computer is more likely to be compromised eventually, but there is no immediate threat. Example - missing patch mitigated by default configuration
Low: The computer can be compromised only with major effort (such as a full-blown dictionary attack, or an intruder gaining physical access to the computer); the potential damage is expected to be low. Example - weak password, misconfigured IE
Compromised User
High: The attacker is the legal owner of the account (intended to be used as a manually injected assessment). Example - clear insider threat
Med: The attacker has full control over the account. Example - attacker obtains the user's password
Low: The attacker has limited control of the account; usually the attacker does not have account privileges. Example - email worm that propagates only when the user is logged in
70+ assessments are coming with Stirling Beta 2.
Slide 14
Console Sneak Peek
Slide 15
Critical Visibility & Control
Know your security state
View insightful reports
Investigate and remediate security risks
Slide 16
Risk Management Dashboard
Risk = Security State × Asset Value
Asset value via Stirling policies
Overall security risk driven by actionable rules
Single number to sort assets by
Enterprise security status reports
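As an added illustration (not Stirling's own code or algorithm), the following Python model combines the assessment definitions from the "Shared Information" slide with the Risk = Security State × Asset Value rule of the dashboard: assessments carry type, severity, fidelity and expiry as in the zero-day scenario, expired ones are ignored, and assets are sorted by a single risk number. The numeric severity and fidelity weights, the asset values, the host FILESRV01 and the timestamps are assumptions constructed for the example.

```python
from datetime import datetime

# Severity levels from the "Shared Information" slide; the numeric weights are an assumption.
SEVERITY = {"Low": 1, "Med": 2, "High": 3}
# Fidelity of the reporting product's assessment (High/Low on the scenario slide); weights assumed.
FIDELITY = {"Low": 0.5, "High": 1.0}
# The three assessment types defined on the slide; anything else is ignored.
ASSESSMENT_TYPES = {"Compromised Computer", "Vulnerable Computer", "Compromised User"}


def security_state(assessments, asset, now):
    """Worst unexpired, fidelity-weighted severity published for one asset (0.0 = clean)."""
    state = 0.0
    for a in assessments:
        if a["asset"] != asset or a["type"] not in ASSESSMENT_TYPES:
            continue
        if a["expires"] <= now:  # expired assessments no longer drive the security state
            continue
        state = max(state, SEVERITY[a["severity"]] * FIDELITY[a["fidelity"]])
    return state


def risk_ranking(assessments, asset_values, now):
    """Risk = Security State x Asset Value; returns (asset, risk) pairs, highest risk first."""
    scores = {asset: security_state(assessments, asset, now) * value
              for asset, value in asset_values.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample data: the two assessments from the zero-day scenario plus a stale one.
NOW = datetime(2008, 9, 16, 10, 0)      # constructed "current time"
WED = datetime(2008, 9, 17, 0, 0)       # "Expire: Wed" from the scenario slide
LAST_WEEK = datetime(2008, 9, 9, 10, 0) # constructed earlier point in time
SAMPLE_ASSESSMENTS = [
    {"asset": "DEMO-CLT1", "type": "Compromised Computer", "severity": "High",
     "fidelity": "High", "expires": WED, "source": "TMG: port scan"},
    {"asset": "Andy", "type": "Compromised User", "severity": "High",
     "fidelity": "Low", "expires": WED, "source": "FCS: user logged on to DEMO-CLT1"},
    {"asset": "FILESRV01", "type": "Vulnerable Computer", "severity": "Med",
     "fidelity": "High", "expires": datetime(2008, 9, 15, 10, 0), "source": "missing patch"},
]
# Asset values would come from Stirling policies; these are constructed (FILESRV01 is hypothetical).
SAMPLE_ASSET_VALUES = {"DEMO-CLT1": 1, "Andy": 3, "FILESRV01": 5}

if __name__ == "__main__":
    for asset, risk in risk_ranking(SAMPLE_ASSESSMENTS, SAMPLE_ASSET_VALUES, NOW):
        print(f"{asset:10} risk={risk}")
```

Re-running the ranking at LAST_WEEK shows the stale vulnerability assessment pushing the high-value server to the top, which is why expiry matters for the single sort number.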
Slide 17
Activity Reporting
Technology specific
Complementing security and health monitoring
Visibility into: Security Effectiveness; Resource consumption; Productivity Impact; Planning and measuring
Slide 18
TMG: Connect to "Stirling"
Provided by Stirling Admin

Slide 19
Stirling: TMG connectivity state

Slide 20
Stirling: Response Plan (Policy)

Slide 21
TMG Assessment / Response

Slide 22
TMG: Response Implementation

Slide 23
Poll: How many use: SCOM? WSUS?
Slide 24
Stirling Conceptual Architecture
Diagram components: Desktops, Laptops and Servers; Exchange Servers; SharePoint Servers; Threat Management Gateway Servers; Stirling Core Server; Stirling Data Analysis & Collection Servers (Systems Center Operations Manager); Stirling Console; Windows Server Update Services (WSUS) and Microsoft Update for Virus & Spyware Definitions; Forefront Security Assessment Channel, including 3rd party protection services. Events and Settings are exchanged between the protected systems and the Data Analysis & Collection Servers.
Slide 25
Stirling Server Roles
Stirling defines several roles that make up the overall system:
Stirling Core – central processing
Stirling Core DB – Stirling databases
"DAC" (Data Analysis & Collection):
DAC-RMS – System Center Operations Manager Root Management Server
DAC-MS – Management Server
DAC-DB – SCOM databases
Stirling Reporting
Stirling NPS (Network Policy Server)
Stirling Console
Slide 27
1-Box Configuration

Slide 28
2-Box Configuration

Slide 29
Scaling Your Deployment
Slide 30
Stirling Common Questions
Q: Can I use my existing SCOM infrastructure for Stirling?
A: Yes, but unless it's already managing all your desktops too, you'll have to add more servers to scale it out.
Q: Can I use... clusters? Virtualization?
A: Yes

Slide 31
Stirling Common Questions
Q: How many clients can each SCOM server support?
A: Performance testing is well underway, but I'll cover some of our scale goals coming up.