A-02 Overview of Forefront Protection Manager 2010

Upload: rachel

Post on 23-Mar-2016

DESCRIPTION

A-02 Overview of Forefront Protection Manager 2010. Christian Stahl, [email protected]. Purpose: the purpose of this session is to give an overview of ForeFront Protection Manager (FPM). Who am I: Christian Stahl, employed at Microsoft Services as Engagement Manager. PowerPoint PPT presentation.

TRANSCRIPT

ForeFront Protection Manager

A-02 Overview of Forefront Protection Manager 2010
Christian Stahl, [email protected]
(slide footer: http://www.microsoft.com/technet ITPROHOT-15)

Purpose

- The purpose of this session is to give an overview of ForeFront Protection Manager (FPM).

Who am I

- Christian Stahl, employed at Microsoft Services as Engagement Manager
- CISSP and CISA
- Teaches at ITU: IT Architecture and Security
- Has worked in the IT industry since 1996
- HP Denmark 1996 to 2000 (consultant); HP USA 2000 to 2002 (consultant); HP Denmark 2002 to 2004 (senior consultant); Saxo Bank 2004 to 2005 (senior manager); Microsoft 2005 to now
- Focus has always been IT security, infrastructure and mobility
- Has worked for many years as a solution architect on large, complex projects involving everything from physical server rooms to network and application design

Agenda

- Introduction to Security Management
- Introduction to ForeFront Protection Manager (FPM)
- FPM functionality
- FPM architecture
- Demo

Protection and Access Solutions

(roadmap diagram: Active Directory RMS; Management; Today, Forefront Roadmap CY 2009 H2, CY 2010 H1; Management Consoles)

Security Management today

- Jumping between consoles wastes time
- Each console has its own policy paradigm
- Products are in silos with no integration
- Lack of integration with infrastructure generates inefficiencies
- Difficult to know if solutions are protecting from emerging threats

(diagram: Management Console, Management Console, Management Console; Reporting Console, Reporting Console, Reporting Console; Console; Endpoint Protection, Server Application Protection, Network Edge, Vulnerability Assessment)

1/20/2010 5:20 PM 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Silo'd best of breed solutions are not enough

Breaches came from a combination of events:

- 62% were attributed to a significant error
- 59% resulted from hacking and intrusions
- 31% incorporated malicious code
- 22% exploited a vulnerability

(chart: Time span of data breach events)

Source: 2008 Data Breach Investigations Report, Verizon Business, http://www.verizonbusiness.com/resources/security/databreachreport.pdf

Simplified Management with FPM

- One console for simplified, role-based security management
- Define one security policy for your assets across protection technologies
- Deploy signatures, policies and software quickly
- Integrates with your existing infrastructure: SCOM, SQL, WSUS, AD, NAP, SCCM

Forefront Protection Manager

- Next Generation Forefront Client Security: Antivirus / Antispyware; Host Firewall & NAP; others to be announced at a later date
- Next Generation Forefront Server Security: Exchange Protection; SharePoint Protection; others to be announced at a later date
- Next Generation Edge Security and Access: Firewall; VPN; others to be announced at a later date
- Comprehensive, coordinated protection with dynamic responses to complex threats
- Unified management across client, server application, & edge security in one console
- Critical visibility into overall security state including threats and vulnerabilities

An Integrated Security System

(diagram: Management & Visibility; Dynamic Response; Network Edge; Server Applications; Client and Server OS; vNext)

Example: Zero Day Scenario

(Security Assessments Channel diagram. Actors: Security Admin, Network Admin, Desktop Admin, user Andy, computer DEMO-CLT1, Malicious Web Site (WEB). Components: Forefront TMG, Client Security, FPM Core, NAP, Active Directory, Forefront Server for Exchange, SharePoint, OCS.)

- TMG identifies malware on the DEMO-CLT1 computer attempting to propagate (port scan)
- Assessment: Compromised Computer DEMO-CLT1; high fidelity; high severity; expires Wed
- FCS identifies that Andy has logged on to DEMO-CLT1
- Assessment: Compromised User Andy; low fidelity; high severity; expires Wed
- Responses: Alert, Scan Computer, Block Email, Block IM, Reset Account, Quarantine

Shared Information

Assessment | Severity | Definition | Example
Compromised Computer | High | Malware gains admin-level control over the computer, or the computer poses an active and immediate threat to other computers. | Rootkit, bot, fast self-propagating worm
Compromised Computer | Med | Malware has user-level control on the computer; malware might affect the computer moderately. | Virus with user account privileges; virus requiring humans to propagate
Compromised Computer | Low | Malware has minimal control over the computer, similar to the control obtained by a guest account. | Spyware
Vulnerable Computer | High | The computer is more likely to be compromised in the very near future, with potential damage corresponding to a high-severity compromised computer. | Can be exploited by a self-propagating worm
Vulnerable Computer | Med | The computer is more likely to be compromised eventually, but there is no immediate threat. | Missing patch mitigated by default configuration
Vulnerable Computer | Low | The computer can be compromised only with major effort (such as a full-blown dictionary attack, or an intruder gaining physical access to the computer); the potential damage is expected to be low. | Weak password, misconfigured IE
Compromised User | High | The attacker is the legal owner of the account (intended to be used as a manually injected assessment). | Clear insider threat
Compromised User | Med | The attacker has full control over the account. | Attacker obtains the user's password
Compromised User | Low | The attacker has limited control of the account; usually the attacker does not have account privileges. | Email worm that propagates only when the user is logged in

Console Sneak Peek


Critical Visibility & Control

- Know your security state
- View insightful reports
- Investigate and remediate security risks

Risk Management Dashboard

- Risk = Security State × Asset Value
- Asset value via FPM policies
- Overall security risk driven by actionable rules
- Single number to sort assets by
- Enterprise security status reports
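The Shared Information table and the Risk Management Dashboard slide together describe a small model: assessments of a computer or user carry a type, a severity, a fidelity and an expiry; a response plan maps them to responses such as Alert, Scan Computer, Block Email, Block IM, Reset Account and Quarantine; and Risk = Security State × Asset Value gives one number to sort assets by. The Python below is an added example written for this page, not FPM product code and not from the deck. Everything numeric is an assumption: severity weights 1..3, low fidelity counted at half weight, an asset value scale of 1..5, and a response-plan mapping that lets a low-fidelity assessment alert but never take a disruptive action. The scenario data (DEMO-CLT1, Andy, Srv-DC1, the expiry dates) is constructed after the Zero Day slide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Severity(Enum):
    """Severity levels from the Shared Information table (numeric weight is an assumption)."""
    LOW = 1
    MED = 2
    HIGH = 3


class Fidelity(Enum):
    """How confident the reporting product is in its assessment."""
    LOW = 1
    HIGH = 2


@dataclass(frozen=True)
class Assessment:
    kind: str            # "Compromised Computer", "Vulnerable Computer" or "Compromised User"
    subject: str         # computer or user account the assessment is about
    severity: Severity
    fidelity: Fidelity
    source: str          # protection product that published it (TMG, FCS, ...)
    reason: str          # short reason text as shown in the dashboard table
    expires: datetime    # assessments expire, so stale findings stop driving responses


@dataclass(frozen=True)
class Asset:
    name: str
    group: str
    value: int           # asset value assigned via policy; the 1 (low) .. 5 (critical) scale is assumed


# Response plan (policy), constructed for this example: the responses are the ones
# named on the Zero Day slide; which assessment triggers which is an assumption.
RESPONSE_PLAN = {
    ("Compromised Computer", Severity.HIGH): ("Alert", "Scan Computer", "Quarantine"),
    ("Compromised Computer", Severity.MED): ("Alert", "Scan Computer"),
    ("Compromised Computer", Severity.LOW): ("Alert",),
    ("Compromised User", Severity.HIGH): ("Alert", "Block Email", "Block IM", "Reset Account"),
    ("Compromised User", Severity.MED): ("Alert", "Block Email", "Block IM"),
    ("Vulnerable Computer", Severity.HIGH): ("Alert", "Scan Computer"),
}
# Responses that change state for the user or computer. Assumption: a low-fidelity
# assessment is never allowed to trigger these, only to alert.
DISRUPTIVE = {"Quarantine", "Reset Account", "Block Email", "Block IM"}


def plan_responses(a: Assessment, now: datetime) -> list[str]:
    """Responses the plan applies for one assessment at time `now`."""
    if a.expires <= now:
        return []                                   # expired: nothing is applied
    responses = RESPONSE_PLAN.get((a.kind, a.severity), ("Alert",))
    if a.fidelity is Fidelity.LOW:
        return [r for r in responses if r not in DISRUPTIVE]
    return list(responses)


def security_state(assessments: list[Assessment], now: datetime) -> float:
    """Worst active severity for one subject; low fidelity counts half (assumed weighting)."""
    state = 0.0
    for a in assessments:
        if a.expires > now:
            weight = 1.0 if a.fidelity is Fidelity.HIGH else 0.5
            state = max(state, a.severity.value * weight)
    return state


def risk_row(asset: Asset, assessments: list[Assessment], now: datetime) -> dict:
    """One dashboard row: Risk = Security State x Asset Value, plus reason and response count."""
    active = [a for a in assessments if a.subject == asset.name and a.expires > now]
    applied = {r for a in active for r in plan_responses(a, now)}
    if not active:
        reason = "-"
    elif len(active) == 1:
        reason = active[0].reason
    else:
        reason = f"Multiple... ({len(active)})"    # same abbreviation the dashboard mockup uses
    return {"asset": asset.name, "group": asset.group,
            "risk": security_state(active, now) * asset.value,
            "reason": reason, "responses_applied": len(applied)}


def rank_assets(assets: list[Asset], assessments: list[Assessment], now: datetime) -> list[dict]:
    """Dashboard rows sorted by the single risk number, highest first."""
    return sorted((risk_row(a, assessments, now) for a in assets),
                  key=lambda r: r["risk"], reverse=True)


def group_summary(rows: list[dict]) -> dict[str, dict]:
    """Per group: how many assets are at risk and the group's highest risk."""
    out: dict[str, dict] = {}
    for r in rows:
        g = out.setdefault(r["group"], {"assets_at_risk": 0, "highest_risk": 0.0})
        g["assets_at_risk"] += 1 if r["risk"] > 0 else 0
        g["highest_risk"] = max(g["highest_risk"], r["risk"])
    return out


# Constructed scenario following the Zero Day slide: TMG sees DEMO-CLT1 port scanning,
# FCS sees Andy logged on to it; Srv-DC1 is an unrelated high-value HR server.
NOW = datetime(2010, 1, 20, 12, 0)
WED = NOW + timedelta(days=2)
ASSETS = [Asset("DEMO-CLT1", "Demo Desktops", 2), Asset("Andy", "Demo Users", 1),
          Asset("Srv-DC1", "HR Servers", 5)]
ASSESSMENTS = [
    Assessment("Compromised Computer", "DEMO-CLT1", Severity.HIGH, Fidelity.HIGH, "TMG", "Port scan found", WED),
    Assessment("Compromised Computer", "DEMO-CLT1", Severity.LOW, Fidelity.HIGH, "FCS", "Spyware found",
               NOW - timedelta(hours=1)),           # already expired, must be ignored
    Assessment("Compromised User", "Andy", Severity.HIGH, Fidelity.LOW, "FCS", "Logged on to compromised computer", WED),
    Assessment("Vulnerable Computer", "Srv-DC1", Severity.MED, Fidelity.HIGH, "FPM", "Missing patch", WED),
    Assessment("Compromised Computer", "Srv-DC1", Severity.LOW, Fidelity.HIGH, "FCS", "Spyware found", WED),
]

if __name__ == "__main__":
    rows = rank_assets(ASSETS, ASSESSMENTS, NOW)
    for row in rows:
        print(row)
    print(group_summary(rows))
```

Two design points are worth noticing when running it. Srv-DC1 ends up at the top of the list although its worst active assessment is only medium severity, because the asset value multiplies the security state; that is the point of "asset value via FPM policies". And Andy's high-severity but low-fidelity assessment only produces an Alert, never a Reset Account, which keeps a weak signal from locking a user out while still surfacing the risk on the dashboard.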

FPM Conceptual Architecture

(diagram: Desktops, Laptops and Servers; FPM Core Server; Exchange Servers; SharePoint Servers; Threat Management Gateway Servers; Microsoft Update, supplying Virus & Spyware Definitions; Events and Settings flows between the protected systems and FPM; FPM Console; System Center Operations Manager; Windows Server Update Services (WSUS); FPM Data Analysis & Collection Servers; Forefront Security Assessment Channel; 3rd party protection service)

TMG: Connect to FPM

- Provided by FPM Admin

FPM: TMG connectivity state

Response

FPM: Response Plan (Policy)

TMG Assessment / Response

TMG: Response Implementation

Deployment

Single Server

Multiple server deployment

Security Risk Summary (dashboard mockup)

- Security Risk Level during the Last Day
- Groups at Highest Risk during the Last Day
- Security Risk Trend during the Last Month (chart; x axis: 8/1, 8/8, 8/15, 8/22, 8/30)

Security Risk per Group

HR Servers Risk. Total Assets at Risk: 3

Asset Name  | Asset Value | Last Risk Level | Highest Risk Level | Reason Assessment(s) | Active Response(s) Applied | Investigation Opened
Srv-DC1     |             |                 |                    | Multiple... (3)      | 3                          | -
Srv-Prn1    |             |                 |                    | Virus infection found | 1                         | -
Red\JohnDoe |             |                 |                    | Port scan found      | 1                          | -
            |             |                 |                    | Spam found           | 1                          | -

(Asset Value, Last Risk Level and Highest Risk Level are not present in the transcript.)