Forefront Client and Server Security Next Generation, Codename “Stirling”
Dominik Zemp, TSP Security, Microsoft Switzerland, [email protected]


Agenda

Forefront Codename “Stirling” Overview

• Security Assessment Sharing
• Infrastructure and Architecture
• Deployment and Scalability
• Monitoring

“Stirling” Protection Technologies
• Forefront Client Security
• Forefront Server Security

Live Demo

New Roadmap

Integrated Identity & Security

Security offerings to help customers:
• Raise Productivity
• Improve Protection
• Lower Cost of Ownership
• Increase Visibility

Secure & Interoperable Platform: Network Edge, Server Applications, and Client and Server OS, today each managed from its own Management Console.

Comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management

Forefront Codename “Stirling”: Technical Overview

• Multiple industry-leading detection technologies for advanced protection against viruses, spyware, spam, and web-based threats

• End to end coordinated protection across multiple products with correlated analytics and health assessment

• Support from industry-leading malware research and response

• Single console for managing endpoint, collaboration, and on-premise and cloud messaging server security; central policy configuration enables faster response

• Enterprise-wide visibility and reporting into threats and vulnerabilities to enable compliance

• Automated risk assessment with prioritized view of threats for easy investigation and auditing

• Integrated multilayered protection that optimizes performance and resource efficiency

• Integrates with existing Microsoft Infrastructure for integrated security and operational efficiency

• Enables third party technology partners to interoperate for improved real time visibility of enterprise security risk assessment

Comprehensive Protection, Simplified Management, Integrated Security

An integrated security suite that delivers comprehensive protection across endpoint, application servers and the edge that is easier to manage and control.

The “Stirling” Central Management Server spans the Network Edge, Server Applications, and Client and Server OS (the vNext of each product) and exchanges information through Security Assessment Sharing (SAS) with 3rd Party Partner Solutions and Other Microsoft Solutions, providing Unified Management, In Depth Investigation and Enterprise-wide Visibility.

Siloed, Best-of-Breed Solutions Are Not Enough

Scenario without assessment sharing (Active Directory and NAP are deployed but nothing drives them): DEMO-CLT1, the computer of user Andy, reaches a Malicious Web Site through the WEB and Edge Protection writes a Log entry. The Network Admin reads the Edge Protection log, runs a DNS Reverse Lookup to identify the computer and inspects the Client Event Log, then picks up the Phone to the Desktop Admin, who manually launches a Client Security scan and manually disconnects the computer. Time to contain: hours? days?

The Answer: Security Assessment Sharing

Security Assessments Sharing, same scenario:
• Forefront TMG identifies malware on the DEMO-CLT1 computer attempting to propagate (Port Scan) and publishes an assessment: Compromised Computer DEMO-CLT1, High Confidence, High Severity, Expire: Wed
• FCS identifies that Andy has logged on to DEMO-CLT1, and a second assessment is derived in Stirling Core: Compromised User: Andy, Low Confidence, High Severity, Expire: Wed
• The consumers (Security Admin, Network Admin, Desktop Admin, Client Security, Forefront Server for Exchange and SharePoint, OCS, Active Directory, NAP) react: Alert, Scan Computer, Block Email, Block IM, Reset Account, Quarantine
Time to contain: minutes

SAS Technology Components

Secure Communication Channel between Trusted Services, i.e. the technologies (protection & other) that are part of the system. Each trusted service:
• Generates Security Assessments, based on domain specific data or based on assessments from others
• Takes local actions
• Consumes assessments from others
• Provides visibility for monitoring & investigation

Security Assessment: a conclusion about the observed security state on an IT asset
• Who: User, Computer (IT Asset)
• What: Compromised / Vulnerable
• What else: Confidence Level, Severity, Temporary (assessments expire)

Layered protection across the organization: protection technologies that work together, that share security information, and that take action together.
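The demo scenario above (TMG assessment on DEMO-CLT1, FCS logon fact for Andy, six automated responses) and the assessment definition (Who / What / Confidence / Severity / Temporary) can be replayed in a few lines. The following is an added example written for this page, not code from Stirling or from Microsoft: the `Assessment` record, the `AssessmentBus`, the correlation rule (a user logged on to a compromised computer becomes a low-confidence compromised user) and the `planned_actions` policy are all assumptions made here to illustrate the slide, and the data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

LEVEL = {"low": 1, "medium": 2, "high": 3}
SCENARIO_TIME = datetime(2009, 3, 9, 9, 0)   # constructed: a Monday morning


def later(days):
    return SCENARIO_TIME + timedelta(days=days)


@dataclass(frozen=True)
class Assessment:
    """A security assessment: a conclusion about the observed state of an IT asset."""
    asset_kind: str     # "computer" or "user"
    asset: str          # e.g. "DEMO-CLT1" or "Andy"
    state: str          # "compromised" or "vulnerable"
    confidence: str     # "low", "medium" or "high"
    severity: str       # "low", "medium" or "high"
    source: str         # trusted service that produced it, e.g. "TMG"
    expires: datetime   # assessments are temporary

    def is_active(self, now):
        return now < self.expires


class AssessmentBus:
    """Stand-in for the shared channel: trusted services publish assessments
    and domain facts; consumers correlate them and decide on local actions."""

    def __init__(self):
        self.assessments = []
        self.logons = {}    # computer -> set of users seen logged on (FCS fact)

    def publish(self, assessment):
        if assessment not in self.assessments:
            self.assessments.append(assessment)

    def record_logon(self, user, computer):
        self.logons.setdefault(computer, set()).add(user)

    def active(self, now):
        return [a for a in self.assessments if a.is_active(now)]

    def correlate(self, now):
        """Assumed correlation rule: every user seen logged on to a compromised
        computer is assessed as compromised at LOW confidence (nobody observed
        the credentials being abused), inheriting severity and expiry."""
        derived = []
        for a in self.active(now):
            if a.asset_kind != "computer" or a.state != "compromised":
                continue
            for user in sorted(self.logons.get(a.asset, ())):
                derived.append(Assessment("user", user, "compromised", "low",
                                          a.severity, "correlated:" + a.source,
                                          a.expires))
        for d in derived:
            self.publish(d)
        return derived


def planned_actions(bus, now):
    """Assumed response policy (not from the slides): map active assessments
    to the six actions on the slide, keyed on confidence and severity."""
    actions = set()
    for a in bus.active(now):
        actions.add(("Alert", a.asset))
        strong = LEVEL[a.confidence] == 3 and LEVEL[a.severity] == 3
        if a.asset_kind == "computer" and a.state == "compromised":
            actions.add(("Scan Computer", a.asset))      # Client Security
            if strong:
                actions.add(("Quarantine", a.asset))     # NAP
        elif a.asset_kind == "user" and a.state == "compromised":
            actions.add(("Block Email", a.asset))        # Forefront Server for Exchange
            actions.add(("Block IM", a.asset))           # OCS
            if strong:
                actions.add(("Reset Account", a.asset))  # Active Directory
    return actions


def demo():
    """Replays the slide's scenario on constructed data."""
    bus = AssessmentBus()
    # TMG: malware on DEMO-CLT1 attempting to propagate (port scan); expires Wednesday
    bus.publish(Assessment("computer", "DEMO-CLT1", "compromised", "high", "high",
                           "TMG", later(2)))
    bus.record_logon("Andy", "DEMO-CLT1")          # FCS: Andy has logged on
    derived = bus.correlate(SCENARIO_TIME)
    return bus, derived, planned_actions(bus, SCENARIO_TIME)


if __name__ == "__main__":
    bus, derived, actions = demo()
    for a in derived:
        print(a)
    for action in sorted(actions):
        print(*action)
```

The low confidence on the derived user assessment is the important design point: it lets mail and IM be blocked for Andy without resetting his account on a guess, while the high-confidence computer assessment is enough to quarantine DEMO-CLT1. Expiry keeps stale conclusions from driving actions forever.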

Infrastructure Integration

Integration infrastructure shared between the Stirling server and the protection technologies (Forefront Client Security, Forefront Security for Exchange, Forefront Security for SharePoint, Forefront Threat Management Gateway): REPORTS, POLICY, GROUPS and EVENTS, with Network Access Protection (NAP) for enforcement.

Required infrastructure: the core infrastructure plus signature and update distribution from Microsoft Update.

How it Works in Depth (1/2): Policy and Tasks Down

Diagram: the Administrator’s Computer runs the console against the Stirling Server (Stirling Core Service with its SQL Server DB). Policy and tasks flow from the Stirling Core Service through the SCOM Server of each network boundary to the Agent on every Managed Asset, where the Agent applies the Policy to the local Protection Technology (steps 1 to 11 in the original figure).

How it Works in Depth (2/2): Telemetry Up

Diagram: the Protection Technology on each Managed Asset writes Events to the Event Log; the Agent collects them as XML Telemetry and forwards it through the SCOM Server of its network boundary to the Stirling Core Service, which stores it in the SQL Server DB. The Administrator’s Computer issues Queries and receives a DataSet (steps 1 to 7 in the original figure).

Deployment and Scalability

Stirling Server Roles: Stirling Core, Stirling Console, Stirling SQL DB, SCOM Root Management Server (RMS), SCOM SQL DB, SQL Reporting Server, SQL Reporting DB. Software/Signature Deployment uses e.g. WSUS or SCCM (typically already deployed before Stirling).

Sizing tiers shown in the original figure:
• 250 – 2,500 assets: Stirling Console, Stirling Core, SCOM (RMS) and SQL Reporting Server with the Stirling SQL DB, SCOM SQL DB and SQL Reporting DB, plus WSUS
• Up to 25,000 assets: the same roles spread over more servers

Scaling up: one Stirling Console / Stirling Core / SQL Reporting Server per 25,000 assets, plus one SCOM RMS with its SCOM SQL DB per 20,000 assets; the Stirling SQL DB, the SQL Reporting DB and WSUS remain single instances.

An asset is a computer with one of the Stirling protection technologies (FCS, FSE, FSSP and/or TMG).

“Stirling” Protection Technologies

Client and Server OS (Forefront Client Security):
• Antivirus / Antispyware
• Dynamic Signature Service
• Device Control
• NAP Integration
• Vulnerability Assessment & Remediation
• Host Firewall Management
• New Antimalware Capabilities

Server Applications (Forefront Server Security):
• Exchange Protection
• New Antimalware Capabilities
• Advanced Antispam
• SharePoint Protection
• Content Filtering

Network Edge (Forefront Threat Management Gateway):
• Firewall
• Web (URL) Filtering
• HTTP/FTP AV
• Network Intrusion Prevention
• Remote Access
• NAP Integration

Forefront “Stirling” Management Server & Console:
• Security Assessment Sharing: correlated assessments, investigation, information sharing
• Forefront Online Security for Exchange management

Forefront Client Security, Next Version Codename “Stirling”

Antivirus – Antispyware: Building on FCS v1

Integrated anti-virus/anti-spyware agent delivering real-time protection
• Uses Windows Filter Manager
• Maintains stable operation
• Scans for viruses and spyware in real time

Dynamic Translation (unique to the Microsoft agent): maximizes scanning speed by decrypting and emulating malware code at the speed of native code execution

Other protection features:
• Tunneling signatures for detecting & removing rootkits
• Advanced system cleaning: customized remediation (recreating registry entries, restoring settings)
• Event Flood Protection: shields the reporting infrastructure during an outbreak from infected clients
• Heuristics for classifying programs based on behavior

Antivirus – Antispyware: New Behavior-based Blocking

Dynamic Signature Service
• Client and back-end infrastructure
• Used when FCS detects an “interesting” and unknown program
• Enables the customer to receive real-time signatures via SpyNet
• This narrows the FCS protection gap for suspicious new binaries, without having to wait for regularly scheduled signature updates

Vulnerability Assessment & Remediation: Proactively reduce the surface area

Assess (NEW)
• Detect common vulnerabilities and missing security updates
• Discover misconfiguration exposures
• Configure security check parameters
• New checks: IE Security Setting, DEP, IIS Setting, and more…
• Compare system configuration against security best practices
• Assign a score based on the associated risk
• Surface issues found across the enterprise in real time

Remediate
• Automatically remediate based on policy
• Integrate with NAP for compliance enforcement
• Remotely remediate from the management console
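The assess/score/remediate loop above is easier to reason about in code. The following is an added example written for this page, not FCS’s own check engine: the check names, configuration keys, expected values, risk weights, the risk-level thresholds and the remediation hook (including the constructed “update server unreachable” failure, which is what ends up in the “Failed Remediation” dashboard control) are all assumptions made here for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str             # what is checked, as it would appear in a report
    key: str              # configuration key the agent reads (hypothetical)
    expected: object      # best-practice value
    risk: int             # risk weight of a failed check, 1..10
    auto_remediate: bool  # policy: may the agent fix it without an admin?


# Constructed checks modelled on the slide's list (IE setting, DEP, IIS,
# updates); keys and values are illustrative, not FCS's real check names.
CHECKS = (
    Check("DEP enabled for all programs", "dep_policy", "OptOut", 8, True),
    Check("IE Internet zone: unsigned ActiveX download disabled",
          "ie_internet_unsigned_activex", "disabled", 6, True),
    Check("IIS default web site removed", "iis_default_site_present", False, 5, False),
    Check("No missing security updates", "missing_updates", 0, 9, True),
)

# Assumed mapping from score to the dashboard's four levels.
RISK_LEVELS = ((15, "High"), (8, "Medium"), (1, "Low"), (0, "Minimal"))


def assess(config):
    """Compare the observed configuration with the best-practice values.
    Returns (findings, score): findings are (check, actual, passed) tuples,
    the score is the sum of the risk weights of all failed checks."""
    findings = [(c, config.get(c.key), config.get(c.key) == c.expected) for c in CHECKS]
    score = sum(c.risk for c, _, passed in findings if not passed)
    return findings, score


def risk_level(score):
    for threshold, label in RISK_LEVELS:
        if score >= threshold:
            return label
    return "Minimal"


def apply_fix(config, check):
    """Constructed remediation hook: flips the setting, except that installing
    updates needs the update server and fails when WSUS is unreachable."""
    if check.key == "missing_updates" and not config.get("wsus_reachable", False):
        raise RuntimeError("update server unreachable")
    config[check.key] = check.expected


def remediate(config, findings, fixer=apply_fix):
    """Fix failed checks that policy allows; record every outcome so failed
    and manual remediations can be surfaced to the console."""
    outcomes = {}
    for check, _, passed in findings:
        if passed:
            continue
        if not check.auto_remediate:
            outcomes[check.name] = "manual"
            continue
        try:
            fixer(config, check)
            outcomes[check.name] = "remediated"
        except RuntimeError as exc:
            outcomes[check.name] = f"failed: {exc}"
    return outcomes


def run(config):
    """Assess, remediate, re-assess. Returns (score before, outcomes, score after)."""
    findings, before = assess(config)
    outcomes = remediate(config, findings)
    _, after = assess(config)
    return before, outcomes, after


# Constructed snapshot of a badly configured web server (not real agent output).
SAMPLE_CONFIG = {
    "dep_policy": "AlwaysOff",
    "ie_internet_unsigned_activex": "prompt",
    "iis_default_site_present": True,
    "missing_updates": 3,
    "wsus_reachable": False,
}

if __name__ == "__main__":
    before, outcomes, after = run(dict(SAMPLE_CONFIG))
    print(before, risk_level(before), outcomes, after, risk_level(after))
```

Re-assessing after remediation matters: the score only drops for checks that really changed, so a failed update install keeps the asset at Medium instead of silently reporting it as fixed.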

Host Firewall Management

Firewall Management: centralized management of the Windows Firewall
• Windows XP/2003, Windows Vista/2008 and Windows 7
• Support for inbound and outbound filtering
• Configure firewall exceptions for ports, applications, services
• Configure network location profiles for roaming users

Centralized Visibility: firewall state in the enterprise
• Sensors for security incident detection
• Activity monitoring
• Statistics

Forefront Server Security, Next Version Codename “Stirling”

FSE DNSBL Feature (FSE-protected Exchange server, DNSBL Service Provider, Connecting Client on the INTERNET)

1. The DNSBL agent is triggered by a connection request from the Internet.
2. The FSE DNSBL agent constructs a DNS query with an attached hashed token and sends the query to the DNSBL service provider.
3. The DNSBL service provider validates the hash and responds to the query.
4. The DNSBL provider sends the response in clear: if a match is found, it returns a 127.0.0.x code; if no match is found, NXDOMAIN is returned.
5. If the hash fails or the request comes in clear (without a token), NXDOMAIN is returned as well.
6. DNSBL is totally transparent to administration: there is nothing to configure!

DNS query format example, for connecting IP address 131.107.88.67:
123ASD098LKJ0192-131.107.88.67.blocklist.messaging.microsoft.com
where 123ASD098LKJ0192 is the hashed token, 131.107.88.67 the original IP address and blocklist.messaging.microsoft.com the DNSBL service provider.
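Both sides of the exchange in steps 1 to 5 can be simulated offline. The following is an added example written for this page, not Microsoft’s DNSBL agent or provider code: the slide only says “hashed token”, so the HMAC-SHA256 construction, the shared secret, the 127.0.0.2 answer value, the in-process provider and the canary self-check are all assumptions made here; the IP addresses are the slide’s example and one constructed neighbour.

```python
import hashlib
import hmac

ZONE = "blocklist.messaging.microsoft.com"
NXDOMAIN = None   # "no such name" answer


def make_token(ip, secret):
    """Assumed token construction: HMAC-SHA256 over the connecting IP under a
    per-customer secret, truncated to 16 hex digits."""
    return hmac.new(secret, ip.encode("ascii"), hashlib.sha256).hexdigest()[:16].upper()


def build_query(ip, secret):
    """Query name in the slide's format: <token>-<ip>.<zone>."""
    return f"{make_token(ip, secret)}-{ip}.{ZONE}"


class FakeDnsblProvider:
    """Provider side, simulated in-process so the exchange runs offline."""

    def __init__(self, secret, listed_ips):
        self.secret = secret
        self.listed = set(listed_ips)

    def resolve(self, qname):
        if not qname.endswith("." + ZONE):
            return NXDOMAIN
        label = qname[: -len(ZONE) - 1]
        token, sep, ip = label.partition("-")
        if not sep or not ip:                       # request came in clear: no token
            return NXDOMAIN
        if not hmac.compare_digest(token, make_token(ip, self.secret)):
            return NXDOMAIN                         # hash validation failed
        return "127.0.0.2" if ip in self.listed else NXDOMAIN


def dnsbl_verdict(ip, resolve, secret):
    """Agent side: 127.0.0.x means listed (reject), NXDOMAIN means accept.
    NXDOMAIN is also what a bad token produces, so a broken secret silently
    fails open; hence the canary check below."""
    answer = resolve(build_query(ip, secret))
    if answer is not None and answer.startswith("127.0.0."):
        return "reject"
    return "accept"


def self_check(resolve, secret, canary_ip):
    """True when the provider still honours our token: a known-listed canary
    address must come back as listed."""
    return dnsbl_verdict(canary_ip, resolve, secret) == "reject"


# Constructed data: the secret, the slide's example IP as a listed address,
# and 127.0.0.2 (the conventional DNSBL test entry) as the canary.
SECRET = b"constructed-shared-secret"
PROVIDER = FakeDnsblProvider(SECRET, ["131.107.88.67", "127.0.0.2"])

if __name__ == "__main__":
    print(build_query("131.107.88.67", SECRET))
    for ip in ("131.107.88.67", "131.107.88.68"):
        print(ip, dnsbl_verdict(ip, PROVIDER.resolve, SECRET))
    print("provider honours token:", self_check(PROVIDER.resolve, SECRET, "127.0.0.2"))
```

The caveat worth keeping in mind from step 5: a rejected token and a clean sender look identical to the agent (both NXDOMAIN), so “nothing to configure” also means nothing visibly breaks when the token is wrong; the canary lookup is the cheap way to notice.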

Advanced Antispam: FSE Content Filter Fingerprinting

• Fingerprinting algorithms are applied to every incoming message
• Relevant parts of the message are fingerprinted; the message is reduced to anonymous fingerprints
• Fingerprints by themselves do not indicate whether a message is legitimate or spam
• Fingerprints are compared to a local cache of known bad fingerprints; the cache data is updated every 45 seconds
• Match: the message is identified as abuse (Spam, Reject)
• No match: heuristics are applied
• No match & no heuristic hit: the message is identified as legitimate and delivered to the FSE-protected Exchange recipient
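The fingerprint-then-heuristics pipeline above, as an added example written for this page and not FSE’s content filter: the choice of “relevant parts” (URLs and four-word shingles), the SHA-256 truncation, the 45-second refresh logic, the heuristic scoring and the four messages are all constructed here for illustration.

```python
import hashlib
import re

SHINGLE = 4                      # words per text fingerprint
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
SPAM_WORDS = re.compile(r"\b(free|winner|click here)\b")


def _h(s):
    """Anonymous fingerprint: the cache only ever sees hashes, never content."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()[:16]


def fingerprints(subject, body):
    """Reduce the relevant parts of a message (URLs and overlapping word
    shingles of the remaining text) to a set of anonymous fingerprints."""
    fps = set()
    for url in URL_RE.findall(body):
        fps.add(_h("url:" + url.lower().rstrip("/.,)")))
    words = re.findall(r"[a-z]+", URL_RE.sub(" ", body).lower())
    for i in range(max(1, len(words) - SHINGLE + 1)):
        fps.add(_h("txt:" + " ".join(words[i:i + SHINGLE])))
    return fps


class FingerprintCache:
    """Local cache of known-bad fingerprints, refreshed from the provider
    (a callable here) when older than REFRESH_SECONDS."""
    REFRESH_SECONDS = 45

    def __init__(self, fetch_updates):
        self.fetch_updates = fetch_updates
        self.bad = set()
        self.loaded_at = None
        self.refreshes = 0

    def refresh(self, now):
        if self.loaded_at is None or now - self.loaded_at >= self.REFRESH_SECONDS:
            self.bad |= set(self.fetch_updates())
            self.loaded_at = now
            self.refreshes += 1


def heuristics(subject, body):
    """Fallback when no fingerprint matches: crude, constructed scoring."""
    score = 0
    if subject.isupper():
        score += 1
    if len(URL_RE.findall(body)) >= 3:
        score += 1
    if SPAM_WORDS.search(body.lower()):
        score += 1
    return score >= 2


def classify(subject, body, cache, now):
    """Returns ("spam", "fingerprint"), ("spam", "heuristic") or ("legit", None)."""
    cache.refresh(now)
    if fingerprints(subject, body) & cache.bad:
        return "spam", "fingerprint"
    if heuristics(subject, body):
        return "spam", "heuristic"
    return "legit", None


# Constructed messages (not real mail).
KNOWN_SPAM = ("YOU WON", "Congratulations! You are a WINNER. Click here "
              "http://example.invalid/prize to claim your free prize.")
VARIANT = ("re: prize", "hey, check http://example.invalid/prize now")
CLEAN = ("Lunch tomorrow?", "Are we still on for lunch tomorrow at noon? Andy")
NOISY = ("ACT NOW TODAY", "free offer at http://a.invalid http://b.invalid "
         "http://c.invalid click here")


def build_cache():
    """Provider feed stub: the fingerprints of the one known spam sample."""
    return FingerprintCache(lambda: fingerprints(*KNOWN_SPAM))


if __name__ == "__main__":
    cache = build_cache()
    for tag, msg in (("variant", VARIANT), ("clean", CLEAN), ("noisy", NOISY)):
        print(tag, classify(*msg, cache, 0))
```

The variant is caught because it reuses the spam URL even though its text is new; the noisy message shares nothing with the cache and is caught only by the heuristics, which is the slide’s second stage.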

Forefront Codename “Stirling”: Monitoring

Know Your Security State From The Top Down

Dashboard controls shown:
• Firewall: Port Exception
• Forefront for SharePoint: Malware Incidents
• Forefront for Exchange: Quarantine Items
• NAP: Computers with restricted network access
• Policy Deployment: User Status
• Authorized Software Management: Unknown Applications
• Security Updates: Approved and Missing
• Client Antimalware: Protection Coverage
• Security Assessment Check: Failed Remediation
• Client Antimalware: Affected Assets

One stop shop to know if “you are secure”
• Measure security risk across all assets: Risk = Security State × Asset Value, across protection technologies and across clients, servers and network
• Granular visibility deep into each layer
• Drill down into every report and control; 60+ customizable controls

Security Risk Summary

Security Risk Level during the Last Day: a chart of the level (High / Medium / Low / Minimal) sampled from 12am through 6am, 12pm and 6pm to 12am.

Groups at Highest Risk during the Last Day: 10 groups out of 39 total, e.g. HR_Servers at Security Risk Level High at <last sample timestamp>. The table lists, per Asset / Users Group (Production_Servers, HR Servers, Redmond Bldg 43 Servers, Haifa Sensitive Servers, Long Island Servers, Testlab1 Servers, Sensitive Client Computers, Default Computers Group, Default Servers Group), the percentage of time spent at each risk level (e.g. 50% / 20% / 20% / 10%).
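The summary above (Risk = Security State × Asset Value, rolled up per group and expressed as percentage of time at each level) can be computed from per-asset samples. The following is an added example written for this page, not the Stirling console’s own reporting logic: the numeric state scale, the asset value scale, the “worst asset drives the group” aggregation, the level thresholds, the group inventory and the four samples are all assumptions constructed here.

```python
from collections import Counter

STATE_SCORE = {"Minimal": 0, "Low": 1, "Medium": 2, "High": 3}   # assumed scale
LEVELS = ("High", "Medium", "Low", "Minimal")


def risk_level(score):
    """Assumed thresholds on Security State (0..3) x Asset Value (1..5)."""
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    if score >= 1:
        return "Low"
    return "Minimal"


def group_risk(group_assets, states):
    """Risk of a group at one sample: the worst asset's state x value product
    (aggregating by max rather than by sum is an assumption made here)."""
    return max(STATE_SCORE[states.get(asset, "Minimal")] * value
               for asset, value in group_assets.items())


def time_at_level(groups, samples):
    """Percentage of samples each group spent at each risk level."""
    counts = {g: Counter() for g in groups}
    for _, states in samples:
        for g, assets in groups.items():
            counts[g][risk_level(group_risk(assets, states))] += 1
    n = len(samples)
    return {g: {lvl: 100 * counts[g][lvl] // n for lvl in LEVELS} for g in groups}


def groups_at_highest_risk(summary, top=10):
    """Rank groups by time at High, then Medium, then Low."""
    return sorted(summary, key=lambda g: tuple(-summary[g][l] for l in LEVELS[:3]))[:top]


def current_level(groups, samples):
    """Risk level per group at the last sample."""
    _, states = samples[-1]
    return {g: risk_level(group_risk(a, states)) for g, a in groups.items()}


# Constructed inventory: group -> {asset: asset value 1..5}
GROUPS = {
    "HR_Servers": {"hr-sql": 5, "hr-web": 3},
    "Production_Servers": {"prod-app": 4},
    "Default Computers Group": {"demo-clt1": 1},
}
# Constructed samples, every six hours: (timestamp, asset -> security state);
# an asset missing from a sample is treated as Minimal.
SAMPLES = [
    ("00:00", {"hr-sql": "High", "prod-app": "Low", "demo-clt1": "High"}),
    ("06:00", {"hr-sql": "Medium", "prod-app": "Low", "demo-clt1": "Low"}),
    ("12:00", {"hr-sql": "Low", "prod-app": "Low", "demo-clt1": "Minimal"}),
    ("18:00", {"hr-sql": "Minimal", "hr-web": "Low", "prod-app": "Minimal"}),
]

if __name__ == "__main__":
    summary = time_at_level(GROUPS, SAMPLES)
    now = current_level(GROUPS, SAMPLES)
    for g in groups_at_highest_risk(summary):
        print(g, summary[g], "now:", now[g])
```

Note that the asset value term is what lifts HR_Servers above the infected but low-value client: the same High state on demo-clt1 only scores Low, which is the point of weighting state by value before ranking groups.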

Forefront Codename “Stirling”: Live Demo

Roadmap

Timeline from H1 2008 through H1 2009 and Q4 2009 to H1 2010 for the four lines Client and Server OS, Server Applications, Network Edge and the Integrated Security System: NEW releases and BETA 1 milestones in the earlier periods, BETA 2 for all four lines afterwards, followed by the NEXT versions.

Forefront & Security Blogs

Forefront Team Blog: http://blogs.technet.com/forefront
Microsoft Forefront Server Security Blog: http://blogs.technet.com/fss
Forefront Server Security Support Blog: http://blogs.technet.com/fssnerds/
Forefront Client Security Team Blog: http://blogs.technet.com/clientsecurity
Forefront Client Security Support Blog: http://blogs.technet.com/fcsnerds
Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc
The Microsoft Security Response Center (MSRC): http://blogs.technet.com/msrc/
Security Research & Defense: http://blogs.technet.com/srd/

Q & A

Your MSDN resources: check out these websites, blogs & more!

Presentations
• TechDays: www.techdays.ch
• MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx
• MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx

MSDN Events
• MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx
• Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

MSDN Flash (our bi-weekly newsletter)
• Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx

MSDN Team Blog
• RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx

Developer User Groups & Communities
• Mobile Devices: http://www.pocketpc.ch/
• Microsoft Solutions User Group Switzerland: www.msugs.ch
• .NET Managed User Group of Switzerland: www.dotmugs.ch
• FoxPro User Group Switzerland: www.fugs.ch

Your TechNet resources: check out these websites, blogs & more!

Presentations
• TechDays: www.techdays.ch

TechNet Events
• TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx
• Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

TechNet Flash (our bi-weekly newsletter)
• Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx

Swiss IT Professional and TechNet Blog
• RSS: http://blogs.technet.com/chitpro-de/

IT Professional User Groups & Communities
• SwissITPro User Group: www.swissitpro.ch
• NT Anwendergruppe Schweiz: www.nt-ag.ch
• PASS (Professional Association for SQL Server): www.sqlpass.ch

Save the date for tech·days next year!

7. – 8. April 2010Congress Center Basel
