System Center 2012 Endpoint Protection Overview
Jason Githens, Senior Program Manager, Microsoft
Mahyar Ghadiali, Lead Program Manager, Microsoft
UD-B331
Session Objectives
• Understanding the Microsoft protection stack
• Changes in System Center 2012 Endpoint Protection Service Pack 1
• Getting to know the Endpoint Protection client
Comprehensive Protection Stack: Building on Windows Platform security
(Diagram: three layers, MANAGEMENT, ANTIMALWARE and PLATFORM, with the components listed below.)
MANAGEMENT: System Center Configuration Manager and Endpoint Protection
• Endpoint Protection Management
• Software Updates + SCUP
• Operating System Deployment
• Settings Management
• Software Distribution
• MDM Software Updates
ANTIMALWARE: System Center 2012 Endpoint Protection
• Dynamic Translation
• Behavior Monitoring
• Vulnerability Shielding
• Windows Defender Offline
• Dynamic Signature Service
• ELAM & Measured Boot
• Cloud clean restore
PLATFORM: Windows
• Internet Explorer, BitLocker, AppLocker
• Address Space Layout Randomization
• Data Execution Prevention
• User Access Control
• Secure Boot through UEFI
• Windows Resource Protection
• Measured Boot
• Early Launch Antimalware (ELAM)
(Diagram annotation: "Available only in Windows 8")
System Center 2012 Endpoint Protection SP1
Simplified Administration
• Real-time Endpoint Protection operations from the console
• Single administrator experience for simplified endpoint protection and management
• Simplified, 3X delivery of definitions through software updates
• Malware-driven operations from the console
• Client-side merge of antimalware policies
• Integrated optimizations for Windows Embedded clients
• New and improved Endpoint Protection client
Real-time Operations
• EP operations reach clients in <1 minute
• Monitor one-time operations
• Available EP operations: Run Definition Updates, Run Quick Scan, Run Full Scan, Allow threats, Exclude paths and/or files, Restore files quarantined by threat
Malware Driven Operations
• Admin can easily view and take follow-up actions on specific malware by type and remediation status
Client-side merge
• Create granular policies for specific scenarios and have those merged on the clients
• Removes the overhead of redundant policies
• Policies still honor relative priority, and merge when possible (exclusions, for example)
Improved software update integration
• Architectural changes to support 3X a day
• Category-based scans from clients
• Delta syncs between SUP and WSUS
Architectural changes to simplify SUP setup
• Source the top-level SUP from an internal WSUS server (removes the WU/MU-based catalog dependency)
• Simplified, fault-tolerant software update point setup (add multiple SUPs as needed, up to 8 per Primary Site; no NLB or active SUP requirements)
• The multiple SUP model is built for fault tolerance
• Best performance comes from using a shared SUSDB for your software update points
• Clients are optimized to NOT switch SUPs, and only do so after 4 failures (at 30 minute intervals)
• Full cross-forest support of SUPs, including untrusted forests
• Clients are optimized to fall back to SUPs within their own forest first
• If NLB is required, configure it through the SDK (no longer in the UI)
• Use GP preferences if setting a WSUS server for client deployments
(Diagram: a PRIMARY SITE with Software Update Points 1 to 4 serving clients in Hierarchy (Forest1) and Hierarchy (Forest2); each client, Client.Forest1 and Client.Forest2, receives the SUP list for software updates. The diagram is annotated "4X".)
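The client-side SUP behaviour on the slide, modelled as an added Python simulation (not ConfigMgr code): a client prefers SUPs in its own forest, stays on its current SUP, and switches only after 4 failures at 30-minute intervals. The rotation to the next SUP in forest-ordered sequence on switching, and all class and field names, are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class SoftwareUpdatePoint:
    name: str
    forest: str
    online: bool = True

@dataclass
class SupClient:
    """Simulation of the client-side SUP selection behaviour described on the slide."""
    forest: str
    sup_list: List[SoftwareUpdatePoint]
    max_failures: int = 4           # slide: switch only after 4 failures
    retry_interval_min: int = 30    # slide: retries at 30 minute intervals
    current: Optional[SoftwareUpdatePoint] = None
    failures: int = 0
    elapsed_min: int = 0
    log: List[str] = field(default_factory=list)

    def candidates(self) -> List[SoftwareUpdatePoint]:
        # Own-forest SUPs first; cross-forest SUPs only as a later fallback
        own = [s for s in self.sup_list if s.forest == self.forest]
        return own + [s for s in self.sup_list if s.forest != self.forest]

    def attempt(self) -> bool:
        """One scan/sync attempt against the current SUP; True on success."""
        if self.current is None:
            self.current = self.candidates()[0]
        if self.current.online:
            self.failures = 0
            self.log.append(f"t={self.elapsed_min}m ok via {self.current.name}")
            return True
        self.failures += 1
        self.log.append(f"t={self.elapsed_min}m failure {self.failures}/{self.max_failures} on {self.current.name}")
        if self.failures >= self.max_failures:
            # Assumption: on switching, move to the next SUP in the forest-ordered list
            order = self.candidates()
            self.current, self.failures = order[(order.index(self.current) + 1) % len(order)], 0
            self.log.append(f"switched to {self.current.name}")
        self.elapsed_min += self.retry_interval_min
        return False

def run_until_success(client: SupClient, max_attempts: int = 40):
    """Drive attempts until one succeeds; returns (SUP name, minutes elapsed)."""
    for _ in range(max_attempts):
        if client.attempt():
            return client.current.name, client.elapsed_min
    return None, client.elapsed_min
```

With a constructed topology of SUP1 (Forest1, down), SUP2 (Forest1) and SUP3 (Forest2), a Forest1 client spends 4 x 30 minutes on SUP1 before succeeding on SUP2, and only reaches SUP3 once every Forest1 SUP has failed.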
Windows Embedded Optimizations
• Endpoint Protection client installation can honor maintenance windows
• Endpoint Protection client installation can install in the overlay, or disable write filters and commit the changes
• Definition update deployments through SUM can commit changes or write in the overlay
System Center 2012 Endpoint Protection
• Common antimalware platform across Microsoft AM clients
• Proactive protection against known and unknown threats
• Reduced complexity while protecting clients
Enhanced Protection
• Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels
• Integration with UEFI Trusted Boot, early-launch antimalware
Common Antimalware Platform
• Common platform for all of Microsoft's antimalware clients
• Security Essentials alone has over 100 million users (#1 in North America)
• 660 million executions of Malicious Software Removal Tool per month
• All of these clients service Microsoft's protection services research and response
(Diagram: the Microsoft antimalware clients that share the common platform.)
• System Center 2012 Endpoint Protection
• Windows Intune
• Forefront Endpoint Protection 2010
• Windows Azure Endpoint Protection
• Microsoft Security Essentials
• Windows Defender in Windows 8
• Diagnostics and Recovery Toolkit
• Malicious Software Removal Tool
• Windows Defender Offline
(Diagram: architecture of the Antimalware Protection Service, in three columns: MGMT DATA, INTERCEPTION AND ENFORCEMENT, CLOUD.)
• Core: Antimalware Protection Service with its AM API
• Management data: Client UI and Action Center; Registry, WMI and Events; Policy, Status and Events exchanged with ConfigMgr
• Interception and enforcement: Kernel (Early Launch Antimalware; Minifilter driver for file, registry and process), Network Inspection System, Application, CCF
• Cloud: Microsoft Malware Protection Center; Windows Update / Microsoft Update (engine and definition updates); Microsoft Active Protection Services & Cloud Restore (samples, telemetry, DSS)
Behavior Monitoring And Dynamic Signatures
• Live system monitoring identifies new threats: tracks behavior of unknown processes and known bad processes
• Multiple sensors to detect OS anomaly
• Updates for new threats delivered through the cloud in real time: real-time signature delivery with Microsoft Active Protection Service
• Immediate protection against new threats without waiting for scheduled updates
(Diagram: four-step exchange between the client and Microsoft Active Protection Service, showing properties/behavior reported, a sample request, a sample submit, and a real-time signature returned; the service is backed by researchers, reputation data and behavior classifiers for real-time signature delivery.)
Dynamic Translation With Heuristics
• Industry-leading proactive detection: emulation-based detection helps provide better protection
• Safe translation in a virtual environment for analysis
• Enables faster scanning and response to threats: heuristics enable one signature to detect thousands of variants
(Diagram: potential malware execution attempt on the system; the real-time protection driver intercepts it; safe translation using DT in virtualized resources; malware detected; malicious file blocked.)
Cloud Clean Restore
• Advanced system file cleaning through replacement: replaces infected system files with clean versions from a cloud source
• Uses a trusted Microsoft cloud source for the replacement file
• Restart requirements orchestrated on the system and wired to the client UI (for in-use file replacement)
(Diagram: (1) system file compromise detected (RTP or scan); (2) request new file; (3) download replacement file from the Microsoft Symbol Store; (4) compromised file replaced.)
Trusted and Measured Boot with UEFI
• Trusted Boot
  • End-to-end boot process protection: Windows operating system loader, Windows system files and drivers, anti-malware software
  • Prevents: a compromised operating system from starting; software from starting before Windows; 3rd-party software from starting before anti-malware
  • Automatic remediation/self-healing if compromised
• Measured Boot
  • Creates a comprehensive set of measurements based on Trusted Boot execution
  • Can offer measurements to a Remote Attestation Service for analysis
(Diagram, Windows 7: BIOS, then OS Loader (malware) and 3rd Party Drivers (malware), and only then Anti-Malware Software starts.)
• Malware is able to boot before Windows and anti-malware
• Malware is able to hide and remain undetected
• Systems can be compromised before AM starts
(Diagram, Windows 8: Native UEFI, Windows 8 OS Loader, Anti-Malware Software starts, then 3rd Party Drivers.)
• Secure Boot loads anti-malware early in the boot process
• The Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts AM software before any 3rd-party boot drivers
• Malware can no longer bypass AM inspection
Trusted Boot: Early Load Anti-Malware
(Diagram, Windows 8: UEFI, Windows 8 OS Loader, Windows Kernel & Drivers, Anti-Malware Software.)
(Diagram, Windows 7: BIOS, MBR & Boot Sector, OS Loader, Kernel Initialization, 3rd Party Drivers.)
Windows 7
• Measurements of some boot components evaluated as part of boot
• Only enabled when BitLocker has been provisioned
Windows 8
• Measures all boot components
• Measurements are stored in a Trusted Platform Module (TPM)
• Remote attestation, if available, can evaluate client state
• Enabled when a TPM is present; BitLocker not required
Measured Boot
(Diagram: UEFI Boot, Windows OS Loader, Windows Kernel and Drivers, AM Software, 3rd Party Software, TPM, Windows Logon, Remote Attestation Service and Remote Resource (File Server), with Boot Policy and AM Policy feeding the boot; the numbered steps are reproduced below.)
1. Secure Boot prevents a malicious OS loader.
2. AM software is started before all 3rd-party software (Boot Policy, AM Policy).
3. Measurements of components, including AM software, are stored in the TPM.
4. Client attempts to access a resource (File Server). Server requests a Client Health Claim.
5. Client retrieves the TPM measurements of the client and sends them to the Remote Attestation Service.
6. Remote Attestation Service issues a Client Health Claim to the Client.
7. Client provides the Client Health Claim. Server reviews it and grants access to healthy clients.
Malware Resistance: Putting it all together
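The measured boot and remote attestation flow described on the slides, as an added Python simulation that is not Microsoft's code: SHA-256 PCR extension with an event log stands in for the TPM, an HMAC-signed JSON document stands in for the Client Health Claim, and the attestation policy (a table of known-good measurements plus the rule that AM software must be measured before any component carrying a constructed "3rdparty:" name prefix) is an assumption made for the example.

```python
import hashlib, hmac, json

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

class Tpm:
    """Model of one TPM PCR: every extend sets PCR = SHA-256(PCR || measurement) and logs the event."""
    def __init__(self):
        self.pcr, self.event_log = bytes(32), []
    def extend(self, component: str, image: bytes) -> None:
        m = sha256(image)
        self.event_log.append((component, m.hex()))
        self.pcr = sha256(self.pcr + m)

def measured_boot(components) -> Tpm:
    """Steps 2-3: every boot component (OS loader, AM software, 3rd-party drivers) is measured into the TPM."""
    tpm = Tpm()
    for name, image in components:
        tpm.extend(name, image)
    return tpm

class RemoteAttestationService:
    """Steps 5-6: replay the event log against the PCR, apply policy, issue a signed Client Health Claim."""
    def __init__(self, known_good: dict, key: bytes):
        self.known_good, self.key = known_good, key   # component -> expected measurement (hex)
    def issue_claim(self, client_id: str, pcr: bytes, event_log: list):
        replay = bytes(32)
        for _, m_hex in event_log:
            replay = sha256(replay + bytes.fromhex(m_hex))
        if not hmac.compare_digest(replay, pcr):
            return None                                  # log does not match the TPM: refuse to attest
        names = [n for n, _ in event_log]
        unexpected = [n for n, m in event_log if self.known_good.get(n) != m]
        # Policy: AM software must be measured before any 3rd-party component (constructed name prefix)
        am_first = "AM software" in names and all(
            names.index("AM software") < i for i, n in enumerate(names) if n.startswith("3rdparty:"))
        claim = {"client": client_id, "healthy": not unexpected and am_first, "unexpected": unexpected}
        body = json.dumps(claim, sort_keys=True).encode()
        return body, hmac.new(self.key, body, "sha256").hexdigest()

def server_grants_access(claim, key: bytes) -> bool:
    """Step 7: the file server checks the claim's signature and admits only clients marked healthy."""
    if claim is None:
        return False
    body, tag = claim
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), tag):
        return False
    return json.loads(body)["healthy"]
```

A modified AM binary, a 3rd-party driver measured ahead of AM, or an event log edited after the fact each leads the server to deny access, for different reasons that the claim (or its absence) makes visible.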
Protect Clients With Reduced Complexity
• Simple interface: minimal, high-level user interactions
• Administrative control: user configurability options, central policy enforcement, UI lockdown and disable
• Maintains high productivity: CPU throttling during scans, faster scans through advanced caching
• Minimal network and client impact of definition updates:
  • Binary delta signature update 3 times per day (<0.5 MB)
  • Full update (new machine, or not updated in 31 days, <80 MB)
  • Delta signature update (missed 3 days of delta, <5 MB)
Heterogeneous Antimalware Clients
Features
• Anti-virus and anti-malware support
• Machines connect directly to the internet service for security content
• Client UI for user visibility and control
• SCOM monitoring pack for Linux with management control
Platforms
• Apple Mac (10.6-10.7)
• Linux Server: Red Hat Enterprise 6, SuSE Linux 11
Key Takeaways
• How Microsoft delivers on the protection promise, end to end
• What's new in System Center 2012 Endpoint Protection Service Pack 1
• Understanding the Endpoint Protection client
• The benefits of operationalized security (Configuration Manager and Endpoint Protection integration)
Online Resources
• Launching a Windows Defender Offline Scan with Configuration Manager 2012 OSD
• Operating System Deployment and Endpoint Protection Client Installation
• Software Update Content Cleanup in System Center 2012 Configuration Manager
• Building Custom Endpoint Protection Reports in System Center 2012 Configuration Manager
• Managing Software Updates in Configuration Manager 2012
• Endpoint Protection by the numbers
• Group Policy Preferences and Software Updates
• Software Update Points in Configuration Manager 2012 SP1
• How-to Videos
• Product Documentation
• Security and Compliance Manager – Configuration Packs
Related Content: Breakout Sessions
UD-B309 Deploying and Configuring Mobile Device Management Infrastructure
UD-B310 Deploying and Managing Windows 8 with Configuration Manager 2012 SP1
UD-B317 Manageability of Mac & Linux Using System Center 2012 Configuration Manager SP1
UD-B318 Managing Embedded Devices with Configuration Manager 2012
UD-B325 System Center 2012 Configuration Manager SP1 Overview
UD-B330 System Center 2012 Configuration Manager SP1 and Windows Intune: Unified Modern Device Management
UD-B331 System Center 2012 Endpoint Protection Integration With Configuration Manager 2012 SP1
UD-B332 What’s New with Microsoft Deployment Toolkit 2012 Update 1
UD-B333 What's New: Configuration Manager 2012 SP1 Infrastructure Improvements and Hierarchy Design
UD-B335 Windows Intune Overview
UD-B403 Infrastructure Changes for System Center 2012 Configuration Manager SP1: Advanced Topics and Troubleshooting
Related Content: Instructor-led and Hands-on Labs
UD-IL301 Basic Software Distribution
UD-IL302 Deploying a Configuration Manager Hierarchy
UD-IL303 Deploying Configuration Manager
UD-IL304 Deploying Windows 8 to Bare Metal Clients
UD-IL306 Implementing Endpoint Protection
UD-IL307 Implementing Role-Based Administration
UD-IL308 Implementing Settings Management
UD-IL309 Introduction to Configuration Manager
UD-IL310 Managing Applications
UD-IL311 Managing Clients
UD-IL312 Managing Content
UD-IL313 Managing Microsoft Software Updates
UD-IL314 Migrating from Configuration Manager 2007 to Configuration Manager 2012
UD-IL315 New for SP1: Deploying Windows 8 Applications in Configuration Manager 2012 SP1
UD-IL316 New for SP1: Expanding a Configuration Manager 2012 SP1 Hierarchy
UD-IL317 New for SP1: Implementing App-V 5.0 in Configuration Manager 2012 SP1
UD-IL318 New for SP1: Implementing Database Replication Controls in Configuration Manager 2012 SP1
UD-IL319 New for SP1: Implementing Linux Clients in Configuration Manager 2012 SP1
UD-IL320 New for SP1: Upgrading from Configuration Manager 2012 to Configuration Manager 2012 SP1
UD-IL401 Advanced Software Distribution
Evaluation
Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com. Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.
We want to hear from you!
Resources
http://channel9.msdn.com/Events
Access MMS Online to view session recordings after the event.
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.