Page 1

Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft's Secure Endpoint Solution

Adwait Joshi, Sr. Product Manager
Randy Treit, Sr. Program Manager

SESSION CODE: SIA 320

Page 2

Agenda

• Business Needs and IT Challenges
• Threat Trends
• Secure Endpoint Solution Overview
• Deep Dive into Multi-layered Antimalware Protection
  • Forefront Threat Management Gateway
  • Forefront Endpoint Protection 2010

Page 3

Business Needs And IT Challenges

Business needs
• Reduce security management costs
• Protect sensitive data on endpoints
• Enable secure access to resources from anywhere
• Protect endpoints from advanced threats

IT challenges
• Multiple vendors and complex management
• Easily accessible sensitive data on multiple devices
• Financially motivated evolving threats
• Wide range of users and devices

Page 4

Threat Trends

Crime On The Rise: Financial Motivation

[Chart: attacker motivation (Curiosity, Personal Fame, Personal Gain, National Interest) plotted against skill level (Amateur, Expert, Specialist); attacker types shown: Script-Kiddy, Author, Vandal, Trespasser, Thief, Spy; annotated regions: largest area by volume, largest area by $ lost, largest segment by $ spent on defense, fastest growing segment.]

Source: Microsoft Security Intelligence Report

Wide variety of malware: trends in the last year

Phishing sites: targeting social networking and financial sites

[Chart: share of phishing sites by target category, Jul-09 through Dec-09, 0% to 100%; categories: Social Networking Sites, Online Services, E-Commerce Sites, Financial Sites.]

Source: Microsoft Security Intelligence Report

Attacks Getting More Sophisticated: traditional defenses are inadequate

[Diagram: attack surface layers: Physical, Hardware, O/S, Drivers, Applications, GUI, User.]

Examples: web-based exploits, phishing/social engineering, spyware, rootkits, application attacks

Page 5

Business Ready Security: help securely enable business by managing risk and empowering people

From: Block, Cost, Siloed. To: Enable, Value, Seamless.

• Protect everywhere, access anywhere
• Integrate and extend security across the enterprise
• Simplify the security experience, manage compliance

[Diagram base: Highly Secure & Interoperable Platform; Identity; across on-premises & cloud.]

Page 6

Secure Endpoint Solution

Protect endpoints from emerging threats and information loss, while enabling more secure access from virtually anywhere.

Pillars: PROTECT everywhere, ACCESS anywhere; SIMPLIFY security, MANAGE compliance; INTEGRATE and EXTEND security

• Provides unified administration for desktop management and protection

• Increases visibility of potentially vulnerable desktops

• Uses existing System Center Configuration Manager infrastructure

• Builds on and extends Windows security

• Enables multi-layered antimalware protection

• Protects critical data wherever it resides

• Provides more secure always-on access

Page 7

Secure Endpoint: Defense in Depth Strategy

Information Protection
• Active Directory Rights Management Services (RMS)
• Encrypting File System (EFS)
• BitLocker & BitLocker To Go
• Device Control

Secure Access
• DirectAccess
• Unified Access Gateway 2010
• Network Access Protection (NAP)
• IPv6
• IPsec

Malware Protection
• Protection from web-based threats at the edge: Forefront Threat Management Gateway 2010
• Advanced anti-malware on the desktop: Forefront Endpoint Protection 2010
• Desktop Firewall
• Application Control (AppLocker)

Page 8

Multi-Layered Antimalware Protection: Forefront Threat Management Gateway 2010

Page 9

New Forefront Threat Management Gateway 2010

Comprehensive Web Security
• Enables employees to safely use the Internet without worrying about malware and other threats.

Next Generation of ISA Server
• Includes and improves the proven network protection technologies of ISA 2006

Page 10

Threat Management Gateway 2010: Secure Web Gateway Features

Malware inspection
• Download scanning of files
• Integrated Microsoft AV/AM engine
• Inspection settings per rule

URL filtering
• URL category sets and exclusions
• Integrated with forward proxy

HTTPS inspection
• URL filtering, malware scanning and IPS protection
• Firewall Client notification to end users

Network Inspection System
• Protection against vulnerability exploits
• Protocol analysis

Page 11

Why Malware Protection Gateway?

Machines without host antivirus (AV)

Host AV not up to date

Centralized monitoring

Content policy enforcement

Page 12

How TMG Malware Inspection Works

[Diagram: Internet, Proxy Engine, Malware Inspection Filter, Signatures DB, Admin; processing steps numbered 1 to 7.]

Malware Inspection Filter
• Content delivery methods chosen by various content features
• Detects: malware, scripts, etc.

Signatures DB
• Integrates the Microsoft AM engine
• Automatic engine and signature updates
• Subscription based

Admin
• Source/destination exceptions
• Inspection options (block encrypted, nested archives, file sizes, ...)
• Logging and reporting support

Page 13

Forefront TMG- URL Filtering

Page 14

Why URL Filtering?
• Enhance security
• Reduce liability risks
• Improve productivity
• Save network bandwidth
• Regulatory compliance
• Analyze Web usage

Process: Classify, Evaluate, Enforce, Report

Page 15

Forefront TMG URL Filtering Explained
• Categorization services provided by Microsoft Reputation Service (MRS)
• 84 built-in categories
• Secured communication channel
• Subscription based
• Policy editing
• URL category override
• URL category query
• Logging and reporting support
• Web Access Wizard integration
• Customizable, per-rule, deny messages

[Diagram: End users, TMG admin, MRS, Internet.]

Page 16

Microsoft Reputation Services

The problem with existing URL filtering solutions
• URL classification is complicated
• Each vendor focuses on a different area (productivity, malicious sites, spam, etc.)

MRS unique architecture
• MRS merges URL databases from multiple sources/vendors
• Based on Microsoft internal sources as well as collaboration with third-party partners
• Cloud and local cache
• Scalable

An ongoing collaboration effort
• Marshal 8e6 Security
• BrightCloud
• iFilter
• Others

Page 17

Forefront TMG- HTTPS Inspection

Page 18

Traditional SSL Security

• Web browser sends CONNECT (when a proxy is configured): CONNECT host_name:port HTTP/1.1
• Web proxy allows the request to be sent to the TCP port specified in the request
• Proxy informs the client that the connection is established: 200 Connection established
• Client sends encrypted packets directly to the destination on the specified port without proxy mediation

What lies within this encrypted tunnel?

[Diagram: HTTP CONNECT (establish connection); 200 Connection established; encrypted tunnel between client and destination.]

Page 19

HTTPS Traffic Inspection

[Diagram: Contoso.com certificate signed by TMG on the client side; Contoso.com certificate signed by VeriSign on the Internet side.]

• Deployment options (via Group Policy or via Export)
• Proxy certificate generation/import and customization
• Exclusion list, validate-only option
• Logging support
• Web Access Wizard integration
• Client notifications about HTTPS inspection (via TMG Client)
• Certificate validation (revocation, trusted, expiration validation, ...)
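As an added illustration (not code from the deck or from Forefront TMG), the following Python models the two decisions slides 18 and 19 describe: what a web proxy does with the browser's CONNECT host_name:port HTTP/1.1 request, and the exclusion-list / validate-only / full-inspection choice together with the certificate checks (trusted issuer, expiration, revocation) listed above. The hostnames, ports, issuer name and serial number are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

class Action(Enum):
    DENY = "deny"                    # CONNECT refused
    TUNNEL = "tunnel"                # traditional SSL: opaque tunnel, nothing inspected
    VALIDATE_ONLY = "validate-only"  # server certificate checked, payload not decrypted
    INSPECT = "inspect"              # tunnel terminated, scanned, re-signed by the proxy CA

# Request line a browser sends when a proxy is configured: CONNECT host_name:port HTTP/1.1
CONNECT_RE = re.compile(r"^CONNECT\s+(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]\r\n")

@dataclass(frozen=True)
class Policy:
    allowed_ports: frozenset   # destination ports a CONNECT may target
    excluded: frozenset        # exclusion list: tunnel passed through uninspected
    validate_only: frozenset   # certificate validated, content not decrypted

def parse_connect(request: str):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = CONNECT_RE.match(request)
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host").lower().rstrip("."), port

def _matches(host: str, patterns) -> bool:
    # exact hostname, or "*.example.com" covering the domain and its subdomains
    return any(host == p[2:] or host.endswith(p[1:]) if p.startswith("*.") else host == p
               for p in patterns)

def decide(request: str, policy: Policy):
    """Classify a CONNECT request; returns (Action, reason)."""
    parsed = parse_connect(request)
    if parsed is None:
        return Action.DENY, "malformed CONNECT request"
    host, port = parsed
    if port not in policy.allowed_ports:   # keeps CONNECT from becoming a generic TCP relay
        return Action.DENY, f"port {port} not permitted for CONNECT"
    if _matches(host, policy.excluded):
        return Action.TUNNEL, "host on HTTPS inspection exclusion list"
    if _matches(host, policy.validate_only):
        return Action.VALIDATE_ONLY, "certificate validated, payload not decrypted"
    return Action.INSPECT, "tunnel terminated and re-signed by proxy CA"

def validate_certificate(cert: dict, trusted_issuers, revoked_serials, now: datetime) -> list:
    """Slide-19 checks (trusted issuer, expiration, revocation) on a certificate given as a dict."""
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append("untrusted issuer")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("expired or not yet valid")
    if cert["serial"] in revoked_serials:
        problems.append("revoked")
    return problems

# Constructed sample policy and certificate (hypothetical hosts, issuer and serial).
POLICY = Policy(frozenset({443}), frozenset({"*.bank.example"}), frozenset({"hr.contoso.example"}))
NOW = datetime(2010, 6, 8, tzinfo=timezone.utc)
SAMPLE_CERT = {"issuer": "Example Public CA", "serial": 0x1234,
               "not_before": datetime(2010, 1, 1, tzinfo=timezone.utc),
               "not_after": datetime(2011, 1, 1, tzinfo=timezone.utc)}
```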

Page 20

Forefront TMG- Network Inspection System

Page 21

Protecting against vulnerability exploits with NIS
• Detect and block known vulnerability-based attack attempts at the edge of the network or in the data center
• Same-day availability of the patch and the NIS signature
• Closes the vulnerability window needed for patch testing/deployment:
  • Patches need to be tested more thoroughly
  • Customer acceptance (similar to AV updates)

[Timeline: vulnerability found; signature authoring team]

Page 22

How NIS Works

Design time
• GAPAL (GAPA Language)
• Compiler
• Protocol parsers and signatures

Run time
• NIS Engine
• Network interception
• Signatures & protocol parsers
• Microsoft Update
• Telemetry & portal

Page 23

Demo: Protection From Web-Based Threats Using Forefront TMG

Page 24

Multi-Layered Antimalware Protection: Forefront Endpoint Protection 2010

Page 25

Forefront Endpoint Protection 2010

HELP PROTECT everywhere
• Proven Microsoft Antimalware Engine
• Zero Day Protection through:
  • Behavior Monitoring
  • Emulation
  • Heuristics & Generics
• Antimalware/Rootkit Protection
• Windows Firewall Management
• Performance-Oriented Defaults
• Template-driven policy creation based on risk
• Workload-specific policies for servers

INTEGRATE and EXTEND security
• Built on System Center Configuration Manager 2007 R2
• Enterprise Deployment
  • Upgrade from FCS v1
  • Detection & removal of existing endpoint protection solutions
  • Large-scale client roll-out through Configuration Manager
• Extended Topologies
  • Non-domain-joined PCs
  • Branch office topologies
  • Standalone ('unmanaged')

SIMPLIFY security MANAGEMENT experience
• Converged System Management
• Simple Centralized Policy
• Critical Level Alerting
• Security admin-oriented Reporting
• Desired Configuration Manager (DCM)-based Vulnerability Assessments

Forefront Endpoint Protection 2010 provides enhanced endpoint protection and simplified management while greatly reducing infrastructure costs.

Page 26

Forefront Endpoint Protection 2010: Enhanced Protection

Page 27

Protect Endpoints Without Complexity

Simple interface
• Keep user interactions minimal and high-level
• Provide necessary interactions

Admin-managed options
• Control user configurability
• Enforce central policy

Page 28

New or improved in Forefront Endpoint Protection 2010!

[Slide graphic: feature acronyms DFSP, AR, DSS, BHO, BM, kBTR, NIS, SM, DSORP, RIM, KSL, DCFGMOAC, FFR, RTP.]

Page 29

Forefront Endpoint Protection Stack

• Firewall & Configuration Management, Real-time Protection: core antimalware and management capabilities provide high-quality reactive detection.
• Generics and Heuristics: industry-leading proactive detection based on our Dynamic Translation technology.
• Anti-rootkit: advanced rootkit detection and remediation defends against sophisticated threats.
• Behavior Monitoring: live system behavior monitoring identifies new threats.
• Dynamic Signature Service: delivers real-time signatures from the cloud.
• Malware Response: FEP customer submissions and telemetry are prioritized across the global response team.
• Browser Protection (PREVIEW): scanning of web content and scripts. FEP 2010 scans the page in-memory, blocking malicious scripts before they run.

Page 30

Endpoint Protection Scenarios

[Diagram: Endpoint and MMPC exchange samples and signatures.]

1. Known malware: blocked. Some new malware: blocked by generics.
   GOAL: continue to provide high-quality protection and cover more attack vectors.

2. Remaining new malware: samples sent to MMPC for analysis. New signatures delivered to customers.
   GOAL: shrink the customer "window of vulnerability" by discovering new threats and delivering signatures faster.

[Diagram: protection layers arranged from "Before malware runs" to "After malware runs": Real-time Protection, Generics and Heuristics, Browser Protection, Anti-rootkit, Behavior Monitoring, Dynamic Signature Service, Malware Response.]

Page 31

Dynamic Signature Service

"Interesting" files detected and reported to Microsoft
• Behavior Monitoring detections
• Anti-rootkit: files hooking the kernel
• Lo-fi signatures: a new class of generics looks for suspicious characteristics as behavior is emulated with dynamic translation
• Queries the reputation service about "interesting" files

If the file is known bad, a new signature is delivered in real time to the client requesting it
• Balances signature distribution time/cost with the need for real-time updates
• Admins must choose to opt in to use this feature

[Diagram: Client, Researchers, SpyNet / MRS; flows: Properties / Behavior, Sample Request, Sample Submit, Real-time Signature, Reputation; components: Behavior Classifiers, Real-Time Signature Delivery.]

Page 32

Demo: Behavior Monitoring and Dynamic Signature Service

Page 33

Forefront Endpoint Protection 2010: Simplified Deployment and Management

Page 34

Building Endpoint Protection On Configuration Manager 2007

Uses existing Configuration Manager 2007 infrastructure
• No new servers
• Integrated console
• Supports SP2/R2 and later

Simple install process
• Installs on root site, deploys to hierarchy
• Discovers Configuration Manager roles and attaches FEP roles and context (or allows separate installs)
• Automatically creates additional components (FEP distribution packages, DCM baselines)
• Creates new reporting database

[Diagram: Central Site and three Primary Sites; FEP.]

Page 35

Client Distribution and Deployment

Client distribution
• Configuration Manager software distribution
• Detects and removes incompatible applications

Signature distribution
• Configuration Manager Software Updates Management
• Also supports: Microsoft Update; point to file share

Page 36

Forefront Endpoint Protection & Configuration Manager Integration

[Diagram of components: Configuration Manager Server (DCM), Configuration Manager Console, Configuration Manager Reporting (FEP Reports), Configuration Manager DB, FEP Reporting DB, Configuration Manager Software Distribution; Managed Computer: Configuration Manager Agent, Forefront Endpoint Protection 2010, FEP UI, WMI, Registry, Event log.]

Page 37

Improved Visibility
• Fix client security problems in Configuration Manager
• Dashboard view of status
• Drill down to see affected computers and remediate within Configuration Manager
• Receive email alerts on outbreaks
• Provides security policy compliance tracking

Page 38

Extending Endpoint Protection to Servers
• Server-centric view in OpsMgr
• Predefined settings optimized per server workload
• Server security and availability tasks
• Service Level Objectives reports integrated with OpsMgr 2007 R2
• Real-time monitoring and alerting for critical systems

Page 39

Demo: Forefront Endpoint Protection 2010

Page 40

Summary
• A Defense in Depth strategy is necessary to protect from evolving threats
• Microsoft's Secure Endpoint Solution:
  • Provides a holistic security solution for endpoint protection
  • Lowers deployment cost via shared infrastructure and common technologies
  • Simplifies management of endpoint security

Learn more & try our solutions at: www.microsoft.com/forefront

Page 41

Related Content
• SIA320 | Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft's Secure Endpoint Solution
• SIA301 | Secure Endpoint: DirectAccess and Microsoft Forefront Unified Access Gateway 2010, the Complete Remote Access Solution
• SIA308 | Secure Endpoint: Advanced Protection from Dynamic Threats, a Microsoft Forefront Threat Management Gateway 2010 Deep Dive
• SIA309 | Secure Endpoint: What's in Microsoft Forefront Endpoint Protection 2010 - A Deep Dive into the Features and Protection Technologies
• SIA325 | Secure Endpoint: Virtualizing Microsoft Forefront Threat Management Gateway (TMG)
• SIA02-INT | Secure Endpoint: Planning DirectAccess Deployment with Microsoft Forefront Unified Access Gateway
• SIA07-INT | Secure Endpoint: Architecting Forefront Endpoint Protection 2010 on Microsoft System Center Configuration Manager
• SIA05-HOL | Microsoft Forefront Threat Management Gateway Overview
• SIA09-HOL | Secure Endpoint Solution: Business Ready Security with Microsoft Forefront and Active Directory
• SIA11-HOL | Microsoft Forefront Unified Access Gateway (UAG) and Direct Access: Better Together
• Red SIA-3 | Microsoft Forefront Secure Endpoint Solution

Page 42

Track Resources

Learn more about our solutions: http://www.microsoft.com/forefront

Try our products: http://www.microsoft.com/forefront/trial

Page 43

Resources
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn

Page 44

Complete an evaluation on CommNet and enter to win!

Page 45

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

Page 46

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 47

JUNE 7-10, 2010 | NEW ORLEANS, LA