Microsoft System Center 2012 Endpoint Protection Overview Adwait Joshi (AJ) Product Marketing Manager Microsoft Corporation Mark Florida Principal Program Manager Lead Microsoft Corporation MGT310


Microsoft System Center 2012 Endpoint Protection Overview

Adwait Joshi (AJ), Product Marketing Manager, Microsoft Corporation

Mark Florida, Principal Program Manager Lead, Microsoft Corporation

MGT310


Session Objectives And Takeaways

Session Objectives:
• The evolution of malware
• Overview of System Center 2012 Endpoint Protection
• Demos on EP client installation and management+security
• Overview of the Endpoint Protection client


The Evolution Of Malware

• In 1991, 1000 known threats, in 2001 there were 60,000
• Today there are millions, and it’s growing every day
• Sophistication and production rates continue to evolve
• Anybody can do it—full malware suites available online
• Your stuff is worth money, and they want it!


Nefarious Personas

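[Diagram: attacker personas plotted by motivation and skill level. Motivations: National Interest, Personal Gain, Personal Fame, Curiosity. Skill levels: Script-Kiddy, Hobbyist Hacker, Expert, Specialist. Personas: Vandal, Thief, Spy, Trespasser, Author. Callouts: "Fastest growing segment"; "Tools created by experts now used by less skilled attackers and criminals".]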


System Center 2012 Endpoint Protection

Next generation of Forefront Endpoint Protection 2010

Unified Infrastructure: Reduce the cost of maintaining secure endpoints with unified management and security infrastructure

Simplified Administration: Single administrator experience for simplified endpoint protection and management

Enhanced Protection: Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels


Mgmt + Security In Configuration Manager 2012

Exchange Connector

Settings Management

Software Updates + SCUP

Endpoint Protection

SWD

OSD


Unified Infrastructure

Reduce the cost of maintaining secure endpoints with unified management and security infrastructure

System Center 2012 Endpoint Protection

Easy to setup and operate the management infrastructure

Easy client install and migration

Automated deployment of updates using ConfigMgr infrastructure

Simplified deployment of antimalware policies


Infrastructure Changes from FEP 2010

[Diagram: infrastructure comparison, CONFIGURATION MANAGER 2007 with FOREFRONT ENDPOINT PROTECTION 2010 versus CONFIGURATION MANAGER 2012 with ENDPOINT PROTECTION 2012, drawn across SERVER and CLIENT tiers. Labels: EP CLIENT on ConfigMgr Server; FEP SERVICE; FEPDW; FEPDB; CMDB; CONFIGURATION MANAGER SITE SERVER; MANAGEMENT POINT; DISTRIBUTION POINT; CM CLIENT; EP CLIENT; EXCEL TEMPLATE; REPORTS; FEP EXTENSIONS; FEP DEPLOYMENT; FEP OPERATIONS; FEP POLICY; EP DEPLOYMENT; EP OPERATIONS; EP POLICY; EP SITE ROLE; Pre-Packaged EP CLIENT; Definition Catalogs.]


Simplified Deployment of AM Policies

Centralized management for AM and Firewall Policy

AM and FW policy delivered as ConfigMgr policy – no package/program dependency

Out of box templates

Import, Export, Merge

Prioritization of policies by collection

Simplified UI for customizing policy


Signature Update Distribution

• Easier distribution process
  • Automatic deployment rules within ConfigMgr software updates
• Minimizes WAN impact
  • Uses distribution points and reduced definition size
• Ensures always up-to-date security regardless of the client location
  • Multiple update sources (ConfigMgr, WSUS, Microsoft Update, Windows File Share)

[Diagram: MICROSOFT UPDATE. ON THE ROAD: Fallback to online update. Corporate Network: Updates distributed through ConfigMgr, WSUS or Windows File Share.]

DELTA UPDATE SIZE: 50-2048 KB

UPDATE FREQUENCY: 3 TIMES/DAY


Simplified Client Setup

• Ease of client setup and deployment
  • No separate deployment needed for endpoint protection client
  • Endpoint Protection agent installer deployed with Configuration Manager client setup
  • Endpoint Protection client and definitions easily integrated with OSD
• Flexible administrative control
  • Administrator can force or suppress any required reboots
  • Configurable option for automatic removal of existing AV client
• Easy migration from existing solutions and automatic removal of existing clients
  • Symantec
  • McAfee
  • TrendMicro
  • Forefront Client Security or Forefront Endpoint Protection

Client Installation Flow

[Diagram labels: Signature update; Configure Policy; EP client install; Silent removal of third-party products; EP enabled in the console - EP installation starts on the device; EP agent installer deployed with ConfigMgr Client.]


Client Deployment


System Center 2012 Endpoint Protection

Single interface for client management and security

Improved alerting, client to admin within 5 minutes, and reporting, with real-time and user-centric data views

Simplified Administration

Single administrator experience for simplified endpoint protection and management


Single Interface For Management And Security

• Single interface for client management and security
  • Dashboard integrated with ConfigMgr console
  • Simplified cross-feature integration
• Quick identification and remediation of client security issues
  • Dashboard focused on actionable events
• Flexibility to separate security admin role
  • Role-based administration
  • Access to only relevant security information


Monitoring Client Security

• Quick alerts and event notification in the console
  • Uses high speed data channel to notify events in real time
  • High speed data channel prioritizes EP messages in state system, and no client “wait” to send messages up
• Integrated monitoring for client health and antimalware status
• Email subscription for alerts


Rich Reporting And Analysis

• Rich reporting on client security
  • SQL Reporting Services-based reports on many categories
  • User-centric reports enable identification of commonly impacted users
• Customizable reports simplified through database integration


Management and Real-time Monitoring


System Center 2012 Endpoint Protection SP1

• Automatically deploy definition update 3 times per day
• Category based scan from client to WSUS
• Delta syncs between SUP and WSUS

Real-time administrative actions:
• Run Definition Updates
• Run Quick Scan
• Run Full Scan
• Allow threats
• Exclude paths and/or files
• Restore files quarantined by threat

Client side merge of antimalware policies

What’s new in SP1


Real-time Administrative Actions

1. “Dial tone” (Client)
• Active TCP Session with the MP
• Client Checking for urgent tasks

2. Administrator
• In administrative console selects “Run Full Scan” on a collection

3. Site Server and MP
• A task is created (Task = “Run Full Scan”)
• MP is told that new urgent task has been requested

4. “Call is placed” (Client)
• Client via this TCP connection is told there are urgent tasks to run
• Client then connects to the MP to get policy
• Client runs the Full Scan Task

All this happens within seconds

What’s new in SP1


Real-time Administrative Actions in Endpoint Protection SP1


System Center 2012 Endpoint Protection

Comprehensive protection stack building on Windows Security

Proactive protection against known and unknown threats

Reduced complexity while protecting clients

Enhanced Protection

Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels


Comprehensive Protection Stack Building on Windows Platform security

[Diagram: protection stack. Headings: Proactive Techniques (Against Unknown Threats); Reactive Techniques (Against Known Threats). Layers: APPLICATION, FILE SYSTEM, NETWORK. System Center Endpoint Protection labels: Behavior Monitoring; Vulnerability Shielding (Network Inspection System); Windows Firewall Centralized Management; Antimalware; Dynamic Translation and Emulation. DYNAMIC CLOUD UPDATES: Microsoft Malware Protection Center; Dynamic Signature Service. Windows 7: Data Execution Prevention; Address Space Layout Randomization; Windows Resource Protection; User Account Control. Other labels: Internet Explorer® 8 SmartScreen; Microsoft BitLocker; Microsoft AppLocker.]


Dynamic Translation With Heuristics

• Industry-leading proactive detection
  • Emulation based detection helps provide better protection
  • Safe translation in a virtual environment for analysis
• Enables faster scanning and response to threats
  • Heuristics enable one signature to detect thousands of variants

[Diagram labels: Real Time Protection; Driver Intercepts; Potential Malware Execution attempt on the system; VIRTUALIZED RESOURCES; Safe Translation Using DT; Malware Detected; Malicious File Blocked.]


Behavior Monitoring And Dynamic Signatures

• Live system monitoring identifies new threats
  • Tracks behavior of unknown processes and known bad processes
  • Multiple sensors to detect OS anomaly
• Updates for new threats delivered through the cloud in real time
  • Real time signature delivery with Microsoft Active Protection Service
  • Immediate protection against new threats without waiting for scheduled updates

[Diagram: Microsoft Active Protection Service, with RESEARCHERS, REPUTATION, REAL-TIME SIGNATURE DELIVERY and BEHAVIOR CLASSIFIERS. Numbered exchanges 1 to 4 between client and service, labelled: Properties/Behavior; Real-time signature; Sample request; Sample submit.]


Protect Clients With Reduced Complexity

• Simple interface
  • Minimal, high-level user interactions
• Administrative Control
  • User configurability options
  • Central policy enforcement
• Maintains high productivity
  • CPU throttling during scans
  • Faster scans through advanced caching


Best Usability 2011 – AV Test


Heterogeneous Antimalware Clients

Mac OS X

Linux

What’s new in SP1


Summary

Key Scenarios | Forefront Endpoint Protection 2010 | System Center 2012 Endpoint Protection

Unified infrastructure | System Center Configuration Manager 2007 | System Center 2012 Configuration Manager

Server setup | Separate install | Unified setup

Client deployment | ConfigMgr distribution process | Integrated

Signature updates | Multiple sources (WSUS, File Share, Microsoft Update) | Multiple sources with automatic deployment rules from ConfigMgr console

Proactive protection

Firewall management

Role based administration | New

Alerts and monitoring | Real time alerts

Reports | Additional user centric reports

Row groups: Unify, Protect, Simplify


Online Resources

• Launching a Windows Defender Offline Scan with Configuration Manager 2012 OSD
• Operating System Deployment and Endpoint Protection Client Installation
• Software Update Content Cleanup in System Center 2012 Configuration Manager
• Building Custom Endpoint Protection Reports in System Center 2012 Configuration Manager
• Managing Software Updates in Configuration Manager 2012
• How-to-Videos
• Product Documentation
• Security and Compliance Manager – Configuration Packs


Related Content

Breakout Sessions
• MGT309 | Microsoft System Center 2012 Configuration Manager Overview
• MGT311 | Microsoft System Center 2012 Configuration Manager Deployment and Infrastructure Technical Overview
• MGT312 | Deep Application Management with Microsoft System Center 2012 Configuration Manager
• MGT313 | Microsoft System Center 2012 Configuration Manager: Plan, Deploy, and Migrate from Configuration Manager 2007 to 2012
• MGT318 | Patch and Settings Management in Microsoft System Center 2012 Configuration Manager
• WCL388 | Client Management Scenarios in the Windows 8 Timeframe


Related Content

Hands-on Labs:
• MGT23-HOL | Deploying Windows 7 to Bare Metal Systems with Microsoft System Center 2012 Configuration Manager
• MGT24-HOL | Implementing Endpoint Protection 2012 in Microsoft System Center 2012 Configuration Manager
• MGT12-HOL | Compliance and Settings Management in Microsoft System Center 2012 Configuration Manager
• MGT25-HOL | Deep Dive: Microsoft System Center 2012 Configuration Manager SQL Replication Labs
• MGT21-HOL | Basic Software Distribution in Microsoft System Center 2012 Configuration Manager
• MGT16-HOL | Migrating from Microsoft System Center Configuration Manager 2007 to System Center 2012 Configuration Manager
• MGT14-HOL | Implementing Role Based Administration in Microsoft System Center 2012 Configuration Manager
• MGT15-HOL | Deploying a Microsoft System Center 2012 Configuration Manager Hierarchy
• MGT11-HOL | Introduction to Microsoft System Center 2012 Configuration Manager


Resources

Connect. Share. Discuss.

http://northamerica.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn


Complete an evaluation on CommNet and enter to win!


MS Tag

Scan the Tag to evaluate this session now on myTechEd Mobile


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
