OSL150 – Get Hands on with Ivanti Endpoint Security
David Murray, Rob Kelsall
What is Ivanti Endpoint Security?

Ivanti Endpoint Security is a single, endpoint-security-focused platform offering best-of-breed solutions for:
- Patch Management
- Application Control
- Device Control
- AntiVirus

One suite solution:
- Single, modular, extensible architecture
- Single workflow-based console
- Asset discovery and agent deployment
- Installation Manager
- AD integration and synchronization
- Role-based access control
- Reporting and notification
A single suite that covers it all…
Lab Agenda
- Discover endpoints and install agents
- Create custom groups and add endpoints to these groups
- Create AntiVirus policies and scan for malware
- Patch vulnerable applications
- Application Control blocking and Denied Applications
- Install an application with Trusted Updater
- Create a Local Authorization policy
- Protect against memory-based attacks
- Protect data with Device Control
- Dashboard widgets & reports
Orientation – Ivanti Endpoint Security Workflow

Work from left to right across the console menu:
- Discover – Assets, Malware
- Review – Vulnerabilities, Virus Alerts, Discovered Assets, Logs
- Manage – Endpoints, Groups, Users, Policies, Libraries, Quarantine
- Reports – Standard & Enhanced Reports
- Tools – Roles, Installers, Subscriptions, DB maintenance, Notifications, Options
- Help – which hopefully you don’t need to use too much

Let’s get started
- Logon credentials are contained in your lab guide
- Turn off Windows Defender on the Windows 10 endpoint
Exercise 1 – Discover Endpoints & Install Agents

Goal: discover new endpoints and bring them under control.

Steps:
- Discover > Assets
  - Select “Immediate” under scheduling
  - Use IP address range 192.168.100.10 to 192.168.100.99
- Review > Job Results
  - Go to the Completed tab when the job is finished (the page auto-refreshes)
- Manage Agents > Install Agents, for any assets (Win7) showing “No Agent Found”
Exercise 2 – Create Groups & Add Endpoints

Goal: as we generally manage by groups rather than by individual endpoints, create a number of custom groups so we can use them in subsequent exercises.

Create three custom groups:
- Manage > Groups > Group Membership view
- Select “Custom Groups” from the panel on the left
- Delete/ignore any existing groups (I forgot to do so!)
- Create the following groups: Server, Desktop, All Systems

Add endpoints to each group:
- Manage > Groups > Endpoint Membership view
- Use the Membership button or right-click on the group
  - Server – Ivanti Endpoint Server & CentOS
  - Desktop – Win10 and Win7
  - All Systems – all four endpoints
Exercise 3 – Create AV Policies & Scan for Malware

Goal:
- Discover and remove any malware that exists
- Create policies to provide ongoing protection

Scan for malware:
- Discover > Scan Now – Virus and Malware Scan
- Select the Immediate scan option and assign it to the Desktop group
- Add a “folder” exclude for the C:\ drive to minimize scan duration
- Follow progress on the Win10 endpoint via the Agent Control Panel
- Review “Centralized Quarantine” when the scan has completed

Create policies for ongoing protection:
- Manage > AntiVirus Policies
- Create a Real-time Monitoring policy
- Create a Recurring Virus and Malware Scan policy
  - Set the policy to run at the weekend (not during Interchange!)
Exercise 4 – Patch Vulnerable Applications

Goal:
- Understand what vulnerabilities exist
- Apply patches to remediate (some of) these vulnerabilities

Understand vulnerabilities:
- Navigate to Manage > Endpoints
- Select an endpoint and open the Vulnerabilities/Patch Content tab
- Select filters (Detection Status = Not Patched)
- Select (1 or 2) cached packages and “Add to List”, naming the list Interchange

Remediate vulnerabilities:
- Manage > Groups (Vulnerabilities/Patch Content view)
- Select the All Systems group
- Select the Interchange custom patch list (and select all content)
- Click “Deploy”

(Console legend: Cached / Not cached)
Exercise 5 – App Control Blocking and Denied Apps

Goal:
- Demonstrate that non-whitelisted applications are blocked
- Deny a whitelisted application

Non-whitelisted applications:
- Log on to the Win10 endpoint
- Open the “Test Files” folder on the desktop (added after lockdown)
- Try to run any of these applications -> you receive the blocked dialog

Deny a whitelisted application:
- Open Mozilla Firefox and confirm that it opens correctly
- Go to Manage > Application Library and search for Firefox.exe in “Ungrouped files”
- Move the file to “Prohibited Applications”
- Go to Manage > Application Control policies
- Create a Denied Applications policy and add the “Prohibited Applications” application to it
- Assign it to the Desktop group and confirm Mozilla Firefox is blocked (once the policy is delivered)
Exercise 6 – Install an Application with Trusted Updater

Goal: install a blocked application on a locked-down endpoint.

Try to install the application on the locked-down endpoint:
- Open the Test Files folder on the Win10 desktop
- Try to launch one or more of the installers (you may already have completed this step earlier)

Add the installer to a Trusted Updater policy:
- Go to Review > Application Control Log Queries
- Create an “All Denied Application Events” log query for the Desktop group
- Review the results and locate the denied installer (refresh the query if it is not there yet)
- Select the installer in the log query results and click the “Trust” button
- Assign to the Desktop group
- Once the policy is delivered, confirm that the application installs correctly and can be opened
Exercise 7 – Local Authorization

Goal: enable endpoint users to decide whether to launch/install an application on their endpoint.

Create a Local Authorization policy:
- Go to Manage > Application Control policies and select the “Trusted Change” tab
- Create a Local Authorization policy and assign it to the Desktop group

Locally authorize an application:
- Once the policy is delivered, go to the Test Files folder on the Win10 endpoint
- Select an application or an installer and try to open it
- You should now receive a local authorization dialog and can decide whether to allow or deny
Exercise 8 – Protect Against Memory-based Attacks

Goal: implement a Memory Protection policy to detect and block a memory injection.

Create a Memory Protection policy in Audit Mode:
- Go to Manage > Application Control policies and select the Memory Protection tab
- Create a Memory Protection policy in Audit Mode and assign it to the Desktop group

Launch the application and inject into memory:
- Follow the lab guide to launch the target application (view it in Task Manager)
- Launch the injector application and inject into the process of the target application
- Go to Review > Application Control log queries and create an All Memory Injection Events query

Convert the Memory Protection policy to Enforcement Mode:
- Edit the Memory Protection policy and switch from Audit to Enforce mode
- Confirm the target application is terminated (via logs and Task Manager)
Exercise 9 – Protect Data with Device Control

Goal: create policies to protect data when it is copied to removable media (e.g. USB sticks).

Confirm current read/write behaviour:
- Copy files to and from the E:\ and F:\ drives on the Win10 endpoint and confirm both read & write work

Create Unencrypted and Encrypted drives policies:
- Go to Manage > Device Control policies and create the policies per the lab guide

Test the Device Control policies:
- Disable the default policy for Removable Storage Devices and set the Global policy to Enforce
- Attempt to copy files to the (unencrypted) E:\ or F:\ drives and confirm that they are read-only
- Encrypt the F:\ drive and confirm both read and write work on the encrypted drive
- Reboot the Win10 endpoint to see the behaviour when the E:\ and F:\ drives are connected
  - An option is provided to encrypt the E:\ drive
  - You need to enter the encryption password for the F:\ drive
Exercise 10 – Dashboard Widgets and Reports

Goal:
- Enable dashboard widgets to provide an overall system summary on login
- Create reports for more detailed analysis or for management

Dashboard widgets:
- Go to the Home page on the console
- Select “Configure Dashboard Settings” and select the dashboards to display
- Drag and drop dashboards as needed

Reports:
- Go to Reports > Enhanced Reports
- Run reports on the earlier exercises and review the results
Thank you
- Don’t forget to provide feedback
- Go get some lunch