

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2010 Gartner, Inc. and/or its affiliates. All rights reserved.

Terrence Cosgrove
Security and Management Convergence on the Desktop

Defending Against Targeted Attacks

Defenses shown in the diagram:
- Find and fix system vulnerabilities
- Shield vulnerable applications
- Network defenses
- Find and fix application vulnerabilities
- Shield vulnerable systems

Attack steps shown in the diagram:
- Steal data
- Compromise accounts
- Target User
- Install malware
- Surveillance
- Steal user's credentials
- Compromise servers
- Compromise applications

Perfect defenses not achievable

Malware Trends

- Volume increasing
  - ,000/month, accelerating
- Infection rates increasing
  - 3% to 5% of enterprise PCs
- Web-enabled
- Easily customizable
- Ransomware
- Trojans
- Lower level (BIOS, RAM, driver)
- Conficker was an exception, not the trend

[Chart: Unique Malware Threats (in Millions). Source: Symantec Threat Report, 2009]

Security and IT Operations: Dependent but Different

[Diagram labels, in slide order: Service Quality; Lower TCO; Risk Identification; Risk Mitigation; Compliance; Desktop Lockdown; Configuration Standards; SW/Patch Distribution; Infrastructure; HW/SW Inventory; Operations; Security; Compliance]

Different Goals … But Common Methods

Fix the Root Cause of Security Problems

90% of successful attacks occurred against previously known vulnerabilities where a patch or secure configuration standard was already available.

[Diagram labels, in slide order]
- Apps installed; Patches installed; Settings/configurations; Agents/Services
- Block apps; Deploy patches; Change mis-configured settings; Reinstall missing agents
- Reduce the attack surface; Reduce the time to security
- Rogue apps; Missing patches; Configuration errors; Encryption not installed

The Mobile User: A Growing Security and Management Problem

Issues:
- They are beyond the perimeter
- Visibility: Will they get patches; how do I ensure compliance?
- They probably have admin rights
- Organizations often have separate security metrics for notebooks and desktops

[Chart: Mobile PC Unit Share, 1Q03-4Q11]

Telework Growth:
- 27% of U.S. workers telework at least one day per month
- By 2011, 46.6 million employees globally will telework at least one day a week, and 112 million will telework at least one day per month

Source: "Dataquest Telebriefing: Preliminary PC Forecast and Market Scenarios, 3Q09" (G )
Source: "Gartner's Telework Action Plan Is Key to Successful Implementations" (G )

Vulnerability Management Weak Spots: Patch Management

Strategy:
- Tightly manage configuration diversity
- Automate quality assurance (QA) testing
- Network isolation and deployment of intrusion prevention technology
- Invest in monitoring technology (breach discovery)

Mobile PCs:
- Not accessible for rapid patching from the internal network
- Threat exposure (outside perimeter protection)
- Loss exposure (sensitive data)

Strategy:
- Patch management over the Internet (a few products support it)
- Activate and manage personal firewalls, consider host intrusion protection software (HIPS)
- Encrypt laptop data

Patch Management: A Maturing Discipline

[Chart: Group Responsible for PC Patch Management. Source: Gartner 2010]

Patch Management Maturity Analysis

Maturity Level and Characteristics:
- 1. Awareness: Inconsistent standardization; Ad hoc testing; Crisis/deadline driven. Results: ~80% 6-8 weeks
- 2. Committed: Some standardization; Resources assigned, but not dedicated. Results: ~85% patched in 6 weeks
- 3. Proactive: Standardization; Formal testing; Ongoing assessments; Few crises; 95% patched in 2-3 weeks
- 4. Business Aligned: Service orientation; Proactive assessment; No crises; Continuous business assessment for risk

Security Configuration Assessment

[Chart: Group Responsible For Security Configuration Assessment. Source: Gartner 2010]
- Early, but moving over to desktop
- Many do Security Configuration Assessment within both Security and Ops

Why It's Needed:
- Vulnerability reporting not oriented toward remediation.
- The root cause of many vulnerabilities can be eliminated through changes in provisioning and administration processes.

Advice:
- Security orgs should orient mitigation initiatives with IT ops around security configuration assessments (as opposed to vulnerability assessments).

Endpoint Protection and Operations Integration: Why?

[Chart: Group Responsible for Antivirus Deployment and Management. Source: Gartner 2010]

Rapid benchmark capability
- What assets do we have?
- What software is on them?
  - Is the software malicious, nonproductive, unlicensed, redundant, nonstandard, vulnerable?
- Is the software/machine configured correctly?
- Are we compliant with the regulation du jour?
- How do we move seamlessly from problem detection to remediation?

Windows Application Control Solutions: An Alternative to Desktop Lockdown

[Diagram labels, in slide order: User Owns and Manages PC; Company Owns PC; Application Control; Policy; Settings; No Control; Basic Application Control; Software Control; No app control; Only blacklisted apps can't run; Per-app system resource control; Only permitted apps use network; No policy; Written policy; Technology-enforced policy; Users can change any settings; Users cannot change certain settings; Users cannot change any settings; Users can add any software; Users can add and run apps not on blacklist; Users cannot add software; Users can add and run apps on whitelist; Per-app port control; Only whitelisted apps can run; Full Control]

Lock Down Most, but Not All, Users

Through 2015, IT organizations will continue to deploy lockdown policies on the majority of PCs.

Reasons this will be true:
- 52% of organizations increasing the number of locked-down users; 31% keeping the same levels
- "Standard user" increasingly recognized as best practice
- Apps are increasingly written to run as a standard user

Reasons this will be false:
- Mutiny: the new generation of worker will not allow it
- Application control tools will do a better job of locking down the PC while giving users some freedom
- User's workspace will be hosted in the data center; we don't care what's on the device

Data Leakage Threats: Encrypt Data, Track Usage and Disposal

[Image label: hard drive]
[Chart: Group Responsible for the Operations of PC Data Encryption]

Convergence: Host Intrusion Prevention, Configuration Management, Software Distribution

[Diagram labels, in slide order: Vulnerability Assessment; Security Inventories; Operational Configuration Policy; Anti-spyware; Operational Inventories; Security Configuration Policy Audit; Personal Firewall; Antivirus; Software Distribution; HIPS; Patch Management; Consolidated Inventory; Endpoint Suites; PC Intrusion Prevention (AV, AS, HIPS, PFW, Others); Software Distribution (Including Patches); Configuration Management; Vulnerability Assessment; Endpoint Suites]

Security and Operations — Integrated Processes with Segregation of Duties

[Diagram labels, in slide order: Identity and Access Policies; Security Configuration Policies; Threat/Vulnerability Assessment; Security; Network and System Compliance Audit; Monitor Privileged Access; Implement Configuration Changes; Software Distribution/Patch Install; Network Operations; System Administration; Desktop Support; Availability/Change Management; Provision Systems; Privileged Users; Database Administration; Internal Audit/Compliance]

Recommendations

Actions are set in italics.

- Adopt a process-centric approach to security.
- Develop mitigation processes on the assumption that content and software will be:
  - Used in unexpected ways
  - Abused
  - Stolen
  - Attacked by outsiders and insiders
- Move routine security processes to IT operations groups.
- Balance spending among mitigation, shielding and monitoring based on practical limitations of mitigation for specific IT components.
