Yusuf Joosub Security Management SSP Microsoft Session Code: SIA302.

Presentation transcript:

Yusuf Joosub Security Management SSP Microsoft Session Code: SIA302

Business Ready Security
Help securely enable business by managing risk and empowering people
Highly Secure & Interoperable Platform
From: Block, Cost, Siloed
To: Enable, Value, Seamless

Current Security & Access Challenges
- Even best-of-breed stand-alone protection is not enough
- With current silo technologies, data breaches still occur
- They come from combinations of events
- They can take months to discover and weeks to mitigate
Figure: Life-cycle of a data breach attack
Source: 2008 Data Breach Investigations Report. Verizon Business

Forefront Code Name "Stirling"
An integrated security suite that delivers comprehensive protection across endpoint, application servers, and the edge that is easier to manage and control.
Diagram labels: Central Management Server; Network Edge; Server Applications; Client & Server OS; Third-Party Partner Solutions; Other Microsoft Solutions; Active Directory; Network Access Protection; Unified Management; In-Depth Investigation; Enterprise-Wide Visibility; Security Assessment Sharing (SAS)

Code Name “Stirling”
Comprehensive Protection
- Multiple industry-leading detection technologies for advanced protection against viruses, spyware, spam, and web-based threats
- End to end coordinated protection across multiple products with correlated analytics and health assessment
- Support from industry-leading malware research and response
Simplified Management
- Single console for managing endpoint, collaboration, on-premise and cloud messaging server security for policy configuration
- Enterprise-wide visibility and reporting of threats and vulnerabilities to enable compliance
- Automated risk assessment with prioritized view of threats for easy investigation, auditing and faster responses
Integrated Security
- Integrated multilayered protection that optimizes performance and resource efficiency
- Integrates with existing Microsoft Infrastructure for operational efficiency
- Enables third party technology partners to interoperate for improved real time visibility

Comprehensive Protection Simplified Management Integrated Security

Stirling Server Roles
Stirling Core Role
- Stirling Core DB
- Hosts the Stirling Core service
- Policy and rules engine
Stirling CDA Role
- Collection, Distribution and Assessments
- Stirling CDA DB
- Installed on the System Center Operations Manager 2007/R2 server
Stirling Reporting Role
- Stirling Data Warehouse (DWH) DB
- Hosts Stirling reports

Protecting Stirling End Points
- Forefront Client Security v2
  - Antimalware
  - Windows Firewall (FW) management
  - Security State Assessments (SSA)
- Forefront Server Security for Exchange
- Forefront Server Security for SharePoint
- Forefront Threat Management Gateway
- Forefront Stirling Agent
  - Allows protection technologies to plug in “adapters” (APTA’s) to the Agent

Stirling End Point Agent
Diagram labels: Operations Manager Agent; Stirling Agent
APTAs: AM APTA; FW APTA; SSA APTA; FSE APTA; FSSP APTA; TMG APTA
Engines: AM Engine; Windows FW; SSA Engine; FSE Engine; TMG Engine

Comprehensive Protection Simplified Management Integrated Security

Unified Management Model
Single policy management model
- One policy management experience that covers multiple policy targets
- Single policy engine
- RSOP calculation engine
Single asset management experience
- Flexible grouping
- Targeting
Centralized discovery
- Users from AD
- Machines from System Center
Common wizards for complex tasks
Diagram labels: Group 1; Group 2; Group 3; RSOP; Policy

Get-FSysGroup [-Ref ] [-AssetTypeRef ] [-SessionRef ]
Set-FSysGroup -Ref [-Definition ] [-Description ] [-Name ] [-Notes ] [-SessionRef ] [-Tag ]
Remove-FSysGroup -Ref [-Force ] [-SessionRef ]
Stirling console 100% built on PowerShell
- Everything available in the UI is scriptable
- Delivers even greater manageability
- Enable automation of tasks
100+ Cmdlets in the system
- Create, modify, delete groups
- Trigger reports
Example: A PowerShell script can automatically create reports on a regular basis to meet compliance requirements

Stirling Server Roles
An asset is a computer with one of the Stirling protection technologies (FCS, FSE, FSSP and/or TMG)
Topologies shown: 1 Server Topology; 2 Server Topology; 6 Server Topology
Asset ranges shown: 250 – 2,500 Assets; Up to 25,000 Assets; Up to 50,000 Assets
Server roles: Stirling Console; Stirling Core; Stirling SQL DB; SCOM Root Management Server (RMS); SCOM SQL DB; SQL Reporting Server; SQL Reporting DB
Other diagram labels: SCOM RMS + SCOM SQL DB; 25,000 Assets
Software/Signature Deployment, e.g. WSUS or SCCM (typically already deployed before Stirling)

Stirling Architecture

Comprehensive Protection Simplified Management Integrated Security

Diagram labels: Forefront Security for SharePoint; Forefront Security for Exchange; Forefront Client Security; Forefront Threat Management Gateway (ISA); Management Console; Network Edge; Server Applications; Client & Server OS; Third-Party Solutions; Active Directory; NAP; SHARED INFORMATION; ACTION; SAS; Shared Assessments

Trusted Services
- Technologies (protection & other) part of the system
- Generate Security Assessments
  - Based on domain specific data
  - Based on assessments from others
- Take local actions
- Consume Assessments from others
- Provide visibility for monitoring & investigation
Diagram labels: SAS; Third Party Solutions; Secure Communication Channel
Security Assessment
- A conclusion about the observed security state on an IT asset
- Who: User, Computer (IT Asset)
- What: Compromised / Vulnerable
- What else: Confidence Level, Severity, Temporary
Layered Protection across the organization
- Protection technologies that work together
- Protection technologies that share security information
- Protection technologies that take action together

Silo Approach Slows Response
Example: Malicious Web Site
Diagram labels: WEB; Client Computer; User; Edge Protection; Edge Protection Log; DNS Reverse Lookup; Network Admin; Phone and; Desktop Admin; Client Security; Manual Action: Launch a scan; Manual Action: Disconnect the computer; Hours? Days? Weeks?
Solution silos slow response, increase exposure

The Answer: Security Assessment Sharing (SAS)
How "Stirling" delivers integrated and coordinated protection
Respond and mitigate in just minutes (2-3 min)
- TMG identifies malware on DEMO-CLT1 computer attempting to propagate (Port Scan)
- FCS identifies User has logged on to Laptop
- Automated Response: Scan; Quarantine; Block IM; Block
- No admin intervention required
Diagram labels: Malicious Web Site; WEB; Client Computer; End User; Admin; Client Security; Forefront TMG; Stirling Core; Security Assessments Sharing; Alert; NAP; Active Directory; Forefront Server for: Exchange, SharePoint, OCS

Security investigation
- Specific period of time
- On specific computers or users
- Allow investigator to drill in to appropriate level of detail
Diagram labels: SAS; Third Party Solutions; Risk Assessments; Additional information; Raw data; Distributed query

Monitoring and Reporting
Monitoring dashboard
- Rich graphical controls
- Alerts
- Security Status at a Glance
- Fully customizable
- Drill down model
Rich reporting infrastructure
- In the box reports
- SRS infrastructure for custom reporting
- DW model

One stop shop to know if “you are secure”
Measure Secure risk across all assets
- Risk = Security State X Asset Value
Across protection technologies
- Clients, Servers, Network
Granular visibility deep into each layer
- Drill down into every report and control
60+ customizable controls:
- Firewall: Port Exception
- Forefront for SharePoint: Malware Incidents
- Forefront for Exchange: Quarantine Items
- NAP: Computers with restricted network access
- Policy Deployment: User Status
- Authorized Software Management: Unknown Applications
- Security Updates: Approved and Missing
- Client Antimalware: Protection Coverage
- Security Assessment Check: Failed Remediation
- Client Antimalware: Affected Assets

Alerts: events requiring administrator’s attention
- Via , page, IM or alert view in the console
- Generated by Managed Assets (e.g., FSE engine failed to update)
- Generated by “Stirling” core System (e.g., System hasn’t been configured)
- Generated by SAS (e.g. Computer is compromised Granular visibility deep into each layer)
Resolutions:
- “Stirling” can automatically cancel alerts that have been
  - Automatically mitigated
  - Stopped occurring
- Administrator can manually execute tasks to remediate alerts
- Tasks can be triggered from alerts view or any other report/control
50+ tasks can be remotely triggered in the system
- Install Missing Security Updates
- Force Reboot
- NAP Evict a computer
- Trigger a quick scan
- FSE: Update Signatures
- FSSP: Add user to block list
- Block unknown application
- FSSP: Delete Quarantine File
- Get Public Folders
- Get Exchange Role
- Turn on UAC
- FSE Start Scan

Partnering with Stirling

Partner Interfaces
SDK
- .NET Framework classes
- Microsoft platforms only
- Manages state, communications
Protocol
- Web service protocol
- Allows cross-platform interoperability

Forefront "Stirling" Partners

Summary Stirling is an integrated enterprise security system that delivers comprehensive, coordinated protection with simplified management and critical visibility across clients, servers, and the network edge.

Resources
- International Content & Community
- Resources for IT Professionals
- Resources for Developers
- Microsoft Certification & Training Resources
Required Slide: Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings from Tech-Ed website. These will only be available after the event.
Tech·Ed Africa 2009 sessions will be made available for download the week after the event from:

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.