Published by Peter Underwood. Modified over 9 years ago.
1
Dominik Zemp TSP Security Microsoft Switzerland dominik.zemp@microsoft.com
2
Forefront Codename “Stirling”
- Overview
- Security Assessment Sharing
- Infrastructure and Architecture
- Deployment and Scalability
- Monitoring
- “Stirling” Protection Technologies: Forefront Client Security, Forefront Server Security
- Live Demo
- New Roadmap
3
Integrated Identity & Security offerings to help customers:
- Raise Productivity
- Improve Protection
- Lower Cost of Ownership
- Increase Visibility
4
Comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management.
(Diagram: a Management Console spanning Network Edge, Server Applications, and Client and Server OS.)
5
Technical Overview
6
Comprehensive Protection
- Multiple industry-leading detection technologies for advanced protection against viruses, spyware, spam, and web-based threats
- End-to-end coordinated protection across multiple products with correlated analytics and health assessment
- Support from industry-leading malware research and response
Simplified Management
- Single console for managing endpoint, collaboration, on-premise and cloud messaging server security, for policy configuration and faster responses
- Enterprise-wide visibility and reporting into threats and vulnerabilities to enable compliance
- Automated risk assessment with a prioritized view of threats for easy investigation and auditing
Integrated Security
- Integrated multilayered protection that optimizes performance and resource efficiency
- Integrates with existing Microsoft infrastructure for integrated security and operational efficiency
- Enables third-party technology partners to interoperate for improved real-time visibility of enterprise security risk assessment
An integrated security suite that delivers comprehensive protection across endpoint, application servers and the edge that is easier to manage and control
7
An integrated security suite that delivers comprehensive protection across endpoint, application servers and the edge that is easier to manage and control.
(Diagram: the “Stirling” Central Management Server, providing Unified Management, In-Depth Investigation and Enterprise-wide Visibility, connected through Shared Assessment Sharing (SAS) to the vNext protection technologies for Network Edge, Server Applications, and Client and Server OS, to 3rd Party Partner Solutions and Other Microsoft Solutions, and to Active Directory and NAP.)
8
Demo scenario without “Stirling” (diagram): DEMO-CLT1 (user Andy) and a Malicious Web Site on the WEB; Edge Protection and Client Security each keep their own records (Edge Protection Log, Client Event Log, DNS Reverse Lookup); the Network Admin and the Desktop Admin coordinate by phone and respond manually (Manual: Launch a scan; Manual: Disconnect the Computer). Time to respond: Hours? Days?
9
Security Assessments Sharing (demo scenario diagram)
- Forefront TMG identifies malware on the DEMO-CLT1 computer attempting to propagate (Port Scan).
- Assessment: Compromised Computer DEMO-CLT1 – High Confidence, High Severity, Expire: Wed
- FCS (Client Security) identifies that Andy has logged on to DEMO-CLT1.
- Assessment: Compromised User: Andy – Low Confidence, High Severity, Expire: Wed
- Participants: Security Admin, Network Admin, Desktop Admin, Andy, Malicious Web Site (WEB), Forefront TMG, Client Security, Stirling Core, NAP, Active Directory, Forefront Server for Exchange, SharePoint, OCS
- Responses: Alert, Scan Computer, Block Email, Block IM, Reset Account, Quarantine
- Time to respond: Minutes
10
Security Assessment: a conclusion about the observed security state on an IT asset
- Who: User, Computer (IT Asset)
- What: Compromised / Vulnerable
- What else: Confidence Level, Severity, Temporary
Trusted Services: technologies (protection & other) that are part of the system
- Generate Security Assessments, based on domain-specific data and based on assessments from others
- Take local actions
- Consume assessments from others
- Provide visibility for monitoring & investigation
SAS: layered protection across the organization
- Protection technologies that work together
- Protection technologies that share security information
- Protection technologies that take action together
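The assessment model above, and the derivation shown in the demo (a compromised-computer assessment plus an FCS logon observation yields a low-confidence compromised-user assessment), as an added example in Python; this is not “Stirling” code, and the correlation rule, the action mapping and the field values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Assessment:
    """A Security Assessment as the slide defines it: who, what, confidence, severity, temporary."""
    asset_kind: str      # "User" or "Computer"
    asset: str
    state: str           # "Compromised" or "Vulnerable"
    confidence: str      # "Low" / "Medium" / "High" (assumed scale)
    severity: str
    expires: datetime    # temporary by design: stale conclusions age out on their own
    source: str          # which trusted service produced it

    def active(self, now: datetime) -> bool:
        return now < self.expires


def derive_user_assessments(assessments, logons, now):
    """Correlation rule (assumption, mirrors the demo): a user logged on to a computer
    currently assessed Compromised is assessed Compromised too, at Low confidence,
    with the same severity and expiry. `logons` is an iterable of (user, computer)
    pairs as a Client Security agent would report them."""
    derived = []
    for a in assessments:
        if a.asset_kind != "Computer" or a.state != "Compromised" or not a.active(now):
            continue
        for user, computer in logons:
            if computer == a.asset:
                derived.append(Assessment("User", user, "Compromised", "Low",
                                          a.severity, a.expires, f"derived:{a.source}"))
    return derived


def consumer_actions(a: Assessment) -> list:
    """Local actions a consuming service might take (assumed mapping; the action
    names are the ones shown on the demo slide). Always alert; only act on
    assessments that are still active."""
    actions = ["Alert"]
    if a.state == "Compromised" and a.asset_kind == "Computer":
        actions += ["Scan Computer", "Quarantine"]
    elif a.state == "Compromised" and a.asset_kind == "User":
        actions += ["Block Email", "Block IM", "Reset Account"]
    return actions
```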
11
Required Infrastructure (diagram)
- Core infrastructure: Policy, Groups, Events, Reports
- Integration infrastructure: Network Access Protection (NAP); Forefront Client Security, Forefront Security for Exchange, Forefront Security for SharePoint, Forefront Threat Management Gateway
- Signatures and updates: Microsoft Update
12
Policy flow (diagram; numbered steps, labels not recoverable): Managed Asset, Agent, Protection Technology, Policy, Stirling Core Service.
13
Telemetry flow (diagram; numbered steps only, labels not recoverable).
14
Stirling Server Roles: Stirling Console, Stirling Core, Stirling SQL DB, SCOM Root Management Server (RMS), SCOM SQL DB, SQL Reporting Server, SQL Reporting DB. Software/signature deployment, e.g. WSUS or SCCM (typically already deployed before Stirling).
Deployment sizes (diagram; the per-role server counts are not recoverable from the extraction):
- 250 – 2,500 assets: Stirling Console, Stirling Core, SCOM (RMS), SQL Reporting Server, Stirling SQL DB, SCOM SQL DB, SQL Reporting DB, WSUS
- Up to 25,000 assets: the same roles, spread over more servers
- Scaling up: additional servers are added per 25,000 assets and per 20,000 assets (which role each figure applies to is not recoverable)
An asset is a computer with one of the Stirling protection technologies (FCS, FSE, FSSP and/or TMG).
15
Client: Antivirus / Antispyware, Dynamic Signature Service, Device Control, NAP Integration, Vulnerability Assessment & Remediation
Exchange Protection: New Antimalware Capabilities, Advanced Antispam
SharePoint Protection: New Antimalware Capabilities, Content Filtering
Edge: Firewall, Web (URL) Filtering, HTTP/FTP AV, Network Intrusion Prevention, Remote Access, NAP Integration
Forefront “Stirling” Management Server & Console: Security Assessment Sharing, Correlated Assessments, Investigation, Information Sharing, Forefront Online Security for Exchange Mgmt, Host Firewall Mgmt
16
Next Version Codename „Stirling“
17
Integrated anti-virus/anti-spyware agent delivering real-time protection
- Uses Windows Filter Manager
- Maintains stable operation
- Scans for viruses and spyware in real time
Dynamic Translation (unique to the Microsoft agent)
- Maximizes scanning speed: decryption and code emulation of malware at the speed of native code execution
Other protection features
- Tunneling signatures for detecting and removing rootkits
- Advanced system cleaning: customized remediation (recreating registry entries, restoring settings)
- Event Flood Protection: shields the reporting infrastructure from infected clients during an outbreak
- Heuristics for classifying programs based on behavior
18
Dynamic Signature Service
- Client and back-end infrastructure
- Used when FCS detects an “interesting” and unknown program
- Enables the customer to receive real-time signatures via SpyNet
- This narrows the FCS protection gap for suspicious new binaries (unknown threats), without having to wait for regularly scheduled signature updates
19
Vulnerability Assessment & Remediation (NEW)
Check
- Detect common vulnerabilities and missing security updates
- Discover misconfiguration exposures
- Configure security check parameters
- New checks: IE Security Setting, DEP, IIS Setting, and more…
Assess
- Compare system configuration against security best practices
- Assign a score based on the associated risk
- Surface issues found across the enterprise in real time
Remediate
- Automatically remediate based on policy
- Integrate with NAP for compliance enforcement
- Remotely remediate from the management console
20
Firewall Management: centralized management of the Windows Firewall
- Windows XP/2003, Windows Vista/2008 and Windows 7 support
- Inbound and outbound filtering
- Configure firewall exceptions for ports, applications, services
- Configure network location profiles for roaming users
Centralized Visibility: firewall state in the enterprise
- Sensors for security incident detection
- Activity monitoring
- Statistics
21
Next Version Codename „Stirling“
22
DNSBL in Forefront Security for Exchange (diagram: FSE-protected Exchange server, DNSBL service provider, connecting client on the INTERNET)
1. The DNSBL agent is triggered by a connection request from the Internet.
2. The FSE DNSBL agent constructs a DNS query with an attached hashed token and sends the query to the DNSBL service provider.
3. The DNSBL service provider validates the hash and responds to the query.
4. The DNSBL provider sends the response in clear: if a match is found, it returns a 127.0.0.x code; if no match is found, NXDOMAIN is returned.
5. If the hash fails or the request comes in clear, NXDOMAIN is returned.
6. DNSBL is totally transparent to administration – there is nothing to configure!
DNS query format example:
- Connecting IP address: 131.107.88.67
- Hashed query: 123ASD098LKJ0192-131.107.88.67.blocklist.messaging.microsoft.com
  - 123ASD098LKJ0192 – hashed token
  - 131.107.88.67 – original IP address
  - blocklist.messaging.microsoft.com – DNSBL service provider
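The exchange above with both sides modelled, as an added example that is not FSE or provider code: the agent builds the `<token>-<ip>.<zone>` query name, and the provider validates the token before answering 127.0.0.x or NXDOMAIN. The slide does not say how the token is derived; an HMAC-SHA256 over the IP under a shared secret, truncated to 16 hex characters, stands in for it here (assumption), as does the shared secret itself.

```python
import hashlib
import hmac
import ipaddress

PROVIDER_ZONE = "blocklist.messaging.microsoft.com"   # from the slide
SHARED_SECRET = b"constructed-demo-secret"           # assumption: secret shared with the provider


def make_token(ip: str, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the hashed token (assumption; the real derivation is not on the slide)."""
    return hmac.new(secret, ip.encode(), hashlib.sha256).hexdigest()[:16].upper()


def build_query(ip: str, secret: bytes = SHARED_SECRET) -> str:
    """Agent side (step 2): '<token>-<ip>.<zone>'. Rejects malformed IPs before they reach DNS."""
    ipaddress.IPv4Address(ip)
    return f"{make_token(ip, secret)}-{ip}.{PROVIDER_ZONE}"


def provider_answer(qname: str, blocklist: set, secret: bytes = SHARED_SECRET) -> str:
    """Provider side (steps 3-5): check the zone, validate the token, then look up the IP.
    A query with a wrong or missing token ('in clear') gets NXDOMAIN regardless of the IP."""
    suffix = "." + PROVIDER_ZONE
    if not qname.endswith(suffix):
        return "NXDOMAIN"
    token, sep, ip = qname[: -len(suffix)].partition("-")
    if not sep:
        return "NXDOMAIN"                                   # request came in clear
    if not hmac.compare_digest(token.encode(), make_token(ip, secret).encode()):
        return "NXDOMAIN"                                   # hash failed
    return "127.0.0.2" if ip in blocklist else "NXDOMAIN"   # 127.0.0.x = listed


def agent_verdict(answer: str) -> str:
    """Agent side (step 4): interpret the clear-text answer."""
    return "listed" if answer.startswith("127.0.0.") else "not-listed"
```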
23
Fingerprinting (diagram: FSE-protected Exchange recipient, Fingerprint Cache, outcomes Spam / Legit. / Reject)
- Fingerprinting algorithms are applied to every incoming message
- Relevant parts of the message are fingerprinted
- The message is reduced to anonymous fingerprints
- Fingerprints do not indicate whether a message is legitimate or spam
- Fingerprints are compared to a local cache of known bad fingerprints
- Cache data is updated every 45 seconds
- Match: the message is identified as abuse
- No match: heuristics are applied
- No match and no heuristics: the message is identified as legitimate
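The pipeline above as an added example in Python (not FSE code): fingerprints are derived from the message, checked against a known-bad cache that refreshes itself every 45 seconds, and heuristics run only when nothing matched. Which parts are fingerprinted and which heuristics apply are assumptions; the slide does not give FSE's algorithms.

```python
import hashlib
import re
import time

CACHE_TTL = 45  # seconds; refresh interval stated on the slide


def fingerprints(message: str) -> set:
    """Reduce a message to anonymous fingerprints: SHA-256 over each normalized
    sentence and over each URL host (assumption: these are the 'relevant parts')."""
    fps = set()
    text = re.sub(r"\s+", " ", message.lower())
    for part in re.split(r"[.!?]", text):
        part = part.strip()
        if len(part) >= 12:  # skip fragments too short to be distinctive
            fps.add(hashlib.sha256(part.encode()).hexdigest())
    for host in re.findall(r"https?://([^/\s]+)", text):
        fps.add(hashlib.sha256(b"host:" + host.encode()).hexdigest())
    return fps


class FingerprintCache:
    """Local cache of known-bad fingerprints, re-fetched from the provider every CACHE_TTL seconds."""

    def __init__(self, fetch, ttl=CACHE_TTL, clock=time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._bad, self._loaded = set(), None

    def bad(self) -> set:
        now = self._clock()
        if self._loaded is None or now - self._loaded >= self._ttl:
            self._bad, self._loaded = set(self._fetch()), now
        return self._bad


def heuristic_hits(message: str) -> list:
    """Constructed, deliberately simple heuristics (assumption; FSE's are not on the slide)."""
    hits = []
    if re.search(r"\b(urgent|act now)\b", message, re.I):
        hits.append("urgency-words")
    if len(re.findall(r"https?://", message)) >= 3:
        hits.append("many-links")
    return hits


def classify(message: str, cache: FingerprintCache) -> str:
    """Order from the slide: fingerprint match -> abuse; else heuristics; else legitimate."""
    if fingerprints(message) & cache.bad():
        return "abuse"
    if heuristic_hits(message):
        return "spam"
    return "legitimate"
```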
24
Monitoring
25
One-stop shop to know if “you are secure”
- Measure security risk across all assets: Risk = Security State × Asset Value
- Across protection technologies: clients, servers, network
- Granular visibility deep into each layer: drill down into every report and control
- 60+ customizable controls
Example dashboard controls:
- Firewall: Port Exception
- Forefront for SharePoint: Malware Incidents
- Forefront for Exchange: Quarantine Items
- NAP: Computers with restricted network access
- Policy Deployment: User Status
- Authorized Software Management: Unknown Applications
- Security Updates: Approved and Missing
- Client Antimalware: Protection Coverage
- Security Assessment Check: Failed Remediation
- Client Antimalware: Affected Assets
26
Dominik Zemp TSP Security Microsoft Switzerland
27
Roadmap (timeline figure): rows for Client and Server OS, Server Applications, Network Edge, and the Integrated Security System; milestones H1 2008, H1 2009, Q4 2009 and H1 2010, marked NEW, NEXT, BETA 1 and BETA 2 (the assignment of markers to rows is not recoverable from the extraction).
28
- Forefront Team Blog: http://blogs.technet.com/forefront
- Microsoft Forefront Server Security Blog: http://blogs.technet.com/fss
- Forefront Server Security Support Blog: http://blogs.technet.com/fssnerds/
- Forefront Client Security Team Blog: http://blogs.technet.com/clientsecurity
- Forefront Client Security Support Blog: http://blogs.technet.com/fcsnerds
- Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc
- The Microsoft Security Response Center (MSRC): http://blogs.technet.com/msrc/
- Security Research & Defense: http://blogs.technet.com/srd/
30
Presentations
- TechDays: www.techdays.ch
- MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx
- MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx
MSDN Events
- MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx
- Save the date: TechEd 2009 Europe, 9-13 November 2009, Berlin
MSDN Flash (our bi-weekly newsletter)
- Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx
MSDN Team Blog
- RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx
Developer User Groups & Communities
- Mobile Devices: http://www.pocketpc.ch/
- Microsoft Solutions User Group Switzerland: www.msugs.ch
- .NET Managed User Group of Switzerland: www.dotmugs.ch
- FoxPro User Group Switzerland: www.fugs.ch
31
Presentations
- TechDays: www.techdays.ch
TechNet Events
- TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx
- Save the date: TechEd 2009 Europe, 9-13 November 2009, Berlin
TechNet Flash (our bi-weekly newsletter)
- Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx
Schweizer IT Professional und TechNet Blog
- RSS: http://blogs.technet.com/chitpro-de/
IT Professional User Groups & Communities
- SwissITPro User Group: www.swissitpro.ch
- NT Anwendergruppe Schweiz: www.nt-ag.ch
- PASS (Professional Association for SQL Server): www.sqlpass.ch
32
7. – 8. April 2010 Congress Center Basel
33