Transcript
Page 1: Introducing Microsoft Forefront Client Security

Introducing Microsoft Forefront Client Security

Steve Lamb
Technical Security Advisor, Microsoft Ltd
[email protected]
http://blogs.technet.com/steve_lamb

Page 2: Introducing Microsoft Forefront Client Security

Introduction
Infrastructure Overview
Defining Security Steady State
Keeping Systems Up to Date
Reporting and Alerting
Summary

Page 3: Introducing Microsoft Forefront Client Security

Threats are more dangerous than ever:
• More advanced
• Profit motivated
• More frequent
• Application-oriented

Fragmentation of security technology:
• Too many point products
• Poor interoperability among security products
• Lack of integration with IT infrastructure

Difficult to use, deploy and manage:
• Multiple consoles
• Uncoordinated event reporting & analysis
• Cost and complexity

Security Solution Requirements

"All security frameworks should include a comprehensive, layered approach..."
Understanding the Nine Protection Styles of Host-Based Intrusion Prevention, Gartner, May 2005

"Integration and simplified manageability are important drivers when purchasing security"
The State of Security in SMB & Enterprises, Forrester Research, Inc., Sept. 21, 2005

Page 4: Introducing Microsoft Forefront Client Security

Microsoft Forefront’s comprehensive line of business security products helps you gain greater protection through deep integration and simplified management

Page 5: Introducing Microsoft Forefront Client Security

Capabilities charted on the slide, from least to most complete:
• Remove most prevalent viruses
• Remove all known viruses; real-time antivirus
• Remove all known spyware; real-time antispyware
• Central reporting and alerting
• Customization
• IT infrastructure integration

Products placed along that chart:
FOR INDIVIDUAL USERS: MSRT, Windows Defender, Windows Live Safety Center, Windows Live OneCare
FOR BUSINESSES: Microsoft Forefront Client Security

Page 6: Introducing Microsoft Forefront Client Security

Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control

Unified protection:
• One solution for spyware and virus protection
• Built on protection technology used by millions worldwide
• Effective threat response
• Complements other Microsoft security products

Simplified administration:
• One console for simplified security administration
• Define one policy to manage client protection agent settings
• Deploy signatures and software faster
• Integrates with your existing infrastructure

Critical visibility & control:
• One dashboard for visibility into threats and vulnerabilities
• View insightful reports
• Stay informed with state assessment scans and security alerts

Page 7: Introducing Microsoft Forefront Client Security
Page 8: Introducing Microsoft Forefront Client Security

One engine for virus and spyware protection
• Also used in Windows Defender, OneCare, Antigen, MSRT, etc.
• Comprehensive system cleaning for viruses and spyware, with checks to ensure the system is fully functional after cleaning
• Real-time, scheduled or on-demand detection & removal

Tenets of a unified design
• Security, accuracy & performance: core engine metrics
• Scale: usage drives sample submissions and signature creation
• Multi-user or limited-user support
• Consistent UX for detection & protection from malware

Page 9: Introducing Microsoft Forefront Client Security

Detection and removal capabilities include:
• Scanning dozens of archives and packers
• Using tunneling signatures that bypass user-mode rootkits
• Code emulation for behavior analysis and polymorphic viruses
• Heuristic or generic detections for new malware and variants

Directed quick-scan
• Identifies latent registry keys and files that reference the scan target files
• Quarantines/removes ClassIDs, RunKeys and the infected files as one unit

Cleaning scripts
• Custom script language for cleaning difficult threats

Flexible engine design enables
• Frequent updates for new format support and detection features
• Engine to be delivered as part of the signature package
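The directed quick-scan bullet above describes a cleaning technique worth seeing end to end: starting from a file the scanner has flagged, find the registry persistence that still points at it (Run/RunOnce values and CLSID InprocServer32 registrations) and treat file plus keys as one removal unit, so that a reboot cannot re-launch or re-register the remnant. The following is an added example, not code from the slide deck or from the product: it parses a constructed Registration Editor (.reg) export rather than the live registry, and the key patterns, the sample paths and the sample CLSIDs are assumptions made for the illustration.

```python
"""Directed quick-scan helper: find the registry persistence that references a
flagged file and bundle it with the file into one removal unit.

Added example; not code from the slide deck or from the product. The slide only
states that the directed quick-scan finds latent registry keys (ClassIDs, Run
keys) referencing the scanned files and quarantines them as one unit. The .reg
text input, the key patterns and the output structure are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Persistence locations this example understands (assumption: the product's real
# list is longer). Keys are matched by their tail so HKLM and HKCU both qualify.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.IGNORECASE)
# "name"="data" or @="data" (default value); hex(...) values are out of scope.
VALUE_RE = re.compile(r'^(@|"(?P<name>[^"]*)")=\s*"(?P<data>.*)"$')


@dataclass
class RemovalUnit:
    """Everything that has to go together: the file, the autostart values that
    launch it and the CLSIDs whose in-process server is that file."""
    target: str
    run_values: List[str] = field(default_factory=list)   # "HIVE\...\Run\ValueName"
    clsids: List[str] = field(default_factory=list)       # "{GUID}" registered to target
    files: List[str] = field(default_factory=list)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the Windows Registration Editor export format:
    [Key] headers followed by "name"="data" lines. Doubled backslashes in the
    export are collapsed back to single ones."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            name = m.group("name") if m.group("name") is not None else "@"
            keys[current][name] = m.group("data").replace("\\\\", "\\")
    return keys


def references(data: str, target: str) -> bool:
    """True when the value data names the target file, regardless of case,
    surrounding quotes or extra arguments (e.g. a rundll32 command line)."""
    return target.lower() in data.lower()


def directed_quick_scan(reg: Dict[str, Dict[str, str]], target: str) -> RemovalUnit:
    """Walk the exported keys and collect every Run/RunOnce value and every
    CLSID InprocServer32 default value that points at the target file."""
    unit = RemovalUnit(target=target, files=[target])
    for key, values in reg.items():
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                if references(data, target):
                    unit.run_values.append(f"{key}\\{name}")
        elif (m := CLSID_RE.search(key)) and references(values.get("@", ""), target):
            unit.clsids.append(m.group(1))
    return unit


# Constructed sample export: one benign Run value, two autostart entries and one
# COM registration for the flagged DLL, and one unrelated COM registration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SysHelper"="\"C:\\WINDOWS\\system32\\syshlpr.dll\" /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Loader"="rundll32.exe C:\\WINDOWS\\system32\\syshlpr.dll,Start"

[HKEY_CLASSES_ROOT\CLSID\{0AAD3A5B-3BC1-4B8E-9C74-3D5F1C8E2A11}\InprocServer32]
@="C:\\WINDOWS\\system32\\syshlpr.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{D5E1F9C2-1B7A-4E7C-8A02-6B0C3F4D5E66}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
'''

if __name__ == "__main__":
    unit = directed_quick_scan(parse_reg(SAMPLE_REG), r"C:\WINDOWS\system32\syshlpr.dll")
    print(unit)
```

The point of returning a single RemovalUnit rather than acting on each hit as it is found is the one the slide makes: removing the file but leaving a Run value behind produces a boot-time error and a half-cleaned host, while removing the Run value but leaving the CLSID lets any COM client re-load the DLL, so quarantine and rollback both have to operate on the whole set.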

Page 10: Introducing Microsoft Forefront Client Security

Define security steady state: specify the ongoing security behavior of my clients
Keep systems up-to-date: ensure that clients have the latest signatures
View reports: determine the security state, now and over time
Respond to alerts: what critical security events require my attention?

Page 11: Introducing Microsoft Forefront Client Security

Console deploys policy through use of Active Directory Group Policy Objects

Granularity at OU level, with exceptions using security groups

If:
  Policy A: Redmond OU
  Policy B: Marketing Security Group
Then:
  Marketing in the Redmond OU will get Policy B

Console creates GPO, sends to Sysvol, GP deploys profile
Policy applied on host per AD default

[Diagram: console reads and saves the GPO]
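The if/then above is ordinary Group Policy precedence: the OU-level policy and the security-group exception are both GPOs, and the exception wins because it is applied last and its security filtering restricts it to members of the group. The resolver below is an added example, not code from the slide deck or from the product; it models only those mechanics (LSDOU order, reverse link order within a container, security filtering) and assumes the console links the exception GPO at link order 1 above the base GPO at the same OU. The OU and group names come from the slide; the domain, the GPO names and the computer accounts are constructed.

```python
"""Group Policy precedence resolver for Forefront Client Security policies.

Added example; not code from the slide deck or from the product. It models the
Group Policy mechanics the slide relies on: the console creates one GPO per
policy, links it at an OU, and carries security-group exceptions as a
higher-precedence GPO whose security filtering names the group. The OU and
group names come from the slide; the domain, GPO names, link orders and data
structures are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Gpo:
    name: str
    policy: str                     # Client Security policy the GPO carries
    security_filter: Optional[str]  # group that must contain the computer; None = Authenticated Users


@dataclass(frozen=True)
class Computer:
    name: str
    ou_path: Tuple[str, ...]         # domain root first, the computer's own OU last
    groups: frozenset = frozenset()  # security groups the computer account belongs to


# Assumed link layout: both GPOs linked at the Redmond OU, the exception GPO at
# link order 1 (highest precedence) with security filtering, the base GPO at
# link order 2 for all authenticated computers. Lists are in link order.
LINKS: Dict[str, List[Gpo]] = {
    "DC=contoso,DC=com": [],
    "OU=Redmond": [
        Gpo("FCS Policy B - Marketing exception", "Policy B", "Marketing Security Group"),
        Gpo("FCS Policy A - Redmond", "Policy A", None),
    ],
    "OU=Dublin": [],
}


def resolve_policy(computer: Computer, links: Dict[str, List[Gpo]] = LINKS) -> Optional[str]:
    """Return the Client Security policy that wins on this computer.

    Group Policy applies the domain, then each OU from the root down; within a
    container it applies GPOs in reverse link order, so link order 1 is applied
    last and overwrites the others (last writer wins). Security filtering skips
    GPOs whose filter group does not contain the computer.
    Simplification (assumption): Enforced links, Block Inheritance, WMI filters
    and site-linked GPOs are not modelled.
    """
    winner = None
    for container in computer.ou_path:
        for gpo in reversed(links.get(container, [])):
            if gpo.security_filter is None or gpo.security_filter in computer.groups:
                winner = gpo.policy
    return winner


def resolve_all(computers: Iterable[Computer], links: Dict[str, List[Gpo]] = LINKS) -> Dict[str, Optional[str]]:
    """Map computer name -> winning policy: the view a profile compliance
    report needs in order to flag hosts that received no policy at all."""
    return {c.name: resolve_policy(c, links) for c in computers}


if __name__ == "__main__":
    redmond = ("DC=contoso,DC=com", "OU=Redmond")
    fleet = [  # constructed computer accounts
        Computer("RED-MKT-01", redmond, frozenset({"Marketing Security Group"})),
        Computer("RED-ENG-01", redmond, frozenset({"Engineering"})),
        Computer("DUB-MKT-01", ("DC=contoso,DC=com", "OU=Dublin"), frozenset({"Marketing Security Group"})),
    ]
    for name, policy in resolve_all(fleet).items():
        print(f"{name}: {policy}")
```

Two consequences fall out of the model that the slide's single if/then does not show. A Marketing member whose computer sits in an OU where the console never linked the exception GPO gets no Policy B, because security filtering only narrows a link, it never extends one; and any host that resolves to None is a gap that the compliance report should surface rather than a host that is quietly running defaults.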

Page 12: Introducing Microsoft Forefront Client Security

*Agents deployed via existing software distribution system

Policy deployment options compared:

                                   Client Security Console | GPMC                 | Existing SW Dist System*
Infrastructure used                AD/GP                   | AD/GP                | SW dist system
Targeting granularity              OU-level                | Single machine       | Single machine
Create and edit profile            In Console              | GPMC, using ADM file | Exported files
Profile exceptions                 Security Groups         | Unlimited            | Unlimited
Enables profile compliance report  Yes                     | No                   | No

Page 13: Introducing Microsoft Forefront Client Security

Tightly integrated with the industry-leading MSRC response process
Dedicated team, analysis automation and testing
Multiple data sources enabling advanced telemetry on threats

Security Research Organization
• Identify malware and create signature definitions
• Develop Windows Defender (25+ million users) & MSRT
• Achieved VB 100% award, West Coast Labs & ICSA Certification with the protection engine implementation in Windows Live OneCare
• MSRT whitepaper: in-depth perspective of the malware landscape

Page 14: Introducing Microsoft Forefront Client Security

Signature deployment optimized for Windows Server Update Services (WSUS)
• Can use any software distribution system
• Auto and manual approval of definitions

Client Security installs an Update Assistant service to:
• Increase sync frequency between WSUS and Microsoft Update (MU) for definitions
• Notify console when new signatures require approval

Support for roaming users
• Failover from WSUS to Microsoft Update

[Diagram: Malware Research publishes to MU; WSUS + Update Assistant syncs from MU; desktops, laptops and servers sync from WSUS]

Page 15: Introducing Microsoft Forefront Client Security

One dashboard for visibility into threats and vulnerabilities

Insightful reports
• Real-time and emerging trends
• Focus on critical information
• Executive reports
• Drill down for detail
• Linked within the console

Page 16: Introducing Microsoft Forefront Client Security

Built on MOM 2005 technology
Uses SQL Reporting Services
Enables focus on threats and possible vulnerabilities

State assessment scans determine which machines:
• Need to be patched
• Are configured insecurely

Report categories include:
• Malware Threat(s)
• Vulnerability Summary
• Scan Results
• Historical Information
• Summary Report
• Deployment
• Alerts
• Computers

Page 17: Introducing Microsoft Forefront Client Security

Security Summary dashboard, with panels for Alert Summary, Computer Summary, Threat Summary, Vulnerability Summary and Deployment Summary

Page 18: Introducing Microsoft Forefront Client Security
Page 19: Introducing Microsoft Forefront Client Security
Page 20: Introducing Microsoft Forefront Client Security

Alert configuration is policy-specific

Alerts notify the admin of high-value incidents, including:
• Malware detected
• Malware failed to remove
• Malware outbreak
• Malware protection disabled

Alert levels control the type & volume of alerts generated. The slide's scale runs from level 1 (critical issues only, low-value assets) to level 5 (rich data, high-value assets); moving up the scale adds alert types in this order:
• Outbreak
• Malware removal failed
• Signature update failed
• Malware detected and removed
• Signature update failed (per min)
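The level scale is easiest to reason about as a filter over a stream of client events, with outbreak as the one alert that is derived on the server rather than reported by a single agent. The code below is an added example, not code from the slide deck or from the product. The alert names come from the slide; the event format, the assignment of each alert type to a minimum level (level 1 = critical only, level 5 = rich data, as on the slide), and the outbreak rule (the same threat on N distinct hosts inside a time window) are assumptions, as is the sample event stream.

```python
"""Alert-level evaluation and outbreak detection for client-security events.

Added example; not code from the slide deck or from the product. The alert
names come from the slide; the event format, the per-level thresholds and the
outbreak rule (same threat on N distinct hosts inside a time window) are
assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Event kinds a client agent would report (constructed for this example), mapped
# to the alert type each one produces. An outbreak is not a client event; it is
# derived on the server from many detections of the same threat.
EVENT_TO_ALERT: Dict[str, str] = {
    "detected_and_removed": "Malware detected and removed",
    "removal_failed": "Malware removal failed",
    "signature_update_failed": "Signature update failed",
    "protection_disabled": "Malware protection disabled",
}

# Lowest alert level at which each alert type is raised. Level 1 = critical
# issues only (low-value assets), level 5 = rich data (high-value assets). The
# relative order follows the slide's scale; the numeric thresholds are an
# assumption.
MIN_LEVEL: Dict[str, int] = {
    "Malware outbreak": 1,
    "Malware protection disabled": 1,
    "Malware removal failed": 2,
    "Signature update failed": 3,
    "Malware detected and removed": 4,
}

DETECTION_KINDS = ("detected_and_removed", "removal_failed")


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch
    host: str
    kind: str        # a key of EVENT_TO_ALERT
    threat: str = ""


def detect_outbreaks(events: Iterable[Event], min_hosts: int = 5,
                     window: int = 3600) -> List[Tuple[str, str]]:
    """Raise one outbreak alert per threat the first time `min_hosts` distinct
    hosts report it within `window` seconds (sliding window in time order)."""
    recent: Dict[str, Deque[Tuple[int, str]]] = {}
    fired: Set[str] = set()
    alerts: List[Tuple[str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind not in DETECTION_KINDS or ev.threat in fired:
            continue
        q = recent.setdefault(ev.threat, deque())
        q.append((ev.ts, ev.host))
        while q and ev.ts - q[0][0] > window:   # drop detections older than the window
            q.popleft()
        hosts = {host for _, host in q}
        if len(hosts) >= min_hosts:
            fired.add(ev.threat)
            alerts.append(("Malware outbreak",
                           f"{ev.threat} on {len(hosts)} hosts within {window}s"))
    return alerts


def evaluate(events: Iterable[Event], level: int, min_hosts: int = 5,
             window: int = 3600) -> List[Tuple[str, str]]:
    """Return the (alert type, detail) pairs a console configured at `level`
    would raise for this event stream; lower levels suppress the noisier types."""
    if not 1 <= level <= 5:
        raise ValueError("alert level must be between 1 and 5")
    events = list(events)
    raised: List[Tuple[str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = EVENT_TO_ALERT[ev.kind]
        if level >= MIN_LEVEL[alert]:
            raised.append((alert, f"{ev.host}: {ev.threat or ev.kind}"))
    for alert, detail in detect_outbreaks(events, min_hosts, window):
        if level >= MIN_LEVEL[alert]:
            raised.append((alert, detail))
    return raised


# Constructed sample stream: six hosts clean the same threat inside ten minutes,
# one host cannot reach its signature source, one host fails to remove a threat.
SAMPLE_EVENTS = [
    Event(1_170_000_000 + 120 * i, f"pc{i + 1:02d}", "detected_and_removed", "Win32/Example.A")
    for i in range(6)
] + [
    Event(1_170_000_700, "pc07", "signature_update_failed"),
    Event(1_170_000_800, "pc08", "removal_failed", "Win32/Sample.B"),
]

if __name__ == "__main__":
    for level in (1, 3, 5):
        print(f"level {level}: {len(evaluate(SAMPLE_EVENTS, level))} alerts")
```

Run against the sample stream, level 1 yields a single outbreak alert, level 3 adds the removal failure and the signature update failure, and level 5 additionally emits one alert per cleaned detection. The outbreak rule fires once per threat on the first crossing of the threshold and is counted on distinct hosts, so one noisy machine re-detecting the same file cannot manufacture an outbreak on its own.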

Page 21: Introducing Microsoft Forefront Client Security

Currently in private beta with select customers
Public beta planned for Q4 CY2006
Release to manufacturing planned for 1H CY2007

Page 22: Introducing Microsoft Forefront Client Security

Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control

Unified Protection
Simplified Administration
Critical Visibility & Control

An integral part of Microsoft Forefront

Page 23: Introducing Microsoft Forefront Client Security

For more information

Visit http://www.microsoft.com/clientsecurity to learn about Forefront Client Security and register for beta information

Visit http://www.microsoft.com/forefront to learn more about other Microsoft Forefront offerings