Outsourcing SEPM Tony Asher
SEPM Outsourcing
Jun 08, 2015
Here is a presentation I recently have to the a Midwest security user group on how to manage multiple environments, or clients, with Symantec Endpoint Protection.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Outsourcing SEPM
Tony Asher
Agenda• Goal: Successfully manage endpoint security for
outsourced clients, while minimizing time and resources.
• Requirements / Challenges
• Solutions– 3 Unique ‘features’ we leveraged.
• Issues
Requirements1. Single point of:
• Management• Visibility• Alerts• Reporting• Reporting
2 Neutral from client environments2. Neutral from client environments
3 A t ti ti k t ti3. Automatic ticket generation
Challenges – 1) Independent secure network, allow client communication
Challenges – 1) Independent secure network, allow client communication
Challenges – 2) Updates to enclave without Internet connection
Challenges – 2) Updates to enclave without Internet connection
Challenges – 3) Clients ability 'go-away'
Challenges – 4) Ticket generation
Steps Towards Solutions
Solutions – 1) Replication• Choices: Site Replication vs. GUPs
– GUPs: Can’t manage independent client admins, won’t centrally collect logs, open ports.Domains vs Groups– Domains vs. Groups
Replication Process
Replication Process (cont.)
Replication Process (cont.)
Steps:Steps:1. Verify ‘Additional Site’ in SEPM
2. Edit Properties of Replication
3. Replicate Now
4. Check Log
5. Setup ‘Limited Admin’p
Edit Replication Properties
Issues:1 SEPM S V i1. SEPM = Same Version
2. Shut down replication during upgradepg
3. Remember to turn back on
4 Easily ‘Deleted’4. Easily Deleted
Solutions – 2) Live Update ServerC• Challenge:– Couldn't communicate with Internet.
• Solution: Live Update Server on Tier 3 with– Live Update Server on Tier 3 with Internet connectivity
– Pushes out to 'Distribution share' on a server within the Secureon a server within the Secure Enclave (use for 4th box!).
LUA = Def Pusher
Live Update Server
Live Update Server (cont.)
Live Update Server (cont.)
Live Update Server (cont.)
LUA Issues
1. Postgres.exe 100%
2 T bl h ti d f’ (3 42. Troubleshooting def’s (3-4 spots)
3 Patch’s more difficult3. Patch s more difficult
4. 12/31 disaster
5. No ‘delta’ benefit
Solutions – 3) Ticket Automation• Challenge:
– No ‘flip switch’ options to escalate alerts.L h d t f t h i SEM/SIM l ti– Laughed at for not having SEM/SIM solution.
• Solution: – Syslog serverSyslog server– Remedy server reads Syslog
Steps:
1. Configure ‘External Logging’
2. Point to Syslog server IP/porto t to Sys og se e /po t
3. SLOWLY turn on Log Filters
4 Request tickets be pulled4. Request tickets be pulled
5. Verified ticket generation
6. Solid Security Incident Response Process in place.
External Logging - Config
External Logging Ticket
Other Issues• Firewall Change Requests = > 80% of time
Cli t P k ti h ld ‘ t ’ SEPM• Client Packages sometimes held ‘master’ SEPM in Sylink.xml file. • Opened ticket – Due to TS installation.
• Use CD Package with custom Sylink
Sylink Issue
Sylink Issue
Resources: Exclusion Process
Resources: Exclusion Form
Related Documents
