Outsourcing SEPM

Tony Asher

Agenda• Goal: Successfully manage endpoint security for

outsourced clients, while minimizing time and resources.

• Requirements / Challenges

• Solutions– 3 Unique ‘features’ we leveraged.

• Issues

Requirements1. Single point of:

• Management• Visibility• Alerts• Reporting• Reporting

2 Neutral from client environments2. Neutral from client environments

3 A t ti ti k t ti3. Automatic ticket generation

Challenges – 1) Independent secure network, allow client communication

Challenges – 1) Independent secure network, allow client communication

Challenges – 2) Updates to enclave without Internet connection

Challenges – 2) Updates to enclave without Internet connection

Challenges – 3) Clients ability 'go-away'

Challenges – 4) Ticket generation

Steps Towards Solutions

Solutions – 1) Replication• Choices: Site Replication vs. GUPs

– GUPs: Can’t manage independent client admins, won’t centrally collect logs, open ports.Domains vs Groups– Domains vs. Groups

Replication Process

Replication Process (cont.)

Replication Process (cont.)

Steps:Steps:1. Verify ‘Additional Site’ in SEPM

2. Edit Properties of Replication

3. Replicate Now

4. Check Log

5. Setup ‘Limited Admin’p

Edit Replication Properties

Issues:1 SEPM S V i1. SEPM = Same Version

2. Shut down replication during upgradepg

3. Remember to turn back on

4 Easily ‘Deleted’4. Easily Deleted

Solutions – 2) Live Update ServerC• Challenge:– Couldn't communicate with Internet.

• Solution: Live Update Server on Tier 3 with– Live Update Server on Tier 3 with Internet connectivity

– Pushes out to 'Distribution share' on a server within the Secureon a server within the Secure Enclave (use for 4th box!).

LUA = Def Pusher

Live Update Server

Live Update Server (cont.)

Live Update Server (cont.)

Live Update Server (cont.)

LUA Issues

1. Postgres.exe 100%

2 T bl h ti d f’ (3 42. Troubleshooting def’s (3-4 spots)

3 Patch’s more difficult3. Patch s more difficult

4. 12/31 disaster

5. No ‘delta’ benefit

Solutions – 3) Ticket Automation• Challenge:

– No ‘flip switch’ options to escalate alerts.L h d t f t h i SEM/SIM l ti– Laughed at for not having SEM/SIM solution.

• Solution: – Syslog serverSyslog server– Remedy server reads Syslog

Steps:

1. Configure ‘External Logging’

2. Point to Syslog server IP/porto t to Sys og se e /po t

3. SLOWLY turn on Log Filters

4 Request tickets be pulled4. Request tickets be pulled

5. Verified ticket generation

6. Solid Security Incident Response Process in place.

External Logging - Config

External Logging Ticket

Other Issues• Firewall Change Requests = > 80% of time

Cli t P k ti h ld ‘ t ’ SEPM• Client Packages sometimes held ‘master’ SEPM in Sylink.xml file. • Opened ticket – Due to TS installation.

• Use CD Package with custom Sylink

Sylink Issue

Sylink Issue

Resources: Exclusion Process

Resources: Exclusion Form