By Christian Stahl, Microsoft Enterprise Services: Forefront Codename ”Stirling”

Date post: 24-Dec-2015

Transcript

By Christian Stahl, Microsoft Enterprise Services

Forefront Codename ”Stirling”

Agenda

• Introduction to Security Management
• Introduction to Forefront Codename ”Stirling”
• Stirling functionality
• Stirling architecture

Security Management today

Jumping between consoles wastes time

Each console has its own policy paradigm

Products are in silos with no integration

Lack of integration with the infrastructure generates inefficiencies

It is difficult to know whether the solutions are protecting against emerging threats

Diagram: a separate Management Console and Reporting Console for each product silo (Endpoint Protection, Server Application Protection, Network Edge, Vulnerability Assessment)

• One console for simplified, role-based security management

• Define one security policy for your assets across protection technologies

• Deploy signatures, policies and software quickly

• Integrates with your existing infrastructure: SCOM, SQL, WSUS, AD, NAP, SCCM

Simplified Management with Stirling

Diagram: Network Edge, Server Applications, Client and Server OS

A comprehensive line of business security products that help you gain greater protection and secure access through deep integration and simplified management

Poll

How many use:

• Forefront Client Security?
• ISA Server?
• Forefront for Exchange or MOSS?

Forefront codename "Stirling"

Next Generation Forefront Client Security

• Antivirus / Antispyware
• Host Firewall & NAP
• Others – To be announced at a later date

Next Generation Forefront Server Security

• Exchange Protection
• SharePoint Protection
• Others – To be announced at a later date

Next Generation Edge Security and Access

• Firewall
• VPN
• Others – To be announced at a later date

• Comprehensive, coordinated protection with dynamic responses to complex threats

• Unified management across client, server application, & edge security in one console

• Critical visibility into overall security state including threats and vulnerabilities

Management & Visibility

Dynamic Response

Diagram: Network Edge, Server Applications, Client and Server OS (vNext)

An Integrated Security System

• Integrated protection across clients, server and edge

• Dynamic responses to emerging threats

• Next generation protection technologies

• Manage from a single role-based console

• Asset and policy centric model

• Integrates with your existing infrastructure

• Know your security state in real-time

• View insightful reports

• Investigate & remediate security issues

An Integrated Security System that delivers comprehensive, coordinated protection with simplified management and critical visibility across clients, servers, and the network edge

Comprehensive Protection

Simplified Management

Critical Visibility

Siloed best-of-breed solutions are not enough

• Breaches came from a combination of events:
  – 62% were attributed to a significant error
  – 59% resulted from hacking and intrusions
  – 31% incorporated malicious code
  – 22% exploited a vulnerability
  – 15% were due to physical threats

Chart: Time span of data breach events

Source: 2008 Data Breach Investigations Report, Verizon Business, http://www.verizonbusiness.com/resources/security/databreachreport.pdf

Example: Zero Day Scenario (handled manually)

Diagram labels: Malicious Web Site (WEB); Edge Protection; Edge Protection Log; DNS Reverse Lookup; Client Event Log; Network Admin; Desktop Admin; Client Security; DEMO-CLT1 (user Andy); Phone; Manual: Launch a scan; Manual: Disconnect the Computer

Example: Zero Day Scenario with Stirling and Dynamic Response

Diagram labels: Malicious Web Site (WEB); Forefront TMG; Client Security; Security Admin; Network Admin; Desktop Admin; DEMO-CLT1 (user Andy); Security Assessments Channel; Stirling Core; NAP; Active Directory; Forefront Server for Exchange, SharePoint, OCS

Events:

• TMG identifies malware on the DEMO-CLT1 computer attempting to propagate (Port Scan)
• FCS identifies that Andy has logged on to DEMO-CLT1

Assessments published on the channel:

• Compromised Computer: DEMO-CLT1, High Fidelity, High Severity, Expire: Wed
• Compromised User: Andy, Low Fidelity, High Severity, Expire: Wed

Responses: Alert, Scan Computer, Block Email, Block IM, Reset Account, Quarantine

Shared Information: Assessment Severity Definition

Compromised Computer

• High: Malware gains admin-level control over the computer, or the computer poses an active and immediate threat to other computers. Example: rootkit, bot, fast self-propagating worm
• Med: Malware has user-level control on the computer; malware might affect the computer moderately. Example: virus with user account privileges; virus requiring humans to propagate
• Low: Malware has minimal control over the computer, similar to the control obtained by a guest account. Example: spyware

Vulnerable Computer

• High: The computer is more likely to be compromised in the very near future, with potential damage corresponding to a high-severity compromised computer. Example: can be exploited by a self-propagating worm
• Med: The computer is more likely to be compromised eventually, but there is no immediate threat. Example: missing patch mitigated by the default configuration
• Low: The computer can be compromised only with major effort (such as a full-blown dictionary attack, or an intruder gaining physical access to the computer); the potential damage is expected to be low. Example: weak password, misconfigured IE

Compromised User

• High: The attacker is the legal owner of the account (intended to be used as a manually injected assessment). Example: clear insider threat
• Med: The attacker has full control over the account. Example: attacker obtains the user's password
• Low: The attacker has limited control of the account; usually the attacker does not have account privileges. Example: email worm that propagates only when the user is logged in

70+ assessments are coming with Stirling Beta 2.

Console Sneak Peek

Know your security state

View insightful reports

Investigate and remediate security risks

Critical Visibility & Control

Risk Management Dashboard

• Risk = Security State X Asset Value
• Asset value via Stirling policies
• Overall security risk driven by actionable rules
• Single number to sort assets by
• Enterprise security status reports
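As an added example (not code from the deck, and not Forefront or Stirling code), the following Python sketch turns three things from the slides into a runnable toy: the assessment severity definitions (category, severity, fidelity, expiry), the dashboard formula Risk = Security State X Asset Value with its single number to sort assets by, and the dynamic-response idea from the Zero Day scenario, where assessments published on the channel drive responses such as Alert, Scan Computer or Quarantine. The numeric severity scale, the fidelity weights, the "worst active assessment" aggregation, the asset values and the response plan are all assumptions made here; the DEMO-CLT1 and Andy assessments follow the slide, while the Srv-DC1 and Srv-Prn1 assessments are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed numeric scale for the slide's Low / Med / High severities.
SEVERITY_SCORE = {"Low": 1, "Med": 2, "High": 3}
# Assumed: low-fidelity evidence contributes half the weight of high-fidelity evidence.
FIDELITY_WEIGHT = {"Low": 0.5, "High": 1.0}


@dataclass(frozen=True)
class Assessment:
    category: str   # "Compromised Computer", "Vulnerable Computer" or "Compromised User"
    subject: str    # asset or user the assessment is about
    severity: str   # "Low", "Med" or "High"
    fidelity: str   # "Low" or "High"
    expires: datetime
    source: str     # protection service that published it (e.g. "TMG", "FCS")


@dataclass(frozen=True)
class Asset:
    name: str
    value: int      # asset value assigned by policy (assumed 1..5 scale)


def active(assessments, now):
    """Only unexpired assessments count toward state or responses."""
    return [a for a in assessments if a.expires > now]


def security_state(asset, assessments, now):
    """Worst fidelity-weighted severity among active assessments on this asset (assumed aggregation)."""
    scores = [SEVERITY_SCORE[a.severity] * FIDELITY_WEIGHT[a.fidelity]
              for a in active(assessments, now) if a.subject == asset.name]
    return max(scores, default=0.0)


def risk(asset, assessments, now):
    """Risk = Security State x Asset Value, the dashboard formula on the slide."""
    return security_state(asset, assessments, now) * asset.value


def rank_assets(assets, assessments, now):
    """Single number to sort assets by: highest risk first."""
    return sorted(assets, key=lambda a: risk(a, assessments, now), reverse=True)


# Constructed response plan (policy): responses named on the slide, keyed by
# (category, severity, fidelity).  Low-fidelity evidence only alerts, so a weak
# signal cannot by itself quarantine a machine or reset an account.
RESPONSE_PLAN = {
    ("Compromised Computer", "High", "High"): ["Alert", "Quarantine", "Scan Computer"],
    ("Compromised Computer", "High", "Low"):  ["Alert", "Scan Computer"],
    ("Compromised Computer", "Med", "High"):  ["Alert", "Scan Computer"],
    ("Compromised User", "High", "High"):     ["Alert", "Reset Account", "Block Email", "Block IM"],
    ("Compromised User", "High", "Low"):      ["Alert"],
}


def responses_for(assessment, now):
    """Responses the plan applies for one assessment; expired assessments trigger nothing."""
    if assessment.expires <= now:
        return []
    key = (assessment.category, assessment.severity, assessment.fidelity)
    return RESPONSE_PLAN.get(key, ["Alert"])


def demo():
    """Constructed scenario following the slide: TMG sees DEMO-CLT1 port scanning, FCS sees Andy log on."""
    now = datetime(2008, 9, 1, 10, 0)
    wed = datetime(2008, 9, 3)          # "Expire: Wed" on the slide
    assessments = [
        Assessment("Compromised Computer", "DEMO-CLT1", "High", "High", wed, "TMG"),
        Assessment("Compromised User", "Andy", "High", "Low", wed, "FCS"),
        Assessment("Vulnerable Computer", "Srv-DC1", "Med", "High", wed, "Stirling"),   # constructed
        Assessment("Compromised Computer", "Srv-Prn1", "Med", "High", wed, "FCS"),      # constructed
        Assessment("Compromised Computer", "Srv-Prn1", "High", "High",
                   now - timedelta(days=1), "FCS"),                                     # constructed, expired
    ]
    assets = [Asset("DEMO-CLT1", 2), Asset("Srv-DC1", 5), Asset("Srv-Prn1", 1)]  # assumed values
    ranking = [(a.name, risk(a, assessments, now)) for a in rank_assets(assets, assessments, now)]
    plan = {a.subject: responses_for(a, now) for a in assessments[:2]}
    return ranking, plan


if __name__ == "__main__":
    ranking, plan = demo()
    for name, r in ranking:
        print(f"{name:10} risk={r}")
    print(plan)
```

The ranking shows what the formula buys over sorting by severity alone: a medium-severity vulnerability on a high-value domain controller (Srv-DC1, risk 10) outranks the high-severity compromise of a low-value client (DEMO-CLT1, risk 6), and the expired assessment on Srv-Prn1 contributes neither to its risk nor to any response.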

Security Risk Summary (dashboard mock-up; chart data not recoverable)

Security Risk Trend during the Last Month (8/1 to 8/30; levels High / Medium / Low / Minimal)

Security Risk Level during the Last Day (12am to 12am; levels High / Medium / Low / Minimal)

Groups at Highest Risk during the Last Day: 10 Groups out of 39 Total

Security Risk Level at <last sample timestamp>: High

Asset / Users Group and Percentage of Time at the Risk Level: Production_Servers, HR Servers, Redmond Bldg 43 Servers, Haifa Sensitive Servers, Long Island Servers, Testlab1 Servers, Sensitive Client Computers, Default Computers Group, Default Servers Group (50% / 20% / 20% / 10%)

Asset table columns: Asset Name, Asset Value, Last Risk Level, Highest Risk Level, Reason Assessment(s), Active Response(s) Applied, Investigation Opened

• Srv-DC1: Multiple... (3), 3, ✓, -
• Srv-Prn1: Virus infection found, 1, -, ✓
• Red\JohnDoe: Port scan found, 1, ✓, -; Spam found, 1, -, -

Security Risk per Group: HR Servers; Total Assets at Risk: 3

Group Security Risk Trend during the Last Month (8/1 to 8/30)

Group Security Risk Level during the Last Day (12am to 12am; levels High / Medium / Low / Minimal)

Group Security Risk Level at <last sample timestamp>: High (50% / 20% / 20% / 10%)

Exchange Protection Activity (activity report mock-up; chart data not recoverable)

• Total Messages Scanned: 550 (Message trend by type: Malware, Filtering Hit, Quarantined, Total; Detail Report)
• Malware Discovery Rate: 90% (Malware Discovery rate trend; Detail Report)
• Filter Hit Rate: 20% (Filter hit rate trend; Detail Report)
• Incident Rate trend during the last day (levels High / Low / Minimal)
• Total Messages Quarantined: 300 (Detail Report)
• SPAM Rate: 90%; Total SPAM Found: 30000 (Spam rate trend by type: Block by IP, Block by content, SPAM rate)

Activity Reporting

• Technology specific
• Complementing security and health monitoring
• Visibility into
  – Security Effectiveness
  – Resource consumption
  – Productivity Impact
• Planning and measuring

Contribution of FSE Protection Service to the Security Risk Detection and Mitigation (report mock-up; chart data not recoverable)

• FSE Contribution to detection of Compromised Users during the Last Day / during the Last Month
• Compromised Users during the Last Day / Compromised Users Trend during the Last Month (by severity: High, Med, Low)
• Security Risk Level during the Last Day / Security Risk Trend during the Last Month (levels High / Medium / Low / Minimal)
• FSE Contribution to Security Risk detection during the Last Day / during the Last Month
• Security Responses during the Last Day / Security Responses Trend during the Last Month (Responses, Alerts, Applied, Cancelled)
• FSE Contribution to Security Responses during the Last Day / Trend during the Last Month (Responses, Alerts, Applied, Cancelled)

TMG: Connect to "Stirling"

Provided by Stirling Admin

Stirling: TMG connectivity state


Stirling: Response Plan (Policy)

TMG Assessment / Response

TMG: Response Implementation

Poll

How many use:

• SCOM?
• WSUS?

Stirling Conceptual Architecture

Diagram components (Events and Settings flow between the protected systems and the Stirling servers):

• Desktops, Laptops and Servers
• Exchange Servers
• SharePoint Servers
• Threat Management Gateway Servers
• Stirling Core Server
• Stirling Data Analysis & Collection Servers
• Stirling Console
• System Center Operations Manager
• Windows Server Update Services (WSUS)
• Microsoft Update (Virus & Spyware Definitions)
• Forefront Security Assessment Channel
• 3rd party protection service

Stirling Server Roles

• Stirling defines several roles that make up the overall system
  – Stirling Core – central processing
  – Stirling Core DB – Stirling databases
  – “DAC”
    • DAC-RMS – System Center Operations Manager – Root Management Server
    • DAC-MS – Management Server
    • DAC-DB – SCOM databases
  – Stirling Reporting
  – Stirling NPS (Network Policy Server)
  – Stirling Console

1-Box Configuration

2-Box Configuration

Scaling Your Deployment

Stirling Common Questions

• Q: Can I use my existing SCOM infrastructure for Stirling?
• A: Yes, but unless it’s already managing all your desktops too, you’ll have to add more servers to scale it out
• Q: Can I use ...
  – Clusters?
  – Virtualization?
• A: Yes

Stirling Common Questions

• Q: How many clients can each SCOM server support?
• A: Performance testing is well underway, but I’ll cover some of our scale goals coming up
