Page 1: System Center Endpoint Protection 2012 R2

Management Consulting | IAM and Data Protection | Governance Risk and Compliance

© 2014 Edgile, Inc. – All Rights Reserved

System Center Endpoint Protection 2012 R2

Norman W. Mayes CISSP, MCSE: Private Cloud, ITIL-F

February 2014

Page 2: System Center Endpoint Protection 2012 R2

Table of Contents

– System Center Endpoint Protection 2012 R2
– Key Features and Benefits
– Competitive Protection

Page 3: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Key Features and Benefits

Simplified Administration: a single administrator experience for simplified endpoint protection and management

– Real-time Endpoint Protection operations from the console
– Simplified, 3X-per-day delivery of definitions through software updates
– Malware-driven operations from the console
– Client-side merge of antimalware policies
– New and improved Endpoint Protection client
– Comprehensive protection stack

Page 4: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Comprehensive Protection Stack

Building on Windows platform security. The stack diagram has three layers (reconstructed here as a list):

Management (System Center Configuration Manager and Endpoint Protection)
– Software Updates + SCUP
– Endpoint Protection Management
– Settings Management
– Operating System Deployment
– Software Distribution
– MDM

Antimalware (System Center 2012 Endpoint Protection)
– Behavior Monitoring
– Dynamic Translation
– Vulnerability Shielding
– Windows Defender Offline
– Cloud Clean Restore

Platform (Windows)
– Internet Explorer, AppLocker, BitLocker
– Data Execution Prevention
– Address Space Layout Randomization
– User Account Control
– Windows Resource Protection
– Secure Boot through UEFI
– Early Launch Antimalware (ELAM)
– Measured Boot

ELAM and Measured Boot are available only in Windows 8.x.

Page 5: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Real-Time Operations

Endpoint protection operations reach clients in under 1 minute.

Available endpoint protection operations:
– Run definition updates
– Run quick scan
– Run full scan
– Allow threats
– Exclude paths and/or files
– Restore files quarantined by threat

Page 6: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Malware-Driven Operations

Administrators can easily view, and take follow-up actions on, specific malware by type and by remediation status.

Page 7: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Client-Side Merge

Endpoint Protection policies: create granular policies for specific scenarios and have them merged on the clients.
– Removes the overhead of redundant policies
– Policies still honor relative priority, and merge when possible (exclusions, for example)
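The merge behaviour this slide describes, modelled as an added Python example that is not part of the deck or of Microsoft's product code. It assumes a simplified policy model: a lower priority number means higher precedence, scalar settings come from the highest-precedence policy that defines them, and exclusions are unioned across every applied policy. The report at the end is the check a defender wants, because a union means one low-ranked scenario policy can widen exclusions on every client it targets.

```python
from dataclasses import dataclass, field

# Assumption (not Microsoft's algorithm): these list settings merge as a union
# across every applied policy; all other settings come from the highest-
# precedence policy that defines them (lower priority number = higher precedence).
MERGEABLE = {"excluded_paths", "excluded_processes"}

@dataclass
class Policy:
    name: str
    priority: int
    settings: dict = field(default_factory=dict)

def merge_policies(policies):
    """Return the effective client settings and which policy supplied each value."""
    effective, provenance = {}, {}
    for pol in sorted(policies, key=lambda p: p.priority):
        for key, value in pol.settings.items():
            if key in MERGEABLE:
                merged = effective.setdefault(key, set())
                for item in value:
                    if item not in merged:
                        merged.add(item)
                        provenance[(key, item)] = pol.name
            elif key not in effective:  # first writer is the highest-precedence policy
                effective[key] = value
                provenance[key] = pol.name
    return effective, provenance

def exclusion_report(policies):
    """Defender's check: every effective exclusion with the policy that introduced it."""
    effective, provenance = merge_policies(policies)
    return sorted((key, item, provenance[(key, item)])
                  for key in sorted(MERGEABLE) for item in effective.get(key, ()))

# Constructed sample policies, not taken from the deck.
DEFAULT = Policy("Default Client Antimalware Policy", 10000,
                 {"real_time_protection": True, "scan_schedule": "Sat 02:00"})
SQL = Policy("SQL Servers", 2,
             {"scan_schedule": "Sun 03:00",
              "excluded_paths": {r"D:\SQLData", r"D:\SQLLogs"},
              "excluded_processes": {"sqlservr.exe"}})
LAB = Policy("Lab Machines", 5,
             {"real_time_protection": False, "excluded_paths": {r"C:\Lab"}})

if __name__ == "__main__":
    settings, _ = merge_policies([DEFAULT, SQL, LAB])
    print(settings)
    for key, item, source in exclusion_report([DEFAULT, SQL, LAB]):
        print(f"{key}: {item} (introduced by {source})")
```

Note that the "Lab Machines" policy switches real-time protection off for any client that receives it, even though the default policy turns it on; the report makes both the winning scalar value and every inherited exclusion visible.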

Page 8: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Software Update Integration

Architectural changes to support updates 3X per day:
– Category-based scans from clients
– Delta synchs between the Software Update Point (SUP) and WSUS

Architectural changes to simplify SUP setup:
– Source the top-level SUP from an internal WSUS server
– Simplified, fault-tolerant software update point setup (add multiple SUPs as needed, up to 8 per primary site; no NLB or active-SUP requirements)
– The multiple-SUP model is built for fault tolerance
– Best performance comes from using a shared SUSDB for your software update points
– Clients are optimized NOT to switch SUPs, and only do so after 4 failures (at 30-minute intervals)
– Full cross-forest support of SUPs, including untrusted forests
– Clients are optimized to fall back to SUPs within their own forest first
– Use Group Policy preferences if setting a WSUS server for client deployments

Page 9: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Software Update Overview

[Diagram: a Primary Site with Software Update Point 1 through Software Update Point 4 (4X); clients in Hierarchy (Forest1) and Hierarchy (Forest2), shown as Client.Forest1 and Client.Forest2, each connecting to the SUPs.]

Page 10: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Enhanced Protection

Protect against known and unknown threats with endpoint inspection at the behavior, application, and network levels.

– Common antimalware platform across Microsoft AM clients
– Proactive protection against known and unknown threats
– Reduced complexity while protecting clients
– Integration with UEFI Trusted Boot and early-launch antimalware

Section contents:
– Enhanced Protection
– Competitive protection: Endpoint Protection vs. Trend Micro
– Heterogeneous antimalware clients

Page 11: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Common Antimalware Platform

Platform overview:
– Common platform for all of Microsoft's antimalware clients
– Security Essentials alone has 100+ million users (#1 in North America)
– 660+ million executions of the Malicious Software Removal Tool per month
– All of these clients service Microsoft's protection services: research and response

Clients sharing the platform (diagram reconstructed as a list): Diagnostic and Recovery Toolkit, Malicious Software Removal Tool, Windows Defender (Windows 8), Microsoft Security Essentials, Windows Defender Offline, Windows Intune, System Center 2012 Endpoint Protection, Forefront Endpoint Protection 2010, Windows Azure Endpoint Protection.

Page 12: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Reduced Complexity

Simple interface
– Minimal, high-level user interactions

Administrative control
– User configurability options
– Central policy enforcement
– UI lockdown and disable

Maintains high productivity
– CPU throttling during scans
– Faster scans through advanced caching
– Minimal network and client

Page 13: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Heterogeneous Antimalware Clients

Features
– Anti-virus and anti-malware support
– Machines connect directly to the internet service for security content
– Client UI for user visibility and control
– SCOM monitoring pack for Linux with management control

Platforms
– Native support for Windows 8.1 and Windows Server 2012 R2
– Apple Mac (10.6–10.7)
– Linux Server: Red Hat Enterprise 6, SuSE Linux 11


Page 15: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Competitive Protection

Endpoint Protection
– Microsoft's malware lab benefits from a vast installation of the consumer version of the SCEP engine and its online system check utilities, which provide a large distribution of malware samples
– System Center Configuration Manager supports a dedicated endpoint protection role configuration. SCEP also allows on-demand signature updates from the cloud for suspicious files and previously unknown malware
– Organizations licensed under Microsoft's Enterprise CAL or Core CAL program receive SCEP at no additional cost. Approximately one-third of enterprise customers are actively considering Microsoft during their next renewal periods
– Microsoft offers advanced system file cleaning, which replaces infected system files with clean versions from a trusted Microsoft cloud

[Figure: endpoint protection vendor positioning chart, as of January 2014. Axes: Completeness of Vision (horizontal) and Ability to Execute (vertical); quadrants: Niche Players, Visionaries, Challengers, Leaders. Vendors plotted: Microsoft, Symantec, McAfee, Trend Micro, Kaspersky Lab, Sophos, Check Point Software Technologies, BeyondTrust, ThreatTrack Security, F-Secure, Bitdefender, Eset, LANDesk, Lumension Security, Arkoon Network Security, Panda Security, IBM, Webroot.]

Page 16: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Competitive Protection

Endpoint Protection challenges
– Microsoft System Center Configuration Manager is a prerequisite to SCEP
– Microsoft's client anti-malware protection approach:
  – Industry test scores are not as high as some competitors'
  – Focused on reducing the impact of prevalent malware in the Windows installed base, with the lowest false-positive rates in the industry
– SCEP does not have some advanced features that other endpoint security solutions include
  – Microsoft leverages other Windows security features: Windows Firewall, BitLocker, AppLocker and Group Policy Objects

Page 17: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Competitive Protection

Trend Micro's challenges
– Historically, Trend Micro has been very conservative with new EPP capabilities, such as encryption and application control
– The core endpoint offerings, OfficeScan and Deep Security, are two separate products from separate teams with separate consoles. Deep Security has not been integrated into TMCM for deployment and policy management, but it has been integrated from a security reporting perspective
– Some capabilities (like encryption) that have been integrated into TMCM still require their native consoles to be deployed, but from that point forward they can be managed within TMCM
– Trend Micro's installed base and market share in North America and EMEA are not as strong as in Asia/Pacific
– There is no out-of-the-box security state assessment beyond the EPP agent status, and no significant integration with operations tools, such as vulnerability assessments

Page 18: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Competitive Protection

Cost avoidance potential: System Center 2012 R2 server management licensing maximizes value while simplifying purchasing. All server management licenses (SMLs) include the same components and the ability to manage any workload. System Center 2012 R2 SMLs are available in two editions, differentiated by virtualization rights only:
– Datacenter: maximizes cloud capacity with unlimited virtualization for high-density private clouds
– Standard: for lightly virtualized or non-virtualized private cloud workloads

Components included in both Microsoft System Center 2012 R2 Datacenter and Microsoft System Center 2012 R2 Standard:
– Operations Manager
– Configuration Manager
– Data Protection Manager
– Service Manager
– Virtual Machine Manager
– Endpoint Protection
– Orchestrator
– App Controller

Page 19: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Competitive Protection

Cost avoidance potential: Server Management Licenses are required for managed devices that run server Operating System Environments (OSEs). Licenses are processor-based, with each license covering up to two physical processors.

The number of Server MLs required for each managed server is determined by the number of physical processors in the server for Datacenter Edition, and by either the number of physical processors in the server or the number of OSEs being managed for Standard Edition (whichever is greater).

Example: 4 servers with 4 cores each to support System Center roles
4 Servers * 4 Cores / 2 = 6 Server ML Licenses

Server ML edition comparison:

                                                                  Datacenter   Standard
# of physical processors per license                              2            2
# of managed Operating System Environments (OSEs) per license     Unlimited    2
Includes all System Center server management components           Yes          Yes
Right to run management server software and supporting
  SQL Server Runtime (SQL Server Standard Edition)                Yes          Yes
Manage any type of supported workload                             Yes          Yes
Open No Level (NL) License and Software Assurance (L&SA)
  2-year price                                                    $3,607       $1,323

Page 20: System Center Endpoint Protection 2012 R2

System Center Endpoint Protection: Competitive Protection

Cost avoidance potential: Client Management Licenses (MLs) are required for managed devices that run non-server OSEs. There are three System Center 2012 R2 Client ML offerings:
– Configuration Manager Client ML
– Endpoint Protection Subscription
– Client Management Suite Client ML

Core CAL and Enterprise CAL Suites will continue to be the most cost-effective way to purchase client management products.

Client ML comparison:

                                   Configuration Manager     Endpoint Protection   Client Management
                                   Client ML                 Subscription          Suite Client ML
Components included                Configuration Manager,    Endpoint Protection   Service Manager,
                                   Virtual Machine Manager                         Operations Manager,
                                                                                   Data Protection Manager,
                                                                                   Orchestrator
Included in Core CAL Suite         Yes                       Yes                   No
Included in Enterprise CAL Suite   Yes                       Yes                   Yes
Open NL L&SA 2-year price          $62                       $22                   $121

Page 21: System Center Endpoint Protection 2012 R2


Wrap Up | Questions and Answers

Norman W. [email protected]