
MGT310

Microsoft System Center 2012 Endpoint Protection Overview

Session Objectives And Takeaways


Session Objectives:
The evolution of malware
Overview of System Center 2012 Endpoint Protection
Demos on EP client installation and management + security
Overview of the Endpoint Protection client

The Evolution Of Malware


In 1991 there were 1000 known threats; in 2001 there were 60,000
Today there are millions, and it's growing every day
Sophistication and production rates continue to evolve
Anybody can do it: full malware suites are available online
Your stuff is worth money, and they want it!

Nefarious Personas

Motivation axis (top to bottom as on the slide): National Interest, Personal Gain, Personal Fame, Curiosity
Skill axis: Script-Kiddy, Hobbyist Hacker, Expert, Specialist
Personas plotted on the chart: Spy, Thief, Trespasser, Author, Vandal
National Interest: Spy
Personal Gain: Thief
Chart annotations: "Tools created by experts now used by less skilled attackers and criminals"; "Fastest growing segment"

System Center 2012 Endpoint Protection

Next generation of Forefront Endpoint Protection 2010

Unified Infrastructure: Reduce the cost of maintaining secure endpoints with unified management and security infrastructure

Simplified Administration: Single administrator experience for simplified endpoint protection and management

Enhanced Protection: Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels

Mgmt + Security In Configuration Manager 2012

Features shown in the Configuration Manager 2012 diagram: OSD, Endpoint Protection, Software Updates + SCUP, Settings Management, Exchange Connector, SWD

System Center 2012 Endpoint Protection

Unified Infrastructure: Reduce the cost of maintaining secure endpoints with unified management and security infrastructure

Easy to set up and operate the management infrastructure
Simplified deployment of antimalware policies
Automated deployment of updates using ConfigMgr infrastructure
Easy client install and migration

Infrastructure Changes from FEP 2010

Configuration Manager 2007 with Forefront Endpoint Protection 2010 (components shown in the diagram):
Configuration Manager site server with FEP extensions (FEP deployment, FEP operations, FEP policy) and Excel reports template
CM DB, FEP DB and FEP DW
Definition catalogs
Distribution point
FEP service, server
Client running the CM client with a FEP client

Configuration Manager 2012 with Endpoint Protection 2012 (components shown in the diagram):
Configuration Manager site server with EP deployment, EP operations and EP policy
EP site role and management point
CM DB
Distribution point
EP client on the ConfigMgr server
Client running the CM client with a pre-packaged EP client

Simplified Deployment of AM Policies

Centralized management for AM and Firewall Policy
AM and FW policy delivered as ConfigMgr policy (no package/program dependency)
Out of box templates
Import, Export, Merge
Prioritization of policies by collection
Simplified UI for customizing policy

Signature Update Distribution

Easier distribution process
Automatic deployment rules within ConfigMgr software updates
Minimizes WAN impact
Uses distribution points and reduced definition size
Ensures always up-to-date security regardless of the client location
Multiple update sources (ConfigMgr, WSUS, Microsoft Update, Windows File Share)

Diagram: on the corporate network, updates are distributed through ConfigMgr, WSUS or a Windows File Share; clients on the road fall back to online update
Microsoft Update: delta update size 50-2048 KB, update frequency 3 times/day

Simplified Client Setup

Ease of client setup and deployment
No separate deployment needed for endpoint protection client
Endpoint Protection agent installer deployed with Configuration Manager client setup
Endpoint Protection client and definitions easily integrated with OSD

Flexible administrative control
Administrator can force or suppress any required reboots
Configurable option for automatic removal of existing AV client

Easy migration from existing solutions and automatic removal of existing clients: Symantec, McAfee, TrendMicro, Forefront Client Security or Forefront Endpoint Protection

Diagram: EP agent installer deployed with the ConfigMgr client; EP enabled in the console, then EP installation starts on the device

Client Installation Flow

1. Silent removal of third-party products
2. EP client install
3. Configure policy
4. Signature update

System Center 2012 Endpoint Protection

Simplified Administration: Single administrator experience for simplified endpoint protection and management

Single interface for client management and security
Improved alerting (client to admin within 5 minutes) and reporting, with real-time and user-centric data views

Single Interface For Management And Security

Single interface for client management and security
Dashboard integrated with ConfigMgr console
Simplified cross-feature integration

Quick identification and remediation of client security issues
Dashboard focused on actionable events

Flexibility to separate security admin role
Role-based administration
Access to only relevant security information

Monitoring Client Security

Quick alerts and event notification in the console
Uses high speed data channel to notify events in real time
High speed data channel prioritizes EP messages in the state system, and the client does not wait to send messages up
Integrated monitoring for client health and antimalware status
Email subscription for alerts

Rich Reporting And Analysis

Rich reporting on client security
SQL Reporting Services-based reports on many categories
User-centric reports enable identification of commonly impacted users
Customizable reports simplified through database integration

System Center 2012 Endpoint Protection SP1

What's new in SP1

Automatically deploy definition updates 3 times per day
Category based scan from client to WSUS
Delta syncs between SUP and WSUS

Real-time administrative actions:
Run Definition Updates
Run Quick Scan
Run Full Scan
Allow threats
Exclude paths and/or files
Restore files quarantined by threat

Client side merge of antimalware policies
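As an added illustration (not code from this deck, from Microsoft, or from Configuration Manager itself), the following Python models what "prioritization of policies by collection" combined with "client side merge of antimalware policies" means for a client that receives several policies. The merge rules are assumptions of the model rather than a statement of the product's exact behaviour: a lower priority number wins for single-valued settings, and list settings such as exclusions are unioned across every applied policy. The policy names, priorities and settings are constructed sample data.

```python
from copy import deepcopy

# Constructed model of client-side antimalware policy merging.
# Assumed rules (modelled here, not taken from product documentation):
#   - each policy carries a priority; a LOWER number means HIGHER precedence,
#   - a single-valued setting is taken from the highest-precedence policy that sets it,
#   - list-valued settings (exclusions) are unioned across every applied policy,
#   - the default policy sits at the lowest precedence so targeted policies override it.

LIST_SETTINGS = {"excluded_paths", "excluded_processes", "excluded_extensions"}


def merge_policies(policies):
    """Return (merged_settings, provenance) for the policies applied to one client.

    provenance maps each setting to the policy name(s) that contributed it, which is
    what an administrator needs when a client ends up with an unexpected setting.
    """
    ordered = sorted(policies, key=lambda p: p["priority"])
    merged = {}
    provenance = {}
    for policy in ordered:
        for key, value in policy["settings"].items():
            if key in LIST_SETTINGS:
                merged.setdefault(key, set()).update(value)
                if value:
                    provenance.setdefault(key, []).append(policy["name"])
            elif key not in merged:  # first (highest-precedence) writer wins
                merged[key] = deepcopy(value)
                provenance[key] = [policy["name"]]
    # Sets are convenient for the union; return sorted lists so output is stable.
    for key in list(merged):
        if key in LIST_SETTINGS:
            merged[key] = sorted(merged[key])
    return merged, provenance


def conflicts(policies):
    """List single-valued settings that more than one policy sets to different values."""
    seen = {}
    for policy in policies:
        for key, value in policy["settings"].items():
            if key in LIST_SETTINGS:
                continue
            seen.setdefault(key, {})[policy["name"]] = value
    return {k: v for k, v in seen.items() if len(set(v.values())) > 1}


# Constructed sample policies targeted at overlapping collections.
DEFAULT_POLICY = {"name": "Default Client Antimalware Policy", "priority": 10000,
                  "settings": {"realtime_protection": True, "scan_type": "quick",
                               "scan_hour": 2, "cpu_limit_percent": 50,
                               "excluded_paths": []}}
SQL_SERVERS = {"name": "SQL Servers", "priority": 2,
               "settings": {"scan_type": "full", "cpu_limit_percent": 20,
                            "excluded_paths": [r"D:\SQLData\*.mdf", r"D:\SQLData\*.ldf"],
                            "excluded_processes": ["sqlservr.exe"]}}
ALL_SERVERS = {"name": "All Servers", "priority": 5,
               "settings": {"scan_hour": 23, "cpu_limit_percent": 30,
                            "excluded_paths": [r"C:\Windows\SoftwareDistribution\*"]}}

SAMPLE_POLICIES = [DEFAULT_POLICY, ALL_SERVERS, SQL_SERVERS]


def demo():
    """Merge the constructed sample policies as one SQL server client would see them."""
    return merge_policies(SAMPLE_POLICIES)


if __name__ == "__main__":
    merged, origin = demo()
    for key in sorted(merged):
        print(f"{key:22} = {merged[key]!r:50} <- {', '.join(origin[key])}")
    print("conflicting single-valued settings:", conflicts(SAMPLE_POLICIES))
```

The provenance map is the part worth keeping in a real deployment: when a server scans with the wrong CPU limit or an exclusion appears that nobody remembers adding, the question is always which policy in the stack supplied it, and the union rule for exclusions means a low-priority policy can still widen the attack surface on every client it touches.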

Real-time Administrative Actions

1. Administrator: in the administrative console, selects Run Full Scan on a collection
2. Site Server and MP: a task is created (Task = Run Full Scan) and the MP is told that a new urgent task has been requested
3. Call is placed: the client, via its active TCP session with the MP (the "dial tone"), is told there are urgent tasks to run
4. Client: connects to the MP to get policy, then runs the Full Scan task

The client keeps an active TCP session with the MP and uses it to check for urgent tasks
All this happens within seconds

What's new in SP1
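The flow above separates the wake-up from the work: the long-lived client-to-MP session carries only a signal that urgent tasks exist, and the task itself arrives through the client's ordinary policy request. The following Python is an added model of that exchange, not Configuration Manager's own code or wire format; `socket.socketpair()` stands in for the client's persistent TCP session with the management point, the MP and client run in one process, and the client IDs and task name are constructed.

```python
import socket
import threading

# Constructed, in-process model of the SP1 real-time action flow:
#   administrator -> site server/MP records a task -> wake-up over the open session
#   -> client pulls policy from the MP -> client runs the task.
# socket.socketpair() plays the persistent client<->MP TCP session ("dial tone").

WAKE_UP = b"U"  # the only thing ever sent over the dial tone: "urgent tasks are waiting"


class ManagementPoint:
    """Holds per-client urgent tasks and the MP end of each client's session."""

    def __init__(self):
        self._lock = threading.Lock()
        self._pending = {}   # client_id -> tasks not yet collected via policy
        self._sessions = {}  # client_id -> MP end of the dial-tone socket

    def register_session(self, client_id, mp_end):
        self._sessions[client_id] = mp_end

    def queue_urgent_task(self, client_id, task):
        """Site server -> MP: record the task, then nudge the client.

        The wake-up byte carries no task details; the client fetches them through
        its normal policy request, so the push channel never has to carry policy.
        """
        with self._lock:
            self._pending.setdefault(client_id, []).append(task)
        self._sessions[client_id].sendall(WAKE_UP)

    def get_policy(self, client_id):
        """Client -> MP policy request; urgent tasks are handed over exactly once."""
        with self._lock:
            return {"urgent_tasks": self._pending.pop(client_id, [])}

    def pending_count(self, client_id):
        with self._lock:
            return len(self._pending.get(client_id, []))


class Client:
    """Keeps the dial tone open and reacts to wake-ups by pulling policy."""

    def __init__(self, client_id, mp, client_end):
        self.client_id = client_id
        self.executed = []            # tasks this client has run
        self.woken = threading.Event()
        self._mp = mp
        self._sock = client_end
        threading.Thread(target=self._listen, daemon=True).start()

    def _listen(self):
        while True:
            data = self._sock.recv(1)
            if not data:              # MP closed the session
                return
            if data == WAKE_UP:
                policy = self._mp.get_policy(self.client_id)
                for task in policy["urgent_tasks"]:
                    self._run(task)
                self.woken.set()

    def _run(self, task):
        # A real client would start the scan engine here; the model only records it.
        self.executed.append(task)


def run_full_scan_on_collection(mp, clients):
    """Administrator action: 'Run Full Scan' on a collection fans out per client."""
    for client in clients:
        mp.queue_urgent_task(client.client_id, "Run Full Scan")


def demo(client_ids=("PC-01", "PC-02", "PC-03")):
    """Run the flow for a constructed collection; returns (tasks run per client, tasks left on MP)."""
    mp = ManagementPoint()
    clients = []
    for cid in client_ids:
        mp_end, client_end = socket.socketpair()
        mp.register_session(cid, mp_end)
        clients.append(Client(cid, mp, client_end))
    run_full_scan_on_collection(mp, clients)
    for client in clients:
        client.woken.wait(timeout=5)
    executed = {c.client_id: list(c.executed) for c in clients}
    left_on_mp = sum(mp.pending_count(c.client_id) for c in clients)
    return executed, left_on_mp


if __name__ == "__main__":
    print(demo())
```

The design point to take from the model is that the always-open session is a notification channel only: nothing a client acts on is read from it, so the session needs no more trust than "go and ask the MP", and every task still passes through the same policy path the client uses for everything else.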

System Center 2012 Endpoint Protection

Enhanced Protection: Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels

Comprehensive protection stack building on Windows security
Proactive protection against known and unknown threats
Reduced complexity while protecting clients

Comprehensive Protection Stack

Building on Windows Platform security
Reactive techniques (against known threats) and proactive techniques (against unknown threats)

System Center Endpoint Protection components shown in the stack: Antimalware, Dynamic Signature Service, Dynamic Cloud Updates, Microsoft Malware Protection Center, Behavior Monitoring, Dynamic Translation and Emulation, Vulnerability Shielding (Network Inspection System), Windows Firewall Centralized Management

Windows 7 platform components shown in the stack: Internet Explorer 8 SmartScreen, User Account Control, Windows Resource Protection, Microsoft AppLocker, Microsoft BitLocker, Data Execution Prevention, Address Space Layout Randomization

Inspection layers: File system, Network, Application

Dynamic Translation With Heuristics

Industry-leading proactive detection
Emulation based detection helps provide better protection
Safe translation in a virtual environment for analysis
Enables faster scanning and response to threats
Heuristics enable one signature to detect thousands of variants

Flow: potential malware execution attempt on the system; real time protection driver intercepts; safe translation using DT against virtualized resources; malware detected; malicious file blocked

Behavior Monitoring And Dynamic Signatures

Live system monitoring identifies new threats
Tracks behavior of unknown processes and known bad processes
Multiple sensors to detect OS anomaly

Updates for new threats delivered through the cloud in real time
Real time signature delivery with Microsoft Active Protection Service
Immediate protection against new threats without waiting for scheduled updates

Diagram: the client reports properties/behavior to the Microsoft Active Protection Service (researchers, behavior classifiers, reputation); the service can issue a sample request, the client submits the sample, and a real-time signature is delivered back to the client

Protect Clients With Reduced Complexity

Simple interface
Minimal, high-level user interactions

Administrative Control
User configurability options
Central policy enforcement

Maintains high productivity
CPU throttling during scans
Faster scans through advanced caching

Best Usability 2011 (AV-Test)

Heterogeneous Antimalware Clients (what's new in SP1)

Mac OS X
Linux

Summary: Key Scenarios

Forefront Endpoint Protection 2010 compared with System Center 2012 Endpoint Protection

Unify
Unified infrastructure: System Center Configuration Manager 2007 | System Center 2012 Configuration Manager
Server setup: Separate install | Unified setup
Client deployment: ConfigMgr distribution process | Integrated
Signature updates: Multiple sources (WSUS, File Share, Microsoft Update) | Multiple sources with automatic deployment rules from ConfigMgr console

Simplify
Alerts and monitoring: Real time alerts in System Center 2012 Endpoint Protection
Reports: Additional user centric reports in System Center 2012 Endpoint Protection

Protect
Proactive protection, Firewall management, Role based administration (marked New)
Online Resources

Launching a Windows Defender Offline Scan with Configuration Manager 2012 OSD
Operating System Deployment and Endpoint Protection Client Installation
Software Update Content Cleanup in System Center 2012 Configuration Manager
Building Custom Endpoint Protection Reports in System Center 2012 Configuration Manager
Managing Software Updates in Configuration Manager 2012

How-to Videos
Product Documentation
Security and Compliance Manager Configuration Packs

Resources

Learning: Connect. Share. Discuss.
Microsoft Certification & Training Resources
http://northamerica.msteched.com
www.microsoft.com/learning

TechNet: Resources for IT Professionals
http://microsoft.com/technet

Resources for Developers
http://microsoft.com/msdn
