Convergence of Desktop Security and Management: System Center 2012 Endpoint Protection and System Center 2012 Configuration Manager

Transcription

1 Convergence of Desktop Security and Management: System Center 2012 Endpoint Protection and System Center 2012 Configuration Manager Contents INTRODUCTION: UNDERSTANDING HOW ALIGNING DESKTOP SECURITY AND MANAGEMENT REDUCES BOTH COST AND RISK... 2 IMPROVING SECURITY WITH STREAMLINED MANAGEMENT... 3 UNDERSTANDING SYSTEM CENTER 2012 CONFIGURATION MANAGER... 3 UNDERSTANDING SYSTEM CENTER 2012 ENDPOINT PROTECTION... 3 ASSESSING THE RISK INHERENT IN CONFIGURATION MANAGEMENT... 3 IMPROVING POLICY MANAGEMENT... 4 RESPONDING TO OUTBREAKS... 4 AUTOMATING INCIDENT CLEANUP... 5 PROVIDING FOR INTEGRATED SECURITY INCIDENT MANAGEMENT... 5 LOWERING INFRASTRUCTURE COSTS BY CONSOLIDATING SECURITY AND MANAGEMENT... 5 CONSOLIDATING TOOLS AND PROCESSES WITHIN A SINGLE INFRASTRUCTURE... 5 CREATING A SINGLE MANAGEMENT VIEW ACROSS ENDPOINTS... 6 CREATING MORE EFFICIENT PROCESSES... 6 SIMPLIFYING CLIENT DEPLOYMENT... 6 SUMMARY: ATTAINING MANAGEMENT AND SECURITY ADVANTAGES BY MERGING SECURITY AND CLIENT MANAGEMENT TOOLS... 7

2 Introduction: Understanding How Aligning Desktop Security and Management Reduces Both Cost and Risk Over the years, client management and endpoint security have traditionally been separate disciplines within IT organizations, each with their own teams and tools. As each discipline matured to address increasingly sophisticated threats to user productivity, system complexity increased, functionality and processes began to overlap, and ownership costs crept steadily upward. Despite recognizing inefficiencies, many organizations have been forced to maintain the status quo because of limited options. Security and management solutions continue to be sold separately, forcing IT to purchase, deploy, and manage two entirely separate infrastructures despite each playing a critical role in reducing risk inherent in desktop environments. Microsoft has fundamentally changed this approach with System Center 2012 Endpoint Protection (SCEP), built on System Center 2012 Configuration Manager. SCEP provides organizations with comprehensive endpoint security to protect operating systems against malware and exploits. By combining this protection with the client management capabilities of Configuration Manager 2012, organizations can use a single tool set to increase security and lower infrastructure costs. This white paper focuses on understanding what the inclusion of SCEP into Configuration Manager 2012 means for organizations, and how combining security and client management into a single, streamlined work stream breaks down the unnatural barriers and silos traditionally created between these two practices. In the process, organizations can use the integration between client and security management to reduce process friction, increase effectiveness, and improve overall management capabilities.

3 Improving Security with Streamlined Management Understanding System Center 2012 Configuration Manager System Center 2012 Configuration Manager helps IT empower people to use the devices and applications they need to be productive, while maintaining corporate compliance and control. As an enterprise-class systems management solution, it is used by a wide range of organizations to help manage the entire lifecycle of clients and servers from provisioning, to maintenance and patch management, to security and vulnerability management. It also has a long history of helping organizations better manage their client and server systems, providing for capabilities such as: Hardware and software inventory Patch management Configuration management Operating system deployment Endpoint vulnerability management Understanding System Center 2012 Endpoint Protection System Center 2012 Endpoint Protection (SCEP) is a highly accurate and reliable endpoint protection product that provides comprehensive threat protection for clients and servers, including: Virus and spyware detection and removal Windows firewall management Behavioral monitoring SCEP provides a departure from the administrative experience offered by other industry client security tools. Because SCEP builds directly on the Configuration Manager infrastructure, the joint solution provides centralized reporting, administration, deployment, and management for both client security and management. Assessing the Risk Inherent in Configuration Management In modern computing environments, it is impossible to separate protecting client computers against threats and vulnerabilities from configuring and managing those systems. Indeed, configuration management itself is the primary agent for quickly ensuring that computers are immune to security incidents, since the number one cause of security issues is actually the result of client misconfiguration. Focusing solely on security outbreaks, spyware, and viruses can lead to tunnel-vision in dealing with the overarching problems of endpoint management. For example, some organizations have found that users with local admin rights will often disable services, turn off the Windows firewall, and overwrite critical system files that affect the security of the client itself. Therefore, configuration management is an integral part of desktop security.

4 Improving Policy Management In organizations with separate security and client management, management of policies themselves becomes a serious challenge. The two sets of namespaces within the two toolsets can have the effect of introducing inconsistency in results, such as duplication of the names of computers, devices, and users, and the chance that policies will be haphazardly applied. In addition, security personnel do not have access to critical information about each client, including hardware and software inventory, patch levels, and the users using the platform. Without this critical information, logical decisions about how to handle security events are often a challenge. SCEP improves on policy management by automatically inheriting the users and device collections that have been created in Configuration Manager 2012 and allows for policies to be automatically applied to those collections. Policy decisions can be made quickly and accurately based on information provided in a single view. For example, a Configuration Manager 2012 Collection that contains members that all have a specific application installed can be easily targeted if a virus outbreak targets that specific application. An additional advantage is that users or systems can belong to multiple groups, and priorities can be established between these groups, so that an executive users group takes precedent over a generic mobile users group. Responding to Outbreaks Responding appropriately to outbreaks is a common issue for all organizations regardless of what security and client management tools they use. For organizations with separate security and client management tools, information flow is impacted by the unnatural barrier placed between the two disciplines, and the security team does not know which systems are vulnerable or at the highest risk. This lack of visibility allows threats to spread more quickly as the security team cannot triage effectively. In addition, during an event after initial triage, it is often the desktop team that is tasked with responding to infected machines, which requires coordination between teams and tools. This can be challenging as there may often be friction between the teams in terms of communications. Finally, responding to outbreaks also requires an in-depth knowledge of which systems failed to automatically clean themselves. SCEP with Configuration Manager 2012 improves the outbreak response situation greatly by aggregating all pertinent information into one unified view. The security team receives an alert that there is an outbreak by a configurable threshold of machines. If enough systems are infected in a short period of time, alerts are sent to the security team, allowing them to quickly react to a significant outbreak. Likewise, if a high-priority machine is infected with high-risk malware, it is escalated to the security team, who can then triage the situation. However, if it does not meet the criteria for notifying the security team, such as an infection of a single low-risk computer with low-risk malware, only the desktop management team is informed. Following the incident, the security team can then identify potentially vulnerable systems quickly and see which systems failed to be automatically remediated.

5 Automating Incident Cleanup Automating the cleanup of incidents can be a complicated task. Setting thresholds for security response requires accurate information about the number of infections, but also insight into whether a system is being constantly re-infected a sign of a more serious problem such as a rootkit infection. While many security platforms have the ability to set thresholds, they lack visibility into the history of the client. SCEP places all the information required to automate incident cleanup into a single view. This allows security administrators to quickly determine whether re-infections are taking place and to immediately take proactive steps such as re-formatting and re-building a problem system directly from the console. In addition, this process can be automated, in the case of large-scale infections. Providing for Integrated Security Incident Management Use of configuration management concepts is one of the primary tools that can be used for remediation of IT security vulnerabilities, as the majority of vulnerabilities are often configuration-related. For example, a large portion of system weaknesses is due to poor system configuration and another large percentage can be easily resolved through proper patch management. Simply by tying configuration management into the equation, a large percentage of security vulnerabilities and issues can be removed before they even occur. Lowering Infrastructure Costs by Consolidating Security and Management Consolidating Tools and Processes Within a Single Infrastructure Maintaining and managing multiple sets of tools for client management can be significantly more expensive than deploying a strategy that integrates those tools into a single infrastructure. Products that address one specific need, such as security, can be much more expensive to operate in the long run as they require parallel sets of server infrastructure, client agents, training, and administration. Consolidation of these tools into a single platform is ideal, as it allows for the security infrastructure to piggyback off of an established client and configuration management environment such as that provided by System Center 2012 Configuration Manager. This allows for the entire lifecycle, including the security aspects of clients to be managed from a single tool built on a common infrastructure and with a single set of processes. For clients with an investment in System Center 2012 Configuration Manager or its previous versions, integrating SCEP with the Configuration Manager platform is even more appealing. Existing infrastructure and organizational knowledge in Configuration Manager Collections can be leveraged. This helps to encourage infrastructure consolidation. In addition, administrators already trained on Configuration Manager can quickly determine how to manage and administer SCEP as part of the environment, further leveraging organizational knowledge.

6 Creating a Single Management View Across Endpoints Consolidating security, client, and configuration management into a single toolset has the additional advantage of providing for a single management view to be possible across all systems. Administrators can take a comprehensive approach to client management, viewing all layers of client health, from security to patch management to configuration management. By creating a common management view across all endpoints, SCEP and Configuration Manager 2012 together allow for dissolution of the barriers that may exist between security and desktop teams, but at the same time provides for delegation of administration in the instances where the separation of team duties is maintained. Creating More Efficient Processes SCEP as part of Configuration Manager 2012 can help organizations to become more efficient with client management, through the reduction of costs associated with management, such as administrative overhead and tasks, analysis, and reporting. Rather than having competing reporting and administration consoles, all information is gathered from one unified console. For example, administrators could identify that deployment of a new software application is directly correlated with an increase in security incidents. They could use the consolidated console to quickly determine that the software itself opens new vulnerabilities in their clients and could quickly move to slow or stop deployment until the situation has been resolved. By reducing factors that are related to management costs, such as end-user and administrator error, help desk calls, and other overhead, SCEP can result in significantly less cost than what would be incurred by running a separate security platform from the client management platform. Simplifying Client Deployment Deployment of the client components required for security management can be a significant undertaking, and can be complex and cumbersome. In addition, using a separate tool requires additional infrastructure to be dedicated to the task of client deployment. Deploying the client can also require the endpoint protection strategy be merged into current deployment technologies and maintained with a separate set of policies that are manually kept in sync all factors that can lead to additional overhead costs. Because SCEP builds directly on top of Configuration Manager 2012, organizations have a single deployment mechanism to maintain and deploy, and a single set of infrastructure that can be used for both client and security management. To make things even easier, SCEP creates base software packages as part of the installation process that can be instantly deployed via Configuration Manager to provide for the client components required for SCEP. Uninstallation of legacy security solutions is streamlined with SCEP and Configuration Manager 2012 as well, as the Configuration Manager agent coordinates the client uninstall with the new installation of SCEP, eliminating the window in which the system could potentially be unprotected.

7 Summary: Attaining Management and Security Advantages by Merging Security and Client Management Tools SCEP allows organizations to take advantage of the natural efficiencies that are involved in combining management of both security and clients in a single toolset. By combining these functions, it helps to break down unnatural barriers between security and client management that have developed over time in many organizations. SCEP helps to improve overall security with better response times, better information about incidents, patch levels, and client health, and improved cleanup capabilities. It does this through the integration with Configuration Manager 2012 and the visibility that it gives into client patch levels, hardware, software, and other client history. In addition, SCEP and Configuration Manager 2012 together help to reduce overall infrastructure costs by allowing organizations to deploy with a single set of agents, deployment methodologies, reporting, and management infrastructure. Organizations with existing investments in Configuration Manager 2012 and its previous versions have a unique ability to take advantage of their existing architecture and skill sets to deploy and administer the security of their client systems.