Introduction: Understanding How Aligning Desktop Security and Management Reduces Both
Summary: Attaining Management and Security Advantages by Merging Security and Client
Over the years, client management and endpoint security have traditionally been separate disciplines within IT organizations, each with their own teams and tools. As each discipline matured to address increasingly sophisticated threats to user productivity, system complexity increased, functionality and processes began to overlap, and ownership costs crept steadily upward. Despite recognizing inefficiencies, many organizations have been forced to maintain the status quo because of limited options. Security and management solutions continue to be sold separately, forcing IT to purchase, deploy, and manage two entirely separate infrastructures despite each playing a critical role in reducing risk inherent in desktop environments.
Microsoft has fundamentally changed this approach with the release of Forefront Endpoint Protection (FEP) 2010, built on System Center Configuration Manager. FEP provides organizations with comprehensive endpoint security to protect operating systems against malware and exploits. By combining this protection with the client management capabilities of Configuration Manager, organizations can use a single tool set to increase security and lower infrastructure costs.
This white paper focuses on understanding what the inclusion of FEP into Configuration Manager means for organizations, and how combining security and client management into a single, streamlined work stream breaks down the unnatural barriers and silos traditionally created between these two practices.
In the process, organizations can use the integration between client and security management to reduce process friction, increase effectiveness, and improve overall management capabilities.
Understanding System Center Configuration Manager
System Center Configuration Manager is a full-fledged and highly capable systems management tool that is used by a wide range of organizations to help manage the entire lifecycle of clients and servers, from provisioning, to maintenance and patch management, to security and vulnerability management. It has a long history of helping organizations better manage their client and server systems, providing capabilities such as:
Hardware and software inventory
Patch management
Configuration management
Operating system deployment
Endpoint vulnerability management
Understanding Forefront Endpoint Protection
Forefront Endpoint Protection (FEP) is a highly accurate and reliable endpoint protection product that provides comprehensive threat protection for clients and servers, including:
Virus and spyware detection and removal
Network-layer intrusion prevention
Windows firewall management
Behavioral monitoring
FEP, the next generation release of Forefront Client Security, provides a departure from the administrative experience offered by other industry client security tools. Because FEP builds directly on the Configuration Manager infrastructure, the joint solution provides centralized reporting, administration, deployment, and management for both client security and management.
Assessing the Risk Inherent in Configuration Management
In modern computing environments, it is impossible to separate protecting client computers against threats and vulnerabilities from configuring and managing those systems. Indeed, configuration management itself is the primary means of quickly making computers “immune” to security incidents, since the leading cause of security issues is client misconfiguration.
Focusing solely on security outbreaks, spyware, and viruses can lead to tunnel vision in dealing with the overarching problems of endpoint management. For example, some organizations have found that users with local admin rights will often disable services, turn off the Windows firewall, and overwrite critical system files, all of which affect the security of the client itself. Therefore, configuration management is an integral part of desktop security.
Remediating Vulnerabilities
Traditionally, with security and client management as part of separate disciplines, the security management team has no insight into which systems are patched and which are vulnerable to a specific outbreak or virus. These viruses or exploits are separate from misconfiguration vulnerabilities and involve malware developers who specifically seek to exploit known issues in the operating system.
Without knowing which systems may be affected by a zero-day attack, security administrators may need to lock down all client systems en masse via the local Host Intrusion Prevention System (HIPS), which can severely restrict client activity and interfere with productivity.
Using FEP with Configuration Manager improves on this situation by allowing administrators to quickly determine whether a particular patch has been deployed and on which systems it has been successfully installed. Where the patch is installed, FEP does not enable vulnerability shielding (a form of HIPS), so end users remain productive without being locked down. Where the patch is not installed, vulnerability shielding can be enabled until the patch is in place, at which time the shielding is turned off again. This allows zero-day threats to be mitigated by quickly clamping down on client security, but only for those systems that are truly vulnerable.
Improving Policy Management
In organizations with separate security and client management, managing the policies themselves becomes a serious challenge. The two toolsets maintain separate namespaces, which introduces inconsistencies such as duplicated names for computers, devices, and users, and the chance that policies are applied haphazardly. In addition, security personnel do not have access to critical information about each client, including hardware and software inventory, patch levels, and the users of each system.
Without this critical information, logical decisions about how to handle security events are often a challenge.
FEP improves on policy management by automatically inheriting the user and device collections that have been created in Configuration Manager and allowing policies to be applied automatically to those collections.
Policy decisions can be made quickly and accurately based on information provided in a single view. For example, a Configuration Manager Collection whose members all have a specific application installed can be easily targeted if a virus outbreak targets that application.
An additional advantage is that users or systems can belong to multiple groups, and priorities can be established between these groups, so that an ‘executive users’ group takes precedence over a generic ‘mobile users’ group.
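Collection-based policy targeting with precedence between overlapping groups, as an added example that is not part of the original paper or of FEP itself: the inventory, collection rules, precedence numbers and policy settings below are constructed for illustration, and Configuration Manager's real collection and policy models are not reproduced.

```python
# Constructed software inventory (host -> installed applications), standing in
# for what Configuration Manager's hardware/software inventory would report.
INVENTORY = {
    "EXEC-01": {"Office", "LegacyViewer"},
    "LAPTOP-07": {"Office", "VPN"},
    "WS-001": {"Office"},
}

# Constructed collections: name -> (precedence, membership rule). Lower number
# wins when a host belongs to several collections, so 'Executive Users' beats
# 'Mobile Users', which beats the catch-all collection.
COLLECTIONS = {
    "Executive Users": (1, lambda host, apps: host.startswith("EXEC-")),
    "Mobile Users": (2, lambda host, apps: "VPN" in apps),
    "LegacyViewer Installed": (3, lambda host, apps: "LegacyViewer" in apps),
    "All Workstations": (9, lambda host, apps: True),
}

# Constructed policy fragments: each collection states only the settings it
# overrides; the catch-all supplies every default.
POLICIES = {
    "Executive Users": {"scan_schedule": "nightly", "alert_priority": "high"},
    "Mobile Users": {"firewall_profile": "public", "scan_schedule": "weekly"},
    "LegacyViewer Installed": {"realtime_protection": "strict",
                               "vulnerability_shielding": True},
    "All Workstations": {"scan_schedule": "weekly", "firewall_profile": "domain",
                         "realtime_protection": "standard", "alert_priority": "normal",
                         "vulnerability_shielding": False},
}

def memberships(host):
    """Collections the host falls into, highest precedence first."""
    apps = INVENTORY[host]
    return sorted((c for c, (_, rule) in COLLECTIONS.items() if rule(host, apps)),
                  key=lambda c: COLLECTIONS[c][0])

def effective_policy(host):
    """Apply fragments from lowest to highest precedence so the top collection wins."""
    policy = {}
    for collection in reversed(memberships(host)):
        policy.update(POLICIES[collection])
    return policy

if __name__ == "__main__":
    for host in INVENTORY:
        print(host, memberships(host), effective_policy(host))
```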
Responding to Outbreaks
Responding appropriately to outbreaks is a common issue for all organizations regardless of what security and client management tools they use. For organizations with separate security and client management tools, information flow is impacted by the unnatural barrier placed between the two disciplines, and the security team does not know which systems are vulnerable or at the highest risk.
This lack of visibility allows threats to spread more quickly as the security team cannot triage effectively.
In addition, during an event after initial triage, it is often the desktop team that is tasked with responding to infected machines, which requires coordination between teams and tools. This can be challenging as there may often be friction between the teams in terms of communications. Finally, responding to outbreaks also requires an in-depth knowledge of which systems failed to automatically clean themselves.
FEP with Configuration Manager greatly improves outbreak response by aggregating all pertinent information into one unified view. The security team receives an outbreak alert when a configurable threshold of infected machines is reached: if enough systems are infected in a short period of time, e-mail alerts are sent to the security team, allowing them to react quickly to a significant outbreak.
Likewise, if a high-priority machine is infected with high-risk malware, it is escalated to the security team, who can then triage the situation. However, if it does not meet the criteria for notifying the security team, such as an infection of a single low-risk computer with low-risk malware, only the desktop management team is informed. Following the incident, the security team can then identify potentially vulnerable systems quickly and see which systems failed to be automatically remediated.
Automating Incident Cleanup
Automating the cleanup of incidents can be a complicated task. Setting thresholds for security response requires accurate information about the number of infections, but also insight into whether a system is being constantly re-infected—a sign of a more serious problem such as a rootkit infection. While many security platforms have the ability to set thresholds, they lack visibility into the history of the client.
FEP places all the information required to automate incident cleanup into a single view. This allows security administrators to quickly determine whether re-infections are taking place and to immediately take proactive steps such as re-formatting and re-building a problem system directly from the console.
In addition, this process can be automated in the case of large-scale infections.
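The thresholding, escalation and re-infection logic described in this section and in Responding to Outbreaks, as an added example that is neither FEP code nor part of the original paper: the detection events, malware names, host priorities and threshold values are constructed stand-ins for what the FEP and Configuration Manager consoles would hold.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed detection events (host, time, malware name, malware severity),
# standing in for what the endpoint-protection console aggregates.
DETECTIONS = [
    ("WS-001", "2011-03-01T09:00:00", "Trojan:Win32/Alpha", "high"),
    ("WS-002", "2011-03-01T09:05:00", "Trojan:Win32/Alpha", "high"),
    ("WS-003", "2011-03-01T09:07:00", "Trojan:Win32/Alpha", "high"),
    ("WS-007", "2011-03-01T10:00:00", "Adware:Win32/Beta", "low"),
    ("WS-007", "2011-03-01T14:00:00", "Adware:Win32/Beta", "low"),
    ("WS-007", "2011-03-02T09:00:00", "Adware:Win32/Beta", "low"),
    ("EXEC-01", "2011-03-02T11:00:00", "Backdoor:Win32/Gamma", "high"),
]
# Constructed asset context from the client-management inventory: hosts in an
# "executive" collection rank above generic workstations; unlisted hosts are normal.
HOST_PRIORITY = {"EXEC-01": "high"}

def outbreak_alert(detections, threshold=3, window=timedelta(hours=1)):
    """True when at least `threshold` distinct hosts were infected within one `window`."""
    events = sorted((datetime.fromisoformat(t), h) for h, t, _, _ in detections)
    for i, (start, _) in enumerate(events):
        hosts = {h for t, h in events[i:] if t - start <= window}
        if len(hosts) >= threshold:
            return True
    return False

def route(severity, priority):
    """Security team handles high-risk malware or high-priority hosts; the rest goes to desktop."""
    return "security" if "high" in (severity, priority) else "desktop"

def reinfected_hosts(detections, min_hits=3):
    """Hosts re-detected repeatedly: cleaning is not sticking, so queue a rebuild."""
    hits = Counter(h for h, *_ in detections)
    return sorted(h for h, n in hits.items() if n >= min_hits)

def triage(detections, host_priority):
    """Single-view triage: outbreak flag, per-host routing, and rebuild candidates."""
    routes = {}
    for host, _, _, severity in detections:
        routes[host] = route(severity, host_priority.get(host, "normal"))
    return {
        "outbreak": outbreak_alert(detections),
        "routes": routes,
        "rebuild": reinfected_hosts(detections),
    }

if __name__ == "__main__":
    print(triage(DETECTIONS, HOST_PRIORITY))
```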
Providing for Integrated Security Incident Management
Configuration management is one of the primary tools for remediating IT security vulnerabilities, since the majority of vulnerabilities are configuration-related. For example, a large portion of system weaknesses is due to poor system configuration, and another large percentage can be easily resolved through proper patch management. Simply by bringing configuration management into the equation, a large percentage of security vulnerabilities and issues can be removed before they even occur.
Consolidating Tools and Processes Within a Single Infrastructure
Maintaining and managing multiple sets of tools for client management can be significantly more expensive than deploying a strategy that integrates those tools into a single infrastructure. Products that address one specific need, such as security, can be much more expensive to operate in the long run as they require parallel sets of server infrastructure, client agents, training, and administration.
Consolidation of these tools into a single platform is ideal, as it allows the security infrastructure to piggyback on an established client and configuration management environment such as that provided by System Center Configuration Manager. This allows the entire lifecycle, including the security aspects of clients, to be managed from a single tool built on a common infrastructure and with a single set of processes.
For organizations with an existing investment in System Center Configuration Manager, integrating FEP with the Configuration Manager platform is even more appealing. Existing infrastructure and organizational knowledge of Configuration Manager Collections can be leveraged, which helps to encourage infrastructure consolidation. In addition, administrators already trained on Configuration Manager can quickly learn to manage and administer FEP as part of the environment, further leveraging organizational knowledge.
Creating a Single Management View Across Endpoints
Consolidating security, client, and configuration management into a single toolset has the additional advantage of providing a single management view across all systems. Administrators can take a comprehensive approach to client management, viewing all layers of client health, from security to patch management to configuration management.
By creating a common management view across all endpoints, FEP and Configuration Manager together allow the barriers that may exist between security and desktop teams to dissolve, while at the same time providing for delegation of administration where the separation of team duties is maintained.
Creating More Efficient Processes
FEP as part of Configuration Manager can help organizations to become more efficient with client management, through the reduction of costs associated with management, such as administrative overhead and tasks, analysis, and reporting. Rather than having competing reporting and administration consoles, all information is gathered from one unified console. For example, administrators could identify that deployment of a new software application is directly correlated with an increase in security incidents. They could use the consolidated console to quickly determine that the software itself opens new vulnerabilities in their clients and could quickly move to slow or stop deployment until the situation has been resolved.
By reducing factors that are related to management costs, such as end-user and administrator error, help desk calls, and other overhead, FEP can result in significantly less cost than what would be incurred by running a separate security platform from the client management platform.
Simplifying Client Deployment
Deployment of the client components required for security management can be a significant undertaking, and can be complex and cumbersome. In addition, using a separate tool requires additional infrastructure to be dedicated to the task of client deployment. Deploying the client can also require the endpoint protection strategy be merged into current deployment technologies and maintained with a separate set of policies that are manually kept in sync—all factors that can lead to additional overhead costs.
Because FEP builds directly on top of Configuration Manager infrastructure, organizations have a single deployment mechanism to maintain and deploy, and a single set of infrastructure that can be used for both client and security management. To make things even easier, FEP creates base software packages as part of the installation process that can be instantly deployed via Configuration Manager to provide for the client components required for FEP.
Uninstallation of legacy security solutions is streamlined with FEP and Configuration Manager as well, as the Configuration Manager agent coordinates the client uninstall with the new installation of FEP, eliminating the window in which the system could potentially be unprotected.
FEP allows organizations to take advantage of the natural efficiencies that are involved in combining management of both security and clients in a single toolset. By combining these functions, it helps to break down unnatural barriers between security and client management that have developed over time in many organizations.
FEP helps to improve overall security with better response times, better information about incidents, patch levels, and client health, and improved cleanup capabilities. It does this through the integration with Configuration Manager and the visibility that it gives into client patch levels, hardware, software, and other client history.
In addition, FEP and Configuration Manager together help to reduce overall infrastructure costs by allowing organizations to deploy with a single set of agents, deployment methodologies, reporting, and management infrastructure. Organizations with existing investments in Configuration Manager, in particular, can take advantage of their existing architecture to deploy and administer the security of their client systems.