System Center Endpoint Protection 2012 R2

1. Management Consulting | IAM and Data Protection | Governance Risk and Compliance
System Center
Endpoint Protection 2012 R2
Norman W. Mayes CISSP, MCSE: Private Cloud, ITIL-F
February 2014
© 2014 Edgile, Inc. – All Rights Reserved

2. Table of Contents
System Center Endpoint
Protection 2012 R2
1
Key Features and Benefits
2
Competitive Protection
2

3. System Center Endpoint Protection
Key Features and Benefits
Simplified
Administration
Comprehensive Protection Stack
Real time Endpoint Protection operations from console
Malware-driven operations from the console
Client-side merge of antimalware policies
Single administrator
experience for simplified
endpoint protection and
management
© 2014 Edgile, Inc. – All Rights Reserved
Simplified, 3X delivery of definitions through software updates
New and improved Endpoint Protection client
3

4. System Center Endpoint Protection
Comprehensive Protection Stack
Building on Windows Platform Security
System Center Configuration Manager and Endpoint Protection
Management
Software
Updates +
SCUP
Endpoint
Protection
Management
Settings
Management
Operating
System
Deployment
Software
Distribution
MDM
System Center 2012 Endpoint Protection
Antimalware
Antimalware
Behavior
Monitoring
Dynamic
Translation
Vulnerability
Shielding
Windows
Defender
Offline
Cloud Clean
Restore
ELAM and
Measured
Boot
Windows
AppLocker
BitLocker
Data
Execution
Prevention
Address Space
Layout
Randomization
Windows
Resource
Protection
Platform
Internet
Explorer
Secure Boot
Through UEFI
Early Launch
Antimalware
(ELAM)
Measured
Boot
User Access
Control
Available only in Windows 8.x
© 2014 Edgile, Inc. – All Rights Reserved
4

5. System Center Endpoint Protection
Real-Time Operations
 Endpoint protection operations
to clients in
<1 minute
 Available Endpoint
protection operations:
–
–
–
–
–
–
Run definition updates
Run quick scan
Run full scan
Allow threats
Exclude paths and/or files
Restore files quarantined by
threat
© 2014 Edgile, Inc. – All Rights Reserved
5

6. System Center Endpoint Protection
Malware Driven Operations
Admin can easily view and take follow up actions on
specific malware by type, and remediation status
© 2014 Edgile, Inc. – All Rights Reserved
6

7. System Center Endpoint Protection
Client-Side Merge
Endpoint Protection Policies
 Create granular policies
for specific scenarios and
have those merged on
the clients
 Removes overhead
of redundant policies
 Policies still honors relative
priority, and merge when
possible (exclusions, for
example)
© 2014 Edgile, Inc. – All Rights Reserved
7

8. System Center Endpoint Protection
Software Update Integration
Architectural Changes to Support Updates 3X per Day
 Category-based scans from clients
 Delta synchs between Software Update Point (SUP) and WSUS
Architectural Changes to Simplify SUP Setup
 Source top-level SUP from internal WSUS server
 Simplified, fault tolerant software update point setup (add multiple SUPs
as needed, up to 8 per Primary Site no NLB or active SUP requirements)
– Multiple SUP model is built for fault tolerance
– Best performance comes from using a shared SUSDB for your software update points
– Clients are optimized to NOT switch SUPs, and only do so after 4 failures (@ 30 minute
intervals)
– Full cross-forest support of SUPs including untrusted forests
– Clients optimized to fallback to SUPs within their own forest first
– Use Group Policy preferences if setting a WSUS server for client deployments
© 2014 Edgile, Inc. – All Rights Reserved
8

9. System Center Endpoint Protection
Software Update Overview
Hierarchy (Forest1)
Hierarchy (Forest2)
Primary Site
Software
Update Point 1
Software
Update Point 2
Software
Update Point 3
Software
Update Point 4
4X
Client
Client
Client.Forest1
© 2014 Edgile, Inc. – All Rights Reserved
Client.Forest2
9

10. System Center Endpoint Protection
Enhanced Protection
Enhanced Protection
Common antimalware platform across Microsoft AM clients
Proactive protection against known and unknown threats
Integration with UEFI Trusted Boot, early-launch antimalware
Reduced complexity while protecting clients
Protect against known and
unknown threats with
endpoint inspection at
behavior, application, and
network levels
© 2014 Edgile, Inc. – All Rights Reserved
Heterogeneous antimalware clients
Competitive protection: Endpoint Protection vs. Trend Micro
10

11. System Center Endpoint Protection
Common Antimalware Platform
Platform Overview
 Common platform for all of Microsoft’s antimalware clients
 Security Essentials alone has +100 million users (#1 in North America)
 +660 million executions of Malicious Software Removal Tool per month
 All of these clients service Microsoft’s protection services research
and response
Diagnostic
and Recovery
Toolkit
© 2014 Edgile, Inc. – All Rights Reserved
Windows
Defender
Offline
11

12. System Center Endpoint Protection
Reduced Complexity
Simple Interface
 Minimal, high-level user
interactions
Administrative Control
 User configurability options
 Central policy enforcement
 UI Lockdown and disable
Maintains High Productivity
 CPU throttling during scans
 Faster scans through
advanced caching
 Minimal network and client
© 2014 Edgile, Inc. – All Rights Reserved
12

13. System Center Endpoint Protection
Heterogeneous Antimalware Clients
Features
 Anti-virus and anti-malware support
 Machines connect directly to internet service for security content
 Client UI for user visibility and control
 SCOM monitoring pack for Linux with management control
Platforms
 Native support for Windows 8.1 and Windows Server 2012 R2
 Apple Mac (10.6-10.7)
 Linux Server: RedHat Enterprise 6, SuSE Linux 11
© 2014 Edgile, Inc. – All Rights Reserved
13

14. Table of Contents
System Center Endpoint
Protection 2012 R2
1
Key Features and Benefits
2
Competitive Protection
14

15. System Center Endpoint Protection
Competitive Protection
CHALLENGERS
Endpoint Protection
LEADERS
Symantec
McAfee
Trend
Micro
Kaspersky Lab
Sophos
Microsoft
Eset
Bitdefender
Ability to Execute
F-Secure
Panda Security
Webroot
IBM
Check Point
Software Technologies
LANDesk
Lumension
Security
ThreatTrack
Security
BeyondTrust
NICHE PLAYERS
Completeness of Vision
© 2014 Edgile, Inc. – All Rights Reserved
Arkoon
Network
Security
VISIONARIES
As of January 2014
 Microsoft's malware lab benefits from a vast
installation of the consumer version of the SCEP
engine and its online system check utilities,
which provide a large distribution of malware
samples
 System Center Configuration Manager
supports a dedicated endpoint protection role
configuration. SCEP also allows on-demand
signature updates from the cloud for suspicious
files and previously unknown malware
 Organizations licensed under Microsoft's
Enterprise CAL or Core CAL program receive
SCEP at no additional cost. Approximately onethird of enterprise customers are actively
considering Microsoft, during their next renewal
periods
 Microsoft offers advanced system file cleaning,
which replaces infected system files with clean
versions from a trusted Microsoft cloud
15

16. System Center Endpoint Protection
Competitive Protection
Endpoint Protection Challenges
 Microsoft System Center Configuration Manager is
a prerequisite to SCEP
 Microsoft's client anti-malware protection approach:
– Industry test scores are not has high as some competitors
– Focused on reducing the impact of prevalent malware in the
Windows installed base with the lowest false-positive rates in
the industry
 SCEP does not have some advanced features other
endpoint security solutions include
– Microsoft leverages other Windows security features: Windows
Firewall, BitLocker, AppLocker and Group Policy Objects
© 2014 Edgile, Inc. – All Rights Reserved
16

17. System Center Endpoint Protection
Competitive Protection
Trend Micro’s Challenges
 Historically, Trend Micro has been very conservative with new EPP
capabilities, such as encryption and application control
 The core endpoint offerings – OfficeScan and Deep Security – are two
separate products from separate teams with separate consoles. Deep Security
has not been integrated into TMCM for deployment and policy management,
but it has been integrated from a security reporting perspective
 Some capabilities (like encryption) that have been integrated into TMCM still
require their native consoles to be deployed, but from that point forward,
they can be managed within TMCM
 Trend Micro's installed base and market share in North America and EMEA
are not as strong as in Asia/Pacific
 There is no out-of-the-box security state assessment beyond the EPP agent
status, and no significant integration with operations tools, such as
vulnerability assessments
© 2014 Edgile, Inc. – All Rights Reserved
17

18. System Center Endpoint Protection
Competitive Protection
Cost Avoidance Potential
System Center 2012 R2 server
management licensing maximizes value
while simplifying purchasing. All server
management licenses (SMLs) include the
same components and the ability to
manage any workload. System Center
2012 R2 SMLs are available in two
editions differentiated by virtualization
rights only:
 Datacenter: Maximizes cloud capacity
with unlimited virtualization for high
density private clouds
 Standard: For lightly or non-virtualized
private cloud workloads.
© 2014 Edgile, Inc. – All Rights Reserved
Edition
Components Included
Operations Manager
Microsoft
System Center
2012 R2
Datacenter
Configuration Manager
Data Protection Manager
Service Manager
Virtual Machine Manager
Microsoft
System Center
2012 R2
Standard
Endpoint Protection
Orchestrator
App Controller
18

19. System Center Endpoint Protection
Competitive Protection
Cost Avoidance Potential
 Server Management Licenses are required for
managed devices that run server Operating
System Environments (OSEs). Licenses are
processor-based, with each license covering up
to two physical processors.
 The number of Server MLs required for each
managed server is determined by the number of
physical processor in the server for Datacenter
Edition and either number of physical processors
in the server or number of OSEs being managed
for Standard Edition (whichever is greater).
Example
4 Servers with 4 Cores
Each to Support System Center Roles
4 Servers * 4 Cores / 2 = 6 Server ML Licenses
© 2014 Edgile, Inc. – All Rights Reserved
Server ML Edition Comparison:
Datacenter
Standard
# of physical processors
per license
2
2
# of Managed Operating
System Environments
(OSEs) per license
Unlimited
2
Includes all System Center
server management
components
Yes
Yes
Right to run management
server software and
supporting SQL Server
Runtime (SQL Server
Standard Edition)
Yes
Yes
Manage any type of
supported workload
Yes
Yes
$3,607
$1,323
Open No Level (NL) License
and Software Assurance
(L&SA) 2-year price
19

20. System Center Endpoint Protection
Competitive Protection
Configuration
Manager
Client ML
Cost Avoidance Potential
Client Management Licenses (MLs)
are required for managed devices
that run non-server OSEs. There are
three System Center 2012 R2 Client
ML offerings:
Components
Included
Endpoint
Protection
Subscription
Client
Management
Suite Client
ML
Configuration
Manager
Endpoint
Protection
Service
Manager
Virtual
Machine
Manager
Operations
Manager
Data
Protection
Manager
 Configuration Manager Client ML
Orchestrator
 Endpoint Protection Subscription
 Client Management Suite Client
ML
Included in
Core CAL
Suite
Yes
Yes
No
Core CAL and Enterprise CAL Suites
will continue to be the most cost
effective way to purchase client
management products.
Included in
Enterprise
CAL Suite
Yes
Yes
Yes
Open NL
L&SA 2-year
price
$62
$22
$121
© 2014 Edgile, Inc. – All Rights Reserved
20

21. Wrap Up | Questions and Answers
Norman W. Mayes
425.749.7447
Norman.Mayes@Edgile.com
© 2014 Edgile, Inc. – All Rights Reserved
21