Yaniv Feldman, Microsoft Security Regional Director, Infrastructure & Security Lead, db@net Israel
TRANSCRIPT
Microsoft security platform overview (slide)
• Trustworthy Computing (TWC) and the Security Development Lifecycle (SDL)
• Systems Management
• Active Directory and Active Directory Federation Services (ADFS)
• Identity Management Services
• Information Protection: Encrypting File System (EFS), BitLocker
• Protection layers: Client and Server OS, Server Applications, Edge
• Network Access Protection (NAP)
• Forefront "Stirling" Management
Forefront Client Security (FCS)
• One solution for spyware and virus protection
  • Built on protection technology used by millions worldwide
  • Effective threat response
  • Complements other Microsoft security products
• One console for simplified security administration
  • Define one policy to manage client protection agent settings
  • Deploy signatures and software faster
  • Integrates with your existing infrastructure
• One dashboard for visibility into threats and vulnerabilities
  • View insightful reports
  • Stay informed with state assessment scans and security alerts
Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control.
Forefront Client Security agent
• Unified agent for virus and spyware protection; common engine used by Windows Defender, OneCare and Forefront Server Security
• On-access protection via a kernel-mode mini-filter built on the Windows Filter Manager platform: malware is prevented from executing entirely (anti-virus and anti-spyware)
• User-mode scanning: system configuration, IE add-ons and configuration, IE and Office downloads, services and drivers, application execution and registration
• Scheduled and on-demand scans
  • Quick scan: in-memory processes, targeted directories, common malware extensibility points
  • Full scan: quick scan plus local drives
• Agent behaviour manageable by the IT administrator
  • Flexible scan scheduling (time and interval based)
  • Signature update frequency, roaming-user fail-over
  • Exclusions: file extensions, directories
  • Signature overrides: by specific malware, by malware category
• Local end-user interface is policy aware: locked-down settings are greyed out, or the user interface can be locked down completely
• SpyNet reporting
• Compatible with Windows Security Center and Vista NAP: reports anti-virus and anti-spyware status (on/off and whether signatures are up to date)
Malware research and response
• The research and response organization delivers malware signatures for Forefront Client Security, Forefront Server Security, Windows Live OneCare, Windows Defender and the Malicious Software Removal Tool (MSRT); currently protecting millions of systems
• The research team uses multiple data sources to identify threats: released products (Windows Defender, OneCare, MSRT, etc.); other sources (PSS, Hotmail, web crawling, customer submissions); partnerships with industry
• Top priority is responding to active threats in the wild
• Automation in analysis: automatic malware submission storage and retrieval, resolving of duplicate submissions, prioritization of sample analysis
• Building out a global 24x7 organization (US, Europe, Asia Pacific)
• Industry certifications: ICSA Labs, West Coast Labs (OneCare currently; the same is expected for FCS)
Questions the security state assessment is meant to answer:
"Is my environment compliant with security best practices?"
"Has my level of vulnerability exposure changed over time?"
"What portion of my environment is at high risk?"
Problem: single point of failure (slide diagram). Internet-facing SharePoint, ISA Server, SMTP server and Exchange servers, exposed to viruses, worms and spam, are all protected by a single vendor's single engine ("A" on every server), so that one engine is the single point of failure for the whole messaging path.
Problem: management and cost (slide diagram). The same servers protected by multiple vendors and engines (A, B, C, D, E spread across the different servers) remove the single point of failure, but at the cost of managing several vendors' products, consoles and update paths.
Forefront Server Security products integrate and ship with industry-leading antivirus scan engines from multiple vendors (the vendor logos shown on the slide are not reproduced here). Each scan job in a Forefront Server Security product can run up to five engines simultaneously.
Forefront Server Security for internal messaging and collaboration servers (slide diagram: engines A, B, C, D and E all run on the same server).
• Comprehensive protection: ships with and manages multiple antivirus engines; file filtering and premium anti-spam protection; file and content keyword filtering for SharePoint
• Optimized performance: deep integration with the platform; scanning innovations and performance controls; maintains uptime and optimizes performance
• Simplified management: easily manage configuration and operation; automated signature updates; reporting, notifications and alerts
Response time¹ (in hours): the Forefront Server Security multiple-engine advantage

WildList   Malware name       Forefront  Forefront  Forefront  Vendor 1*  Vendor 2*  Vendor 3*
number                        Set 1      Set 2      Set 3
10/2006    Areses!Itw30       0.00**     0.00       0.00       0.00       0.00       0.00
10/2006    Areses!Itw36       0.00       0.00       0.00       1598.78    0.00       0.00
10/2006    Areses!Itw37       0.00       0.00       0.00       0.00       52.30      175.45
10/2006    Areses!Itw41       0.00       0.00       0.00       0.00       13.15      194.35
10/2006    Mytob!Itw590       0.00       0.00       0.00       1332.17    0.00       0.00
10/2006    Rontokbro!Itw36    0.00       0.00       0.00       0.00       0.00       613.40
10/2006    Sdbot!Itw1809      0.00       0.00       0.00       9.97       166.07     270.39
10/2006    Stration!Itw101    0.00       0.00       0.00       93.88      23.46      96.85
10/2006    Stration!Itw102    0.00       0.00       0.00       26.00      28.05      30.83
10/2006    Stration!Itw42     0.92       0.92       0.92       3.72       3.12       7.05
10/2006    Stration!Itw43     2.00       2.00       2.00       4.80       4.20       8.13
10/2006    Stration!Itw44     0.00       0.00       0.00       5.60       2.00       7.58
10/2006    Stration!Itw45     0.00       0.00       0.00       3.55       2.00       7.58
10/2006    Stration!Itw46     0.00       0.00       0.00       2.75       2.20       6.78
10/2006    Stration!Itw47     0.00       0.00       0.00       3.72       3.12       7.05
10/2006    Stration!Itw60     0.00       0.00       0.00       0.00       4.64       6.32
11/2006    Rbot!Itw2090       0.00       0.00       0.00       1739.10    0.00       298.64
11/2006    Sdbot!Itw1814      0.00       0.00       0.00       1.00       0.00       0.00
11/2006    Sdbot!Itw1866      0.00       0.00       0.00       26.80      1.00       35.27
11/2006    Sdbot!Itw1867      0.00       0.00       0.00       14.00      12.84      23.14
11/2006    Sdbot!Itw1876      0.00       0.00       0.00       468.60     306.82     430.80
11/2006    Stration!Itw124    0.00       0.00       0.38       0.66       1.88       8.80
12/2006    Bagle!Itw137       0.00       0.00       0.00       4.01       0.00       13.83
12/2006    Bagle!Itw141       0.00       0.00       0.00       17.15      0.00       13.83
12/2006    Puce!Itw1          0.00       0.00       0.00       0.00       0.00       1.00
12/2006    Rbot!Itw2038       0.00       0.00       0.00       1026.27    0.00       0.00
12/2006    Sdbot!Itw1889      0.00       0.00       0.00       128.28     255.20     63.96

* Includes beta signatures. ** 0.00 denotes proactive detection.
¹ Source: AV-Test.org 2007 (www.av-test.org)
The single-engine competitor columns were colour-coded on the slide (colours not reproduced): less than 5 hours; 5 to 24 hours; more than 24 hours.
Key value proposition: leverage multiple antivirus research labs
• Diversity of antivirus engines and heuristics
• Rapid response (response time)
• Redundancy

Bias (engine selection per scan job)
• Max Certainty: uses all engines (100%)
• Favor Certainty: uses approximately 75% of available engines*
• Neutral: uses approximately 50% of available engines*
• Favor Performance: uses approximately 25% of available engines*
• Max Performance: uses one engine for every scan*
* Engines used are not always the same: they are dynamically allocated from the available pool.
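The bias levels above, and the redundancy argument of the key value proposition, are easier to reason about with a small model. The following is an added example written for this page, not Forefront code: it allocates a share of a five-engine pool per bias setting, rotates the allocation so consecutive scan jobs draw different engines (the slide's "dynamically allocated"), and returns a malicious verdict as soon as any allocated engine fires. Rounding "approximately 75%" up to the next whole engine, the floor of one engine, the round-robin rotation and the hash-lookup "engines" are all assumptions of this example; the samples and signatures are constructed.

```python
import hashlib
import math

# Bias levels from the slide, as the fraction of the available engine pool
# one scan job uses. "Max Performance" is exactly one engine per scan.
BIAS_FRACTION = {
    "Max Certainty": 1.00,
    "Favor Certainty": 0.75,
    "Neutral": 0.50,
    "Favor Performance": 0.25,
    "Max Performance": None,
}


def engines_for_bias(bias, pool_size):
    """Engines a single scan job draws for the given bias setting.

    The slide says "approximately"; rounding up to the next whole engine and
    the floor of one engine are assumptions of this example, not documented
    product behaviour.
    """
    fraction = BIAS_FRACTION[bias]
    if fraction is None:
        return 1
    return max(1, math.ceil(fraction * pool_size))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class Engine:
    """Stand-in for one vendor's scan engine: a lookup of the sample's SHA-256
    in that vendor's signature set (constructed data, not real signatures)."""

    def __init__(self, name, signatures):
        self.name = name
        self.signatures = set(signatures)

    def detects(self, sample):
        return sha256_hex(sample) in self.signatures


class EnginePool:
    """Pool of installed engines; allocation rotates through the pool so
    consecutive scan jobs do not always draw the same subset."""

    def __init__(self, engines):
        self.engines = list(engines)
        self._cursor = 0

    def allocate(self, count):
        size = len(self.engines)
        count = max(1, min(count, size))
        chosen = [self.engines[(self._cursor + i) % size] for i in range(count)]
        self._cursor = (self._cursor + count) % size
        return chosen


def scan(pool, bias, sample):
    """Scan one sample with the bias's share of the pool. The verdict is
    malicious if ANY allocated engine detects it; returns the names of the
    detecting engines (an empty list means the sample passed as clean)."""
    engines = pool.allocate(engines_for_bias(bias, len(pool.engines)))
    return [engine.name for engine in engines if engine.detects(sample)]


# Constructed samples: for each one, only a single vendor of the five has a
# signature yet, the situation the response-time table illustrates.
SAMPLE_1 = b"constructed sample 1: only vendor A has shipped a signature"
SAMPLE_2 = b"constructed sample 2: only vendor D has shipped a signature"


def build_pool():
    return EnginePool([
        Engine("A", [sha256_hex(SAMPLE_1)]),
        Engine("B", []),
        Engine("C", []),
        Engine("D", [sha256_hex(SAMPLE_2)]),
        Engine("E", []),
    ])


def demo():
    """Scan both samples back to back under every bias; returns
    {bias: (hits for sample 1, hits for sample 2)}."""
    results = {}
    for bias in BIAS_FRACTION:
        pool = build_pool()
        results[bias] = (scan(pool, bias, SAMPLE_1), scan(pool, bias, SAMPLE_2))
    return results


if __name__ == "__main__":
    for bias, (first, second) in demo().items():
        print(f"{bias:18s} sample 1 hits={first}  sample 2 hits={second}")
```

Running the demo shows the trade-off the bias setting controls: Max Certainty catches both samples because every scan uses every engine, while Max Performance catches the first sample (engine A happens to be allocated) and misses the second once the rotation has moved on to engine B. Favor Certainty with four of five engines also misses the second sample in this run, which is the point of the "dynamically allocated" footnote: anything below Max Certainty trades a share of the pool's coverage for throughput on every individual scan.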
Forefront Server Security Management Console
• Central management console: deploys and configures Forefront/Antigen Security for Exchange and SharePoint environments; automates signature updates across the enterprise (SharePoint servers, Exchange servers)
• Over 100 events, performance counters and services monitored: monitors the state of Forefront; collects statistical data on scanning, detection and removal of messages and attachments; polls Forefront services, providing timed events to poll systems for critical process health
• Key tasks: triggers scan engine updates; centralizes storage and deployment of license files; imports, exports and deploys setting changes; initiates and/or schedules manual scan jobs; starts and stops Forefront services
Exchange 2007 server roles (slide diagram): Edge Transport (routing, hygiene) facing the Internet and other SMTP servers; Hub Transport (routing, policy) on the enterprise network; Mailbox (mailboxes, public folders); Client Access (applications: OWA; protocols: ActiveSync, POP, IMAP, RPC/HTTP, ...; programmability: web services, web parts); Unified Messaging (voice messaging, fax) connected to a PBX or VoIP.
Transport scanning in Exchange 2007
• New intelligent scanning does not re-scan email that has already been scanned
• By default, email scanned at the Edge Transport or Hub Transport role is not scanned again when routed or deposited into mailboxes
• Minimizes AV scanning overhead to maximize mail system performance and significantly reduces scanning impact at the store
• Can be turned off to allow scanning at all points
Transport scanning, inbound mail (slide diagram): Internet -> Edge Server (SCAN and STAMP) -> Hub role (NO SCAN) -> Mailbox role (NO SCAN) -> public folder / client.
• Mail is scanned only once, at the Edge
• Saves processing load on Hub and Mailbox servers

Transport scanning, internal mail (slide diagram): client -> Hub role (SCAN and STAMP) -> Mailbox role (NO SCAN) -> public folder / client; the Edge server is not on the path.
• Internal mail is routed through the Hub role
• Proactive scanning at the Mailbox server (store) is turned off by default
• Saves processing load on Mailbox servers
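The "scan and stamp" flow in the two diagrams above, as an added example written for this page rather than Forefront or Exchange code: the Edge role scans and stamps, the Hub and Mailbox roles honour the stamp and skip their own scan, and the "scan at all points" setting is a flag that switches the optimization off. The header name `X-Example-AVStamp`, the `TransportScanner` model and the `CONSTRUCTED-MALWARE-MARKER` detection rule are assumptions of this example. The check a practitioner should look for is the one in `edge()`: a stamp arriving on an untrusted connector must be stripped before anything honours it, otherwise an attacker who adds the header to Internet mail could walk past the Hub and Mailbox scans.

```python
from dataclasses import dataclass, field

# Hypothetical header name used by this example. It stands in for the
# organization-internal "AV stamp" the slide refers to and is not the
# header Forefront or Exchange actually write.
STAMP_HEADER = "X-Example-AVStamp"

# Constructed detection rule: any body containing this marker is "malware".
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"


@dataclass
class Message:
    body: bytes
    headers: dict = field(default_factory=dict)
    from_internet: bool = False   # received on the Internet-facing connector


class TransportScanner:
    """Models the scan-once behaviour across the Edge, Hub and Mailbox roles.
    scan_once=False reproduces the 'scan at all points' setting."""

    def __init__(self, scan_once=True):
        self.scan_once = scan_once
        self.scan_log = []   # one entry per engine scan actually performed

    def _run_engines(self, role, msg):
        self.scan_log.append(role)
        return MALWARE_MARKER in msg.body

    def _scan_and_stamp(self, role, msg):
        if self._run_engines(role, msg):
            return "BLOCKED"
        msg.headers[STAMP_HEADER] = f"scanned-at-{role}"
        return "DELIVERED"

    def edge(self, msg):
        # A stamp on an untrusted submission is never honoured: strip it before
        # scanning, or an attacker who adds the header from the Internet could
        # make the Hub and Mailbox roles skip their scans.
        if msg.from_internet:
            msg.headers.pop(STAMP_HEADER, None)
        return self._scan_and_stamp("Edge", msg)

    def _internal_role(self, role, msg):
        if self.scan_once and STAMP_HEADER in msg.headers:
            return "DELIVERED"            # already scanned upstream, no rescan
        return self._scan_and_stamp(role, msg)

    def hub(self, msg):
        return self._internal_role("Hub", msg)

    def mailbox(self, msg):
        return self._internal_role("Mailbox", msg)


def deliver_inbound(scanner, msg):
    """Internet -> Edge -> Hub -> Mailbox, stopping at the first block."""
    for hop in (scanner.edge, scanner.hub, scanner.mailbox):
        if hop(msg) == "BLOCKED":
            return "BLOCKED"
    return "DELIVERED"


def deliver_internal(scanner, msg):
    """Internal mail is submitted to the Hub and stored by the Mailbox role."""
    for hop in (scanner.hub, scanner.mailbox):
        if hop(msg) == "BLOCKED":
            return "BLOCKED"
    return "DELIVERED"


if __name__ == "__main__":
    s = TransportScanner()
    print(deliver_inbound(s, Message(b"quarterly report", from_internet=True)), s.scan_log)
    s = TransportScanner(scan_once=False)
    print(deliver_inbound(s, Message(b"quarterly report", from_internet=True)), s.scan_log)
    s = TransportScanner()
    forged = Message(MALWARE_MARKER, headers={STAMP_HEADER: "scanned-at-Edge"}, from_internet=True)
    print(deliver_inbound(s, forged), s.scan_log)
```

With scan-once enabled an inbound message is scanned exactly once (`scan_log == ["Edge"]`), with it disabled all three roles scan, and the forged-stamp message is still blocked at the Edge because the stamp was discarded before the Edge decided anything. Internal mail, which never passes the Edge, is scanned once at the Hub and not again at the store, matching the second diagram.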
Premium anti-spam
• Forefront Security for Exchange Server licenses and activates the premium anti-spam features for Exchange 2007; deployed on the Exchange Edge or Hub server role
• The Edge server can be deployed in front of Exchange 2003 mailboxes
• Built upon the base anti-spam in Exchange 2007, premium anti-spam protection adds: the Microsoft IP reputation filter service and automated updates; automated updates for Microsoft SmartScreen spam heuristics, phishing web sites and the Intelligent Message Filter (IMF); targeted spam signature data and automatic updates to identify the latest spam campaigns
Forefront Security for SharePoint (slide diagram: users upload documents to and download them from a SharePoint server whose document library is stored in SQL)
• Virus protection for document libraries: real-time scanning of documents uploaded to and downloaded from the document library; manual and scheduled scanning of the document library
• Content policy enforcement: file filtering to block documents from being posted based on name match, file type or file extension; content filtering by keywords within documents for inappropriate words and phrases
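The content-policy rules above distinguish "file type" from "file extension", and the distinction matters: an executable renamed to `.txt` keeps its extension check clean but not its type. The following added example, written for this page and not taken from Forefront, evaluates an upload against a constructed policy of name patterns, blocked extensions, blocked true types (identified from leading bytes) and blocked keywords, and reports every rule that fired. The `POLICY` dictionary, the `MAGIC_NUMBERS` table and the `evaluate_upload` function are assumptions of this example; the keyword check only reads plain text, where the product also parses Office documents.

```python
import fnmatch

# Leading bytes ("magic") that identify the true container type regardless of
# the name the uploader chose. A few signatures are enough for the demo.
MAGIC_NUMBERS = (
    (b"MZ", "pe-executable"),         # .exe/.dll/.scr
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),           # also Office 2007 .docx/.xlsx containers
    (b"\xd0\xcf\x11\xe0", "ole2"),    # legacy .doc/.xls
)

# Constructed policy in the spirit of the slide: name match, file type,
# extension and keywords. Not the product's own configuration format.
POLICY = {
    "name_patterns": ["*payroll*", "*.bak"],
    "extensions": {"exe", "scr", "vbs", "bat"},
    "types": {"pe-executable"},
    "keywords": ["internal use only", "do not distribute"],
}


def detect_type(data):
    """True type from the first bytes, not from the filename."""
    for magic, kind in MAGIC_NUMBERS:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(filename):
    name = filename.lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def evaluate_upload(filename, data, policy=POLICY):
    """Return the list of policy violations for a document; an empty list means
    the upload is allowed. Every rule is evaluated so the notification an
    administrator receives lists all the reasons, not just the first."""
    reasons = []
    lowered = filename.lower()
    for pattern in policy["name_patterns"]:
        if fnmatch.fnmatch(lowered, pattern):
            reasons.append(f"name matches blocked pattern {pattern}")
    ext = extension_of(filename)
    if ext in policy["extensions"]:
        reasons.append(f"extension .{ext} is blocked")
    kind = detect_type(data)
    if kind in policy["types"]:
        reasons.append(f"content is a {kind} regardless of its name")
    # Keyword filtering here only inspects plain text; Office containers would
    # need to be unpacked and parsed first, which this example does not do.
    text = data.decode("utf-8", errors="ignore").lower()
    for keyword in policy["keywords"]:
        if keyword in text:
            reasons.append(f"contains blocked phrase '{keyword}'")
    return reasons


if __name__ == "__main__":
    # Constructed uploads: a renamed executable, a real one, a name match,
    # a keyword hit and a clean document.
    uploads = [
        ("minutes.txt", b"MZ\x90\x00 remainder of a PE image"),
        ("setup.exe", b"MZ\x90\x00 remainder of a PE image"),
        ("payroll_q3.csv", b"name,salary\n"),
        ("notes.txt", b"This memo is INTERNAL USE ONLY."),
        ("agenda.txt", b"Agenda for Monday"),
    ]
    for name, content in uploads:
        verdict = evaluate_upload(name, content)
        print(f"{name:16s} {'BLOCKED' if verdict else 'allowed'} {verdict}")
```

The renamed executable is the case worth noting: `minutes.txt` passes the extension rule and is caught only by the type rule, while `setup.exe` trips both. A policy that lists extensions alone is what an uploader defeats by renaming the file.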
Forefront Security for Office Communications Server (slide diagram): external users and public IM networks reach the Access Edge Server in the perimeter network through ISA Server; remote users (VPN) and a federated (trusted) organization connect to the Front-End and Director servers on the internal network.
FSOCS scans IM messages and file transfers flowing through OCS 2007 by protecting each instance of a Standard Edition, Front End, Director and Access Edge server role.
Roadmap (slide)
• Past: separate Client, Server and Edge protection products
• Current: Next Generation Client Security, Next Generation Server Security, Next Generation Edge Security
• Future: integrated protection and management, codename "Stirling"
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Yaniv [email protected]
Thanks for Listening