
Understanding the Security Assessment Sharing Framework Technology

Hello Forefront Protection Manager users,

In this post and the next one I will describe the FPM capability for simplified and centralized security monitoring, which is based on the Security Assessment Sharing (SAS) framework technology.

Forefront Protection Manager 2010 (FPM) manages several diverse protection technologies. This enables the security administrator to both set a security policy for various security technologies, and monitor those technologies from a single console. We in the FPM team believe that this uniformity and simplicity enables security and IT organizations to function more efficiently.

The Security Assessment Sharing framework (SAS) forms the heart of the Forefront Protection Manager 2010 management and monitoring vision. This framework unites different protection technologies.

Out of the box, Forefront Protection Manager 2010 enables the administrator to monitor security incidents from Forefront Endpoint Protection 2010, Forefront Threat Management Gateway (TMG), Forefront Protection 2010 for Exchange Server, Forefront Protection 2010 for SharePoint, and Forefront Active Directory Protection.

To allow simple monitoring and response generation, a protection technology that joins FPM must conform to the SAS architecture and protocol. Each protection technology reports its security findings by publishing a security assessment to the SAS channel. The assessment is broadcast to all other participants in the channel; the other technologies can use the assessment either to enhance their detection capabilities (we will elaborate on this capability in the future) or to issue a mitigating response. SAS enables the administrator to define how each technology reacts to a certain assessment type (Figure 1). For example, when Forefront Endpoint Protection detects active malware on a computer, it publishes a compromised computer assessment, and then Forefront TMG blocks access to the Internet for that computer (if such a policy is defined by the administrator).

The SAS protocol is not specific to Microsoft products. Hence, any security device that conforms to the protocol can join Forefront Protection Manager 2010 centralized monitoring. As part of Microsoft's Business Ready Security strategy, we have partnered with key security leaders to enable their products to be part of the FPM security ecosystem. For example, TippingPoint, a leader in the provision of intrusion prevention systems, recently announced that they would support FPM integration.


Figure 1: Assessment sharing architecture and concepts. Every FPM participant (including the FPM administrator) can consume and publish security assessments on every asset in the organization. A participant can respond to security assessments based on the response policy defined by the FPM administrator.

In the next post, I will demonstrate how FPM centrally presents the various security incidents coming from the different security technologies in a simplified and unified view.

What other protection technologies would you like to see integrated with Forefront Protection Manager 2010?

Shai Rubin

Posted by ShaiR | 0 Comments

What’s Your (IT Security Monitoring) Cup o’ Tea?

The very basic notion of security products and technologies is to protect your organization. However, most of them require some kind of ongoing monitoring. Each product introduces a model for monitoring built on the threats it deals with as well as the protection it provides - whether it is malware, network signature hits, or abnormal behavior performed by users - the result is the same. The administrator faces lists of security events presented in different flavors (alerts, reports, logs) using different terminologies (and, BTW, these are in different consoles if you really want to master them). On the other hand, some systems, like Microsoft Forefront Stirling, encapsulate all this data into a single risk level for each asset in the organization (users, computers and data).

So what’s the best way? Observing the operation of your protection systems OR watching the security risk impact on your user accounts and computers? We vote for the latter here in the Security Assessment Sharing group in Microsoft. Our perspective is that the protection systems should be utilized and viewed from the projected risk perspective. We have been fortunate to bring the risk perspective from the various enterprise security technologies of Microsoft (from TMG, Forefront Server for Exchange and SharePoint, Forefront Client Security and recently with some third-party vendors) – all of this work, though, is not to monitor the security systems but to bring the most concise and comprehensive angle - what our marketing folks now push as the Microsoft Business Ready Security offering.

So how does this fit in Microsoft codename Stirling? Pretty much like the screenshot below (it's a screen-capture from our very own dogfood that we "eat" here regularly). No one can really run around, check various consoles and manually correlate log files. Stirling allows easy viewing and drilling down into IT assets according to their risk level. In the screenshot below, Stirling calculates the risk associated with each computer. On some of the computers the risk is medium, and on some of them the risk is low. Stirling enables the administrator to identify security incidents on computers with a higher risk, and start by handling those.

[Screenshot: computer list with the risk level Stirling calculated for each computer]

How's the risk calculated?

1. Stirling's Security Assessment Sharing framework (SAS) allows all security solutions to talk in one common language: the security assessment. Each assessment is described by its type (e.g. compromised computer), severity (e.g. high for an active malware that cannot be cleaned) and confidence (e.g. high for a 100% certain security issue observed) – all targeted to describe a specific computer or user account.

2. We apply the asset value of the subject of the assessment; this is a 3-level value that describes the asset’s worth to the organization (e.g. Normal for a plain desktop vs. Critical for a mission-critical line-of-business server). Once we have these data points (active assessments + asset value) we can classify the security risk on an individual computer or user account.

In the screenshot example above we see 3 security assessments on a computer: one describes an active malware issue and two others describe vulnerabilities from missing security updates. These assessments contribute to the risk on that asset and cause it to be in a Medium risk level.

Why is security risk monitoring better than viewing lists of active malware infection logs in the enterprise? Simply because it aggregates the various security incidents (input points from different protection technologies, but this is a subject for a different post) into a comprehensive risk-based view that presents prioritized assets at risk (instead of chasing around the active security events in the enterprise).

When we designed Stirling we saw the interest from customers to also get a concise understanding of the security risk for some specific Stirling groups and for the entire enterprise. And so we designed for this scenario with the risk gauge and risk pie-charts in the main Stirling Security Dashboard (another screenshot from our dogfood is here):

[Screenshot: Stirling Security Dashboard with the enterprise risk gauge and risk pie-charts]

What you can see here is that you have a quick at-a-glance view on whether you have a burning-risk enterprise situation (or a relatively peaceful day). Each of the dashboard elements allows one-click drilldown navigation to see the exact set of computers and user accounts that pose a risk to the enterprise.

How is the enterprise risk presented in the gauge calculated?

Our algorithm calculates the amount and percentage of IT assets at risk in the enterprise, and then, according to some thresholds, presents the overall enterprise risk. An example risk rule could be: the enterprise is at high risk when 20% of the enterprise computers are found at high risk.
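As an added illustration of the two-step classification described in this post (per-asset risk from assessment type, severity, confidence and asset value, then the enterprise gauge from threshold rules), here is a small Python model. It is not Stirling's code and not the actual algorithm: the severity-times-confidence scoring, the point thresholds, the "Important" asset value name and the medium-level gauge rule are all assumptions; the only rule taken from the post is "20% of computers at high risk means high enterprise risk". The sample assessments reproduce the screenshot example above (one active malware finding plus two missing security updates on one computer).

```python
"""Asset and enterprise risk classification (constructed example; weights and thresholds are
assumptions for illustration, not Stirling's actual algorithm)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Assessment:
    kind: str          # assessment type, e.g. "compromised computer" or "vulnerable computer"
    severity: Level    # e.g. HIGH for active malware that cannot be cleaned
    confidence: Level  # e.g. HIGH for a 100% certain observation


# Three-level asset value. "Normal" and "Critical" are the post's examples; "Important" is assumed.
ASSET_VALUE = {"Normal": 1, "Important": 2, "Critical": 3}


def assessment_score(a: Assessment) -> int:
    """Severity weighted by confidence (1..9): an uncertain finding counts for less."""
    return int(a.severity) * int(a.confidence)


def asset_risk(assessments: Iterable[Assessment], asset_value: str) -> Level:
    """Classify one computer or user account from its active assessments and its asset value."""
    found: List[Assessment] = list(assessments)
    if not found:
        return Level.LOW
    worst = max(assessment_score(a) for a in found)
    # The worst finding dominates, scaled by what the asset is worth to the organization;
    # every additional active finding adds one point so many small issues still raise the level.
    score = worst * ASSET_VALUE[asset_value] + (len(found) - 1)
    if score >= 18:
        return Level.HIGH
    if score >= 9:
        return Level.MEDIUM
    return Level.LOW


def enterprise_risk(levels: Iterable[Level], high_share: float = 0.20,
                    at_risk_share: float = 0.50) -> Level:
    """Gauge rule. HIGH when at least `high_share` of assets are at high risk (the post's example
    rule); MEDIUM when any asset is at high risk or at least `at_risk_share` of assets are at
    medium risk or above (assumed); LOW otherwise."""
    ls = list(levels)
    if not ls:
        return Level.LOW
    high_frac = sum(l == Level.HIGH for l in ls) / len(ls)
    at_risk_frac = sum(l >= Level.MEDIUM for l in ls) / len(ls)
    if high_frac >= high_share:
        return Level.HIGH
    if high_frac > 0 or at_risk_frac >= at_risk_share:
        return Level.MEDIUM
    return Level.LOW


# Constructed to match the screenshot example: active malware plus two missing security updates.
SCREENSHOT_EXAMPLE = [
    Assessment("compromised computer", Level.HIGH, Level.HIGH),
    Assessment("vulnerable computer", Level.MEDIUM, Level.HIGH),
    Assessment("vulnerable computer", Level.MEDIUM, Level.HIGH),
]


if __name__ == "__main__":
    print("plain desktop:", asset_risk(SCREENSHOT_EXAMPLE, "Normal").name)
    print("critical server:", asset_risk(SCREENSHOT_EXAMPLE, "Critical").name)
    fleet = [Level.HIGH, Level.HIGH] + [Level.LOW] * 8
    print("enterprise gauge:", enterprise_risk(fleet).name)
```

The same three findings classify a plain desktop as Medium but a Critical server as High, which is the point of applying asset value after the assessments: the same evidence is prioritized differently depending on what is at stake.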

Like a consumer confidence economic indicator, the approach here is to report on the current overall situation (Stirling reports allow comparing to previous risk levels).  And the main benefit is again the broadest possible perspective on IT assets that need to be protected.

I'm not suggesting by any means that monitoring the actual security devices is not needed. It's absolutely a must to check on the health of these systems, and sometimes it is needed in order to analyze a security risk to a protection target that was spotted by the security device itself. However, if you care about being the most effective when it comes to security monitoring, I suggest you consider my cup of tea – asset-based security monitoring. Feedback on that, anyone?

Posted by adarg | 0 Comments

TechEd 2009

Hey folks – we’ve got an exciting line up of sessions about FCS and Stirling that you will want to add to your TechEd schedule – come see the product group talk about our new exciting features!

I’ve listed all the sessions available for all Forefront products below. Come visit us at the product booths for more details, and to speak with the product group members!

| Session number | Session title | Scheduled speakers |
|---|---|---|
| SIA204 | Security Management and Protection: What's in Microsoft Forefront Client Security Version 2 | Bashar Kachachi and Neha Sharma |
| SIA318 | Protection: Next Generation of Messaging and Collaboration Protection | Mitch Hall and Mike Chan |
| SIA319 | Protection: Targeting Spam with Forefront | John Gargiulo and Terry Zink |
| SIA321 | Security Management: Integrated Enterprise Security with Microsoft Forefront Code Name "Stirling" | Chris Sfanos and Eric Fitzgerald |
| SIA01-TLC | Next Generation Messaging and Collaboration Protection Drilldown | Mike Chan, Mitch Hall, Terry Zink and John Gargiulo |
| SIA02-TLC | Advanced Deployment of Microsoft Forefront Code Name "Stirling" | Chris Sfanos and Neha Sharma |

We’ve also got Hands on Labs (HOL) available for you to work with the Forefront products while you are at TechEd:

| HOL number | HOL title |
|---|---|
| SIA11-HOL | Overview of Microsoft Forefront Code Name "Stirling" (Beta) |
| SIA12-HOL | Overview of Microsoft Forefront Unified Access Gateway |
| SIA13-HOL | Protecting Microsoft Exchange Server 2007 Against Malware and Spam with the Next Generation of Microsoft Forefront Security for Exchange Server (Beta) |
| SIA14-HOL | Protecting Against Malware and Inappropriate Content with the Next Generation of Microsoft Forefront Security for SharePoint (Beta) |

Hope to see you there!

Posted by kimborly | 0 Comments

Announcing Microsoft Forefront codename Stirling Beta 2!

Hello everyone,

I am happy to announce the availability of evaluation Hyper-V-based virtual machines for Stirling B2. We’ve set up a VHD environment for you to download and test in your lab environments. Complete instructions on how to download the virtual machines are available here (http://technet.microsoft.com/en-us/evalcenter/cc339029.aspx).

Stirling B2 provides:

Comprehensive Protection: Stirling integrates leading protection technologies to better guard against viruses, spyware, and spam across clients, application servers, messaging servers, collaboration servers and edge protection.

Simplified Management: Stirling provides a central management console for configuring security policies for all Stirling-protected technologies, and provides enterprise-wide visibility and reporting on threats, vulnerabilities and configuration risks.

Integrated Security: Stirling integrates with existing Microsoft infrastructure for integrated security and operational efficiency.

You can read more about Stirling on the Forefront blog (http://blogs.technet.com/forefront/), our TechNet TechCenter (http://technet.microsoft.com/en-us/forefront/stirling/default.aspx), and the documentation for Stirling Beta 2 available on TechNet (http://technet.microsoft.com/en-us/library/cc483122.aspx).

Download the VHDs and give it a whirl! And come visit us at TechEd – we’d love to hear your feedback in person!

Thanks!

Posted by kimborly | 0 Comments

Social bookmarking and you!

Hello IT experts! You know who you are - you've figured out tips and tricks for every situation, have found the most interesting and relevant TechNet or MSDN info, and I'd wager that your favorites list tops at least the 25 mark (and I'll bet you even have a folder or two organizing that list).

The TechNet team wants to make it easier for experts like you to share their favorite TechNet articles and links, so they’ve released v1 of social bookmarking - and you can use it to share your best or favorite links on TechNet or MSDN with others.

It is available in two flavors – TechNet (social.technet.microsoft.com) and MSDN (social.msdn.microsoft.com). Chris Slemp has a bunch of info on how to use this great new tool on his blog (http://blogs.msdn.com/cslemp/archive/2008/09/09/launched-social-bookmarking-v1-on-msdn-and-technet-video.aspx).

A tip: use the tags! It makes the relevant content easier for others to find based on category…

Enjoy!

Posted by kimborly | 0 Comments

Stirling Resources

Greetings from Redmond!

Now that Stirling's been out for a while, it's time to make sure you know the resources available to you when testing Stirling in your lab environment.

TechNet: Stirling information can be accessed from the Stirling TechNet Web site.

Deployment: The Stirling Deployment Guide steps you through installing Stirling and deploying the Stirling client software to the client computers in your lab environment.

Operations: The Stirling Operations Guide has documentation on day-to-day management tasks, as well as feature walkthroughs that you can use in your lab to explore the Stirling features. 

Stirling and PowerShell: Stirling utilizes PowerShell for its features, and the cmdlets available with Beta 1 are documented in the PowerShell console and on TechNet. Also - a brief introduction on how Stirling uses PowerShell is included in the Operations guide.

Newsgroups: You can post questions and get more information about Stirling on the Stirling TechNet Community Forums.

Can't emphasize this last one enough - let us know your questions, and what you think!

Thanks!

Posted by kimborly | 2 Comments

Me Too

Today we are shipping a new security suite from Microsoft, to help Enterprise customers protect and manage their IT security. One of the questions we know we are going to be asked is: “So what new does Microsoft have to bring to the table?”

I have been in and near the security business for almost two decades now, and I remember once how in the early 90’s when I was proud of the code I wrote… a colleague came to me and told me how security is about ‘Assessing, Detecting, Protecting, and re-evaluating policy’ in a typical circular arrows graph. Of course, at the time it had no clear meaning to me. I did recognize that the process in which our customers deal with security at the enterprise level is such that goes over these steps in an everlasting battle against malicious software with various intents, and new technologies that are adopted at the enterprise.

Do we really expect customers to work with dozens of security technologies with very little in common? It was quite clear to the industry, even back then, that no single protection technology in the world exists to address all security risks. It was then that I realized that for a security solution to be effective and adopted, the overall approach must be more of a suite that manages a life-cycle and allows administrators to interact with different protection technologies from one console and in a very similar way.

Well, that was a worthy goal, but the reality was that each domain in enterprise-IT brought a set of challenges and vocabulary that was not easy to simply glue together in one console. Clearly, the thought and consideration of administrators in the enterprise that deal with security for desktops, servers, applications, and network protection needs to be part of the design of the solution from the ground up. Such a solution should have the right balance that allows aggregating data, policy, and configuration from all sources, while keeping the roles of people with their own set of authorities and administration capabilities segregated correctly. Stirling is offering exactly that.

But then again, you might be asking yourself: “Well, all protection technologies can now be managed from one location and allow the different IT teams to work, but is that enough of a value? Do we get more than just one console?” The answer to that is that Stirling is actually taking a much more comprehensive approach for connecting different protection technologies than just a management console. So, we came up with a concept to connect all protection technologies in a way that one technology can benefit from the findings of the other, or the findings of one technology can cause an action (blocking, isolation, or increased logging) to be taken elsewhere. The beauty of assessment sharing is the fact that we can abstract the findings from each protection technology in such a way that hides the details of each technology. All the protection technologies that connect would be able to understand each other, with no need for special domain knowledge about the other participating technologies. Let’s look at the following scenario:

Forefront Security for Exchange Server, an Exchange protection service, determines that a mail sent to or from a corporate client computer has malicious content. Forefront Security for Exchange Server issues an assessment about the client computer, and through Stirling policy it triggers a malware scan on the client computer that detects malware on that computer. Not only that, but the edge protection (Forefront “TMG”) that also subscribes to the assessment sharing channel of Stirling notices this assessment about the computer and increases internal thresholds for detecting port scans from this computer - and detects port scans from the client computer. The security administrator is notified with this chain of events, and the relationship between them in one single console. Sounds like a tale? Well, this is actually a real life scenario with Stirling.
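The chain of events just described, and the Forefront Endpoint Protection / TMG Internet-block example from the first post on this page, written as a toy publish/subscribe simulation. This is an added example, not Stirling code and not the SAS protocol's actual message format: the participant names, the assessment kinds "malicious mail" and "compromised computer", the response-policy table and the canned scan result are all constructed for the demonstration. What it shows is the structural point of assessment sharing: each participant reacts only to an abstract assessment type according to the administrator's policy, without knowing anything about the technology that produced it, and the channel history gives the administrator the whole chain for one asset.

```python
"""Toy model of the Security Assessment Sharing channel (constructed example, not Stirling code)."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Assessment:
    publisher: str   # participant that observed the finding
    asset: str       # subject of the assessment: a computer or user account
    kind: str        # abstract assessment type, e.g. "compromised computer"
    severity: str    # "low" | "medium" | "high"
    confidence: str  # "low" | "medium" | "high"


# Response policy as the administrator would define it: (participant, assessment kind) -> action.
ResponsePolicy = Dict[Tuple[str, str], str]


class Participant:
    """A protection technology on the channel. By default an action is only recorded."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.channel: Optional["Channel"] = None

    def respond(self, action: str, a: Assessment) -> None:
        pass


class Channel:
    """Broadcasts each published assessment to every other participant, in publication order."""
    def __init__(self, policy: ResponsePolicy) -> None:
        self.policy = policy
        self.participants: List[Participant] = []
        self.pending: Deque[Assessment] = deque()
        self.history: List[Assessment] = []
        self.actions: List[Tuple[str, str, str]] = []  # (participant, action, asset)

    def join(self, p: Participant) -> None:
        self.participants.append(p)
        p.channel = self

    def publish(self, a: Assessment) -> None:
        # Queued rather than dispatched immediately so responses triggered by a response
        # are delivered after the assessment that caused them, keeping the chain readable.
        self.pending.append(a)

    def dispatch(self) -> None:
        while self.pending:
            a = self.pending.popleft()
            self.history.append(a)
            for p in self.participants:
                if p.name == a.publisher:
                    continue
                action = self.policy.get((p.name, a.kind))
                if action:
                    self.actions.append((p.name, action, a.asset))
                    p.respond(action, a)

    def chain_for(self, asset: str) -> List[str]:
        """What the administrator sees for one asset: assessments and the actions they caused."""
        lines = [f"{a.publisher}: {a.kind} ({a.severity}/{a.confidence})"
                 for a in self.history if a.asset == asset]
        lines += [f"{who} -> {action}" for who, action, subj in self.actions if subj == asset]
        return lines


class EndpointProtection(Participant):
    """Runs an on-demand scan when policy says so and publishes a finding if malware is found."""
    def __init__(self, name: str, scan_results: Dict[str, bool]) -> None:
        super().__init__(name)
        self.scan_results = scan_results  # constructed: asset -> malware found?

    def respond(self, action: str, a: Assessment) -> None:
        if action == "scan" and self.scan_results.get(a.asset) and self.channel is not None:
            self.channel.publish(Assessment(self.name, a.asset, "compromised computer", "high", "high"))


def run_scenario() -> Channel:
    """Exchange protection flags a mail, endpoint protection scans, edge protection reacts."""
    policy: ResponsePolicy = {
        ("EndpointProtection", "malicious mail"): "scan",
        ("EdgeProtection", "malicious mail"): "raise port-scan sensitivity",
        ("EdgeProtection", "compromised computer"): "block internet access",
    }
    ch = Channel(policy)
    ch.join(EndpointProtection("EndpointProtection", {"CLIENT-01": True}))  # constructed result
    ch.join(Participant("EdgeProtection"))
    ch.join(Participant("ExchangeProtection"))
    ch.publish(Assessment("ExchangeProtection", "CLIENT-01", "malicious mail", "medium", "high"))
    ch.dispatch()
    return ch


if __name__ == "__main__":
    for line in run_scenario().chain_for("CLIENT-01"):
        print(line)
```

Because the edge participant responds to the abstract kind "compromised computer", the same block-Internet entry in the policy fires whether that assessment came from the endpoint scan in this scenario or directly from an endpoint detection as in the first post; no participant needs to know which.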

Zakie Mashiah,

Principal Product Unit Manager, SAS

Posted by kimborly | 0 Comments

Introducing Stirling

In June of 2007 we announced a new project, Forefront codenamed “Stirling”, to the world.  Now the moment you’ve been waiting for: our first public beta of the product!   Today we release Beta 1 of Stirling to give everyone a small taste of what an integrated security system can really be.  We hope you enjoy taking a first look and walking through some of the scenarios enabled by this release. 

Why Stirling you may ask?  In many organizations, the IT environment is protected by standalone, often incompatible solutions that only show part of the security picture at any one time. To minimize threats to endpoints, messaging and collaboration servers, and the network edge, security administrators are forced to navigate through multiple management consoles and vendor-specific processes as they define policies, configure technologies, and manage security throughout the network.

The lack of a single, integrated, and comprehensive security solution continually undermines the security state, resulting in costly hours in which IT organizations struggle to safeguard the business from threats, outbreaks, and debilitating attacks.

In contrast, Stirling’s comprehensive, built-in protection technologies span the entire IT environment — from endpoints to messaging and collaboration servers to the network edge — collectively sharing information, assessing vulnerability, and responding automatically based on pre-defined policies. Simplified configuration and management tasks are handled through a single, centralized console, whose dashboard opens to a real-time, network-wide snapshot of your security state.

In this release you get a taste for some of this technology.  As we go forward with future beta releases you will see more and more protection technologies come online.  All driving toward our vision of an Integrated Enterprise Security System that provides:

- Comprehensive, Coordinated Protection
  - Automatically identify and dynamically respond to threats
  - Deploy integrated protection technologies
  - Benefit from global malware research and response
- Simplified Management
  - Manage from a single role-based console
  - Optimize your security policy
  - Integrate with existing infrastructure
- Critical Visibility
  - Know your security state
  - View insightful reports
  - Investigate and remediate

I look forward to seeing everyone’s feedback on the product thus far.  Only through engagement with our customers and partners such as you can we make the vision a reality.

Regards,

Brad Wright

Product Unit Manager – Forefront

Posted by kimborly | 0 Comments