Understanding the Security Assessment Sharing Framework Technology

Hello Forefront Protection Manager users,

In this post and the next one, I will describe the FPM capability for simplified and centralized security monitoring, which is based on the Security Assessment Sharing (SAS) framework technology.

Forefront Protection Manager 2010 (FPM) manages several diverse protection technologies. This enables the security administrator to both set a security policy for various security technologies, and monitor those technologies from a single console. We in the FPM team believe that this uniformity and simplicity enables security and IT organizations to function more efficiently.

The Security Assessment Sharing framework (SAS) forms the heart of the Forefront Protection Manager 2010 management and monitoring vision. This framework unites different protection technologies.

Out of the box, Forefront Protection Manager 2010 enables the administrator to monitor security incidents from Forefront Endpoint Protection 2010, Forefront Threat Management Gateway (TMG), Forefront Protection 2010 for Exchange Server, Forefront Protection 2010 for SharePoint, and Forefront Active Directory Protection.

To allow simple monitoring and response generation, a protection technology that joins FPM must conform to the SAS architecture and protocol. Each protection technology reports its security findings by publishing a security assessment to the SAS channel. The assessment is broadcast to all other participants in the channel; the other technologies can use the assessment either to enhance their detection capabilities (we will elaborate on this capability in the future) or to issue a mitigating response. SAS enables the administrator to define how each technology reacts to a certain assessment type (Figure 1). For example, when Forefront Endpoint Protection detects active malware on a computer, it publishes a compromised computer assessment, and then Forefront TMG blocks access to the Internet for that computer (if such a policy is defined by the administrator).
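The publish, broadcast and policy-driven response flow described above, modelled as an added illustration (this is not FPM or SAS code, and the assessment fields, participant names and the `compromised-computer` type are assumptions, since the page does not show the actual SAS schema):

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed shape of an assessment; the real SAS schema is not shown on the page.
@dataclass(frozen=True)
class Assessment:
    kind: str        # assessment type, e.g. "compromised-computer"
    asset: str       # the asset (computer, mailbox, ...) the assessment is about
    publisher: str   # the participant that published it

@dataclass
class Participant:
    name: str
    # Administrator-defined response policy: assessment type -> response action.
    policy: Dict[str, Callable[[Assessment], str]] = field(default_factory=dict)
    responses: List[str] = field(default_factory=list)

    def consume(self, a: Assessment) -> None:
        action = self.policy.get(a.kind)
        if action is None:
            return  # no policy defined for this assessment type: nothing to do
        self.responses.append(action(a))

class Channel:
    def __init__(self) -> None:
        self.participants: List[Participant] = []
        self.log: List[Assessment] = []  # every assessment seen: the console's unified view

    def join(self, p: Participant) -> None:
        self.participants.append(p)

    def publish(self, a: Assessment) -> None:
        self.log.append(a)
        for p in self.participants:
            if p.name != a.publisher:  # broadcast to all *other* participants
                p.consume(a)

def run_compromised_computer_scenario() -> Channel:
    """Constructed scenario from the post: FEP detects malware, TMG blocks the host."""
    channel = Channel()
    fep = Participant("Forefront Endpoint Protection")
    tmg = Participant("Forefront TMG", policy={
        "compromised-computer": lambda a: f"block Internet access for {a.asset}",
    })
    fpe = Participant("Forefront Protection for Exchange")  # no policy for this type
    for p in (fep, tmg, fpe):
        channel.join(p)
    channel.publish(Assessment("compromised-computer", "WKS-042", fep.name))
    return channel
```

Participants without a policy for a given assessment type still see it on the channel (it reaches the unified log) but take no action, which is the "if such a policy is defined" condition from the text.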

The SAS protocol is not specific to Microsoft products. Hence, any security device that conforms to the protocol can join Forefront Protection Manager 2010 centralized monitoring. As part of the Microsoft Business Ready Security Strategy, we have partnered with key security leaders to enable their products to be part of the FPM security ecosystem. For example, TippingPoint, a leader in the provision of intrusion prevention systems, recently announced that they would support FPM integration.


Figure 1: Assessment sharing architecture and concepts. Every FPM participant (including the FPM administrator) can consume and publish security assessments on every asset in the organization. A participant can respond to security assessments based on the response policy defined by the FPM administrator.

In the next post, I will demonstrate how FPM centrally presents the various security incidents coming from the different security technologies in a simplified and unified view.

What other protection technologies would you like to see integrated with Forefront Protection Manager 2010?

Shai Rubin
