Customer Solution Case Study
/ Manufacturer Recharges Endpoint Protection with Integrated PC Security Solution
Overview
Country or Region:United States
Industry:Manufacturing—Consumer goods
Customer Profile
Energizer Holdings, headquartered in St. Louis, Missouri, offers household and consumer care products. It employs 15,000 people.
Business Situation
Energizer wanted to upgrade its antimalware solution to gain better reporting on endpoint security. IT staff also wanted more flexibility in defining security policies and deploying antivirus signature updates.
Solution
Energizer achieved these goals with Microsoft Forefront Endpoint Protection 2010, which works with Microsoft System Center Configuration Manager 2007 R3 to consolidate PC management and security functions.
Benefits
- Improved reporting expedited incident resolution
- Increased IT productivity by 70 percent
- Signature update compliance grew from 95 to 98 percent
- Expedited antimalware policy deployment
Chuck Henderson, Manager, IT Department, Energizer Holdings
Energizer Holdings, a global manufacturer of household and consumer products, wanted to improve its malware reporting to better secure and manage its 7,700 employee desktops. It also sought flexibility in updating security polices and deploying antivirus signature updates. Energizer worked with Microsoft Managed Platform and Solution Delivery (MPSD) to deploy and manage Microsoft Forefront Endpoint Protection 2010, built on Microsoft System Center Configuration Manager 2007 R3. Reporting now detects malware before it invades the network, boosting the MPSD team‘s productivity by up to 70 percent, as it no longer needs to manually extract data from computers. With three ways to deploy antivirus signatures, Energizer benefits from signature update compliance to 99 percent of its desktops. The MPSD team can also respond quickly to the businessby deploying new security policies as needed.
Situation
Incorporated in 1999, Energizer Holdings is a consumer goods company operating globally in the broad categories of household and personal care products. Energizer’s Household Products Division offers consumers a wide range of portable power solutions, anchored by the Energizer and Eveready brands.Energizer’s Personal Care Division offers a diversified range of consumer products, carrying brand names such as Schick, Playtex, Banana Boat, Hawaiian Tropic, and Wet Ones.
With commercial and production operations in 49 countries and distribution in another 131 countries, the company relies on its IT department to maintain a highly secure network and protect the more than 7,700 desktop and portable computers used by employees around the world. Energizer is standardizing its desktops on the Windows 7 Enterprise operating system, with 80 percent of them already upgraded from Windows XP Professional. The company expects to complete that rollout by July 2011.
Because Energizer has so many computer users in so many locations, battling the continual onslaught of sophisticated Trojan horses, viruses, and rootkits—collectively known as malware—is a critical function for the IT department. “In the last four or five years, with the increasing number of mobile employees using laptops outside of the corporate domain and opening up the potential to bring malware back inside the firewall, we are thinking about the desktop as ‘the new edge of network,’ and we are focusing our attention more and more on endpoint protection,” says Chuck Henderson, Manager of the IT Department at Energizer Holdings.
So in March 2010, Energizer and the Microsoft Managed Platform and Solution Delivery (MPSD), a division of the Management and Security Product Division at Microsoft, deployed Microsoft Forefront Client Security endpoint protection technology to scan for malware. MPSD has provided a desktop management service to Energizer for more than five years. Forefront Client Security worked well, and MPSDliked the easy-to-use tool and familiar user interface to the Microsoft System Center management products it used to manage the company’s infrastructure. However, Energizer began identifying some room for improvement.
First, Energizer wanted better out of-the-box reporting capabilities with data collection and drill-down into infected computers so IT staff could see when a particular computer became affected by malware and immediately take action. “We are a manufacturing company, so many of our employees are not particularly computer-savvy,” says Henderson. “If their machine starts acting strangely, they may just continue working until it bothers them enough to call help desk and we send out a technician. Meanwhile, a virus could have spread throughout our network.”
To improve reporting on the health and antivirus signature status of the company’s client computing environment, the MPSDteam wrote its own scripts and tools to retrieve data from the desktops, but this was costly and time-consuming. For example, while troubleshooting an issue, if Henderson wanted to find out how many machines had not been receiving signature updates for the last five days, the MPSDteam would have to develop a custom query; even then, the accuracy of the data retrieved was never 100 percent.
Second, Energizer wanted to improve upon its existing 95 percent signature compliance rate. With Forefront Client Security, the MPSDteam had only one way to deploy daily antivirus signature updates to all computers: using Microsoft System Center Configuration Manager 2007. While the Microsoft team had devised a custom solution that ensured updates reached computers even in the event of a System Center Configuration Manager 2007 server issue, it was an expensive, manual workaround. Having multiple ways to deploy signature updates would reduce the chance that a single point of failure could negatively impact the compliance on signature updates and would help boost the compliance rate.
Third, as malware policies were embedded in the installation package of Forefront Client Security, it was difficult for Energizer to introduce interim policy changes subsequent to installation. Though Energizer had a singular policy for its entire desktop, the MPSD team wanted more flexibility in its endpoint protection solution so it could quickly respond to unforeseen circumstances by creating new security policies as needed. For example, if Energizer wanted to create a specific policy for a set of critical computers in Human Resources that contain personal employee data, it would require some effort for the MPSD team to configure that policy by creating new Group Policy Objects in Active Directory Domain Services, the directory service integral to the Windows operating system.
So, when Energizer heard that Microsoft was about to release Forefront Endpoint Protection 2010, the company was interested to see if the new solution offered improved reporting, more options for signature update distribution, and increased flexibility for introducing interim policy changes.
Solution
In January 2011, Energizer began talking with members of the MPSD about upgrading to Microsoft Forefront Endpoint Protection 2010, which is the next version of Forefront Client Security. The new version offers a compelling new development that could fulfill Energizer’s requirements by reducing the cost and complexity of managing and securing the desktop. Up to this point, Energizer had been using System Center Configuration Manager 2007 R3 to ensure proper system configuration and to deploy necessary security updates, and Forefront Client Security for threat detection and remediation. But with Forefront Endpoint Protection 2010, these two functions—management and security—are combined into a single infrastructure.
Built on System Center Configuration Manager 2007 R2 and R3, Forefront Endpoint Protection 2010 would give the MPSD team a single view of both configuration and security information on every desktop through a simple console. MPSD would need only one tool to ensure up-to-date desktop configuration, deploy client software and security updates, administer security policies as needed, detect and remediate malware, collect computer health data, report on the health status of the entire desktop environment, or analyze the health status of individual computers. With consolidated tools and a new insight into security information, Energizer could more quickly and easily detect desktop vulnerabilities and take steps to eradicate malware.
Energizer first worked with the Microsoft team to update the System Center Configuration Manager 2007 R3 Central site with the Microsoft Forefront Endpoint Protection 2010 Site Server Extension for Configuration Manager. Then,the MPSD team fine-tuned a standard policy configuration for its desktop environment before launching a small pilot project involving 40 computers running both Windows 7 and Windows XP to test the upgrade process from Forefront Client Security to Forefront Endpoint Protection. Next, the MPSD team began distributing the Forefront Endpoint Protection 2010 client software packet to all clients located in St. Louis, using System Center Configuration Manager software distribution capabilities. The team then expanded the deployment by replicating the client software packet to the three primary site System Center Configuration Manager 2007 R3 servers around the world. After package replication was completed to all the secondary site servers, the client software packet was deployed to groups of 500 computers until all computers were targeted. Once all the computers were running the Forefront Endpoint Protection 2010 client, the team deployed the Energizer standard security policy globally.
In just one and a half months, the MPSD team deployed Forefront Endpoint Protection 2010 to 97 percent of Energizer’s 7,700 managed computers, using existing computing resources to minimize costs. The only hardware investment required was a dedicated server running Microsoft SQL Server 2008 Reporting Services, which was needed by the Forefront Endpoint Protection 2010 reporting database. During the whole deployment process, no backlogs occurred on any of the servers, and no degradation of daily System Center Configuration Manager operations was detected.
Benefits
For Energizer, choosing Forefront Endpoint Protection 2010 as its latest antimalware solution means the company has an easy-to-use tool to monitor and report on the company’s desktop environment. Thanks to improved out-of-the-box capabilities and the ability to manage everything from a single console, the IT staff is saving time managing the desktop while expediting incident resolution. And, with additional ways to deploy signature updates and more flexible means of applying policies, the IT department can also respond more quickly to business needs.
“With Forefront Endpoint Protection 2010, Energizer has a more secure, better managed desktop than before,” says Henderson. “I’m empowered to react faster, because I see everything I need to know through the reports. And the MPSD team is working less hours with improved results. It’s a definite improvement for everyone.”
Improved Reporting for Expedited Incident Resolution
Today, Henderson and his colleagues are getting regular Forefront Endpoint Protection health reports that offer unprecedented insight into what Henderson calls “the new edge of network.” The new information helps to pinpoint trouble spots long before an employee decides to call the help desk, so the company can respond quickly to any threats and minimize damage.
“We were really excited about the new reporting capabilities of Forefront Endpoint Protection 2010,” confirms Henderson. “For Energizer, the most immediate value of the reporting and notification is that we can now see when a particular computer is affected. This allows us a much faster reaction time and reduces the damage. Now, we are not hearing about a virus from a frustrated employee, we’re jumping on it right away before they even notice their machine is compromised and before it can spread through the network. This makes for happier, more productive employees, saves us a lot of headaches, and avoids desktop support costs.”
Increased IT Productivity by up to 70 Percent
The integration of Forefront Endpoint Protection 2010 with System Center Configuration Manager 2007 R3 means that MPSDteam membersno longer have to write their own scripts to extract data from the client computers, as they did with Forefront Client Security. Improved out-of-the-box reporting and drill-down capabilities also expedite troubleshooting; for example, MPSDteam members no longer need to devise their own solutions to find out exactly how many computers haven’t received signature updates and for how many days. The team estimates that the more robust reporting and the instant information available through the central console have reduced this administrative busywork by up to 70 percent.
Signature Update Compliance Improved from 95 to 99 Percent
By using Forefront Endpoint Protection 2010, the MPSDteam has more than one way to deliver antivirus signature updates to Energizer client computers, thereby eliminating the single point of failure scenario of the product’s predecessor. Today, the MPSDteam can continue to use System Center Configuration Manager as its default conduit for delivering signature updates, but should anything happen, there is a parallel independent path available for updating the signatures by using a shared folder. The team could also deliver updates over the Internet using Windows Server Update Services. Having three update-delivery options available instead of one has improved average signature compliance rates on Energizer desktops from 95 percent to 99 percent.
Expedited Antimalware Policy Deployment
With Forefront Endpoint Protection 2010, Energizer also gains a more flexible way to apply new antimalware policies, should the need arise. For example, if Energizer wants to create a new security policy that targets a specific group of computers, the MPSDteam can configure and deploy that policy in just hours—where it used to take days—from the shared System Center Configuration Manager 2007 console. This flexibility is also useful if Energizer decides to exclude a group of computers from its existing global security policy; for example, if it finds that the global policy affects that group’s performance unduly because of a newly deployed application.
“While the technical case for upgrading to Forefront Endpoint Protection 2010 was clear, the product once again ratified our existing business policy of going with Microsoft first and everyone else second,” concludes Henderson.
Microsoft Infrastructure Optimization
With infrastructure optimization, you can build a secure, well-managed, and dynamic core IT infrastructure that can reduce overall IT costs, make better use of resources, and become a strategic asset for the business. The Infrastructure Optimization model—with basic, standardized, rationalized, and dynamic levels—was developed by Microsoft using industry best practices and Microsoft’s own experiences with enterprise customers. The Infrastructure Optimization model provides a maturity framework that is flexible and easily used as a benchmark for technical capability and business value.
For more information about Microsoft infrastructure optimization, go to: