Forefront Endpoint Protection (FEP) 2010 Proposal

Objectives

To envision, plan, build, stabilize, and deploy an endpoint protection solution that uses Forefront Endpoint Protection – enabling MOFA to improve the efficiency and reduce the costs of protecting their Windows 7 desktops and laptops from malicious code threats.

Benefit Analysis

By deploying an endpoint protection solution based on Forefront Endpoint Protection, MOFA aims to realize the following benefits:

Highly Accurate and Efficient Threat Detection

The new anti-malware engine protects against the latest malware and rootkits with a low false positive rate, and keeps employees productive with scanning that has a low impact on performance.

Furthermore, FEP uses system behavior and file reputation data to identify and block attacks on client systems from previously unknown threats. Detection methods include behavior monitoring, emulation, and dynamic translation.

Reduced Management Infrastructure

Instead of deploying dedicated servers and software to manage the endpoint protection clients, existing Microsoft System Center Configuration Manager infrastructure will be used to manage the endpoint protection solution – cutting the cost of ownership and reducing duplication of effort.

Windows 7 desktops and laptops that are currently managed using Microsoft System Center Configuration Manager (SCCM) will use this infrastructure to deploy the endpoint protection client, distribute policy and collect data for use in reporting.

A new build of Microsoft System Center Operations Manager (SCOM) will use the FEP Management Pack to extend real-time monitoring to the managed clients.

Lower Management Costs

By consolidating endpoint and security management into a single infrastructure and common set of tasks, duplication of effort is greatly reduced. The FEP client and its definition updates will be deployed using the mechanisms already in place for managing other software and update deployments.

Lower Switching Costs

Switching from one endpoint protection product to another can be labor intensive, and can leave endpoints vulnerable after removal of the old and before installation of the new. FEP greatly reduces these costs and risk by replacing the existing protection product in a single, highly integrated process.

Lower Training Costs

As the management infrastructure and associated processes are already in place, existing personnel can begin managing and monitoring the protection status of endpoints with minimal training – further reducing ownership costs.

Lower Licensing Costs

With their Microsoft Enterprise Client Access License (ECAL), MOFA can purchase all of the components they need to manage and secure their endpoints at lower cost compared to multiple, single-purpose licenses.

Rapid Correlation between Infections and Configuration

Endpoints are at greatest risk when they are missing security updates or their configurations deviate from an established baseline. By integrating the monitoring of configuration with malware monitoring via a single interface, relationships can be quickly established, and the conditions that increase malware risk remediated.

Reduced Burden on Security Personnel

With traditional endpoint protection products, security personnel spend a great deal of time managing the infrastructure and resolving issues on individual clients. By delegating the management of the FEP client to the same administrators responsible for other aspects of their configuration, security personnel have more time to focus on root cause analysis, identifying trends and proactive measures to reduce malware incidents across the organization.

Project Scope

Future revisions of this document will provide the detailed scope of what will and will not be accomplished to meet the vision. That said, the core features to be enabled by the solution can be characterized by the following specific goals and objectives.

In Scope

Assessment of:

The organization’s endpoint protection requirements, including policies from their existing anti-malware solution

Solution envisioning; including:

Definition of endpoint “profiles” – describing the common management, monitoring, and client configuration requirements shared by endpoints across the organization

Management (SCCM / Group Policy / Script) and monitoring (SCCM / SCOM) strategy for each of the defined endpoint profiles

Strategy for integration of FEP components into the organization’s SCCM 2007 R2 or R3 hierarchy

Detailed design and documentation of the following elements:

FEP server deployment topology

FEP client deployment methodology

FEP policies, including policy settings and enforcement mechanisms

Definition update design

FEP Desired Configuration Management (DCM) design, including creation and targeting of baselines. Note that this will be limited to compliance checking of FEP-related attributes only

FEP alert design

FEP reporting overview

FEP Security Management Pack setup

SCOM infrastructure and agents deployment to FEP endpoints

Creation of test plan and test cases

Deployment and configuration of the Proof of Concept (PoC) environment, and execution of the pilot

Implementation and reporting of test cases against PoC environment

Identification of operational roles and tasks, and creation of deployment guidance

Creation of deployment plan

Deployment of solution components into Production environment

Out of Scope

Design, design review, deployment or upgrade of the organization’s SCCM infrastructure, or deployment of its agents

Design, design review, deployment or upgrade of the organization’s Windows Server Update Service (WSUS) infrastructure – whether used by the SCCM infrastructure or deployed standalone

Design, design review, deployment or upgrade of file shares or Microsoft Windows Distributed File System (DFS) shares to be used for hosting FEP definition updates

Design of DCM configuration items or baselines not specifically related to FEP

Customization of FEP reports

Customization of the FEP Security Management Pack

Design of any methodology or actual installation of the FEP client using any means other than SCCM software deployment (such as deployment by script or third-party tools, manual installation, etc.)

Design of any methodology or actual implementation of policy via command-line script where neither SCCM nor Group Policy can be used for policy deployment

Design or implementation of Windows Firewall exceptions via script or Group Policy not specifically related to FEP

Deployment or configuration of a test environment for the proof of concept

Removal of any existing endpoint security products on desktops, laptops, and servers with the exception of Microsoft Forefront Client Security

FEP client deployment on Windows XP endpoints

Assumptions

Based on the answers received during this project and information collected during the Solution Envisioning phase, the following technical assumptions have been made:

The customer will make available a non-production, proof of concept environment that faithfully simulates the production Active Directory and SCCM deployment, and (optionally) the SCOM monitoring infrastructure. It must also have Internet access, and have deployed a number of instances of each operating system configuration that will be protected by FEP.

The SCCM 2007 infrastructure (with SP2 and R2 or R3) is fully deployed, operational, and in good health. It is also operating below its maximum capacity in terms of CPU, memory and disk IO performance, and the database servers have adequate free disk space.

WSUS will be used to deploy FEP definition updates (either as part of the SCCM infrastructure or standalone), and it is fully deployed, operational, and in good health. Any remediation to the WSUS infrastructure will incur additional customer effort.

Active Directory is designed, deployed, and in good operational health. Any remediation to the Active Directory infrastructure will incur additional customer effort.

Customer personnel and resources will be available in a timely manner to support the milestones of this engagement.

Constraints

The solution will be designed under the following constraints:

The FEP client will be deployed to supported operating systems.

SCCM clients should be in good operational health on Windows 7 endpoints. Any SCCM client remediation will be performed by customer personnel.

All endpoints should be members of the Active Directory forest.

The FEP solution will be sized for up to 2000 endpoints.