IBM Endpoint Manager Francesco Censi WW ATG IEM consultant francesco.censi@it.ibm.com Optimizing the World s Infrastructure Moscow, Oct 24 th, 2012 2012 IBM Corporation
Endpoint complexity continues to increase Speed, severity and complexity of malware attacks Endpoint device counts, devices and platforms Compliance requirements to establish, prove and maintain continuous compliance Patch O/S and application vulnerabilities with hours Rapid, agile, automated remediation is needed Mobile/roaming endpoints New form factors and platforms Employee-owned devices Establish, prove and maintain continuous compliance 1
IBM Endpoint Manager continuously monitors the health and security of all enterprise computers in real-time via a single, policy-driven agent Endpoints Common management agent Desktop / laptop / server endpoint Mobile Purpose specific Unified management console Common infrastructure Patch Management Lifecycle Management Software Use Analysis Mobile Devices Single server Power Management Core Protection Security and Compliance Systems Management Security Management IBM Endpoint Manager 2
How it Works Lightweight, Robust Infrastructure Use existing systems as Relays Built-in redundancy Support/secure roaming endpoints Cloud-based Content Delivery Highly extensible Automatic, on-demand functionality Single Server & Console Highly secure, highly scalable Aggregates data, analyzes & reports Pushes out pre-defined/custom policies Single Intelligent Agent Performs multiple functions Continuous self-assessment & policy enforcement Minimal system impact (< 2% CPU) 3
Patch Management Services: IBM Cloud content delivery service (operating systems and 3rd party applications) Patch capabilities for multiple platforms: Windows, Mac OS X, Linux and UNIX Intelligent agent Benefits: Reduction in patch and update times from weeks and days to hours and minutes Increase first pass success rates from 60 75% to 95 99+% Real time reporting Automated self assessment, no centralised or remote scanning required "We compressed our patch process from 6 weeks to 4 hours" "We consolidated eight tools/infrastructures to one" "We reduced our endpoint support issues by 78%" "We freed up tens of admins to work on higher value projects" 4
Overview of Patch Management See any New Content here Application vendor patches The patches dashboard provides a real-time view on Windows patches requirement across your environment and operating system patches Adobe Acrobat Adobe Reader Apple itunes Apple QuickTime Adobe Flash Player Adobe Shockwave Player Mozilla Firefox RealPlayer Skype Oracle Java Runtime Environment WinAmp WinZip Start with the Patch Management domain 5
Lifecycle Management Services: Asset Discovery Patch Management Inventory Management Software Distribution OS Deployment Remote Desktop Control Benefits: Dramatically reduced patch cycles and increased first pass success rates Closed loop validation in real time Massive scalability and support for remote and intermittently connected devices Detection and resolution of corrupted patches Multi platform support (Unix, Linux, Windows, Mac OS X) Dramatically reduced patch cycles and increased first-pass success rates Multi-platform support (Unix, Linux, Windows, Mac OS X) 6
Software Usage Analysis Services: For Windows Servers and PCs Software Asset Discovery Software Use Metering Software Use Reporting Benefits: Near real time software inventory Near real time software usage reporting Search, browse, and edit the Endpoint Manager software identification catalogue, which contains over 105,000 signatures out of the box Periodic catalogue updates are released regularly Easily customize the software identification catalogue to include tracking of home grown and proprietary applications 5000+ Software publishers 105,000+ Application signatures out of the box 7
Mobile Device Management Services: Providing enterprise wide visibility (eg. device details, apps installed, device location) Ensuring data security and compliance Device configuration Support devices on the Apple ios, Google Android, Nokia Symbian, Microsoft Windows Mobile and Microsoft Windows Phone platforms Benefits: Address business and technology issues of security, complexity and bring your own device (BYOD) in mobile environments Manage enterprise and personal data separately with capabilities such as selective wipe Leverage a single infrastructure to manage all enterprise devices smartphones, tablets, desktops, laptops and servers Apple ios Google Android IBM's MDM capability is very complementary to that of PCs, and it is one of the few vendors in this Magic Quadrant that can support PCs and mobile devices Gartner, MQ for Mobile Device Management Software, 2012 Nokia Symbian Windows Phone and Windows Mobile 8
Managing Mobile Devices The Problem Security & Management Challenges Potential unauthorized access (lost, stolen) Disabled encryption Insecure devices connecting to network Corporate data leakage End User Mail / Calendar / Contacts Access (VPN / WiFi) Apps (app store) Enterprise Apps Encryption not enforced VPN / WiFi Corporate Network Access icloud itunes Sync icloud Sync 9 9
Managing Mobile Devices The Solution Endpoint Manager for Mobile Devices Enable password policies Enable device encryption Disable icloud sync Access to corporate email, apps, VPN, WiFi contingent on policy compliance! Selectively wipe corporate data if employee leaves company Fully wipe if lost or stolen End User Personal Mail / Calendar Personal Apps Corporate Profile Enterprise Mail / Calendar Enterprise Access (VPN/WiFi) Enterprise Apps (App store or Custom) Encryption Enabled VPN / WiFi Secured by BigFix policy Corporate Network Access icloud itunes Sync icloud Sync 10
IEM approach for Mobile Device Management Advanced management on ios through Apple s MDM APIs Advanced management on Android through a BigFix agent Email-based management through Exchange (ActiveSync) and Lotus Traveler (IBMSync) ios Android Windows Phone Windows Mobile Symbian Apple ios Google Android Nokia Symbian Windows Phone and Windows Mobile 11
Security and Compliance Asset Discovery and Visibility Patch Management Security Configuration Management Vulnerability Management Multi Vendor Endpoint Protection Network Self Quarantine Anti Malware & Web Reputation Continuous enforcement of security policies, regardless of network connection status Host-based vulnerability assessment with severity scoring and a 99.9% accuracy rate Define and assess client compliance to security configuration baselines SCAP certified for FDCC Windows, UNIX, Linux, and Mac OS X 12
Key SCM concepts It s simple: checks, checklists, and computers. Check = a fixlet that: Checks for a condition (relevant = true = fails the check (needs to be remediated)) Might allow a check parameter to be set (e.g. maximum password age) Usually includes a remediation option (i.e. take action ) References an analysis property that returns the value(s) of the thing being checked. Referred to as measured values Checklist = a content site containing checks. (Aka benchmark, policy ) Computers contain check results data, analysis results, computer properties 13 2011 IBM Corporation
Security and Compliance Client Manager for Endpoint Protection Manages the health of a variety of endpoint protection products from McAfee, Symantec, Trend Micro, Sophos, Microsoft Deployment overview for endpoint protection products (service health, virus definition) Allows quick centralized virus definition update 14
Core Protection Services: Prevents viruses, Trojans, worms, and other new malware Available for Windows and Mac Deep cleans malware with Trend Micro SysClean Catches and cleans spyware, rootkits and remnants completely Includes an enterprise client firewall for network safety Blocks users and applications from malicious web content Integrates Web Reputation and File Reputation services powered by the Trend Micro Smart Protection Network Add On: Data Loss Prevention and Advanced Device Control Single Console Cloud-based Protection Anti-virus Anti-malware Personal Firewall Data Protection 15
Data Loss Prevention Prevent Data Loss at the Endpoint Real time content scanning of sensitive data Protection of structured data Multi channel monitoring and enforcement Minimal incremental impact on client performance Place limits on user devices Limit removable devices by make/model/serial Limit applications that can use devices Control behaviour of removable media (USB drives) Best of breed content aware DLP solutions have a deserved reputation for being expensive, difficult to implement and generally possessing capabilities exceeding most companies requirements... the majority of organizations (approximately 70%) may be able to deploy "good enough" DLP capabilities in evolving non E DLP solutions. Gartner, MQ for Mobile Device Management Software, 2012 Protect privacy Secure Intellectual Property Comply with regulations 16
Multiple Methods for Protecting your Digital Assets Patterns Regular Expressions ( credit card, social insurance, account numbers) Keywords Lists of terms (confidential, internal, project/product names ) File Attributes File Name, File Size, File Type (threshold of acceptable use) 17
Data loss prevention: example 18
Power Management Services: For Windows and Mac OS X Comprehensive executive reports Client side dashboard option to create personalized reports Customize power consumption information to match corporate environments Scheduled wake on LAN to wake up endpoints Auto save open files before shutdown/restart Benefits: Cost savings through reduction in energy usage and utility rebates where applicable Obtain max power savings while avoiding disruption to IT system management Project potential savings using what if scenario calculator Single tool to identify misconfiguration and automatic remediation Reduce power costs Centralize energy savings policies What-if scenarios 19
Power Consumption Summary Total Power Consumption for all devices is summarised on this dashboard Which includes your Total Current Power Usage (kwh, Cost and Green House) Potential savings are also identified The breakdown of power usage for workdays and weekends is now available 20
Summary IBM Endpoint Manager enables unified management of all enterprise devices desktops, laptops, servers, smartphones, and tablets Real-time/proactive endpoint management: Patch management, anti-virus/malware, power management and device location information Continuous compliance reduces costs and risk Power management Management of assets 21
Спасибо!
Acknowledgements, disclaimers and trademarks Copyright IBM Corporation 2012. All rights reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information concerning non-ibm products and services was obtained from a supplier of those products and services. IBM has not tested these products or services and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-ibm products and services. Questions on the capabilities of non-ibm products and services should be addressed to the supplier of those products and services. All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography. IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or ), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml 23