IBM Endpoint Manager

Francesco Censi – WW ATG IEM consultant

© 2012 IBM Corporation

Optimizing the World's Infrastructure

Moscow, Oct 24th, 2012



Endpoint complexity continues to increase

Endpoint device counts, devices and platforms

Compliance requirements to establish, prove and maintain continuous compliance

Speed, severity and complexity of malware attacks

Patch O/S and application vulnerabilities within hours

Rapid, agile, automated remediation is needed

Mobile/roaming endpoints

New form factors and platforms

Employee-owned devices

Establish, prove and maintain continuous compliance


IBM Endpoint Manager continuously monitors the health and security of all enterprise computers in real-time via a single, policy-driven agent

• Common management agent

• Unified management console

• Common infrastructure

• Single server

[Diagram: IBM Endpoint Manager]

Modules: Patch Management, Lifecycle Management, Software Use Analysis, Power Management, Mobile Devices, Security and Compliance, Core Protection

Categories: Systems Management, Security Management

Endpoints: Desktop / laptop / server endpoint, Mobile, Purpose specific


How it Works

Single Server & Console

• Highly secure, highly scalable

• Aggregates data, analyzes & reports

• Pushes out pre-defined/custom policies

Cloud-based Content Delivery

• Highly extensible

• Automatic, on-demand functionality

Single Intelligent Agent

• Performs multiple functions

• Continuous self-assessment & policy enforcement

• Minimal system impact (< 2% CPU)

Lightweight, Robust Infrastructure

• Use existing systems as Relays

• Built-in redundancy

• Support/secure roaming endpoints


Patch Management

Services:

• IBM Cloud content delivery service (operating systems and 3rd party applications)

• Patch capabilities for multiple platforms: Windows, Mac OS X, Linux and UNIX

• Intelligent agent

Benefits:

• Reduction in patch and update times from weeks and days to hours and minutes

• Increase first-pass success rates from 60-75% to 95-99+%

• Real-time reporting

• Automated self-assessment, no centralised or remote scanning required

"We compressed our patch process from 6 weeks to 4 hours"

"We consolidated eight tools/infrastructures to one"

"We reduced our endpoint support issues by 78%"

"We freed up tens of admins to work on higher value projects"


Overview of Patch Management

Start with the Patch Management domain

The patches dashboard provides a real-time view on Windows patches requirement across your environment

See any New Content here

Application vendor patches

• Adobe Acrobat

• Adobe Reader

• Apple iTunes

• Apple QuickTime

• Adobe Flash Player

• Adobe Shockwave Player

• Mozilla Firefox

• RealPlayer

• Skype

• Oracle Java Runtime Environment

• WinAmp

• WinZip

…and operating system patches


Lifecycle Management

Services:

• Asset Discovery

• Patch Management

• Inventory Management

• Software Distribution

• OS Deployment

• Remote Desktop Control

Benefits:

• Dramatically reduced patch cycles and increased first-pass success rates

• Closed loop validation in real-time

• Massive scalability and support for remote and intermittently connected devices

• Detection and resolution of corrupted patches

• Multi-platform support (Unix, Linux, Windows, Mac OS X)



Software Usage Analysis

Services:

• For Windows Servers and PCs

• Software Asset Discovery

• Software Use Metering

• Software Use Reporting

Benefits:

• Near real time software inventory

• Near real time software usage reporting

• Search, browse, and edit the Endpoint Manager software identification catalogue, which contains over 105,000 signatures out of the box

• Periodic catalogue updates are released regularly

• Easily customize the software identification catalogue to include tracking of home-grown and proprietary applications

Software publishers: 5000+

Application signatures out of the box: 105,000+


Mobile Device Management

Services:

• Providing enterprise-wide visibility (e.g. device details, apps installed, device location)

• Ensuring data security and compliance

• Device configuration

Benefits:

• Support devices on the Apple iOS, Google Android, Nokia Symbian, Microsoft Windows Mobile and Microsoft Windows Phone platforms

• Address business and technology issues of security, complexity and bring your own device (BYOD) in mobile environments

• Manage enterprise and personal data separately with capabilities such as selective wipe

• Leverage a single infrastructure to manage all enterprise devices: smartphones, tablets, desktops, laptops and servers

Platforms: Apple iOS, Google Android, Nokia Symbian, Windows Phone and Windows Mobile

“IBM's MDM capability is very complementary to that of PCs, and it is one of the few vendors in this Magic Quadrant that can support PCs and mobile devices”

Gartner, MQ for Mobile Device Management Software, 2012


Managing Mobile Devices – The Problem

Security & Management Challenges

• Potential unauthorized access (lost, stolen)

• Disabled encryption

• Insecure devices connecting to network

• Corporate data leakage

[Diagram: End User device, Encryption not enforced]

• Mail / Calendar / Contacts

• Access (VPN / WiFi)

• Apps (app store)

• Enterprise Apps

Diagram labels: iCloud, iCloud Sync, iTunes Sync, VPN / WiFi, Corporate Network Access


Managing Mobile Devices – The Solution

Endpoint Manager for Mobile Devices

• Enable password policies

• Enable device encryption

• Disable iCloud sync

• Access to corporate email, apps, VPN, WiFi contingent on policy compliance!

• Selectively wipe corporate data if employee leaves company

• Fully wipe if lost or stolen

[Diagram: End User device, Secured by BigFix policy, Encryption Enabled]

• Personal Mail / Calendar

• Personal Apps

Corporate Profile

• Enterprise Mail / Calendar

• Enterprise Access (VPN/WiFi)

• Enterprise Apps (App store or Custom)

Diagram labels: iCloud, iCloud Sync, iTunes Sync, VPN / WiFi, Corporate Network Access


IEM approach for Mobile Device Management

Platforms: Apple iOS, Google Android, Nokia Symbian, Windows Phone and Windows Mobile

• Advanced management on iOS through Apple’s MDM APIs

• Advanced management on Android through a BigFix agent

• Email-based management through Exchange (ActiveSync) and Lotus Traveler (IBMSync)

  • iOS

  • Android

  • Windows Phone

  • Windows Mobile

  • Symbian


Security and Compliance

• Asset Discovery and Visibility

• Patch Management

• Security Configuration Management

• Vulnerability Management

• Multi-Vendor Endpoint Protection

• Network Self Quarantine

• Anti-Malware & Web Reputation

Continuous enforcement of security policies, regardless of network connection status

Host-based vulnerability assessment with severity scoring and a 99.9% accuracy rate

Define and assess client compliance to security configuration baselines

SCAP certified for FDCC

Windows, UNIX, Linux, and Mac OS X


© 2011 IBM Corporation

Key SCM concepts

• It’s simple: checks, checklists, and computers.

• Check = a fixlet that:

  • Checks for a condition (relevant = true = fails the check (needs to be remediated))

  • Might allow a check parameter to be set (e.g. maximum password age)

  • Usually includes a remediation option (i.e. “take action”)

  • References an analysis property that returns the value(s) of the thing being checked. Referred to as “measured values”

• Checklist = a content site containing checks. (Aka “benchmark”, “policy”)

• Computers contain check results data, analysis results, computer properties
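The check / checklist / computer relationship above, as a small Python model. This is an added illustration, not IBM code or the product's relevance language; the `Check` class, `evaluate` function, field names and the sample computer are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Check:
    name: str
    measure: Callable[[dict], object]            # analysis property -> measured value
    relevant: Callable[[object, object], bool]   # True means the check FAILS
    parameter: object = None                     # e.g. maximum password age
    remediate: Optional[Callable[[dict, object], None]] = None  # "take action"


def evaluate(checklist, computer, take_action=False):
    """Evaluate every check on one computer; optionally remediate and re-measure."""
    results = {}
    for chk in checklist:
        value = chk.measure(computer)
        failed = chk.relevant(value, chk.parameter)
        if failed and take_action and chk.remediate:
            chk.remediate(computer, chk.parameter)
            # Closed loop: trust the re-measured value, not the action's exit status.
            value = chk.measure(computer)
            failed = chk.relevant(value, chk.parameter)
        results[chk.name] = {"measured": value, "compliant": not failed}
    return results


# A checklist ("benchmark") is just a collection of checks.
CHECKLIST = [
    Check("max-password-age",
          measure=lambda c: c["max_password_age_days"],
          # In this model 0 means "never expires", which must also fail.
          relevant=lambda v, limit: v == 0 or v > limit,
          parameter=90,
          remediate=lambda c, limit: c.update(max_password_age_days=limit)),
    Check("guest-account-disabled",              # audit-only: no remediation
          measure=lambda c: c["guest_enabled"],
          relevant=lambda v, _param: v is True),
]

# Constructed sample computer properties.
SAMPLE_PC = {"name": "pc-01", "max_password_age_days": 365, "guest_enabled": True}

if __name__ == "__main__":
    print(evaluate(CHECKLIST, dict(SAMPLE_PC)))
    print(evaluate(CHECKLIST, dict(SAMPLE_PC), take_action=True))
```

Note the inverted sense: a relevant check is a failing one, so compliance reporting is the negation of relevance, and a check without a remediation stays non-compliant until it is fixed by other means.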


Security and Compliance

Client Manager for Endpoint Protection

• Manages the “health” of a variety of endpoint protection products from McAfee, Symantec, Trend Micro, Sophos, Microsoft

• Deployment overview for endpoint protection products (service health, virus definition)

• Allows quick centralized virus definition update


Core Protection

Services:

• Prevents viruses, Trojans, worms, and other new malware

• Available for Windows and Mac

• Deep-cleans malware with Trend Micro SysClean

• Catches and cleans spyware, rootkits and remnants completely

• Includes an enterprise client firewall for network safety

• Blocks users and applications from malicious web content

• Integrates Web Reputation and File Reputation services powered by the Trend Micro Smart Protection Network

• Add-On: Data Loss Prevention and Advanced Device Control

Diagram labels: Single Console, Cloud-based Protection, Anti-virus, Anti-malware, Personal Firewall, Data Protection


Data Loss Prevention

Protect privacy

Secure Intellectual Property

Comply with regulations

Prevent Data Loss at the Endpoint

• Real-time content scanning of sensitive data

• Protection of structured data

• Multi-channel monitoring and enforcement

• Minimal incremental impact on client performance

Place limits on user devices

• Limit removable devices by make/model/serial

• Limit applications that can use devices

• Control behaviour of removable media (USB drives)

“Best-of-breed content-aware DLP solutions have a deserved reputation for being expensive, difficult to implement and generally possessing capabilities exceeding most companies’ requirements. .. the majority of organizations (approximately 70%) may be able to deploy "good enough" DLP capabilities in evolving non-E-DLP solutions.”

Gartner, MQ for Mobile Device Management Software, 2012


Multiple Methods for Protecting your Digital Assets

Patterns - Regular Expressions (credit card, social insurance, account numbers)

Keywords – Lists of terms (confidential, internal, project/product names…)

File Attributes – File Name, File Size, File Type (threshold of acceptable use)
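The three detection methods listed above, combined in one small content scanner. This is an added Python illustration, not the product's engine; the policy values, rule labels and sample text are constructed, and the Luhn checksum is an added refinement (not mentioned on the slide) that keeps arbitrary digit runs from being reported as card numbers.

```python
import re
from pathlib import PurePath

# Hypothetical policy; every value below is constructed for illustration.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
KEYWORDS = {"confidential", "internal", "project falcon"}
BLOCKED_TYPES = {".pst", ".mdb"}
MAX_BYTES = 5 * 1024 * 1024


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(file_name: str, content: bytes) -> list[str]:
    """Return the rule hits for one file about to leave the endpoint."""
    hits = []
    text = content.decode("utf-8", errors="replace")

    # 1. Patterns: regex finds candidates, the checksum confirms them.
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(f"pattern:card:****{digits[-4:]}")  # never log the full number

    # 2. Keywords: case-insensitive term list.
    lowered = text.lower()
    hits += [f"keyword:{k}" for k in sorted(KEYWORDS) if k in lowered]

    # 3. File attributes: type and size thresholds.
    if PurePath(file_name).suffix.lower() in BLOCKED_TYPES:
        hits.append("attr:type")
    if len(content) > MAX_BYTES:
        hits.append("attr:size")
    return hits


# Constructed sample: one valid test card number and one random digit run.
SAMPLE = b"Internal memo: card 4111 1111 1111 1111, ref 1234 5678 9012 3456"

if __name__ == "__main__":
    print(scan("memo.txt", SAMPLE))
```

Only the first number in the sample is reported: the second matches the regular expression but fails the checksum, which is the false-positive case a pattern-only rule would raise.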


Data loss prevention: example


Power Management

Services:

• For Windows and Mac OS X

• Comprehensive executive reports

• Client-side dashboard option to create personalized reports

• Customize power consumption information to match corporate environments

• Scheduled wake-on-LAN to wake up endpoints

• Auto-save open files before shutdown/restart

Benefits:

• Cost savings through reduction in energy usage and utility rebates where applicable

• Obtain max power savings while avoiding disruption to IT system management

• Project potential savings using “what-if” scenario calculator

• Single tool to identify misconfiguration and automatic remediation

Diagram labels: Reduce power costs, Centralize energy savings policies, What-if scenarios


Power Consumption Summary

Total Power Consumption for all devices is summarised on this dashboard

Which includes your Total Current Power Usage (kWh, Cost and Green House)

Potential savings are also identified

The breakdown of power usage for workdays and weekends is now available


Summary

• IBM Endpoint Manager enables unified management of all enterprise devices – desktops, laptops, servers, smartphones, and tablets

• Real-time/proactive endpoint management: Patch management, anti-virus/malware, power management and device location information

• Continuous compliance reduces costs and risk

  • Power management

  • Management of assets


Thank you!


Acknowledgements, disclaimers and trademarks

© Copyright IBM Corporation 2012. All rights reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Information concerning non-IBM products and services was obtained from a supplier of those products and services. IBM has not tested these products or services and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products and services. Questions on the capabilities of non-IBM products and services should be addressed to the supplier of those products and services.

All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography.

IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml