1. technology and computing
2. computer security
3. network security

Ironside Group
Solutions
Your success is what drives us.
Dev Ops | Security | Reporting | Software Dev
DevOps Enterprise Architecture
Ronda Kiser-Oakes – [email protected]
IBM Endpoint Manager
Overview Presentation
Bob Schmidt – [email protected]
2
Visibility is key in a constantly changing, distributed world
Critical systems are globally distributed and in constant flux
Find all assets on your
network – NOW!
Patch hundreds of thousands
of workstations, laptops and
servers in minutes.
Deploy a software
application worldwide in
days.
Patch anywhere, anytime over any
network.
4
Continuously enforce security
configuration baselines, even on
mobile and off-network devices.
IEM Service Delivery Platform & Solutions
Desktop & Server Management
IT Policy Enforcement
Patch
Management
Software
Distribution
Power
Management
Asset
Discovery
OS Deployment
Software
Inventory &
Metering
Remote Desktop
Client
Manager for
AV
Patch
Management
Vulnerability
Assessment
Security Config
Management
Data Leak
Prevention
BigFix Platform
See
Change
Enforce
5
AntiThreat
NAC
Antivirus
Antispyware
Endpoint
Firewall
Client Manager
for AV
Endpoint complexity continues to increase
Speed,
severity and
complexity of
malware
attacks
Endpoint
device counts,
devices and
platforms
Compliance
requirements
to establish,
prove and
maintain
continuous
compliance
Patch O/S and application
vulnerabilities with hours
Mobile/roaming endpoints
Establish, prove and
maintain continuous
compliance
Rapid, agile, automated
remediation is needed
New form factors and
platforms
Employee-owned devices
6
IBM Unified Device and Persona based Mgmt
Smartphones & Tablets
Mobile
Devices
Mobile
Apps
SaaS, On-premise, or MSP
Integrated Reporting
Comprehensive Security
PC’s, Macs, POS, ATMs
Lowest TCO
Distributed Data Centers
On and off-network
Patch
Management
Lifecycle
Management
SW Usage
& Analysis
Physical and Virtual
Security &
Compliance
Core
Protection
Power
Management
Server
Datacenters
Automation
Find and Fix problems in minutes across all enterprise computers and mobile devices
7
IBM Endpoint Manager continuously monitors the health and
security of all enterprise computers in real-time via a single,
policy-driven agent
Endpoints
• Common management agent
Desktop / laptop / server endpoint
Purpose specific
• Unified management console
• Common infrastructure
• Single server
Patch
Management
Lifecycle
Management
Software Use
Analysis
Datacenters
Power
Management
Core
Protection
Server
Automation
Security and
Compliance
Systems Management
Security Management
IBM Endpoint Manager
8
IBM Endpoint Manager offers a unified
management platform
Desktop and Server Administration
Delivers patch, inventory, software distribution, OS deployment,
remote control capabilities and near real-time visibility into the
state of endpoints including advanced capabilities to support
server endpoints.
Software Asset Management
Track software usage patterns and trends across Windows,
UNIX and Linux endpoints with always on asset management
to enhance license compliance. Manages software assets from
procurement to retirement using control desk integration.
Endpoint Security, Protection & Compliance
Provides unified, real-time visibility and enforcement to protect
distributed environments against threats that target endpoints
and helps organizations to comply with regulatory standards on
security.
9
IBM Endpoint Manager elements
Single intelligent agent
• Continuous self-assessment
• Continuous policy enforcement
• Minimal system impact (<2% CPU, <10MB RAM)
Flexible policy language (Fixlets)
•
•
•
•
10
Thousands of out-of-the-box policies
Best practices for operations and security
Simple custom policy authoring
Highly extensible/applicable across all platforms
Single server and console
• Highly secure, highly available
• Aggregates data, analyses and reports
• Manages up to 250K endpoints per server
Virtual infrastructure
• Designate Endpoint Manager agents as a relay or
discovery point in minutes
• Provides built-in redundancy
• Leverages existing systems/shared infrastructure
How it Works
Identify unmanaged assets
Lightweight, Robust Infrastructure
Remote Offices
• Use existing systems as Relays
• Built-in redundancy
• Support/secure roaming endpoints
Cloud-based Content Delivery
• Highly extensible
• Automatic, on-demand functionality
Single Server & Console
• Highly secure, highly scalable
• Aggregates data, analyzes & reports
• Pushes out pre-defined/custom policies
Single Intelligent Agent
• Performs multiple functions
• Continuous self-assessment & policy enforcement
• Minimal system impact (< 2% CPU)
11
Manage roaming
devices
The Changing Nature of Endpoint Management
•
•
•
Multiple tools and differentiated skill sets (Silos) are required to manage distributed and
datacenter servers across all platforms increasing costs
Customers can’t move to cloud without the ability to automate the lifecycle of both physical
and virtual systems
How can I manage the Lifecycle of EVERY ENDPOINT?
Sequenced Server Build:
1.
2.
3.
4.
5.
6.
7.
8.
Right OS version?
IP addressing scheme?
DNS settings?
Hostname?
RAID settings?
Disk partitions?
Secured OS & Firewall
settings?
Supporting software
(Corporate SW, Agents, etc)
Lifecycle management
of Datacenter servers?
Patch
Security and
Management Lifecycle Compliance
Management
• Coordinated Server Builds ?
• Server Cluster Patching?
• Custom tasks across related endpoints?
Distributed
Devices
12
Unified Device Management
?
Datacenter
Distributed
Servers &
Servers
Virtual Servers
IBM Endpoint Manager, built on BigFix technology
Network-friendly architecture
delivers large packages
without disrupting critical
business applications
Cloud-based service
continuously provides
new patch, policy
updates
Content Update
Service
Support for a wide variety of
devices: iOS, Android,
Blackberry, Windows, Mac,
Unix, Linux, mobile
Home
Headquarters
Stores / Kiosks
56k
3G
WAN
Single, intelligent
agent uses <2%
CPU, <10MB RAM
T1 line
T1 line
Coffee shop
Internet
WiFi
Satellite
Data center
WiFi
Hotel
Airport
Remote offices
Distribution center
One management server per
250,000 endpoints
Full command and
control of Internetconnected devices
Use existing computers
as Relays to minimize
network traffic
Whether it’s a Mac connecting from hotel WiFi, a Windows laptop at 30K feet or a Red Hat Linux Server in your data
center, IBM Endpoint Manager has it covered. In real time, at any scale.
13
Closed Loop Speed is Our Advantage
Traditional Solutions
TEM Software Policies
Report
Report
Publish
Publish
Evaluate
Evaluate
Enforce
Decide
Evaluate
Decide
Enforce
Challenge
14
Traditional client/server tools
TEM Platform
Complete the policy enforcement
loop
Everything is controlled by the
server, which is slow
A new way to do systems and
security management
Increase the accuracy and speed of
your knowledge
It can take days to accurately close
the enforcement loop
Policy enforcement is accomplished
and proven in minutes instead of
days
Scalability cannot be attained
without large infrastructure
investments
Administrators are still managing
tools instead of being productive
Distributed processing means
scalability is unlimited
Adjust system policies depending on
environment, location
Scan-based assessment, leading to
stale data false sense of awareness
Real-time situational awareness
Patch Management
Services:
Benefits:
• IBM Cloud content delivery
service (operating systems and
3rd party applications)
• Reduction in patch and update times
from weeks and days to hours and
minutes
• Patch capabilities for multiple
platforms: Windows, Mac OS X,
Linux and UNIX
• Increase first-pass success rates from
60-75% to 95-99+%
• Intelligent agent
• Automated self-assessment, no
centralised or remote scanning required
• Real-time reporting
"We compressed our patch process from 6 weeks to 4 hours"
"We consolidated eight tools/infrastructures to one"
"We reduced our endpoint support issues by 78%"
"We freed up tens of admins to work on higher value projects"
15
Overview of Patch Management
The patches dashboard provides a
real-time view on Windows patches
requirement across your environment
See any New
Content here
Application vendor patches
…and operating
system patches
•
•
•
•
•
•
•
•
•
•
•
•
Adobe Acrobat
Adobe Reader
Apple iTunes
Apple QuickTime
Adobe Flash Player
Adobe Shockwave Player
Mozilla Firefox
RealPlayer
Skype
Oracle Java Runtime Environment
WinAmp
WinZip
Start with the Patch
Management domain
16
Patch Management Video - link
Patch Management for Windows now supports nonsecurity updates, specifically critical updates and
service packs for the Microsoft Windows product family
17
Patch Overview Dashboard
18
Lifecycle Management
Services:
• Asset Discovery
Benefits:
• Patch Management
• Dramatically reduced patch cycles and
increased first-pass success rates
• Inventory Management
• Closed loop validation in real-time
• Software Distribution
• Massive scalability and support for remote
and intermittently connected devices
• OS Deployment
• Remote Desktop Control
• Detection and resolution of corrupted
patches
• Multi-platform support (Unix, Linux,
Windows, Mac OS X)
Dramatically reduced
patch cycles and
increased first-pass
success rates
Multi-platform support
(Unix, Linux, Windows,
Mac OS X)
19
Lifecycle Management
Windows 7 Operating System Deployment (OSD)
 Streamlined deployment
process with centralised
control and automation
 User profiles are saved,
migrated to Windows 7
and restored in order to
retain valuable data, all
in one easy step
 Scheduled migration
IBM Endpoint Manager provides a graphical view of Windows 7 operating systems migration.
Its unified console enables management of source images from a single location
20
 Bandwidth throttling
Lifecycle Management
Software Distribution via IBM Endpoint Manager
IEM Server
Existing
Software Library
IEM Console
IEM Relay
1. Admin imports
library from network
storage
3. IEM Server and Relays
manage and cache
downloads for
workstations
2. Admin imports
library, customizes
packages, and
initiates policies
5. Completed actions are
immediately reported to
the IEM Server
21
4. Eligible IEM agents act
on the policy, installing
prerequisites and offering
installations to users
Software Usage Analysis
Services:
Benefits:
• For Windows Servers and PCs
• Near real time software inventory
• Unix/Linux Servers
• Near real time software usage
reporting
• Software Asset Discovery
• Software Use Metering
• Software Use Reporting
• Search, browse, and edit the
Endpoint Manager software
identification catalogue, which
contains over 105,000 signatures
out of the box
• Periodic catalogue updates are
released regularly
• Easily customize the software
identification catalogue to include
tracking of home-grown and
proprietary applications
8000+
Software publishers
40,000+
Software products
22
Asset Discovery
Identify all un-managed endpoints in your organization
 Identification of network
assets – including
devices such as routers,
printers, switches,
wireless access points,
or anything with an IP
address
 Identification of
unmanaged and rogue
computers
 Defined Nmap scanners
23
Software Usage Analysis 2.x
24
Power Management
Services:
• For Windows and Mac OS X
• Comprehensive executive
reports
• Client-side dashboard option
to create personalized reports
• Customize power
consumption information to
match corporate
environments
• Scheduled wake-on-LAN to
wake up endpoints
• Auto-save open files before
shutdown/restart
25
Benefits:
• Cost savings through reduction in
energy usage and utility rebates
where applicable
• Obtain max power savings while
avoiding disruption to IT system
management
• Project potential savings using
“what-if” scenario calculator
• Single tool to identify
misconfiguration and automatic
remediation
Bendigo Bank
The bank saved $175,000 off
its power bill within 12
months and avoid 2190
tonnes of carbon emissions
by using the advanced
power management
features of IBM Endpoint
Manager
See - http://bit.ly/xQxUdd
Power Consumption Summary
Total Power Consumption for
all devices is summarised on
this dashboard
Which includes your Total Current
Power Usage (kWh, Cost and Green
House)
Potential savings are also
identified
The breakdown of power usage for
workdays and weekends is now
available
26
Core Protection
Services:
• Prevents viruses, Trojans, worms, and other new malware
• Available for Windows and Mac
• Deep-cleans malware with Trend Micro SysClean
• Catches and cleans spyware, rootkits and remnants completely
• Includes an enterprise client firewall for network safety
• Blocks users and applications from malicious web content
• Integrates Web Reputation and File Reputation services powered
by the Trend Micro Smart Protection Network
• Add-On: Data Loss Prevention and Advanced Device Control
Single Console
Cloud-based
Protection
Anti-virus
Anti-malware
Personal
Firewall
Data Protection
27
What is IBM Endpoint Manager – Core Protection?
IBM Endpoint Manager
Server and Console
+ IEM-CP
Relay
SmartScan Fail-Over
Server(s)
Endpoints
28
Data Loss Prevention
Prevent Data Loss at the Endpoint
•
Real-time content scanning of sensitive data
•
Protection of structured data
•
Multi-channel monitoring and enforcement
•
Minimal incremental impact on client performance
Place limits on user devices
•
Limit removable devices by make/model/serial
•
Limit applications that can use devices
•
Control behaviour of removable media (USB drives)
“Best-of-breed content-aware DLP solutions have a deserved reputation
for being expensive, difficult to implement and generally possessing
capabilities exceeding most companies‘ requirements. .. the majority of
organizations (approximately 70%) may be able to deploy "good enough"
DLP capabilities in evolving non-E-DLP solutions.”
Gartner, MQ for Mobile Device Management Software, 2012
29
Protect privacy
Secure
Intellectual
Property
Comply with
regulations
Multiple Methods for Protecting your Digital Assets
Patterns - Regular Expressions
( credit card, social insurance, account numbers)
Keywords – Lists of terms
(confidential, internal, project/product names…)
File Attributes – File Name, File Size, File Type
(threshold of acceptable use)
30
Server Automation
Services:
Benefits:
• Task Sequencing
• Reduce tools required to manage
distributed and datacenter servers
• Advanced Server Patching support
• Coordinated Server Builds (OS through
Middleware)
• Middleware Management
• Automate lifecycle management of
both physical and virtual servers.
• Enables users to perform advanced
automation tasks across servers without the need for programming
skills
• Out of the box automation and
simple customization
Reduce costs
through higher
levels of
automation
Reduce human
errors and
accelerate server
updates by
extending
automation to
groups of related
servers
31
Lifecycle Management with Server Automation
Lifecycle
Management
Lifecycle Manager with Server
Automation
OS Deployment
Windows
PLUS Server OS* (Windows & Linux)
Hardware & Software Inventory
Physical
PLUS Virtual
Patch Management
Simple Patching (e.g. Individual
and groups of endpoints)
PLUS Advanced Patching (e.g.
Patch a server cluster)
Software Distribution
Simple Software (e.g. email client,
browser, pdf reader, msft office, etc)
PLUS Complex Software*
(Web/app/db software like WAS, DB2,
MS SQL)
Custom Task Automation
Simple Automation (On individual
endpoints)
PLUS Complex Software (Across
groups of related endpoints)
32
*Server OS support - est. 2Q, 2013, Middleware install – est. 3Q, 2013
Security and Compliance
• Asset Discovery and Visibility
• Multi-Vendor Anti-Malware Management
• Patch Management
• Vulnerability Management
• Security Configuration Management
• Network Self Quarantine
Continuous
enforcement of
security policies,
regardless of network
connection status
Host-based
vulnerability
assessment with
severity scoring and a
99.9% accuracy rate
Define and assess
client compliance to
security
configuration
baselines
SCAP certified for
FDCC
Local Video File (9:58)
33
Windows, UNIX, Linux,
and Mac OS X
Security and Compliance
Vulnerability Management
• Enables vulnerability discovery, assessment and remediation before endpoints are affected.
• Assesses systems against standardised OVAL vulnerability definitions and reports on noncompliant
policies in real time.
34
Security and Compliance
Client Manager for Endpoint Protection
35
Security and Compliance
Client Manager for Endpoint Protection
• Manages the “health” of a variety of endpoint protection products from
McAfee, Symantec, Trend Micro, Sophos, Microsoft
• Deployment overview for endpoint protection products
• CMEP Open Framework - Designed allow external users to add reporting
capabilities for any AV product
36
IBM’s experience using IBM Endpoint Manager
IBM gained real-time visibility into endpoints, and automatically remediates issues across over
500,000 endpoints and supports multiple policies based on employee role and data access
Before
Patch availability typically 3-14+ days
After
Patch availability within 24 hours
92% compliance within 5 days (ACPM only) 98% within 48 hours
EZUpdate sometimes misses application of
patches on required machines
Detected about 35% of participants missing
at least one previous patch
Compliance model, completely reliant on
user
90% of Windows requirements can be
automatically remediated
Exceptions at machine level
Exceptions at setting level
Reference - http://ibm.co/Ikm5xR
37
Summary
•
IBM Endpoint Manager enables unified management of all
enterprise devices – desktops, laptops, servers, smartphones,
and tablets
•
Real-time/proactive endpoint management: Patch
management, anti-virus/malware, power management and
device location information
•
Continuous compliance reduces costs and risk
Power management
Management of assets
•
•
38
IEM provides integrated web based reporting (1/2)
39
IEM provides integrated web based reporting (2/2)
40
IEM provides detailed asset management reporting
Hardware and Software information across a range of server and workstation platforms: Windows, AIX,
HP-UX, Linux, Mac, Solaris and Mobile devices!
41
IBM Endpoint Manager delivers a number
services for Windows 7 migration
• Asset Discovery
• Windows 7 Migration Assessment
• Software Usage Analysis
• Operating System Deployment
• Software Distribution
• Patch Management
Patch
Management
• Security and Compliance
Security and
Compliance
42
Leaders Quadrant- Client Management Solutions
Gartner does not endorse any vendor, product or service depicted in its
research publications, and does not advise technology users to select
only those vendors with the highest ratings. Gartner research publications
consist of the opinions of Gartner's research organization and should not
be construed as statements of fact. Gartner disclaims all warranties,
expressed or implied, with respect to this research, including any
warranties of merchantability or fitness for a particular purpose
43
IBM Confidential