Introduction to Kaspersky Endpoint Security for Business

PAGE 1 | 51 | KESB Launch | Hong Kong | March 7-8, 2013 | See it – Control it – Protect it – An intro to Kaspersky Endpoint Security for Business | Nathan Wang, VP of Tech Divisions, Kaspersky APAC

Upload: andrew-wong

Post on 22-Nov-2014


TRANSCRIPT

Page 1: Introduction to Kaspersky Endpoint Security for Business

PAGE 1 | 51 | KESB Launch | Hong Kong | March 7-8, 2013

See it – Control it – Protect it – An intro to Kaspersky Endpoint Security for Business

Nathan Wang, VP of Tech Divisions, Kaspersky APAC

Page 2: Introduction to Kaspersky Endpoint Security for Business

Topics of discussion

1. Business demands and IT challenges
2. Kaspersky Endpoint Security for Business
3. Kaspersky Lab datasheet

• Encryption: a difficult play or an easy game?
• System Manager: what’s new?
• MDM: a convenient alternative?
• Others: KSV 2.0, KS-Exchange and KLMS 8

Page 3: Introduction to Kaspersky Endpoint Security for Business

Business drivers and their impact on IT

• AGILITY: Move fast, be nimble and flexible. 66% of business owners identify business agility as a priority.
• EFFICIENCY: Cut costs. Consolidate and streamline. 54% of organizations say that their business processes could be improved.
• PRODUCTIVITY: Maximise the value of existing resources. Do more with less. 81% of business owners cite operational efficiencies as their top strategic priority.

IMPACT on IT

• IT complexity: more data, more systems, more technology
• Pressure on resources and budgets

Page 4: Introduction to Kaspersky Endpoint Security for Business

And then, there’s the rise of malware…

[Chart with a time axis from 1999 to 2013]

• Malware files in Kaspersky Lab collection, Jan 2013: >100m
• New threats every day: 200K
• Malicious programs specifically targeting mobile devices: >35K

Page 5: Introduction to Kaspersky Endpoint Security for Business

The impact on IT security

YOUR DATA

• Malware. Response: Anti-malware plus management tool / dashboard
• The #1 target: applications! Response: Systems / patch management
• Your data is on the move! Response: Data encryption
• Mobile / BYOD. Response: Mobile device management (MDM)

Page 6: Introduction to Kaspersky Endpoint Security for Business

What if?

• Malware
• Mobile / BYOD
• Your data is on the move!
• The #1 target: applications!

YOUR DATA

1 PLATFORM, MANAGEMENT CONSOLE, COST

Page 7: Introduction to Kaspersky Endpoint Security for Business

Topics of discussion

Page 8: Introduction to Kaspersky Endpoint Security for Business

A high level glance of KES/KSC10

SEE

• Physical, virtual, mobile
• Identify vulnerabilities
• Inventory HW and SW
• Take action with clear reporting

CONTROL

• Configure and deploy
• Set and enforce IT policies
• Manage employee-owned devices
• Prioritize patches
• License Management
• NAC

PROTECT

• Evolve beyond anti-virus
• Meet security demands
• Protect data and devices anywhere
• Rely on Kaspersky expertise

Page 9: Introduction to Kaspersky Endpoint Security for Business

A high level glance of KES/KSC10

• Smartphones
• Tablets
• Server
• Workstation
• Laptop

Kaspersky Endpoint Security

• Anti-malware
• Control Tools
• Encryption
• Mail and Web
• Collaboration Server
• Image Mgmnt
• NAC
• SW/HW Mgmnt

Kaspersky Security Center

• Security policy mgmnt
• Mobile Device Mgmnt
• Systems Management
• Vulnerability Scan
• Patch Mgmnt
• License Mgmnt

Page 10: Introduction to Kaspersky Endpoint Security for Business

A high level glance of KES/KSC10

Kaspersky Security Center

Core, Select, Advanced, Total

• Anti Malware + Firewall
• Application Control, Device Control, Web Control
• File Server Security
• Mobile Endpoint Security
• Data Protection (Encryption)
• Systems Management (SMS): License Management, Vulnerability Scan, Patch Management, Image Management, Software Installation, Network Admission (NAC)
• Mobile Device Management (MDM)
• Collaboration, Mail, Gateway

Endpoint Management Infrastructure

Cloud protection is enabled for business users via the Kaspersky Security Network (KSN)

Page 11: Introduction to Kaspersky Endpoint Security for Business

Topics of discussion

Page 12: Introduction to Kaspersky Endpoint Security for Business

Encryption – quite difficult mechanism

---- Who is listening and what to do?

[Diagram: exchange between Alice and Bob with Eve listening; labels 0, 1, 2, 0+1, 0+2, 0+1+2]

Page 13: Introduction to Kaspersky Endpoint Security for Business

Encryption – quite difficult mechanism

---- Color trick & numerical arithmetic with one-way function

[Diagram: Alice, Bob and Eve]

Page 14: Introduction to Kaspersky Endpoint Security for Business

Encryption – quite difficult mechanism

Encryption offering

• Full Disk Encryption (FDE)
• File Level Encryption (FLE)
• Removable Media data Encryption (RME)

Asymmetric encryption: protection for data in transit

• Secure connection between EP and KSC (SSL)
• User and computer keys’ management exchange
• Protection for recovery data

Symmetric encryption: protection for data at rest

• Full disk encryption
• File level encryption
• Removable media data encryption

AES encryption module

• 256-bit
• 56-bit

Page 15: Introduction to Kaspersky Endpoint Security for Business

Encryption – quite difficult mechanism

---- Keys used in encryption

• An individual master key for each computer
• An individual key for each user
• The computer key is encrypted using the public key of the Security Center
• The user’s key is encrypted using the personal key

[Diagram labels: Master key; User’s key; MS DPAPI; Computer key store; User key store]

Page 16: Introduction to Kaspersky Endpoint Security for Business

Encryption – quite difficult mechanism

---- Document exchange inside a corp network

[Diagram labels: Computer #1; Computer #2; Master key #1; Master key #2; User key store; Encrypted file (Master key ID); steps 1 to 4]

Page 17: Introduction to Kaspersky Endpoint Security for Business

Encryption – quite difficult mechanism

---- Boot order when FDE is used

• Authentication Agent starts before the operating system
• Key for decrypting the system boot sector
• Special drivers are responsible for decrypting disk files during and after the operating system start

[Diagram labels: MBR; Pre-boot Environment (Authentication Agent); Operating system boot record; File system; Password; Open data; Encrypted data]

Page 18: Introduction to Kaspersky Endpoint Security for Business

Encryption – an easy operation

---- Single Sign-On for end users

[Diagram labels: Authentication Agent Username/Password; Windows Username/Password; Passwords match; Passwords do not match; Authentication Agent changes the password; Next start]

Page 19: Introduction to Kaspersky Endpoint Security for Business

Encryption – an easy operation

---- SSO, a routine policy configuration for IT guys

Page 20: Introduction to Kaspersky Endpoint Security for Business

Encryption – an easy operation

---- Enable encryption and policy configuration

Page 21: Introduction to Kaspersky Endpoint Security for Business

Encryption – an easy operation

---- “Tough” requirements for FLE and data recovery

The only requirement for FLE is the accessibility of KSC

• File Level Encryption is integrated with Windows authentication;
• The key exchange happens automatically;
• The Kaspersky encryption implementation is seamless to end users and applications, a great example of ease of use;

The data recovery requirement is simple

• The computer to which the damaged disk is connected must not have FDE enabled;
• Just connect the damaged disk and run the recovery utility;

[Diagram labels: No FDE enabled; Old hard disk]

Page 22: Introduction to Kaspersky Endpoint Security for Business

Encryption – an easy operation

---- Data sent to external parties

Page 23: Introduction to Kaspersky Endpoint Security for Business

Encryption – an easy operation

---- Removable Media data Encryption in clicks

Page 24: Introduction to Kaspersky Endpoint Security for Business

Encryption – an easy operation

---- Removable Media data Encryption in clicks

Page 25: Introduction to Kaspersky Endpoint Security for Business

Topics of discussion

Page 26: Introduction to Kaspersky Endpoint Security for Business

System Management: What’s new?

---- SM function via KSC and Network Agent

• Software monitoring/inventory
• Hardware monitoring/inventory
• License Management
• Vulnerability detection
• Update management
• Installation of 3rd party’s applications
• Network Access Control (NAC)
• Deployment of operating system images

Page 27: Introduction to Kaspersky Endpoint Security for Business

System Management: What’s new?

---- Licensed management (remember software inventory?)

Page 28: Introduction to Kaspersky Endpoint Security for Business

System Management: What’s new?

---- Licensed management (NOT licensing enforcement)

Examples of use cases:

• Error, the number of licenses is exceeded;
• Warning, license will expire soon (in 14 days);
• Info, 95% of the available licenses are used up

Page 29: Introduction to Kaspersky Endpoint Security for Business

System Management: What’s new?

---- New update management

Vulnerability Scan Task

1. Missing Windows updates
2. Vulnerabilities from KL database

[Diagram labels: Windows Update; KL Expertise; KL Vulnerability DB]

Page 30: Introduction to Kaspersky Endpoint Security for Business

System Management: What’s new?

---- Patching vulnerabilities

Page 31: Introduction to Kaspersky Endpoint Security for Business

System Management: What’s new?

---- Testing tasks patch and update installation

Page 32: Introduction to Kaspersky Endpoint Security for Business

System Management: What’s new?

---- SM features in KSC9 and in the new KSC10

The previous capabilities from KSC 9 remain available:

• Find vulnerabilities and Microsoft application updates (via the local WU service);
• Installation of selected Microsoft updates (via the local WU service);
• Installation of updates manually created and assigned by the administrator;

The new licensed capabilities added to KSC 10:

• Automatic installation of updates and patches according to the specified rules;
• Using the KSC Server as a WSUS server;
• Installation of updates and patches for the applications included in the Kaspersky Lab database;
• Other new features;

Page 33: Introduction to Kaspersky Endpoint Security for Business

System Management: What’s new?

---- Network Access/Admission Control (NAC)

NAC basics

• Usually people think NAC is an appliance using SNMP;
• NAC can be used to securely control authenticated/unauthenticated user traffic according to policies (based on port, protocol, subnet);

Capabilities of KL software based NAC

• Block Internet access for computers having “bad” protection status;
• Redirect unmanaged computers to the authorization portal;
• Block any network activity for new devices;
• Allow new computers to access a special isolated subnet;

KL NAC architecture

• Enforcers, Policy server, Access policy and Network devices;
• Simple deployment that requires no changes on DHCP, DC;

Page 34: Introduction to Kaspersky Endpoint Security for Business

System Management: What’s new?

---- Network Access/Admission Control (NAC)

Page 35: Introduction to Kaspersky Endpoint Security for Business

System Management: What’s new?

---- Remote deployment of operating system images

Capturing an Operating System image

• Install and use Windows Automated Installation Kit;
• Enable representation of the OS image capture and distribution functionality;
• Capture a computer image, say a Windows 8 operating system, with application pre-installed;

Deploying the image

• Remotely install the Windows 8 image to managed computers;
• Remotely install the Windows 8 image to “bare metal” computers;

Page 36: Introduction to Kaspersky Endpoint Security for Business

Topics of discussion

Page 37: Introduction to Kaspersky Endpoint Security for Business

MDM: a convenient alternative?

---- What we have been doing manually

Page 38: Introduction to Kaspersky Endpoint Security for Business

MDM: a convenient alternative?

---- KL MDM architecture

Page 39: Introduction to Kaspersky Endpoint Security for Business

MDM: a convenient alternative?

---- KL MDM architecture

[Diagram labels: Apple Push Notification Service; iOS; Android; Windows Mobile; Windows Phone; Palm (WebOS); Nokia (Symbian, Maemo)]

Page 40: Introduction to Kaspersky Endpoint Security for Business

MDM: a convenient alternative?

---- KL Mobile Devices Server installation

Adding Exchange ActiveSync Mobile Devices Server

• Install Agent and MDM server on an Exchange Server;*
• Test the connection with a KSC Server;
• Exchange ActiveSync configuration;

Profile creation and policy configuration

• On the KSC, configure profiles and policies for the selected mailbox of the Exchange server
• Sync the profile and policy with the Exchange server

Mobile devices receive profiles and policies**

• Direct Push is used for pushing notifications (MS Exchange ActiveSync)
• Users receive them during the synchronization with the Exchange server

Page 41: Introduction to Kaspersky Endpoint Security for Business

MDM: a convenient alternative?

---- Synchronizing Mobile Devices with KSC

[Diagram label: Mobile Devices]

Page 42: Introduction to Kaspersky Endpoint Security for Business

Kaspersky Mobile Endpoint Security

---- Centrally managed by the KSC

• CONFIGURE/DEPLOY: Via SMS, email or tether
• SECURITY: Anti-malware, Anti-phishing, Anti-spam
• ANTI-THEFT: GPS find, Remote block
• POLICY COMPLIANCE: Set password, Jailbreak / Root notice, Force settings
• APPLICATIONS: Containerization, Data access restriction
• DATA ACCESS: Data Encryption, Remote wipe

Page 43: Introduction to Kaspersky Endpoint Security for Business

MDM: a convenient alternative?

---- Still want to go back to the old manual operation?

Page 44: Introduction to Kaspersky Endpoint Security for Business

KES/KSC10 in a nutshell

• See it
• Control it
• Protect it

• Console
• Platform
• Cost

Page 45: Introduction to Kaspersky Endpoint Security for Business

Topics of discussion

Page 46: Introduction to Kaspersky Endpoint Security for Business

KSV 2, KS-Exchange 8, KLMS 8, SPE 10…

---- Kaspersky comprehensive security offering

Kaspersky Security for Virtualization

• Effectively integrated with vShield, an agentless solution to deliver cloud/local anti-malware and network protection under KSC management;
• Fulfils the VMware mission of enhancing security via an effective agentless approach;

Mail, collaboration and gateway security

• Email, SharePoint and gateway security are always essential;
• Multi-layered spam filtering plus the best anti-malware for security elevation and resource optimization;

Service Provider Edition

• A web application designed for ISPs to provide an anti-malware security control/monitoring service for corporate networks;
• Coupled with KSV, it delivers cloud based security products and services;

Page 47: Introduction to Kaspersky Endpoint Security for Business

Topics of discussion

Page 48: Introduction to Kaspersky Endpoint Security for Business

Kaspersky Lab datasheet

Page 49: Introduction to Kaspersky Endpoint Security for Business

Kaspersky Lab datasheet

Page 50: Introduction to Kaspersky Endpoint Security for Business

Kaspersky Lab datasheet

Page 51: Introduction to Kaspersky Endpoint Security for Business

Thank You!

Nathan Wang, VP of Tech Divisions, Kaspersky APAC