Ironside Group
Solutions
Your success is what drives us.
Dev Ops | Security | Reporting | Software Dev
DevOps Enterprise Architecture
IBM Endpoint Manager
Overview Presentation
Critical systems are globally distributed and in constant flux
Visibility is key in a constantly changing, distributed world
Find all assets on your network – NOW!
Deploy a software application worldwide in days.
Patch hundreds of thousands of workstations, laptops and servers in minutes.
Continuously enforce security configuration baselines, even on mobile and off-network devices. Patch anywhere, anytime over any
AntiThreat
Desktop & Server Management
Patch Management, NAC, Security Config Management, Vulnerability Assessment, Data Leak Prevention, OS Deployment, Remote Desktop, Software Inventory & Metering, Asset Discovery, Software Distribution, Power Management
IT Policy Enforcement
BigFix Platform
See
Change
Enforce
Anti-spyware, Anti-virus, Endpoint Firewall
Client Manager for AV
IEM Service Delivery Platform & Solutions
Endpoint complexity continues to increase
Endpoint device counts, devices and platforms
Compliance requirements to establish, prove and maintain continuous compliance
Speed, severity and complexity of malware attacks
Patch O/S and application vulnerabilities within hours
Rapid, agile, automated remediation is needed
Mobile/roaming endpoints
New form factors and platforms
Employee-owned devices
Establish, prove and maintain continuous
IBM Unified Device and Persona based Mgmt
Smartphones & Tablets
PCs, Macs, POS, ATMs
On and off-network
Distributed Data Centers
Physical and Virtual
SaaS, On-premise, or MSP
Integrated Reporting, Comprehensive Security, Lowest TCO
Patch Management, Lifecycle Management, Core Protection, Mobile Devices, Security & Compliance, Power Management, SW Usage & Analysis, Mobile Apps
Find and Fix problems in minutes across all enterprise computers and mobile devices
Datacenters Server
IBM Endpoint Manager continuously monitors the health and security of all enterprise computers in real-time via a single, policy-driven agent
Endpoints
• Common management agent
• Unified management console
• Common infrastructure
• Single server
IBM Endpoint Manager
Patch Management, Lifecycle Management, Software Use Analysis, Power Management, Security and Compliance, Core Protection
Desktop / laptop / server endpoint Purpose specific
Systems Management, Security Management
Server Automation
IBM Endpoint Manager offers a unified management platform
Desktop and Server Administration
Delivers patch, inventory, software distribution, OS deployment,
remote control capabilities and near real-time visibility into the
state of endpoints including advanced capabilities to support
server endpoints.
Software Asset Management
Track software usage patterns and trends across Windows,
UNIX and Linux endpoints with always on asset management
to enhance license compliance. Manages software assets from
procurement to retirement using control desk integration.
Endpoint Security, Protection & Compliance
Provides unified, real-time visibility and enforcement to protect
distributed environments against threats that target endpoints
and helps organizations to comply with regulatory standards on
security.
IBM Endpoint Manager elements
Single intelligent agent
• Continuous self-assessment
• Continuous policy enforcement
• Minimal system impact (<2% CPU, <10MB RAM)
Single server and console
• Highly secure, highly available
• Aggregates data, analyses and reports
• Manages up to 250K endpoints per server
Flexible policy language (Fixlets)
• Thousands of out-of-the-box policies
• Best practices for operations and security
• Simple custom policy authoring
• Highly extensible/applicable across all platforms
Virtual infrastructure
• Designate Endpoint Manager agents as a relay or discovery point in minutes
• Provides built-in redundancy
Single Server & Console
• Highly secure, highly scalable
• Aggregates data, analyzes & reports
• Pushes out pre-defined/custom policies
Cloud-based Content Delivery
• Highly extensible
• Automatic, on-demand functionality
Single Intelligent Agent
• Performs multiple functions
• Continuous self-assessment & policy enforcement
• Minimal system impact (< 2% CPU)
Lightweight, Robust Infrastructure
• Use existing systems as Relays
• Built-in redundancy
• Support/secure roaming endpoints
How it Works
Remote Offices
Manage roaming devices
The Changing Nature of Endpoint Management
Datacenter Servers & Virtual Servers, Security and Compliance, Patch Management, Lifecycle Management, Distributed Devices, Distributed Servers
• Coordinated Server Builds?
• Server Cluster Patching?
• Custom tasks across related endpoints?
• Multiple tools and differentiated skill sets (Silos) are required to manage distributed and datacenter servers across all platforms increasing costs
• Customers can’t move to cloud without the ability to automate the lifecycle of both physical and virtual systems
• How can I manage the Lifecycle of EVERY ENDPOINT?
Unified Device Management
Sequenced Server Build:
1. Right OS version?
2. IP addressing scheme?
3. DNS settings?
4. Hostname?
5. RAID settings?
6. Disk partitions?
7. Secured OS & Firewall settings?
8. Supporting software (Corporate SW, Agents, etc)
Lifecycle management of Datacenter servers?
[Network diagram: Stores / Kiosks, Data center, Headquarters, Remote offices, Distribution center, Airport, Hotel, Coffee shop and Home, connected over WAN, Internet, T1 line, 56k, 3G and WiFi links]
Whether it’s a Mac connecting from hotel WiFi, a Windows laptop at 30K feet or a Red Hat Linux Server in your data center, IBM Endpoint Manager has it covered. In real time, at any scale.
Satellite
Network-friendly architecture delivers large packages without disrupting critical business applications
One management server per 250,000 endpoints
Single, intelligent agent uses <2% CPU, <10MB RAM
Cloud-based service continuously provides new patch, policy updates
Full command and control of Internet-connected devices
Use existing computers as Relays to minimize network traffic
Content Update Service
IBM Endpoint Manager, built on BigFix technology
Support for a wide variety of devices: iOS, Android, Blackberry, Windows, Mac, Unix, Linux, mobile
Closed Loop Speed is Our Advantage
Report Publish Evaluate
Traditional Solutions
TEM Software Policies
Evaluate Enforce
Publish Report
Challenge
Traditional client/server tools
TEM Platform
Complete the policy enforcement loop
Everything is controlled by the server, which is slow
A new way to do systems and security management
Increase the accuracy and speed of your knowledge
It can take days to accurately close the enforcement loop
Policy enforcement is accomplished and proven in minutes instead of days
Scalability cannot be attained without large infrastructure investments
Administrators are still managing tools instead of being productive
Distributed processing means scalability is unlimited
Adjust system policies depending on environment, location
Scan-based assessment, leading to stale data and a false sense of awareness
Real-time situational awareness
Decide
Evaluate
Enforce Decide
Patch Management
Services:
• IBM Cloud content delivery service (operating systems and 3rd party applications)
• Patch capabilities for multiple platforms: Windows, Mac OS X, Linux and UNIX
• Intelligent agent
Benefits:
• Reduction in patch and update times from weeks and days to hours and minutes
• Increase first-pass success rates from 60-75% to 95-99+%
• Real-time reporting
• Automated self-assessment, no centralised or remote scanning required
"We compressed our patch process from 6 weeks to 4 hours"
"We consolidated eight tools/infrastructures to one"
"We reduced our endpoint support issues by 78%"
Overview of Patch Management
Start with the Patch Management domain
The patches dashboard provides a real-time view on Windows patches requirement across your environment
See any New Content here
Application vendor patches
• Adobe Acrobat
• Adobe Reader
• Apple iTunes
• Apple QuickTime
• Adobe Flash Player
• Adobe Shockwave Player
• Mozilla Firefox
• RealPlayer
• Skype
• Oracle Java Runtime Environment
• WinAmp
• WinZip
…and operating system patches
Patch Management for Windows now supports non-security updates, specifically critical updates and service packs for the Microsoft Windows product family
Lifecycle Management
Services:
• Asset Discovery
• Patch Management
• Inventory Management
• Software Distribution
• OS Deployment
• Remote Desktop Control
Benefits:
• Dramatically reduced patch cycles and increased first-pass success rates
• Closed loop validation in real-time
• Massive scalability and support for remote and intermittently connected devices
• Detection and resolution of corrupted patches
• Multi-platform support (Unix, Linux, Windows, Mac OS X)
Lifecycle Management
Windows 7 Operating System Deployment (OSD)
Streamlined deployment process with centralised control and automation
User profiles are saved, migrated to Windows 7 and restored in order to retain valuable data, all in one easy step
Scheduled migration
Bandwidth throttling
IBM Endpoint Manager provides a graphical view of Windows 7 operating systems migration. Its unified console enables management of source images from a single location
Lifecycle Management
Software Distribution via IBM Endpoint Manager
IEM Console, IEM Relay, IEM Server, Existing Software Library
1. Admin imports library from network storage
2. Admin imports library, customizes packages, and initiates policies
3. IEM Server and Relays manage and cache downloads for workstations
4. Eligible IEM agents act on the policy, installing prerequisites and offering installations to users
5. Completed actions are immediately reported to the IEM Server
Software Usage Analysis
Services:
• For Windows Servers and PCs
• Unix/Linux Servers
• Software Asset Discovery
• Software Use Metering
• Software Use Reporting
Benefits:
• Near real time software inventory
• Near real time software usage reporting
• Search, browse, and edit the Endpoint Manager software identification catalogue, which contains over 105,000 signatures out of the box
• Periodic catalogue updates are released regularly
• Easily customize the software identification catalogue to include tracking of home-grown and proprietary applications
Software publishers
8000+
Software products
Asset Discovery
Identification of network assets – including devices such as routers, printers, switches, wireless access points, or anything with an IP address
Identification of unmanaged and rogue computers
Defined Nmap scanners
The bank saved $175,000 off its power bill within 12 months and avoided 2190 tonnes of carbon emissions by using the advanced power management features of IBM Endpoint Manager
See - http://bit.ly/xQxUdd
Bendigo Bank
Services:
• For Windows and Mac OS X
• Comprehensive executive reports
• Client-side dashboard option to create personalized reports
• Customize power consumption information to match corporate environments
• Scheduled wake-on-LAN to wake up endpoints
• Auto-save open files before shutdown/restart
Benefits:
• Cost savings through reduction in energy usage and utility rebates where applicable
• Obtain max power savings while avoiding disruption to IT system management
• Project potential savings using “what-if” scenario calculator
• Single tool to identify misconfiguration and automatic remediation
Power Consumption Summary
Total Power Consumption for all devices is summarised on this dashboard
Which includes your Total Current Power Usage (kWh, Cost and Green House)
Potential savings are also identified
The breakdown of power usage for workdays and weekends is now
Core Protection
Services:
• Prevents viruses, Trojans, worms, and other new malware
• Available for Windows and Mac
• Deep-cleans malware with Trend Micro SysClean
• Catches and cleans spyware, rootkits and remnants completely
• Includes an enterprise client firewall for network safety
• Blocks users and applications from malicious web content
• Integrates Web Reputation and File Reputation services powered by the Trend Micro Smart Protection Network
• Add-On: Data Loss Prevention and Advanced Device Control
Single Console, Cloud-based Protection, Anti-virus, Anti-malware, Personal Firewall, Data Protection
What is IBM Endpoint Manager – Core Protection?
IBM Endpoint Manager Server and Console
Endpoints
Relay Fail-Over
+ IEM-CP
SmartScan Server(s)
Data Loss Prevention
Protect privacy
Secure Intellectual Property
Comply with regulations
• Limit removable devices by make/model/serial
• Limit applications that can use devices
• Control behaviour of removable media (USB drives)
• Real-time content scanning of sensitive data
• Protection of structured data
• Multi-channel monitoring and enforcement
• Minimal incremental impact on client performance
Prevent Data Loss at the Endpoint
Place limits on user devices
“Best-of-breed content-aware DLP solutions have a deserved reputation for being expensive, difficult to implement and generally possessing capabilities exceeding most companies’ requirements. ... the majority of organizations (approximately 70%) may be able to deploy "good enough" DLP capabilities in evolving non-E-DLP solutions.”
Patterns - Regular Expressions
(credit card, social insurance, account numbers)
Keywords – Lists of terms
(confidential, internal, project/product names…)
File Attributes – File Name, File Size, File Type
(threshold of acceptable use)
Server Automation
Services:
• Task Sequencing
• Advanced Server Patching support
• Coordinated Server Builds (OS through Middleware)
• Middleware Management
Reduce costs through higher levels of automation
Reduce human errors and accelerate server updates by extending automation to groups of related servers
Benefits:
• Reduce tools required to manage distributed and datacenter servers
• Automate lifecycle management of both physical and virtual servers.
• Enables users to perform advanced automation tasks across servers - without the need for programming skills
• Out of the box automation and simple customization
Lifecycle Management with Server Automation
Lifecycle Management | Lifecycle Manager with Server Automation
OS Deployment: Windows | PLUS Server OS* (Windows & Linux)
Hardware & Software Inventory: Physical | PLUS Virtual
Patch Management: Simple Patching (e.g. Individual and groups of endpoints) | PLUS Advanced Patching (e.g. Patch a server cluster)
Software Distribution: Simple Software (e.g. email client, browser, pdf reader, msft office, etc) | PLUS Complex Software* (Web/app/db software like WAS, DB2, MS SQL)
Custom Task Automation: Simple Automation (On individual endpoints) | PLUS Complex Software (Across groups of related endpoints)
Security and Compliance
• Asset Discovery and Visibility
• Patch Management
• Security Configuration Management
• Multi-Vendor Anti-Malware Management
• Vulnerability Management
Continuous enforcement of security policies, regardless of network connection status
Host-based vulnerability assessment with severity scoring and a 99.9% accuracy rate
Define and assess client compliance to security configuration baselines
SCAP certified for FDCC
Windows, UNIX, Linux, and Mac OS X
Security and Compliance
Vulnerability Management
• Enables vulnerability discovery, assessment and remediation before endpoints are affected.
• Assesses systems against standardised OVAL vulnerability definitions and reports on noncompliant policies in real time.
Security and Compliance
Client Manager for Endpoint Protection
• Manages the “health” of a variety of endpoint protection products from McAfee, Symantec, Trend Micro, Sophos, Microsoft
• Deployment overview for endpoint protection products
• CMEP Open Framework - Designed to allow external users to add reporting capabilities for any AV product
IBM’s experience using IBM Endpoint Manager
Before | After
Patch availability typically 3-14+ days | Patch availability within 24 hours
92% compliance within 5 days (ACPM only) | 98% within 48 hours
EZUpdate sometimes misses application of patches on required machines | Detected about 35% of participants missing at least one previous patch
Compliance model, completely reliant on user | 90% of Windows requirements can be automatically remediated
Exceptions at machine level | Exceptions at setting level
IBM gained real-time visibility into endpoints, and automatically remediates issues across over 500,000 endpoints and supports multiple policies based on employee role and data access
Summary
• IBM Endpoint Manager enables unified management of all enterprise devices – desktops, laptops, servers, smartphones, and tablets
• Real-time/proactive endpoint management: Patch management, anti-virus/malware, power management and device location information
• Continuous compliance reduces costs and risk
• Power management
IEM provides detailed asset management reporting
Hardware and Software information across a range of server and workstation platforms: Windows, AIX, HP-UX, Linux, Mac, Solaris and Mobile devices!
IBM Endpoint Manager delivers a number of services for Windows 7 migration
• Asset Discovery
• Windows 7 Migration Assessment
• Software Usage Analysis
• Operating System Deployment
• Software Distribution
• Patch Management
• Security and Compliance
Leaders Quadrant- Client Management Solutions
IBM Confidential
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose