SCCM Endpoint Protection supports Removable Media (DLP)

Abstract overview

07/24/2015 UPDATE:  We have added even more SCCM integration!  Read more about it at this blog post.

Microsoft System Center Configuration Manager (SCCM) contains a component called Endpoint Protection.  Endpoint Protection here means protecting the organization assets.  Assets mean data, software and hardware (Windows workstations and servers) in your environment.  Out of the box, SCCM provides 2 features under Endpoint Protection:

1. Antimalware
2. Firewall

Antimalware is protecting the Endpoint by not allowing programs on the Windows Operating System from performing destructive operations.  The operations I want to call out here is a malware piece of software that takes sensitive data and sends it outside of the network to someone who should not have that data.

Firewall is protecting the Endpoint by not allowing unauthorized data packets from coming into or out of the network.  The Firewall deals with the data coming to/from the network.  For the scenario where data is being taken from the network to outside of the network, Antimalware and Firewall are working together, each covering a different scenario.

There is another security hole that is now covered by SCCM Endpoint Protection: Removable Media devices.  Removable Media devices are hardware devices that connect to the Windows computer with a Universal Serial Bus (USB) cable or a Bluetooth connection.  Removable Media devices contain file-system storage.  With file-system storage, data (files) can be read from and written to Removable Media devices.  Antimalware protects the organization from data being read from Removable Media devices.

What about data being written to Removable Media devices?  SCCM Endpoint Protection needs a feature that will protect sensitive data from leaving the organization.  Squadra Technologies Security Removable Media Manager (secRMM) is Windows security software that focuses on data being written to Removable Media devices (smart phones, tablets, usb drives/sticks, SD-Cards, CD/DVD, etc.).  secRMM lets you define authorization rules to prevent writing and also has the best monitoring (i.e. logging each write event) solution on the market today.  secRMM integrates into SCCM Endpoint Protection and provides this critical functionality.  In addition to protecting the organization from sensitive data leaving (stolen or mistakenly taken), any piece of data that does leave the organization is accounted for by secRMM.  This allows organizations to adhere to strict data regulations that are being required today (i.e. medical, legal, financial, etc.).

Technology overview

Integrating secRMM into SCCM did not require new technology.  SCCM has a feature called “Compliance Settings” (previously named Desired Configuration Management).  “Compliance Settings” allows you to specify values for software running within the organization.  The values you specify are the appropriate values for work to be performed within the organization.  Should the value(s) change, either by a person or programmatically, it will have an adverse impact to the organization.  When a value is set to the wrong value, it is said to be “out of compliance”.  Security settings within the organization typically protect the values from being changed.  For example, the file system (i.e. NTFS) and registry permissions can protect a majority of the values.  However, there are permissions assigned to personnel and programs that give update access to the values.  Given that the values do get changed either intentionally or not, an automated feature that checks the values and reports if they are “out of compliance” is needed to prevent improper values from causing adverse impacts.  This is exactly what SCCM “Compliance Settings” does.  It also includes a feature called remediation.  Remediation will set the value back to the correct value if it is found to be “out of compliance”.

The “Removable Media Policies” under SCCM “Endpoint Protection” makes it very easy to create SCCM “Compliance Settings” specifically for protecting sensitive data being written to Removable Media devices.  Within a large organization, you might want to define more than one “Removable Media Policy”.  SCCM allows you to do this.  Then, for each policy, you assign it to a collection of computers.

Technology specifics

The secRMM integration into SCCM Endpoint Protection is implemented as an SCCM Console Extension.  Each “Removable Media Policy” generates a collection of SCCM “Compliance Settings” “Configuration Items” (CI).  There is always one parent CI and one or more child CIs.  The parent CI performs the secRMM discovery and each child CI is responsible for a specific secRMM property (i.e. AllowedDirectories, AllowedSerialNumbers, AllowedUsers, etc.).  In addition to the CI collection, a single SCCM “Compliance Settings” “Configuration Baseline” (CB) is created and associated with the CI collection.  Both the CIs and CB reside in a console subfolder under the appropriate parent folder (i.e. CI or CB).  This makes the folder structure within the SCCM console very organized and easy to manage.  All management of the CIs and CBs can be performed with the “secRMM SCCM Console Extension” thereby abstracting the “Compliance Setting” user interface that comes with SCCM.  The SCCM Administrator is free to use either user interface though.  The “secRMM SCCM Console Extension” support SCCM “Compliance Settings” remediation.

Combining the powerful features of SCCM “Compliance Settings” (i.e. compliance monitoring, remediation, alerting and reporting) with secRMM is a very powerful solution for protecting an organizations data.  secRMM is deeply integrated into the Microsoft System Center suite and also has:

1. Operations Manager Management Pack (alerts, tasks)
2. Operations Manager Data-warehouse reports
3. Security Audit and Collection Services (ACS) reports
4. Orchestrator extension

   A free two week trial of secRMM is available at Squadra Technologies.