Microsoft introduced System Center EndPoint Protection 2012 (SCEP) (formerly known as ForeFront EndPoint Protection or FEP 🙂) at the Microsoft Management Summit (MMS) 2012 conference. What is really great about bringing SCEP into System Center is that customers now get to protect their workstations and servers from malware simply by owning a System Center Enterprise license. This lets organizations run a pure Microsoft solution set without having to go to an outside vendor for their malware protection.
I think SCEP is missing one key component that the other security vendors provide with their framework solutions. That missing component is broadly called Data Leak (or Loss) Prevention (DLP). Some tell me that Microsoft “BitLocker To Go” addresses that. This is not entirely true. DLP and encryption technology must both be present to address removable media (e.g. smart phones, USB/flash drives, external storage, Bluetooth storage, SD cards, etc.). So while “BitLocker To Go” is necessary, it does not address DLP.
In the security space, we must take removable media seriously, especially if you need to show compliance with regulations such as HIPAA and/or PCI. Removable media devices allow ordinary end users (people who really don’t know much about IT) to be as powerful and destructive (from a company perspective) as the greatest hacker in the world! Why? Anyone can attach a removable media device to their workstation or server and copy local or network files to the device (given they have at least read access). The fact that they copied data to the device is not logged anywhere! I know a lot of organizations simply lock down the USB ports. However, this is counter-productive for the employees who are just trying to get their jobs done (especially the IT guys).
What would be ideal is if we could allow removable media to be used in the corporation and be guaranteed that whatever files were copied to a removable media device were tracked and audited, similar to the Windows security events recorded when a user logs in and logs out. Squadra Technologies Security Removable Media Manager (secRMM) does just that…and much more!
If you are the person responsible for security audits, you will want to know that when a file is written to a removable media device, secRMM records the user (and SID), the file (source and destination), the source file size, the source file’s last-written time, the removable media device serial number, model, description, logical drive and volume name, the program used to perform the copy, and the program PID. If the program is CMD, Explorer, VBScript, JScript, PowerShell or (especially) the “Windows Explorer like” secRMM GUI named SafeCopy, you get additional details of what exactly the user did to invoke the copy. Other secRMM events (btw, secRMM logs events to both the Security event log and its own “secRMM” event log) are online and offline removable media events, administration change events and authorization failure events (because secRMM also lets you control how removable media gets used).
secRMM’s architecture relies solely on the base Windows Operating System. It comes with a Microsoft Operations Manager (OpsMgr) Management Pack (MP) and has reports for both the OpsMgr Data Warehouse and the OpsMgr Audit Collection Services (ACS) databases. The auditing capabilities of secRMM surpass all of the big-name solutions in the DLP space. One other important feature that secRMM provides is user-based policy, the same concept that is now provided in Configuration Manager as policy that “follows the user”. secRMM is compatible with hardware and software encryption solutions (including Microsoft “BitLocker To Go”) and works with any removable media device. There are many more benefits to secRMM, and I urge you to take 15 minutes to explore this great solution.
Combining Microsoft System Center EndPoint Protection 2012 with Squadra Technologies Security Removable Media Manager is a winning combination!
A free two week trial of secRMM is available at Squadra Technologies.