ibm endpoint manager - meeting the challenges of pci dss compliance

IBM Endpoint Manager Meeting the challenges for Payment Card Industry Data Security Standard (PCI DSS) compliance January 2014

Upload: darryl-miles

Post on 08-Jun-2015

DESCRIPTION

This presentation outlines how IBM Endpoint Manager can assist organisations to be PCI DSS compliant

TRANSCRIPT

Page 1: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

IBM Endpoint Manager

Meeting the challenges for Payment Card Industry Data Security Standard (PCI DSS) compliance January 2014

Page 2: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

© 2013 International Business Machines Corporation 2

Presentation Overview

• Other clients using IBM Endpoint Manager (IEM)
• PCI DSS recap
• IBM Endpoint Manager overview
• How IEM assists with PCI DSS compliance
• Case Study: The Co-operative Food
• Other IEM services
• Summary

Page 3: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

Endpoint complexity continues to increase

Endpoint device counts, devices and platforms

Compliance requirements to establish, prove and maintain continuous compliance

Speed, severity and complexity of malware attacks

Patch O/S and application vulnerabilities within hours

Rapid, agile, automated remediation is needed

Mobile/roaming endpoints

New form factors and platforms

Employee-owned devices

Establish, prove and maintain continuous compliance

Page 4: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

What is PCI DSS and why should you care?

•  PCI DSS – Payment Card Industry Data Security Standard
   –  12 Requirements to Protect Credit Card Information
   –  3 Levels based on transactions per annum
      1.  >6m transactions per annum
      2.  150k to 6m transactions per annum
      3.  <150k transactions per annum
   –  Formed in September of 2005
      •  By these five leading credit card vendors: American Express, Discover, JCB, MasterCard, VISA

•  Consequences of Non-Compliance
   –  Steep monetary fines
   –  Revocation of credit card business trading privileges

Page 5: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

IBM Endpoint Manager offers a unified management platform

Desktop and Server Administration: Delivers patch, inventory, software distribution, OS deployment, remote control capabilities and near real-time visibility into the state of endpoints including advanced capabilities to support server endpoints.

Software Asset Management: Track software usage patterns and trends across Windows, UNIX and Linux endpoints with always on asset management to enhance license compliance. Manages software assets from procurement to retirement using control desk integration.

Mobile Device Management & Security: Address issues of security, complexity and bring-your-own-device (BYOD) policies across a unified platform that spans Apple iOS, Google Android, Blackberry, Nokia Symbian and Microsoft Windows Mobile platforms.

Endpoint Security, Protection & Compliance: Provides unified, real-time visibility and enforcement to protect distributed environments against threats that target endpoints and helps organizations to comply with regulatory standards on security.

Page 6: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

IBM Endpoint Manager (IEM) and PCI DSS

The PCI DSS standard applies to network components, servers and applications that are included in or connected to a cardholder data environment. The cardholder environment is considered to be made up of the people, processes and technology providing cardholder data services.

A great article by Orb Data on IEM and PCI DSS here

IBM Endpoint Manager can maintain compliance for 8 of the 12 PCI DSS requirements

Page 7: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

PCI DSS: The six goals and twelve requirements

Page 8: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

IBM Endpoint Manager implements PCI via two key modules: Lifecycle and Security and Compliance

[Diagram labels: PCI Policy and Process Framework; IBM Endpoint Manager Technical Controls; Vulnerability Management; Patch Management; Security Configuration Management; IBM Endpoint Manager PC / Server Configuration Lifecycle Management; IBM Endpoint Manager Security & Compliance / Endpoint Protection]

Page 9: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

IBM Endpoint Manager for Security and Compliance: What It Does

•  SCM is a library of technical controls and tools based on industry best practices and standards produced by organizations such as DISA and NIST.

•  It allows organizations to achieve IT security compliance by detecting, remediating, enforcing, and reporting on security configuration policies across heterogeneous systems in centralized and distributed environments, including servers, desktops, notebooks, and mobile devices

Before… Lack of visibility, lack of standards enforcement, poor success rates, insecure
–  Ongoing failures to secure systems and mitigate against threats
–  Systems highly susceptible to internal abuse and external attack

After… Continuous compliance, real-time reporting
–  Leverage out-of-the-box checklists to assess compliance and automate remediation of non-compliant systems
–  Real-time security and compliance automation and reporting

Policy libraries that enable detection, remediation, and continuous enforcement of security technical controls

IBM CONFIDENTIAL – FOR INTERNAL IBM CORP USE ONLY

Page 10: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

Over 5000 out of the box checks are applied for systems hardening, security, and compliance objectives.

[Diagram labels: PCI Policy and Process Framework; IBM Endpoint Manager Technical Controls; IBM Endpoint Manager PC / Server Configuration Lifecycle Management; IBM Endpoint Manager Security & Compliance / Endpoint Protection]

Page 11: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

Analytics tools enable flexible, easy to use, powerful compliance reporting

Page 12: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

The Co-operative Food enhances PCI DSS compliance with IBM Endpoint Manager

The challenge: Achieving PCI compliance across a vast retail estate of 70,000 staff and 2,800 stores across the UK. 18,500 endpoints across the UK.

The solution: Implemented IBM’s Endpoint Manager to provide patching and security and compliance:
•  Patch Management
•  Security and Compliance

“With IBM Endpoint Manager we will be able to guarantee that all of our endpoints are patched appropriately, and we will be able to provide solid proof that we have a regular, fully documented patch process in place. This will be a huge step in helping us to move closer to full PCI DSS compliance.”

– Neil Wakefield, System and Process Change Manager, The Co-operative Food

Benefits: Will be able to provide solid proof that we have a regular, fully documented patch process in place for PCI DSS. See Case Study - http://ibm.co/1jDQlKQ

Page 13: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

What else can IBM Endpoint Manager do?

Endpoints

•  Common management agent

•  Unified management console

•  Common infrastructure

•  Single server

IBM Endpoint Manager

Patch Management

Lifecycle Management

Software Use Analysis

Power Management

Mobile Devices

Security and Compliance

Core Protection

Desktop / laptop / server endpoint Mobile Purpose specific

Systems Management Security Management

Server Automation

Page 14: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

IBM Endpoint Manager continuously monitors the health and security of all enterprise computers in real-time via a single, policy-driven agent

Why IBM Endpoint Manager?

•  Concord Hospital achieves 98% first-pass success in hours on their Microsoft and 3rd party patches

•  Helped US Foods reduce patch deployment times by 80 percent, saving USD 500,000 on software licenses and avoiding more than USD 1 million in license noncompliance fines.

•  Bendigo Bank has saved $175,000 off its power bill within 12 months and avoided 2190 tonnes of carbon emissions

•  IBM has deployed Endpoint Manager to over 700,000 endpoints on three servers. Expects to save over $10M in Year 1

•  Over 13,000 mobile devices enrolled in 72 hours!

Page 15: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

Single Server & Console
•  Highly secure, highly scalable
•  Aggregates data, analyzes & reports
•  Pushes out pre-defined/custom policies

Cloud-based Content Delivery
•  Highly extensible
•  Automatic, on-demand functionality

Single Intelligent Agent
•  Performs multiple functions
•  Continuous self-assessment & policy enforcement
•  Minimal system impact (< 2% CPU)

Lightweight, Robust Infrastructure
•  Use existing systems as Relays
•  Built-in redundancy
•  Support/secure roaming endpoints

How it Works Remote Offices

Manage roaming devices

Identify unmanaged assets

Page 16: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

Summary

•  IBM Endpoint Manager enables unified management of all enterprise devices – desktops, laptops, servers, smartphones, and tablets

•  Real-time/proactive endpoint management: Patch management, anti-virus/malware, security and compliance for PCI DSS compliance

•  Continuous compliance reduces costs and risk

•  Avoid non-compliance penalties

Page 17: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

ibm.com

Page 18: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

Additional Information

Page 19: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

Patch Management

•  IBM Cloud content delivery service (operating systems and 3rd party applications)

•  Patch capabilities for multiple platforms: Windows, Mac OS X, Linux and UNIX

•  Intelligent agent

•  Reduction in patch and update times from weeks and days to hours and minutes

•  Increase first-pass success rates from 60-75% to 95-99+%

•  Real-time reporting

•  Automated self-assessment, no centralised or remote scanning required

Benefits: Services:

"We compressed our patch process from 6 weeks to 4 hours"
"We consolidated eight tools/infrastructures to one"
"We reduced our endpoint support issues by 78%"
"We freed up tens of admins to work on higher value projects"

Page 20: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

Overview of Patch Management

Start with the Patch Management domain

The patches dashboard provides a real-time view of Windows patch requirements across your environment

See any New Content here

Application vendor patches

•  Adobe Acrobat
•  Adobe Reader
•  Apple iTunes
•  Apple QuickTime
•  Adobe Flash Player
•  Adobe Shockwave Player
•  Mozilla Firefox
•  RealPlayer
•  Skype
•  Oracle Java Runtime Environment
•  WinAmp
•  WinZip

…and operating system patches

Patch Management Video - link

Page 21: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

Patch Management for Windows now supports non-security updates, specifically critical updates and service packs for the Microsoft Windows product family

Page 22: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

Patch Overview Dashboard

Page 23: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

IBM Endpoint Manager License Overview

§  Remote Control

§  OS Deployment

§  TPMfOSD

Lifecycle Management

Security & Compliance

§  Platform

§  Asset Discovery

§  Patch Management

§  Inventory

§  SW Distribution

Lifecycle Management Starter Kit

Patch

Power

§  Power

§  Platform

§  Asset Discovery SUA

§  Software Usage

§  Platform

§  Asset Discovery

§  Inventory

Core Protection

§  Platform

§  Core Protection

MDM §  MDM

§  Platform

•  DP Add-On

Server Automation

§  SA Add-On

§  Asset Discovery

§  CM for Endpoint Protection

§  Network Self Quarantine

§  Security Configuration

§  Vulnerability Management

§  DSS SCM

Security & Compliance Starter Kit

Page 24: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

IBM Endpoint Manager elements

Single intelligent agent
•  Continuous self-assessment
•  Continuous policy enforcement
•  Minimal system impact (<2% CPU, <10MB RAM)

Single server and console
•  Highly secure, highly available
•  Aggregates data, analyses and reports
•  Manages up to 250K endpoints per server

Flexible policy language (Fixlets)
•  Thousands of out-of-the-box policies
•  Best practices for operations and security
•  Simple custom policy authoring
•  Highly extensible/applicable across all platforms

Virtual infrastructure
•  Designate Endpoint Manager agents as a relay or discovery point in minutes
•  Provides built-in redundancy
•  Leverages existing systems/shared infrastructure

Page 25: IBM Endpoint Manager - Meeting the Challenges of PCI DSS compliance

Closed Loop Speed is Our Advantage

Report Publish

Evaluate

Traditional Solutions TEM Software Policies

Evaluate Enforce

Publish Report

Challenge Traditional client/server tools TEM Platform Complete the policy enforcement loop

Everything is controlled by the server, which is slow

A new way to do systems and security management

Increase the accuracy and speed of your knowledge

It can take days to accurately close the enforcement loop

Policy enforcement is accomplished and proven in minutes instead of days

Scalability cannot be attained without large infrastructure investments

Administrators are still managing tools instead of being productive

Distributed processing means scalability is unlimited

Adjust system policies depending on environment, location

Scan-based assessment, leading to stale data and a false sense of awareness

Real-time situational awareness

Decide

Evaluate

Enforce

Decide