Here is a presentation I recently gave to a Midwest security user group on how to manage multiple environments, or clients, with Symantec Endpoint Protection.
2. Agenda
• Goal: Successfully manage endpoint security for
outsourced clients, while minimizing time and resources.
• Requirements / Challenges
• Solutions
– 3 Unique ‘features’ we leveraged.
• Issues
3. Requirements
1. Single point of:
• Management
• Visibility
• Alerts
• Reporting
2. Neutral from (independent of) any client environment
3. Automatic ticket generation
4. Challenges – 1) Independent secure network that still allows client communication
6. Challenges – 2) Updates to an enclave without an Internet connection
11. Solutions – 1) Replication
• Choices: Site Replication vs. GUPs (Group Update Providers)
– GUPs: Can’t manage independent client admins, won’t centrally collect logs, require open ports.
– Domains vs. Groups
17. Issues:
1. SEPMs = same version (replication partners must run the same SEPM version)
2. Shut down replication during upgrade
3. Remember to turn it back on
4. Easily ‘Deleted’
18. Solutions – 2) Live Update Server
• Challenge:
– Couldn't communicate with the Internet.
• Solution:
– LiveUpdate server on Tier 3 with Internet connectivity
– Pushes out to a 'Distribution share' on a server within the Secure Enclave (use for 4th box!).
24. LUA Issues
1. Postgres.exe at 100% CPU
2. Troubleshooting definitions (3–4 spots to check)
3. Patches more difficult
4. 12/31 disaster
5. No ‘delta’ benefit
25. Solutions – 3) Ticket Automation
• Challenge:
– No ‘flip switch’ options to escalate alerts.
– Laughed at for not having a SEM/SIM solution.
• Solution:
– Syslog server
– Remedy server reads Syslog
26. Steps:
1. Configure ‘External Logging’
2. Point to Syslog server IP/port
3. SLOWLY turn on Log Filters
4. Request tickets be pulled
5. Verify ticket generation
6. Solid Security Incident Response Process in place.
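The ticket-automation steps above boil down to: parse what SEPM sends to syslog, decide which events deserve a ticket, and turn filters on a stage at a time so the ticketing system is not flooded. The following is an added example, not code from the presentation or from Symantec, that shows that pipeline end to end. The syslog line layout, field names (`Computer name`, `Risk name`, `Actual action`, `Domain`) and the sample lines are constructed for the example and approximate SEPM's External Logging output; check them against your own SEPM version before relying on them. Everything past syslog (the Remedy side) is left as a list of ticket dicts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, in the assumed shape SEPM 'External Logging'
# sends to syslog: syslog header, "SymantecServer:", then a comma-separated
# body of "<sepm>,<event>,Key: Value,Key: Value,...". The SEPM domain is
# used as the client identifier (one SEPM domain per outsourced client).
SAMPLE_SYSLOG = """\
Sep 11 14:22:01 SEPM-01 SymantecServer: SEPM-01,Security risk found,Computer name: ACME-WS01,IP Address: 10.1.1.5,Source: Auto-Protect scan,Risk name: Trojan.Gen,Occurrences: 1,Actual action: Quarantined,Requested action: Cleaned,Domain: ACME
Sep 11 14:22:07 SEPM-01 SymantecServer: SEPM-01,Security risk found,Computer name: ACME-WS01,IP Address: 10.1.1.5,Source: Auto-Protect scan,Risk name: Trojan.Gen,Occurrences: 1,Actual action: Quarantined,Requested action: Cleaned,Domain: ACME
Sep 11 14:25:40 SEPM-01 SymantecServer: SEPM-01,Security risk found,Computer name: BETA-SRV02,IP Address: 10.2.0.9,Source: Scheduled scan,Risk name: W32.Downadup,Occurrences: 3,Actual action: Left alone,Requested action: Cleaned,Domain: BETA
Sep 11 14:26:02 SEPM-01 SymantecServer: SEPM-01,Security risk found,Computer name: BETA-SRV02,IP Address: 10.2.0.9,Source: Scheduled scan,Risk name: W32.Downadup,Occurrences: 3,Actual action: Left alone,Requested action: Cleaned,Domain: BETA
Sep 11 14:30:12 SEPM-01 SymantecServer: SEPM-01,Virus definitions updated,Computer name: ACME-WS07,Domain: ACME
"""

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<relay>\S+) "
    r"SymantecServer: (?P<body>.*)$"
)

# Actions that mean the client already handled the risk; anything else is
# unresolved and is what an outsourced SOC actually needs a ticket for.
RESOLVED_ACTIONS = {"Quarantined", "Cleaned", "Deleted", "Cleaned by deletion"}


def parse_event(line):
    """Return the event's fields as a dict, or None if the line is not a SEPM event.

    Values containing a comma would split incorrectly with this simple parser;
    SEPM's real output may need a stricter tokenizer.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("body").split(",")
    if len(parts) < 2:
        return None
    event = {
        # syslog timestamps carry no year, so strptime fills in 1900;
        # that is fine for the relative comparison used below.
        "timestamp": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "sepm": parts[0],
        "event": parts[1],
    }
    for field in parts[2:]:
        key, sep, value = field.partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    return event


def needs_ticket(event, stage=1):
    """Log filters, turned on one stage at a time ('SLOWLY turn on Log Filters').

    stage 1: only risks the client could not remediate itself
    stage 2: every risk detection
    stage 3: also non-risk operational events
    """
    if event["event"] != "Security risk found":
        return stage >= 3
    if stage >= 2:
        return True
    return event.get("Actual action") not in RESOLVED_ACTIONS


def generate_tickets(syslog_text, stage=1, window=timedelta(hours=1)):
    """Turn syslog text into ticket dicts, one per (client, host, risk) per window."""
    tickets = []
    last_seen = {}  # (domain, computer, risk, event) -> time of last ticket
    for line in syslog_text.splitlines():
        ev = parse_event(line)
        if ev is None or not needs_ticket(ev, stage):
            continue
        key = (ev.get("Domain"), ev.get("Computer name"), ev.get("Risk name"), ev["event"])
        prev = last_seen.get(key)
        if prev is not None and ev["timestamp"] - prev < window:
            continue  # repeat of an event that already has an open ticket
        last_seen[key] = ev["timestamp"]
        unresolved = (ev["event"] == "Security risk found"
                      and ev.get("Actual action") not in RESOLVED_ACTIONS)
        tickets.append({
            "queue": ev.get("Domain", "UNASSIGNED"),  # one queue per client
            "summary": f"{ev['event']}: {ev.get('Risk name', 'n/a')} on {ev.get('Computer name', '?')}",
            "severity": "P1" if unresolved else "P3",
            "source_line": line,
        })
    return tickets


if __name__ == "__main__":
    for stage in (1, 2, 3):
        print(f"stage {stage}: {len(generate_tickets(SAMPLE_SYSLOG, stage=stage))} ticket(s)")
```

Running it at stage 1 produces a single P1 ticket for the BETA client (the `Left alone` detection), the duplicate event 22 seconds later is suppressed, and the quarantined ACME detection generates nothing; raising the stage widens the filter. Walking the stages against real traffic for a few days each is what "SLOWLY" means in practice: every stage should be compared with what the ticket queue can absorb before the next one is enabled.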
29. Other Issues
• Firewall Change Requests = > 80% of time
• Client Packages sometimes held the ‘master’ SEPM in the Sylink.xml file.
• Opened ticket – Due to TS installation.
• Use CD Package with custom Sylink
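Before a client package leaves the enclave, the Sylink.xml inside it can be checked for exactly the problem described above: a package that still points at the master SEPM instead of the client's own management server. The following is an added example, not code from the presentation or from Symantec. The Sylink.xml fragments are constructed, and the element and attribute names (`ServiceProfile`, `ServerList`, `Server` with `Address`/`Port`) are an assumption about the file's layout; compare them with a Sylink.xml exported from your own SEPM before using the check.

```python
import xml.etree.ElementTree as ET

# Constructed Sylink.xml fragments (assumed layout, not a Symantec-supplied
# sample). The first is the bad case: a package pointing at the master SEPM.
SYLINK_MASTER = """<ServiceProfile ServiceName="SEP">
  <ServerList Name="Default Management Server List">
    <Server Address="sepm-master.msp.internal" Port="8014" Priority="0"/>
  </ServerList>
</ServiceProfile>"""

SYLINK_CLIENT = """<ServiceProfile ServiceName="SEP">
  <ServerList Name="ACME Management Server List">
    <Server Address="sepm-acme.client.internal" Port="8014" Priority="0"/>
  </ServerList>
</ServiceProfile>"""


def management_servers(sylink_xml):
    """Return [(address, port), ...] for every <Server> in the Sylink.xml."""
    root = ET.fromstring(sylink_xml)
    return [(srv.get("Address", ""), int(srv.get("Port", "8014")))
            for srv in root.iter("Server")]


def check_sylink(sylink_xml, allowed, forbidden_substrings):
    """Return a list of problems; an empty list means the package is safe to ship.

    allowed: set of (address, port) pairs this client's package may use
    forbidden_substrings: hostname fragments that must never appear (e.g. "master")
    """
    problems = []
    servers = management_servers(sylink_xml)
    if not servers:
        problems.append("no management server in Sylink.xml")
    for addr, port in servers:
        if any(f in addr.lower() for f in forbidden_substrings):
            problems.append(f"package points at forbidden SEPM {addr}:{port}")
        elif (addr, port) not in allowed:
            problems.append(f"unexpected SEPM {addr}:{port}")
    return problems


if __name__ == "__main__":
    acme_allowed = {("sepm-acme.client.internal", 8014)}
    print("master package:", check_sylink(SYLINK_MASTER, acme_allowed, {"master"}))
    print("client package:", check_sylink(SYLINK_CLIENT, acme_allowed, {"master"}))
```

Run against each client's package before burning the CD: the master-pointing package is rejected with the offending address in the message, while the package carrying the client's own server passes.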