
OSL150 – Get Hands on with Ivanti Endpoint Security David Murray Rob Kelsall

What is Ivanti Endpoint Security? Ivanti Endpoint Security is a single platform that is endpoint security focused, offering best of breed solutions for: Patch Management, Application Control, Device Control





Presentation Transcript



  2. OSL150 – Get Hands on with Ivanti Endpoint Security David Murray Rob Kelsall

  3. What is Ivanti Endpoint Security?
  • Ivanti Endpoint Security is a single platform that is endpoint security focused, offering best of breed solutions for:
    • Patch Management
    • Application Control
    • Device Control
    • AntiVirus
  • One suite solution
    • Single, Modular, Extensible Architecture
    • Single Workflow-based Console
    • Asset Discovery and Agent Deployment
    • Installation Manager
    • AD Integration and Synchronization
    • Role-based Access Control
    • Reporting and Notification

  4. A single suite that covers it all…

  5. Lab Agenda
  • Discover endpoints and install agents
  • Create custom groups and add endpoints to these groups
  • Create AntiVirus policies and scan for malware
  • Patch vulnerable applications
  • Application Control blocking and Denied Applications
  • Install an application with Trusted Updater
  • Create a Local Authorization policy
  • Protect against memory-based attacks
  • Protect data with device control
  • Dashboard widgets & reports

  6. Orientation
  • Ivanti Endpoint Security Workflow
    • Work from left to right
    • Discover – Assets, Malware
    • Review – Vulnerabilities, Virus Alerts, Discovered Assets, Logs
    • Manage – Endpoints, Groups, Users, Policies, Libraries, Quarantine
    • Reports – Standard & Enhanced Reports
    • Tools – Roles, Installers, Subscriptions, DB maintenance, Notifications, Options
    • Help – which hopefully you don’t need to use too much
  • Let’s get started
    • Logon credentials contained in your lab guide
    • Turn off Windows Defender on Windows 10 endpoint

  7. Exercise 1 – Discover Endpoints & Install Agents
  • Goal
    • The goal of this exercise is to discover new endpoints and to bring them under control
  • Discover > Assets
    • Select “Immediate” under scheduling
    • Use IP address range 192.168.100.10 to 192.168.100.99
  • Review > Job Results
    • Go to Completed tab when job is finished (page auto-refreshes)
    • Manage Agents > Install Agents, for any assets (Win7) with “No Agent Found”

  8. Exercise 2 – Create Groups & Add Endpoints
  • Goal
    • As we generally manage by groups rather than endpoints, the goal of this exercise is to create a number of custom groups so we can use these groups in subsequent exercises
  • Create three custom groups
    • Manage > Groups > Group Membership view
    • Select “Custom Groups” from panel on left
    • Delete/ignore any existing groups (I forgot to do so!)
    • Create the following groups – Server, Desktop, All Systems
  • Add endpoints to each group
    • Manage > Groups > Endpoint Membership view
    • Use Membership button or right-click on group
    • Server – Ivanti Endpoint Server & CentOS
    • Desktop – Win10 and Win7
    • All Systems – all four endpoints

  9. Exercise 3 – Create AV policies & scan for malware
  • Goal
    • Discover and remove any malware that exists
    • Create policies to provide ongoing protection
  • Scan for malware
    • Discover > Scan Now – Virus and Malware Scan
    • Select Immediate scan option and assign to the Desktop group
    • Add a “folder” exclude for C:\ drive to minimize scan duration
    • Follow progress on Win10 endpoint via Agent Control Panel
    • Review “Centralized Quarantine” when completed
  • Create policies for ongoing protection
    • Manage > AntiVirus Policies
    • Create Real time Monitoring Policy
    • Create Recurring Virus and Malware Scan Policy
    • Set policy to run at the weekend (not during Interchange!)

  10. Exercise 4 – Patch Vulnerable Applications
  • Goal
    • Understand what vulnerabilities exist
    • Apply patches to remediate (some of) these vulnerabilities
  • Understand vulnerabilities
    • Navigate to Manage > Endpoints
    • Select Endpoint and select Vulnerabilities/Patch Content tab
    • Select filters (Detection Status = Not Patched)
    • Select (1 or 2) cached packages and “Add to List” called Interchange
  • Remediate Vulnerabilities
    • Manage > Groups (Vulnerabilities/Patch Content view)
    • Select All Systems group
    • Select Interchange Custom Patch List (and select all content)
    • Click “Deploy”
  [Screenshot legend on slide: Cached / Not cached]

  11. Exercise 4 – Patch Vulnerable Applications

  12. Exercise 5 – App Control Blocking and Denied Apps
  • Goal
    • Demonstrate that non-whitelisted applications are blocked
    • Deny a whitelisted application
  • Non-whitelisted applications
    • Log on to Win10 endpoint
    • Open “Test Files” folder on the desktop (added after lockdown)
    • Try to run any of these applications -> receive blocked dialog
  • Deny whitelisted application
    • Open Mozilla Firefox and confirm that it opens correctly
    • Go to Manage > Application Library and search for Firefox.exe in “Ungrouped files”
    • Move file to “Prohibited Applications”
    • Go to Manage > Application Control policies
    • Create Denied Applications policy and add “Prohibited Applications” application to it
    • Assign to Desktop group and confirm Mozilla Firefox is blocked (once policy delivered)

  13. Exercise 6 – Install an application with Trusted Updater
  • Goal
    • Install a blocked application on a locked-down endpoint
  • Try to install application on locked-down endpoint
    • Open Test Files folder on Win10 desktop
    • Try to launch one or more of the installers (you may already have completed this step earlier)
  • Add installer to a Trusted Updater policy
    • Go to Review > Application Control Log Queries
    • Create “All Denied Application Events” log query for Desktop group
    • Review results and locate denied installer (refresh the query if it is not there yet)
    • Select the installer in the log query results and click on “Trust” button
    • Assign to Desktop group
    • Once policy delivered, confirm that application gets installed correctly and can be opened

  14. Exercise 7 – Local Authorization
  • Goal
    • Enable endpoint users to decide whether to launch/install an application on their endpoint
  • Create Local Authorization policy
    • Go to Manage > Application Control policies and select “Trusted Change” tab
    • Create Local Authorization policy and assign to Desktop group
  • Locally authorize an application
    • Once policy is delivered, go to the Test Files folder on the Win10 endpoint
    • Select an application or an installer and try to open it
    • You should now receive a local authorization dialog and can decide whether to allow or deny

  15. Exercise 8 – Protect against Memory-based attacks
  • Goal
    • Implement a Memory Protection policy to detect and block a memory injection
  • Create Memory Protection Policy in Audit Mode
    • Go to Manage > Application Control policies and select Memory Protection tab
    • Create a Memory Protection policy in Audit Mode and assign to the Desktop group
  • Launch application and inject into memory
    • Follow lab guide to launch target application (view in Task Manager)
    • Launch injector application and inject into process of target application
    • Go to Review > Application Control log queries and create All Memory Injection Events query
  • Convert Memory Protection Policy to Enforcement Mode
    • Edit Memory Protection policy and switch to Enforce from Audit mode
    • Confirm Target Application is terminated (via logs and Task Manager)

  16. Exercise 9 – Protect data with Device Control
  • Goal
    • Create policies to protect data when copied to removable media (e.g. USB sticks)
  • Confirm current read/write behaviour
    • Copy files to and from E:\ and F:\ drives on Win10 endpoint and confirm both read & write work
  • Create Unencrypted and Encrypted drives policy
    • Go to Manage > Device Control policies and create policies per lab guide
  • Test Device Control policies
    • Disable default policy for Removable Storage Devices and set Global policy to Enforce
    • Attempt to copy files to (unencrypted) E:\ or F:\ drives and confirm that they are read-only
    • Encrypt F:\ drive and confirm both read and write work on encrypted drive
    • Reboot Win10 endpoint to see behaviour when E:\ and F:\ drives connected
      • Option provided to encrypt E:\ drive
      • Need to enter encryption password for F:\ drive

  17. Exercise 10 – Dashboard Widgets and Reports
  • Goal
    • Enable Dashboard widgets to provide overall system summary on login
    • Create reports for more detailed analysis or for management
  • Dashboard widgets
    • Go to Home page on console
    • Select “Configure Dashboard Settings” and select dashboards to display
    • Drag and drop dashboards as needed
  • Reports
    • Go to Reports > Enhanced Reports
    • Run reports to report on earlier exercises and review results

  18. Thank you
  • Don’t forget to provide feedback
  • Go get some lunch
