IT@Intel Blog : 2008 : September : 17

The third and last part of the video series discussing how you can make use of the vPro system defense capabilities the easy way is out, this video shows an example of how your existing security server can implement network quarantine using system defense on provisioned devices without having to know a thing about AMT.

The video follows on the second video which showed an example of using system defense through the Microsoft SCOM GUI and shows a proof of concept implementation that only requires the security server to input an event into the local windows event log which is easily doable with almost any programming/script language. Behind the scene the SCOM agent installed on the security server intercepts this event, sends notification to the SCOM server and as a result the SCOM server implements the blocking policy on the offending host.

http://www.podtech.net/home/5355/isolation-of-infected-pcs-and-remediation-with-intel-vpro-technology-part-3-of-3

The beauty of this is that now you can choose any server to collect and correlate your security events and take quarantine decisions and all that without this server having to be an AMT management server. the existing AMT manager (SCOM in this example) is doing the hard work for you.

as before I hope you find this useful, I would love to hear comments and answer any questions.

Cheers

Omer.

0 Comments Permalink Tags: amt, event_manager, filtering, it@intel, management, network_quarantine, omer_ben_shalom, quarantine, ron_miller, security, system_defense, video, virus, vpro

Everyone wants information security to be easy. Wouldn't it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don't try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense' in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Here is my Fortune Cookie advice for September:

In information security, like in sports, knowing your adversary is far more important than knowing the condition of the field.

Information security is an adversarial pursuit. It all begins with threat agents, those people who will negatively affect your organization. Some are malicious, others are not. The key is they are living, breathing opponents whose motivations drive actions which cause loss. They learn, adapt, and change as they seek their objectives.

Know your threats. This is an important first step. Knowing all your vulnerabilities is fine, but secondary in importance.

For those who are malicious, understand what they target and the likely methods they will employ. Only then can the vulnerabilities be narrowed to show the most probable exposures. This prediction gives the security professional a focus on what to protect, how best to monitor, and preparations necessary to respond when needed.

So am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - May 2008

Deconstructing Cyber Security Attacks - Threat Model

Defense in Depth Information Security Strategy

0 Comments Permalink Tags: threat, security, roi, value, rosi, information_security, optimal_security, model, risk, matthew_rosenquist, rosenquist, policy, defense_in_depth

IT@Intel Blog

Defeating malware infections with Intel system defense part 3 - automation

Fortune Cookie Security Advice - September 2008

Recent Comments

Popular Blog Posts

Filter Blog