Published on 23-Nov-2011
"After deploying Tivoli Endpoint Manager we have realized a 78 percent decrease in endpoint security problems in the first quarter of global use, which is significantly better than our pilot estimate. This should drive savings well above our initial US$10 million estimate—and I believe that we’ll see the savings increase as we complete the deployment to all 750,000 endpoints." - —David Merrill, Strategist, Chief Information Security Office, IBM
IBM CIO Office
Security: Governance, Risk and Compliance
Tivoli Endpoint Manager helps IBM remediate security issues across 500,000+ endpoints and save millions.
With a growing number of nonstandard endpoints and increasingly sophisticated security threats, IBM needed a new approach to protect its internal infrastructure under changing operating conditions.
With Tivoli Endpoint Manager, IBM gained real-time visibility into endpoints, automatically remediates issues across more than 500,000 endpoints, and supports multiple policies based on employee role and data access.
Realized a 78 percent decrease in endpoint security issues in the first quarter of deployment; reduced support costs for savings well above US$10 million; enabled three FTEs to support over 500,000 endpoints.
IBM’s Chief Information Security Office (CISO) has seen an increase in security risk to IBM’s internal infrastructure. As the company has grown through acquisitions and joint development activities with IBM business partners, there has been an increasing percentage of workers connecting from or working in an unprotected infrastructure, along with an increasing prevalence of non-Windows endpoints. The number, type, and sophistication of security threats in the industry have also risen, placing all corporations under greater risk.
The question for the CISO team was: How do we effectively manage and protect our endpoints under these changing operating conditions? For David Merrill, a strategist with the team, the answer was in a new security model.
“The old model was not sufficient for the changes that were occurring,” says Merrill. “We had approached endpoint management from a reactive correction perspective. Employees received workstation reports and if they were missing a patch or their anti-virus definitions were out of date, they were provided with links to information on how to resolve the issue. To better protect our infrastructure, we had to move to a model of continuous compliance with internal security policies that would automatically remediate issues.”
Continuous compliance with internal security policies
The CISO team focused on two key requirements. First, the team sought to deliver patches more quickly. The organization’s existing tools required that staff repackage security patches for deployment, which often delayed patch availability by up to 14 days.
“Any delays in delivering patches can lead to an increased vulnerability period,” says Merrill. “We had to get out of the business of repackaging patches because it was inefficient and costly.”
The second area the CISO team focused on was what Merrill refers to as “continuous compliance with internal security policies.”
“Our previous model provided a point-in-time view of an endpoint’s status when we ran the tools,” says Merrill. “So there were periods of time when the real status was unknown. Using Tivoli Endpoint Manager, we have real-time visibility into the status of endpoints and we can demonstrate that our infrastructure is continuously in compliance with our internal security policies.”
A pilot program builds the business case
Making a change that can support more than a half-million employees and partners required a strong business case. So the team launched a Proof of Concept (POC) with IBM® Tivoli® Endpoint Manager software.
“It was the POC that led me to say ‘this is the right answer for us,’” says Merrill. “We tested the solution to confirm that it did what it said it would do, and we walked away believers. Our next step was to launch a larger pilot, first to a few thousand endpoints, and then to about 18,000, to confirm scalability.”
These pilots also enabled staff to obtain the hard data needed to gain executive buy-in.
“The data from the pilot provided the tipping point,” says Merrill. “We estimated a 50 percent savings in endpoint support for security issues based on pilot results. Once everyone saw this, our directive was to ‘deploy this as fast as we can.’ We started in December 2010 and within six months had deployed Tivoli Endpoint Manager on more than 550,000 endpoints worldwide. This was the largest and fastest internal client deployment within IBM’s history.”
The IBM deployment has been organized into three geographic groupings: North America, Europe and Asia Pacific. Each geographic area is supported by one dedicated Tivoli Endpoint Manager physical management server—an IBM System x® server with redundant arrays of storage disks (RAIDs). “The System x platform provides the performance and optical storage to support high transaction rates and centralize management of about 250,000 endpoints for each geographic area,” says Merrill.
Tivoli Endpoint Manager “relays” enable the software to communicate with endpoints that don’t have regular connectivity into the network, such as support systems used by employees to support IBM customers.
“We want to cover everything from servers to smartphones,” says Merrill. “Our first focus is workstations; we started with Windows endpoints and are now moving to cover Mac and Linux systems. We’re also putting Tivoli Endpoint Manager in the standard build for any new IBM machine.”
A 78 percent decrease in endpoint security issues
Through the use of Tivoli Endpoint Manager, the team has reduced the time and cost to monitor endpoints, apply patches, and implement new configuration settings and security software, such as firewall and antivirus solutions. Upon deployment, Tivoli Endpoint Manager identified which specific patches were missing for each individual endpoint and automatically applied the required patches. Tivoli Endpoint Manager can target specific actions to an exact type of endpoint configuration or user type.
Tivoli Endpoint Manager is also automatically remediating about 90 percent of the Windows requirements, which were previously addressed through workstation reports and manual employee corrective actions. And the Tivoli Endpoint Manager administrators have real-time visibility to verify the status of each endpoint.
Patches are now available within 24 hours (previously it could take up to 14 days for patch availability), and the company has realized a 60 percent reduction in patch cycle time with a higher rate of patch compliance (98 percent of required patches applied). While patches are available in 24 hours, Merrill is quick to point out that the team stages the distribution of new patches over a 48-hour period to minimize the risk of faulty patches.
“We could have 98 percent distribution within 24 hours but we’ve deliberately slowed the process down to confirm there aren’t any problems with the patches or potentially ‘poison patches’,” says Merrill. “Updating half a million systems too fast would make us a test site for software vendors, and we don’t want to incur that risk.”
Millions in savings
Since deployment, the savings measured in the pilot were found to be conservative.
“We had initially committed, based on the pilot, to a 50 percent decrease in internal security problems,” says Merrill. “This would result in about US$10 million in savings in just our internal support costs to deal with these security issues. After deploying Tivoli Endpoint Manager we have realized a 78 percent decrease in endpoint security problems in the first quarter of global use, which is significantly better than our pilot estimate. This should drive savings well above our initial US$10 million estimate—and I believe that we’ll see the savings increase as we complete the deployment to all 750,000 endpoints.”
In today’s market, where businesses are constantly seeking ways to increase staff productivity, it is also significant that only three full-time equivalents (FTEs) are needed to support more than 500,000 endpoints.
“While our main focus is security, one of the important benefits is also the increased efficiency and the ability to effectively manage our endpoints with only three FTEs,” says Merrill.
Advanced investigations for sophisticated security challenges
While the project started with a focus on patch management, the CISO team has expanded its use of Tivoli Endpoint Manager software to help it investigate unique security problems. For example, the team recently gathered intelligence regarding a threat to businesses that uses a combination of changes to both dynamic link library (DLL) files and registry entries. DLL files contain code that programs can call to execute a specific function, such as printing. Registry entries are collections of system settings vital to the stability of the computer’s operating system. Changes to these files can place companies at considerable risk of security breaches and security-related outages, so it’s imperative that the CISO team can quickly confirm that IBM systems haven’t been compromised.
“One of the compelling things with Tivoli Endpoint Manager is that we can chain together a number of different conditions and see in minutes if any endpoints are at risk for a new security threat,” says Merrill. “You no longer have to search for each condition individually and then consolidate the results manually. And if we need to remediate an issue, we don’t have to physically track down the machine, which can be challenging and expensive with systems spread across locations in almost every country. Tivoli Endpoint Manager is flexible enough that we can use it to deliver or control technology for just about any problem.”
For more information
To learn more about IBM endpoint management solutions, please contact your IBM sales representative or IBM Business Partner, or visit the following website: ibm.com/tivoli/endpoint
You can get even more out of Tivoli software by participating in independently run Tivoli User Groups around the world. Learn about opportunities near you at: www.tivoli-ug.org
© Copyright IBM Corporation 2011. IBM Corporation, Software Group, Route 100, Somers, NY 10589, U.S.A. Produced in the United States of America, November 2011. All Rights Reserved. TIC14204-USEN-00