OMS, ATA AND AZURE SECURITY CENTER MIXER Bob Cornelissen | BICTT Managing Consultant www.bictt.com/blogs [email protected] Cameron Fuller | Catapult Systems Solution Director - Launch blogs.catapultsystems.com [email protected]

oms, Ata And Azure Security Center Mixer - Schd.wsschd.ws/hosted_files/mms2017/b5/OMS ATA and Azure Security Cent… · OMS, ATA AND AZURE SECURITY CENTER MIXER Bob Cornelissen |


Page 1:

OMS, ATA AND AZURE SECURITY CENTER MIXER

Bob Cornelissen | BICTT
Managing Consultant
www.bictt.com/blogs
[email protected]

Cameron Fuller | Catapult Systems
Solution Director - Launch
[email protected]

Page 2:

Cameron Fuller
@CFullerMVP
11 Year CDM MVP
20+ years in IT
Game of Thrones & Skyrim

Bob Cornelissen
@Bob_Cornelissen
6 Year Microsoft MVP
17 years in IT
Dogs, ice-cream. Game: Stormfall

Page 3:

AGENDA

A Game of Security?

OMS Security features

Microsoft Advanced Threat Analytics

Azure Security Center

System Center Operations Manager?

Integrating OMS and Azure

Let’s put these into a blender!

Page 4:

A GAME OF SECURITY?

Page 5:

WHERE WE ARE AT TODAY

Advanced Threat Analytics (ATA)

Azure AD & Azure AD Premium

Azure AD Identity Protection

Azure RMS, AIP

Azure Security Center

Bitlocker Administration

Cloud App Security

Configuration Manager

DSC

Exchange

Firewalls

Intune

Office 365

Log Analytics/OMS

Privileged Identity Management

And more…

Security information exists everywhere…

Page 6:

WHERE WE ARE TODAY

(Diagram; labels on it: Firewalls, Advanced Threat Analytics, The Wall, Eyrie, Azure Security Center, Operations Management Suite)

Page 7:

OMS SECURITY FEATURES

Page 8:

OMS & SECURITY

How:

Microsoft Monitoring Agent reporting directly to OMS or through Operations Manager

Reports direct to OMS – bypasses OpsMgr (how it networks to get to OMS)

Where?

Any systems running the MMA agent and connected to OMS

Any location – including on-prem, Azure, AWS, or my cousin’s datacenter in his garage

What?

Security Domains

Notable Issues

Detections

Threat Intelligence (Botnet, darknet, etc)

Integrated with Service Map

Page 9:

OMS & Security

Page 10:

MICROSOFT ADVANCED THREAT ANALYTICS

Page 11:

MICROSOFT ADVANCED THREAT ANALYTICS

How:

Installed into your on-prem environment

Part of EMS

Where:

Generally on prem, but can run in Azure or AWS

What?

How you can KNOW if you have been hacked

Detect threats fast with behavioral analytics

Adapt as quickly as malicious hackers

Zero in on the right alerts

Reduce false positive fatigue

Checks for reconnaissance, compromised credentials, lateral movement & domain dominance

Page 12:

Advanced Threat Analytics – Integrating with OMS

Page 13:

BRUTE FORCE ATTACK ON HONEYTOKEN ACCOUNT

Page 14:

SYSLOG SERVER CONFIGURATION

Page 15:

ATA EVENTS IN OMS

Page 16:

AZURE SECURITY CENTER

Page 17:

AZURE SECURITY CENTER (ASC)

How: Part of Azure

Using Azure?

Turn it on for your subscription(s)

Where: Azure based systems

Not on-prem, or AWS, etc.

What? Revealing a Cyber attack

Virtual Machines

Networking

SQL & Data

What’s coming?

Preview of new enhancements

Page 18:

Azure Security Center (ASC)

Page 19:

SYSTEM CENTER OPERATIONS MANAGER + SECURITY

Page 20:

KUDOS TO THE SCOM COMMUNITY!

The Security Management pack for SCOM!

“provide(s) real time notifications to events that are worth investigation”

Highlights:

App Locker rules

Key security group changes

Pass the hash, overpass the hash, pass the ticket

Cleared security events logs

Additional domain controller

Identifying known remote execution tools

Scheduled task creation

UseLogonCredentials registry key

Failed RDP attempts

And more!

Page 21:

INTEGRATING AZURE AND OMS

Page 22:

PRE-BUILT OMS SOLUTIONS

Analytics for:

Activity Log

Azure Application Gateway

Azure Network Security Group

Azure SQL

Azure Web Apps

Key vault

Service Fabric

Application Insights

Azure Site Recovery

Page 23:

BUILD YOUR OWN: CUSTOM SOLUTIONS

You can build your own with the View Designer!

Add your own data with the HTTP API! (see the “Publishing Anything you could imagine to OMS using the API” session)
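The "HTTP API" named here (and again under the pre-built connectors later in the deck) is the Log Analytics HTTP Data Collector API: a JSON POST to the workspace endpoint, authenticated with an HMAC-SHA256 signature over a canonical string, keyed with the workspace shared key. The following is an added example, not code from the deck or its authors; it builds the signed request for a constructed ATA-style alert record (workspace ID, shared key and the record are placeholders) and makes no network call itself.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed placeholders: a real workspace ID is a GUID and the shared key is the
# base64 primary/secondary key shown in the OMS portal under Connected Sources.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-example-key-not-real-0001").decode()
RESOURCE = "/api/logs"
API_URL = f"https://{WORKSPACE_ID}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"


def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string the Data Collector API expects the caller to HMAC-sign."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n{RESOURCE}"


def build_signature(content_length: int, rfc1123_date: str) -> str:
    """HMAC-SHA256 over the canonical string, keyed with the base64-decoded shared key."""
    key = base64.b64decode(SHARED_KEY)
    msg = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {WORKSPACE_ID}:{base64.b64encode(digest).decode()}"


def build_request(records: list, log_type: str, rfc1123_date: Optional[str] = None) -> dict:
    """Return url, headers and body ready for an HTTPS POST; nothing is sent here."""
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records)
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(len(body.encode("utf-8")), rfc1123_date),
        "Log-Type": log_type,  # records show up in Log Search as the <log_type>_CL type
        "x-ms-date": rfc1123_date,
        "time-generated-field": "TimeGenerated",
    }
    return {"url": API_URL, "headers": headers, "body": body}


# Constructed sample: one ATA-style suspicious-activity record to land in the workspace.
SAMPLE_RECORDS = [{
    "TimeGenerated": "2017-05-15T10:22:31Z",
    "Severity": "High",
    "Activity": "Brute force attack on honeytoken account",
    "SourceComputer": "ws-0042.corp.example",
}]

if __name__ == "__main__":
    req = build_request(SAMPLE_RECORDS, "ATAAlert")
    # To send for real: requests.post(req["url"], headers=req["headers"], data=req["body"])
    print(req["headers"]["Authorization"])
```

Because the signature covers the content length and the x-ms-date header, a replayed or altered body is rejected by the service, so keep the shared key out of source control and rotate it from the portal if it leaks.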

Page 24:

LOG ANALYTICS IN AZURE

Appears as a resource in Log Analytics in a resource group (mms-eus by default for the East US location)

Full OMS portal accessible through “Overview”

Can use Log Search, see Solutions, and more!

Use “Azure resources” to connect your workspace to other

Page 25:

DASHBOARDING IN AZURE

Views in OMS can be pinned to the Azure Dashboard!

Right-click, and choose “Pin to Dashboard”

Page 26:

LET’S PUT THESE INTO A BLENDER!

Page 27:

WHERE DO WE WANT TO BE?

(Diagram; labels on it: Firewalls, Advanced Threat Analytics, The Wall, Eyrie, Azure Security Center, Operations Management Suite, Other Microsoft Products)

Page 28:

WHAT ABOUT MICROSOFT AZURE LOG INTEGRATION?

What about “AzLog” (no, not Aslan – that’s Narnia), which feeds Security Information and Event Management (SIEM)?

Good links: Here & Here

“Azure log integration collects Windows events from Windows Event Viewer Channels, Azure Activity Logs, Azure Security Center alerts and Azure Diagnostic logs from Azure resources.”

Use AzLog to populate OMS? Er… No… Er.. Not yet?

Supports systems such as Splunk, ELK, ArcSight, Qradar

Does not support OMS yet

Page 29:

WHY SHOULD OMS BE IN THE CENTER?

Gather data from all sources

Pre-built connectors for:

Windows Servers: Event logs, Performance Counters, IIS logs, File Tracking, Registry Tracking

Linux Servers: Performance Counters, File Tracking

Syslog

Azure Storage

System Center

Windows Telemetry

Custom fields, custom logs

Multiple Azure subscriptions can report to a single workspace

HTTP API

Two year retention

Easy to export data into Power BI!

Page 30:

HOUSE OF TAILS

Safety, food, water, health, blankets, shade, love, fun

www.houseoftails.org/support-us

www.facebook.com/sthouseoftails

[email protected]

Dutch bank IBAN: NL87INGB0006669920

70 dogs!!!

Donation box near the registration area; participate in the raffle for huge rewards!

$15 = 1 month food
