OMS, ATA AND AZURE SECURITY CENTER MIXER

Transcription

1 OMS, ATA AND AZURE SECURITY CENTER MIXER Bob Cornelissen BICTT Managing Consultant Cameron Fuller Catapult Systems Solution Director - Launch blogs.catapultsystems.com Cameron.Fuller@catapultsystems.com

2 Bob Cornelissen 6 Year Microsoft MVP 11 Year CDM MVP 17 years in IT 20+ years in IT Dogs, ice-cream. Game: Stormfall Game of Thones & Skyrim

3 AGENDA A Game of Security? OMS Security features Microsoft Advanced Threat Analysis Azure Security Center System Center Operations Manager? Integrating OMS and Azure Let s put these into a blender!

4 A GAME OF SECURITY?

5 WHERE WE ARE AT TODAY Security information exists everywhere Advanced Threat Analytics (ATA) Azure AD & Azure AD Premium Azure AD Identity Protection Azure RMS, AIP Azure Security Center Bitlocker Administration Cloud App Security Configuration Manager DSC Exchange Firewalls Intune Office 365 Log Analytics/OMS Privileged Identity Management And more

6 WHERE WE ARE TODAY The Wall Eyrie Firewalls Advanced Threat Analytics Azure Security Center Operations Management Suite

7 OMS SECURITY FEATURES

8 OMS & SECURITY How: Microsoft Monitoring Agent reporting directly to OMS or through Operations Manager Reports direct to OMS bypasses OpsMgr (how it networks to get to OMS) Where? Any systems running the MMA agent and connected to OMS What? Any location including on-prem, Azure, AWS, or my cousin s datacenter in his garage Security Domains Notable Issues Detections Threat Intelligence (Botnet, darknet, etc) Integrated with Service Map

9 OMS & Security

10 MICROSOFT ADVANCED THREAT ANALYSIS

11 MICROSOFT ADVANCED THREAT ANALYSIS How: Where: What? Installed into your on-prem environment Part of EMS Generally on prem, but can run in Azure or AWS How you can KNOW if you have been hacked Detect threats fast with behavioral analytics Adapt as quickly as malicious hackers Zero in on the right alerts Reduce false positive fatigue Checks for reconnaissance, compromised credentials, lateral movement & domain dominance

12 Advanced Threat Analytics Integrating with OMS

13 BRUTE FORCE ATTACK ON HONEYTOKEN ACCOUNT

14 SYSLOG SERVER CONFIGURATION

15 ATA EVENTS IN OMS

16 AZURE SECURITY CENTER

17 AZURE SECURITY CENTER (ASC) How: Part of Azure Using Azure? Turn it on for your subscription(s) Where: Azure based systems Not on-prem, or AWS, etc. What? Revealing a Cyber attack Virtual Machines Networking SQL & Data What s coming? Preview of new enhancements

18 Azure Security Center (ASC)

19 SYSTEM CENTER OPERATIONS MANAGER + SECURITY

20 KUDOS TO THE SCOM COMMUNITY! The Security Management pack for SCOM! provide(s) real time notifications to events that are worth investigation Highlights: App Locker rules Key security group changes Pass the hash, overpass the hash, pass the ticket Cleared security events logs Additional domain controller Identifying known remote execution tools Scheduled task creation UseLogonCredentials registry key Failed RDP attempts And more!

21 INTEGRATING AZURE AND OMS

22 PRE-BUILT OMS SOLUTIONS Analytics for: Activity Log Azure Application Gateway Azure Network Security Group Azure SQL Azure Web Apps Key vault Service Fabric Application Insights Azure Site Recovery

23 BUILD YOUR OWN: CUSTOM SOLUTIONS You can build your own with the View Designer! Add your own data with the HTTP API! (see the Publishing Anything you could imagine to OMS using the API session)

24 LOG ANALYTICS IN AZURE Appears as a resource in Log Analytics in a resource group (mms-eus by default for the East US location) Full OMS portal accessible through Overview Can use Log Search, see Solutions, and more! Use Azure resources to connect your workspace to other

25 DASHBOARDING IN AZURE Views in OMS can be pinned to the Azure Dashboard! Right-click, and choose Pin to Dashboard

26 LET S PUT THESE INTO A BLENDER!

27 WHERE DO WE WANT TO BE? Firewalls Advanced Threat Analytics Azure Security Center Other Microsoft Products The Wall Eyrie Operations Management Suite

28 WHAT ABOUT MICROSOFT AZURE LOG INTEGRATION? What about AzLog (no, not Aslan that s Narnia), which feeds Security Information and Event Management (SIEM) Good links: Here & Here Azure log integration collects Windows events from Windows Event Viewer Channels, Azure Activity Logs, Azure Security Center alerts and Azure Diagnostic logs from Azure resources. Use AzLog to populate OMS? Er No Er.. Not yet? Supports systems such as Splunk, ELK, ArcSight, Qradar Does not support OMS yet

29 WHY SHOULD OMS BE IN THE CENTER? Gather data from all sources Pre-built connectors for: Windows Servers: Event logs, Performance Counters, IIS logs, File Tracking, Registry Tracking Linux Servers: Performance Counters, File Tracking Syslog Azure Storage System Center Windows Telemetry Custom fields, custom logs Multiple Azure subscriptions can report to a single workspace HTTP API Two year retention Easy to export data into Power BI!

30 Dutch bank IBAN: NL87INGB HOUSE OF TAILS 70 dogs!!! Safety, food, water, health, blankets, shade, love, fun $15 = 1 month food Donation box near registration area and participate in the raffle for huge rewards!

31 Q&A / OPEN DISCUSSION / STUMP THE CHUMP

32

33