OMS, ATA and Azure Security Center Mixer - schd.ws/hosted_files/mms2017/b5/oms ata and azure...

Post on 04-Jun-2018


OMS, ATA AND AZURE SECURITY CENTER MIXER

Bob Cornelissen | BICTT, Managing Consultant

www.bictt.com/blogs

bob@bictt.com

@Bob_Cornelissen

6 Year Microsoft MVP

17 years in IT

Dogs, ice-cream. Game: Stormfall

Cameron Fuller | Catapult Systems, Solution Director - Launch

blogs.catapultsystems.com

Cameron.Fuller@catapultsystems.com

@CFullerMVP

11 Year CDM MVP

20+ years in IT

Game of Thrones & Skyrim

AGENDA

A Game of Security?

OMS Security features

Microsoft Advanced Threat Analytics

Azure Security Center

System Center Operations Manager?

Integrating OMS and Azure

Let’s put these into a blender!

A GAME OF SECURITY?

WHERE WE ARE AT TODAY

Advanced Threat Analytics (ATA)

Azure AD & Azure AD Premium

Azure AD Identity Protection

Azure RMS, AIP

Azure Security Center

Bitlocker Administration

Cloud App Security

Configuration Manager

DSC

Exchange

Firewalls

Intune

Office 365

Log Analytics/OMS

Privileged Identity Management

And more…

Security information exists everywhere…

WHERE WE ARE TODAY

(Slide graphic: a Game of Thrones style map with the labels Firewalls, Advanced Threat Analytics, The Wall, Eyrie, Azure Security Center and Operations Management Suite)

OMS SECURITY FEATURES

OMS & SECURITY

How:

Microsoft Monitoring Agent reporting directly to OMS or through Operations Manager

Reports direct to OMS – bypasses OpsMgr (how it networks to get to OMS)

Where?

Any systems running the MMA agent and connected to OMS

Any location – including on-prem, Azure, AWS, or my cousin’s datacenter in his garage

What?

Security Domains

Notable Issues

Detections

Threat Intelligence (Botnet, darknet, etc)

Integrated with Service Map

OMS & Security

MICROSOFT ADVANCED THREAT ANALYTICS

MICROSOFT ADVANCED THREAT ANALYTICS

How:

Installed into your on-prem environment

Part of EMS

Where:

Generally on prem, but can run in Azure or AWS

What?

How you can KNOW if you have been hacked

Detect threats fast with behavioral analytics

Adapt as quickly as malicious hackers

Zero in on the right alerts

Reduce false positive fatigue

Checks for reconnaissance, compromised credentials, lateral movement & domain dominance

Advanced Threat Analytics – Integrating with OMS

BRUTE FORCE ATTACK ON HONEYTOKEN ACCOUNT

SYSLOG SERVER CONFIGURATION

ATA EVENTS IN OMS

AZURE SECURITY CENTER

AZURE SECURITY CENTER (ASC)

How: Part of Azure

Using Azure?

Turn it on for your subscription(s)

Where: Azure based systems

Not on-prem, or AWS, etc.

What? Revealing a Cyber attack

Virtual Machines

Networking

SQL & Data

What’s coming?

Preview of new enhancements

Azure Security Center (ASC)

SYSTEM CENTER OPERATIONS MANAGER + SECURITY

KUDOS TO THE SCOM COMMUNITY!

The Security Management pack for SCOM!

“provide(s) real time notifications to events that are worth investigation”

Highlights:

AppLocker rules

Key security group changes

Pass the hash, overpass the hash, pass the ticket

Cleared security events logs

Additional domain controller

Identifying known remote execution tools

Scheduled task creation

UseLogonCredential registry key

Failed RDP attempts

And more!

INTEGRATING AZURE AND OMS

PRE-BUILT OMS SOLUTIONS

Analytics for:

Activity Log

Azure Application Gateway

Azure Network Security Group

Azure SQL

Azure Web Apps

Key vault

Service Fabric

Application Insights

Azure Site Recovery

BUILD YOUR OWN: CUSTOM SOLUTIONS

You can build your own with the View Designer!

Add your own data with the HTTP API! (see the “Publishing Anything you could imagine to OMS using the API” session)

LOG ANALYTICS IN AZURE

Appears as a resource in Log Analytics in a resource group

(mms-eus by default for the East US location)

Full OMS portal accessible through “Overview”

Can use Log Search, see Solutions, and more!

Use “Azure resources” to connect your workspace to other

DASHBOARDING IN AZURE

Views in OMS can be pinned to the Azure Dashboard!

Right-click, and choose “Pin to Dashboard”

LET’S PUT THESE INTO A BLENDER!

WHERE DO WE WANT TO BE?

(Slide graphic: the same Game of Thrones style map, now with the labels Firewalls, Advanced Threat Analytics, The Wall, Eyrie, Azure Security Center, Operations Management Suite and Other Microsoft Products)

WHAT ABOUT MICROSOFT AZURE LOG INTEGRATION?

What about “AzLog” (no, not Aslan – that’s Narnia), which feeds Security Information and Event Management (SIEM)?

Good links: Here & Here

“Azure log integration collects Windows events from Windows Event Viewer Channels, Azure Activity Logs, Azure Security Center alerts and Azure Diagnostic logs from Azure resources.”

Use AzLog to populate OMS? Er… No… Er… Not yet?

Supports systems such as Splunk, ELK, ArcSight, QRadar

Does not support OMS yet

WHY SHOULD OMS BE IN THE CENTER?

Gather data from all sources

Pre-built connectors for:

Windows Servers: Event logs, Performance Counters, IIS logs, File Tracking, Registry Tracking

Linux Servers: Performance Counters, File Tracking

Syslog

Azure Storage

System Center

Windows Telemetry

Custom fields, custom logs

Multiple Azure subscriptions can report to a single workspace

HTTP API

Two year retention

Easy to export data into Power BI!
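The HTTP API mentioned on the “Build your own” slide and again in the connector list above is the Log Analytics HTTP Data Collector API. The following is an added example, not code from the deck or from Microsoft, showing how a client signs one batch of custom records for it: the request is authorised with an HMAC-SHA256 over a canonical string (method, body length, content type, `x-ms-date` and the `/api/logs` path), keyed with the base64-decoded workspace primary key. The workspace ID, key and the ATA-style alert record are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import re
import urllib.request
from email.utils import formatdate

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
# Log-Type becomes the custom log name (shown as <name>_CL in Log Search): letters, digits, underscores.
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")

def build_string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string the Data Collector API expects the client to sign."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n{RESOURCE}"

def build_authorization(workspace_id: str, shared_key: str, content_length: int, rfc1123_date: str) -> str:
    """HMAC-SHA256 of the canonical string, keyed with the base64-decoded workspace primary key."""
    key = base64.b64decode(shared_key)
    message = build_string_to_sign(content_length, rfc1123_date).encode("utf-8")
    signature = base64.b64encode(hmac.new(key, message, hashlib.sha256).digest()).decode()
    return f"SharedKey {workspace_id}:{signature}"

def build_request(workspace_id: str, shared_key: str, log_type: str, records: list, rfc1123_date=None):
    """Return (url, headers, body) for one POST; pass rfc1123_date only to make the output reproducible."""
    if not LOG_TYPE_RE.match(log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    body = json.dumps(records).encode("utf-8")
    date = rfc1123_date or formatdate(usegmt=True)  # e.g. 'Sun, 04 Jun 2017 10:00:00 GMT'
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key, len(body), date),
        "Log-Type": log_type,
        "x-ms-date": date,  # must be the same date string that was signed
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body

def post(url: str, headers: dict, body: bytes) -> int:
    """Send the signed batch; the service answers 200 when it accepts the records."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed placeholders: the real workspace ID (a GUID) and primary key come from the OMS portal.
    WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
    SHARED_KEY = base64.b64encode(b"placeholder-primary-key").decode()
    records = [{"Computer": "dc01.contoso.local", "AlertType": "HoneytokenActivity", "Severity": "Medium"}]
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, "ATAAlert", records)
    print(url, headers["Authorization"])  # post(url, headers, body) sends it to the workspace
```

Records land in the custom log `ATAAlert_CL`, where each JSON field becomes a typed column (for example `Computer_s`) searchable from Log Search.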

HOUSE OF TAILS

Safety, food, water, health, blankets, shade, love, fun

www.houseoftails.org/support-us

www.facebook.com/sthouseoftails

info@houseoftails.org

Dutch bank IBAN: NL87INGB0006669920

70 dogs!!!

Donation box near the registration area, and participate in the raffle for huge rewards!

$15 = 1 month food
