Jessica Payne Microsoft Global Incident Response and Recovery

Presentation transcript:

Windows Event Forwarding – Centralized logging for everyone! Jessica Payne, Microsoft Global Incident Response and Recovery. Session INF327.

Logging: the hardest simplest thing.

Venn diagram of common monitoring strategies (diagram; the three regions read):
- All the things!!!!!! (too much data, no context)
- Very few/none of the things
- This space intentionally left blank

Trends with logs during Incident Response:
- No centralized logging
- Not monitoring endpoints/member servers (often just DCs)
- Spamming logs with extra data
- Not logging key events
- Logs roll too quickly
- Those with centralized logging are still missing data, and it takes too long for IT admins to get reports

The Incident Response tools we wish we had (those are time machines).

Solution! Windows Event Forwarding

Fabulous whitepapers! Spotting the Adversary with Windows Event Log Monitoring: https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf

Benefits:
- Built in – we have amazing products, but you already have this one
- Configured via GPO
- Uses Windows Remote Management (Kerberos)
- Can (and should be) targeted to specific events
- Native evtx (XML) log format
- "Push" log mode – less attack surface
- IT admins control their own logging destiny

WEF Architecture (diagram: forwarders send subscription requests to the collector)

Pre-reqs:
- A "server" (collector) is required
- GPO
- Local NETWORK SERVICE needs to be granted read access to the Security log
- WinRM needs to be started on clients (just started, not configured)

Configuring WEF

What to monitor?
- Security logs being cleared
- Local group changes / high-value domain group changes
- Creation of local accounts
- Password changes not done by LAPS (or other password management software)
- Lateral account movement (need protective controls to serve as detective controls)
- Application crashes
- Service installation
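The "Pre-reqs" and "What to monitor?" slides together describe one procedure: start WinRM on the forwarders, let NETWORK SERVICE read the Security log, point the forwarders at the collector, and subscribe only to the event classes worth alerting on. The script below is an added example, not code from the talk or from Microsoft. It assumes a placeholder collector FQDN (wec01.corp.example), a subscription name chosen here (HighValueEvents), and an elevated Windows PowerShell session on the collector; the event IDs are the standard Windows Security/System/Application IDs for the listed event classes, and the choice of 4648 and RDP (logon type 10) as the lateral-movement indicator is this example's, not the slide's. The two client-side steps are shown as local commands so a lab can reproduce them; in production they are the GPO settings the slide refers to.

```powershell
# Added example (not from the deck): WEF collector + forwarder pre-reqs and a
# source-initiated subscription limited to the event classes on the slide.
$Collector    = 'wec01.corp.example'   # placeholder collector FQDN
$Subscription = 'HighValueEvents'      # name chosen for this example

# Pre-req (forwarders, normally via GPO): WinRM must be *running*. Do not run
# "winrm quickconfig" here; WEF needs no listener or firewall change on the client.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Pre-req (forwarders, normally via GPO "Configure log access"): append a
# read ACE for NETWORK SERVICE (NS) to the Security channel SDDL if missing.
$current = (wevtutil gl Security | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', ''
if ($current -notmatch ';;;NS\)') {
    wevtutil sl Security "/ca:${current}(A;;0x1;;;NS)"
}

# Pre-req (forwarders, normally via GPO "Configure target Subscription Manager"):
# registry equivalent of the policy, pointing at the collector over Kerberos/HTTP.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name '1' -PropertyType String -Force `
    -Value "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null

# Collector: enable the Windows Event Collector service, then create the
# subscription from XML. Each <Query> targets one slide bullet.
wecutil qc /q

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman/subscription-config">
  <SubscriptionId>$Subscription</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>High-value events only (WEF example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <!-- Security log cleared -->
  <Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=1102)]]</Select></Query>
  <!-- Local group membership changes (4732/4733); global/universal domain group adds (4728/4756) -->
  <Query Id="1" Path="Security"><Select Path="Security">*[System[(EventID=4732 or EventID=4733 or EventID=4728 or EventID=4756)]]</Select></Query>
  <!-- Account created -->
  <Query Id="2" Path="Security"><Select Path="Security">*[System[(EventID=4720)]]</Select></Query>
  <!-- Password change (4723) / reset (4724). The event-log XPath subset has no
       ends-with(), so LAPS resets (SubjectUserName is the machine account) are
       filtered downstream in the SIEM rather than here. -->
  <Query Id="3" Path="Security"><Select Path="Security">*[System[(EventID=4723 or EventID=4724)]]</Select></Query>
  <!-- Lateral movement indicators: explicit-credential logon and RDP logon -->
  <Query Id="4" Path="Security">
    <Select Path="Security">*[System[(EventID=4648)]]</Select>
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType']='10']]</Select>
  </Query>
  <!-- Application crashes -->
  <Query Id="5" Path="Application"><Select Path="Application">*[System[Provider[@Name='Application Error'] and (EventID=1000)]]</Select></Query>
  <!-- Service installation -->
  <Query Id="6" Path="System"><Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7045)]]</Select></Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- DC = Domain Computers, DD = Domain Controllers: every domain machine may forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@

$path = Join-Path $env:TEMP "$Subscription.xml"
Set-Content -Path $path -Value $xml -Encoding UTF8
wecutil cs $path

# Runtime status: forwarders show up as active sources after their next
# refresh (Refresh=60 seconds in the SubscriptionManager value above).
wecutil gr $Subscription
```

The subscription deliberately selects a handful of IDs rather than the whole Security log, which is the "targeted to specific events" and "spamming logs with extra data" point from earlier slides; adding a Suppress element, or narrowing a Select on EventData fields such as TargetUserName for a specific high-value group, is how the filter is tightened further without touching the clients.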

Configuring Monitoring

Extensibility: works great with other SIEM investments
- SCOM for alerting
- Azure Operational Insights
- Or . . . PowerBI!

PowerBI dashboards

Resources/shoutout: http://blogs.technet.com/b/kfalde/ – everything you need to create cool XPath filters and PowerBI dashboards.

Questions? http://aka.ms/jessica @jepayneMSFT


Continue your Ignite learning path:
- Visit Microsoft Virtual Academy for free online training: https://www.microsoftvirtualacademy.com
- Visit Channel 9 to access a wide range of Microsoft training and event recordings: https://channel9.msdn.com/
- Head to the TechNet Eval Centre to download trials of the latest Microsoft products: http://Microsoft.com/en-us/evalcenter/
© 2015 Microsoft Corporation. All rights reserved.