OMS, ATA and Azure Security Center mixer

Presentation on theme: "OMS, ATA and Azure Security Center mixer"— Presentation transcript:

1 OMS, ATA and Azure Security Center mixer
Bob Cornelissen, Managing Consultant, BICTT
John Barreto, Senior Consultant, BICTT

2 With thanks to Cameron Fuller for the theme, created for an earlier joint presentation

3 Agenda
- A Game of Security?
- OMS Security features
- Microsoft Advanced Threat Analytics
- Azure Security Center
- System Center Operations Manager?
- Integrating OMS and Azure
Cameron
Level: 400
Security is an immensely important subject, and keeping your environments up to speed and secure is essential. However, often you do not see how your networks are under attack and what you can do to remediate these situations. This session will show you Microsoft Advanced Threat Analytics (ATA), Azure Security Center and more, together with Microsoft OMS, and mix them together in ways not seen before!
Key points:
- OMS Security features
- Microsoft Advanced Threat Analytics (ATA)
- Azure Security Center
- And how we can mix things together!

4 A Game of Security? Cameron

5 Where we are at today
Security information exists everywhere…
- Advanced Threat Analytics (ATA)
- Azure AD & Azure AD Premium
- Azure AD Identity Protection
- Azure RMS, AIP
- Azure Security Center
- Bitlocker Administration
- Cloud App Security
- Configuration Manager
- DSC
- Exchange
- Firewalls
- Intune
- Office 365
- Log Analytics/OMS
- Privileged Identity Management
- And more…
Cameron

6 Where we are today
(Diagram, Game of Thrones theme: The Wall, Eyrie, Firewalls, Azure, Advanced Threat Analytics, Azure Security Center, Operations Management Suite)
Cameron

7 OMS Security features

8 OMS & Security
How:
- Microsoft Monitoring Agent reporting directly to OMS or through Operations Manager
- Reports direct to OMS – bypasses OpsMgr (how it networks to get to OMS)
Where?
- Any systems running the MMA agent and connected to OMS
- Any location – including on-prem, Azure, AWS, or my cousin’s datacenter in his garage
What?
- Security Domains
- Notable Issues
- Detections
- Threat Intelligence (Botnet, darknet, etc.)
- Integrated with Service Map
Bob

9 OMS & Security Bob demo here.

10 Microsoft Advanced Threat Analytics

11 Microsoft Advanced Threat Analytics
How:
- Installed into your on-prem environment
- Part of EMS
Where:
- Generally on prem, but can run in Azure or AWS
What?
- How you can KNOW if you have been hacked
- Detect threats fast with behavioral analytics
- Adapt as quickly as malicious hackers
- Zero in on the right alerts
- Reduce false positive fatigue
- Checks for reconnaissance, compromised credentials, lateral movement & domain dominance
Cameron

12 Advanced Threat Analytics – Integrating with OMS
Cameron – Lab environment:
- We have ATA running in Azure (in IaaS – EMS-ATACenter1). Database in Azure.
- Agents (lightweight gateways) installed on the DCs, which provide information to ATA.
- Website: ata.cat.demo (RDP)
- ATA console: using the Syslog server option (visible on the website); syslog can only be monitored on Linux systems currently.
- DebianLinuxx64 (regular IaaS box) on prem. Cool button to send a test log message!
Linux:
- omsagent.conf – used the defaults.
- rsyslog.conf – enable “Provide UDP syslog reception” to turn on syslog (rsyslog is installed by default). Just uncomment.
- sudo tail /var/log/syslog
OMS:
- Settings, Data, Syslog. Type=Syslog
- Remember to close and re-open your OMS console.
- The test message never shows up, but actual alerts do.
- That particular alert is Azure AD Connect doing a synchronization to Azure. Technically, you can run a PowerShell command on the DirSync server to force the synchronization, which in theory should generate the alert (Start-ADSyncSyncCycle -PolicyType Delta).
- The easiest “attack” to do is a zone transfer from a client that is not authorized: open up CMD, then nslookup ls -d cat.demo
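The rsyslog change the lab notes describe ("Just uncomment"), as an added example that is not part of the original deck: a POSIX shell helper that uncomments the two legacy imudp directives in a constructed copy of a Debian-style /etc/rsyslog.conf and checks the result. It assumes the legacy directive syntax ($ModLoad imudp / $UDPServerRun 514) that Debian's stock rsyslog.conf ships commented out under "provides UDP syslog reception", which is the block the slide refers to.

```shell
# Constructed excerpt of a Debian-style /etc/rsyslog.conf (sample input, not the lab's file).
# UDP reception ships commented out; this is the block the slide says to uncomment.
CONSTRUCTED_CONF='#  /etc/rsyslog.conf  Configuration file for rsyslog.
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514'

# Write the constructed config to a scratch file and print its path.
make_scratch_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' "$CONSTRUCTED_CONF" > "$f"
    printf '%s\n' "$f"
}

# Uncomment only the two legacy imudp directives (exact-line match, so an already
# enabled file is left unchanged and the TCP block is not touched). No sed -i, so it
# behaves the same on GNU and BSD sed.
enable_udp_reception() {
    conf=$1
    sed -e 's/^#\$ModLoad imudp$/$ModLoad imudp/' \
        -e 's/^#\$UDPServerRun 514$/$UDPServerRun 514/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Succeeds only when both directives are active, i.e. rsyslog will bind UDP 514.
# Caveat for the lab: UDP syslog is unauthenticated and this listener binds every
# interface; limit it with a host firewall or the $UDPServerAddress directive.
udp_reception_enabled() {
    conf=$1
    grep -q '^\$ModLoad imudp$' "$conf" && grep -q '^\$UDPServerRun 514$' "$conf"
}
```

After the edit, rsyslog has to be restarted before the slide's sudo tail /var/log/syslog check will show anything arriving from ATA.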

13 Brute force attack on Honeytoken account
Bob

14 Syslog server configuration
Cameron

15 ATA events in OMS Cameron

16 Azure Security Center Cameron

17 Azure Security Center (ASC)
How:
- Part of Azure
- Using Azure? Turn it on for your subscription(s)
Where:
- Azure based systems
- Not on-prem, or AWS, etc.
What?
- Revealing a Cyber attack
- Virtual Machines
- Networking
- SQL & Data
What’s coming?
- Preview of new enhancements
Cameron

18 Azure Security Center (ASC)
Cameron
In OMS show baselines, and compare to Azure Security Center baselines. Discuss futures from the call we were on.
Notes from the meeting we both attended related to this demo:
- OS baseline monitoring in OMS and ASC (Azure Security Center)
- Bottom right corner of the Security & Audit solution
- Remediate OS vulnerabilities (by Microsoft) in Azure Security Center
- Converging these to have the same experience for OMS and ASC

19 System Center Operations Manager + Security

20 Kudos to the SCOM community!
The Security Management Pack for SCOM! “provide(s) real time notifications to events that are worth investigation”
Highlights:
- App Locker rules
- Key security group changes
- Pass the hash, overpass the hash, pass the ticket
- Cleared security event logs
- Additional domain controller
- Identifying known remote execution tools
- Scheduled task creation
- UseLogonCredentials registry key
- Failed RDP attempts
- And more!
Cameron

21 Integrating Azure and OMS

22 Pre-built OMS solutions
Analytics for:
- Activity Log
- Azure Application Gateway
- Azure Network Security Group
- Azure SQL
- Azure Web Apps
- Key Vault
- Service Fabric
- Application Insights
- Azure Site Recovery
Bob

23 Build your own: Custom solutions
- You can build your own with the View Designer!
- Add your own data with the HTTP API! (see the “Publishing Anything you could imagine to OMS using the API” session)
Bob

24 Log Analytics in Azure
- Appears as a resource in Log Analytics in a resource group (mms-eus by default for the East US location)
- Full OMS portal accessible through “Overview”
- Can use Log Search, see Solutions, and more!
- Use “Azure resources” to connect your workspace to other
Cameron

25 Views in OMS can be pinned to the Azure Dashboard!
Right-click, and choose “Pin to Dashboard”
Dashboarding in Azure
Cameron

26 Operations Management Suite
Where do we want to be?
(Diagram, Game of Thrones theme: Advanced Threat Analytics, Azure Security Center, Other Microsoft Products, Firewalls, The Wall, Eyrie, Operations Management Suite)
Cameron

27 What about Microsoft Azure Log Integration?
What about “AzLog” (no, not Aslan – that’s Narnia), which feeds Security Information and Event Management (SIEM)?
Good links: Here & Here
“Azure log integration collects Windows events from Windows Event Viewer Channels, Azure Activity Logs, Azure Security Center alerts and Azure Diagnostic logs from Azure resources.”
Use AzLog to populate OMS? Er… No… Er… Not yet?
- Supports systems such as Splunk, ELK, ArcSight, QRadar
- Does not support OMS yet
Cameron

28 Why should OMS be in the center?
- Gather data from all sources
- Pre-built connectors for:
  - Windows Servers: Event logs, Performance Counters, IIS logs, File Tracking, Registry Tracking
  - Linux Servers: Performance Counters, File Tracking
  - Syslog
  - Azure Storage
  - System Center
  - Windows Telemetry
- Custom fields, custom logs
- Multiple Azure subscriptions can report to a single workspace
- HTTP API
- Two year retention
- Easy to export data into Power BI!
Both

29 Want to learn more about OMS? Check out these sessions this week!
Session | Room | Hour | Speakers
OMS: Where Are We and Where Are We Going | Franciscan A | Tuesday October 24, 8AM – 9AM | Bert Wolters, Pete Zerger
Securing your Azure Workloads with Security Center and OMS | Franciscan D | 11AM – 12:15PM | Maarten Goet
Embrace the Hybrid Power of OMS Supporting your Existing Processes | Continental 7 | Wednesday October 25 | Dieter Wijckmans
What’s New in Microsoft OMS? | Continental 9 | | Cameron Fuller
Azure Automation and OMS: Better Together | Continental 5 | 3PM – 4:15PM | Aleksandar Nikolic
OMS and Configmgr | Franciscan B | Thursday October 26, 10:15AM – 11:30AM | Greg Ramsey
OMS your First Aid Kit to Stay Safe… | | Thursday October 26, 10:15AM – 11:30AM |
OMS, ATA and Azure Security Center Mixer | Continental 8 | Thursday October 26, 12:30PM – 1:45PM | Bob Cornelissen, John Baretto
Using OMS to Monitor P2P Content in the enterprise | Continental 3 | Thursday October 26, 12:30PM – 1:45PM | Andreas Hammarskjold, Phil Wilcock
In the Land of the Blind, OMS is King | | Thursday October 26, 2:15PM – 3:30PM |

30 House of Tails
Safety, food, water, health, blankets, shade, love, fun
$15 = 1 month food
Dutch bank IBAN: NL87INGB

31 Q&A is open
No Config Mgr related questions
Previously asked questions:
Q: Does the number of SCOM Devs fit in a phone booth? A: No, even though most are from India
Q: Is there a pricing impact on running SC 2016 coming from 2012 R2? A: Ask your license vendor, I have never been able to figure out pricing
Q: Is it allowed to feed the presenters? A: Yes it is
Bob

