This guide, written for IT professionals and cloud administrators, walks through a demonstration of Microsoft Operations Management Suite (OMS) together with Azure Security Center: how OMS Log Analytics and Security Center's security posture management combine to monitor, detect and respond to threats across Azure and hybrid environments. Full white paper: https://stonefly.com/white-papers/demonstration-of-oms-and-azure-security/
Security in the Cloud: OMS Demonstration
How many of you have a single pane of glass that tells you there is malicious
traffic attacking you, shows you identity and access information, and shows
you which computers are missing security updates? Do you have all of this in
one centralized view, or do you use different tools to find out what's what?
Having it all in one place is the benefit of Microsoft's Operations Management
Suite (OMS). We are going to jump right into a demo of OMS.
Operations Management Suite (OMS)
Inside OMS you have different assessments and analyses running for your
organization. Because this environment is used primarily for cloud services,
you can see preventive assessments of it here. But you can also see that you
have had a brute force attack.
So you can see that we have a brute force attack, and we also see files with
double extensions being executed (a common way of disguising an executable as a
document). Systems in your organization are being attacked. If we look at how to
diagnose and assess this, the platform is already diagnosing intelligently in the
background across all of the assessments you see here: a malware assessment, an
update assessment, a network security and distinct IP address assessment, and a
threat intelligence assessment. The threat intelligence assessment is where it
starts to say: here are the malicious IPs talking to your organization, here is
where they are coming from, here is where you are, and here is where somebody
else is actually controlling your server; that is where we see the malicious IP
coming from. We will walk through this in more depth.
What To Do Once You Are Breached?
Now that you have been breached, you see that there is a brute force attack, or
that a file with a double extension has been executed. Click into the attack
link to find out what is going on, which server is affected and where things are
happening. Here you can clearly see that a domain controller is the target.
What happens when a domain controller is compromised, or starts taking brute
force attacks? Whoever controls it controls your entire environment, because
every domain account and every domain-joined machine trusts it. Right now it is
a warning, but before it becomes a compromise, let us go ahead and fix this.
How Can You Fix It?
What you do here is look at your query and its search results, where it tells
you the type of alert and the severity. You then set up an alert for your
security team, your IT team or your help desk team, so that they know what is
happening to your organization and can start to remediate it.
Click the "Alert" tab and add a rule. In the Name box, enter something like
"We have a brute force attack in play". Enter the severity of the attack and
the description, then the time window (how much recent data each check looks
at) and how often you want the check to run: every five minutes, every two
minutes, or whatever interval suits you. Set the threshold to greater than
zero, so that a single window in which you are being brute-forced, and the
attack starts to hit the system significantly, is enough to trigger the alert.

Next, set up an email notification. Under "Recipients" you put the distribution
list of your help desk, your security team, your server team and so on. Then add
a Webhook. A webhook can be used for things like Slack, or for ServiceNow if you
have a help desk: the webhook posts the alert and opens an incident, or a
security incident, within your ITSM solution. That means any time this fires it
is recorded as a security incident, and any change executed against it goes
through your change management and service request process, so you also have
something that tracks it through to a post-mortem and a closed state.

Once you have that, you can also execute a Runbook behind it. The Runbook gives
you the automation to go ahead and fix the issue. You can execute it in Azure
only, or on-premises as well with a Hybrid Runbook Worker; in this demo we
execute it across environments with a hybrid worker. Finally, "Service Desk
Actions" gives you a connection to ServiceNow or your ITSM-based solution that
automatically opens an incident for you.
Choose a "Work Item" and select a security incident. As you do so, you record
how you found out about it in the "Contact Type", and you select the impact,
the risk, the severity, the priority and the category: what exactly happened,
was it confidential personal data loss, a policy violation, a rogue server or
service, and so on. Then save it. Once saved, any time there is a brute force
attack in that environment you get a notification on it.
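The alert rule configured above, worked through in code, as an added example (Python) that is not code from the StoneFly white paper or from Microsoft. It models what the rule does: run a saved search over a lookback window, fire when the number of results is greater than the threshold, and build the security-incident body the webhook or Service Desk action would post. The event records, the SecurityEvent-style field names and the ServiceNow-style work item layout are all constructed for illustration; the real connector schema differs.

```python
"""Model of an OMS Log Analytics alert rule: saved search, time window,
threshold, and the ITSM work item the webhook posts.

Added example, not code from the white paper or from Microsoft. Records,
field names and the work-item layout are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

NOW = datetime(2017, 3, 1, 9, 5, 0)  # the instant the alert check runs

# Constructed sample: failed logons (Windows EventID 4625) against the domain
# controller, one successful logon elsewhere, and one old failure that falls
# outside a short window.
SAMPLE_EVENTS = [
    {"TimeGenerated": datetime(2017, 3, 1, 9, 0, 5), "Computer": "DC01.contoso.local",
     "EventID": 4625, "Account": "CONTOSO\\administrator", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": datetime(2017, 3, 1, 9, 0, 6), "Computer": "DC01.contoso.local",
     "EventID": 4625, "Account": "CONTOSO\\administrator", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": datetime(2017, 3, 1, 9, 1, 10), "Computer": "DC01.contoso.local",
     "EventID": 4625, "Account": "CONTOSO\\admin", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": datetime(2017, 3, 1, 9, 2, 0), "Computer": "SP-WFE01.contoso.local",
     "EventID": 4624, "Account": "CONTOSO\\svc_sharepoint", "IpAddress": "10.0.1.20"},
    {"TimeGenerated": datetime(2017, 3, 1, 8, 50, 0), "Computer": "DC01.contoso.local",
     "EventID": 4625, "Account": "CONTOSO\\administrator", "IpAddress": "203.0.113.7"},
]


def saved_search(events, now, window_minutes):
    """The alert's saved search: failed logons inside the lookback window."""
    start = now - timedelta(minutes=window_minutes)
    return [e for e in events
            if e["EventID"] == 4625 and start <= e["TimeGenerated"] <= now]


def evaluate_alert(events, now, window_minutes=5, threshold=0, severity="Critical"):
    """Fire when the number of results is greater than the threshold.

    The demo sets the threshold to 0, so one failed logon in the window is
    enough; raising it trades sensitivity for fewer alerts on a busy DC.
    Returns None when the rule does not fire.
    """
    results = saved_search(events, now, window_minutes)
    if len(results) <= threshold:
        return None
    computers = sorted({e["Computer"] for e in results})
    sources = sorted({e["IpAddress"] for e in results})
    return {
        "Name": "We have a brute force attack in play",
        "Severity": severity,
        "Description": (f"{len(results)} failed logons on {', '.join(computers)} "
                        f"from {', '.join(sources)} in the last {window_minutes} minutes"),
        "Computers": computers,
        "ResultCount": len(results),
        "TimeGenerated": now.isoformat(),
    }


def build_work_item(alert, contact_type="Alert", impact="1 - High", risk="High",
                    priority="1 - Critical", category="Rogue server or service"):
    """Hypothetical security-incident body for the webhook / Service Desk action.

    Field names follow the ones the demo fills in (contact type, impact, risk,
    severity, priority, category); a real connector schema will differ.
    """
    return {
        "work_item": "Security incident",
        "short_description": alert["Name"],
        "description": alert["Description"],
        "contact_type": contact_type,
        "impact": impact,
        "risk": risk,
        "severity": alert["Severity"],
        "priority": priority,
        "category": category,
        "affected_computers": alert["Computers"],
    }


def webhook_body(alert, recipients):
    """JSON the alert rule would post: the work item plus who was e-mailed."""
    return json.dumps({"recipients": recipients, "incident": build_work_item(alert)},
                      indent=2)


if __name__ == "__main__":
    alert = evaluate_alert(SAMPLE_EVENTS, NOW)
    print(webhook_body(alert, ["secops@contoso.example", "helpdesk@contoso.example"]))
```

With the default five-minute window the rule sees the three failures at 09:00 to 09:01 and fires; shrink the window to one minute and it sees nothing, widen it to thirty and the 08:50 failure is counted too. That is the trade-off the "time window" setting controls, and why the threshold of zero is only reasonable when the saved search itself is narrow.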
The other thing you have is the ability to look at "Threat Intelligence". As
you detect and work through your organization, you want to know where the
malicious traffic events are. Looking at malicious traffic events, you can see
five botnet-related events inside your organization, with the controlling IPs
coming from China.
Let’s See How This is Happening
You can see the computer: your SharePoint web front end has been compromised.
You can see its local IP, the malicious IP that is controlling it, and that it
is a member of a botnet. You can set up a rule on this as well, and then export
the results to see where things are coming from. The idea is for you to be able
to bring together different sources of information in your Security and Audit
solution.
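The correlation behind the malicious traffic view, as an added example (Python) that is not code from the StoneFly white paper or from Microsoft: outbound connections are matched against a threat-intelligence feed, the matches name the computer, its local IP, the controlling IP and the botnet, and the result can be summarised by country and exported. Everything in it is constructed for illustration: the indicator feed (addresses from the RFC 5737 documentation ranges, made-up botnet names and countries), the WireData-like connection records and the computer names. It goes one step beyond the demo by letting indicators be CIDR ranges as well as single addresses.

```python
"""Match outbound connections against a threat-intelligence feed to find
botnet members, the way a malicious-traffic view does.

Added example, not code from the white paper or from Microsoft. The feed,
the connection records and the host names are all constructed.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed indicator feed: C2 address or CIDR -> (botnet family, country).
THREAT_INTEL = {
    "198.51.100.23": ("Botnet-A (constructed)", "CN"),
    "203.0.113.0/24": ("Botnet-B (constructed)", "CN"),
    "192.0.2.77": ("Botnet-C (constructed)", "RU"),
}

# Constructed outbound connection records, as an agent's network data might look.
CONNECTIONS = [
    {"Computer": "SP-WFE01.contoso.local", "LocalIP": "10.0.1.15",
     "RemoteIP": "198.51.100.23", "RemotePort": 6667},
    {"Computer": "SP-WFE01.contoso.local", "LocalIP": "10.0.1.15",
     "RemoteIP": "203.0.113.44", "RemotePort": 443},
    {"Computer": "FS01.contoso.local", "LocalIP": "10.0.2.8",
     "RemoteIP": "192.0.2.77", "RemotePort": 8080},
    {"Computer": "FS01.contoso.local", "LocalIP": "10.0.2.8",
     "RemoteIP": "192.0.2.200", "RemotePort": 443},   # not in the feed
    {"Computer": "DC01.contoso.local", "LocalIP": "10.0.0.4",
     "RemoteIP": "10.0.0.5", "RemotePort": 389},       # internal LDAP
]

# RFC 1918 space: internal destinations are never a C2 match, and skipping
# them keeps a typo in the feed from flagging a whole internal subnet.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def compile_feed(intel):
    """Turn the feed into (network, botnet, country) so CIDR entries match too."""
    return [(ipaddress.ip_network(key, strict=False), botnet, country)
            for key, (botnet, country) in intel.items()]


def malicious_traffic(connections, intel):
    """One event per connection whose remote address is a known C2 host."""
    feed = compile_feed(intel)
    events = []
    for c in connections:
        remote = ipaddress.ip_address(c["RemoteIP"])
        if any(remote in n for n in INTERNAL_NETWORKS):
            continue
        for network, botnet, country in feed:
            if remote in network:
                events.append({"Computer": c["Computer"], "LocalIP": c["LocalIP"],
                               "MaliciousIP": str(remote), "RemotePort": c["RemotePort"],
                               "Botnet": botnet, "Country": country})
                break
    return events


def botnet_members(events):
    """Computers that talked to a C2: the hosts to isolate and rebuild."""
    return sorted({e["Computer"] for e in events})


def events_by_country(events):
    """Where the controlling IPs sit: the demo's 'coming from China' view."""
    return Counter(e["Country"] for e in events)


def export_csv(events):
    """The 'export' step: a CSV the security team can hand around."""
    columns = ["Computer", "LocalIP", "MaliciousIP", "RemotePort", "Botnet", "Country"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


if __name__ == "__main__":
    hits = malicious_traffic(CONNECTIONS, THREAT_INTEL)
    print(export_csv(hits))
    print("botnet members:", botnet_members(hits))
    print("by country:", dict(events_by_country(hits)))
```

The per-computer grouping matters more than the raw event count: the demo's "five events" may be one web front end beaconing five times, and the remediation (isolate, collect evidence, rebuild) is per host, not per event.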
Generally, most environments have separate, disparate systems with no log
analytics across the board. This is what gives you the capability to centralize
the things that multiple, very smart people are looking at across different
sources of technology. It combines them for you so that you have a single
common pane of glass. That is the idea.
Azure Security Center
In Azure Security Center you can turn on security monitoring for every one of
your virtual machines, storage accounts, databases, and whatever else you have.
It will then tell you, for example, that a disk is not encrypted and recommend
the remediation action to take. Security Center also lets you use integrated
third-party technologies (partner solutions) for more protection, or to
remediate an issue it has found. Those are the things you get with Operations
Management Suite and Azure Security Center combined.