iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術

Technology Co.© 2017 WiAdvance Technology Co. All rights reserved. © 2017 WiAdvance Technology Co. All rights reserved.
Technology Co.
iThome
實戰Hybrid Cloud管理與安全技術
2017 Jun.

Technology Co.© 2017 WiAdvance Technology Co. All rights reserved.
I’m Charles 龔萬軒
Consultant of WiAdvance
• 組織 $2.8M USD 大型國際標案
• 執行產品行銷包括大型演講、形象影片、電銷計
劃等，增加300%客戶成長率
• 微軟雲架構技術顧問
• 研發管理顧問ACP (敏捷), PMP(瀑布式)
Professional Experience

• OMS Lab Instructions (OneNote)
https://goo.gl/pHaQYX
3
Lecture Material

企業面臨的挑戰
Azure Introduction
OMS Introduction
Case Study
OMS監控環境實作
緯謙解決方案介紹
Agenda

Pain Points of IT
5
Performance
Machine performance and
health monitor
Threat
Threat detection and
prevention through advanced
cloud security
Management
Cross-platform and hybrid
environment in reality

Supporting Statistic Data
6
+40%
time spent on
confirm root
cause1
+41%
Unlicensed
application
installed2
+75%
IT cost spent
on M&A3
1. Turner, Mary Johnston. IDC. “Automated, Integrated IT Operations Improve Effi ciency and Deliver Cost Savings”. January 2010.
2. Business Software Alliance, IDC. “Sixth Annual Global Software Piracy Report”. May 2009.
3. O’Donnell, Glenn. Forrester. “IT Operations 2009: An Automation Odyssey”. July 2009.
4. Berger, Brian. Enterprise Networks & Servers. “Putting Trust Back Into Computing: How Enterprises Can Secure Systems and Data”.
August 2007.
5. Gartner. “The Cost of Downtime”. July 2014.
+75%
Corporate PCs
are infected4
+60s
Unplanned downtime
costs 5,600 USD/min5

資訊系統意外隨時都可能發生…
當機或效率不佳
預期效能
Web Server
Systems
Mainframe
Database
Network
Application
End-User
Service
05:00 06:00 07:00 08:00 09:00 10:00 11:00 12:00 13:00 14:00 15:00 16:00
99%
99%
99.999%
99.9%
99.99%
99.9%
% available
當所有獨立的意外發生的時候
?
誰測量真實的用戶體驗，
和管理的全程服務
及時遠端監視系統可以在意外發生時，通知 IT 人員或權責主管
，馬上進行障礙排除，恢復系統運作。

There are no cattle,
there is only the herd.

Technology Co.© 2017 WiAdvance Technology Co. All rights reserved.9
There are no cattle,
there is only the herd.

自動化
受控管的資源
彈性
以使用量為主
虛擬機器網站雲端服務 SQL資料庫 noSQL 資料庫 blob 儲存連線虛擬網路流量管理員
...
...
...
...
...
...
There are no cattle, there is only the herd.

OMS INTRODUCTION
12

The world of traditional IT
is under pressure
Source: Drive Digital Business Using Insights From Gartner Symposium’s Analyst Keynote
21 November 2014 G00270846
Analyst(s): David A. Willis I Peter Sondergaard I Richard Hunter I Daryl C. Plummer I Kurt Potter I Frank Buytendijk I Paul E. Proctor I Brian Prentice I Jenny Sussin

Straddling two worlds: challenges
for modern management
AND Cloud model is geared for speed
• Developers have a critical business role
• Micro-services and modern apps create new complexity
• The server is no longer the center point
• Application data is business data
Traditional systems
still require traditional
management

Private or hosted third-party cloud,
Rackspace, etc.
WINDOWS
LINUX
WINDOWS
LINUX
WINDOWS
LINUX
Public cloud
Azure or AWS
Microsoft hybrid IT managementSimplified guest and workload management, both on-premises and in the cloud
Microsoft
Operations
Management Suite
On-premises with System Center
WINDOWS
LINUX
HYPER-V
WINDOWS
LINUX
VMWare
WINDOWS
LINUX

Automation & ControlProtection & Recovery
OMS 四大功能
• 整合雲端備份
• 無縫災難復原和工作負載
移轉
• Hybrid runbook worker
• 撰寫圖形化 Workbook
和自動化 DSC
自動快速作業輕鬆保護資料
OMS 協助我們
延伸 System Center 的能力得到完整的管理解決方案!
Security & Compliance
• 惡意軟體評估
• 安全態勢和系統更新評估
即早辨識威脅
Insight & Analystics
• 輕鬆收集記錄檔
• 整合的快速搜尋和客製化
儀表板查詢
快速發現問題

Architecture

Problem
-40GB log per day
-Collecting log in hybrid environment
-Need data visualization tool for better experience
Solution
-OMS with AD Assessment, O365 Audit Log solutions
-6 months data retention
-OMS dash board & PowerBI
Case Study (1) – AD Log
18
 收集Log並觀察費用  搜尋與法調整
 建立警示規則
 客製化儀錶板
 客製化報表
D+14 D+21 D+25

Problem
-20+ Exchange server to be monitor
-Mail queue trending
-Failover event alerting
-Client access server fail record
Solution
-Customize scripts integrated w/OMS
-OMS dash board
Case Study (2) – DAG Status
19

Client access server fail record
RPC time latencyMail queue trending
Case Study (2) – DAG Status
Failover event

Problem
-Slow speed for file server
-Who accessed the file
Solution
-File server audit log and shipping to OMS
-Root cause analysis
Case Study (3) – File Server Audit
21

當日(瀏覽檔案)Top10 User
當日(新增檔案)Top10 User
當日(刪除檔案)Top10 User
Case Study (3) – File Server Audit

Problem
-How to audit Office 365 log
-Seeing the insights from legal operation
Solution
-Office 365 solution gallery with OMS
-Custom query string to see insights
Case Study (4) – O365 Behavior Audit
23

Case Study (4) – O365 Behavior Audit
合法行為但活動異常
深入問題核心

雲儲存空間
雲計算/搜尋能力(Billion)
節省維運成本
跨平台
SaaS服務
Custom Log
SCOM
按照使用量收費
無軟體授權費用
持續功能更新
法規遵循
資料無法被修改及刪除
無硬體損壞風險
Why We Use OMS

Lab 1
設定OMS Workspace
Task 1 - 開啟OMS Workspace
Task 2 - 設定OMS Workspace
Task 3 - 連結OMS與Windows VM
Task 4 - 直接安裝OMS Agent

Lab 2
安裝Linux Agent
Task 1 – 安裝Agent

Metrics Collection

OMS OVERVIEW
30

Landing Page Overview

Organization
Administrative users
Standard users
Groups
Microsoft Account
Administrative users
Standard users
Microsoft support
Microsoft.com users only
Standard users
User Management

Using and Management Log Search
Select * (all) from the last 1 days
Look for “Error” in all sources from the last 1 days
Look for all Event log in all sources from the last 7 days
https://technet.microsoft.com/en-us/library/mt450427.aspx
OMS Search Reference
General query syntax
 filterExpression | command1 | command2 |…..
Filter expressions
Logical operators
Aggregate using measure
Date and Time
Numbers
Strings and String literals

• Logical operators
• Aggregate using measure
• Date and Time
• Numbers
• Strings and String literals
Using and Management Log Search
system OR error
Type:Alert | measure count() interval 1HOUR
TimeGenerated>NOW-5MINUTES
Type=Perf ObjectName=Process CounterValue>10
The WMI Adapter
“The WMI Adapter”

Lab 3
Query Syntax
Task 1 - 網路介面五分鐘平均頻寬(GB)
Task 2 - 網路介面每小時最大頻寬(MB)
Task 3 -平均磁碟讀取趨勢

Security Challenges
網路攻擊事件
頻繁
IT環境日益複
雜
資安能力缺乏
巨量安全記錄
分析
功能完整的資
安機制
智能威脅偵測

What is OMS Security Threat Intelligence and why do I
need it?
From leading Threat Intelligence vendors
Real time data feeding

DEMO
41

Demo: Attack on Target Network
• Firewalls are turned off on all systems
• Windows Updates have not been
applied and have been turned off
• Remote Desktop is turned on
• WinRM is enabled
• File Sharing and Network Discovery are
turned on
• No Antivirus installed
• PowerShell scripts set to unrestricted
DC1
Windows Server 2008 R2 SP1
10.0.1.10
Domain Controller & DNS
Server1
10.0.1.5
ATA
Windows Server 2016
10.0.1.12
Client1
Windows 7 SP1
10.0.1.22
Client2
Windows 7 SP1
10.0.1.21
Kali Linux 2.0
10.0.1.15

• Firewalls are turned off on all systems
• Windows Updates have not been
applied and have been turned off
• Remote Desktop is turned on
• WinRM is enabled
• File Sharing and Network Discovery are
turned on
• No Antivirus installed
• PowerShell scripts set to unrestricted
Attack Box
DC1
10.0.1.10
Server1
10.0.1.5
ATA
Windows Server 2016
10.0.1.12
Client1
Windows 7 SP1
10.0.1.22
Client2
Windows 7 SP1
10.0.1.21
Kali Linux 2.0
10.0.1.15

1. Phishing Attack on Client2
DC1
10.0.1.10
Server1
10.0.1.5
ATA
Windows Server 2016
10.0.1.12
Client1
Windows 7 SP1
10.0.1.22
Client2
Windows 7 SP1
10.0.1.21
Kali Linux 2.0
10.0.1.15
1

2. Steal server admin credentials
DC1
10.0.1.10
Server1
10.0.1.5
ATA
Windows Server 2016
10.0.1.12
Client1
Windows 7 SP1
10.0.1.22
Client2
Windows 7 SP1
10.0.1.21
Kali Linux 2.0
10.0.1.15
2

3. Conduct Recon on Network
DC1
10.0.1.10
Server1
10.0.1.5
ATA
Windows Server 2016
10.0.1.12
Client1
Windows 7 SP1
10.0.1.22
Client2
Windows 7 SP1
10.0.1.21
Kali Linux 2.0
10.0.1.15
3

4. Pivot to Server1
4
DC1
10.0.1.10
Server1
10.0.1.5
ATA
Windows Server 2016
10.0.1.12
Client1
Windows 7 SP1
10.0.1.22
Client2
Windows 7 SP1
10.0.1.21
Kali Linux 2.0
10.0.1.15

4. Pivot to Server1
5. Steal domain admin credentials
5
DC1
10.0.1.10
Server1
10.0.1.5
ATA
Windows Server 2016
10.0.1.12
Client1
Windows 7 SP1
10.0.1.22
Client2
Windows 7 SP1
10.0.1.21
Kali Linux 2.0
10.0.1.15

4. Pivot to Server1
6. Pivot to DC1
6
DC1
10.0.1.10
Server1
10.0.1.5
ATA
Windows Server 2016
10.0.1.12
Client1
Windows 7 SP1
10.0.1.22
Client2
Windows 7 SP1
10.0.1.21
Kali Linux 2.0
10.0.1.15

What We Saw
4. Pivot to Server1
6. Pivot to DC1
7. Establish persistence in domain

Lab 4
使用Security and Compliance
for 增強SQL安全性

Lab 5
啟用Security and Audit
Solution in OMS

Microsoft Teams
協同溝通

Lab 6
Add Webhook to Microsoft
Teams

{
"text": "#alertrulename fired with #searchresultcount records which exceeds the over threshold of #thresholdvalue .",
"title": "#alertrulename",
"themeColor": "0072C6",
"sections": [{
"activityTitle": "Alert Rule Name - #alertrulename",
"activityText": "##Severity:<font color="#FFD700">Warning<font>",
"markdown": true
},{
"activityTitle": "Alert Rule Name - #alertrulename",
"activityText": "WorkspaceID: #workspaceid nnSearch Condition - *Threshold Operator:* #thresholdoperator,
*Threshold Value:* #thresholdvalue nnSearch Syntax: #searchquery",
"markdown": true
}, {
"activityTitle": "Search Time",
"activityText": "StartTime(UTC): #searchintervalstarttimeutc nnEndTime(UTC): #searchintervalendtimeutc nnInterval(Seconds): #searchinterva
"markdown": true
}],
"entities": [],
"potentialAction": [{
"@context": "http://schema.org",
"@type": "ViewAction",
"name": "Search Results: #searchresultcount result(s)",
"target": ["#linktosearchresults"]
}]
}

Lab 7
Insights From Dashboard

Which Dashboard We Care about Most

Peak Loading
EIP: 23:12, 4:30, 10:27, 15:37
ERP: 1:07, 3:07, 10:32

Lab 8
Deploy Template

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-template-workspace-configuration

Lab 9
SNMP Trap

Module
- Net-SNMP
- fluentd

緯謙全方位效能與資安監控解決方案

高可視化資料呈現
服務整合
事件告警
66
緯謙效能監控服務

深入問題核心，追蹤問題來源
67
資料蒐集分析問題採取行動
使用OMS代理程式及
Solution gallery整合企業
所使用的IT資源於單一平台
透過OMS平台自訂搜尋語法
功能，抽絲剝繭尋找問題根
本原因
透過高可視化儀表呈現資料
分布及趨勢，提供您作商業
決策的依據

ECS - 帳務管理服務
68

高可視化儀表版，輕易了解使用金額及每月趨勢
69
緯謙帳務管理服務

使用量圓餅圖，花費比率一目了然
70

輕鬆了解各資源群組使用金額及每月趨勢
71

iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術

Similar to iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術 (20)

Recently uploaded

Recently uploaded (20)

iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術

Editor's Notes