Today’s IT Security and Operations teams are tasked with managing highly complex, hybrid-cloud, cross-platform systems which are increasingly vulnerable to a growing number of sophisticated cyber-attacks. With this, IT Operations teams have a requirement to identify any threats to their environment as soon as possible to mitigate damages, as well as continue to cost-effectively meet SLAs.
Azure Operation Management Suite - security and compliance
1. OMS Security
Asaf Nakash
CTO & P-TSP Azure
Microsoft MVP
Asaf@cloudvalley.io
054-9700780
Any cloud
Any platform
Cybersecurity Meetup
2. Threats are on the rise
Environments are more complex
Security talent is scarce
3. Why Security within IT Operations?
Issue: ‘IT Operations is responsible for managing datacenter infrastructure, applications, and data, including the stability and security of these systems. However, gaining security insights across increasingly complex IT environments often requires organizations to cobble together data from multiple security and management systems - I need a solution that provides me with actionable security insights for all my datacenter resources.’
With OMS,
• You can enable both IT ops and security professionals to effectively monitor your entire environment for security vulnerabilities and active threats – all within the context of operations management.
6. Holistic Security Posture
Issue: ‘Understanding the security posture of my hybrid-cloud environments is time-consuming, especially as these environments are changing rapidly.’
With OMS,
• Quickly and easily understand the overall security posture of any environment, all within the context of IT Operations, including: software update assessment, antimalware assessment, and configuration baselines. Furthermore, security log data is readily accessible to streamline security and compliance audit processes.
7. Audit / Ongoing Assessment / Cross-Platform
Ongoing Assessment
• Actionable security insights – network, identity, servers, …
• Prioritized notable issues
Audit
• Central collection of all security data
• Export to Excel and PowerBI or via API for reporting
• Data retention
Cross-Platform
• Windows and Linux
• On premises, Azure, AWS
• Microsoft and 3rd party security solutions
Holistic Security Posture
14. Threat Detection
Issue: ‘Cyber attacks are increasingly common and complex. Timely detection of attacks and breaches is critical to defending your environment’
With OMS,
• You can leverage the power of Microsoft’s continuously updated security intelligence to detect threats sooner and more accurately – across your entire environment.
15. Continuous Innovation / Security Analytics / Threat Intelligence
Security Analytics
• Rule-based detections
• Server and network behavioral analytics
• Anomaly detections
Continuous Innovation
• Ongoing threat monitoring
• Validation and tuning
• Automatic updates to detection algorithms
Threat Intelligence
• Intelligent security graph
• Global threat database
• Specialized security teams
Intelligent Detection
16. Threat Intelligence
• Microsoft security intelligence and leading intelligence vendors
• Detects communication to known malicious IP addresses
19. Threat Investigation
Issue: ‘Determining the nature and source of a security threat or breach is critical to mitigating damage to the business, but is very difficult without leveraging intelligence from security experts or the tools to cross reference data across security domains, and time is critical’
With OMS,
• You can leverage the power of Microsoft’s security intelligence, as well as the tools to search across your environment, to accelerate a comprehensive investigation.
20. Automation / Threat Intelligence / Search
Threat Intelligence
• Geo tagging and interactive maps
• Threat intelligence reports
Automation
• OMS automation capabilities
Search
• Easy search of all security and operational data
Rapid Investigation
Security Challenges:
Threats are on the rise
160 million records exposed
229 days between compromise and detection
$3 MILLION of cost/business impact per breach
a new approach is required
Environments are more complex
hybrid, multi-cloud, heterogeneous, IaaS+PaaS
more than 30 security solutions
increasingly distributed and physical networks no longer define the perimeter
IT security talent is scarce
noisy alerts that have to be triaged, investigated, mitigated
lack of security expertise, especially as it relates to the cloud
OMS Security provides an effective and easy-to-use cloud solution to detect security threats to an entire IT environment, from on-premises to cloud, and running both Windows and Linux OS.
With OMS Security, Microsoft has enabled IT Operations and Security teams to more quickly and easily understand overall security posture and detect and investigate security threats all within the context of IT Operations. OMS customers are able to leverage Microsoft’s own security data and analysis to perform a more intelligent and effective threat detection solution. With this intelligent threat detection, as well as guided investigations of security breaches and easily searchable security audit data, OMS Security enables customers to greatly mitigate damages when an attack takes place, and prevent damages to the business.
With OMS Security and Audit, customers are enabled to quickly and easily understand the overall security posture of their entire environment regardless of platform and from on-prem to cloud. This includes a comprehensive overview status of security updates, anti-malware patches, as well as security threat detection. The holistic approach to security posture enables IT operations to trigger investigation and audit directly, and in a comprehensive manner.
Update Assessments: Applying the most recent security updates is a security best practice and should be incorporated into your update management strategy. The Microsoft Monitoring Agent service (HealthService.exe) reads update information from monitored computers and sends it to the OMS service in the cloud for processing. The Microsoft Monitoring Agent service is configured as an automatic service and should always be running on the target computer.
Antimalware Assessment: The new solution will also be able to detect all types of antimalware software using the Windows Security Center APIs. This covers most antimalware software running on Windows clients and on Windows Servers that have the Desktop Experience enabled. Datacenter and Standard editions of Windows Server 2016 will have Windows Security Center enabled by default. Using this mechanism, the solution will be able to report the protection status of every antimalware product that registers itself through this API, which is the common practice among antimalware vendors.
Identity and access: Identity should be the control plane for your enterprise, so protecting your identities should be your top priority. In the past, organizations had perimeters, and those perimeters were one of the primary defensive boundaries; nowadays, with more data and more apps moving to the cloud, identity becomes the new perimeter.
By monitoring your identity activity you will be able to take proactive actions before an incident takes place, or reactive actions to stop an attack attempt. The Identity and Access dashboard provides an overview of your identity state, including the number of failed logon attempts, the user accounts used in those attempts, accounts that were locked out, accounts with a changed or reset password, and the number of accounts currently logged on.
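As an added illustration (not OMS code), the dashboard figures just listed can be derived from the standard Windows Security event IDs; the event records below are constructed and use a simplified shape in which "Account" stands for the event's target user name.

```python
"""Compute the Identity and Access dashboard counters from Windows Security
events. Added illustration, not OMS code; the events below are constructed.
Event IDs are the standard Windows ones: 4624 logon, 4634 logoff, 4625 failed
logon, 4740 account locked out, 4723 password changed, 4724 password reset."""
from collections import Counter

# Constructed sample: 'Account' stands for the TargetUserName field.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Account": "svc_backup"},
    {"EventID": 4625, "Account": "svc_backup"},
    {"EventID": 4625, "Account": "svc_backup"},
    {"EventID": 4740, "Account": "svc_backup"},   # lockout after repeated failures
    {"EventID": 4625, "Account": "jdoe"},
    {"EventID": 4624, "Account": "jdoe"},
    {"EventID": 4624, "Account": "asmith"},
    {"EventID": 4634, "Account": "asmith"},       # session ended
    {"EventID": 4724, "Account": "asmith"},       # password reset by an admin
    {"EventID": 4624, "Account": "admin"},
]


def identity_summary(events):
    """Return the dashboard figures: failed logons (total and per account),
    locked-out accounts, accounts with a changed/reset password, and which
    accounts currently have an open session (logons minus logoffs)."""
    failed = Counter()
    locked_out, pw_changed = set(), set()
    sessions = Counter()
    for ev in events:
        eid, acct = ev["EventID"], ev["Account"]
        if eid == 4625:
            failed[acct] += 1
        elif eid == 4740:
            locked_out.add(acct)
        elif eid in (4723, 4724):
            pw_changed.add(acct)
        elif eid == 4624:
            sessions[acct] += 1
        elif eid == 4634:
            sessions[acct] -= 1
    logged_on = sorted(a for a, n in sessions.items() if n > 0)
    return {
        "failed_logons": sum(failed.values()),
        "failed_by_account": dict(failed.most_common()),  # noisiest first
        "locked_out": sorted(locked_out),
        "password_changed_or_reset": sorted(pw_changed),
        "logged_on": logged_on,
    }


if __name__ == "__main__":
    for key, value in identity_summary(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```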
Security Baseline: Assess the security configuration of your servers against a standard security configuration baseline. OMS Security Baseline automatically checks over 180 security best-practice configurations, and provides details and remediation instructions for the misconfigured settings it detects.
Notable Issues: highlights notable security issues. Administrators should be aware of and examine these issues. Some issues are common, such as standard configuration changes that can occur as part of the normal business cadence. Others are rare events that might indicate a malicious activity, such as detecting a security log deletion.
The OMS Security and Audit solution has many built-in notable issues. While they are a good start, many organizations may want to extend them and add their own notable issues that represent their specific logic or unique set of priorities.
Like security attacks, security audits happen, and they can be very taxing on the resources of IT Operations and Security teams. As OMS is born in the cloud, the ability to access, search and correlate data quickly is vital to the audit process. With OMS Security, you will have all of the data required to supply an audit quickly and easily.
Detection: OMS Security and Audit enables customers to detect threats earlier by leveraging Microsoft security intelligence: behavioral analytics, anomaly detection and fusion (connecting the dots) – all based on analysis of data from servers and VMs, network traffic, PaaS services, SaaS, partner solutions, and more.
Customers can use things like operational intelligence and knowledge of attack methods used to target specific kinds of resources as well as advanced analytics and integrated threat intelligence to detect security threats sooner and more accurately.
Investigation and Recommendation: With the ability to identify threats and understand the scope and repercussions of security threats and attacks, OMS Security enables customers (even non-security experts) to mitigate the damage of security breaches before they become more widespread.
OMS customers can use features such as: guided investigations based on advanced statistical and machine learning techniques; visual interactive kill-chain map; rapid investigation using ad hoc search, and visual correlations to determine malicious activities and develop threat context and track attacker steps.
Microsoft runs the biggest cloud services in the world, enabling us to achieve a unique view of the threat landscape. The insights we derive, informed by trillions of signals from billions of sources, create an intelligent security graph that we use to inform how we protect all endpoints, better detect attacks and accelerate our response. We know, for example, where attacks came from and are able to identify malicious IP addresses. Our goal is to enable our customers to benefit from this knowledge to protect their resources.
The new threat intelligence section of the Security and Audit solution visualizes the possible attack patterns in several ways: the total number of servers with outbound malicious IP traffic, the malicious threat type and a map that shows where these IPs are coming from. You can interact with the map and click on the IPs for more information.
Yellow pushpins on the map indicate incoming traffic from malicious IPs. It is not uncommon for servers that are exposed to the internet to see incoming malicious traffic, but we recommend reviewing these attempts to make sure none of them was successful. These indicators are based on IIS logs, WireData and Windows Firewall logs.
Red pushpins on the map indicate outbound traffic from your servers to malicious IP addresses. This is less common and should be carefully examined. It means that someone or something on your servers is contacting suspicious destinations on the internet. This might be the result of a compromised machine communicating to a command and control center or exfiltration of data. Outbound traffic data is based on Windows Firewall and WireData logs.
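As an added example (not OMS code), the following script applies the same inbound/outbound distinction to Windows Firewall log entries: a RECEIVE from a listed address is an inbound attempt (yellow pushpin) and a SEND to a listed address is outbound contact (red pushpin), which is ranked highest. The indicator set and the pfirewall.log excerpt are constructed; the column layout follows the W3C-style #Fields header Windows Firewall writes.

```python
"""Classify Windows Firewall log entries against a threat-intelligence list,
mirroring the map's pushpins: RECEIVE from a listed IP is an inbound attempt
(yellow), SEND to a listed IP is outbound contact (red) and ranks highest.
Added example, not OMS code; indicators and log lines are constructed."""

# Constructed indicator set: TEST-NET addresses stand in for a real feed.
MALICIOUS_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed pfirewall.log excerpt in the layout Windows Firewall writes.
FIREWALL_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-03-01 10:02:11 DROP TCP 203.0.113.7 10.0.0.5 51234 3389 52 S 0 0 0 - - - RECEIVE
2017-03-01 10:02:13 ALLOW TCP 10.0.0.5 198.51.100.23 49812 443 0 - 0 0 0 - - - SEND
2017-03-01 10:02:20 ALLOW TCP 10.0.0.5 10.0.0.9 49813 445 0 - 0 0 0 - - - SEND
2017-03-01 10:03:01 ALLOW UDP 10.0.0.5 203.0.113.7 51000 53 0 - - - - - - - SEND
"""

SEVERITY = {"high": 3, "medium": 2, "low": 1}


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def threat_hits(text, indicators):
    """Return indicator matches, outbound (red pushpin) cases first."""
    hits = []
    for e in parse_firewall_log(text):
        outbound = e["path"] == "SEND"
        remote = e["dst-ip"] if outbound else e["src-ip"]
        if remote not in indicators:
            continue
        if outbound:
            severity = "high"      # server initiated contact: possible C2/exfil
        elif e["action"] == "ALLOW":
            severity = "medium"    # malicious source reached an open port
        else:
            severity = "low"       # attempt blocked at the host firewall
        hits.append({"time": e["time"], "host": e["src-ip"] if outbound else e["dst-ip"],
                     "remote": remote, "direction": "outbound" if outbound else "inbound",
                     "port": e["dst-port"], "action": e["action"], "severity": severity})
    return sorted(hits, key=lambda h: SEVERITY[h["severity"]], reverse=True)
```

Internal traffic (the 10.0.0.9 line) produces no hit, and a dropped inbound probe is kept at low severity so it is still visible for review.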
Response/Mitigation: One of the steps of a security incident response process is to identify the severity of the compromised system(s). In this phase you should perform the following tasks:
• Determine the nature of the attack
• Determine the attack's point of origin
• Determine the intent of the attack. Was the attack specifically directed at your organization to acquire specific information, or was it random?
• Identify the systems that have been compromised
• Identify the files that have been accessed and determine the sensitivity of those files
You can act on alerts through pre-defined runbooks or webhooks, which can be triggered from Azure or locally from your own datacenters
You can orchestrate disaster recovery and backups with proper planning and automated scripts customized to your needs
You can leverage an ecosystem of partners and third party vendors, in addition to first-party Microsoft provided automation scripts