A DEMONSTRATION OF OMS AND AZURE SECURITY CENTER
© 2023 StoneFly, Inc. | All rights reserved.
Security in the Cloud OMS Demonstration
How many of you have a centralized pane of glass that tells you that you have
malicious traffic attacks, that shows you the identity and access information
that is there, and that shows you computers with missing security updates? Do
you have all of this in a centralized pane of glass, or do you use different
tools to find out what's what? Those are the benefits that you get with
Microsoft's Operations Management Suite (OMS). We are going to jump right into
a demo, straight into Microsoft's OMS (Operations Management Suite).
Operations Management Suite (OMS)
Inside OMS you have different assessments and analyses running for your
organization. Because you are using this primarily for cloud services, you can
see the preventions and similar checks that are there to assess your
environment. But you also see that you have had a brute force attack.
So you can see that we have a brute force attack, and we also have
double-extension files being executed, and things like that. So your systems
are being attacked at your organization. Now, if we look at how to diagnose
and assess this, the platform is already diagnosing intelligently in the
background across all the different assessments that you see here: a malware
assessment, an update assessment, a network security and distinct IP address
assessment, and a threat intelligence assessment. This is where it starts to
say: here are the malicious IPs in your organization, here is where they are
coming from, here is where you are, and here is where somebody else is
actually controlling your server, which is where we see the malicious IP
coming from. We will walk through this a little more in depth.
What To Do Once You Are Breached?
Now that you have been breached, you see that there is a brute force attack,
or you see that there is a double extension on a file. You click into the
attack link to find out what is going on, which server has been compromised,
and where things are happening. So you can clearly see that you have a domain
controller that has been compromised. What happens when a domain controller
is compromised, or starts to have brute force attacks against it? The attacker
takes control of your entire environment. Right now it is a warning, but
before it becomes a compromise, let us go ahead and fix this.
How Can You Fix It?
What you do here is look at your query and your search results, where it tells
you the type of alert and the severity. You want to set up an alert for your
entire security team, your IT team, or your help desk team. This lets them
know what is happening in your organization so that they can start to
remediate it.
So, you click the "Alert" tab and add a rule. Then you enter "We have a brute
force attack in play" in the Name box, followed by the severity of the attack,
the description, and the time window (how often do I want this to run?). For
example, you may want this to run every five minutes, or every two minutes, or
whatever interval you want. You want the threshold to be greater than zero, so
that even if it happens only once that you are being brute forced and it starts
to hit the system significantly, it lets you know. You also want to set up an
email notification; this is where you put the distribution list of your help
desk, your security team, your server team, etc. under "Recipients". Next you
put in a Webhook, which can be used for things like Slack or ServiceNow if you
have a help desk. The Webhook will translate the alert and open up an incident,
or a security incident, within your ITSM solution. What that means is that any
time you have this as a security incident it is recorded, and if a change is
executed against it, that change goes through your change management and
service request process. So you actually have something that tracks this
through to a closed postmortem as well. Once you have that, you can also
execute a Runbook behind it. This Runbook gives you the automation to go ahead
and fix the issue. You have the ability to execute this in Azure only, or to
execute it on-premises as well with your Hybrid Worker. In this demo we are
going to execute this across environments with a Hybrid Worker. Now, in your
"Service Desk Actions", what this does is give you a connection to your
ServiceNow or ITSM-based solution that will automatically open up an incident
for you.
So you choose a "Work Item" and select a security incident. As you choose a
security incident, you record how you found out about it under "Contact
Type". Then you select the impact, the risk, the severity, the priority, and
the category: what exactly happened, was it confidential personal data loss,
a policy violation, a rogue server or service, and things like that. Then you
go ahead and save this. Once you save it, any time there is a brute force
attack happening from that environment, you will get a notification on it.
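The alert rule and service desk work item described above, as an added example that is not part of the original demo: a Python evaluation of a "greater than zero" threshold rule over constructed sample detections, producing the email notice and the webhook body an ITSM tool such as ServiceNow would receive. Field names, host names, recipients and the webhook URL are assumptions made up for this example; the Runbook step is left out.

```python
from datetime import datetime, timedelta
import json

# Constructed sample detections in the shape OMS shows in its security search
# results. Host names, accounts and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2023-05-01T10:00:05", "Computer": "DC01.example.local",
     "AlertTitle": "Brute force attack", "Account": "administrator"},
    {"TimeGenerated": "2023-05-01T10:01:40", "Computer": "DC01.example.local",
     "AlertTitle": "Brute force attack", "Account": "svc_backup"},
    {"TimeGenerated": "2023-05-01T10:03:12", "Computer": "DC01.example.local",
     "AlertTitle": "Brute force attack", "Account": "administrator"},
    {"TimeGenerated": "2023-05-01T09:40:00", "Computer": "DC01.example.local",
     "AlertTitle": "Brute force attack", "Account": "administrator"},  # too old
    {"TimeGenerated": "2023-05-01T10:02:00", "Computer": "WEB01.example.local",
     "AlertTitle": "Double extension file executed", "Account": "iis_app"},
]

def evaluate_alert_rule(events, now_iso, window_minutes=5, threshold=0,
                        alert_title="Brute force attack"):
    """The rule from the demo: look back `window_minutes`, count detections whose
    title matches, and fire when the count is greater than `threshold`
    (threshold 0 means a single hit fires). Returns the hits, or [] when quiet."""
    now = datetime.fromisoformat(now_iso)
    start = now - timedelta(minutes=window_minutes)
    hits = [e for e in events
            if e["AlertTitle"] == alert_title
            and start < datetime.fromisoformat(e["TimeGenerated"]) <= now]
    return hits if len(hits) > threshold else []

def build_security_incident(hits, severity="High", contact_type="Alert",
                            category="Rogue server or service"):
    """Fill the fields the demo sets on the Service Desk work item: contact type
    (how it was found), impact, risk, severity, priority and category."""
    computers = sorted({e["Computer"] for e in hits})
    accounts = sorted({e["Account"] for e in hits})
    # A domain controller is the demo's worst case; the "DC" name prefix is an
    # assumption about the constructed sample data, not an OMS convention.
    dc_involved = any(c.upper().startswith("DC") for c in computers)
    return {
        "work_item": "Security Incident",
        "name": "We have a brute force attack in play",
        "contact_type": contact_type,
        "severity": severity,
        "impact": "High" if dc_involved else "Medium",
        "risk": "High" if dc_involved else "Medium",
        "priority": 1 if dc_involved else 2,
        "category": category,
        "affected_computers": computers,
        "description": (f"{len(hits)} brute force detections on "
                        f"{', '.join(computers)} targeting {', '.join(accounts)}"),
    }

def build_notifications(incident, recipients, webhook_url):
    """Return the email notice and the webhook request the rule would send.
    Nothing is transmitted: the URL is a placeholder and the POST is left to the
    reader's environment so this runs offline."""
    email = {"to": list(recipients), "body": incident["description"],
             "subject": f"[{incident['severity']}] {incident['name']}"}
    webhook = {"url": webhook_url, "method": "POST",
               "body": json.dumps(incident, sort_keys=True)}
    return email, webhook

if __name__ == "__main__":
    hits = evaluate_alert_rule(SAMPLE_EVENTS, "2023-05-01T10:04:00")
    if hits:
        incident = build_security_incident(hits)
        email, webhook = build_notifications(
            incident, ["secops@example.com", "helpdesk@example.com"],
            "https://itsm.example.invalid/api/incidents")
        print(email["subject"], "->", ", ".join(incident["affected_computers"]))
        print(webhook["body"])
```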
Now, the other thing you have is the ability to look at "threat
intelligence". As you are detecting, and as you are going through your
organization, you want to know where the malicious traffic events are. So you
look at malicious traffic events, and you can see that there are five botnets
sitting within your organization that are coming from China.
Let’s See How This is Happening
You can see the computer: your SharePoint web front end has been compromised.
You can see your local IP, the malicious IP that is controlling it, and then
the botnet it is a member of. You have the ability to set up a rule on this as
well, and then export it to see where things are coming from. The idea is for
you to be able to take different sources of information from your Security
and Audit.
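The threat intelligence view just described, as an added example that is not code from the original demo: constructed outbound connections correlated against a constructed feed of botnet networks to produce the computer / local IP / malicious IP / botnet rows, the per-country botnet count, and a CSV export. All addresses, host names and feed entries are made up for this example.

```python
import csv
import io
import ipaddress

# Constructed threat-intelligence feed: (network, botnet family, source country).
# Every value is made up for the example; this is not a real indicator list.
THREAT_FEED = [
    ("203.0.113.0/24", "botnet-A", "CN"),
    ("198.51.100.0/25", "botnet-B", "CN"),
    ("198.51.100.200/32", "botnet-C", "RU"),
]

# Constructed outbound-connection records in the shape of the demo's malicious
# traffic view: the computer, its local IP and the remote IP it talked to.
CONNECTIONS = [
    {"Computer": "SPWFE01.example.local", "LocalIP": "10.0.1.20", "RemoteIP": "203.0.113.45"},
    {"Computer": "SPWFE01.example.local", "LocalIP": "10.0.1.20", "RemoteIP": "198.51.100.17"},
    {"Computer": "WEB02.example.local", "LocalIP": "10.0.1.31", "RemoteIP": "198.51.100.200"},
    {"Computer": "WEB02.example.local", "LocalIP": "10.0.1.31", "RemoteIP": "198.51.100.130"},
    {"Computer": "SPWFE01.example.local", "LocalIP": "10.0.1.20", "RemoteIP": "10.0.2.5"},
]

# RFC 1918 ranges: internal destinations are not looked up against the feed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def correlate(connections, feed):
    """Join each outbound connection to the feed entry whose network contains
    the remote IP, giving the demo's (computer, local IP, malicious IP,
    botnet member) rows. Internal and unlisted destinations produce no row."""
    nets = [(ipaddress.ip_network(n), botnet, country) for n, botnet, country in feed]
    rows = []
    for c in connections:
        remote = ipaddress.ip_address(c["RemoteIP"])
        if any(remote in net for net in INTERNAL_NETS):
            continue
        for net, botnet, country in nets:
            if remote in net:
                rows.append({"Computer": c["Computer"], "LocalIP": c["LocalIP"],
                             "MaliciousIP": c["RemoteIP"], "Botnet": botnet,
                             "Country": country})
                break  # first matching feed entry wins
    return rows

def botnets_by_country(rows):
    """Count distinct botnet families per source country, the figure behind
    the demo's "five botnets coming from China"."""
    seen = {}
    for r in rows:
        seen.setdefault(r["Country"], set()).add(r["Botnet"])
    return {country: len(families) for country, families in seen.items()}

def export_csv(rows):
    """Export the correlated rows as CSV text, the way the demo exports the view."""
    out = io.StringIO()
    fields = ["Computer", "LocalIP", "MaliciousIP", "Botnet", "Country"]
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    matched = correlate(CONNECTIONS, THREAT_FEED)
    print(botnets_by_country(matched))
    print(export_csv(matched))
```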
Generally, most environments have separate, disparate systems that don't have
log analytics across the board. This is what gives you the capability to
centralize the many things that you have multiple people, multiple very smart
people, looking at from different sources of technology. It combines that for
you so that you have a single common pane of glass. That's the idea.
Azure Security Center
In Azure Security Center, you have the ability to turn on security monitoring
for every single one of your virtual machines, storage accounts, databases,
whatever you have. It will start to tell you, hey, your disk is not encrypted,
so go ahead and take this remediation action. The other thing you have in
Azure Security Center is the ability to use third-party technologies that are
integrated for more protection, or for remediation of a solution that you
have. Those are the things that you have with Operations Management Suite and
Azure Security Center combined.
www.stonefly.com
2865, 2869 and 2879 Grove Way,
Castro Valley, CA 94546 USA.
+1 (510) 265-1616
Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azure Security Center