Category Archives: Security & Compliance

How to connect third-party security solutions at OMS

Among the various features of Operations Management Suite (OMS) is the ability to collect events generated in the Common Event Format (CEF) standard as well as events generated by Cisco ASA devices. Many vendors of security solutions generate events and log files that match the syntax defined by the CEF standard, for interoperability with other products. By configuring the sending of data in this format to OMS and adopting the OMS Security and Audit solution, you can correlate the different information collected, leverage the powerful OMS search engine to monitor your infrastructure, retrieve audit information, detect problems and use Threat Intelligence.

This article walks through the steps needed to integrate the logs generated by a Cisco Adaptive Security Appliance (ASA) into OMS. Before configuring this integration you must have a Linux machine with the OMS agent installed (version 1.2.0-25 or later) and configure it to forward the logs it receives to the OMS workspace. For the installation and onboarding of the Linux agent, refer to the official Microsoft documentation: Steps to install the OMS Agent for Linux.

Figure 1 – Architecture for collecting logs from Cisco ASA in OMS

The Cisco ASA appliance must be configured to forward its events to the Linux machine that acts as collector. This can be done with the Cisco ASA management tools, such as Cisco Adaptive Security Device Manager:

Figure 2 – Example of Syslog Server configuration on Cisco ASA

On the Linux machine the syslog daemon must be running and must forward events to local UDP port 25226. The OMS agent listens on this port for all incoming events.

For this configuration you must create the file security-config-omsagent.conf following the specifications below, depending on the syslog daemon running on the Linux machine. For example, a sample configuration that sends all events with facility local4 to the OMS agent is as follows:

  • If the daemon is rsyslog, the file must be placed in the directory /etc/rsyslog.d/ with the following content:
#OMS_facility = local4

local4.* @127.0.0.1:25226
  • If the daemon is syslog-ng, the file must be placed in the directory /etc/syslog-ng/ with the following content:
#OMS_facility = local4

filter f_local4_oms { facility(local4); };

destination security_oms { tcp("127.0.0.1" port(25226)); };

log { source(src); filter(f_local4_oms); destination(security_oms); };

The next step is to create the Fluentd configuration file named security_events.conf, which lets the OMS agent collect and parse the events it receives. The file can be downloaded from the GitHub repository and must be copied into the directory /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.d/.
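To see what the two steps above actually hand to the agent, here is an added example (written for this article, not code from Microsoft or from the omsagent project): it decodes a syslog line as the collector on port 25226 would receive it, checks that it carries facility local4 (the facility the rsyslog and syslog-ng filters above forward) and splits the CEF payload into the header and extension fields that the Fluentd parser turns into CommonSecurityLog records. The sample line and its field values are constructed, not captured from a real ASA.

```python
"""Decode a forwarded syslog/CEF line: PRI check plus CEF header/extension parsing."""
import re

LOCAL4 = 20  # syslog facility number; PRI = facility * 8 + severity

# Constructed sample: a CEF event inside a BSD syslog frame with PRI 164
# (facility local4 = 20, severity 4). Addresses and message are made up.
SAMPLE = ("<164>Jan 10 12:00:00 fw01 CEF:0|Cisco|ASA|9.1|106023|Deny tcp|5|"
          "src=10.0.0.5 dst=192.0.2.7 spt=51000 dpt=445 proto=TCP "
          "msg=Deny tcp src outside:10.0.0.5/51000 dst inside:192.0.2.7/445")


def split_pri(line):
    """Return (facility, severity, rest) from a '<PRI>...' syslog line."""
    m = re.match(r"<(\d{1,3})>(.*)$", line, re.S)
    if not m:
        raise ValueError("missing syslog PRI")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def _unescape(s):
    # CEF escapes '|' in the header and '=' in extension values with a backslash
    return s.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(payload):
    """Parse 'CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext' into a dict."""
    start = payload.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload")
    # Split the header on unescaped '|' only: 7 pipes give 8 parts.
    parts = re.split(r"(?<!\\)\|", payload[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    names = ["cef_version", "vendor", "product", "version",
             "signature_id", "name", "severity"]
    event = {k: _unescape(v) for k, v in zip(names, parts[:7])}
    event["cef_version"] = event["cef_version"].split(":", 1)[1]
    # Extension: key=value pairs; a value runs until the next ' key=' token,
    # so values such as msg may contain spaces.
    ext = {}
    for m in re.finditer(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)", parts[7]):
        ext[m.group(1)] = _unescape(m.group(2))
    event["extensions"] = ext
    return event


def decode_collector_line(line):
    """Drop anything not on facility local4 (the filter would not forward it),
    otherwise parse the CEF payload and keep the syslog severity alongside it."""
    facility, severity, rest = split_pri(line)
    if facility != LOCAL4:
        return None
    event = parse_cef(rest)
    event["syslog_severity"] = severity
    return event
```

Feeding the output of logger -p local4.info on the collector through decode_collector_line is a quick way to confirm that the facility filter and the CEF layout match what the agent expects before looking at omsagent.log.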

Figure 3 – Fluentd configuration file of the OMS agent

At this point, to apply the changes, you must restart the syslog daemon and the OMS agent with the following commands:

  • Restart the syslog daemon:
sudo service rsyslog restart or sudo /etc/init.d/syslog-ng restart
  • Restart the OMS agent:
sudo /opt/microsoft/omsagent/bin/service_control restart

Once these steps are complete, check the OMS agent log for any errors with the command:

tail /var/opt/microsoft/omsagent/<workspace id>/logs/omsagent.log

After finishing the configuration, from the OMS portal you can enter the query Type=CommonSecurityLog in Log Search to analyze the data collected from the Cisco ASA:

Figure 4 – Query to view Cisco ASA events collected in OMS

Log collection is enriched by the Threat Intelligence included in the Security & Compliance solution. Thanks to a near real-time correlation of the data collected in the OMS repository with information from leading Threat Intelligence vendors and with the data provided by the Microsoft security centers, it lets you identify the nature and the outcome of any attacks involving your systems, including network equipment.

By opening the Security and Audit solution from the OMS portal, the Threat Intelligence section appears:

Figure 5 – Information of Threat Intelligence

By selecting the Detected threat types tile you can see details about intrusion attempts, which in the following case involve the Cisco ASA:

Figure 5 – Detected threat on Cisco ASA

This article covered the configuration details for Cisco ASA, but similar configurations can be made for all solutions that support generating events in the Common Event Format (CEF) standard. To configure the integration of Check Point Security Gateway with OMS, refer to the document Configuring your Check Point Security Gateways to send logs to Microsoft OMS.

Conclusions

With Operations Management Suite you can consolidate and correlate the events from the different security products in use, giving you a complete overview of your infrastructure and letting you respond quickly and accurately to any security incident.

OMS Log Analytics: the Update Management solution for Linux systems

With the Update Management solution of Operations Management Suite (OMS) you can centrally manage and control the update status of systems in heterogeneous environments, both Windows and Linux machines, regardless of where they are placed, on-premises or in the cloud. This article explores the aspects of the solution that concern Linux systems.

The Update Management solution lets you quickly assess the status of the updates available on all servers with the OMS agent installed and can start the installation of the missing updates. Linux systems configured to use this solution require, in addition to the OMS agent, PowerShell Desired State Configuration (DSC) for Linux and the Hybrid Runbook Worker (installed automatically).

The solution currently supports the following Linux distributions:

  • CentOS 6 (x86/x64) and CentOS 7 (x64).
  • Red Hat Enterprise 6 (x86/x64) and Red Hat Enterprise 7 (x64).
  • SUSE Linux Enterprise Server 11 (x86/x64) and SUSE Linux Enterprise Server 12 (x64).
  • Ubuntu 12.04 LTS and later (x86/x64).

For the solution to work correctly the Linux system also needs access to an update repository. In this regard it is worth noting that at the moment OMS does not let you select which updates to apply: all the updates available from the update repository configured on the machine are applied. To have more control over the updates to apply, consider using a custom update repository that contains only the updates you want to approve.

The following diagram shows the flow of operations the solution performs to assess the compliance status and to apply the missing updates from the OMS workspace:

Figure 1 – Flow of operations performed on Linux systems

  1. The OMS agent for Linux scans every 3 hours to detect missing updates and reports the outcome of the scan to the OMS workspace.

Figure 2 – OMS Dashboard Update Management solution

  2. The operator, using the OMS dashboard, can review the update assessments and define the schedule for the deployment of updates:

Figure 3 – Management of Update Deployment

Figure 4 – OMS Dashboard Update Management solution

When creating the Update Deployment you define a name, the list of systems involved, which can be provided explicitly or through a Log Analytics query, and the schedule.

  3. The Hybrid Runbook Worker component running on the Linux systems checks for maintenance windows and for any deployment to apply. Note that by enabling the Update Management solution every Linux system connected to the OMS workspace is automatically configured as a Hybrid Runbook Worker, to run the runbooks created to deploy the updates. Every system managed by the solution also appears as a Hybrid Runbook Worker Group in the OMS Automation Account, following the naming convention Hostname_GUID:

Figure 5 – Hybrid Worker Groups

  4. If an Update Deployment applies to a machine (as a direct member or because it belongs to a specific computer group), the package manager (yum, apt, zypper) is started on it to install the updates. The installation of updates is driven by OMS through specific Azure Automation runbooks. These runbooks are not visible in Azure Automation and require no configuration by the administrator.

Figure 6 – Azure Automation Account used by the solution of Update Management

  5. After the installation, the OMS agent for Linux reports the outcome of the Update Deployment and the compliance status to the OMS workspace.

Conclusions

Microsoft Operations Management Suite is a tool that lets you manage and monitor heterogeneous environments. Unfortunately the real need to keep Linux systems regularly updated is still debated today, but considering some recent security incidents caused by outdated systems, it is clear that a solution for managing updates on Linux machines is valuable. The OMS Update Management solution is constantly evolving, but already today it lets you control and manage the distribution of updates on Linux systems too, in a simple and efficient way.

For more details, I invite you to consult Microsoft's official documentation: Solution for Update Management of OMS.

To further explore this and other features you can activate OMS for free.

OMS Security: presentation of the Antimalware Assessment solution

Microsoft Operations Management Suite (OMS) offers an interesting solution named Antimalware Assessment, with which you can monitor the status of anti-malware protection across the entire infrastructure and easily detect potential threats.

To use the Antimalware Assessment solution you must subscribe to the OMS "Security & Compliance" offer. The solution can be installed by following the procedure described at the beginning of the article OMS Security: Threat Intelligence or directly from the Azure Marketplace. Once activated in OMS, no further configuration is required and it is ready for use.

Thanks to an easy-to-navigate dashboard, the solution shows in real time the systems without active antimalware protection and can report the antimalware status in OMS for the following products:

  • Windows Defender on Windows 8, Windows 8.1, Windows 10 and Windows Server 2016.
  • Windows Security Center (WSC) on Windows 8, Windows 8.1, Windows 10 and Windows Server 2016.
  • System Center Endpoint Protection (version 4.5.216 or later).
  • The Antimalware extension and the Windows Malicious Software Removal Tool (MSRT) enabled on VMs in Azure.
  • Symantec Endpoint Protection 12.x and 14.x.
  • Trend Micro Deep Security 9.6.

At the moment only installations of a few third-party solutions, such as Symantec and Trend Micro, are detected, but this list is likely to grow.

On the systems monitored by OMS a security assessment is made by checking the status of the antimalware product, whether scans are performed regularly, and whether signatures older than seven days are in use.

On the OMS portal home page is the tile that summarizes the assessment of the anti-malware state of the infrastructure:

Figure 1 – Antimalware Assessment tile

Selecting this tile leads to the Antimalware Assessment solution dashboard, which categorizes the information collected into 4 different tiles:

  • Threat Status
  • Detected Threats
  • Protection Status
  • Type of Protection

Figure 2 – Antimalware Assessment dashboard

The first two tiles focus on the infections observed, with the type of malware intercepted, the infected systems and the cases where the antimalware was not able to clean the system of the infection.

Selecting the infected machine or the malware name takes you to the Log Search page, where you can see the details of the detected threat:

Figure 3 – Details of the threat detected

Selecting the View link next to the threat name takes you to the Microsoft malware encyclopedia:

Figure 4 – Search in the Microsoft malware encyclopedia

By selecting the malware name you can consult the entry with all the details of the infection:

Figure 5 – Entry with malware information

The remaining tiles show useful information on the security state of the infrastructure:

  • Which machines are not protected and why (agent disabled, signatures not updated or no recent scan), so that corrective action can be taken.
  • The list of antimalware solutions detected on the machines.

From these tiles you can easily drill down to the list of affected machines, for example the list of machines without real-time protection enabled:

Figure 6 – Machines without real-time protection

Conclusions

Being able to count on a tool that quickly identifies systems with insufficient antimalware protection, or machines compromised by malware, is crucial to mitigate attempts to compromise corporate data and to avoid major security incidents. In addition to these features, Microsoft Operations Management Suite (OMS) includes other important solutions in this area, making it a great tool to ensure the security and compliance of your infrastructure. To further explore this and other features you can try OMS for free.

OMS Security: Threat Intelligence

Among the various features offered by Operations Management Suite (OMS) is the ability to activate the solution called Security & Compliance, which identifies, evaluates and mitigates potential security risks on your systems. The solution can be turned on easily in just a few steps:

  1. Log into the OMS portal and select the "Solutions Gallery" tile

Figure 1 – Step 1: activating solution Security & Compliance

  2. Among the various solutions offered you can add "Security & Compliance", which currently includes the solutions "Antimalware Assessment" and "Security and Audit"

Figure 2 – Step 2: activating solution Security & Compliance

  3. Select the OMS workspace and press the Create button; the solution is added and made available for use

Figure 3 – Step 3: activating solution Security & Compliance

After the solution is activated, OMS connects to the systems with the agent installed to perform a security assessment, which may initially take several hours, and then returns the processed data in the portal. The solution can examine both Windows and Linux machines and helps protect the infrastructure, whether on-premises or in the cloud. In this article we will look into how the Threat Intelligence mechanism works.

Figure 4 – Threat Intelligence architecture

Threat Intelligence plays a vital role within the OMS security solution thanks to a near real-time correlation of the data collected in the OMS repository with information from leading Threat Intelligence vendors and with the data provided by the Microsoft security centers. Microsoft is constantly working to protect its cloud services and therefore has a unique visibility into widespread threats that can potentially affect our systems. By providing this functionality Microsoft lets its customers easily benefit from that knowledge to protect resources, detect attacks and respond to them quickly, without resorting to complex integration scenarios.

Threat Intelligence can provide the following information, which enables security teams to take the necessary actions and to understand the possible level of compromise of their systems:

  • Detects the nature of the attack
  • Determines the intent of the attack, useful to understand whether it is an attack targeted at your organization to acquire specific information or a random, large-scale attack
  • Identifies where the attack comes from
  • Identifies any compromised systems and reports the servers generating outbound traffic considered malicious
  • Reports which files may have been accessed

To access the Threat Intelligence information, in the main dashboard of the OMS portal select the "Security and Audit" tile:

Figure 5 – Tile Security and Audit

On the "Security and Audit" dashboard the Threat Intelligence section then appears:

Figure 6 – Information of Threat Intelligence

The Servers with outbound malicious traffic tile reports the monitored server systems that are generating malicious traffic toward the Internet. Systems reported in this tile should be remediated immediately.

The Detected threat types tile shows a summary of the threats detected recently:

Figure 7 – Tile Detected threat types

By selecting the tile you can obtain more details about them:

Figure 8 – Details about the threat detected

Threat Intelligence also provides a map view of the attacks, which lets you quickly identify which part of the globe they come from. Orange arrows indicate incoming malicious traffic, while red arrows indicate malicious traffic outbound to a given location. By selecting a specific arrow you get more details about the source of the attack:

Figure 9 – Threat Intelligence map

Conclusions

Detecting potential attacks and responding quickly and effectively to the security incidents that occur in your environment is crucial. By activating the "Security & Compliance" solution of Microsoft Operations Management Suite (OMS) you can use Threat Intelligence to improve the effectiveness of your security strategy and have a powerful tool that can minimize the number of potential security incidents. For those interested in exploring this and other OMS features further, remember that you can try OMS for free.