Enter The Matrix: Securing Azure’s Assets

Sponsored & Brought to you by
Enter The Matrix: Securing Azure’s Assets
Mike Martin
http://www.twitter.com/techmike2kx
https://be.linkedin.com/in/techmike2kx

Upload: biztalk360

Post on 21-Apr-2017


TRANSCRIPT

Page 1: Enter The Matrix Securing Azure’s Assets


Page 2: Enter The Matrix Securing Azure’s Assets

Enter the Matrix. Securing Azure’s Assets

Mike MARTIN, Architect, Crosspoint Solutions

Page 11: Enter The Matrix Securing Azure’s Assets

Mike Martin: Who Am I

Where I Work: Crosspoint Solutions (part of Cronos)
What I Do: Architect, Windows Azure MVP, MEET, Insider
Where To Find Me: @[email protected]
A little more about me: view more tips on my blog, http://techmike2kx.wordpress.com

Page 12: Enter The Matrix Securing Azure’s Assets

Azure

Page 13: Enter The Matrix Securing Azure’s Assets

Journey to the Cloud: Differentiation, Agility, Cost

• SaaS Solutions
• Higher-level services
• Cloud Infrastructure

Page 14: Enter The Matrix Securing Azure’s Assets

Hyper-scale footprint

Azure regions: 28 Azure regions around the world, more than AWS and Google Cloud combined.

Generally available: latest launch was in October 2015 (India – Central, India – South, India – West).

6 new regions announced: Canada Central, Canada East, Germany Central, Germany North East, United Kingdom (2 regions, TBD).

Page 15: Enter The Matrix Securing Azure’s Assets

Platform Services

• Web and Mobile: Web Apps, Mobile Apps, API Management, API Apps, Logic Apps, Notification Hubs
• Media & CDN: Content Delivery Network (CDN), Media Services
• Integration: BizTalk Services, Hybrid Connections, Service Bus, Storage Queues
• Hybrid Operations: Backup, StorSimple, Azure Site Recovery, Import/Export
• Data: SQL Database, DocumentDB, Redis Cache, Azure Search, Storage Tables, Data Warehouse
• Analytics & IoT: HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Mobile Engagement, Data Lake, IoT Hub, Data Catalog
• Compute Services: Cloud Services, Batch, RemoteApp, Service Fabric, Container Service
• Developer Services: Visual Studio, App Insights, Azure SDK, VS Online
• Security & Management: Azure Active Directory, Multi-Factor Authentication, Azure AD Privileged Identity Management, Azure AD B2C, Domain Services, Automation, Portal, Key Vault, Store/Marketplace, VM Image Gallery & VM Depot, Scheduler, Health Monitoring, Operational Analytics

Infrastructure Services

• OS/Server Compute: Virtual Machines
• Storage: BLOB Storage, Azure Files, Premium Storage
• Networking: Virtual Network, ExpressRoute, Traffic Manager, App Gateway, DNS, VPN Gateway, Load Balancer

Datacenter Infrastructure (24 Regions, 22 Online)

Page 16: Enter The Matrix Securing Azure’s Assets

The Matrix

Physical Defenses

Azure Edge Defenses

Your defenses

Your App / code

Page 17: Enter The Matrix Securing Azure’s Assets

Trust

Page 18: Enter The Matrix Securing Azure’s Assets

Microsoft Azure

Shared responsibility: reduces security costs and maintains flexibility, access and control.

Responsibility is split between Customer and Microsoft, depending on the model: On-Premises, IaaS, PaaS, SaaS.

Layers: Networking, Hardware, Physical Security, Operating System, Middleware, Virtualization, Data, Applications, Users.

Page 20: Enter The Matrix Securing Azure’s Assets

Model Real-world Attacks
• Model Emerging Threats, Use Blended Threats
• Exfiltrate & Leverage Compromised Data
• Escape And Evade / Persistence

Identify Gaps In Security Story
• Measure Time To Compromise (MTTC) / Pwnage (MTTP)
• Highlight Security Monitoring & Recovery Gaps
• Improve Incident Response

Demonstrable Impact
• Prove Need For Assume Breach
• Enumerate Business Risks
• Justify Resources, Priorities & Investment Needs

Page 21: Enter The Matrix Securing Azure’s Assets

Exercises Ability To Detect & Respond
• Detect Attack & Penetration (MTTD)
• Respond & Recover To Attack & Penetration (MTT)
• Practiced Incident Response

Enhances Situational Awareness
• Produces Actionable Intelligence
• Full Visibility Into Actual Conditions Within Environment
• Data Analysis & Forensics For Attack & Breach Indicators

Measure Readiness & Impact
• Accurately Assesses Real-world Attacks
• Identifies Gaps & Investment Needs
• Focus On Slowing Down Attackers & Speeding Recovery
• Hardening That Prevents Future Attacks

Page 22: Enter The Matrix Securing Azure’s Assets

Trusted Cloud Principles: commitment to principles worthy of your organization’s trust

Privacy & Control: We will provide you with control over your data to help keep it private.
Security: We will implement strong security measures to safeguard your data.
Transparency: We will explain what we do with your data in clear, plain language.
Compliance: We will help you meet your specific compliance needs.

Page 23: Enter The Matrix Securing Azure’s Assets

Main Philosophy: Prevent and Assume Breach

Prevent breach: a methodical Secure Development Lifecycle and Operational Security minimizes the probability of exposure.

Assume breach: identifies and addresses potential gaps:
• Ongoing live site testing of security response plans improves mean time to detection and recovery
• Bug bounty program encourages security researchers in the industry to discover and report vulnerabilities
• Reduce exposure to internal attack (once inside, attackers do not have broad access)

Latest Threat Intelligence to prevent breaches and to test security response plans. State of the art Security Monitoring and Response.

Prevent and assume breach / Security monitoring and response
• Prevent breach: Secure Development Lifecycle, Operational Security
• Assume breach: Bug Bounty Program, War game exercises, Live site penetration testing
• Threat intelligence

Page 24: Enter The Matrix Securing Azure’s Assets

Physical data center security

Building, Perimeter, Computer room: Cameras, 24x7 security staff, Barriers, Fencing, Alarms, Two-factor access control (biometric readers & card readers), Security operations center, Days of backup power, Seismic bracing

Page 25: Enter The Matrix Securing Azure’s Assets

Secure Multi-Tenancy Architecture

Azure:
• Centrally manages the platform and helps isolate customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V, a battle tested and enterprise proven hypervisor
• Runs Windows Server and Linux on Guest VMs for platform services

Customer:
• Manages their environment through service management interfaces and subscriptions
• Chooses from the gallery or brings their own OS for their Virtual Machines

[Diagram: Customer Admin and End Users reach the Portal/SMAPI; the Fabric Controller manages the Host OS and Hypervisor running Guest VMs for Customer 1 and Customer 2, alongside Azure Storage and SQL Database.]

Page 26: Enter The Matrix Securing Azure’s Assets

Data Segregation

Storage isolation:
• Access is through Storage account keys and Shared Access Signature (SAS) keys
• Storage blocks are hashed by the hypervisor to separate accounts

SQL isolation:
• SQL Database isolates separate databases using SQL accounts

Network isolation:
• VM switch at the host level blocks inter-tenant communication
• Design same principles for multi-tenancy

[Diagram: as on the previous slide, with Access Control in front of Azure Storage and SQL Database.]

Page 27: Enter The Matrix Securing Azure’s Assets

Secure operations

Page 28: Enter The Matrix Securing Azure’s Assets

Azure platform services infrastructure protection

1. Azure Protection
Layer A: The Network Access Layer
Layer B: Azure’s DDoS/DOS/IDS Layer
Layer C: Host firewalls protect all the hosts, and the VLANs
Layer D: Conformance with security and privacy requirements includes two-factor authentication for operators.

2. Customer protection
Layers 1-2: The distributed firewall isolates customer’s
Layer 3: The virtual network can be managed similar to an on-premises private network.
i. Inside the VM: Firewalls, IDS, and DoS solutions.
ii. Virtual network appliances

Page 29: Enter The Matrix Securing Azure’s Assets

Patching and Update Management

Azure:
• Applies regularly scheduled updates to the platform
• Releases critical patches immediately
• Rigorously reviews and tests all changes
• Uses a combination of third-party scanning tools for the Azure environment

Customer:
• Applies similar patch management strategies for their Virtual Machines

Monthly MSRC patch review: monitor 100,000+ vulnerability reports, sourced from customers and a worldwide network of security researchers; prioritize critical updates
Patching rollout: monthly OS releases with patches; reconciliation report; resolution summary
Scanning audit validation: scanning & reporting of all Azure infrastructure VMs; track and remediate any findings

Page 30: Enter The Matrix Securing Azure’s Assets

DDoS System Protection Overview

[Diagram: Internet traffic enters the MSFT Routing Layer; flow data feeds a Detection Pipeline backed by a Profile DB; routing updates divert attack traffic to a Scrubbing Array, and scrubbed traffic continues via SLB to the Application.]

Detection process:
• Traffic to a given /32 VIP, inbound or outbound, is tracked, recorded, and analyzed in real time to determine attack behavior

Mitigation process:
• Traffic is re-routed to scrubbers via dynamic routing updates
• Traffic is SYN authenticated and rate limited

Supported DDoS attack profiles:
• TCP SYN
• UDP/ICMP/TCP Flood

Page 31: Enter The Matrix Securing Azure’s Assets

Antivirus/Antimalware Protection

Azure:
• Performs monitoring & alerting of anti-malware events for the platform
• Enables real time protection, on-demand scanning, and monitoring via Microsoft Anti-malware for Cloud Services and Virtual Machines

Customer:
• Configures Microsoft Anti-malware or an AV/AM solution from a partner
• Extracts events to SIEM
• Monitors alerts & reports
• Responds to alerts

[Diagram: Customer Admin enables and configures anti-malware through the Portal/SMAPI on Guest VMs and Cloud Services; events land in Azure Storage and are extracted to a SIEM or other reporting system for alerting & reporting.]

Page 32: Enter The Matrix Securing Azure’s Assets

Threat Protection

Azure:
• Performs big data analysis of logs for intrusion detection & prevention for the platform
• Employs denial of service attack prevention measures for the platform
• Regularly performs penetration testing

Customer:
• Can add extra layers of protection by deploying additional controls, including DOS, IDS, web application firewalls
• Conducts authorized penetration testing of their application

[Diagram: Internet end users reach the Customer Environment on port 443 through the Cloud Access & Firewall layer (threat detection: DOS/IDS capabilities), into a virtual network with application, logic and database tiers; Corp 1 connects over VPN.]

Page 33: Enter The Matrix Securing Azure’s Assets

Network Isolation

Azure:
• Does not enable general internet access by default, except remote administration endpoints configured when Virtual Machines are created in the Portal

Customer:
• Configures endpoints for required access
• Creates connections to other cloud and on-premises resources

[Diagram: Customer 1 and Customer 2 each have isolated virtual networks (Deployments X and Y) behind the Cloud Access Layer, exposing a Web Endpoint (public access) and an RDP Endpoint (password access) to Internet clients; VNET to VNET and VPN to Corp 1 connections; Customer Admin manages through the Portal/SMAPI.]

Page 34: Enter The Matrix Securing Azure’s Assets

Monitoring and Alerts

Azure:
• Performs monitoring and alerting on security events for the platform
• Enables security data collection via Monitoring Agent or Windows Event Forwarding

Customer:
• Configures monitoring
• Exports events to SQL Database, HDInsight or a SIEM for analysis
• Monitors alerts & reports
• Responds to alerts

[Diagram: Customer Admin enables the Monitoring Agent through the Portal/SMAPI on Guest VMs and Cloud Services; events flow to Azure Storage and HDInsight and are extracted to a SIEM or other reporting system for alerting & reporting.]

Page 35: Enter The Matrix Securing Azure’s Assets

Azure Active Directory 2FA Mandatory

Active Directory / Microsoft Azure Active Directory
• Secure access management requires strong, centralized, identity management.
• Active Directory (AD) helps you with that on-premises.
• Azure Active Directory (AAD) helps you in Azure… and in Office 365, and in 1200+ apps.
• AD and AAD are tightly integrated, to enable single sign-on, a single directory, and centralized management.
• AD and AAD help address your compliance requirements.

Azure Active Directory (AAD) integration
• Two Factor Authentication can be implemented with Phone Factor or with AD on-premises.

Use Two Factor Authentication or DevOps to access your production services

Page 36: Enter The Matrix Securing Azure’s Assets

Threat Protection

Azure:
• Uses password hashes for synchronization
• Offers security reporting that tracks inconsistent traffic patterns, including:
  • Sign ins from unknown sources
  • Multiple failed sign ins
  • Sign ins from multiple geographies in short timeframes
  • Sign ins from suspicious IP addresses and suspicious devices

Customer:
• Reviews reports and mitigates potential threats
• Can enable Multi-Factor Authentication

[Diagram: user versus non-user sign-in patterns.]

Page 37: Enter The Matrix Securing Azure’s Assets

Transparency

Page 38: Enter The Matrix Securing Azure’s Assets

Transparency & independent verification: aids customers in meeting security & compliance obligations

Best practices and guidance; third-party verification.

Resources: Cloud Security Alliance, Security Intelligence report, Compliance packages, Trust Center, Access to audit reports, Security Response Center progress report

Page 39: Enter The Matrix Securing Azure’s Assets

Data storage and use: customers know where and how their data is stored and used
• Customers control where customer data is stored
• Microsoft doesn’t use customer data for advertising, marketing or share your data
• Customers may delete their data or leave the service at any time

Page 40: Enter The Matrix Securing Azure’s Assets

Global datacenter footprint: 100+ datacenters in over 40 countries

Data Location and Replication

Azure:
• Microsoft will not store customer data outside the customer-specified geography
• Microsoft may only transfer customer data within a geo for redundancy of a geo

Customer:
• Chooses where data resides
• Configures data replication options

Page 41: Enter The Matrix Securing Azure’s Assets

Privacy and Control

Page 42: Enter The Matrix Securing Azure’s Assets

Microsoft Employee Access Management

• Grants least privilege required to complete task
• Multi-factor authentication required for all administration
• Access requests are audited, logged, and reviewed
• No standing access to the customer data

Just-in-Time & Role-Based Access: a pre-screened admin requests access; leadership grants temporary privilege.

[Diagram: access from the Microsoft corporate network to Microsoft Azure blobs, tables, queues and drives.]

Page 43: Enter The Matrix Securing Azure’s Assets

Encryption in Transit

Azure:
• Encrypts most communication between Azure datacenters
• Encrypts transactions through Azure Portal using HTTPS
• Supports FIPS 140-2 certified libraries and algorithms

Customer:
• Can choose HTTPS for REST API (recommended)
• Configures HTTPS endpoints for application running in Azure
• Encrypts traffic between Web client and server by implementing TLS on IIS

[Diagram: Azure Datacenter to Azure Datacenter, and Azure Portal.]

Page 44: Enter The Matrix Securing Azure’s Assets

Encryption at Rest

Virtual Machines:
• Boot and Data drives: full disk encryption using BitLocker (public preview now available globally!)
• SQL Server: Transparent Data and Column Level Encryption
• Files & folders: EFS in Windows Server

Storage:
• BitLocker encryption of drives using Azure Import/Export service
• StorSimple with AES-256 encryption

Applications:
• Client Side encryption through .NET Crypto API
• RMS Service and SDK for file encryption by your applications

[Diagram: Virtual Machines (SQL TDE, BitLocker, Partners, EFS); Storage (BitLocker, StorSimple); Applications (RMS SDK, .NET Crypto).]

Page 45: Enter The Matrix Securing Azure’s Assets

Compliance

Page 46: Enter The Matrix Securing Azure’s Assets

Azure Compliance Framework

Compliance certifications: Microsoft maintains a team of experts focused on ensuring that Azure meets its own compliance obligations, which helps customers meet their own compliance requirements.

Continual evaluation, benchmarking, adoption, test, & audit: the compliance strategy helps customers address business objectives and industry standards and regulations, including ongoing evaluation and adoption of emerging standards and practices.

Independent verification: ongoing verification by third-party audit firms.

Access to audit reports: Microsoft shares audit report findings and compliance packages with customers.

Page 47: Enter The Matrix Securing Azure’s Assets

Extensive and growing experience

[Timeline 2010–2015 of Operations Security Assurance certifications:] HIPAA/HITECH, CJIS, SOC 1, SOC 2, FedRAMP P-ATO, FISMA ATO, UK G-Cloud OFFICIAL, ISO/IEC 27001:2005, CSA Cloud Controls Matrix, PCI DSS Level 1, AU IRAP Accreditation, Singapore MTCS, ISO/IEC 27018, EU Data Protection Directive, CDSA

Page 48: Enter The Matrix Securing Azure’s Assets

Data Deletion

Data destruction:
• Index immediately removed from primary location
• Geo-replicated copy of the data (index) removed asynchronously
• Customers can only read from disk space they have written to

Disk handling:
• Wiping is NIST 800-88 compliant
• Defective disks are destroyed

Page 49: Enter The Matrix Securing Azure’s Assets

Data use policies
• Azure does not share data with its advertiser-supported services
• Azure does not mine Customer Data for advertising
• Read the fine print of other cloud service providers’ privacy statements

Page 50: Enter The Matrix Securing Azure’s Assets

DevOps - Microsoft’s solution

[Diagram: developers (Visual Studio, Eclipse / XCode) feed a pipeline: 1) Code commit, 2) Code Repository (Visual Studio Online), 3) Build, 4) Test, 5) Deploy to Azure, 6) Monitor and Improve (System Center / Application Insights).]

Page 51: Enter The Matrix Securing Azure’s Assets

Mechanisms 4 u

Page 52: Enter The Matrix Securing Azure’s Assets

Authentication and Access (4x)

• Portal access
  • Uses Live ID (Microsoft Account)
  • Go to http://manage.windowsazure.com
  • Role: Service Administrator or Co-Administrator
  • Uses special REST API without providing certificate
• Management certificate
  • Certificate can be self-signed
  • Does not check certificate expiration
  • Used by PowerShell
  • Used by REST API
• Storage access
  • Uses secret key
  • Or anonymous share access
• RDP VM access
  • Uses username/password

Page 53: Enter The Matrix Securing Azure’s Assets

Authentication and Access … BUT…!

• Portal access
  • Uses Live ID (Microsoft Account) –> Better have AAD / Org ID + MFA
  • Implement RBAC JEA principle
• Management certificate
  • ARE EVIL !!!!!
  • Only use them in a management solution when that is the ONLY option!
• Storage access
  • I’ve got the key … I’ve got ALL your Secrets
  • If needed? IMPLEMENT KEY VAULT!
• RDP VM access
  • Harden from the outside, and access through GW / S2S / ER
  • Better implement SSH / PoSh Remoting over SSL
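The "I've got the key, I've got all your secrets" point above, as an added example that is not from the deck: keep the storage account key with the admin and hand consumers a scoped, expiring Shared Access Signature instead (AzureRM / Azure.Storage cmdlets; account, container and resource group names are assumed).

```powershell
# Added example, not from the deck. Assumes the AzureRM and Azure.Storage modules
# and a logged-in session; names below are placeholders.
$accountName   = "matrixdemostorage"
$containerName = "reports"
$rgName        = "rg-matrix-demo"

# Admin context: the account key is fetched once here and never handed out.
$key = (Get-AzureRmStorageAccountKey -ResourceGroupName $rgName -Name $accountName)[0].Value
$adminCtx = New-AzureStorageContext -StorageAccountName $accountName -StorageAccountKey $key

# Mint a SAS that is read-only, valid for one hour, bound to one container, HTTPS only.
# A 5-minute start skew avoids failures from clock drift between caller and service.
$sas = New-AzureStorageContainerSASToken -Name $containerName -Context $adminCtx `
    -Permission r -Protocol HttpsOnly `
    -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(1)

# Consumer context: knows only the SAS, nothing about the account key.
$readerCtx = New-AzureStorageContext -StorageAccountName $accountName -SasToken $sas
Get-AzureStorageBlob -Container $containerName -Context $readerCtx | Select-Object Name, Length

# A write with the read-only SAS is rejected by the service (HTTP 403); that is the point.
$tmp = [IO.Path]::GetTempFileName()
try {
    Set-AzureStorageBlobContent -File $tmp -Container $containerName -Context $readerCtx -ErrorAction Stop
} catch {
    Write-Host "Write denied as expected: $($_.Exception.Message)"
} finally {
    Remove-Item $tmp -ErrorAction SilentlyContinue
}
```

Rotating the account key invalidates every SAS signed with it, which is the recovery path if a token leaks.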

Page 54: Enter The Matrix Securing Azure’s Assets

Network Security

• Network Security Groups
• Firewalls before the Gateways
• ACLs
  • inside the guest OS firewall
  • Network ACLs on public IP addresses
  • Network ACLs at the corporate firewall
  • IPsec inside the guest OS
• Network Isolation

Page 55: Enter The Matrix Securing Azure’s Assets

Role Based Access in Azure – aka RBAC
• Role: a collection of actions
• Role Assignment: access is granted to AAD users and services by role assignment on the resources.
• Azure AD Security Principals: roles can be assigned to the following types of Azure AD security principals:
  • Users
  • Groups
  • Service principals

Page 56: Enter The Matrix Securing Azure’s Assets

RBAC in Azure
• Portal Management
• PowerShell

# List every role definition with the actions it grants and the NotActions it subtracts
foreach ($roledef in Get-AzureRmRoleDefinition) {
    Write-Host "Role: $($roledef.Name)"
    Write-Host 'Actions'
    $roledef.Actions
    Write-Host 'NotActions'
    $roledef.NotActions
    Write-Host ([Environment]::NewLine)
}
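Building on the role / role assignment / security principal model of the two slides above, an added example (not from the deck) that defines a custom role as a collection of actions and assigns it to an AAD group at resource-group scope; subscription id, resource group and group name are assumed.

```powershell
# Added example, not from the deck. AzureRM cmdlets; placeholders below.
$subscriptionId = "<subscription-id>"            # placeholder
$rgName         = "rg-prod-web"                  # assumed resource group
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$rgName"

# Start from the built-in Reader definition so the object has the right shape, then edit it.
$role = Get-AzureRmRoleDefinition -Name "Reader"
$role.Id = $null                                 # a new definition gets a fresh id
$role.IsCustom = $true
$role.Name = "VM Operator (custom)"
$role.Description = "Read everything in scope; start, restart and deallocate VMs; nothing else."

# Actions: the collection of operations the role grants.
$role.Actions.Clear()
$role.Actions.Add("*/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")

# NotActions subtract from Actions: */read would otherwise expose Key Vault metadata.
$role.NotActions.Clear()
$role.NotActions.Add("Microsoft.KeyVault/vaults/read")

# Where the role may be assigned at all.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

$custom = New-AzureRmRoleDefinition -Role $role

# Assign to a group, not to individuals: membership, not permissions, is what changes over time.
$group = Get-AzureRmADGroup -SearchString "VM Operators"    # assumed AAD group name
New-AzureRmRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName $custom.Name `
    -Scope $scope

# Verify what is effectively assigned at the scope.
Get-AzureRmRoleAssignment -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```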

Page 57: Enter The Matrix Securing Azure’s Assets

Microsoft Azure Key Vault

Safeguard cryptographic keys and other secrets used by cloud apps and services (IaaS, PaaS, SaaS).
• Increase security and control over keys and passwords
• Create and import encryption keys in minutes
• Applications have no direct access to keys
• Use FIPS 140-2 Level 2 certified HSMs
• Reduce latency with cloud scale and global redundancy

[Diagram: keys imported into the HSM-backed Key Vault, consumed by IaaS, PaaS and SaaS workloads on Microsoft Azure.]

Page 58: Enter The Matrix Securing Azure’s Assets

SQL Server Scenario

Page 59: Enter The Matrix Securing Azure’s Assets

Applying to Azure - Infrastructure
• Port scanning: the only open ports are those defined by us!
• Denial of service:
  • External: depends on our settings, but the Fabric Controller tries to identify the attacks
  • Internal: all DOS attacks initiated from internal VMs will result in removing those VMs from the network
• Spoofing: compromised machines cannot impersonate VMs from the Fabric Controller (broadcast and multicast are blocked, https between VMs and FC)
• Sniffing: the Hyper-V switch prevents sniffing from a VM to another VM on the same host; rack switches block it to other VMs
• VMs are untrusted by the Root OS Hypervisor

Page 60: Enter The Matrix Securing Azure’s Assets

VM Security
• Endpoints
• Antimalware extensions
• Storage access
• BitLocker support on disks

Page 61: Enter The Matrix Securing Azure’s Assets

Configuring Virtual Machine Security
• Firewall rules
  • Leveraging public/private/domain profiles
• Access control lists (ACL)
  • Controls port access at subnet level
  • IP address blacklisting
  • VM endpoint rules (up to 50 per endpoint)
  • Rule ordering
• Encryption
  • DPAPI not supported for cloud service
  • Secure key data with encryption keys
  • CloudLink

Page 62: Enter The Matrix Securing Azure’s Assets

Endpoint ACLs
Using Network ACLs, you can do the following:
• Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine input endpoint.
• Blacklist IP addresses
• Create multiple rules per virtual machine endpoint
• Specify up to 50 ACL rules per virtual machine endpoint
• Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to highest)
• Specify an ACL for a specific remote subnet IPv4 address.

Page 63: Enter The Matrix Securing Azure’s Assets

Network Security Groups (NSG)
• Enables network segmentation & DMZ scenarios
• Access Control List
  • Filter conditions with allow/deny
  • Individual addresses, address prefixes, wildcards
  • Associate with VMs or subnets
  • ACLs can be updated independent of VMs

[Diagram: a Virtual Network with Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets; the Internet reaches the frontend, and On Premises 10.0/16 connects through a VPN GW over S2S VPNs.]

Page 64: Enter The Matrix Securing Azure’s Assets

DMZ in a Virtual Network

[Diagram: Internet → Load Balancer → Web Proxy (DMZ) → Internal Load Balancer → App Servers → Database, with DNS Servers, inside a Virtual Network; an NSG on each tier.]

Page 65: Enter The Matrix Securing Azure’s Assets

Security considerations when using NSG
• Endpoint ACLs and Network Security Groups don’t work together
• Multi-NIC: for now the Network Security Group rules apply only to the traffic on the primary NIC
• RDP endpoints for VMs and Network Security Groups: an NSG does not allow access to any port from the Internet, you have to create a specific rule to allow RDP traffic.

Page 66: Enter The Matrix Securing Azure’s Assets

Azure Application Gateway
• Azure-managed, first party virtual appliances
• HTTP routing based on app-level policies: cookie affinity, URL hash
• SSL termination and caching

Page 67: Enter The Matrix Securing Azure’s Assets

Azure Disk Encryption – New VM or Running VM Workflow

1. Customer opts into enabling disk encryption
2. Customer provides identity and other encryption configuration to the Azure Portal/API to provision encryption key material* in their key vault
3. Azure service management updates the service model with the encryption and key vault configuration, and the Azure platform pushes the encryption extension to the VM
4. The encryption extension initiates encryption on the VM
5. VM is encrypted

* Key Material – BitLocker Encryption Keys [Windows], Passphrase [Linux]

[Diagram: ARM/PS cmdlets → Service Management (encryption configuration) → Host → Virtual Machine running the Encryption Extension; an AAD token lets the extension upload key material to the Customer Key Vault; encrypted disks live in Azure Storage.]
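The five-step workflow above driven from AzureRM PowerShell, as an added example that is not from the deck. Names and ids are placeholders; the AAD application is the identity the extension uses to write key material into the vault, so it gets only the permissions that step needs.

```powershell
# Added example, not from the deck. AzureRM.Compute and AzureRM.KeyVault cmdlets.
$rgName          = "rg-matrix-demo"
$vmName          = "vm-web-01"
$vaultName       = "kv-matrix-demo"
$aadClientId     = "<aad-application-id>"       # placeholder
$aadClientSecret = "<aad-application-secret>"   # placeholder; keep out of source control

# Step 2: opt the vault in for disk encryption and grant the AAD app the minimum it needs:
# wrapKey on keys and set on secrets is enough to store key material, not to read it back.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -EnabledForDiskEncryption
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $aadClientId `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set

$vault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgName

# Steps 3-4: service management records the configuration, the platform pushes the
# extension, and the extension starts encrypting OS and data volumes.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $aadClientId -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All

# Step 5: do not assume; check that both volume classes report Encrypted.
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, OsVolumeEncryptionSettings
```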

Page 68: Enter The Matrix Securing Azure’s Assets

Applying to Azure - applications
• Use custom domains instead of myapp.cloudapp.net and scope cookies to your custom domain; scripting!
• Access to Azure Storage using Shared Access Signatures; attention to REST query injection
• SQL Database: pay attention to SQL Injection; no TDE
• Auditing -> Azure Tables
• Authentication using Azure’s ACS, Azure AD, Windows Identity Foundation -> rely on existing patterns and user stores!

Page 69: Enter The Matrix Securing Azure’s Assets

Azure Identity Management

Page 70: Enter The Matrix Securing Azure’s Assets

Your identity goes with you

[Diagram: You, Azure AD, PCs and devices, 3rd party clouds/hosting.]

Page 71: Enter The Matrix Securing Azure’s Assets

Identity as the control plane
• Self-service
• Single sign on
• Simple connection

[Diagram: Microsoft Azure Active Directory bridging Cloud (SaaS, Azure, Office 365, public cloud) and On-premises (Windows Server Active Directory, Other Directories); a username/password sign-in prompt.]

Page 72: Enter The Matrix Securing Azure’s Assets

Microsoft Azure Active Directory Cloud App Discovery

10x as many cloud apps are in use than IT estimates (Source: Help Net Security 2014)

Discover all SaaS apps in use within your organization. Comprehensive reporting:
• SaaS app category
• Number of users
• Utilization volume

Page 73: Enter The Matrix Securing Azure’s Assets

Your Directory on the cloud

Empower Users: centrally managed identities and access. Monitor and protect access to cloud applications.


Page 75: Enter The Matrix Securing Azure’s Assets

Your Directory on the cloud

Connect and Sync on-premises directories with Azure.

[Diagram: Azure Active Directory Connect* links Microsoft Azure Active Directory with Other Directories over PowerShell, LDAP v3, SQL (ODBC) and Web Services (SOAP, JAVA, REST).]

Page 76: Enter The Matrix Securing Azure’s Assets

Centrally managed identities and access
• SaaS apps: centralized access administration for preintegrated SaaS apps and other cloud-based apps.
• Secure business processes with advanced access management capabilities.
• IT professional: comprehensive identity and access management console.
• Your cloud apps ready when you are.

Page 77: Enter The Matrix Securing Azure’s Assets

Monitor and protect access to enterprise apps
• Security reporting that tracks inconsistent access patterns, analytics and alerts.
• Built-in security features.

Page 78: Enter The Matrix Securing Azure’s Assets

B2B: cross-organization collaboration

“I need to let my partners access my company’s apps using their own credentials.”
• Share without complex configuration or duplicate users.
• A user at a large partner may log into my company’s apps with their Active Directory usernames and passwords.
• A user at a smaller partner may log into my company’s apps with their Office 365 usernames and passwords.
• Admin configures sharing for cloud apps.

“I can’t email my 25 MB file and need to share it with a partner using Box.com.”
• Seamlessly provide Azure Active Directory to customers & partners
• For example, a user at a partner can set up everyone in their company.
• Users can bring their own email-based or social identities.

Page 79: Enter The Matrix Securing Azure’s Assets

Azure Active Directory B2C (Business-to-Consumer)

The Azure Active Directory B2C offering is tailored for enterprises who serve large populations (100’s of thousands to millions) of individual customers, and whose business success depends upon consumer adoption of web applications for improving customer satisfaction and reducing operational costs.

Azure Active Directory B2C will include:
• Self-Service User registration
• Login with Social IdP or create your own credentials
• Optional MFA
• Bulk user import tools
• SSO to multiple web sites
• User interface customization

Page 80: Enter The Matrix Securing Azure’s Assets

Cloud Domain Join

Cloud Domain Join makes it possible to connect work-owned Windows devices to your company’s Azure Active Directory tenancy in the cloud. Users can sign in to Windows with their cloud-hosted work credentials and enjoy modern Windows experiences.

Cloud Domain Joined Devices
• Enterprise compliant services: roaming settings, Windows backup/restore, Store access… Data stored in enterprise compliant backend services on Azure. No need to add a personal Microsoft account.
• SSO from the desktop to org resources: SSO from desktop to Office 365 and 1,000’s of enterprise apps, websites and resources. Access enterprise-curated Store and install apps using a work account.
• Management: automatic MDM enrollment during first-run experience.
• Support for hybrid environments: traditional Domain Joined PCs also benefit from Cloud Domain Join functionality when the on-prem Active Directory is connected with an Azure Active Directory in the cloud.

Page 81: Enter The Matrix Securing Azure’s Assets

Azure AD : Identity driven security

SSO + MFA

Conditional access

Cloud App Discovery

Advanced security reporting

Privileged Identity Management

Page 82: Enter The Matrix Securing Azure’s Assets

Azure Operational Insights, aka Operations Management Suite, aka Azure Log Analytics, aka System Center Advisor

Page 83: Enter The Matrix Securing Azure’s Assets

Log Management – Collect, correlate and visualize all your machine data

OMS Log Analytics / Operational Insights: machine data from on-premises and Cloud (Event Logs | IIS Logs | Security Logs | Performance Counters | Syslog | & many more), from Windows & Linux servers forwarding data through SCOM, servers directly forwarding data, and cloud VMs, into a data processing engine with Azure Blob storage, a search service and the portal.

Key benefits: real time dashboards & reporting, scalable search, ready made intelligence
• Troubleshooting: correlate & search data from multiple sources; collect custom data types; build dashboards powered by search queries
• Operation Insights: forecast future capacity needs and pinpoint performance bottlenecks; check your update and malware protection status
• Security Intelligence: identify security breaches; meet compliance requirements for auditing; analyze security data

Page 84: Enter The Matrix Securing Azure’s Assets

OMS Security related matters
• AD Assessment
• Malware Assessment
• System Update Assessment
• Change Tracking
• Wire Data
• Security and Audit

Page 85: Enter The Matrix Securing Azure’s Assets

New in Preview : Security and Audit

Page 86: Enter The Matrix Securing Azure’s Assets

OMS Agent For Linux: What sorts of data can I collect?
• Syslog: Collect your choice of syslog events from rsyslog and syslog-ng
• Performance Metrics: We can collect 70+ performance metrics at a 30 second granularity using our new. Get metrics from the following objects: System, Processor, Memory & Swap space, Process, Logical Disk (File System) and Physical Disk. Full list of Performance Counters.
• Docker container logs, metrics & inventory: We show information about where your containers and container hosts are, which containers are running or failed, and Docker daemon and container logs sent to stdout and stderr. We also show performance metrics such as CPU, memory, network and storage for the container and hosts to help you troubleshoot and find noisy neighbor containers. We support Docker version 1.8+.
• Alerts from Nagios + Zabbix: The agent can collect alerts from your most popular monitoring tools. This allows you to view all your alerts from all your tools in a single pane of glass! Combine this with our existing support for collection of alerts from Operations Manager. We currently support Nagios 3+ and Zabbix 2.x.
• Apache & MySQL performance metrics: Collect performance metrics about your MySQL/MariaDB server performance and databases and Apache HTTP Servers and Virtual Hosts.

Page 87: Enter The Matrix Securing Azure’s Assets

How Data Flows to OMS

Diagram components: Your Environment (agents, mgmt server, proxy server, OpsMgr DBs) → Microsoft Operations Management Suite → Azure Storage → Portal

1. ‘multiple’ mgmt groups
2. Data being forwarded to OMS bypasses on-premises databases; adds no load to them
3. Agents directly connecting to OMS
4. Certificate Based Authentication & SSL; Data Compression
5. Service run by authorized personnel in operations team; all activities are logged & can be audited
6. Certificate Based Authentication & SSL
7. Authenticate through Org Account or Microsoft Account

Separate Azure file partition for each customer’s workspace; uses Azure Secure Authentication Service for Storage communication

https://preview.systemcenteradvisor.com/Content/AdvisorCore/Resources/Security.pdf

Page 88: Enter The Matrix Securing Azure’s Assets

Azure Security Center

Page 89: Enter The Matrix Securing Azure’s Assets

Introducing Azure Security Center

Continuous security monitoring
Integrated security management
Built-in threat detections and alerts
Works with broad ecosystem of security solutions

Page 90: Enter The Matrix Securing Azure’s Assets

Gain Visibility and Control

Unified view of all security related information, relevant threats and recommendations

Central management of security policies, network configuration, virtual machine baselines, etc.

Integrated security event logging and monitoring, including events from partner solutions

Page 91: Enter The Matrix Securing Azure’s Assets
Page 92: Enter The Matrix Securing Azure’s Assets

Unlock Agility

Define policies for your Azure subscriptions according to your company security needs

Security recommendations guide resource owners through the process of implementing required controls

Rapidly deploy security services and appliances from Microsoft and partners, like firewalls and endpoint protection

Page 93: Enter The Matrix Securing Azure’s Assets
Page 94: Enter The Matrix Securing Azure’s Assets

Keep up with Cyber Threats

Constantly collects, analyzes, and fuses security events from your Azure resources, the network, and integrated partner solutions

Leverages global threat intelligence from Microsoft products and services, Digital Crime and Incident Response Centers, and third party feeds

Creates prioritized security alerts with insight into the attack and recommendations on how to remediate

Page 95: Enter The Matrix Securing Azure’s Assets

The power of analytics-driven threat detection

Compromised machines

Failed exploitation attempts

Brute force attacks

Data exfiltration

Web application vulnerabilities

Advanced malware
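As an added example (not from the deck or from Microsoft), this is the kind of analytics-driven brute-force detection listed above, run over constructed sshd syslog lines of the sort the OMS agent for Linux forwards: a source that fails five times inside a two-minute window raises an alert, and a following success from that source marks the machine as compromised. The log lines, the year, the threshold and the window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog sample (not real data): a burst from 203.0.113.7 ending in a success,
# plus two isolated failures from 198.51.100.4 that must not trigger an alert.
SAMPLE_SYSLOG = """\
Mar  3 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:03 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:00:04 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 10:00:06 web01 sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51128 ssh2
Mar  3 10:00:07 web01 sshd[2109]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:09 web01 sshd[2111]: Accepted password for root from 203.0.113.7 port 51132 ssh2
Mar  3 10:05:00 web01 sshd[2200]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar  3 10:30:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_auth_events(text, year=2016):
    """Parse sshd syslog lines into (timestamp, host, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog carries no year, so one is supplied (2016 is an assumption)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["result"], m["user"], m["src"]))
    return events

def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Alert on a source with >= threshold failures inside a sliding window; mark it
    'compromised' when a success from that source follows within the same window."""
    alerts, by_src = {}, defaultdict(list)
    for ev in sorted(events):
        by_src[ev[4]].append(ev)
    for src, evs in by_src.items():
        failures = []  # timestamps of failures still inside the window
        for ts, host, result, user, _ in evs:
            if result == "Failed":
                failures = [t for t in failures if ts - t <= window] + [ts]
                if len(failures) >= threshold and src not in alerts:
                    alerts[src] = {"host": host, "failures": len(failures), "compromised": False}
            elif src in alerts and failures and ts - failures[-1] <= window:
                alerts[src].update(compromised=True, user=user)
    return alerts
```

Calling `detect_brute_force(parse_auth_events(SAMPLE_SYSLOG))` yields one alert for 203.0.113.7 with five failures and `compromised` set, while the two failures from 198.51.100.4 fall outside the window and stay silent.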

Page 96: Enter The Matrix Securing Azure’s Assets