On February 25th, 2016 Microsoft announced updates to its Operations Management Suite (OMS). This iteration of the service focuses on the Security and Audit portion of the suite, with a redesigned user experience and additional capabilities.
Microsoft has introduced OMS to address customer needs in the areas of monitoring and managing their on-premises and cloud based workloads. The suite is a collection of tools that support the orchestration and deployment of applications, automation through the use of runbooks, audit and compliance, site backup, disaster recovery and analyzing threats. Technology journalist, Mary Branscombe, considers the suite to be more than just a collection of tools: “OMS is an Azure cloud service, rather than a tool you need to install in your own servers. And it's not just for managing Azure; it works with any instance in Amazon Web Services and other clouds, managing Windows Server, Linux, VMware and OpenStack. Plus, you can integrate your own servers, including Linux hosts, as well as PowerShell DSC nodes.”
In a recent blog post, the Microsoft Server and Cloud Platform Team provided details on the new capabilities in the service.
New Security Dashboard
The entry point for Security and Audit information has changed. The new dashboard contains an array of widgets that, by default, summarize the most recent 24 hours of activity. Data is still retained beyond that window, and the time range can be changed to suit the investigation at hand. The widgets focus on Threat Intelligence, Notable Issues, Security Domains and other capabilities.
Image Source: https://blogs.technet.microsoft.com/systemcenter/2016/02/25/new-security-capabilities-in-operations-management-suite/
Threat Intelligence
Microsoft runs a large number of public and private cloud-based services and, as a result, has considerable visibility into the global threat landscape. Microsoft's position is that the volume of telemetry it collects lets it provide additional value to customers through this service: “the insights we derive, informed by trillions of signals from billions of sources, create an intelligent security graph that we use to inform how we protect all endpoints, better detect attacks and accelerate our response. We know, for example, where attacks came from and are able to identify malicious IP addresses. Our goal is to enable our customers to benefit from this knowledge to protect their resources.”
Both inbound and outbound customer threats are highlighted on a map. A yellow pushpin is an indicator of inbound traffic coming from a malicious IP address. Red pushpins indicate outbound traffic to malicious IP addresses.
In both the inbound and outbound scenarios, OMS uses data collected from IIS, WireData and Windows Firewall logs to determine communication patterns. Using the information highlighted on the map, security administrators can then block communication with these malicious IP addresses. Of the two, an allowed outbound connection to a known-malicious address is the more urgent finding, since it can indicate an already compromised host beaconing out, whereas an inbound hit may simply be scanning that the perimeter firewall has already dropped.
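The matching described above, reduced to its essentials, as an added example that is not part of the original post or of OMS itself: a small parser for the Windows Firewall pfirewall.log W3C format, a threat-intelligence set, and a classifier that labels matches inbound (source address is malicious, path RECEIVE) or outbound (destination address is malicious, path SEND). The log lines and the indicator list are constructed for the example (RFC 5737 documentation addresses, not real indicators); the `netsh` block rules it emits use the standard `netsh advfirewall firewall add rule` syntax.

```python
from collections import namedtuple

# Constructed threat-intelligence list (hypothetical indicators from RFC 5737
# documentation ranges; a real list would come from OMS or another intel feed).
MALICIOUS_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed sample of Windows Firewall log lines in the pfirewall.log W3C format.
# The #Fields header names the columns; "path" is RECEIVE (inbound) or SEND (outbound).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-02-25 10:01:12 ALLOW TCP 198.51.100.23 10.0.0.5 51234 443 0 - 0 0 0 - - - RECEIVE
2016-02-25 10:02:40 ALLOW TCP 10.0.0.9 203.0.113.7 49211 80 0 - 0 0 0 - - - SEND
2016-02-25 10:03:01 ALLOW TCP 10.0.0.9 93.184.216.34 49212 443 0 - 0 0 0 - - - SEND
2016-02-25 10:04:15 DROP UDP 198.51.100.23 10.0.0.5 53 53 0 - - - - - - - RECEIVE
2016-02-25 10:05:00 ALLOW TCP 10.0.0.9 198.51.100.23 49213 4444 0 - 0 0 0 - - - SEND
"""

# One threat-intel match: when it happened, which direction, which internal host was
# involved, which indicator matched, and whether the firewall allowed or dropped it.
Hit = namedtuple("Hit", "time direction internal_host indicator action")


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skipping is safer than misaligning columns
        yield dict(zip(fields, values))


def match_threat_intel(records, bad_ips):
    """Classify each record against the indicator set by traffic direction."""
    hits = []
    for r in records:
        src, dst = r["src-ip"], r["dst-ip"]
        when = f"{r['date']} {r['time']}"
        if r["path"] == "RECEIVE" and src in bad_ips:
            hits.append(Hit(when, "inbound", dst, src, r["action"]))
        elif r["path"] == "SEND" and dst in bad_ips:
            hits.append(Hit(when, "outbound", src, dst, r["action"]))
    return hits


def block_rules(hits):
    """Return netsh commands blocking outbound traffic to every indicator that was
    reached in an ALLOWed outbound connection (the hosts most likely compromised)."""
    ips = sorted({h.indicator for h in hits
                  if h.direction == "outbound" and h.action == "ALLOW"})
    return [f'netsh advfirewall firewall add rule name="TI block {ip}" '
            f"dir=out action=block remoteip={ip}" for ip in ips]


if __name__ == "__main__":
    found = match_threat_intel(parse_firewall_log(SAMPLE_LOG), MALICIOUS_IPS)
    for hit in found:
        print(hit)
    for cmd in block_rules(found):
        print(cmd)
```

Note that the inbound DROP record is still reported: a dropped probe from a known-bad address is worth seeing, but only the allowed outbound matches generate block rules, because those are the hosts that need attention first.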
Image Source: https://blogs.technet.microsoft.com/systemcenter/2016/02/25/new-security-capabilities-in-operations-management-suite/
Notable Issues
Another feature, called Notable Issues, surfaces findings that help administrators enforce compliance policies. For example, machines that are missing current security updates or have no anti-malware software installed can be flagged.
Image Source: https://blogs.technet.microsoft.com/systemcenter/2016/02/25/new-security-capabilities-in-operations-management-suite/
Security Domains
The Security Domains view collects security logs from machines in the customer's environment. Events such as key file operations, cryptographic operations, successful and failed logon attempts and others are tracked. Administrators can also query for specific events across a set of machines or users.
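The kind of query this view enables, as an added example that is not part of the original post or of OMS: a filter over Windows Security events by event ID, computer and account, and a correlation that flags an account logging on successfully after repeated failures from the same source, counted across machines rather than per host. The event records are constructed for the example; the field names (EventID, Computer, TargetUserName, IpAddress, ObjectName) mirror the Windows event XML rather than any particular OMS schema, which is an assumption here. Event 4625 is a failed logon, 4624 a successful logon, 4663 an object access (here a key file) and 5061 a cryptographic operation.

```python
from collections import defaultdict

# Constructed sample of Windows Security events as flat records (field names follow
# the event XML, not a specific OMS schema). Times are ISO strings so they sort.
SAMPLE_EVENTS = [
    {"Time": "2016-02-25T09:58:10", "Computer": "DC01", "EventID": 4663,
     "TargetUserName": "alice", "ObjectName": r"C:\PKI\issuing-ca.pfx"},
    {"Time": "2016-02-25T09:58:11", "Computer": "DC01", "EventID": 5061,
     "TargetUserName": "alice", "Operation": "Open Key"},
    {"Time": "2016-02-25T10:00:01", "Computer": "WEB01", "EventID": 4625,
     "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"},
    {"Time": "2016-02-25T10:00:02", "Computer": "WEB01", "EventID": 4625,
     "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"},
    {"Time": "2016-02-25T10:00:03", "Computer": "FILE01", "EventID": 4625,
     "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"},
    {"Time": "2016-02-25T10:00:04", "Computer": "FILE01", "EventID": 4625,
     "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"},
    {"Time": "2016-02-25T10:00:09", "Computer": "FILE01", "EventID": 4624,
     "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"},
    {"Time": "2016-02-25T10:01:30", "Computer": "WEB01", "EventID": 4625,
     "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    {"Time": "2016-02-25T10:01:45", "Computer": "WEB01", "EventID": 4624,
     "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
]


def query_events(events, event_ids=None, computers=None, users=None):
    """Filter events by any combination of event IDs, hosts and accounts.
    A filter left as None matches everything, so callers can scope as broadly
    or narrowly as the investigation needs."""
    out = []
    for e in events:
        if event_ids is not None and e["EventID"] not in event_ids:
            continue
        if computers is not None and e["Computer"] not in computers:
            continue
        if users is not None and e.get("TargetUserName") not in users:
            continue
        out.append(e)
    return out


def detect_failed_then_success(events, threshold=3):
    """Flag each (account, source IP) pair that reaches `threshold` failed logons
    (4625) and then succeeds (4624). Failures are counted across all machines,
    so an attacker spreading attempts over several hosts is still caught."""
    failures = defaultdict(int)
    hosts = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["Time"]):
        key = (e.get("TargetUserName"), e.get("IpAddress"))
        if e["EventID"] == 4625:
            failures[key] += 1
            hosts[key].add(e["Computer"])
        elif e["EventID"] == 4624:
            if failures[key] >= threshold:
                alerts.append({
                    "user": key[0],
                    "source": key[1],
                    "failures": failures[key],
                    "hosts": sorted(hosts[key]),
                    "logged_on": e["Computer"],
                    "time": e["Time"],
                })
            # A success, suspicious or not, ends the current run of failures.
            failures[key] = 0
            hosts[key].clear()
    return alerts


if __name__ == "__main__":
    # Key-material and cryptographic activity on the domain controller.
    for e in query_events(SAMPLE_EVENTS, event_ids={4663, 5061}, computers={"DC01"}):
        print(e)
    for alert in detect_failed_then_success(SAMPLE_EVENTS):
        print(alert)
```

In the sample, `bob` mistypes a password once and is ignored, while `svc_backup` fails twice on WEB01 and twice on FILE01 before succeeding on FILE01; a per-host count of two would never reach the threshold, which is the reason to correlate across the set of machines rather than within each one.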
Microsoft plans to evolve the service further and is working on its next set of features, including:
- Integration with other Microsoft security offerings, including Azure Security Center, Advanced Threat Analytics and Office Advanced Threat Protection.
- Expanded Linux support. Collection currently covers authentication and authorization events; additional collection capabilities will cover further scenarios.
- Ingestion of data from third-party security solutions, giving customers a single pane of glass for monitoring their overall security landscape.
- Additional domain dashboards, including ones focused on identity and network.