Back to Resources

Shared ResponsibilityTechnical Resources


Deep Security Integration with Operations Management Suite (OMS)

The Ever-Changing Information Technology Management

Written by: Saif Chaudhry  November 11, 2016

Information Technology Management or simply IT Management is a broad term and there are many disciplines tied to it e.g. configuration management, service management, security management to name a few.

The one thing that is constant in life is CHANGE! The Information Technology world is no different, the digital transformation started decades ago but the speed at which these changes are happening now shows no sign of slowing down, it’s on rapid acceleration. It is just a start to the world of everything-is-connected-to-everything-else.

db5-skyfall

There was a reason when James Bond (In Skyfall) stopped by a garage, telling M that they would have to switch cars and opened the door to reveal the Aston Martin DB5 (1963), and they drove together to Scotland, M complaining the car was uncomfortable, and Bond jokingly threatening to use the ejector seat. Confused, why I’m bringing this here? The MI6 cars all have trackers!

This digital transformation is revolutionizing our businesses today because when you start migrating from the analog to the digital world you get your hands on the information that you didn’t have before! The growing volume of information collected as part of this transformation, as we call it “big-data”, opens up new set of opportunities for businesses that didn’t exist before.  Look at digital thermostat transformations these days (think nest and the likes). The businesses can now learn your temperature adjusting patterns and with this data at hand now they can create new business opportunities/model for them e.g. this information is used by the energy companies to plan and adjust their power plants capacity, peak rate billings and so forth.

These innovations and advancements in technology to create our connected world present new challenges to the management solutions and the need to have true “Single Pane of Glass” concept is a must in your IT strategy but is there a single pane of glass solution that can equip today’s information technology professionals with the tools they need to succeed?

Since this blog post is written for our Azure site, you have guessed it right, I’m talking about Microsoft Operations Management Suite (aka OMS). It is Microsoft’s cloud-based IT management solution. There are four solution areas offered under OMS;

OMS-offerings

We will focus our discussion for this blog to the Insight & Analytics offering. The Log Analytics helps you collect, correlate, search, and act on log and performance data generated by operating systems, network devices and applications, simply put you can collect and analyze machine data from virtually any source.

If this is indeed true, then let’s see how we can leverage OMS log Analytics service and bring Trend Micro Deep Security event data inside OMS to help identify and resolve security threats. The good news is Trend Micro Deep Security offers seamless integration with OMS data analytics service, thanks to OMS agent.

Architecture Components of OMS – Log Analytics

Before we look into how to integrate Trend Micro Deep Security with the OMS log analytic service, I like to share with you the architecture components of OMS.

OMS Repository is the key component of OMS; it is hosted in the Azure cloud. Data is collected into the repository from connected sources by configuring data sources and adding solutions to your subscription.

OMS Agent a customized version of the Microsoft Monitoring Agent (MMA). You need to install and connect agents for all of the computers that you want to onboard to OMS in order for them to send data to OMS.

Connected-Sources   Connected Sources are the locations where data can be retrieved for the OMS repository.

Data sources run on Connected Sources and define the specific data that’s collected. Data sources run on Connected Sources and define the specific data that’s collected.

Integration of Deep Security with OMS – Log Analytics

Now that we got some basic understanding about the components of OMS – Log Analytics Service, let’s see how the integration of Deep Security with OMS – Log Analytics works?

The integration of Deep Security with OMS is very simple; Deep Security can write its event data in CEF/syslog to one of the OMS connected sources and then they can be collected by the Syslog data source on this OMS Linux agent.  The one thing you need to know about OMS agent and syslog support is that either rsyslog or syslog-ng are required to collect syslog messages.

There are three main steps to this integration as illustrated here:

DS Integration

I’m going to skip the part of installation and configuring a syslog data source here, assuming you already know this part. However, when it comes to event forwarding choices in Deep Security, there are two integration options available to configure Deep Security Solution to forward security events to the OMS connected source.

Relay via Deep Security ManagerThis option sends the syslog messages from the Deep Security Manager after events are collected on heartbeats

Direct Forward This option sends the security events/messages in real time directly from the Agents

This choice decision is dependent on your deployment model, network design/topology, your bandwidth and policy design. The simplest and often used choice is to use Relay via Manager, as shown below.

01-Relay-via-Manager

Once the event data is collected and available in OMS you can leverage log searches where you construct queries to analyze collected data.  The raw syslog/CEF data that is sent by Deep Security to OMS can be extracted by using OMS’s Custom Field feature, This feature utilizes FlashExtract, a program-synthesis technology developed by Microsoft Research, to extract the fields you teach it to recognize.

syslog-data-extract

syslog-data-extract-example1

It’s little work upfront to extract fields of interest but once it’s is done then all your custom fields are now searchable field which you can use to aggregate & group data etc.

DS-Firewall-View-3 DS-Log-Query

The last thing that I want to touch base on is Designer View feature. With View Designer, you can create visualizations and dashboards using the event data available in OMS as Views e.g. you can use Custom Fields to build your view for what matters to you the most.

DS-Firewall-View

DS-Firewall-View-2  DS-Firewall-View-3 So here you have it, now you can use Deep Security to protect your workloads running across complex, hybrid infrastructures and use OMS to gain control and visibility to identify and resolve security threats rapidly. No need to worry about having multiple tools and interfaces,  and most importantly without needing to spend valuable time on software setup and complex integration options, thanks to OMS – all-in-one cloud IT management solution.  

Saif Chaudhry

  •  
  •  
  •