Information Technology Management, or simply IT Management, is a broad term with many disciplines tied to it, e.g. configuration management, service management and security management, to name a few.

The one thing that is constant in life is CHANGE! The Information Technology world is no different: the digital transformation started decades ago, but the speed at which these changes are happening now shows no sign of slowing down; it is on rapid acceleration. This is just the start of the world of everything-is-connected-to-everything-else.


There was a reason why James Bond (in Skyfall) stopped by a garage, told M that they would have to switch cars and opened the door to reveal the Aston Martin DB5 (1963). They drove together to Scotland, M complaining that the car was uncomfortable and Bond jokingly threatening to use the ejector seat. Confused about why I’m bringing this up here? The MI6 cars all have trackers!

This digital transformation is revolutionizing our businesses today because when you start migrating from the analog to the digital world you get your hands on information that you didn’t have before! The growing volume of information collected as part of this transformation, which we call “big data”, opens up a new set of opportunities for businesses that didn’t exist before. Look at the digital thermostat transformations these days (think Nest and the like). Businesses can now learn your temperature-adjusting patterns, and with this data at hand they can create new business opportunities and models, e.g. this information is used by energy companies to plan and adjust their power plant capacity, peak-rate billing and so forth.

These innovations and advancements in technology that create our connected world present new challenges to management solutions. A true “Single Pane of Glass” concept is a must in your IT strategy, but is there a single-pane-of-glass solution that can equip today’s information technology professionals with the tools they need to succeed?

Since this blog post is written for our Azure site, you have guessed it right: I’m talking about Microsoft Operations Management Suite (aka OMS). It is Microsoft’s cloud-based IT management solution. There are four solution areas offered under OMS.


We will focus our discussion in this blog on the Insight & Analytics offering. Log Analytics helps you collect, correlate, search, and act on log and performance data generated by operating systems, network devices and applications. Simply put, you can collect and analyze machine data from virtually any source.

If this is indeed true, then let’s see how we can leverage the OMS Log Analytics service and bring Trend Micro Deep Security event data into OMS to help identify and resolve security threats. The good news is that Trend Micro Deep Security offers seamless integration with the OMS Log Analytics service, thanks to the OMS agent.

Architecture Components of OMS – Log Analytics

Before we look into how to integrate Trend Micro Deep Security with the OMS Log Analytics service, I would like to share with you the architecture components of OMS.

OMS Repository is the key component of OMS; it is hosted in the Azure cloud. Data is collected into the repository from connected sources by configuring data sources and adding solutions to your subscription.

OMS Agent is a customized version of the Microsoft Monitoring Agent (MMA). You need to install and connect agents on all of the computers that you want to onboard to OMS in order for them to send data to OMS.

Connected Sources are the locations where data can be retrieved for the OMS repository.

Data Sources run on Connected Sources and define the specific data that’s collected.

Integration of Deep Security with OMS – Log Analytics

Now that we have some basic understanding of the components of the OMS Log Analytics service, let’s see how the integration of Deep Security with OMS Log Analytics works.

The integration of Deep Security with OMS is very simple: Deep Security can write its event data in CEF/syslog format to one of the OMS connected sources, and the events can then be collected by the Syslog data source of the OMS Linux agent on that host. The one thing you need to know about the OMS agent and syslog support is that either rsyslog or syslog-ng is required to collect syslog messages.

There are three main steps to this integration as illustrated here:


I’m going to skip the part about installing the agent and configuring a syslog data source here, assuming you already know this part. However, when it comes to event forwarding choices in Deep Security, there are two integration options available to configure Deep Security to forward security events to the OMS connected source.

Relay via Deep Security Manager: This option sends the syslog messages from the Deep Security Manager after events are collected from the agents on heartbeats.

Direct Forward: This option sends the security events/messages in real time directly from the Agents.

This decision depends on your deployment model, network design/topology, bandwidth and policy design. The simplest and most often used choice is Relay via Manager, as shown below.


Once the event data is collected and available in OMS you can leverage log searches, where you construct queries to analyze the collected data. The raw syslog/CEF data that Deep Security sends to OMS can be broken into fields by using OMS’s Custom Fields feature. This feature utilizes FlashExtract, a program-synthesis technology developed by Microsoft Research, to extract the fields you teach it to recognize.


It’s a little work upfront to extract the fields of interest, but once it is done all your custom fields are searchable fields which you can use to aggregate and group data.
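To see what a custom field actually has to pull apart, here is an added example (my own code, not part of Deep Security or OMS) that parses CEF records carried in syslog lines and then groups denied firewall events by source and port, the kind of aggregation the custom-field search gives you. The sample lines, the vendor/product strings and the extension keys are constructed for illustration, not captured from a real deployment.

```python
import re
from collections import Counter

# Constructed sample input: a syslog header followed by a CEF record, in the
# shape Deep Security forwards. Vendor/product/extension values are assumed.
SAMPLE_SYSLOG = [
    "<134>Nov 14 11:34:02 dsm CEF:0|Trend Micro|Deep Security Manager|10.0|600|"
    "User Signed In|3|suser=admin src=10.0.0.5 msg=User signed in from 10.0.0.5",
    "<134>Nov 14 11:34:05 web01 CEF:0|Trend Micro|Deep Security Agent|10.0|20|"
    "Log for TCP Port 80|0|cn1=1 cn1Label=Host ID act=Deny dir=Inbound "
    "src=198.51.100.7 spt=51234 dst=10.0.0.20 dpt=80 proto=TCP",
    "<134>Nov 14 11:34:06 web01 CEF:0|Trend Micro|Deep Security Agent|10.0|20|"
    "Log for TCP Port 80|0|act=Deny dir=Inbound src=198.51.100.7 spt=51235 "
    "dst=10.0.0.20 dpt=80 proto=TCP",
    "<134>Nov 14 11:34:09 web01 CEF:0|Trend Micro|Deep Security Agent|10.0|21|"
    "Log for TCP Port 22|0|act=Allow dir=Inbound src=10.0.0.5 spt=40000 "
    "dst=10.0.0.20 dpt=22 proto=TCP",
]

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")
PIPE_SPLIT = re.compile(r"(?<!\\)\|")          # "\|" inside a header value is data
EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # values may contain spaces

def parse_cef(line):
    """Return one flat dict of header + extension fields, or None if the
    syslog line carries no CEF record."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = PIPE_SPLIT.split(line[idx + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:       # seven header fields plus the extension block
        return None
    rec = {k: v.replace(r"\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    for key, value in EXT_KV.findall(parts[7]):
        rec[key] = value.replace(r"\=", "=")
    return rec

def firewall_summary(lines):
    """Count denied agent firewall events per (source IP, destination port),
    skipping manager events and lines that are not CEF at all."""
    counts = Counter()
    for rec in filter(None, map(parse_cef, lines)):
        if rec["product"] == "Deep Security Agent" and rec.get("act") == "Deny":
            counts[(rec["src"], rec["dpt"])] += 1
    return counts

if __name__ == "__main__":
    for (src, dpt), n in firewall_summary(SAMPLE_SYSLOG).items():
        print(f"{n} denied connections from {src} to port {dpt}")
```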


The last thing that I want to touch on is the View Designer feature. With View Designer, you can create visualizations and dashboards from the event data available in OMS as Views, e.g. you can use Custom Fields to build a view of what matters to you the most.

So there you have it: you can now use Deep Security to protect your workloads running across complex, hybrid infrastructures and use OMS to gain the control and visibility to identify and resolve security threats rapidly. There is no need to worry about having multiple tools and interfaces and, most importantly, no need to spend valuable time on software setup and complex integration options, thanks to OMS, the all-in-one cloud IT management solution.

With Microsoft’s release of Application Gateway Web Application Firewall (or WAF), you now have an additional layer of defense built into your Application Gateway against network-based attacks.

When you’re looking to secure your workloads, you should build your defenses in layers to avoid any single weak point. The goal is to stop any attacks as far from your data as possible. This approach lowers your risk as it provides multiple controls the opportunity to detect and prevent an attack.

WAF protection is applied at each Application Gateway, meaning that these attacks never reach your Azure VMs.

This is a great first line of defense for your web applications. It includes protection against malicious sessions, HTTP DoS sessions, and covers the majority of the OWASP Top 10.


Check out the Microsoft Azure Website for more information about WAF capabilities.

For more complex attacks, Deep Security’s intrusion prevention capabilities fit the bill. Deep Security monitors all network traffic to your instances and can detect and stop attacks before they reach your applications. Deep Security can also do protocol enforcement and drop unknown or non-conforming traffic, which can help protect your workloads from new attacks. And it is not just for web apps: your operating system is protected from exploits and vulnerabilities as well.


Working together, Microsoft Azure’s Application Gateway WAF and Deep Security provide your web applications a strong, layered defense.

To learn more about how Deep Security can help solve your security needs within Azure, contact us at azure@trendmicro.com

Learn how Trend Micro Deep Security is working hand in hand with Microsoft to provide customers a secure cloud that meets their business needs for the hybrid cloud reality of today, and tomorrow.

In this webinar you will learn:

  • Microsoft Ignite announcements for Azure
  • Maersk’s security journey to the cloud
  • How organizations should be thinking about security for the hybrid cloud
  • How to use Deep Security to manage and deploy security in the cloud
  • How to achieve cost effective compliance
Follow this link to watch the on-demand webinar now!

Trend Micro has developed a security platform that is optimized for hybrid cloud deployments. It includes a wide range of security controls that help to address an organization’s server security responsibility and simplify security management.

To learn more about Maersk and their journey to the cloud, listen to our Microsoft Ignite 2016 session featuring the Head of Security and Security Manager sharing what they learned and the role that security played in the migration from the data center to the cloud. Watch the full session here.

Are you a CISO in cloud or security operations and architecture? The decisions you make when migrating and securing workloads at scale in Azure have a large impact on your business. Trend Micro got up close and personal with the team at Maersk to better understand their Azure migration and how security played a role in the decisions they made.

This recorded session from Microsoft Ignite 2016 will help you jump-start your migration to Azure or, if you’re already running workloads in Azure, learn how companies just like you are using Azure to improve efficiency of their deployments. Maersk’s Head of Security and Security Manager share what the organization learned while tackling these issues at scale in their hybrid environment. You’ll hear about the security challenges that they faced and lessons learned in moving from on premise servers to a cloud environment in Azure.

The integration with Trend Micro Deep Security on Maersk’s Azure cloud platform resulted in several security and hybrid cloud benefits, including:
  • Visibility across their physical and cloud environments
  • A much more stable system and standardized environment on a supported platform
  • Analysis of security incidents from one central, unified location
  • Decreased time invested to analyze data
  • Real-time alerts for file integrity changes
  • Establishing compliance in a streamlined and cost-effective manner
  • Efficient internal communication due to the holistic, single platform solution

The Maersk Group is a worldwide conglomerate operating in more than 130 countries with a workforce surpassing 89,000 employees. Owning the world’s largest container shipping company, Maersk is involved in a wide range of activities in the shipping, logistics and oil and gas industries. Due to Maersk’s breadth of business channels and global reach, it required an integrated system to manage its various data centers across the world for seamless flow of information.


To learn more about how Deep Security can protect your Azure migration and projects, read about our features or contact us for a quick demo today.