Using OMS and ASC for Threat Detection

Have you ever heard the phrase “Shoemaker’s kids go barefoot” or “Mechanic’s car never runs”? Well, you can add a new one: “IT consultant’s labs are insecure”. As a 25-year veteran of the IT industry I’m very familiar with limiting access and reducing the attack vectors for internet-connected devices. I do this for customers every day and have gotten pretty good at making sure bad actors cannot break into the systems I design and set up. Like any good IT consultant, I also have access to a shared lab of servers that acts as a sandbox for testing and understanding deployment scenarios. For convenience, the consultants at our company need to be able to access that lab from anywhere, at any time, from any device. The lab does not contain anything of value or any customer data, so my thinking was to open it up for “convenience”. The lab has been running for many years with no issues; it was originally set up early on in Azure using ASM IaaS VMs.

Fast forward to May 2017, when I am attending the Azure Architect Bootcamp, 5 days packed full of more information than anyone should legally be allowed to consume. During the presentations, I was intrigued by the capabilities of OMS and the analytics it captures. I was following along with the presenter for OMS when I noticed in Service Map that there were lots of “Terminal Services” connections to one of our lab machines from numerous external IP addresses that were not from our offices. The VMs were implemented with a classic Network Security Group that was allowing any-to-any connections over port 3389 to the machines. As soon as I saw the connections in the OMS Service Map, which I had deployed in my lab the day before, I suspected a port scan or some type of intruder.

Screen shot

The next presenter started the presentation on Azure Security Center (ASC), so I switched over to Security Center and that is when I noticed this: NSGs missing on subnets and VMs. The highlighted machines are production machines that are locked down separately, but all the others that start with “ISC365” are lab machines in this subscription and are rarely logged into.

Azure portal

I immediately logged into the lab system ISC365-AP1 to view the security event logs and, lo and behold, I was actively being attacked: every few seconds an active connection was guessing usernames and passwords. This was some sort of password-guessing bot using a database of well-known passwords, and even though we use strong passwords on the administrative accounts, there is a chance some of the test user accounts could have known passwords. Notice the number of security events, over 200 thousand entries, so they had been doing this for a while.

Log Entries
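The pattern in that log, many logon failures in a short burst from one source address that is not an office network, is easy to spot programmatically. The following added example (my own code, not part of the original post) parses a few constructed, simplified Event ID 4625 (logon failure) records and flags source IPs that exceed a failure threshold inside a sliding window; the office range 203.0.113.0/24, the field layout and the sample events are all assumptions for the demonstration.

```python
"""Flag RDP password-guessing bursts in simplified Windows Security events.

Each constructed line: timestamp, event id, target account, source IP, logon
type (10 = RemoteInteractive, i.e. RDP). 4625 = failure, 4624 = success.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events for the demo; not real data from the lab machine.
SAMPLE_EVENTS = """\
2017-05-10T17:05:01 4625 administrator 198.51.100.23 10
2017-05-10T17:05:04 4625 admin 198.51.100.23 10
2017-05-10T17:05:07 4625 test1 198.51.100.23 10
2017-05-10T17:05:10 4625 guest 198.51.100.23 10
2017-05-10T17:05:13 4625 sa 198.51.100.23 10
2017-05-10T17:06:00 4625 jsmith 203.0.113.7 10
2017-05-10T17:06:30 4624 jsmith 203.0.113.7 10
"""

# Assumed office address range; RDP from here is expected, not suspicious.
OFFICE_NETWORKS = [ip_network("203.0.113.0/24")]


def parse_events(text):
    """Turn the constructed lines into one dict per event."""
    events = []
    for line in text.splitlines():
        ts, event_id, user, ip, logon_type = line.split()
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id),
                       "user": user, "ip": ip, "logon_type": int(logon_type)})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: total_failures} for non-office IPs that produced at
    least `threshold` failed RDP logons inside any `window`-long span."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] != 4625 or ev["logon_type"] != 10:
            continue  # only failed RDP logons count
        if any(ip_address(ev["ip"]) in net for net in OFFICE_NETWORKS):
            continue  # office sources are allowed to fail occasionally
        failures[ev["ip"]].append(ev["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print(detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)))
```

On the sample data only 198.51.100.23 is flagged; the single office failure followed by a success is ignored.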

I then went back to ASC to have it implement an NSG on the VNets to only allow RDP traffic from our offices. The time was 5:10 EST, and within three minutes the attack stopped dead in its tracks. As you can see below, nothing happened after that time and I was relieved.

Audit failure

After a refresh of the screen, ASC reported it as resolved from the actions it took. I am impressed at how well it detected and remediated this, and that is hard to do.

Resolved screen shot

As IT professionals, we are asked to do so much with so little for so long that management thinks we can do anything with nothing forever. Project deadlines and business drivers are asking us to do more and more every day, but most companies don’t invest in threat detection or remediation software until there is an “event”. For Azure, it’s baked into the platform and can be implemented in a way that secures resources by default and audits those resources over time. For all of those IT professionals out there who are apprehensive about using Azure because of security concerns, I say to you that Azure gives you the tools you need to implement practical security measures. Given their deep pockets and laser focus on security, I believe Microsoft will move Azure to be more secure than any on-premises implementation, even if the consultants miss something.
