3-Dimensional Security Monitoring for Azure Virtual Machines in the Cloud: Auditing the Control, Data and Windows Planes

Webinar Registration

Virtual machines actually require more monitoring than physical servers. That’s no reason not to use virtualization, but there’s no getting around the fact that VMs are only as secure as the virtualization platform they run on. So, with on-prem VMs it’s super important to collect and monitor the audit logs of your virtualization hosts (ESXi, Hyper-V), virtualization management systems (e.g. vCenter or MS Virtual Machine Manager) and the storage systems hosting VM files. This is in addition, of course, to the audit logs inside the VM itself – such as the Security, PowerShell and Sysmon logs and the logs of applications running inside the VM like SQL Server.


What about virtual machines in the cloud such as Azure? Virtual machines in the cloud are just as vulnerable, and just as important to monitor, as VMs on-premises. But in this case, responsibility for (and visibility into) auditing the virtualization layer is divided between Microsoft and the customer. We assume (safely, I think) Microsoft is auditing and monitoring platform-level logs of their Azure infrastructure. Let’s call this the cloud plane. But what about customer-level operations on VMs and related resources in the cloud? Events like provisioning a new virtual machine, making a copy of a VM disk drive file, or changing virtual network restrictions. Microsoft captures that data in Azure audit logs, but it’s up to us to collect, monitor and archive those logs – just like any other logs generated by IT assets. Microsoft calls these the control and data planes. And of course, the same can be said for the audit logs inside the VM itself. Let’s call these logs, collectively, the guest plane.


In this webinar, we will take a comprehensive look at securely monitoring Azure Virtual Machines. I will show you what the audit logs look like for the Control and Data planes and your options for collecting those logs. We will examine actual samples of specific events from the control plane for security sensitive operations involving virtual machines and other Azure objects that VM security depends on such as virtual network objects.


But one thing you won’t find in Azure control plane logs is the security-critical operation of someone downloading a copy of a virtual machine. This is unfortunate because it’s one of the things you should worry about most with virtual machines. VM disk drive files are blobs in Azure storage accounts, and a download is a simple data access operation, which Azure treats as a data plane operation. So, we’ll look at what it takes to audit data plane operations and how this maps to the audit requirement of knowing when an entire copy of one of your servers in the cloud is downloaded, and by whom.


Then we’ll discuss how to get logs from the Guest OS plane out of the VM. This includes event logs like Security, PowerShell and Sysmon and other text and application logs. It’s no secret how to collect these logs from on-prem VMs but VMs in the cloud may not have the same network connectivity.


My goal is for you to be able to track everything security relevant that happens to a VM at every level. AlienVault is our sponsor for this real training for free event and Sacha Dawes, Principal Product Marketing Manager at AlienVault will show you how easy it is to consolidate all your Azure logs into AlienVault USM Anywhere. You’ll also learn how USM Anywhere can help you detect new assets, identify and investigate threats and vulnerabilities, and ultimately protect your Azure subscription along with your other network & cloud environments through one unified security solution.
