Has your organization’s security journey been hampered by environmental roadblocks in your infrastructure? Does your organization struggle to effectively measure the return on its security investment?
Hi, I’m Jon Shectman – one half of the SecurityPFE team along with my colleague, Brian Delaney. If you answered yes to either (or both) of the questions above, then the Visual Auditing Security Tool (VAST) can help. VAST provides a repeatable, scalable solution to quickly and cost-effectively help mitigate security blockers by visually representing specific infrastructure log and audit events. It also provides specific, actionable KPI-based metrics to measure your organization’s effectiveness in mitigating the risk of devastating credential theft.
Many organizations aggregate log data into query-able aggregation stores such as SIEMs. Even so, experience shows that combing through log files in an effort to correlate security events is typically a time-consuming activity from which you can draw limited conclusions and take limited action. VAST takes a different approach. VAST leverages powerful, relatively new Microsoft technologies – chiefly Azure Log Analytics and Power BI – to present your organization with a rich, visual representation of its security data in a single-pane-of-glass interface. VAST can work along-side your existing solutions – and it adds a dimension to your data that most enterprise SIEMs presently don’t: interactive data visualization.
Over the coming months, Brian and I – Project VAST’s creators as well as the team behind the SecurityPFE blog – will be sharing the capabilities of this new security product. The format will be pretty simple: once a month, we’ll feature a detailed discussion of one of Project VAST’s capabilities – what it can detect, what it can measure, and how it can help your organization achieve more on its security journey.
In this inaugural blog entry, we’ll introduce Project VAST and share a bit about what it can help you to accomplish. We’ll also provide some information about how your organization can partner with Microsoft Services to implement VAST in your environment.
How can Project VAST Help?
Project VAST grows directly out of our experiences working with security-conscious customers. Virtually all customers we work with struggle in various ways with activities like removing deprecated protocols, securing LDAP traffic, controlling their service accounts, enforcing compliant use of their Privileged Access Workstations (PAWs), safeguarding their privileged accounts, and understanding authentication patterns within their infrastructure. By not just aggregating big data such as log sets, but also by providing a rich, visual interface, Project VAST makes it easy to accomplish these activities – and a whole lot more.
How does Project VAST Work?
First, we work with you to capture the relevant event data into your Domain Controller logs – mainly Security and Directory Service. Then, using the Microsoft Monitoring Agent (MMA), we capture the log information and aggregate it into Azure Log Analytics. Using the relatively new Kusto query language, we can pinpoint exactly the data which is relevant for each of VAST’s detections or KPIs. Finally, we pull the data into Microsoft Power BI, where we can render security data in a rich, visual interface – empowering your organization to make intelligent, data-based decisions.
But as the consumer of Project VAST, you don’t really have to mess with any of the back-end technology once it’s set up. You will chiefly be consuming the data directly out of Power BI, so let’s have a look at the VAST interface.
The Project VAST Interface (Courtesy of Power BI 😊)
Above is a screen shot of Project VAST (a few details have been hidden or changed to protect the innocent). The first thing to notice is the series of tabs along the bottom. We call each of these a separate “detection” or “KPI” – essentially each represents a vulnerability being measured. When we set up Project VAST with customers, we stress a particular mindset. We encourage our customers to think about security not as something they can “get right,” but more as a continual journey. And this journey, as reflected in the interface of VAST, entails surfacing vulnerabilities and then taking concrete, specific, achievable steps to solve them. You might think of each tab, therefore, as representing a step on your organization’s ongoing security journey: User and Computer Hygiene, LAPS Deployment and Auditing, Insecure LDAP, Deprecated Protocols, Account Theft and Misuse, Privileged Group Hygiene, Authentication Posture, and more.
To view information about a detection or KIP, simply click on the tab at the bottom. In the example above (and we’ll talk a lot more about this in subsequent posts), I have clicked on the NTLM tab and am therefore able to view information about the organization’s NTLM usage. (Note: NTLM is a deprecated protocol consisting of several versions, chiefly V1 and V2. Click here for more details.) Let’s have a look at the measurements that are available in this particular tab.
Starting clockwise from the upper left:
- A traffic flow representing the client-server flow of NTLM traffic
- A filter boxes for client and then server
- A filter to view authentication traffic from administrative accounts only
- A filter for NTLM version (filtered to V1 in the example)
- Top 5 NTLM accounts by authentications
- A table displaying the data set
- And finally, a chart allowing for display and filtering by authentication time
One goal across many detection tabs is to help end the stalemate facing so many organizations: organizations know they have to turn off unsafe protocols like NTLM v1, but don’t know what they’ll break if they do. Here we show the exact sources of the traffic, so they can be addressed – and ultimately the authentication type can be turned off at the root level.
Where can I go to learn more about VAST?
Brian and I recorded a Microsoft Taste of Premier about VAST. Check it out here.
How do I sign up?
If you’re a Microsoft Premier customer, then we’d be delighted to work with you. Contact your Technical Account Manager (TAM) or account team.
If your organization is not yet a Premier customer, then click here for information on how to become one.
A Few FAQs
We’ve been asked several questions from multiple folks. Here are a few of the common ones
Q: Where do we have to install Microsoft Monitoring Agents?
A: On all of your domain controllers; nowhere else
Q: Can VAST co-exist with other SIEM products? What about integration?
A: Yes! VAST is a separate tool from SIEM products. Future enhancements may include SIEM integration.
Q: How can we get started with VAST? Can we get a demo?
A: Contact your Technical Account Manager (TAM) or account team. At present, a limited number of demo slots are available.
Q: What are the costs for using Azure Log Analytics in VAST?
A: In short, it depends. That said, we have designed VAST to be very affordable for organizations of many different sizes. Factors that will influence Azure consumption costs are licensing type, organization size, number of domain controllers, and the amount of activity in your environment. Azure Security & Compliance pricing is available here.
Q: Is there a size limit for using VAST?
A: No, we have designed VAST to scale to organizations of many different sizes.
Q: I have an idea for an additional detection or KPI. Could I get it added?
A: At present, the best avenue is to talk with your TAM; he or she can pass your idea along. In the future, there may be a web-based feedback tool, such as UserVoice, available for VAST.
Q: Does VAST integrate with Microsoft Advanced Threat Analytics (ATA)?
A: Yes! VAST will query and display both health and suspicious activity (SA) events from ATA in its dashboard.
That wraps up the inaugural edition of the SecurityPFE blog and our VAST overview. Keep an eye out each month for detailed information about each of Project VAST’s detection capabilities.
Until then, happy auditing.
4/25/18 - Edit: Added the link to the Taste of Premier video.