Monitoring Active Directory: Both Azure AD and On-Premise AD and How Synchronization and Federation Play In


  • Monitoring Active Directory: Both Azure AD and On-Premise AD and How Synchronization and Federation Play In

    2016 Monterey Technology Group Inc.


  • Preview of key points

    Today's hybrid Active Directory environment
        On-Prem AD
        Azure AD
        Synchronization with Azure AD Connect
        Federation

    Audit log management
        On-prem
        Cloud

    Connecting it all together
        Enterprise audit and monitoring for the entire hybrid environment

  • Active Directory in today's hybrid environment

    Azure AD Connect

  • On-Prem AD auditing

    System level: Windows on domain controllers
        Covers: user rights, security policies, system operations, logons
        Audit categories: all except those below

    Active Directory: users, groups, computers, OUs, Group Policy Objects
        Audit categories: Account Management, Directory Service Access, Directory Service Changes

    Destination: Security log on each domain controller

    [Diagram: Domain controllers and their local Security Logs. Each domain controller is labelled Windows and AD and has its own Security Log. Labels: Account Management (user management, group management, computer management); Directory Service categories (Audit Directory Changes); Audit policies (all others).]

  • Azure AD auditing

    System level: not applicable

    Active Directory: users, groups, computers
        Audit categories: not applicable, on by default

    Destination
        Initial
        Graph API: all Azure events
        Office 365 Unified Audit Log: Azure AD events

    [Diagram: Azure Active Directory; Graph (Graph API); O365 (Mgt Activity API)]

  • Do you need to audit Azure AD?

    In almost all cases you are synchronizing on-prem AD to Azure AD

    So if Azure AD is just a projection of on-prem AD, why monitor?

    Sync'd objects from on-prem are only a subset of the objects in Azure AD
        Including very important tenant admin accounts

    Creating a blind spot against one of the most important risks
        Intruder gains privileged access to your tenant

    [Diagram labels: Objects; Objects; Sync'd]
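
The blind spot this slide describes, as an added example that is not part of the original deck: a Python sketch that takes a user export from Azure AD and separates accounts that on-prem domain controller logs can cover from those visible only in Azure AD auditing. It goes slightly beyond the slide by also flagging sync'd accounts that hold a tenant role, since directory roles are assigned in Azure AD rather than on-prem. The export shape, the `upn` and `roles` keys, the role watch list and all account names are constructed assumptions.

```python
import json

# Constructed sample export, not real tenant data. "onPremisesSyncEnabled" is the
# Microsoft Graph user property; "upn" and the flattened "roles" list are an
# assumed export shape.
SAMPLE_EXPORT = json.loads("""[
 {"upn": "alice@corp.example", "onPremisesSyncEnabled": true, "roles": []},
 {"upn": "bob@corp.example", "onPremisesSyncEnabled": true, "roles": ["Global Administrator"]},
 {"upn": "admin@corp.onmicrosoft.example", "onPremisesSyncEnabled": null, "roles": ["Global Administrator"]},
 {"upn": "svc-backup@corp.onmicrosoft.example", "roles": ["User Administrator"]},
 {"upn": "guest@partner.example", "onPremisesSyncEnabled": null, "roles": []}
]""")

# Assumed watch list of role display names; adjust to the roles used in the tenant.
PRIVILEGED_ROLES = {"Global Administrator", "User Administrator"}


def audit_coverage(users):
    """Label each account by which audit trail records changes to it."""
    rows = []
    for user in users:
        # Only an explicit true means the object is projected from on-prem AD;
        # null or a missing property means it exists in Azure AD alone.
        synced = user.get("onPremisesSyncEnabled") is True
        privileged = sorted(set(user.get("roles") or []) & PRIVILEGED_ROLES)
        if not synced:
            coverage = "azure-ad-only"          # DC Security logs never see it
        elif privileged:
            coverage = "role-in-azure-ad-only"  # object on-prem, role granted in tenant
        else:
            coverage = "on-prem-and-azure-ad"
        rows.append({"upn": user["upn"], "synced": synced,
                     "privileged_roles": privileged, "coverage": coverage})
    return rows


def blind_spots(users):
    """Privileged accounts on-prem monitoring cannot fully cover, cloud-only first."""
    risky = [row for row in audit_coverage(users) if row["privileged_roles"]]
    return sorted(risky, key=lambda row: (row["synced"], row["upn"]))


if __name__ == "__main__":
    for row in blind_spots(SAMPLE_EXPORT):
        print(f'{row["coverage"]:<22} {row["upn"]:<38} {", ".join(row["privileged_roles"])}')
```
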

  • How does federation affect the story?

    Federation impacts authentication, not account management and directory security

    You still have
        On-prem AD
        Azure AD

    Both can still suffer harm from mistakes, unauthorized changes and intrusion

    Federation
        Centralizes more of your authentication/logon audit log
        Provides a central chokepoint at which to
            Enforce policies
            Observe access patterns and anomalies
            Deny access

    [Diagram labels: ADFS, et al; Objects; Objects; Sync'd]

  • Audit log management

    On-Prem Active Directory
        Audit log policy
        Log collection
        Interpreting events

    [Diagram: Domain controllers and their local Security Logs. Labels: Windows, AD, Security Log (one per domain controller), "?"]

  • Audit log management

    Azure AD
        Audit policy
        Log collection
            Office 365 Management Activity API
            Azure Graph API
        Interpreting events

    [Diagram labels: Azure Active Directory; Graph; O365; "?"]

  • The big picture

    [Diagram labels: Attacks; Attacks]

  • Bottom line

    Active Directory is the foundation of security
        On-prem
        In the cloud

    Impossible to be compliant and secure without monitoring it
        On-prem
        In the cloud

    On-prem AD and Azure AD both do a fair job of generating audit events

    But what about
        Collection
        Search
        Reporting
        Secure archival
        Correlation
        Alerting

    Check out Netwrix


  • About Netwrix Auditor

    A visibility and governance platform that enables control over changes, configurations, and access in hybrid cloud IT environments by providing security analytics to detect anomalies in user behavior and investigate threat patterns before a data breach occurs.

  • Netwrix Auditor Applications

    Netwrix Auditor for Office 365

    Netwrix Auditor for EMC

    Netwrix Auditor for Active Directory

    Netwrix Auditor for Windows File Servers

    Netwrix Auditor for Windows Server

    Netwrix Auditor for VMware

    Netwrix Auditor for Exchange

    Netwrix Auditor for SQL Server

    Netwrix Auditor for SharePoint

    Netwrix Auditor for NetApp

    Netwrix Auditor Platform

    Netwrix Auditor for Azure AD

    Netwrix Auditor for Oracle Database

  • Why Netwrix Auditor?

    Sharp focus on visibility and governance

    Broadest coverage of on-premises and cloud systems

    Truly integrated as opposed to multiple hard-to-integrate standalone tools from other vendors

    Noise-free security analytics

    Non-intrusive architecture

    API-enabled ecosystem integrations

    Cost-effective two-tiered storage (file-based + SQL database) holding consolidated audit data for more than 10 years

    Fast, 15-minute deployment, with no professional services required

    First-class, U.S.-based customer support with 97% customer satisfaction

  • Next Steps

    Free Trial: setup in your own test environment

    netwrix.com/freetrial

    Virtual Appliance: get Netwrix Auditor up and running in minutes

    netwrix.com/go/appliance

    Test Drive: virtual POC, try in a Netwrix-hosted test lab

    netwrix.com/testdrive

    Live One-to-One Demo: product tour with Netwrix expert

    netwrix.com/livedemo

    Contact Sales to obtain more information

    netwrix.com/contactsales

    Upcoming and On-Demand Netwrix Webinars:

    join upcoming webinars or watch the recorded sessions

    netwrix.com/webinars

    netwrix.com/webinars#featured
