Monitoring Active Directory: Both Azure AD and On-Premise AD and How Synchronization and Federation Play In
Sponsored by Netwrix
2016 Monterey Technology Group Inc.
Preview of key points
- Today's hybrid Active Directory environment
  - On-prem AD
  - Azure AD
  - Synchronization with Azure AD Connect
  - Federation
- Audit log management
  - On-prem
  - Cloud
- Connecting it all together: enterprise audit and monitoring for the entire hybrid environment
Active Directory in today's hybrid environment
(Diagram: on-prem AD synchronized to Azure AD through Azure AD Connect)
On-prem AD auditing

                    System level                             Active Directory
  What              Windows on domain controllers:          Users, groups, computers, OUs, Group Policy Objects
                    user rights, security policies,
                    system operations, logons
  Audit categories  All except those listed at right        Account Management, Directory Service Access, Directory Service Changes
  Destination       Security log on each domain controller  Security log on each domain controller

Domain controllers and their local Security logs: each DC records only the operations it processed, in its own Security log. Audit events are not replicated between DCs, so there is no single log to read; every DC has to be collected.

How the Windows audit policies map to the Active Directory categories:
- Account Management: User Account Management, Security Group Management, Computer Account Management
- Directory Service Changes: all other changes to directory objects (OUs, GPOs and any other object class)
- Directory Service Access: operations against directory objects that are not changes, such as reads
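The following PowerShell is an added example, not code from the webinar: it turns on the audit subcategories the slide maps to the Account Management and Directory Service Changes categories, then reads the resulting events from every domain controller's local Security log, since those logs are not replicated. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and remote event-log access to the DCs; the event ID labels are the standard Windows Security event meanings.

```powershell
# Added example (not from the webinar). Assumes: ActiveDirectory module (RSAT),
# Domain Admin rights, remote Security log access (Remote Event Log Management
# firewall rule / WinRM) to each domain controller.

function Set-AdAuditPolicy {
    # Run on each DC (or deliver through the Default Domain Controllers GPO).
    # Subcategory names are the ones auditpol itself uses.
    $subcategories = @(
        'User Account Management',      # 4720/4722/4725/4726/4738/4740 ...
        'Security Group Management',    # 4728/4729/4732/4733/4756/4757 ...
        'Computer Account Management',  # 4741/4742/4743
        'Directory Service Access',     # 4662
        'Directory Service Changes'     # 5136/5137/5139/5141
    )
    foreach ($sub in $subcategories) {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
}

# Event IDs worth watching, with a plain-language label for the report.
$watch = @{
    4720 = 'User account created'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4740 = 'User account locked out'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4741 = 'Computer account created'
    5136 = 'Directory service object modified'
    5137 = 'Directory service object created'
    5141 = 'Directory service object deleted'
}

function Get-AdAuditEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    # Every DC keeps its own Security log and the events are not replicated,
    # so each DC is queried individually.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        try {
            Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName   = 'Security'
                Id        = [int[]]$watch.Keys
                StartTime = $Since
            } -ErrorAction Stop | ForEach-Object {
                # EventData is a list of Name/Value pairs; collect them by name.
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    DC     = $dc
                    Id     = $_.Id
                    What   = $watch[$_.Id]
                    Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    # 5136-series events carry ObjectDN, group events MemberName,
                    # account events TargetUserName.
                    Target = if ($d['ObjectDN']) { $d['ObjectDN'] }
                             elseif ($d['MemberName']) { $d['MemberName'] }
                             else { $d['TargetUserName'] }
                }
            }
        } catch {
            Write-Warning "Could not read Security log on ${dc}: $_"
        }
    }
}

# Usage: last 24 hours of account, group and directory changes across all DCs.
Get-AdAuditEvents | Sort-Object Time | Format-Table -AutoSize
```

Pulling from each DC on demand works for a small forest; at scale the same events are normally forwarded (Windows Event Forwarding or an agent) to a collector, which is the gap the "Collection" bullet later in the deck refers to.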
Azure AD auditing

                    System level     Active Directory
  What              Not applicable   Users, groups, computers
  Audit categories  Not applicable   Not applicable; auditing is on by default
  Destination       Not applicable   Initially the Azure AD Graph API (all Azure AD events); now also the Office 365 Unified Audit Log, which carries the Azure AD events and is read through the Office 365 Management Activity API

(Diagram: Azure Active Directory feeding the Graph API and the Office 365 Management Activity API)
Do you need to audit Azure AD?
- In almost all cases you are synchronizing on-prem AD to Azure AD.
- So if Azure AD is just a projection of on-prem AD, why monitor it?
- Because the objects synchronized from on-prem are only a subset of the objects in Azure AD.
  - The cloud-only objects include the very important tenant admin accounts.
  - Monitoring only on-prem AD therefore leaves a blind spot against one of the most important risks: an intruder gaining privileged access to your tenant.
(Diagram: Azure AD objects, with the synchronized objects as a subset)
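As an added example of the blind spot described above (not from the webinar), the PowerShell below enumerates the members of privileged Azure AD roles and marks the ones that were never written by directory synchronization. Those accounts exist only in the tenant, so nothing in the domain controllers' Security logs will ever show them being created, changed or used. It assumes the MSOnline module (Connect-MsolService) and a signed-in reader with directory read permission; the role list is an assumption about which built-in roles you consider privileged (MSOnline reports the Global Administrator role under its internal name "Company Administrator").

```powershell
# Added example (not from the webinar). Assumes the MSOnline module and a
# directory reader. Role names are the MSOnline names of built-in Azure AD roles;
# which ones count as "privileged" is an assumption for the example.

Connect-MsolService

$privilegedRoles = @(
    'Company Administrator',            # Global Administrator in the portal
    'Privileged Role Administrator',
    'User Account Administrator',
    'Exchange Service Administrator',
    'SharePoint Service Administrator',
    'Security Administrator'
)

function Get-CloudOnlyPrivilegedAccounts {
    foreach ($roleName in $privilegedRoles) {
        $role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
        if (-not $role) { continue }

        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            # Role members can be users, groups or service principals. Only users
            # can come from on-prem AD, so only users are classified here.
            if ($member.RoleMemberType -ne 'User') {
                [pscustomobject]@{
                    Role   = $roleName
                    Member = $member.DisplayName
                    Type   = $member.RoleMemberType
                    Origin = 'n/a'
                }
                continue
            }

            $user = Get-MsolUser -ObjectId $member.ObjectId
            # LastDirSyncTime is set only on objects written by Azure AD Connect;
            # a null value means the account was created directly in the tenant.
            $origin = if ($user.LastDirSyncTime) { 'Synced from on-prem AD' }
                      else { 'CLOUD-ONLY (no on-prem audit trail)' }
            [pscustomobject]@{
                Role   = $roleName
                Member = $user.UserPrincipalName
                Type   = 'User'
                Origin = $origin
            }
        }
    }
}

# Usage: cloud-only entries sort first so the blind spot is visible at a glance.
Get-CloudOnlyPrivilegedAccounts | Sort-Object Origin, Role | Format-Table -AutoSize
```

Every account reported as cloud-only needs its audit coverage to come from the Azure AD side (the Graph API or the Office 365 Management Activity API); the on-prem Security logs cannot supply it.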
Federation impacts authentication, not account management and directory security
How does federation affect the story?
- You still have on-prem AD and Azure AD, and both can still suffer harm from mistakes, unauthorized changes and intrusion.
- Federation (ADFS et al.) centralizes more of your authentication/logon audit log.
- It provides a central chokepoint at which you can:
  - enforce policies
  - observe access patterns and anomalies
  - deny access
(Diagram: on-prem AD, Azure AD with its synchronized objects, and ADFS in the authentication path)
Audit log management: on-prem Active Directory
- Audit log policy
- Log collection from the domain controllers and their local Security logs
- Interpreting events?
Audit log management: Azure Active Directory
- Azure AD audit policy
- Log collection: Office 365 Management Activity API, Azure Graph API
- Interpreting events?
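The PowerShell below is an added example of the collection step named above (not code from the webinar): it reads Azure AD audit records through the Office 365 Management Activity API. It assumes an Azure AD app registration granted the ActivityFeed.Read application permission on the Office 365 Management APIs, and that the tenant ID, client ID and client secret are supplied by the caller (here through environment variables, an assumption for the example). The operation-name filter at the end is likewise an assumption about how role-membership changes are worded in the feed.

```powershell
# Added example (not from the webinar). Assumes an app registration with the
# ActivityFeed.Read permission on the Office 365 Management APIs; credentials are
# read from environment variables for the example.

function Get-ManagementApiToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://manage.office.com'
    }
    (Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token").access_token
}

function Get-AzureAdAuditRecords {
    param(
        [string]$TenantId, [string]$ClientId, [string]$ClientSecret,
        [datetime]$Start = (Get-Date).ToUniversalTime().AddHours(-24),
        [datetime]$End   = (Get-Date).ToUniversalTime()
    )
    $token   = Get-ManagementApiToken $TenantId $ClientId $ClientSecret
    $headers = @{ Authorization = "Bearer $token" }
    $base    = "https://manage.office.com/api/v1.0/$TenantId/activity/feed/subscriptions"
    $type    = 'Audit.AzureActiveDirectory'

    # A subscription is started once per content type; starting it again
    # returns HTTP 400 ("already enabled"), which is harmless here.
    try { Invoke-RestMethod -Method Post -Uri "$base/start?contentType=$type" -Headers $headers | Out-Null }
    catch { if ($_.Exception.Response.StatusCode -ne 400) { throw } }

    # Records are delivered as content blobs; one list call covers at most 24 hours
    # (paging via the NextPageUri header is omitted in this example).
    $fmt = 'yyyy-MM-ddTHH:mm:ss'
    $uri = "$base/content?contentType=$type&startTime=$($Start.ToString($fmt))&endTime=$($End.ToString($fmt))"
    foreach ($blob in Invoke-RestMethod -Uri $uri -Headers $headers) {
        foreach ($rec in Invoke-RestMethod -Uri $blob.contentUri -Headers $headers) {
            # Common-schema fields plus the Azure AD schema's Target list.
            [pscustomobject]@{
                Time      = [datetime]$rec.CreationTime
                Operation = $rec.Operation
                Actor     = $rec.UserId
                Target    = ($rec.Target | ForEach-Object { $_.ID }) -join ', '
                Result    = $rec.ResultStatus
                ClientIP  = $rec.ClientIP
            }
        }
    }
}

# Usage: surface directory-role membership changes, the tenant-admin blind spot.
$records = Get-AzureAdAuditRecords -TenantId $env:AAD_TENANT `
    -ClientId $env:AAD_CLIENT -ClientSecret $env:AAD_SECRET
$records | Where-Object Operation -match 'member to role' | Format-Table -AutoSize
```

The same records also appear in the Office 365 Unified Audit Log; pulling them through the API is what lets them be archived and correlated alongside the on-prem Security log events rather than searched one portal at a time.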
The big picture
(Diagram: attacks against both on-prem AD and Azure AD)
Bottom line
- Active Directory is the foundation of security, on-prem and in the cloud.
- It is impossible to be compliant and secure without monitoring it, on-prem and in the cloud.
- On-prem AD and Azure AD both do a fair job of generating audit events. But what about collection, search, reporting, secure archival, correlation and alerting?
- Check out Netwrix.
About Netwrix Auditor
Netwrix Auditor is a visibility and governance platform that enables control over changes, configurations, and access in hybrid cloud IT environments by providing security analytics to detect anomalies in user behavior and investigate threat patterns before a data breach occurs.
Netwrix Auditor applications (Netwrix Auditor Platform): Active Directory, Azure AD, Exchange, Office 365, Windows File Servers, EMC, NetApp, SharePoint, Oracle Database, SQL Server, Windows Server, VMware
Why Netwrix Auditor?
- Sharp focus on visibility and governance
- Broadest coverage of on-premises and cloud systems
- Truly integrated, as opposed to multiple hard-to-integrate standalone tools from other vendors
- Noise-free security analytics
- Non-intrusive architecture
- API-enabled ecosystem integrations
- Cost-effective two-tiered storage (file-based + SQL database) holding consolidated audit data for more than 10 years
- Fast, 15-minute deployment, with no professional services required
- First-class, U.S.-based customer support with 97% customer satisfaction
Next Steps
- Free Trial: set up in your own test environment: netwrix.com/freetrial
- Virtual Appliance: get Netwrix Auditor up and running in minutes: netwrix.com/go/appliance
- Test Drive: virtual POC, try in a Netwrix-hosted test lab: netwrix.com/testdrive
- Live One-to-One Demo: product tour with a Netwrix expert: netwrix.com/livedemo
- Contact Sales to obtain more information: netwrix.com/contactsales
- Upcoming and On-Demand Netwrix Webinars: join upcoming webinars or watch the recorded sessions: netwrix.com/webinars, netwrix.com/webinars#featured