Monitoring Active Directory: Both Azure AD and On-Premise AD – and How Synchronization and Federation Play In

© 2016 Monterey Technology Group Inc.


Preview of key points

• Today’s hybrid Active Directory environment
  • On-Prem AD
  • Azure AD
  • Synchronization with Azure AD Connect
  • Federation
• Audit log management
  • On prem
  • Cloud
• Connecting it all together
  • Enterprise audit and monitoring for the entire hybrid environment

Active Directory in today’s hybrid environment

[Diagram label: Azure AD Connect]

On-Prem AD auditing

System level
• Windows on Domain Controllers
  • User rights
  • Security policies
  • System operations
  • Logons
• Audit categories
  • All except those below

Active Directory
• Users, groups, computers, OUs, Group Policy Objects
• Audit categories
  • Account Management
  • Directory Service Access
  • Directory Service Changes

Destination
• Security log on each domain controller

Domain controllers and their local Security Logs

[Diagram: three domain controllers, each labelled Windows and AD, each with its own Security Log. Diagram labels: Account Management audit policies (user management, group management, computer management); Directory Service Categories (Audit Directory Changes); Audit policies (all others).]

Azure AD auditing

System level
• Not applicable

Active Directory
• Users, groups, computers
• Audit categories
  • Not applicable – on by default

Destination
• Initial
• Graph API
• All Azure events
• Office 365 Unified Audit Log
• Azure AD events

[Diagram labels: Azure Active Directory; Graph; Graph API; O365; Mgt Activity API]

Do you need to audit Azure AD?

• In almost all cases you are synchronizing on-prem AD to Azure AD
• So if Azure AD is just a projection of on-prem AD, why monitor?
• Synced objects from on-prem are only a subset of the objects in Azure AD
  • Including very important tenant admin accounts
• Creating a blind spot against one of the most important risks
  • Intruder gains privileged access to your tenant

[Diagram labels: Objects; Objects; Sync'd]

How does federation affect the story?

• Federation impacts authentication, not account management and directory security
• You still have
  • On-prem AD
  • Azure AD
• Both can still suffer harm from mistakes, unauthorized changes and intrusion
• Federation
  • Centralizes more of your authentication/logon audit log
  • Provides a central chokepoint at which to
    • Enforce policies
    • Observe access patterns and anomalies
    • Deny access

[Diagram labels: ADFS, et al; Objects; Objects; Sync'd]

Audit log management

• On-Prem Active Directory
  • Audit log policy
  • Log collection
  • Interpreting events

[Diagram: domain controllers and their local Security Logs, each labelled Windows and AD, with a "?"]

Audit log management

• Azure AD
  • Audit policy
  • Log collection
    • Office 365 Management Activity API
    • Azure Graph API
  • Interpreting events

[Diagram labels: Azure Active Directory; Graph; O365; ?]

The big picture

[Diagram labels: Attacks; Attacks]

Bottom line

• Active Directory is the foundation of security
  • On-prem
  • In the cloud
• Impossible to be compliant and secure without monitoring it
  • On-prem
  • In the cloud
• On-prem AD and Azure AD both do a fair job of generating audit events
• But what about
  • Collection
  • Search
  • Reporting
  • Secure archival
  • Correlation
  • Alerting
• Check out Netwrix


Netwrix Auditor

A visibility and governance platform that enables control over changes, configurations, and access in hybrid cloud IT environments by providing security analytics to detect anomalies in user behavior and investigate threat patterns before a data breach occurs.

About Netwrix Auditor

Netwrix Auditor Applications

Netwrix Auditor for Office 365

Netwrix Auditor for EMC

Netwrix Auditor for Active Directory

Netwrix Auditor for Windows File Servers

Netwrix Auditor for Windows Server

Netwrix Auditor for VMware

Netwrix Auditor for Exchange

Netwrix Auditor for SQL Server

Netwrix Auditor for SharePoint

Netwrix Auditor for NetApp

Netwrix Auditor Platform

Netwrix Auditor for Azure AD

Netwrix Auditor for Oracle Database

Why Netwrix Auditor?

Sharp focus on visibility and governance

Broadest coverage of on-premises and cloud systems

Truly integrated as opposed to multiple hard-to-integrate standalone tools from other vendors

Noise-free security analytics

Non-intrusive architecture

API-enabled ecosystem integrations

Cost-effective two-tiered storage (file-based + SQL database) holding consolidated audit data for more than 10 years

Fast, 15-minute deployment, with no professional services required

First-class, U.S.-based customer support with 97% customer satisfaction

Next Steps

Free Trial: set up in your own test environment

netwrix.com/freetrial

Virtual Appliance: get Netwrix Auditor up and running in minutes

netwrix.com/go/appliance

Test Drive: virtual POC, try in a Netwrix-hosted test lab

netwrix.com/testdrive

Live One-to-One Demo: product tour with Netwrix expert

netwrix.com/livedemo

Contact Sales to obtain more information

netwrix.com/contactsales

Upcoming and On-Demand Netwrix Webinars:

join upcoming webinars or watch the recorded sessions

netwrix.com/webinars

netwrix.com/webinars#featured