Simplifying Virtualization and Cloud Management


Protecting and Auditing Windows Networks

Adrian DUMITRESCU

Senior Technical Consultant

Q-East Software www.quest.com

© 2010 Quest Software, Inc. ALL RIGHTS RESERVED

Why Protect and Audit Active Directory

• Active Directory is the core of enterprise IT; for this reason, comprehensive protection and auditing of AD changes is critical

• Key components for protection and auditing of Active Directory:

– Third-party systems integration (Identity and Access Management)

– Change tracking (real-time monitoring, reporting, secure audit trail, security event management and correlation)

Third-party Systems Integration (IAM)

What is IAM?

People: permanent employees, contractors, temporary employees, partners, customers, suppliers

ACCESS

Resources: file data, car/phone/PC, door access, software installs, application access, projects

The Seven IAM Projects

1. Directory Consolidation
2. Directory Content Management & Provisioning
3. Password Management
4. Single Sign On
5. Strong Authentication
6. Privileged Account Management
7. Audit & Compliance

Directory Consolidation

So, you’ve got AD

Add some UNIX and Linux

Mix in Macintosh and Java apps

Sprinkle in SAP and Databases

Finish with Mainframes and cloud

Integrate where you can

But what about the others? …

(Diagram sequence: each platform added above brings its own Auth., Roles, Policy and Access silo.)

Directory Content Management & Provisioning

Password Management

Single Sign On

Strong Authentication

Privileged Account Management

Audit & Compliance

• Everything audited

• Actionable items

• OOTB reporting

• Plug-in Solution

The “strategic” approach

• Platform agnostic approach – meta-directory

• Business tool for use by business people

• Supplying business intelligence, such as …

– Who works for me?

– What do they do?

– What can they see?

– What do they have?

– What have they done?

– How much do they cost?

Web IT-Shop – Built for the “business”

Self-service Shopping Cart

Attestation

What Does This Mean For You?

Identity and Access Management means different things to different people.

• It requires different approaches based on YOUR customer’s needs

– Help your customers with “tactical” solutions to their IT problems.

– Put them on a trusted path to grow with the Quest One Identity Management Solution.

– Provide their business with a “strategic” IAM solution for their business problem.

– Extend this with the “tactical” tools to provide unparalleled, complete, coverage.

• Developing tools and solutions for your customer’s needs today, and also for the future.

Compliance Lifecycle

(Diagram: Active Directory information; servers, workstations and other equipment; managers; auditors; security officers; administrators; SOX, FISMA, ITIL; real-time alerting; applications; databases; file server)

Change Tracking

• AD change tracking can be implemented using a uniform process that works no matter what type of object is changed

• The key elements of any AD change event should include:

– Time of change

– Object modified

– User that modified the object

– Operation performed

– Properties modified and their values before and after the change

– Domain controller where the change was made

– IP address of the workstation or client machine from which the change originated
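The uniform change record the slide lists can be produced by one routine that diffs two attribute snapshots of an object, whatever its class. The following is an added example written for this page, not Quest or InTrust code; the object names, the helpdesk account, the domain controller name and the client IP are constructed, and multi-valued attributes are compared as sets so that a single added group member is reported as one change.

```python
"""Uniform AD change record, built from before/after attribute snapshots.

Added example (not Quest/InTrust code): one normalization routine producing
the fields the slide lists (time, object, user, operation, properties with
before/after values, domain controller, client IP) for any object class.
All snapshots and event metadata below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Multi-valued AD attributes are compared as sets, so reordering is not a
# change and a single added member shows up as a one-element difference.
MULTI_VALUED = {"member", "memberOf", "servicePrincipalName", "proxyAddresses"}


@dataclass
class PropertyChange:
    name: str
    before: Any          # None when the attribute did not exist before
    after: Any           # None when the attribute was removed
    added: List[Any] = field(default_factory=list)    # multi-valued only
    removed: List[Any] = field(default_factory=list)  # multi-valued only


@dataclass
class ChangeRecord:
    time: datetime
    object_dn: str
    object_class: str
    user: str               # principal that made the change
    operation: str          # "create", "modify" or "delete"
    domain_controller: str  # DC that wrote the change
    client_ip: str          # where the LDAP write originated
    properties: List[PropertyChange] = field(default_factory=list)


def diff_attributes(before: Dict[str, Any], after: Dict[str, Any]) -> List[PropertyChange]:
    """Per-attribute differences between two snapshots of the same object."""
    changes = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if name in MULTI_VALUED:
            old_set, new_set = set(old or []), set(new or [])
            if old_set != new_set:
                changes.append(PropertyChange(
                    name, sorted(old_set) or None, sorted(new_set) or None,
                    added=sorted(new_set - old_set), removed=sorted(old_set - new_set)))
        elif old != new:
            changes.append(PropertyChange(name, old, new))
    return changes


def build_change_record(time, object_dn, object_class, user, domain_controller, client_ip,
                        before: Optional[Dict[str, Any]],
                        after: Optional[Dict[str, Any]]) -> Optional[ChangeRecord]:
    """Return a ChangeRecord, or None when a modify changed nothing (a no-op
    rewrite of identical values is common and should not be reported)."""
    if before is None and after is None:
        raise ValueError("need at least one snapshot")
    operation = "create" if before is None else "delete" if after is None else "modify"
    properties = diff_attributes(before or {}, after or {})
    if operation == "modify" and not properties:
        return None
    return ChangeRecord(time, object_dn, object_class, user, operation,
                        domain_controller, client_ip, properties)


def to_audit_line(rec: ChangeRecord) -> str:
    """One-line rendering suitable for a central log or SIEM feed."""
    props = "; ".join(
        f"{p.name}: +{p.added} -{p.removed}" if p.name in MULTI_VALUED
        else f"{p.name}: {p.before!r} -> {p.after!r}" for p in rec.properties)
    return (f"{rec.time.isoformat()} {rec.operation.upper()} {rec.object_class} {rec.object_dn} "
            f"by {rec.user} on {rec.domain_controller} from {rec.client_ip} [{props}]")


# Constructed sample: a member added to a privileged group.
GROUP_BEFORE = {"cn": "Domain Admins", "description": "Designated administrators",
                "member": ["CN=Alice,OU=Users,DC=corp,DC=example"]}
GROUP_AFTER = {"cn": "Domain Admins", "description": "Designated administrators",
               "member": ["CN=Bob,OU=Users,DC=corp,DC=example",
                          "CN=Alice,OU=Users,DC=corp,DC=example"]}


def sample_record() -> Optional[ChangeRecord]:
    return build_change_record(
        datetime(2010, 5, 12, 9, 30, tzinfo=timezone.utc),
        "CN=Domain Admins,CN=Users,DC=corp,DC=example", "group",
        "CORP\\helpdesk01", "dc01.corp.example", "10.0.0.25",
        GROUP_BEFORE, GROUP_AFTER)


if __name__ == "__main__":
    print(to_audit_line(sample_record()))
```

Because the record carries the domain controller and the client IP alongside the user, a membership change made from an unexpected workstation can be flagged even when the account itself is authorised to make it.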

Providing Comprehensive Audit and Protection for Active Directory

Integrated Audit and Compliance

Gathering – Correlation – Reporting – IT Management

“Powered by Quest InTrust©”

The solution must cover the entire infrastructure

1. All operating systems in the enterprise
2. AD and integrated platforms
3. Messaging systems
4. Database platforms
5. Web servers and enterprise applications
6. Hardware and software firewall infrastructures
7. Network equipment and workstations

A unified console for all audit requirements

Built-in compliance with audit standards

• Structured reports

• “Out-of-the-box” compliance

Covering the entire IAM environment

• Identity Management and ODBC compliant systems tracking reports

• Custom applications reports

Aggregated reports

To address additional change audit requirements

1. Extended audit for Active Directory and AD LDS – tracking the entire AD activity: who, what, where, when and how produced the change, plus the changed value before and after the change

2. Extended audit for Microsoft Exchange – tracking the entire Exchange activity: non-owner access, configuration and permissions changes for mail servers and mailboxes

3. Extended audit for File Access – tracking user and administrator activity on folders, files and shared resources, without the need to activate native audit

Native Audit Limitations

• Audit events are not centralized

• There is no support for analysis and reporting

• High volumes of audit data

• Performance risks

• Missing or limited information

• There is no real-time monitoring engine

• There is no protection against privileged administrators

Cryptic data in Windows access events

• Who is “Logon ID 0x3e7”?

• Which file was accessed?

• What action was performed on the file?

• What other actions were performed under that Logon ID?

Conclusion:

Although event logs exist and record everything happening inside the file system, they cannot, by themselves, be used to meet internal or external security requirements
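The four questions above are answered by joining the access events to the logon events on the Logon ID and decoding the access mask. The block below is an added example for this page, not Quest or InTrust code: the event records are constructed and simplified (the access events deliberately carry only a Logon ID, as in the slide's example), the user, host paths and addresses are made up, and the well-known service Logon IDs and the file access mask bits are taken from the Windows ACCESS_MASK documentation.

```python
"""Resolving a cryptic Logon ID in Windows access events.

Added example (not Quest/InTrust code): joins logon events (4624) to object
access events (4663) on the Logon ID so the slide's four questions get
answers: who the Logon ID is, which file, what action, what else that logon
did. The event records below are constructed and simplified.
"""
from collections import defaultdict
from typing import Dict, List

# File access rights bits of the Windows ACCESS_MASK reported in 4663.
FILE_ACCESS_BITS = {
    0x1: "ReadData/ListDirectory",
    0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory",
    0x40: "DeleteChild",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# Logon IDs fixed by Windows for service sessions; they never get a 4624 on
# the machine, so a join on logon events alone would leave them unnamed.
WELL_KNOWN_LOGON_IDS = {
    0x3e7: "NT AUTHORITY\\SYSTEM",
    0x3e5: "NT AUTHORITY\\LOCAL SERVICE",
    0x3e4: "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample events (hex Logon IDs as they appear in the event text).
EVENTS = [
    {"EventID": 4624, "TargetLogonId": "0x5f2a1", "TargetDomainName": "CORP",
     "TargetUserName": "jdoe", "LogonType": 3, "IpAddress": "10.0.0.25"},
    {"EventID": 4663, "SubjectLogonId": "0x5f2a1", "ObjectName": "C:\\Finance\\payroll.xlsx",
     "AccessMask": "0x2", "ProcessName": "C:\\Windows\\explorer.exe"},
    {"EventID": 4663, "SubjectLogonId": "0x5f2a1", "ObjectName": "C:\\Finance\\payroll.xlsx",
     "AccessMask": "0x10000", "ProcessName": "C:\\Windows\\explorer.exe"},
    {"EventID": 4663, "SubjectLogonId": "0x3e7", "ObjectName": "C:\\Windows\\Temp\\update.log",
     "AccessMask": "0x1", "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    # Logon ID whose 4624 was never collected (session predates the log window).
    {"EventID": 4663, "SubjectLogonId": "0x9c01", "ObjectName": "C:\\Finance\\budget.docx",
     "AccessMask": "0x20001", "ProcessName": "C:\\Windows\\System32\\notepad.exe"},
]


def decode_access_mask(mask: int) -> List[str]:
    """Names for every set bit; unknown bits are kept as hex so nothing is lost."""
    names = [name for bit, name in FILE_ACCESS_BITS.items() if mask & bit]
    leftover = mask & ~sum(FILE_ACCESS_BITS)
    if leftover:
        names.append(hex(leftover))
    return names


def build_session_index(events) -> Dict[int, dict]:
    """Logon ID -> who/where, from 4624 events plus the fixed service sessions."""
    index = {lid: {"user": name, "ip": "-", "logon_type": None}
             for lid, name in WELL_KNOWN_LOGON_IDS.items()}
    for ev in events:
        if ev["EventID"] == 4624:
            index[int(ev["TargetLogonId"], 16)] = {
                "user": f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
                "ip": ev["IpAddress"], "logon_type": ev["LogonType"]}
    return index


def resolve_accesses(events) -> List[dict]:
    """Each 4663 event rewritten with the user, source IP and decoded action."""
    sessions = build_session_index(events)
    resolved = []
    for ev in events:
        if ev["EventID"] != 4663:
            continue
        lid = int(ev["SubjectLogonId"], 16)
        # An unresolved ID is reported as such rather than dropped: it is itself a gap to investigate.
        session = sessions.get(lid, {"user": f"unresolved {hex(lid)}", "ip": "?", "logon_type": None})
        resolved.append({"logon_id": hex(lid), "user": session["user"], "source_ip": session["ip"],
                         "file": ev["ObjectName"],
                         "actions": decode_access_mask(int(ev["AccessMask"], 16)),
                         "process": ev["ProcessName"]})
    return resolved


def activity_by_logon(events) -> Dict[str, List[dict]]:
    """Answer to 'what else did that Logon ID do': accesses grouped per logon session."""
    grouped = defaultdict(list)
    for row in resolve_accesses(events):
        grouped[row["logon_id"]].append(row)
    return dict(grouped)


if __name__ == "__main__":
    for row in resolve_accesses(EVENTS):
        print(f'{row["logon_id"]} {row["user"]} from {row["source_ip"]}: '
              f'{", ".join(row["actions"])} on {row["file"]} via {row["process"]}')
```

The join only works if the logon events are collected centrally and retained for as long as the access events, which is exactly the centralisation gap the previous slide lists; a Logon ID whose 4624 has already rolled out of the local log stays unresolved.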

Providing Unified Security over the Boundary

Detect / Monitor / Enforce Enterprise Security

• Detection: NIDS, WIDS, HIDS; Vulnerability Scanning

• Anomaly Monitoring: Network Profiling; Availability; Inventory

• Enforcement: NAC, IPS, DLP

• Enterprise Security: Correlation; Risk Assessment; IDM; Reporting

• Dashboard; Compliance; Log Management; Unlimited Storage; Legal Evidence

Boundary Audit and Compliance

• SIEM appliances provide real-time analysis of security alerts generated by network hardware and applications

• SIEM appliances are a valuable asset for monitoring boundaries against attacks and intrusions

• Integrating AD/IAM audit and compliance capabilities with SIEM adds to overall protection against threats:

– Real-time analysis, risk measurement and correlation of boundary threat evidence

– Situational intelligence for intrusion attempts (cross correlation, contextual analysis)

– Extended detection of threats (IDS, vulnerability scanning, HIDS)

Integration with SIEM architectures

– SIEM appliances process data and produce intelligence

– Sensor appliances collect and produce data

– Logger appliances forensically store data

Multi Dimensional Threat Identification

A complete analysis of a threat must include all available information defining the context of the attack!

• Integrated capture, normalization and correlation of events for deep security analysis

(Diagram: Vulnerabilities, Threats, Alerts, Inventory and Network feeding the analysis)
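The contextual analysis described on the last two slides comes down to ranking an alert by what the other dimensions (inventory, vulnerability scan, network) say about its target, not by the signature alone. The block below is an added example for this page, not Quest or InTrust code: the hosts, ports, scan findings, alert signatures and the vulnerability identifiers (written as obvious placeholders) are all constructed, and the priority rules are one reasonable scheme, not a product's.

```python
"""Contextual threat scoring across alerts, vulnerabilities, inventory and network.

Added example (not Quest/InTrust code): ranks an IDS alert by what the
inventory and vulnerability scan say about the target rather than by the
signature alone. Hosts, scan findings, signatures and vulnerability IDs
are constructed placeholders.
"""
from ipaddress import ip_address, ip_network
from typing import List

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed inventory: what each asset is and which ports it exposes.
INVENTORY = {
    "10.0.1.10": {"name": "fs01", "role": "file server", "criticality": 3, "ports": {445, 3389}},
    "10.0.1.20": {"name": "web01", "role": "web server", "criticality": 2, "ports": {80, 443}},
}

# Constructed scan findings: placeholder vulnerability IDs per host.
SCAN_FINDINGS = {
    "10.0.1.10": {"VULN-PLACEHOLDER-SMB-1"},
    "10.0.1.20": set(),
}

# Constructed IDS alerts; `exploits` is the weakness the signature is known to target.
ALERTS = [
    {"sig": "SMB exploit attempt", "src": "203.0.113.7", "dst": "10.0.1.10", "dport": 445,
     "exploits": "VULN-PLACEHOLDER-SMB-1", "severity": 3},
    {"sig": "SMB exploit attempt", "src": "203.0.113.7", "dst": "10.0.1.20", "dport": 445,
     "exploits": "VULN-PLACEHOLDER-SMB-1", "severity": 3},
    {"sig": "Web scanner fingerprint", "src": "10.0.5.5", "dst": "10.0.1.20", "dport": 80,
     "exploits": None, "severity": 1},
    {"sig": "SMB exploit attempt", "src": "203.0.113.9", "dst": "10.0.9.99", "dport": 445,
     "exploits": "VULN-PLACEHOLDER-SMB-1", "severity": 3},
]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def enrich(alert: dict, inventory=INVENTORY, findings=SCAN_FINDINGS) -> dict:
    """Attach the context dimensions and derive a priority with its reason."""
    asset = inventory.get(alert["dst"])
    ctx = {
        "known_asset": asset is not None,
        "port_open": bool(asset and alert["dport"] in asset["ports"]),
        "vulnerable": bool(alert["exploits"]
                           and alert["exploits"] in findings.get(alert["dst"], set())),
        "internal_source": is_internal(alert["src"]),
    }
    if not ctx["known_asset"]:
        priority, reason = "info", "target not in inventory (unused address or rogue host to verify)"
    elif not ctx["port_open"]:
        priority, reason = "low", "target does not expose the attacked port"
    elif ctx["vulnerable"]:
        priority, reason = "critical", "target is confirmed vulnerable to the exploited weakness"
    elif alert["exploits"]:
        priority, reason = "low", "service exposed but scan shows it not vulnerable"
    else:
        priority, reason = ("medium" if ctx["internal_source"] else "low"), "reconnaissance"
    if ctx["internal_source"] and priority in ("critical", "medium"):
        reason += "; source is internal (possible compromised host)"
    # Severity weighted by asset criticality breaks ties inside one priority band.
    score = alert["severity"] * (asset["criticality"] if asset else 1)
    return {**alert, **ctx, "priority": priority, "reason": reason, "score": score}


def prioritize(alerts: List[dict]) -> List[dict]:
    """Alerts ordered by priority band, then by weighted score within a band."""
    order = {"critical": 0, "medium": 1, "low": 2, "info": 3}
    return sorted((enrich(a) for a in alerts),
                  key=lambda r: (order[r["priority"]], -r["score"]))


if __name__ == "__main__":
    for row in prioritize(ALERTS):
        print(f'{row["priority"]:8} {row["score"]:2} {row["sig"]} {row["src"]} -> '
              f'{row["dst"]}:{row["dport"]}  {row["reason"]}')
```

Of the two identical SMB signatures, only the one aimed at a host that both exposes the port and carries the matching scan finding is ranked critical; the same signature against a web server that does not listen on that port drops to low, and a target absent from the inventory becomes an inventory question rather than an incident.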