Neo4j GraphDay - Securing and Auditing Active Directory - Kees Vegter, Neo4j

1. Active Directory !
securing and auditing
GraphDay Amsterdam June 6 2017!
Kees Vegter – Field Engineer!

2. IAM and Neo4j
Securing and Auditing Active Directory
AGENDA:
Demo

3. The Business Impact!

4. The Business Impact: SONY!
• Stocks tumbled 10%!
• Estimated loss of $100 million!
• Employees forced to use fax, snail-mail and
phones only for weeks!
• Public reputations tarnished!

5. Problem statement from a Fortune 50
Customer!
“Our IAM analysts are unable to accurately
identify and manage security risks in an
acceptable timeframe using tools that rely on our
existing Active Directory implementation.”!
!

6. Ac#ve Directory Implementa#on
Common Prac*ces

7. AD Solely managed by IT
• IAM is typically the responsibility of IT
• IT personnel rarely have insight into overall organiza8onal
structure.
• Group and account naming, as well as policy and permission
associa8on become confusing or cryp8c and lingo-laden.
• Group and account descrip8ons neglected.
Account:
HR_DEF_BAS02
Group:
HR_RW_NOIT_1A
Account:
HRSOM01

8. Managing groups without understanding AD structure
and rela#onships
• Unmanaged AD growth leads to unintended or
misunderstood group nes8ng.
• Nested groups inherit permissions and policies.
• Deeply nested groups increase the risk of unexpected
unintended inheritance.
• All leads to unnecessary and / or unauthorized access

9. Unmanaged growth and limited monitoring
• AD structure is constantly evolving to reflect the reality of
your IAM effort.
• Groups and account management is a demanding, ongoing
process that requires an in-depth, and up-to-date
understanding of content and structure.

10. Rigid hierarchies have
defined how we have built
IAM-tools in the past

11. Ideal organic growth

12. Real organic growth

13. Audi#ng AD in Neo4j
Real customer ques*ons

14. Business ques#ons of a Fortune 50 customer
“How many accounts have ‘Local Admin’ access to a
par8cular resource at a par8cular 8me?”

15. Business ques#ons of a Fortune 50 customer
“How can I define and determine which groups,
accounts and servers have the highest risk?”

16. Business ques#ons of a Fortune 50 customer
“How can I understand the impact of pruning groups
from my domains?”

17. Business ques#ons of a Fortune 50 customer
“What is the most efficient way to assign access to a
par8cular resource?”

18. Audi#ng AD in Neo4j
An actual audit: Risk Measures

19. Defining Risk: Accounts

20. Defining Risk: Servers

21. Defining Risk: Groups
What’s the business impact if an
account in this group is compromised?

22. Drilling Down: Exploring Risk Through Traversal

23. Drilling Down: Exploring Risk Through Traversal

24. Drilling Down: Exploring Risk Through Traversal

25. Quick Start: Plan Your Project

26. Quick Start: Plan Your Project
Expired guest account with
local admin access via 7
rela8onships and 5 nested
groups

27. Path Risk

28. Path Risk

29. Customer Example: Neo4j AD Audit feedback loop
Ac#ve
Directory
Graph Database Cluster
Neo4j Neo4j Neo4j
AD Audit and
Visualiza#on
Dashboard
Dat
Scien#st
End User
Neo4j AD
Graph ETL
Engine
AD data processed in batch or in real-#me

30. IAM and Neo4j
Securing and Auditing Active Directory
AGENDA:
Demo

31. Show case an example AD monitor.
• Analyze AD structure and event data
in the databse
• Solu8on architecture
• An example applica8on showing the power of graph
visualiza8on in your business applica8on.
• There are a lot of visualiza8on products available today...
Neo4j
AD Data Demo
Applica8on

32. Demo

33. Demo 2
• The size of the database is not affec8ng your
(local) query performance
• It is possible to add data, which will give new
possibili8es
• For this demo it is 'Logon data', but in theory it
can be anything.

34. IAM and Neo4j
Securing and Auditing Active Directory
AGENDA:
Demo

35. GRAPH THINKING:
Identity And Access Management
TRUSTS
TRUSTS
AUTHENTICATES
NEO4j USE CASES
Real Time Recommendations
Master Data Management
Fraud Detection
Identity & Access Management
Graph Based Search
Network & IT-Operations
CAN_READ

36. and for the right reason
at the right time,
Who gets access to what,
Identity & Access Management (IAM)

37. & Access Management
Identity
Defining Iden8ty

38. & Access Management
Identity
The structure of organisa8ons

39. Traditional IAM-systems
2) Underlying assumption
that organisations are
hierarchal
1) Static idea of Identity

40. Emerging Complexity of Identity

41. Complexity of Digital Identities
Serial # Unique idPersonal Customer Partner
Consumer Citizen
User identities
Identity of Things

42. Device <-> Service
Security End to EndIdentity of users
Identity of things
Applications
and services
Complexity of Digital Identities

43. Access Management is traditionally
designed with the underlying assumption
that everything is hierarchal

44. Rigid hierarchies have
defined how we have built
IAM-systems in the past

45. Representing your organisation as a
graph, enables you to build stronger
and more accurate IAM

46. Parent-Child rela8onships
Ideal World
Query complex rela8onships in real-8me
Real World

47. Identity Relationship ManagementIdentity Access Management
Applications
and data
Endpoints
People
Customers
(millions)
Partners and
Suppliers
Workforce
(thousands)
PCs
Tablets
On-premises
Private Cloud
Public Cloud
Things
(Tens of
millions)
Wearables
Phones
PCs
Customers
(millions)
On-premises
Applications
and data
Endpoints
People

48. 1. Build your IAM as a Graph
2. Augment your existing IAM with Neo4j
Different ways of adop8ng Neo4j for IAM

49. Q & A
!
Kees Vegter, kees@neotechnology.com!

50. Neo4j!AD Data!
Tomcat!
Web App!
Browser App!
Software Architecture
Demo!