What’s Really Going on in Your Microsoft Active Directory and Azure AD Infrastructure

Welcome to our KuppingerCole webinar "What's really going on in your Microsoft active directory and Azure AD infrastructure: auditing and responding to security challenges in today's common hybrid IT infrastructure". This webinar is supported by Cygna Labs. The speakers today are Morgan Holm, who's vice president of products at Cygna Labs and me, Martin Kuppinger, I'm principal analyst at KuppingerCole. Before we get started, let me quickly tell you of some of our upcoming events.

The week after next week, we will run our cybersecurity leadership summit was a really a serious, very interesting talk don't miss to register for the event. And as part of that, we also will run our KC life tools. Troy's on endpoint protection detection and response, where we will give you information on how to select tools in that specific area. And then in November, we will have our cybernetics world, which looks at how AI and decentralized identity and IOT, and a lot of our emerging technologies relate to each other. So really more the future and emerging trends went.

Listen, I believe it will be super, super interesting as well. Some housekeeping. Audio control. You are muted centrally, so you don't have to control this features recording. We are recording the webinar and we will make the podcast recording available short term, usually today after the webinar. And with that, we also will provide the slide decks for download. So you will have access to the slides as well done, no need to copy down everything. And we will have as usual in our webinars, we will have a Q and a session by the end of the webinar.

However, you can enter questions at any time and they go to webinar control panel, which usually pops up at the right side of your screen. You can enter questions at any time. The more questions we have, the more interesting and lively or a Q and a session will be with that. Let's have a look at the agenda for today in the first part, I'll look at the need for audits.

So using the various solutions in various scenarios with a specific focus on AD and Azure AD, and at some also required capabilities following me, Morang, we'll talk about, look at a detailed, so how such a solution could look like. And he also looked at the signal audit or platforms and hold that allows a seamless transition for him to be on trust, audit, or solutions. And he also will give you all the background on how these two product groups or products relate to each other. And lastly, Lisa, that's all, that's already half mentioned.

We will do our Q and a session and provide answers to the questions you raise. We settled let's get started with the content of our webinar. And when we talk about audit, I want to start with simple. That's really an equation it's sort of a non equation in some way. And that is compliance does not equal audit. And the audit does not equal security and security compliance.

So you, if you look at these terms, I think you need to be very careful. What do you want to achieve? And at the end, I believe we definitely must be secure for sure. We also must be compliance. We must pass audits, and we need to understand what helps when, and we'll say at the end, security is martyrdom trust, checkbooks compliance. It's about taking the right actions, but let's get started. This does it all starts as compliance. So compliance essentially is the fulfillment of requirements of laws and other regulations.

So we comply with these and then we are compliant and that might be proved by an audit. So the audit dentists, really our ability to prove that we are doing what we are saying that we are doing. So if you can pass an audit, then, then we confirmed.

Or we, we proved that we are able to deliver on our promises when it comes to that. And that might be the audit regarding a compliance regarding a regulation. And that is what audit effectually does.

However, then they also the actions and that is what factually are doing. That might be exactly the same. We are proving to the audits, or it might be more, it might be sometimes, probably even less. So sometimes that might really differ. So that is really actually standard. When we look at all these topics, we need to take a holistic approach. So compliance on the accents are tightly related. Audit might look at only parts of what we need to do from a regulatory perspective. Actions might be significantly more at the end.

What we always need to keep in mind is actions are the San Francisco because actions are what make us secure. So these are compliance nor the formal audit makers secure is to taking the actions for taking the actions. On the other side, we need so to speak another type of audit, which is the data, which is the data, which allows us to understand what's happening in our systems. So to understand what's the VR really secure.

We again, need to look at lock data at our types of data, to understand where do we really stand with what we are doing and our it, So when you, We need to pass our audits, we need to take right actions at the end to be secure and really to understand how this all relates. And don't stop too early, because if you're still too early, you will not be secure. And for security, we need data. We need inside. We need inflammation. And I want to look a little bit at some of the common patterns we find around ITM specifically around IGA.

So the identity governance and administration, so creating user accounts, doing access governance, et cetera. And this is a very high level and very simplified, big picture of how identity lifecycle cycles, exoskeletons and audit with respect to that part of our it commonly are down. So we have certain systems where use our cons come from the going to DHA system. We have foreclosed, we manage the identities. We understand the data quality. If he connects to target systems, we do access reviews, might use roles for that.

We have some use assess service, which might align with an integrated with CIT service management tool. And then we use it service management for manual fulfillment, to the systems which are not directly connected. We have systems that are directly connected, why our connectors, we have indirect approaches that might be for instance, going Y S a P X has control into the world of business applications.

Specifically the SAP business applications, and most organizations have active directory, Microsoft active directory, or Azure active directory, or both today, most have bows and certain systems that rely on x-ray D for the users, a manager. Why are the groups in 80 and also active directory? care to some extent for mailboxes integrated with office 365, et cetera.

And then in a larger organization where everything is set up well, should be the security operation center, but also be called cyber defense center or something along these lines, because Ryan's has seems system and to theme the security information and event management and collect data at a very across a lot of systems. Well, beyond what we see here, it does collect a lot of other security data runs, analyzes, and enables people to take certain actions.

And so Dennis, once we Very commonly find in some way or another instance, some at some level of sophistication, sometimes the more sophisticated, sophisticated, sometimes a little less sophisticated. So when we look at this picture, there's not a perspective. And that is, we also have done the teams, the larger organizations, which are responsible for certain parts of that. So there are teams that my focus for today, there are teams which are for instance, responsible for the entire business applications, such as the SAP applications.

They care for SAP access control for the fine grain access management into the SAP environments and there, and that's what I've highlighted here. There are teams Which are looking at The details of what happens in active directory and Azure active directory, et cetera. And while the seam on the right-hand side provides an overview across a lot of this in depth perspective also is required. And that comes very common, is separate twos that are highly specialized for the world of 80 ASHRAE D and all the directly related systems.

So we need this in-depth understanding of these core systems and the, and FRA D our core systems, probably for many organizations these days, even more than ever before, because so many other services such as office 365 and teams, and so on, all depend on that. And so we need the inside here, and that is what we need to provide. So we need additional solutions for auditing, for understanding what's happening to take the right actions to secure these environments, which are essential for a lot of, a lot of things we are doing within our it.

So what is this Quite common for, for larger organizations? It also might look a little different and not look like that. So when we look at Marty, the SMB world, so the small and medium sized business, this is then it might be that there's no ITA. Peder that narrow sense? There's trust, active directory and Azure active directory have a job managed in vitro connect to some systems that directly integrate with a D so managed by groups. And we have a couple of on the top, a couple of not connected systems, which are trust manually managed when it comes to users.

I mean, it comes to the entitled ones of death. And then we have to exchange with history 65 world, which also in some ways, linked to the active directory, the Azure active directory. So this picture is a far more simplistic, But again, It requires insight of what happens. And here the inside is about really what happens for in these environments, which are core. So you need some audits, you need some audit tool here, which helps the people running that environment.

And a lot of this is centered around ADA and Frid that helps the people running that environment to understand what is happening there and to enable them to take the right actions to secure these environments. So this is a different pattern. And so it is, we need at the end of the day, the tool that adds the security as it is audit tool, Emmanuel respect, same, which is revenue for the departments in larger organizations that are responsible for this rural of 80 and area.

Again, there need for specialized tools, tools that help us in these very specific environments. That's very common.

You know, when we go back to the mainframes, there always were specialized tools for these environments. When we look at SAP and I touched this before, it ended as specialized tools for the business applications, and we did them for other central elements in that different for large organizations, to what we have centrally, for instance, a security operation center, we need the deep insight to understand what is going on decent environments.

Are we, are we, well, we want to be from a security perspective and can we take the right actions to secure and to react on things that are happening. So we Need to audit capabilities for core environments and they should be Integrated in some Way they should work across core systems. So it should be, it shouldn't be too many, but we need the specialization for the detailed view. And that is what we need to balance.

So for a small and a small and medium business, it might be that I say, okay, this is where you do one set of, or the one audit tool, which works with the maturity of our systems, or they might have, if they have a little bit of a business application, maybe two of these for a larger organization, it is that they say, okay, we have to security operation center across everything. And we have four different environments. We have a couple of tools, the art as to, to balance the, the need for have you across everything with the need for a detailed view. And don't end up with two big Sue off tools.

So having a, really, a few element for the main areas, not too many, but the right ones you really need, which deliver both the overview and the detailed view, and four 80 a dash a D. It is something, it is an essential, it is a central element of what we do in it. A lot of things are going through that environment, starting with commonly the primary authentication we are. So Daryl needs to be also focused on that Palacci businesses is more department level that cares for these environments.

And that sounds the part of the, it, which cares for ready for some as a BCIT might be the main element. And it also should look at specifically O 365 office 365 these days, because this is where for, for many, many businesses, most of the unstructured data resets, most of the collaboration happens. And so for our organizations, which boot on x-ray D and office 365, there clearly also need to have these things. So what Should such tools then Provide? So what are the essential capabilities that are required here?

One is The system support support for the systems, which are, is our focus off the overall it in a smaller organization, or in focus of the specific department, including the newer solution, such as x-ray D Microsoft office 365. It requires dashboards. I think we all got to use to having dashboards, which give us a good overview of the most critical aspects, which immediately provide us inside with what, which what we need to understand, which hinder us on the most critical things currently happening, but also allow us to drill down into the details.

So we need to these dashboards, we need the ability then for the in-depth analyzes. So drilling down and really understanding what is this happening is another, from my perspective, key requirement and Sanford capability, they must be easy to use no steep learning curve. And that's even more true In the scenarios where auditing and, and securities trusted part of a trough, an it administrator. So when you go to a smaller, medium sized organization, that might be very, very few people in the I D T T department, we should need to do a lot of things.

And so they Can only spend part of their time for an audit thing. So it must be easy. It must be very powerful, but still easy to use and easy to deploy, and it must work across the hybrid environment. So they must be easy to set up across all of these environments and Delivered or salts out Of the box, out of the box, analyzes this reporting dashboarding. Today's a milestone. A sick day requirements really have changed when I go back to, to the early days of my career in it, where we have the best case to construct reports are on our own behalf.

A lot of things have changed and modern tools must support it. So I see a need first best realized. So you implement IGA, which compliment SEMA associ, depending on the type of organization, because these are key elements of it. And as you have something like SAP access control or another solution for managing access to your business applications, you need something for these key elements, which are 80 Frid, O365. And so on with that, I'd like to hand over tomorrow, who right now we'll go more into detail and also look at the specific solutions Cygna Labs delivers here.

So, Morgan, it's your turn. Thank you very much, Martin. So just a little quick, who is Cygna Labs background? So we're a privately held organization, relatively a newer organization founded in 2017, but with a lot of experience in the audit specialty, we, we developed originally a solution set at a company called Blackbird management. And we ended up selling that solution set to a company called beyondtrust back in 2012. And my personal experience on the audit front predates that to a company called net pro as well, which has audit solution sets that were later acquired by quest.

We actually have for a relatively new organization of fairly substantial customer base that spans the globe. And as Martin was mentioning before, a lot of the it's not vertical specific for these kinds of solutions that are required as long as there's it involved in the, in the company, there is a need. So we really do span all verticals. And the solution set also really spans the size of organization from very small to extremely large back in December, 2018 Cygna Labs was acquired by a company called N3K out of Germany.

And we're currently headquartered out of Miami beach in Florida with research and development offices in Halifax, Nova Scotia, Canada. And the interesting thing about the, the fact that we developed the Blackbird solution set was that beyondtrust, decided to focus back in on Pam solution sets. And we took over the, the solution set that we had sold to them back in 2012. And we now have that product set back in house, and there's a lot of the same people that were at Blackbird that are now at Cygna Labs.

So I wanted to start with like the why, why audit Martin really kind of covered a lot of these points here, but really to efficiently manage your and security manager, your it systems. You really need to understand what is happening in that environment. What kind of activities are going on? What kind of modifications are being made, any changes that are made to identities.

Now, Martin talked about governance, identity systems being automatically provisioning out whether that's done automatically or manually as those identities reside in the various different systems, such as active directory or Azure active directory, there may be modifications made to them after the fact. And that is something that you need to, to keep track of, to understand what kind of access changes or privileged changes are occurring to them. And this is also true for group membership, especially ones for privileged access.

This is a key thing that a lot of regulations require people to understand who has administrative access into the systems who can make modifications. And that's something that the need to report on. And this is also true for connected other connected applications and systems that these organizations are leveraging. You also need to understand any sort of modifications to, to policies in the environment and or configuration. And of course you need to also look at what privileged counts are doing in the environment.

You want to make sure there's no malice on any of the intent of the actions that those, those people could be taking. And that they're only looking at the information that they need to in order to do their job. So from our discussions with customers, isn't the SMB space. As Martin was mentioning, the, the teams look different than they do in larger organizations. They typically have active directory that as their identity store and leverage Microsoft 365 for productivity, applications, collaborations, and other services, and they also manage the overall security.

So when the SMB, the admin teams are generally more generalists that have a lot of responsibilities across many different systems, they also need to understand like what has happened in their environment.

If they need to go through and do some troubleshooting, if they're experiencing any sort of downtime, they want to first understand what is it, has there been any modifications or changes that may be causing it, or they need to understand who's making particular changes, whether that's for accountability on understanding why that person was making those changes, maybe it's a, an educational or training thing that needs to be required. Somebody may not realize the impact of a modification that they're making, but you need to understand.

And human nature is people tend not to want to, to own up to all the modification that may have caused a significant interruption to the, to the business. Some of the other activities, these it admin teams are taking on is the need to report and to management. What kind of, what kind of actions are going on some may also need to provide compliance reporting to auditors. So that largely depends on the organization. If any regulations are applicable to their business. And the real challenge here is events can be really difficult to find the proverbial needle in a haystack comes to mind.

There's a lot of events that get generated on the various different systems and trying to find one, try to find them can be very difficult. And of course, the events that are written out to the native event logs aren't necessarily written there to be, to satisfy compliance mandates. They're there to, to provide information about the specific activities, but it also may require a single action may produce multiple events, and you may need to string multiples together to really get a complete picture of what's happening.

So that's a very time consuming to go through, to figure out and correlate those events. And it may go across multiple systems as well in order to really understand what's happened. And if you have to present any of this information to folks that aren't specialists or technical being, you have to go through and translate that information so that it's more readable by non-technical personnel. So that is also a very time consuming. And as a result of that, they tend not to look and do these kinds of activities, but only for very important events that have may have occurred.

And another challenge with leveraging just native logging is these logs are typically configured to roll over once they reach a maximum size or age. So what ends up happening is maybe by the time you get around to and doing an investigator investigation, that information may no longer be there because it's been purged out or rolled over in the logs themselves. Challenges for enterprises, as Martin was talking about earlier, this whole little admin teams are really typically specialized by system or platform.

So there you'll, for example, in a larger organization, you'll have a team that's responsible for active directory, as it is a key identity store within the environment, providing an authentication for multiple applications. This one is typically well-staffed, but has a large team that goes through and does the, all the management on that from an architectural and an operational standpoint. And they also, in order to effectively manage that need to have detailed information about what's going on in their environment. And this may be to help tweak performance.

If there's poor responsiveness from various different elements that comprise these different systems, they have to understand what's going on. There is it setting modification that may have caused it, same for troubleshooting capabilities. If something's not working. The first thing you want to understand is has there been any changes made recently to those systems that may be causing that outcome? And they also have the accountability items here as well.

So for people that are making changes in the environment, they need to understand who's doing what so that if there's any modification that may have caused an interruption, those feet, those people will be able to understand who made those modifications and can figure out if that was done because of maybe not the correct knowledge about the modification that was being made, or the fact that that may be something that was done in malice or could be a compromised account.

So there's, there's various different reasons why you need to understand who's making those different modifications in the environment. But being able to find that information is, is paramount to making sure you can effectively manage and make sure that you keep your systems secure.

Also from the enterprise side, they are all tasked with creating activity reports so they can make sure that they can tell the managers who have what kind of modifications, how many changes are being done in the case of additions to the environment, or changes to policies that those things have done had been done and implemented. And they also need most likely on an enterprise side, provide reports to auditors.

And this can be a very time consuming task for enterprises to generate that information so that the, the auditors can verify that they're, they're fulfilling the regulatory compliance mandates that are set out for that organization. As Martin was saying earlier, that's one of the, the things that kind of starts at the bottom of their, their activity sets their bow towards security, but they also need to provide that information and typically spend a lot of effort and time gathering that information up.

They also have that same challenge of being required to translate those events into a, not for non-technical personnel. And they also may need to very quickly act upon audit information to minimize impact to security. So if they can see an event that's, that's generated that may they understand that that may cause an, an interruption to service, or it may provide privileged access access for a user that shouldn't have it, that they should need that information right away.

In fact, I was on with a customer just the other day that had done a proof of concept and installed our solution set and their production environment. And I was doing a follow-up after the installation, and they were looking at some audit information and on the dashboard, we could see there was an account that had a unusually high activity, and this account was not known to them. So that was something that they identified right, and said, Hey, we need to go figure out what this particular account is and why it's doing so many different transactions that was unexpected for them.

So this is a scenario where they actually didn't know that was occurring, not sure of what the actual result was on that investigation there, but they, after our call, we're going to look at that right away. It could have been a, I don't know if shadow it, where somebody set up an application that has an account that goes off and does a bunch of activities that the, the it admin department did not know about, or it could be something where somebody is running a bunch of scripts, but anyways, they had to, that was a surprise to them to see that kind of activity going on in their environment.

And without looking at that kind of information, they would have had no idea that was occurring. So the other thing that the enterprises organizations are looking for is a way to reduce the complexity, to get at that information and analyze it. Certainly all the different systems that they may need to look at can be very time consuming to go to each one, to, to gather that information and the stringing together, multiple events to really understand what kind of modifications occurred.

So, for example, if you're looking at something up in Microsoft 365, that may come down to a modification that was made in active directory, and then later sinked up. So following that trail back can be very challenging and time consuming. Another interesting thing is that we sometimes see administration teams may not even have access to the SIEM systems.

Now, this is not true with every organization, but we have seen that to be the case. Cause that's typically managed by a security department at a large enterprise. So they're not even able to go in and look at the logs that were gathered by the centralized team system. So it makes their doing their job very challenging when they need to, again, try to understand what modifications have happened, what settings have changed in their environment. So here's some of the, the other challenges on the enterprise front, the native analogs are not sufficient.

For example, in active directory, you have to go out and set policies to collect events into the native event logs in the first place. So not all policies may be set to gather a certain types of events. So in this case, that stuff will never end up into a scene because it's never even been written to the native event logs. So that information would be lost. Also policies can also be shut off. So if you have somebody that does have bad intentions on some of the modifications that they're going to make, they can go in and shut off the policy to gather that information.

Of course, that activity would be logged by the native event logs, but then whatever they've done after the fact, after turning that audit information off, they could go ahead and make some changes and then come back and turn it back on. And you'd be none the wiser to what has occurred while that auditing was, was shut off and other things that native event logs simply don't have all the details. So this is especially true. When you look at group policy, lots of organizations are still leveraging group policy to do configurations across their environment.

Some still use it for software distribution and so extremely powerful tool set. And depending on the organization that can be leveraged. I had a customer the other day with over 450 group policies, I would imagine that would be very challenging to understand what policy affects, which individuals and which groups and what settings are going to be put, put down there.

But when you have a native event log that just specifies a particular policy has changed, it would be very challenging to then understand what's changed inside of the policy and time-consuming to go back and forth and figure out which of the settings inside of that group policy has been modified. So locking that kind of detail really puts the onus on investigation again, and that really makes it challenging for, or an organization.

It must be a fairly critical or have a significant impact for them to want to go through and do, for example, a manual compare between a backup of a group policy and a, the current group policy to understand which individual setting has changed and what the old value was and what the new value is. The also the, the other challenge around native logging is that it does increase the loads on your active directory domain controllers, and therefore also the result result in size of the logs on those machines.

So th that's a, that's also a challenge for enterprises and they also have that same issue of where they need to look and analyze several events to get at the details that that's there, if, if they're even available in the native event logs. So the same systems that are running in the security operation center, they're dependent on consolidating that of event logs as Martin was indicating. It really is very broad coverage, right down to a lot of hardware devices, multiple different systems pulling all of that information together.

SIEM systems are also typically priced by event storage size, so that can get fairly pricey very quickly. So what, what we see with some organizations is they tend to turn down their policies on, on gathering native events, to only things that are fairly relevant from a security standpoint, that way they're missing say a lot of native events around operational or configurational changes that don't necessarily have an immediate impact on security.

So again, if that's the case, there's no that information, none of that information in the native event, logs around the things that a specialist team may require to understand for performance or of service availability, et cetera. So that's a, that's why the SIEM systems, when they're being managed by the security teams, like I said, some organizations, they don't even provide access to people outside of the security organization. So they may be really not set up to cap capture those operational type of events.

So what we've done at Cygna, we've tailored our solutions at to address these challenges for both the small and very large organizations. What we've done with our solution set is we have a global reporting web based UI, and this is to really consolidate and streamline your viewing of audit data. So you don't have to bounce around to multiple different consoles or look at information in a, in a siloed manner. You can see audit events from the, the various connected systems, all in one place and search across all of them at the same time.

And that is very important as well as with a lot of companies going to a, a hybrid cloud implementations where they have Microsoft 365 as well as multi-cloud. So when they're expanding out to Azure arm, AWS, and, and the other different vendors that are out there, but being able to see all that and analyze that information in a single screen is really a time-saving and insightful way to look at that information.

Now, we we've been talking a lot about looking at audit data, so what's happened in the environment, but what if you're looking at a change or a modification that's occurred that's bad or unwanted, or has in fact caused downtime? One of the things that a lot of our customers want to do is be able to quickly and immediately undo that modification. So all familiar with and Microsoft word, when you're typing away, you can go on ahead and say, you highlighted a paragraph in your document and you meant to change the font size and you ended up deleting it and we'll thank goodness.

You can simply undo that change and bring it back well, we've applied that same sort of notion for modifications in to active directory as well. So you can go ahead and say, Hey, this change is bad. I'm going to click the rollback button here and put it back to its prior values. But at the same time, you may want to put it back to a prior point in time. So if from the admin team say they've gone through and done some updates where they need to run some PowerShell scripts, they've gone out and set telephone numbers for a particular office, as they've migrated over to a new phone system.

And you want to maybe go back and roll that back to a specific point in time and say like, oops, we put in the wrong phone number. So let's roll it back to, as it was last week as a, instead of any object that may have changed since that update has happened. So that gives you ability to go back to a point in time as well. And then there's, there's times where you want to say, well, instead of trying to like understand what's going on or roll back, recover from that modification.

There's certain critical items in my environment where I really want to stop and protect changes from happening to the first place. So privileged groups, such as domain admins, enterprise admins, those are really provide the keys to the kingdom. If you will, in an active directory, you can may want to actually stop or prevent a modification for happening even for a user that has the native rights to do so. So we have a protection capability that allows that change to actually be stopped from, from occurring in the first place. And of course, alerting. So this is where you need to understand.

Maybe you don't want to stop changes from happening to these kinds of objects, but you want to understand when, when there is a modification there, so you can set up an alert to notify team members or distribution lists that, Hey, this are, there's been a modification here that you should have a look at and make a decision very quickly. Is this bad, or is this a acceptable or known also within our solution set, we've implemented role-based access control with scoping.

So depending on how the organizations are, if you're very small and they may not require anything from a scoping standpoint, but they may only want a particular people to be able to view items others, to create items. And then you have somebody responsible for managing that whole data source. But as you get into larger enterprise organizations, their administration models may be based on regional and functional or combination of the two.

So being able to scope down saying, well, this person can report an active directory, but they can only do it for the European domain or the European or whatever the requirement is based on how the administration models for those organizations are set up. And of course, understanding what's gone on that detailed information is critical as well across all of those systems that are being monitored. So here's a quick screen cap of our web console access.

And in here you can see on the top users, this is actually the, the dashboard item I was talking about where a customer had a look at it and then noticed an account there that was, had a lot of different activity within the environment.

And they wanted to go investigate what was going on there, but being, having a nice HTML five gives you that any device, anywhere capability, should you want it being able to go in and look at very high level overview and be able to quickly drill down to the kinds of information that you want from a Cygna model standpoint, we're, we're in the hybrid and, and moving into multi-cloud. These are the, the core it systems right now that we're covering with our detailed audit solution set auditor for Ady. We have recovery for Ady 365 with information regarding Azure Ady auditor for teams.

We moved also into VMware. A lot of the customers that are running on prem for virtualization are using VMware as well. And then from a multi-cloud standpoint, we're moving out to AWS. And this is based on the interactions that we've had with our clients and the kinds of systems they want to want us to support. And then on the unstructured data that we have auditing for file system NetApp and exchange and SQL. So these are the, the systems that Cygna honor has modules for, as I mentioned, the key key thing about the console is being able to put data all that data sets in across.

So if I want to look for, you know, what kind of activities I'm performing in, in the environment, I don't have to look at it by only one. Am I doing an active directory, or what have I done in Azure Ady or what have I done in VMware? I can pull and search that information interactively all from a single web console. And of course, if you need to dive into a specific data source, you can just look at that information.

One of the things we've also done is with the us taking over the code from beyond trust for power broker or the beyond trust auditor suite, depending on which name you're using for it, we have added that as a data source within the solution set so that you can use this HTML five web console to look at that information as well. And then if you choose, you can also choose to combine that with the cloud versions of say, for example, Microsoft 365 is a very common scenario for a lot of our customers. Also the simplicity of managing and installing the solution set.

So we have a web based console that gets, we have a wizard that steps you through the configuration process and, and around an hour's timeframe, you have the ability to step through those configuration and have audit data by the time you're through it. So it's up and running very quickly. It's not a lengthy professional services implementation that requires a lot of time and effort to get it installed. So it can be installed very quickly, as well as when there's any sort of upgrades that require it's all centralized on management as well.

So that process is also not very time consuming, very easy to push out the components that you need for the data sources that are running in that environment. So from the change auditing and the learning standpoint, you really want to be able to have complete visibility as to, you know, who's making those modifications. When did they do it? Where was this change applied, what was modified? And you can come in and see the values of the, of that change. In this case, we're looking at an enterprise admin edition.

And if that is something that is not wanted, you can immediately click on roll back and undo that modification. So you get that complete visibility and you see that modification in plain language and how that integration across audit and recovery. You can see in this case before and after values, aren't this particular event aren't relevant because it was in addition to the, the group membership, but in the case where it's a configuration setting where you're changing a modification on, say a phone number, you could change, you could see that before phone number versus the after phone number.

So that would give you a, an easy idea of what the value was before. It's not something that you need to go and research being able to have that continuously backed up. So you're not reliant on just point in time. So you can do point in time, but you can also see all of the events as they're occurring in the environment, and then go in and very granularly search alert and report on those modifications and have this all happen in real time. So that's really where the critical part of our solution set is that this is all integrated and happening in real time. So the recovery capability.

So once you click on that roll back button, you can choose to say, Hey, I want to return it back to those prior values, or I can say, I want to go in and look at those values in the various different snapshots that I have in the environment. And really this helps you to minimize any potential downtime to, from accidental deletions or modifications that have been made to Ady or group policy or typical ones that could have a very significant impact in a hurry. And you have that single click to go ahead and do that rollback.

And it's, it's always online and available. So it's not like you're having to go into a storage, unpack a backup, launched another application, find the information that you're looking for, the particular item you want to restore, and then go through that restoration. So it's very quick and instant for you to do that rollback and be able to also support multiple forests from a single console so that you can manage the complete environment no matter what your configuration is.

So, one of the things that we mentioned earlier is that we took over the beyond trust auditor suite as well. So we are, we have that particular solution set back into the signal auditor. When we went off and generated a Cygna Labs, one of our first focuses was to, to go to the cloud because the, the beyond trust solution set was mostly on prem solutions. And we definitely recognize that most of our customers were running in a hybrid environment. But what we're going to do is really provide those beyond trust customers, a smooth trans transition between those organizations.

So even though the on trust is end of life, the product, we were able to take it over because we have that deep expertise within the, or our organization of the people that actually created the solution that beyond trust bought back in 2012, we have the ability to pick that up and continue to provide maintenance and fixes for the code. And then the ability to transition across into the full Cygna solution. And that integration into our web UI was one of the first points we did. We also have done some rebranding and done some fixes for it.

So what, what this will allow is like these beyond trust customers can actually look at that audit data with their, the hybrid cloud sources from Cygna right now today, and, and they can continue to do so. And there's no rip and replace required for those solutions. They don't have to rebuy that they continue maintenance and purchase that through Cygna labs will they'll continue on with their solutions. They can use it as it is today. And then we'll through an in-place upgrade. We'll transition across into the Cygna Cygna equivalent versions of the products that they have.

And Cygna is also solely focused on those audit and recovery capabilities. So this is what we're doing with those, those product sets is also not just bringing them across, but we're enhancing them as well to provide better solutions for them. Okay.

So that's, that's the end of my, my presentation. Thank you, Morgan. Let's directly Trump into the Q and a session. We have a few minutes left, a couple of questions here, and I'd like to, to start with, what's the question which came in from the audience plus reasonably, is there a possibility from Cygna can forward data to a centralized look as well? So can you collect data and then provides to other solutions? Yeah.

Good, great question. Yes. We can actually, through the, currently in the, in the PowerBroker solutions that we have the capability to forward into a SIEM solution set, and that is actually a feature that's going into the Cygna solution as we speak, that'll be out before the end of the calendar year. So forwarding out to, to seam is, is definitely on our roadmap. A lot of our customers have requested that capability and they want it either from just an alert.

So those conditions where a specific modification has occurred or to a specific object, they want to receive an alert to actually forwarding all of the, the log information that we've provided instead of gathering the native event logs. So we are going to offer both of those kinds of capabilities here before the end of this year. Yeah. Okay. Another question. And also Aronda road madness.

It's also, it's a G suite also on the roadmap, so Google's environment. So you have office 365, and one is asking about G suite. Hmm. Not currently, but certainly as we talk, we're a very adaptable organization. And as we talk to clients and get those kinds of requirements, that, and then that's something we would certainly consider. Okay.

I think you already touched an interesting point around licensing before, and that was about SIEM solutions frequently being licensed based on the amount of data that is held in the logs and the database, which I believe is not a very smart idea, honestly, because at the end of the penalties is good security, which is not very good. So how is you are so you from licensed? Yeah.

So w we, we chose not to do it that way. Cause you know, the, basically the, the more you want to use the, the solution set, the more expensive it gets, what we've done is we've licensed our product based on the modules that you're using and the number of people in your organization. So an HR count, if you will, not a count of the number of say user accounts within the directory, we see lots of customers where maybe an admin has, you know, five different accounts. They have their regular user account, they have an admin account for domain one and another one for domain two, et cetera.

So w we base it on an HR account and also then, you know, also paying for service accounts, et cetera. So that's how we licensed the solution set.

And, and of course, as you, the more you want to use it, they actually will. The, the better the, the terms will be Okay, so what we're looking at your sleep, this is a SAS solution or on-premise, and, and if, if it's SAS and every treatment, is it available?

Yeah, actually, that's a very common question because of course we have a modern web UI and it's not an actually a SAS solution set. We have designed it, so it could be, but right now we actually have several clients that are in highly regulated verticals, such as financial and insurance, and some of the jurisdictions they're working in require that their data not be stored in the cloud.

We, you certainly could implement our solution where you put your database up in the cloud. There's no problems for that, but it is actually on prem. So we will go out to the cloud, pull data in and put it into sequel so that it can be searched on. And this is also good because then you're not subject to the retention policies with those providers. So depending on the kind of audit data, it may be sometimes as little as seven 30 or 90 days where that information is no longer available.

And depending on the, the organization regulatory compliance requirements, they may need to keep that data I've heard as long as 20 years in some case, but that it's been on the extreme most are in that seven year timeframe that they need to keep that data set around. Yeah. So all the data is stored on your premises tracked in Microsoft SQL. Okay. So about scale, listen out a question. So what is the size of your biggest customer?

It's the, how, how big does it scale? Yeah, so, so One of the things that over the years, we really w worked very, very hard on making sure that the solutions that does scale up to the largest of environments, we have some customers as small as 200 users. So that also speaks to these of implementation and maintenance for the product set, but from our largest customer, the largest one has 27 active directory domains with over 450 domain controllers. So they're an over 220 countries. So they're quite large quite dispersed globally organization. Okay. So it counts Caitlyn quite a bit.

So at the end of the day, how long does it take to install the signal web UI? Yeah. Yeah. It doesn't take very much at all.

What we, we designed the solution to have a very minimal install. You, you run the, the MSI and it goes ahead and launches into a, a web-based configuration wizard. So it's typically around an under an hour if all the pre-recs are there. And like I said, we're saying basically by the time you finished stepping through the wizard, you're actually already getting events into your inbox.

Okay, Great. So I think we are very close to the top of the hour already. So we are at the end of our webinar for today. Thank you very much Morang for your presentation for you insights for all the assets during the QA, thank you to all the participants of this KuppingerCole webinar for being part of listening to our webinar, hope to see you soon. And a lot of our upcoming events, there's a ton of these events over the next couple of weeks and months. So thank you. Stay well and hope to have you back. Thank you, Martin. And thanks everyone for your time.