Toughen Up Your AD
Request for Comments (RFC) 1823 from August 1995 introduced the Lightweight Directory Access Protocol (LDAP) Application Programming Interface (API). One could argue that this important work served as the foundation for modern identity management. And yet, surprisingly, the word identity does not appear even once in the entire RFC. (The word directory shows up fourteen times and the word access appears six times).
Microsoft’s Active Directory (AD), which first appeared in Windows 2000, traces its roots to this early LDAP work. The collection of services in Microsoft’s AD has since improved continuously, and few would argue that AD serves as the structural under-pinning for most enterprise domain and identity-related services. As one would expect, however, such vital role positions AD as an attractive target for destructive campaigns against an enterprise.
With this in mind, I spent time this week with a security start-up called Semperis. Founded in 2014 with headquarters in the World Trade Center (just a stone toss from our Fulton Street Office) and an additional R&D center in Israel, the company focuses on helping enterprise teams make their AD infrastructure more robust and resilient to cyber-attacks and other disasters. The discussion was fascinating – and here’s a summary of what I learned:
“We refer to our security solution as identity-driven cyber resilience,” explained Mickey Bresman, Co-founder of Semperis. “What we do specifically is offer customers a means for addressing blind spots in the AD auditing system, for automating the AD recovery process in the event of ransomware or some other attack, and providing rapid restoration of AD objects and attributes often cutting recovery from days or weeks to hours.”
One decision driving the Semperis model involves decoupling AD from the Windows OS during recovery, which allows for clean restoration in the event that a compromised executable might re-infect the recovered system. An additional technical insight involves decoupling the restoration from the dependency of the underlying hardware. This allows for recovery to a less constrained hosting environment, including public cloud systems.
“Automation is a valuable aspect of our solution,” said Bresman, “because so many current recovery and restoration processes – if they even exist – are manual, and thus require a great deal of time and effort, not to mention introducing the high probability of human error. We’ve helped our customers cut the time of AD recovery, which results in greater resilience to cyber threats and disasters.”
I asked Bresman why enterprise teams wait until they’ve been attacked before taking risk reductive action on their directory infrastructure. His response was interesting – that is, since Semperis focuses on proactive response, they accept that attacks and disasters are inevitable. But the nuance is that Semperis helps enterprise teams prepare in advance for their response. The result is a nice balance between preparation and response.
The company’s flagship product offering is called Semperis Active Directory Forest Recovery (ADFR), which includes domain controller restoration, partition recovery, and forest recovery. The restoration can be done to any server, virtual or physical, both on-premise and in cloud. Semperis also offers a Directory Services Protection (DSP) platform which allows for real-time visibility, tracking of changes to AD, and auto remediation.
During our discussion, Bresman took me through an impressive list of enterprise teams who are using Semperis now to deal with their AD operational and security risks. One company apparently reduced their restoration time from days (which was unfortunately tested through a large-scale ransomware attack that degraded their operation), to a new restoration time that is clocked at roughly three hours. That’s quite an improvement.
If you run an enterprise infrastructure with dependence on AD for domain and identity-related services, and you are concerned about the very real possibility that something destructive might go wrong – either maliciously or accidentally – then you are strongly urged to give the Semperis team a call. Ask them to share with you their use-cases for automated, rapid restoration. I suspect you will be impressed – and hopefully, swayed.
As always, after your discussion, please share with all of us what you’ve learned.