Endpoint security, cyber insurance and general contingency plans are important, but they will not protect your company from a major cyber attack. To keep operations running despite cyber threats, analysts and leading cyber security experts recommend focusing on resilience.
In this session, James Ravenell (Senior Solutions Architect, Semperis) explains why the ability to respond quickly and securely to threats to your most important identity systems, Microsoft Active Directory (AD) and Entra ID, and to recover from them is, for most companies, the key to recovering from cyber disasters and to business resilience. You will learn:
- Why identity systems such as AD and Entra ID are among the top targets of cyber attacks
- How, and why, to adopt a "resilience mindset"
- Why speed matters when responding to a cyber attack on identity
- The most important factor in restoring trust in identity systems after a cyber incident
- How to make your hybrid AD environment more resilient
Hi there. I’m Tom Field. I’m Senior Vice President of Editorial with Information Security Media Group. Very pleased to welcome you to our webinar today. Topic: Beyond Defense: Active Directory Recovery and Business Resilience. Joining me is James Ravenell. He’s a Senior Solutions Architect with Semperis. But before I bring James onto the big stage here, a little bit of background on our session. Endpoint security, cyber insurance, generalized disaster recovery plans: all important, but they will not save your business from a major cyberattack. To keep operations running smoothly despite cyber threats, analysts and cybersecurity leaders recommend a focus on resilience. So in joining us today, we will understand why the ability to quickly and securely respond to and recover from threats to your core identity systems is the key to both cyber disaster recovery and business resilience.

First, a little bit about my organization. Information Security Media Group is a global education and intelligence firm. We’re based in the US in Princeton, New Jersey, and you may know us by any number of our thirty-eight media properties. We reach an audience of over 1.8 million security and technology leaders globally and give them a daily diet of news, analysis, research, events, and educational programs just like this one.

Just a few notes of housekeeping. You have any questions for James? Submit them anytime by the chat window on your screen. We may not get to every question. Those that we don’t get to today, we’ll answer via email. Should you encounter technical issues, take down that email address: write to webinars@ismg.io. We’ve got support staff waiting to help you. And a reminder, today’s webinar is copyrighted material meant for today’s session and individual study purposes only. If you would like to use any of the information presented tonight, or if you are looking for your own customized training solutions, contact us.
Let’s meet our sponsor, Semperis. The cybersecurity leaders and Active Directory experts, they know that identity-first security is a key to operational resilience. For more than ninety percent of today’s enterprise organizations, if AD isn’t secure, well, nothing is. Many of the world’s leading businesses trust Semperis to help them protect AD and Azure AD from escalating cyber threats. Nothing is off limits to today’s cyber attackers, including emergency services, hospitals and health care providers, schools and financial institutions. So whether your business is building businesses, saving lives, or serving citizens, Semperis helps you operate with confidence by protecting your critical identity infrastructure. You can learn more at Semperis.com.

And now let’s meet James. James Ravenell is a seasoned technologist. He’s got more than thirty years of experience in infrastructure operations and architecture. He has worked with organizations ranging from start-ups to Fortune 50 companies. He’s passionate about safeguarding identity and enhancing organizational resilience. And with that, let’s welcome James Ravenell. James, thank you so much for being part of this discussion today. Pleasure to see you.

Pleasure to see you again, Tom. I think I remember telling you that the first time I met you was at a conference here in New York City, so it’s good to meet you again.

Exactly right. Well, we’re gonna start here because identity is such a critical topic today. Why would you say identity systems now are the top targets? And to whom? Who is targeting the identity systems?

Well, threat actors, of course, are always looking to attack identity systems. I like to tell this story. I consider myself like a young dinosaur. I was around before we had Active Directory, back in the Banyan Vines days and the Novell network days. Right?
And when we were starting to figure out what we were gonna do with accounts and user management, and then we said, oh, let’s move over to this Windows NT thing. And then we started moving from there and then into AD. When I was a junior sysadmin, we started to really start figuring out what AD was going to be. I don’t remember us thinking that it would be around this long. Because other years. Am I right? Twenty-five years. Yeah. Right? I mean, so, you know, it’s looking at what identity has now become. But what has changed? The people who were knowledgeable about it are starting to move out of the workforce. And now you have people who use identity every day. It’s always in our face. We’re constantly using it, consuming it, but we don’t realize it for what it is. We don’t see its importance. We don’t see how critically involved it is in everything we do. So I think, you know, threat actors are realizing this. They’re realizing just how many of those settings we made back in the, you know, early two thousands are still in place in so many organizations. You know, we did our best back then, but here we are.

Well, you make a good point, because AD has become the de facto identity management system for so many organizations. And yes, it’s twenty-five years old. The threats are more sophisticated. The threat adversaries are. What would you say are some of the inherent vulnerabilities in AD?

Unfortunately, there’s so many. Right? You know, we use different products to scan AD here at Semperis. And if you just run a vulnerability scan right out of the box against your AD, so many vulnerabilities pop up. And I’m talking with Windows 2022. Right? And so when you look at what you would have assumed have been some lessons learned from previous, you know, editions of Windows and Windows Server, you would expect that there would be some, like, major steps forward. The reality is some of the same vulnerabilities still exist.
But a really easy one is RC4 encryption is still, like, by default, installed when you deploy AD. That’s problematic. I mean, great, we have AES-256 as well. So you still have a high level of encryption, but the fact that so many default settings are opening people up to vulnerability is still very problematic.

The operative word is resilience. How and why can enterprises start to adopt a resilience mindset even when they’re working with this foundation of AD?

I wanna start with the why on that. So many businesses, if they experience a breach, it’s a threat to their finances. It’s a threat to their reputation. That alone should make you think about what you need to do and that you should be doing something to be resilient against threat actors that are constantly trying to find a way to breach your system.

So given that, James, speed really has to be of the essence when it comes to AD recovery, because your customers don’t understand recovery. They understand resilience. They understand you’re still in business.

Yeah. You know, I speak to CEOs, CISOs, security engineers, you know, IT ops engineers, from every level, every day. Those are the folks that I speak to. And I think that many of them understand that they need something. They don’t always understand just the nuances of AD and why it’s important, but they realize they need something to protect them. They need something that allows them to be able to, you know, to know when something is going to happen, to be aware when something is happening. And then if all of those things fail, you know, these threat actors are very sophisticated. They’re using AI now. They’re using a lot of these freely available tools to try to breach your environment. You need to be able to get back into business in a way that is not only, hey, I had a backup, and I recovered from it.
You have to be able to use what you have recovered, and you need to be able to do that very quickly. I always ask people, when they tell me, and I don’t like to use scare tactics with folks, but I want them to think about: what is their responsibility to their customers? What’s their responsibility to their employees, and to their greater community? And if you think that it’s okay to be out of business for five minutes, completely have no access, ten minutes, an hour, a day, a week. Like, what is the value to you and your business if you have to completely shut down operations, or if operations are completely shut down because you cannot access your identity? So, yes, speed is very critical. The tools and the people and the processes that you have around that are all really critical. There needs to be some meshing of those in a way that makes sense. But the real problem for a lot of organizations is that they think, I got a backup. I can just recover from that, and I’m okay. But your backup may not be of value to you.

Right. Can you boil it down? Is there a single most important factor in recovering AD?

Trusting it. Trusting your AD after recovery. If you tell me that you have a backup of your AD, and that backup, you said, you know what? We realized we got breached on Monday. It’s Friday. Right? You didn’t realize that you were breached on Monday, and it’s now Friday. Now you have lost access to your domain controllers. So then you tell me, well, I’m gonna go back to last Tuesday before that Friday, and I’m gonna use that. Okay? Well, the first thing is, depending on the size of your organization, you could have had thousands or millions of transactions in that amount of time. So is what you have usable? It’s available to you, but is it usable? But more importantly, how do you know that the threat actor wasn’t already dwelling in there? Right? You would want to have some assurance that what you are restoring is actually usable.
It is actually safe, and you can trust it. And that’s a problem for many organizations with the way that they’re doing their backup now.

Oh, and given what you hear about dwell time being two hundred plus days in a lot of these organizations.

Sure. Yeah.

Now how does one build resilience in hybrid AD?

Well, again, there are a lot of ways to do it. Right? But first, thinking about how are you using your hybrid environment? I always ask people when they say that they’re hybrid, what do you mean? But if you’re using, for instance, on-premises AD and you’re syncing up to your Entra tenant, for instance, well, if the threat actor gets into your on-prem, or, you know, it depends on how you have your syncing. Is it one way? But if they’re getting into your on-premises and you’re syncing all of those identities up to your Entra tenant, well, now you have a great probability that that threat actor is also in your Entra tenant. And you wanna start thinking about, even aside from threats. Right? Because sometimes, listen, I’ve been in this business about thirty-five years now. Well, just shy of thirty-five years. And I’ve made mistakes. So sometimes, you know, we just fat-finger things. Right? Building your resiliency shouldn’t just be about the fear and the threat. It should also be, what are your contingencies if someone makes a mistake, someone deploys a package, some software, some change that has threatened your environment? So building resiliency says, yes, you wanna be able to, one, see what is happening in the chain of events in your Active Directory. Is there a problem? You wanna be aware of what’s happening before, so you wanna do constant scans of your AD. If you are under attack, you wanna know what’s happening.
And if you have been attacked, how do you recover in a secure manner, in a usable manner, and also be able to communicate with the people on your teams that have to be responsible for bringing your business back online? And that’s whether or not, you know, when you’re in a recovery mode, it almost doesn’t matter how it happened. Unless you’re using manual processes; then it can matter. Right? Because if you’re using manual processes, you may be relegated to using the exact same equipment that you started with. And with so many of these government security reporting frameworks, you may or may not have the opportunity, until you do some mitigation, until you do some research into how you got to this problem, you may not even be able to move forward until you figure that out before you start your recovery.

Makes sense. James, I just wanna bring it back to Semperis. You folks are my go-to. I wanna know more about AD and security. How would you describe the way you’re helping your customers ensure AD recovery and to be truly resilient?

Yeah. When I talk to our customers, I always, you know, I’m on the presales team as a Senior Solutions Architect. And a lot of times, the people that are coming to us, they’re asking questions. They’re trying to figure out what is it that we can do. What are our offerings that can actually help them? And, you know, because you said we’re your go-to, the first thing is our people. I believe that we have more Microsoft MVPs in our space than anyone else. And we just had another one just before we had our company kickoff earlier last month.

Good.

So we have a lot of experience. I think, like, the average tenure of people who do what we do, it’s like twenty, twenty-five years. Right? So we bring a lot of experience in the AD space.

And then grew up with AD. We can say grew up with.

Literally grew up with AD. You know? And then we have our tools, our technology.
It works, man. Our Active Directory Forest Recovery, I smile every time I use it, because I’ve been on the customer side when I was an AD ops engineer. And one of the solutions that we used was a competitor. And it was a struggle. Our Active Directory Forest Recovery follows the Microsoft playbook, but it automates it. So, you know, it’s a couple of clicks to get from starting a recovery to being recovered, in, like, ninety percent faster than you would if you were doing a manual process. Like, that’s huge. Right?

Sure.

And then the processes around securing your identity after recovery. Again, we have the people and experience, but then we also have a way to clean these. We work with you to recover to clean installs of your Windows. When we did your backup, we separated the service of Active Directory from the server, your domain controller. Right? So we’re grabbing only what is critical. That’s part of the tech. And then when we recover you, you’ll have the faith and the confidence that you are recovering to an environment that you know is free of malware. And then when you’re recovered, we scan your environment again. We have a community tool called Purple Knight. It’s our public tool, but we have what we call a post-breach version of that that will then scan your newly recovered AD before you go back live. So now we’re looking again for those vulnerabilities that probably got you in the position you’re in, and then we’re looking for those threat actors. We’ve already eliminated, because you’ve stood up some new machines, we already eliminated the possibility of some bad payloads, some malware, when you stood up those new installs. But we also are making sure that we are working with you to make sure that you don’t have those threat actors who will attack you again after you’ve recovered.

Oh, that’s great information.
James, where can our attendees go to learn even more about AD recovery and resilience? What do you recommend?

Well, absolutely go to our website, Semperis.com. We have many videos where you can learn all about what we do, why we do it. We’re also gonna be launching our Ready1 coming up soon. So you can go to ready one dot com to talk about what happens when you have to do incident response. And those are two sites that you can check that are from Semperis. You can also, we have our HIP Conference that’s coming up. You’ll see information about that on Semperis.com. But those are the three places that you can go. We also have, like, a YouTube channel, Semperis. So check in those resources. We’re constantly adding content because we are trying to be a force for good. That is our motto from our CEO, Mickey. He’s a brilliant mind. I love what he has done with trying to really take care of the community. We have a lot of really good people, and we’re doing these types of talks. Like, I’m talking to you. We’re going to conferences. We have our HIP Conference. So we’re constantly trying to provide content for people to really understand that there’s a need for the buy-in to be resilient in this space.

Very well said. James, I appreciate your time and insight. Thank you so much.

Thank you. Appreciate you.

Of course, I wanna thank our attendees as well. We know you took time out of your day to attend this session. We’re grateful for that, and I know you’re walking away with some excellent new insight about AD recovery and business resilience. As always, I look forward to seeing you at one of our upcoming events. And until then, for Information Security Media Group, I’m Tom Field. Thank you so much for your time and attention today.
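A practical check for the RC4 point James raises above, added here as an example and not part of the webinar, of Semperis tooling, or of the speakers' material: a PowerShell script that decodes an account's msDS-SupportedEncryptionTypes attribute and flags accounts that still accept RC4-HMAC for Kerberos. The bit values are the documented ones from [MS-KILE] 2.2.7; the function names, the constructed sample accounts, and the assumption that an unset attribute falls back to a domain default that still includes RC4 (true unless the DefaultDomainSupportedEncTypes registry value on the domain controllers has been changed) are assumptions made for this example.

```powershell
# Added example, not from the webinar or from Semperis. Decodes
# msDS-SupportedEncryptionTypes and reports which accounts still allow RC4.
# Bit values per [MS-KILE] 2.2.7. Assumption (see lead-in): an unset or zero
# attribute means "domain default", which still includes RC4 unless the DC
# registry value DefaultDomainSupportedEncTypes has been hardened.

$EncTypeFlags = [ordered]@{
    DES_CBC_CRC                = 0x01
    DES_CBC_MD5                = 0x02
    RC4_HMAC_MD5               = 0x04
    AES128_CTS_HMAC_SHA1_96    = 0x08
    AES256_CTS_HMAC_SHA1_96    = 0x10
    AES256_CTS_HMAC_SHA1_96_SK = 0x20
}
$KnownMask = 0x3F

function ConvertFrom-SupportedEncTypes {
    # Returns the list of encryption-type names encoded in the attribute value.
    param([int]$Value)   # $null from an unset attribute becomes 0 here
    if ($Value -eq 0) { return @('(unset: domain default)') }
    $names = @(foreach ($kv in $EncTypeFlags.GetEnumerator()) {
        if ($Value -band $kv.Value) { $kv.Key }
    })
    $unknown = $Value -band (-bnot $KnownMask)
    if ($unknown) { $names += ('UNKNOWN(0x{0:X})' -f $unknown) }
    return $names
}

function Test-AllowsRc4 {
    # True when the account can still be issued RC4-HMAC tickets.
    param([int]$Value)
    return ($Value -eq 0) -or (($Value -band $EncTypeFlags.RC4_HMAC_MD5) -ne 0)
}

function Find-Rc4Accounts {
    # Accepts anything with SamAccountName and msDS-SupportedEncryptionTypes,
    # e.g. the output of Get-ADUser/Get-ADComputer -Properties msDS-SupportedEncryptionTypes.
    param([Parameter(ValueFromPipeline = $true)]$Account)
    process {
        $raw = $Account.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            RawValue       = $raw
            EncTypes       = (ConvertFrom-SupportedEncTypes $raw) -join ','
            AllowsRc4      = Test-AllowsRc4 $raw
        }
    }
}

# Constructed sample input (not real directory data). On a live domain use:
#   Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes | Find-Rc4Accounts
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-legacy';  'msDS-SupportedEncryptionTypes' = 0x04 }   # RC4 only
    [pscustomobject]@{ SamAccountName = 'svc-mixed';   'msDS-SupportedEncryptionTypes' = 0x1C }   # RC4 + AES
    [pscustomobject]@{ SamAccountName = 'svc-aesonly'; 'msDS-SupportedEncryptionTypes' = 0x18 }   # AES only
    [pscustomobject]@{ SamAccountName = 'jdoe';        'msDS-SupportedEncryptionTypes' = $null }  # unset
)

# svc-legacy, svc-mixed and jdoe are flagged; svc-aesonly is not.
$sample | Find-Rc4Accounts | Where-Object AllowsRc4 | Format-Table -AutoSize
```

Flagging is the easy half. Before hardening an account with `Set-ADUser <name> -KerberosEncryptionType AES128,AES256` (or the equivalent on Set-ADComputer), confirm its password has been changed since the domain gained AES support: AES keys are derived when the password is set, so an account that only holds an RC4 key stops authenticating the moment RC4 is removed. Run the same query against computer accounts, since service and machine accounts with decade-old passwords are exactly the "settings we made back in the early two thousands" that the transcript describes.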
