Foulston Siefkin LLP, the largest Kansas-based law firm, transitioned from a fully on-premises Active Directory (AD) environment to a hybrid AD/Entra ID cloud identity environment in 2018. While working through the process of securing the hybrid environment, the company reviewed its business continuity practices and looked for a solution that would help the firm meet its identity system recovery and security posture goals.
Implementing Semperis Active Directory Forest Recovery (ADFR) and Directory Services Protector (DSP) was key to the firm’s cyber resilience strategy, said Matt Spurlock, Foulston Siefkin CTO.
“We see increased phishing attacks,” he said. “Every day there’s billions of threats, and we’re just trying to find ways to circumvent that.”
“I’m just really glad ADFR is … there for us. … We have the right tools and the right partners and people that … if we ever had to recover [AD], we would be able to in a timely manner and meet those objectives for recovery times.”
Matt Spurlock, CTO, Foulston Siefkin LLP
Spurlock knew that the identity system was a prime target for attackers, who could enter the system through an endpoint and move laterally to the identity system.
“If you’re down from a full-on ransomware attack, how are you going to recover from that?” he said. “Your domain controllers and AD are going to be first.”
Improved security posture and disaster recovery planning
Foulston Siefkin chose ADFR and DSP to help meet their security and recovery objectives, including:
- Guard against industry-wide increases in phishing attacks and other compromises that start at the endpoint and move laterally to the identity system
- Automate security posture reports to ensure the team can continuously assess and remediate vulnerabilities
- Streamline AD disaster recovery testing to meet recovery time objectives
DSP has streamlined identifying and remediating identity system vulnerabilities as they arise, Spurlock said. He receives automated DSP security reports daily.
“It helps my team stay on top of keeping our environment clean,” he said. “I definitely feel good about where we’re at.”
ADFR is a core component of Foulston Siefkin’s systematic AD disaster recovery testing. Although they haven’t had a scenario in which they had to recover AD, having ADFR in place gives Spurlock confidence that they can recover quickly.
“I’m just really glad [ADFR] is … there for us,” he said. “I think we have the right tools and the right partners and people in place that, God forbid, if we ever had to recover from something like that, we would be able to in a timely manner and meet those objectives for recovery times. I can’t say enough about the product.”
Speaker: Matt Spurlock, Chief Technology Officer, Foulston Siefkin LLP
Like many organizations, we used to be on prem. Around 2018 or so, we moved to a hybrid cloud through Azure, now Entra ID. So we’ve been through those trials and tribulations as Microsoft has made changes over those years. I think everybody’s paying attention to AI, where we’re at in that hype cycle. We’re not sure, but we already see increased phishing attacks. So to counter that, there’s a lot more phishing awareness, to users, the different attack vectors, how they can trick somebody. Every day is billions of threats, and we’re just trying to find ways to circumvent that.
So we have ADFR and DSP. Through my business continuity planning, I’m more on the managerial side, so I’m writing business continuity plans—the really fun stuff that IT techies love to do. If you’re down from, let’s say, a full-on ransomware attack, how are you gonna recover from that? You know, your domain controllers and AD are gonna be first. And when you have years and years and years of work and layers of AD, layers of security, obviously, Microsoft hasn’t updated AD in a long time as far as on-prem and in the cloud. So that product complements that very well.
We run an exercise every year to do a recovery and they ask, “Oh, have you used it?” And I always say, “Oh, yeah.” I’m the tech, but I don’t hope to ever have to use it. I’m just really glad it’s break-the-glass and it’s there for us.
I send automated email reports to make sure, and I still use our account report. I get one every day. That helps me keep my team on top of keeping our environment clean. Definitely feel good about where we’re at.
I think we have the right tools and the right partners and people in place that, God forbid, if we ever had to recover from something like that, we would be able to do so in a timely manner and meet those objectives for recovery times. We test that every year through our continuity planning.
We do penetration testing of those fallout scenarios. But it was good to go through those exercises even with my team and my peers, and I was like, our clients. You know, I get calls from them and they ask, “What should we be thinking about? What would we do?” And so, I even mentioned that a lot of people sometimes are shocked that there’s even a product out there that does do what Semperis does. Which is really good. I’m glad because, like I said at the beginning, if they’re down, we feel it. And, our municipality even went down from a ransomware attack—it was in this calendar year—and, you know, nobody could pay their water bill. Nobody could pay a ticket. And so the whole city felt that. And so, being a smaller city, I have those conversations with my peers, all around. We talk through it, and hopefully, everybody’s better for it. So, I can’t say enough for that product.