Recognizing the critical importance of operational resilience, the IT team at American Airlines sought a solution to protect their Active Directory (AD) environment and ensure uninterrupted business performance in case of an attack that targeted the identity system.
“Resilience is very high on our agenda,” said Jonathan Elledge, Senior IAM Engineer at American Airlines. “We have to monitor our applications and services, automate recovery wherever possible, and catch problems before clients or end users even notice.”
Traditional backup solutions had pitfalls—particularly if the backup services themselves were affected—so Elledge said the team turned to Semperis Active Directory Forest Recovery (ADFR) to close those gaps.
With ADFR, I can just hit a button and it goes. If I were using standard Windows backup and restore, there would be so much to do manually. ADFR makes recovery easy and reliable.
Jonathan Elledge, Senior Engineer, Identity & Access Management, American Airlines
He also noted a major improvement in security monitoring with Semperis Directory Services Protector (DSP).
“Instead of running manual scans or relying on separate tools, I set up all my exposure indicators in DSP,” Elledge said. “But even more important are the notification rules. If someone gains access to a sensitive group, I get paged immediately—even in the middle of the night. DSP will roll that person right back out before they can do harm.”
This proactive approach allows Elledge and the SOC team to respond within minutes, often before attackers can entrench themselves.
“It’s all about speed,” he said. “If you don’t catch an incident early, you risk persistent threats lurking for months—by then, it’s too late. With Semperis, we can catch and contain issues fast, which is now a business requirement for us.”
Ensuring business resilience with comprehensive identity protection
American Airlines uses Directory Services Protector and Active Directory Forest Recovery to:
- Receive real-time alerts on unwanted changes to Active Directory or Entra ID
- Ensure the ability to meet AD recovery time objectives (RTOs)
- Accelerate response to incidents
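The notification rule described above (an unapproved addition to a sensitive group pages the on-call and is rolled back), modelled as an added Python example; this is not Semperis or American Airlines code. The event IDs are the standard Windows Security IDs for group-member additions; the Tier-0 group list, the change-ticket allowlist and the sample records are constructed assumptions.

```python
"""Detect and plan the revert of unapproved additions to Tier-0 AD groups."""
from dataclasses import dataclass

# Windows Security log: "A member was added to a security-enabled ... group"
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # global, local, universal
# Assumed Tier-0 groups a rule would guard (constructed for this example).
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                    "Administrators", "Account Operators"}

@dataclass
class GroupChange:
    event_id: int
    group: str
    member: str          # account that was added
    actor: str           # account that made the change
    change_id: str = ""  # change/ticket reference, if one was recorded

@dataclass
class Verdict:
    page: bool
    revert: bool
    reason: str

def evaluate(change: GroupChange, approved: set) -> Verdict:
    """Decide whether a single membership change pages and gets rolled back."""
    if change.event_id not in GROUP_ADD_EVENTS:
        return Verdict(False, False, "not a group-add event")
    if change.group not in SENSITIVE_GROUPS:
        return Verdict(False, False, "group is not Tier 0")
    if change.change_id and change.change_id in approved:
        return Verdict(False, False, f"approved under {change.change_id}")
    return Verdict(True, True,
                   f"unapproved add of {change.member} to {change.group} by {change.actor}")

def plan_revert(change: GroupChange) -> dict:
    """The rollback a tool would issue: remove the member from the group again."""
    return {"action": "remove_member", "group": change.group, "member": change.member}

def triage(changes, approved):
    """Return (change, verdict) pairs that need a page and a revert, in log order."""
    return [(c, v) for c in changes if (v := evaluate(c, approved)).page]

# Constructed sample: one approved Tier-0 add, one unapproved, one non-sensitive add.
SAMPLE = [
    GroupChange(4728, "Domain Admins", "CORP\\svc-backup", "CORP\\j.doe", "CHG0012345"),
    GroupChange(4728, "Domain Admins", "CORP\\tmp-user", "CORP\\helpdesk7"),
    GroupChange(4732, "Remote Desktop Users", "CORP\\a.smith", "CORP\\helpdesk7"),
]
APPROVED = {"CHG0012345"}

if __name__ == "__main__":
    for change, verdict in triage(SAMPLE, APPROVED):
        print("PAGE:", verdict.reason, "| REVERT:", plan_revert(change))
```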
Speaker: Jonathan Elledge, Senior Engineer, IAM, American Airlines

Resilience is very high on our top. That means monitoring, watching the telemetry coming from your applications and your services to make sure that they’re up and performing as expected, to recovering—automated as much as possible—and if not, making sure that you’re notified that there’s something going on so you can start to react to it. And do it hopefully before the client, before the end users, are even aware that there’s something going on.

What good does it do to say you have a backup if the backup service, something happens to it? And then something happens to AD and you can’t recover AD? Or it’s gonna take you some time to get your backup service back online so you can restore. That would be a big impact to the company. And that’s where ADFR comes in handy. Things that if I were just doing a Windows backup and restore—which I’d still have so much to do manually—with ADFR, I hit a button and hit go…and it goes.

DSP got to the point where it had so many indicators when you go to the intelligent—you know, the high level of it—that nowadays, rather than downloading Purple Knight and running time and place with Purple Knight, I just set up all my indicators of exposure and stuff in my reporting with DSP. The better thing, and even more important, is I have got notification rules out there. So that, like, if somebody were to access a group that they shouldn’t that’s high risk and stuff, I’ve got them set up. Some of them, they just page me out on. Some of them I would get an immediate page-out, even in the middle of the night. And then DSP would roll the people right back out of it. So they might have gained their access for about a minute before they’re back out. And I’m being paged—so within minutes, I’m on it, and I’m opening a case with my SOC team. And once we show them what’s going on with them, they’re gonna be bringing the threat hunters in. How do we close this all off?
The issue is they gain access, then they recon to see who really are their targets. Once they have those targets and they’ve gained access to them—in other words, promoted themselves to the level that they need—then they set it up for persistence. And then they’re liable to sit there for—I think Gartner a couple years ago put out and said that a breach like that normally takes up to six months before the company is aware of it. By that point, do you still have backups that are clean, or are you gonna be spending the next six months rebuilding your company? So catching it fast and quick so you never get to that point—you just can’t avoid it. You have to do it. It’s a requirement.