So, welcome to this webinar, where we're going to talk about cyber resiliency and actually about Identity as a key component to cyber resiliency. My name is Jan Horsager. I'm Research Director at IDC, and I'm joined here today by Alistair Holmes from Quest. Personally, I have been spending the last 30 years covering information technology and digital transformation. And Alistair, could you maybe introduce yourself and tell us a little bit about yourself and your role in Quest?
Yeah, how are you and thanks for the welcome. My name is Alistair Holmes. I work for Quest Software. I'm a Principal Solutions Architect. I work across the whole of EMEA and my specialization is, I think what we call today, cyber resilience. I've been with Quest for about 10 years, and prior to that, I spent about 20 years with a Microsoft Certified training company, so I live and breathe Active Directory.
Excellent. Thank you very much, Alistair. And let's start just by looking at the cybersecurity trends right now in 2021, or the new normal or how you would like to label the year that we are in right now. And no matter how you want to label it, the fact is that we are seeing new trends and we are seeing a new pressure on the digital infrastructure and that means that the cybersecurity in reality, of course, is changing and under pressure. Digital business is, of course, not a new thing.
But the point is that, even though we were moving fast towards true digital transformation before 2020 and the COVID-19 pandemic, well, the digital business has really taken off, turbocharging the development into new businesses, new ways of creating not only markets, but also new ways of doing services, and doing them remotely and online is the new trend. And that puts the customer experience in as a priority, which opens even new sorts of pressure when it comes to cybersecurity and handling data and, not least, handling identities.
And that, of course, creates these evolving IT systems, meaning that, even though digital transformation was going fast, well, again, there's been a speed-up when it comes to the infrastructure, and the IT systems need to be either replaced or upgraded or even invented from the bottom up right now, and automation is an important part of that. And again, with the automation come new risks, new pressure on the security part. So COVID-19 has actually been rewriting the rules here.
And again, back to-- we have sped up in 2020. And on top of that, the working-from-home and remote trends have created, also from day one, a new pressure on most organizations. So, what we see right now and what we have been discussing together with Quest, we have produced an analyst perspective where we are looking at the need to actually monitor your digital infrastructure. This is a key to creating the fast solution if security incidents, or should I say when security incidents, are actually occurring, like hacking, ransomware or any other incidents.
So, organizations must, of course, put the tools in place to monitor and audit identities as well as recovering and restoring data. When we are looking at IDC's European security survey and drill into the United Kingdom, and ask the organizations in the United Kingdom about the factors that significantly limit the ability to improve IT security capabilities, well, there's one answer that actually tops the list of answers here. Well, the security team spends time maintaining and managing security tools rather than performing security investigations.
And 68% of organizations say that this is a significant limit to their ability to improve IT security capabilities. But if we look at what the new needs are, because, yes, you need to actually work with the tools. You need to balance the time, you need to balance the automation, you need to work with the audits and the ability to get what we call visibility of activities, vulnerabilities, and threats, you need to control devices' access and identities. And, of course, there's a need for the orchestration of multiple truth sets to improve that resilience.
But that does not mean that the team needs to spend all the time in that place. That's what solutions are for. That's what security solutions are for these days. And that talks us directly into or up to, I need to say, our digital trust picture at IDC. This is not about trust as such. This is about trustworthiness. This is about any organization today and in the time moving forward. We need to ensure customers, stakeholders, that they are actually on top of that digital trust, and the IT security is a compulsory part here, so it's a compliance.
So, it's a given thing. Your stakeholders need to believe that you are actually taking care of this, that you are working with these things, because they want to discuss privacy strategies, ethics, and social responsibilities, and other stuff that has to do with your digital solutions, but the security needs to be something that you are on top of. And how you get there, Alistair, I'll actually leave to you to talk a bit more about that.
Yeah, thanks, Jan. So, I want to talk about cybersecurity the way that Quest actually sees it. And we've been in the cybersecurity business for quite a long time now. We're backup, recovery, auditing-type products. I don't think that we sort of really classified it as cybersecurity as such. But we, like most organizations, have had to change and adapt. And one of the things that I spend a lot of time talking to customers about is that cybersecurity is all-encompassing.
But really, in the event that you get hit with a ransomware or some sort of malware attack, identity is absolutely everything. You can have the best backups in the world, but if you've got no identity to restore them against, you're probably going to find that recovery is going to take you longer than maybe it should do, et cetera. But there's some home truths that we need to put on the table first, and that is that cybersecurity really genuinely, today, it's a business, just like Quest is a software business or Shell is an energy company or PwC is an accountancy firm.
It's a business. These guys are in business to make money. The days of the, what I would like to refer to as, the pimply-faced youth, sat at home in his bedroom, seeing how far he could get into a network, that was the beginning. But then, very quickly, people decided that, you know what, there's a whole load of money to be made available here. And we, as organizations, have had to respond to that. So let's not kid ourselves, OK? You are under attack, OK? Because people want to make some serious money out of this. It is well-resourced.
If you look at some of the bottlenecks that have been tightened down recently, if you look at some of the arrests that have been made relating to cybersecurity, these guys are absolutely professionals. They can call on potentially even nation states if they need. In fact, there is an argument that a lot of the hacks actually come and emanate from nation states. And we have seen during the past 15, 16, 17 months of the pandemic, as, you know, I acknowledge it, that they have increased and their targets have also changed. They are really, really well organized.
Like I say, they are running them like a business. When we look at some of the tools that are available to these bad actors, let's call them what they are, who would have thought, even three, four, five years ago, that you would have had ransomware as a service, or RaaS, as we refer to it. They're writing tools and they're making those tools available for their franchises to utilize them. They're going to be getting a cut out of that, and they are absolutely financially motivated.
I was reading an article about a fairly recent hack that had occurred. I think it was all over the press not too long ago. And what actually happened, as part of this takedown, this ransomware, was that the bad actors got into the system, and they actually went looking for the organization's, not intellectual property, nothing like that. They went looking for the cyber insurance documents. And once they had actually got them back and they worked out how much it was going to cost them in premiums and penalties and excess, they actually put their, shall we say, digital tax, because that's what they look at it as.
They put a digital tax which was sufficiently high enough for them to justify all their efforts of breaking in, but low enough so the customer would probably feel the need to pay. And that is a business, absolutely a business. And the other thing that we've seen is that the bad actors have been able to change tack. Just as Quest, if I concentrate on Quest because it's a company I know really, really well.
Just as we were back in the pre-2000s concentrating on Novell Directory Services as the main directory, and, oh, there was a little thing called Windows NT out there and we developed tools to allow us to migrate. When Microsoft changed their focus towards Active Directory, we changed our focus. And, as they've changed from on-premise to cloud, we too have adapted to those new marketplaces. And it's interesting because we can sort of see exactly the same thing from the bad actors. You know, they really didn't care who they were going after up until about March 2020.
And then all of a sudden, they start focusing their attention on health care, health care providers, pharmaceutical companies, and it's everything related to COVID. You know, whether that was potentially some spies sat outside some pharmaceutical company in the Netherlands or it was taking down sections of pharmaceutical providers through an internet or a spoofing-type attack, you know, there were some serious issues that needed to be addressed and we have to respond to these.
So, it's interesting, as I say, that we noticed that now that sort of COVID is hopefully on the wane, it looks like though they're sort of focusing their attention back onto the likes of, shall we say, critical national infrastructure and large well-known scalps. If you can put a scalp like that in your bag, you're probably set for life. You know you've certainly developed a high level of credibility in there. And as I mentioned, we're looking at evolving techniques.
You know, in the past week alone, the amount of text messages that I've received purporting to come from my bank or from some other organization that I actually have nothing to do with, and it's about trying to gain access to my information. Now, that's a personal attack. But what about if we were to focus that attack on, for example, a CEO's mobile phone? Would it be possible to compromise that phone and actually go into a corporate network at a fairly high level using information that's been harvested off that?
So, we're sort of seeing attacks not only focused on the actual targets of the attack, but almost like a shotgun-spray approach. You know, let's go for the biggest audience we can. We refer to it as a supply chain. It's the customers that you do business with, it's your suppliers, it's your users. And one of the big issues that I've certainly seen was at the beginning of the COVID pandemic. Organizations, they weren't ready. They were used to working in an office.
You would drive into the office or you'd commute into the office, you'd sit down at a workstation, you'd do your day's work, you'd log off, and you'd go home, and that was sort of pretty much it. You may occasionally respond to an email or do a little bit of work in the evening. But now, you're sat at home, and companies were not ready for that. I remember one particular attack, where it was due to a VPN server that the organization had actually switched off a number of years ago.
They just hadn't decommissioned it, and they powered it back on, and immediately this thing just lit up with "come and get me" because it hadn't been patched. And that was the opportunistic approach that these organizations are using. But as I also mentioned, it's almost become like a big business now. You don't need any potential hacking skills to make money from malware. You just simply pay a percentage to whoever your ransomware-as-a-service provider is. And that's a model that I think a lot of security departments are yet to potentially get their head around.
So, when we look at security in the remote workforce, this was a massive upheaval. In fact, you know, we've got a quote here on the screen from Satya at Microsoft, and we've seen two years' worth of digital transformation in two months. Now, how many people, whether you were the CEO or the IT department, I don't care what level you were, how many people would have predicted, say January 2020, that everybody on the face of the planet, if at all possible, would ultimately end up working from home within three months?
You're living in cuckoo land, it's not going to happen. I'm just going to continue the way I am, and I'm going to look at the new technologies out there. I'm going to look at the likes of Office 365, because it looks like it could be good for my organization, and I'm going to slowly sort of adopt that. I'll look at other organizations. I'll look at how they're adapting it. I'll look at what cost savings or extra costs may be incurred, but I'm going to do this slowly. I'm going to slowly absorb that into my organization, because organizations don't like root-and-branch change. It upsets them.
It upsets our shareholders. But then, literally, bam. Three months later, everyone's working from home. I mean, you probably even learned, Jan, that last year, there was a world shortage of laptops. You know, because people were just not equipped for it. How many of those laptops got shipped directly to the end user? Yeah, because you couldn't go into an office to go and pick it up; your IT department weren't there to configure it for you. So you were literally taking an off-the-shelf laptop.
And my big fear for when all this is over and we start to move back to the office, is how many of those laptops were sat on home networks with maybe not the best security in the world, maybe not the best encryption technology, maybe fairly loose security out of the box. How many of those laptops are going to wander back to an office and get plugged into a corporate LAN and all hell's going to break loose? We literally are going to be inviting the bad actors into our network, and we have to recognize that.
We have to effectively-- and I'm going to drag out an old phrase from years ago, which seems to have fallen into disuse. We are literally going to have to sheep dip everything before it comes anywhere near our office to make sure that it's still fit for the security model that we actually want to implement. And this is what the industry is referring to as zero trust, OK? You cannot trust anything. You can't trust that text message that you've just received purporting to be from your bank.
You can't trust the email from the CEO that says, can you please give me access because I need to do a bank transfer? You can't trust the laptop. You can't even trust your users. You don't know if they've been compromised. And that's a really, really bad place to be. But if we recognize that we are in that place, I'm sure we can work around it. So you have to assume that everything that you're dealing with has some degree of risk. Now, even if it's not necessarily coming from your organization, you're dealing with other organizations.
Can you put your hand on your heart and honestly say that they run their networks and their security regime as well as we'd like to think we run ours? That's a big problem for companies and we need to pay some attention to it. And when we look at the big squidgy thing behind the keyboard, the human? That's where really the vast majority of issues tend to arise from. You know, these stressors that increase these insider threats. You know, you've got minimal social interaction. We're humans, we love touchy-feely. We love talking to people. We love shaking hands.
This elbow pump, it's not natural to us. We want to trust our colleagues, our fellow humans, and hackers and bad actors know that. And they will potentially sort of social engineer you. You are working probably longer and harder than you have done in a long time, and you don't have that support. It's not as easy as walking down the office and going and having a quick chat with the guy in IT. You know, hey, I've just received this. Does it look OK? A lot of people, they can't do that, so they're going to have to make a judgment call on their own.
And unfortunately, that's just one of the problems with a remote workforce. Because, like I say, a lot of organizations, they did not have the support mechanisms in place from an IT perspective to adapt quickly enough to this new remote working model. It was new for them as well. And there's other issues, you know. I mean, unfortunately, we've seen mass redundancies, potential job losses. You know, do I really like the company I work for? Have I had enough? Am I going to take them down?
And remember, when we say bad actors, we're not just talking about the classic pimply-faced youth sat in his bedroom. We're actually talking about people like you and me, and that's a sad thing, because I may have a grudge because I've not had a pay rise for a long time, or I got turned down for a promotion. I've been with Quest for about 10 years now and I've done various roles. What's the chances that I actually still have access to old information? Because, maybe, for example, when I started, I didn't start working in marketing, but imagine I did.
I started working in marketing. A few years later, I moved into sales. Have I still got access to that marketing information? Then I started working in IT. Do I still have access to the sales information? What we would typically refer to as excessive privileges, group bloat. Do we actually still need to have all these group memberships, or should I take a look at minimizing the risk associated with not just me, as a user, to do harm or a disgruntled employee to do harm, but also the bad actor that's attempting to impersonate me?
If I've got those permissions, the bad actor's got the permissions. If I get compromised, we're in the network. That's what those people are looking for. So, social engineering, privacy, insider threats. These are all things that absolutely need to be taken into account. And with the pandemic, terrible things have happened, but I think great things have happened as well. If you do look at, hopefully, the good impact on people's work-life balance, you know, that's a good thing. I used to commute two hours every day just to go into an office to talk to colleagues.
Yeah, I miss shaking hands with them and having a laugh and maybe talking about football, but I can still potentially do that on the internet. But the problem is that that security boundary when I walked into the office, physically walked in, don't forget I was logically walking into a security boundary that was protected by firewalls and demilitarized zones and all sorts of state-of-the-art security, that security boundary now extends to my house and, of course, potentially all the other devices connected in my house.
And IT departments have very, very little control over that and we need to recognize it. OK, so here's a quick quiz for you, Jan. Any ideas on these numbers? Because I know I can just keep talking forever and ever.
Yeah, but for that, so far, no.
OK, so, let's just take a quick look at these, because these are numbers that Microsoft are actually publishing, and some of them are just terrifying. Yeah, if I was an IT administrator or a CISO or something like that, I'd be losing sleep over these. And when we look at, for example, just Azure, 1.2 million Azure accounts compromised each month, you know what, that's a terrifying number, but I actually think it's wrong. I think that's a really, really low number. It wouldn't surprise me if that number has shifted considerably or whether we're-- not necessarily, I wouldn't say not telling the truth, but maybe we're being a little bit-- maybe we're underestimating that a little bit.
Especially when you compare it to the next number, 95. 95 million Active Directory user accounts are under attack each day. OK, hang on a minute. That's 95 million accounts that are typically on-premise based, but only 1.2 million which are in the cloud. And, of course, don't forget, on premise, you usually need to have some sort of access to it. Whereas on the cloud, you just need an internet connection. So these are terrifying numbers and we have to take them really, really seriously.
This is another really, really interesting one, because going on over the past number of years, we've seen a massive shift in the way that people work. And I suppose, in one way, thank goodness, because without this shift, the pandemic, it would have wiped out a lot more companies and that is the shift to a hybrid environment. It amazes me even today, when I talk to customers, that a lot of them don't realize they're in a hybrid environment. And you say, no, we don't use Azure. Well, actually, have you got Office 365? Oh, yeah, yeah, yeah we use it. We couldn't have survived without it.
Hey, guess what, you more likely than not have a hybrid environment. If you've got Azure AD Connect synchronizing your on-premise Active Directory accounts up to the cloud, you're hybrid. Depending on how that Azure AD Connect is synchronized and the sort of functionality that you want to give to your users, this is a fantastic route back into that on-premise Active Directory. Because if I can gain access to an Azure account and I have the ability to reset its password and you've managed to configure your Azure AD to synchronize passwords back into on-prem, that's half the battle won.
I don't need to be in your physical boundaries anymore. I can literally be anywhere in the world, utilizing that potentially compromised account from the cloud to launch that attack into your inner sanctum, if you will. And then, this one, I don't know. Is this going to go up, or is it going to go down? Who knows? But a ransomware attack every 14 seconds somewhere in the world. OK, it's a matter of scale. It might be one person clicking on a link, initiating some sort of download of a malware. It might be a small network. It might be a one-man band.
But then, equally, it might be very similar to some of the terrifying attacks that we have seen perpetrated on security, critical national infrastructure, health care, et cetera. So it's something that we absolutely have to be aware of. We have to accept it. So, if we start drilling into a little bit more detail about this stuff, it's really simple, OK? You have to be prepared. I'm an ex-scout, OK? Our motto was "be prepared". You know, I don't think Lord Baden-Powell had industrial espionage in mind when he came up with the motto, but it is certainly a good one.
So what are we being prepared for? Well, we have to face the reality. It is not if you get attacked, it is when, OK? And once you accept that you are a potential target, whether that is direct or via a supply chain, you can start to prepare for it, and it's pretty simple. You have to have, literally, your finger has to be on the pulse of what's going on, and it all starts with the identity. So you're looking for anomalies within the usual day-to-day activity. It's about, you know, a user failing, for example, to join a group.
Why is Alice, in marketing, attempting to join our domain administrators group? You know, that is not Alice that's trying to do that. That's somebody pretending to be Alice, because we always start off with very low-level access, and we then traverse across our network and our Active Directory looking for those little weak spots, probing all the time, and I'm trying to do it in such a way that I'm not going to set your alarms off, OK? I don't want to raise suspicion because you'll know I'm there. So it's about putting tools in place that will proactively alert you.
Not only when things happen, more importantly when things fail to happen. So that's the detect and the prevent. If they get through that, and regardless of if they get through that or not, you have to have a recovery plan. You think about your Active Directory. If I took your Active Directory off you, think about what you're able to do and not able to do, because everything good in life, within 95% of the world's organizations, is somehow or other connected to Active Directory, because that's the current rate of AD adoption throughout these organizations.
So if I took your Active Directory off you, what can you do? Well, I was talking to a customer the other day and they said, actually, when you put it like that, Alistair, we can't even get in our building because AD is integrated into-- or rather that the door entry systems are integrated into AD, our security swipe cards, everything. We are literally locked out of our building. So, you have to have some sort of recovery plan. And as part of that recovery plan, you also need what I would refer to as a response plan, and that is a priority list.
So what is the most critical component to you? What is it that you, as an organization, can't live without? The clock is ticking on your organization's survival. If you were, for example, an e-commerce retailer, is it the ability to still take orders? Because without a website, you're not going to be able to produce any money. If you're into your customer relations, is it your call center, so that at least you can take and respond to any sort of phone call queries that may be coming in? So, look at what is the most important thing and draw a schematic, if you will.
Get yourself a big whiteboard and draw all your critical systems, and then draw the little lines, and you'll find that somewhere, Active Directory is absolutely in the middle of that, OK? The response plan, however, does not necessarily include these last bullet points that I've brought up, OK? Paying a ransom does not remove the attacker. Now, most attackers, they've been lingering around in your systems for a long time, looking for what is really, really of interest to you. They probably know more about your company than you do.
You know, they've got access to pretty much everything. And one of the key points of an attacker is because it does happen over such an extended period of time, they don't want to have to start from the beginning again every morning at 9:00 and work their way in. They want to maintain persistence, so they have got a back door in there. There will be a back door in Active Directory. Whether there will be back doors in other critical systems, I don't know. I suspect there probably is, but simply restoring everything is just going to simply restore that back door as well.
Paying a ransom doesn't remove those back doors. Yes, you might get your data back if you're really, really lucky, assuming you're dealing with a hacker who actually has a conscience. I've yet to personally come across any of them. And remember, once again, back in March last year, when they were talking about-- we won't attack pharmaceuticals. We won't attack anything connected to health care. Yeah, that lasted about 10 minutes before somebody went, well, if they're not going to, I may as well because I'll get some money out of it.
And focusing on preventing encryption, it's just not enough, OK? So you have to have an all encompassing plan. You have to be prepared for potentially every possibility and every permutation.
So, thank you, Alistair, for your insights on how the threats are actually developing and how you see the threat landscape right now in 2021. So let's talk a bit more about digital resilience and actually continue, hopefully, where you ended here, Alistair, because, well, as we see it from IDC, we see IT security also, at least in the perception of businesses, becoming an enabler for the business.
So even though we see the threat landscape change, and we see the threats are growing, we also see when we look at our security survey from 2020 that at least 44% of organizations (these numbers are from Europe) see security as a driver of competitive advantage or differentiation. And also, and I think that's the key here, 40% see it as an enabler of business efficiency. And this is where it becomes really interesting, because when you know that a security function is also an enabler for the business efficiency, you need to ensure that you pay attention and investments into your digital resilience.
And when we look at what the priorities are for your organization, or the main priorities when you talk about IT security, we can see these terms that we are mentioning when we are talking about ensuring visibility across the IT environment, data privacy and compliance, managing users' identities and access. So now, we are actually having this as a main priority. And delivering digital trust, you were talking about zero trust. And as we see it, to create that, it's about trust and the trustworthiness of your organization, you need zero trust in your IT security. That's absolutely paramount.
So, the cyber resilience strategy to enable the digital business is actually about the real-time monitoring. It is about the complete visibility, the intelligence, analytics, visualization, fully integrated support, speed of recovery, and automation, and actually creating that feedback, that loop, that creates a process. Not just a strategy that you have written and that you need to revise at some point, but one that you actually work with for digital resilience in your business on a day-to-day basis. So, Alistair, back to you, and a bit more focus on some of, well, let's call it hands-on: how do you do it?
Sure, OK. So when we look at, in particular, the Microsoft ecosystem from a cyber resilience perspective, you know, it falls into a number of different areas. So, I'll just whiz through these slides. The first thing is awareness, OK? You are a target. You're not a potential target, you are a target. Whether they are coming directly after you or whether you're going to get caught in the crossfire of part of a supply chain attack, it is irrelevant. You need to be aware that the threat is absolutely real. You need to be prepared, OK?
As I mentioned before, it is not a case of if. It is most definitely a case of when it happens. The only thing that's going to be really a question here of when it happens is scale. Is it going to be an inconvenience because a couple of laptops have been hit by malware, because of some download? But it's OK because I was able to react very quickly, disconnect the systems, disinfect anything that they have that may have potentially been touched, or is it going to completely and utterly take me out and put my organization flat on its back?
I'm going to lose credibility in the market. My share price is going to be affected. I'm never going to have any of the customers ever again. It's scale, OK? Like I say, it's not if, it's when. The only question is, how do you respond to it? Critical to that is identification. You have to know, as you quite rightly said, Jan, who is doing what. Whether that is a user at a workstation at home, logging on, accessing data, running particular programs, locking the workstation for lunch, coming back an hour later.
Whether it's that or whether it is people authenticating, people changing group memberships, people traversing around the network. So let's just say, it's really important to know who is doing what successfully, but it's probably more important to know who is failing to do certain things and having a good view of that. A response, OK? It's about having a plan. Now, as I say, it's really difficult because you don't know when it's coming at you and you don't know what's coming at you. You just know it's coming at you. And the problem is that, it's not a case of one size fits all.
You have to test different scenarios because different things are going to happen. But one of the things that I am pretty certain is going to happen is that your Active Directory or your Azure Active Directory is going to take a hit. And if it's going to take a hit, you have to sit back for one moment and say, do I trust it? Do I believe that it is clear of back doors? Do I believe it is still fit for the center of my digital authentication? And if you can say that, that's fine, but you need to be able to recover it. So, have a plan. And for goodness sake, test that plan.
Recovery, OK? When you swing that plan into action, you have to be able to do it. And you've got to do it in such a way that it is going to produce the results you want, and that you can pretty much guarantee you need, in a time which is acceptable not only to the business but to your users, whether those are your customers or whether those are your employees. And detection, OK? It sort of ties in with the identification. It's about knowing who's doing what, but it's being able to look for those anomalies.
What I would refer to as, for example, the impossible log on. You know, the guy who normally logs on at 9:00 in the morning in an office in London. He does it day in, he does it day out. He logs in. There's a pattern to it. He logs in, he logs off. If he logs in at 9:00 in the morning in London on a Tuesday, and then 15 minutes later, logs in from an office in St. Petersburg or Beijing, does that normally happen? Is it physically possible to do this? Has somebody got his credentials?
We want something somewhere to literally just light up. The sort of comedy alarm goes off, if I can describe it as such, and we want people to swing that response plan into action. So when we move into the identification and the detection, remember that if you're in a hybrid world, you know, where you've got an on-premise Active Directory and you've also got an Azure Active Directory, and just to remind you guys, even small organizations: "We don't have Azure AD, we've got Office 365." Yeah, actually you do.
You just never see it because you go into the Office 365 portal and you create a user account. Guess what, you've got Azure AD in the background. It's just not necessarily being exposed to you. Larger organizations, they will go into the Azure AD portal and they will populate it with users and groups, or they will set up a connection between their on-premise Active Directory and their Azure AD tenant, and they'll simply synchronize information up. Remember, you've got a complex environment. Before, you had one directory. It was on premise. It was behind your firewalls.
Now, you've got two. Part of it is on-premise, part of it is up in this cloud-based hybrid world. And it's just as critical, if not more critical, that your Azure AD is inspected and checked on a regular basis and backed up as if it was on-prem. It is your crown jewels. I can't emphasize this enough. Without your on-prem or your Azure AD, you're not going anywhere fast. So from a hacker's perspective, that's the crown jewels. The more applications that you start to add in, SharePoint, Exchange, and, of course, the prevalence of Teams, this is just going to start growing and growing and growing.
A lot of customers, once again, they're not necessarily aware of what is in Azure AD, but trust me, you know, I mean, everybody uses Teams. But a lot of customers don't understand that every time a user creates a new team, what's actually happening in Azure AD is you're getting a new group, complete with membership. So, is that group being protected? Is the membership of that group correct? So we just open this group up to everybody. Could I potentially use that as a foothold into your environment?
So it's about the control and the management of these groups, and it is just going to continue to grow and grow and grow. And when that team is no longer needed, when that virtual team is no longer needed for a project or whatever reason it was created, delete it, get rid of it. It's not needed. And by deleting it, you'll actually delete the group inside Azure AD. And it could well go in the bin, it may well be halfway deleted, the point is it's one less group to carry around. It's one less entity for a potential bad actor to start prodding around in.
So auditing is absolutely key, and we're going to talk about what Quest can do for you. So when we were purely on-premise, we had a-- well, we still do have a fantastic product called Change Auditor. And the great thing about Change Auditor is, first of all, it does not utilize native event logs. You know, I always look at native event logs. And even after like 30, 35 years of working with Microsoft, I have to Google, or if I'm going to be Microsoft, I have to Bing what the event ID is to find out what happened. I don't have the time to do that.
If I'm under attack, I need to know now. So where Change Auditor is great is, first of all, it doesn't utilize native event logs. Because, as a hacker, once I've done something, I'm going to delete or clear your event logs. So we take the information about these events and we store it independently. We put it into what we call normalized "multiple W" for you and I. We show you, in plain English, who made the change, what was affected, when it was affected, date and time, where that change occurred.
And we can reach down into workstations and we can show what people are doing, and we can also collect those native logs, and we're very, very intelligent in what we do with them. You know, so, for example, it's not going to cost you a fortune to store them. It just goes into a bog standard SQL database, and we'll compress them, depending on, obviously, what it is that you're actually looking at. But Change Auditor was always inherently on-premise, but then, we moved into this bright new world of cloud-based technology and we needed to take our technology and cloudify it.
So we developed our On Demand suite of products. And one, in particular, called On Demand Audit is designed to give you that same, rich, "multiple W", plain English information, but this time, associated with everything that's happening in the cloud and your cloud workloads. So we monitor Office 365, group membership changes, we'll do your SharePoint, we'll do your Teams and your Exchange. We'll monitor the underlying Azure Active Directory and we'll show you exactly what's going on.
And we'll store that information for you for up to about 10 years, depending on the subscription that you would take from us. We'll allow you to visualize what's actually happening and we'll present, in a normalized view, what we would refer to as a human readable view, rather than some nondescript event log. But we went more than that. Because, once again, we don't want to have our customers going into one interface to see what's happening in the cloud, going into a different interface to see what's happening on-prem. We want to try and make this as simple as we possibly can.
So what we did was, we integrated our Change Auditor, remember, historically on-premise, with our cloud On Demand Audit. So what we now do is, we actually send all the information from our on-premise instances, and we send it up into our On Demand Audit. Now, that has a benefit for the customer because they no longer need to maintain the on-premise SQL database in order to store these events, plus, they now get a normalized view. So they'll see on-premise events, followed by cloud-based events, followed by et cetera. So you get to sort of tell the story of what's actually occurring.
And if you can follow a story and you can follow that in your native language, you've got to be able to react quicker and understand what's happening a lot better. Just a couple of screenshots here. So, once again, what we're trying to do, as part of this data visualization, is draw your attention to things which we think are important. So this is actually the home screen for On Demand Audit and you can see, for example, the number of events and where those events are coming from and, in classic heat map fashion, the bigger the event, the bigger the proportion of the pie chart or the square that it takes up.
You can also see spikes and you can then click on those and you can start to drill down into a little bit more detail. And in continuation of those visualizations, this is one of my favorites; whenever I'm talking to a customer, I always tend to demo this particular one. But very, very quickly, you can see failed and successful. You obviously want to focus on the failed ones. You can see who's logging on, almost like a pie chart, and we've integrated into the maps from Microsoft. So you can actually see where people are logging on from.
I'm not going to do it, but trust me, it's interesting because when I demo this to my customer, it actually lands within about 300 yards of where I physically live. It's quite impressive. So, yeah. So it's all about having your finger on that pulse, knowing exactly what's happening. Once you've worked out what's happening, you then need to be able to respond. And in my mind, things tend to fall into one of three categories. There's the oops moment, as I refer to it. This is not malicious, necessarily.
This is an overconfident, level one, help desk guy who's just deleted a group, but he didn't read the group description or he didn't read the group name closely enough and he's just deleted it. And, of course, if that was on-prem and we were using Azure AD Connect, well, hey, guess what, that oops moment has just been replicated up into Azure. So we need to be able to put that back because, potentially, users are not doing what they're supposed to be doing, i.e. producing work and accessing data, because of a group membership. So it's a whoops. It's a mistake.
Corruptions, you know, it happens. When we look back at what Quest have done with our Active Directory recovery tools, around about sort of 2007, 2008, we actually found, interestingly enough, a big increase in the number of corruptions that were occurring in Active Directory. It wasn't malicious. It just happened. And it was actually because people were beginning to get a little bit overconfident with Active Directory. You know, oh, yeah, sure, I can make a schema modification. Just give me two minutes, it'll work.
It was also because people were actually upgrading versions from one version of Exchange to another. And if their Active Directory, you know, didn't quite replicate in time, it typically ended up in a corruption. So we came up with a tool that would allow us to follow Microsoft's best practice for forest recovery, but in an automated manner. The major feature, however, about it that I love is its automation, you know. There's no fat finger syndrome. There's no bad password typed in because it's all stored in a project.
And if you can automate, you can massively reduce down the amount of time taken to get rid of that issue, to recover and get back to normal. And we have also responded, again, because of the massive increase in malware attacks. So we developed our disaster recovery edition for Recovery Manager for Active Directory. And this is designed to give you choices. You know, whether you put the whole operating system, complete with Active Directory, back using a bare metal recovery, or whether you actually say, I don't trust that backup that I had because it may have been compromised.
In fact, I may have even backed it up in a compromised back state. So, what we'll do is we'll build some new operating systems for our domain controllers, and then we'll simply do a restoration of our Active Directory onto that clean operating system, and we're giving you a lot of choices about how to respond. I mentioned before about having a plan working out what is absolutely critical to your organization and what can come later. Well, how about what we refer to as a phased recovery?
Now, I must get my minimum number of domain controllers up and running so at least my telephone system works, and I'll worry about the others later. So, why not restore those five domain controllers and, because I don't trust the compromised hardware, maybe I'll restore them into Azure. So I'm effectively building up my Active Directory, so that I can recover from the potential disaster. I've got my minimal systems up and running, and then what I'll do is, when I'm happy, I will simply scale out.
So we'll use bulk install from media or different recovery methods to bring that Active Directory back. And as part of that bringing back, don't forget, that's on-prem. You've also got Azure AD, so we can look at the different approaches of, maybe, restoring objects and group memberships and attributes that may have been affected within the Azure AD, or maybe, we'll just look at doing a mass synchronization from on-prem back up to the cloud, and then put back the bits where we maybe have an issue.
So we look at fully automating, and this is something that I really, really do suggest that customers do. You know, the more that you can remove a fat finger or a decision out of the recovery process, the better. You don't want people sat there scratching their head going, umm, do you think we should do this? You don't want that when your house is on fire. You need to know how the fire extinguisher works. And that's where Quest have been really, really good. We've included absolutely everything that we can think of.
In fact, quite some time ago, we even included within our disaster recovery tools a sandbox environment, which clones your production Active Directory over into a virtual environment and lets you go away to your heart's content and play. You don't want to run a schema modification or some PowerShell script that you've never tested before, so run it in a sandbox. And, once again, don't forget, we still have Azure AD. I've talked about this, and this is why we've got our On Demand Recovery program.
And it's designed to look after all the little nuances, all those things that Microsoft told you not to worry about. Well, guess what, those are the things that you should be worrying about, hard deleted groups, cloud-only attributes. Now, think about if you deleted a user. Azure will look at that user as a new user, not as a replacement. It'll look at it as a new user. So, therefore, it will get a new mailbox. What you've now got to do is manually go in and reconnect that user to their mailbox, and that's not something that a lot of customers actually think about.
OK, so thank you very much, Alistair, for taking us through some of what you actually can do here. And we were talking about resilience, cyber resilience, digital resilience. So, to wrap it up, what's next? Well, at IDC, well, we look at this picture. So we are in times where we are seeing business and digital being not only integrated, but actually woven together into this infrastructure, into one process that's actually moving on. So digital transformation and businesses, actually, we are at the point where these parts are integrating.
So, from our analysts' perspective, the key takeaways: well, monitor who is doing what in your digital infrastructure. This is key to create the fast and relevant solutions. Well, and cyber resilience, not only as a label but as a process, is an indispensable factor to ensure your operational excellence moving forward and to actually create effective business in the future. And then, automate the recovery tasks of all IT environments. So, Alistair Holmes, from Quest, thank you very much for being here today.
Thanks very much, Jan.