Show Transcript
Hide Transcript
[MUSIC PLAYING] Hello, everyone. we were going to call this show The Brian and Bryan Show. But let me start by saying, my name is Ghazwan Khairi. I'm a principal systems consultant for Quest. And I'm joined by Bryan Patton, Principal Systems Consultant, and Brian Hymer, Strategic Solutions Architect for Quest.
Today's short topic will be and should be the focus for every single organization that depends on Active Directory for its authentication or authorization. We will cover Active Directory, Disaster Recovery Edition for Quest. So we're going to introduce Quest's Recovery Manager for Active Directory.
Mr. Hymer, we're going to start with you. The last figure I have in front of me is 10 million daily attempts on hacking Azure Active Directory accounts. And I know the figure last time I checked was like 95 million or 100 million daily attempts on on-prem Active Directory accounts. How can Quest help?
Active Directory is key to the industry, right? It is the primary authentication method across most corporations and organizations today. And if Active Directory is down, everybody is down. It doesn't matter. As a matter of fact, I even remember hearing that in the Maersk attack back in 2017. If Active Directory can't get recovered, we can't recover anything.
Quest has built unique solutions around Active Directory recovery for a long time. And the Disaster Recovery Edition, our latest addition in that scheme of tools, allows you to recover Active Directory even from a ransomware attack.
Yeah. Then, why do you think that's important for customers to have a disaster recovery plan in place? And also, you work with a lot of customers, a lot of national customers. What's the percentage of customers who actually have a disaster recovery plan in place, in case they get attacked by ransomware or other attacks?
Well, I think it really depends on-- I think a lot of customers have a plan. But I don't think it's necessarily a fully developed plan. They traditionally will talk to a different backup vendor who they say can do restoration of all these different systems. But the system relies on Active Directory to authenticate via either on-premise or in Azure Active Directory. Do you have a plan in place to get that up and be able to authenticate prior to be able to restore all their applications and data, which use that authentication to begin with?
So you have to do the first step before you can get to the second stop. A lot of people think that they're covered, but they only really realize they're not covered after practicing. Once you practice, you realize the different caveats of what it really takes to do a full Active Directory restoration, or even about just like an Azure AD misconfiguration with-- a conditional access policy is an example.
Yeah, Bryan actually brought up a really good point. And I can't tell you how many times I've talked to a client that says, you know, we're moving a domain controller into our disaster recovery area so that they can do their disaster recovery testing. I came back and said, well, have you tested recovering Active Directory? And they go, what? Why would I need to do that, right?
And in a physical disaster, that's not an issue at all. But in today's area of cyber warfare and cyber criminals, ransomware is infecting domain controllers across the corporation. So it's no longer a geographic physical location type disaster. It is a cyber disaster across your entire forest.
And by default, Active Directory is highly available, again, to multiple different domain controllers. But to your point, Brian, the likelihood of a Red Square attack happening is at an all-time high. These types of attacks not happening 10 years ago, they've really kind of surfaced in the last three or four years. And now everybody can see that the likelihood is a lot more likely in their organization. So you have to have a plan to respond in the event that situation does occur to you.
It's true, so true, Bryan. And like you said earlier, being able to test that recovery is key.
Well, let's talk about that. So let's tie all that into-- Hymer, what's your top two features in the newly released Disaster Recovery Edition that allows customers to achieve that kind of coverage against their Active Directory effects?
Yeah, good question, Ghaz. So we just released 10.1 last month. And my two favorite features there, the first is clean OS recovery, an absolutely paramount way to recover your Active Directory. And I'll explain why. And the other is the ability to phase your recovery, whereas we used to do just a single forest, everything at once type recovery. Now you can do recovery in phases. We have a new mode called repromotion, which allows you to promote new domain controllers to replace your existing domain controllers in a forest during a disaster.
And you know what? And Bryan Patton, I know you mention this all the time. You always say, oh, flexibility and options. Either one of you, what's flexibility and restore options from a Quest standpoint?
Well, every customer is different. Some still want to restore using bare metal recovery. Others you'll want to restore using a non-tainted operating system they can validate is clean. So we give you the option and ability to do whatever twist as you need, not only on-premise, but even out to Azure AD. Because if you're talking about disaster recovery, you also have to consider all the different stuff that's located in Azure Active Directory, as well as the attack surface is really expanded out with a proliferation of Office 365.
Right, so beyond the perimeter of your own corporate network, for sure. Clean OS recovery is great. Because what we do is we take an Active Directory system state backup. And if you don't know, it only includes the NTDS directory and your sysvol, and then a few registry keys, not the whole registry, but just things pertinent to Active Directory. It's not a system state backup as you would on a server, which really includes everything.
We call them RMAD backups, R-M-A-D, Recovery Manager for Active Directory. That's our internal name. But if you use those to do your recovery, the footprint where malware could sit is greatly reduced from a bare metal backup. And that's great because, what's to say you weren't infiltrated with some sort of 0 day exploit? A 0 day exploit, it's kind of like the coronavirus was in the beginning. No human had ever seen it before and so it's not detectable in the cyber world.
So your antivirus isn't going to see it. And what if that exploit sat dormant on your systems for quite a while, say a month, say two months? Maybe the backups that you have have even got that same exploit sitting on them now. And any backups you had that were clean from before that exploit was laid down, they've rolled off. You're not even retaining them anymore. When you go to recover, you might be restoring that 0 day exploit right back into your environment.
And Bryan Patton, I think you and I have talked about this. A lot of companies that are having infiltration, ransomware isn't being used for you to pay the ransom. It's kind of being used like a hand grenade thrown over your shoulder as you leave. You blow everything up, and that obfuscates your attack vector so people don't know how you got in or what you did while you were in.
Yeah, a good portion of the people that pay the ransom don't get their data back. And it's interesting, like even looking at the NIST Cybersecurity Framework, they had an update, back I think in 2017, around supply chain and risk management. Understand your supply chain, because a lot of times, that can actually reintroduce some kind of infection as well.
Yeah, true.
[MUSIC PLAYING]
Cool. Thank you guys both for your time, and until next time.
Thank you.
Cheers.
