Welcome. This is Quest Unscripted, a vlog series on trending topics--
And Quest solutions related to Active Directory--
Oh, and don't forget Azure AD.
You are here because you have questions.
We're here because we have answers.
We will address questions we've received from customers--
Who experience the same challenges as you--
All with the goal of helping you confidently move--
And secure your Microsoft environment.
We call the show Quest Unscripted because--
Except for this intro--
Nothing we say is scripted or rehearsed.
And we're pretty sure you'll notice that right away.
Hello, everyone. We were going to call this show The Bryan and Brian Show, but let me start by saying my name is Ghazwan Khairi. I'm a principal systems consultant for Quest, and I'm joined by Bryan Patton, principal systems consultant, and Brian Hymer, strategic solutions architect for Quest.
Today's short topic will be-- and it should be the focus for every single organization that depends on Active Directory for its authentication or authorization-- we will cover Active Directory Disaster Recovery Edition from Quest. So we're going to introduce Quest Recovery Manager for Active Directory. Mr. Hymer, we're going to start with you.
The last figure I have in front of me is 10 million daily attempts on hacking Azure Active Directory accounts. And I know the figure, last time I checked, was like 95 million or 100 million daily attempts on on-prem Active Directory accounts. How can Quest help?
Active Directory is key to the industry. It is the primary authentication method across most corporations and organizations today. And if Active Directory is down, everybody is down. It doesn't matter. As a matter of fact, I even remember hearing that in the Maersk attack back in 2017. If Active Directory can't get recovered, we can't recover anything.
Quest has built unique solutions around Active Directory recovery for a long time, and the Disaster Recovery Edition, our latest edition in that scheme of tools, allows you to recover Active Directory even from a ransomware attack.
Yeah. And, Patton, why do you think it's important for customers to have a disaster recovery plan in place? And also, do you think like-- you work with a lot of customers, a lot of national customers-- what's the percentage of customers who actually have a disaster recovery plan in place in case they get attacked by ransomware or other attacks?
Well, I think it really depends on-- I think a lot of customers have a plan, but I don't think it's necessarily a fully developed plan. They traditionally will talk to a different backup vendor who they say can do restoration of all these different systems, but the system relies on Active Directory to authenticate, be it either on-premise or in Azure Active Directory. Do you have a plan in place to get that up and be able to authenticate prior to being able to restore their applications and data, which use that authentication to begin with? So it's-- you have to do the first step before you can get to the second step.
A lot of people think that they're covered, but they only really realize they're not covered after practicing. Once you practice, you realize the different caveats, what it really takes to do a full Active Directory restoration, or even about just like an Azure AD misconfiguration with-- a conditional access policy is an example.
Yeah. Bryan actually brought up a really good point, and I can't tell you how many times I've talked to a client that says, "We're moving a domain controller into our disaster recovery area so that they can do their disaster recovery testing."
And I've come back and said, "Well, have you tested recovering Active Directory?" And they go, "What? Why would I need to do that?"
And in a physical disaster, that's not an issue at all. But in today's era of cyber warfare and cyber criminals, ransomware is infecting domain controllers across their corporation. So it's no longer a geographic, physical location-type disaster. It is a cyber disaster across your entire forest.
And by default, Active Directory is highly available, again, to multiple different domain controllers. But to your point, Brian, the likelihood of a ransomware attack happening is at an all-time high.
These types of attacks weren't happening 10 years ago; they have really surfaced in the last three or four years. And now everybody can see that the likelihood is a lot higher in their organization, so you have to have a plan to respond in the event that situation does occur to you.
It's true. It's so true, Bryan. And like you said earlier, being able to test that recovery is key.
Well, let's talk about that. So let's tie all that into-- Hymer, what's your top two features in the newly released Disaster Recovery Edition that allows customers to achieve that kind of coverage against their Active Directory attacks?
Yeah, good question, Ghaz. So we just released 10.1 last month, and my two favorite features there are-- the first is clean OS recovery, absolutely a paramount way to recover your Active Directory, and I'll explain why. And the other is the ability to phase your recovery. Whereas we used to do just a single-forest, everything-at-once type recovery, now you can do recovery in phases. We have a new mode called Repromotion, which allows you to promote new domain controllers to replace your existing domain controllers in a forest during a disaster.
Yeah. And you know what? And, Bryan Patton, I know you mention this all the time. You always say, "Oh, flexibility in options." I mean, either one of you, what's flexibility in restore options from a Quest standpoint?
Well, every customer is different. Some still want to restore using bare-metal recovery. Others will want to restore using a non-tainted operating system they can validate is clean.
So we give the option and ability to do whatever choices you need, not only on-premise but even out to Azure AD, because if you're talking about disaster recovery, you also have to consider all the different stuff that's located in Azure Active Directory, and the attack surface has really expanded out with the proliferation of Office 365.
Right. So beyond the perimeter of your own corporate network, for sure. Clean OS recovery is great because what we do is we take an Active Directory system state backup, and that only includes-- if you don't know, it only includes the NTDS Directory and your SYSVOL and then a few registry keys, not the whole registry but just things pertinent to Active Directory. It's not a system state backup as you would on a server which really includes everything. We call them RMAD backups, R-M-A-D, Recovery Manager for Active Directory. That's our internal name.
But if you use those to do your recovery, the footprint where malware could sit is greatly reduced from a bare-metal backup, and that's great because what's to say you weren't infiltrated with some sort of zero-day exploit? A zero-day exploit is a-- it's like the coronavirus was in the beginning. No human had ever seen it before, and so it's not detectable in the cyber world. So your antivirus isn't going to see it.
And what if that exploit sat dormant on your systems for quite a while, say a month, say two months? Maybe the backups that you have, have even got that same exploit sitting on them now, and any backups you had that were clean from before that exploit was laid down, they've rolled off. You're not even retaining them anymore. When you go to recover, you might be restoring that zero-day exploit right back into your environment.
And, Bryan Patton, you're-- I think you and I have talked about this. A lot of companies that are having infiltration, ransomware isn't being used for you to pay the ransom. It's kind of being used like a hand grenade thrown over your shoulder as you leave. You blow everything up, and that obfuscates your attack vector, so people don't know how you got in or what you did while you were in.
Yeah. A good portion of people that pay the ransom don't get their data back.
And it's interesting. Even looking at the NIST Cybersecurity Framework, they had an update back, I think, in 2017, around supply chain risk management. Understand your supply chain, because a lot of times, that can actually re-introduce some kind of infection as well.
Cool. Thank you guys both for your time, and until next time.