Why Active Directory backup and recovery is critical to cyber resiliency

Hi, I'm Paul Robichaux, one of the senior product managers at Quest Software, and with me is Mike Weaver. Hi, Mike. Hi. So we want to talk about Active Directory recovery, why it's important, and what you should be thinking about as you wonder whether your Active Directory is recoverable or not. What do people care about that, Mike? You know, it's interesting? With ransomware, a lot of people focus on their files being encrypted or websites or certain actions. But what a lot of people lose track of, a huge target, is actually Active Directory. And for a lot of people, you think they can say, oh, not a big deal. I'll just pull an employee list and reactivate it. But when you think of everything that's in AD these days, I mean, you can't even get in the front door of the building without Active Directory up for most organizations, and you can't get to files. So really, Active Directory has become a really successful target for ransomware and what we're seeing, this great acceleration of these threats in the last few years. So you're absolutely right. Attackers are going to always look for the most vulnerable part of an enterprise network, and the truth is, identity is-- it's so key to everything that people do in a modern enterprise. Microsoft has been very successful at getting people to buy into the notion of having a hybrid directory. And that's great for Microsoft. It's been good for enterprises. But it also means that you now have maybe bigger point of vulnerability than you've had before. One request, support engineers, talks about the notion of Active Directory as being sort of like the keystone in the arch that holds up your bridge. If you pull that keystone out, everything collapses, and you have nothing but rubble. Yep. And that's true of Active Directory. So if you're thinking about whether or not you need to secure it, I think the answer is an unequivocal yes. But then the question becomes what does it mean to secure it, right? A lot of people focus on the security aspects of, oh, I'm going to harden it. I'm going to have better controls. I'm going to use MFA. But let's talk about how you recover it after an attacker successfully attacks you because there are those who have been attacked, and there are those who will be attacked, right? Absolutely, and that's where obviously with any backup plan, it's practicing a recovery. But it's very difficult to do that. In a lot of cases too, you have to remember you're going to have to rebuild these servers from scratch in those cases. And in a crisis situation where your directory is down, so you can't get to everything, and people can't log in, and administrators are really struggling that's where a lot of these bare metal recovery options come in to help you really as quickly as possible get a base recovery up and running so that you can keep moving through the rest of your recovery plan. That's absolutely true. One way that I like to think about it-- or maybe like it's not the right word. But one way that I think you can think about it, any hospital can deal with one person who is in an auto crash. But if you have a crash that involves 50 vehicles all at the same time and all 50 of those patients go to the same hospital, it's much more difficult for the hospital to keep up. And the same thing is true with AD recoveries. If you have one domain controller that fails or is compromised or becomes corrupted, OK. Everybody knows how to restore that, right? That's a time-tested, well-understood process. Everybody knows you take that one machine offline. And that's fine because you have other machines that can back propagate or replicate their data back to that failed DC. But what happens when they're all bad? All of your doses go bad at the same time or within a very short window. It's completely-- Or with ransomware, the bad data gets replicated-- Right, and that's exactly what I'm talking about. The spread of that badness, if you will, makes it much more difficult to troubleshoot the problem because unless you are able to very quickly isolate some segment of the network that you know is good, how do you recover? Well, one way to do that is to create a known good branch using a recovery tool like Quest's Recovery Manager for Active Directory, in particular the Disaster Recovery Edition. Or we call it DRE because Recovery Manager for Active Directory Disaster Recovery Edition is a lot to say. So let's talk about what makes DRE unique in its abilities. Why would you want to use DRE to solve this kind of ransomware problem instead of just doing a manual restore process like the one Microsoft documents? I think a lot of it is you're in a crisis. It's a lot less steps. And when you're dealing with a crisis, you're having all these other problems going on. This handles nearly all the recovery steps to bring that directory back. Obviously, you need to train professionals to help you do it. But the amount of steps that it takes to recover is far, far less with a third party tool like the Quest recovery product. Right. DRE has some capabilities that a lot of people don't know about, and why would you? If you haven't had a disaster, then you wouldn't necessarily be Au Courant with all the things that Disaster Recovery Edition can do. But just to give you one example, you can take your recovery images and store them in secure storage. It's not on your network. So you don't have to worry that if your network is compromised and your domain controllers are compromised that, oops, I have a backup, but I can't use it. You