¶ Introduction and Sponsor Spotlight
But where you, you could like have a lower privilege user that maybe has group policy rights on a domain controller or an OU that holds domain controllers, I should say. And effectively you're a domain admin, right 'cause you could go put, you know, logon scripts and other things or startup scripts
in that, that GPO. And that's where things get complex because right like we're all, we're focused on identity, but there's also attacks on like the other components of Active Directory that can lead to identity compromise, even though right like group policy isn't like a component of identity and access management aside from like being stuck into Active Directory. So.
This is identity at the center. If it has anything to do with IAM, this is the go to podcast now your hosts Jim McDonald and Jeff Stedman. Welcome to the Identity at the Center podcast. This is Jim McDonald. I'm here without Jeff today, but I'm here with a special guest, Eric Woodruff, who we've had on the podcast in the past. It's time for another Sponsor Spotlight episode now.
Eric was on with us as a credentialed expert in the field in the past on episode 191. Glad to have him back, this time for a Sponsor Spotlight episode, and the Sponsor Spotlight episodes are special episodes that are created in collaboration with our sponsor, in this case, a company called Semperis, to delve more deeply into their viewpoints on specific security solutions in the IAM market.
Now to make this crystal clear, the fully sponsored episode, this allows us to, what I like to say is, take the handcuffs off in terms of, you know, understanding these deep insights with the expert, but also understanding how their solution solves specific problems in the industry. So with all that being said, let's get going and uncover the latest ideas and innovations within the
¶ Eric Woodruff's Background and Role at Semperis
digital identity industry and our sponsor, Semperis. So welcome to the show, Eric Woodruff, senior security researcher with Semperis. Hey, Eric. Hey, Jim. No, thanks. Thanks for having me on here. Yeah. Glad to have you today. So we spoke with you way back on Episode 191. That was in December of 2022. And I'm wondering, what have you been up to since we recorded that episode? I'd, I'd say a lot. I mean, honestly, that was the, the first podcast I was ever on and, and I was nervous.
So I, I hope I come across less anxious these days, but yeah, I, you know, just chugging away still at Semperis working in our security research team these days, focusing on, you know, Active Directory and Entra ID sort of security. And out speaking about it, which I
enjoy. Pretty heavy title that you got, senior security researcher at Semperis. So tell us a little bit about what you do in your day-to-day and then for people who maybe aren't as familiar with Semperis, what the company does. Yeah, no, I, I mean, so for myself I'd say there's always kind of new emerging threats around Active Directory and Entra ID. I mean, I in particular am more focused on Entra because that's kind of my area of expertise.
But we've got a team of, you know, a handful of us where we're just sort of, you know, tracking the trends in, in security around identity, new threats, doing our own research on, on potential vulnerabilities, things like that. Yeah, that's, that's what I'm up to and, and do.
And eventually the things, the stuff that we work on is released in both Purple Knight, which is one of our, our free products for assessing Active Directory and Entra security, and also used within our commercial product DSP, which is Directory
Services Protector. And I mean, as far as Semperis, you know, we're probably most known for Active Directory Forest Recovery or ADFR, which is our sort of like DR product for Active Directory. But I, I think these days, you know, we'd be sort of in the category of ITDR companies, again focused primarily on Active Directory and Entra right now. We got a little Okta mixed in there, but. Yeah, I mean, like pretty much most organizations are running
AD and Entra ID at some level, and usually it's, it's about, you know, as important of a platform as there is in most enterprises. And you know, I think that ADFR tools probably saved a lot of people's bacon in terms of being able to recover a forest that has been corrupted intentionally or unintentionally. Either one can happen, but I
¶ Importance of Active Directory in Enterprises
wanted to ask you, so I kind of said my piece in terms of why I think AD is so important in terms of being a focal point for your identity security. What are your thoughts? Yeah. I mean, I think it's hard to find an enterprise out there that, that doesn't have Active Directory, right? Sort of like putting your opinion about Active Directory and Microsoft aside, like, but everyone's kind of got it. You know, there's, there's other components in Active Directory like group policy, right?
Like it's not just identity, which also makes it more complex, because if you have a huge Windows Server farm or you're not in the cloud yet and you're managing client devices, right? Like, yeah, it just has its fingers in sort of so many things that if Active Directory is, is gone, you know, intentionally, unintentionally, even for a brief period of time, right? I mean, a lot of organizations, I mean business just grinds to a complete halt, so.
Yeah, I mean that's your, your e-mail system, your login system for your desktop, networking capabilities, and a lot of your applications wind up being integrated with it as well for authentication, sometimes authorization.
¶ Threats and Vulnerabilities in Active Directory
So I mean, I want to talk about some of the specific threats you as a senior security researcher know about, but I also want to just generally make the comment that it seems like a ransomware on Active Directory could have devastating effects for an enterprise. Yeah, no, absolutely. And I'm, I'm not good at retaining like specific cases or statistics in my head. But I mean, organizations, right, will lose millions of dollars a day. We have folks that work in incident response, right?
So if, if companies are having like an Active Directory ransomware incident, we have our breach preparedness and response team that you can call and, you know, we'll kind of come in and, and help try to kick the threat actor out. But you know, in, in talking to them and sort of hearing like their their war stories and what they've seen. Yeah, I mean, it can be very devastating.
I mean, there, there's cases of companies just like going out of business from, you know, Active Directory becoming ransomwared. So it goes back to the case and available. Yeah, nothing. Nothing works. We saw some cases, I mean in the last couple years, where ransoms got paid in the tens of millions of dollars.
I guess the alternative is like if you're, if your Active Directory is completely owned and you can't get e-mail, you can't communicate with the outside world, access any of your files or your applications, you're pretty much at the mercy of those ransomware actors, right? Yeah, I mean, you're at their mercy, but also they're not always, right, the most trustworthy folks, 'cause there's, there's times where organizations will get ransomed and they'll pay the ransom and they'll be like
double extorted. They'll also be a target, right? So you may have fixed one, you know, you, you plugged up one hole in the dam. But if there's other things open also, like other ransomware groups may start to come after you knowing that you'll, you'll pay, right. So there's, there's a lot of scenarios where it can get dicey whether, whether you pay the ransom or not, 'cause you're, you're probably going to become a higher target for, for these folks out there, the, the threat actors.
Absolutely. I mean, once you kind of show that you'll pay the ransom, then it's kind of like damned if you do, damned if you don't, I guess.
But I think the, you know, at least from what I've seen, the ransomware actors, typically they rely on just getting in the front door and then running some exploits that are kind of like known within Active Directory. And you know, I can, you know, pass the hash is one that people talk about all the time, and Mimikatz, which I think is just basically the tool that's
used for that. But I used to be an Active Directory administrator, believe it or not, way back in NT4, in the early days of Active Directory after Windows 2000. And I just think of all the times I logged into end devices, laptops and workstations with my administrator account and left that hash sitting there on the, on the hard drive. How relevant is pass the hash and what are some of the other exploits that are popular these days?
Yeah, I mean, I'd say pass the hash is still relevant, right? It's, it's really as much of a, you know, a, a technique, right, where you're, you're harvesting the, the hash for, you know, user credentials on a Windows device usually. And right, depending on what privileges that user has, you may then try to use it to, to sort of move into other systems. I mean, there's a lot of attacks out there.
Probably the more sort of talked about ones are things like a golden ticket attack, you know, DCShadow, DCSync attacks. But I think the thing that's sort of interesting is most of these attacks are sort of like late stage post compromise, like a domain admin's already been owned. Like Golden Ticket in particular is effectively that the, the KRBTGT password has been compromised and that's sort of used for everything else in Active Directory. So, can you explain that for us?
So there's, there's the Kerberos ticket granting ticket. So basically there's an account in Active Directory that is used for granting tickets for everything else in Active Directory. And, and this, this account is like a special account in AD. That's the KRBTGT, right? Again, if, if say I, I own a domain admin or I work my way up on to like a DC and I can get the, the password essentially
for that account. I mean, at that point I kind of, I, I am like Active Directory. I can do sort of whatever I want and it becomes really difficult to really trust, right, Active Directory. Like even if you were to detect a golden ticket attack happening, you really should also be like concerned about the overall, the, the bigger state of AD, 'cause, right, say that attack, it was
legitimate. And maybe say you have an EDR that sort of like tried to isolate the endpoint that it was detected on, you probably still have bigger problems because you don't necessarily know what else the threat actor has done at that point. So. Right, right. That's what you, you had mentioned to me in the past about being in a position where you don't trust your Active Directory. That's a scary thought. What does that stem from?
Well, I mean, so ultimately, like the, the, the problem I'd say is that there's certain types of attacks on Active Directory that, right, they require high privilege, but they allow the attacker to basically do things like where they, they can issue tickets for basically any, any service or any server, right. When the, the ticket is effectively, like you can, you can be anyone, do anything with like a, a golden ticket type attack.
You know, there are things like DCShadow where you are effectively sort of participating in Active Directory replication and that can become tricky because a lot of your event logs and things that like a SIEM or SOC may use can't pick up on that stuff because it's actually in like the replication stream. But where this all kind of goes from a trust perspective, right? Is like, right, like you don't necessarily know what other mechanisms of persistence that
have been installed. And I guess kind of bringing this back to some of the ransomware type things is one of the other issues that like IR teams will have is they'll, they'll be brought in in a decently compromised Active Directory. They'll they'll try to kick the threat actor out, but then they've installed like five other back doors at that point, right? And so now they're, they're coming back in a different way.
And, and sometimes this comes down to where, where you have this back and forth because Active Directory is really critical for, you know, authentication.
And in both AD and these days also, you know, out into like Entra ID, you know, Azure AD, your, your best bet really is to try to go back to like a known good state with Active Directory using something like ADFR where, right, you, you can go back to before the incident happened and basically bring Active Directory back up to a point in time where it's a known good state. And there, there's some, there's some like work kind of involved,
right? Because usually it's like staging it isolated where you verify that it's like clean and good. And then you sort of open the doors to let other infrastructure kind of talk back to it, so. It's a scary thought, right? I mean, you know, this ADFR to me has always been like the Holy Grail. But you also hear about threat actors who, you know, they get in and then they sit silently
for long periods of time. And how would you know if basically they compromised a legitimate user's credentials six months ago, right? Yeah, I mean, I think that gets into definitely also other aspects of more like proactive, you know, monitoring and, and I guess I would lean more into like DSP and, and some of it would be in, in Purple Knight, which is our, our free, you know, AD and Entra ID security
assessment tool. But there, there's other things, right, where it's more like proactively monitoring, especially your, your privileged accounts. And, and that kind of dovetails though into, right, that some of these identity attacks are complex or they're chained or there's things that, right, you may not think of.
And I, I think a great example, 'cause, 'cause honestly, like you, I, I managed Active Directory back in the day and sort of like my eyes became open even more when I joined Semperis. But where you, you could like have a lower privileged user that maybe has group policy rights on a domain controller or an OU that holds domain controllers, I should say. And effectively you're a domain admin, right?
'cause you could go put, you know, logon scripts and other things or startup scripts in that, that GPO. And that's where things get complex because right like we're all, we're focused on identity, but there's also attacks on like the other components of Active Directory that can lead to identity compromise, even though right like group policy isn't like a component of identity and access management aside from like being stuck into Active Directory.
¶ Tools and Solutions for Active Directory Security
So, so. Eric, you said one word that really triggered my ears to go up and that's the word free. You mentioned a tool and it's kind of like, because where I wanted to go was what are some of the tools that can save your bacon in a scenario or hopefully prior to this all taking place? You mentioned the restore tool. You also had mentioned a few other tools. So why don't you kind of go over what those tools are? You guys are setting up a link. It's semperis.com/idac, all the caps.
If you go to that URL, you should be able to find everything that Eric's talking about. We'll put that link in the show notes as well. But Eric, could you kind of go over those tools again? Yeah, so the, the soup of things, I guess I'll, I'll start off with a couple free tools that we have. So there, there's Purple Knight, and this has, and I, I should know this number 'cause it's the group I work in, but it's continually growing between Entra and Active Directory.
I think we're up to around 170, 180 security indicators, right? And so these are individual things that are, are measuring the security configuration or sort of lack thereof around Active Directory and Entra ID. The other tool is, is Forest Druid, that's free, which is an attack path analysis, attack
path mapping tool, right? So that, that will also help, right, you sort of visualize and, and, and see like how chained attacks could happen where, right, like I am in our help desk and I have the ability to reset the password on someone who is in our NOC, and that person in the NOC, that's like a sort of higher tier, has the ability to maybe manage group policies on your ADFS servers, right?
And that's, as I'm speaking this, right, it's kind of a path, but like something like Forest Druid will help you visualize that stuff. You know, that's in the realm of other tools. Like probably the most, I guess, say, well known would be the things like BloodHound or whatnot. We, we have a bit of a different take where we try to focus on the last sort of stage in the, in
the path, right? That if you, you cut off the last line before getting like domain admin, I mean, you still may have other cleanup, but right, wanting to focus on, well, how do we protect like that tier zero, the keys to the kingdom. But these are tools that can take you above and beyond what BloodHound could do, right? Yeah. I mean, so like I would say Forest Druid and BloodHound, they're, they're very related.
We kind of have a different take on how we go about analysis 'cause sometimes, right, you could look in BloodHound and I mean, I think it's a great tool, but generally it's more red team sort of oriented where you really need to know a lot of the underpinnings. Forest Druid is designed to be more like for an IT pro, a defender, an identity person who maybe isn't super familiar with like all the nuances of attack path management, right?
They just want to see like, what are the things they need to get rid of to like protect my domain admins. So, OK, that's really. Cool. Yeah, well, good. So there's a link that people can go out to, they'll be able to navigate their way to either free tools as well as, you know, I, I'm assuming that per the business model of building free tools is that people see all these problems on there, willing to go and spend a little money
to prevent being attacked. Yep. Yep. So and, and that's absolutely like, again, for the, for the paid products that we have, Active Directory Forest Recovery, which is ADFR, that I, I think maybe mentioned earlier, it's, it's what we're probably most well known for and that's bringing Active Directory back from, you know, being burned to the ground.
There's a lot of organizations that will also, so I think a point you made earlier, can have catastrophic sort of oopsies where there's an operational sort of benefit to ADFR to, to bring AD back. Some organizations use it for, you know, DR testing and like going through those, those DR drills where it's like, right, what's it actually take to bring
Active Directory back? And, and I'll actually say as someone who again used to manage AD, not until I worked here did I realize how complex it is to manually try to bring Active Directory back from like a system state restore. And unless you want to enjoy doing nothing for like the next couple weeks, it, it can. It can be a nightmare probably
when you say that. When you say enjoy doing nothing, you're talking about you're going to be working 80 hours a week for the next few weeks and getting yelled at probably. Yeah. I, I don't envy the people who are stuck in that. Now, we've been talking about AD as in classic AD primarily.
¶ Hybrid Identity Protection and Upcoming Conference
You guys are really focused on the future as well, this hybrid identity world. In fact, you've got a conference coming up called the Hybrid Identity Protection, AKA HIP, the HIP conference. We have a, a discount code for the HIP conf. It's hipconf.com, discount code is IDAC POD. That'll get you 20% off. But Eric, could you tell people what they can kind of expect out
of that conference? Yeah. Absolutely. So the, I mean the conference is actually rooted in Gil Kirkpatrick, who you folks actually had on quite a long time ago, who had started the Directory Experts Conference. And it's an evolution of that where it's a lot of the bigger names in Active Directory identity security that are going to be there, as well as Entra security. I can't remember the roster, but like Sean Metcalf over at Trimarc is like a, a pretty well
known person. I think we're, we're, well, I'll start to ramble on the Microsoft MVPs and stuff like that, right? Yep. Yeah, Thomas Naunheim, who's actually a very well known MVP in the Entra space, is, is going to be talking about I think enterprise applications and service principals and, and
all that sort of stuff. So you know, and this is where I guess to the hybrid piece, right, we're really trying to cover both Active Directory and the Entra ID side of the house, sort of everything under the Microsoft ecosystem. So yeah, I mean it's. So big right now. So you know, hybrid identity is, I think it's the new thing or the next thing, but it's also the current thing.
I mean, if people haven't moved to Entra ID already for a lot of the Active Directory services, they're moving to it. I don't see an end of life of Active Directory on-prem anytime soon, but I see a lot of folks, a lot of organizations moving toward kind of this hybrid scenario where they have both, they're staying in sync. I'm kind of wondering though, what kind of new threats does that create as well as what kind of opportunities it creates? Yeah.
I mean from a threat perspective, it can get interesting in, again, organizations sort of unknowingly will perhaps have a user that's not privileged in Active Directory, but privileged in Entra, right. And so from an Active Directory sort of protection perspective, the user sort of falls out of that, that privileged scope.
And, and sort of the long story short is scenarios of a user being compromised like in Active Directory and then the, you know, whoever has compromised them being able to do stuff in, in Entra. There's also some interesting scenarios where you can almost have this like, almost like loop back where you could compromise someone that has some privileges in Entra, usually around something like Azure.
Like you have an Azure subscription and maybe you're running domain controllers that are virtualized out in Azure. You compromise someone that has some amount of rights over a domain controller from like a management plane perspective. And you can then go run commands sort of against the domain controller because, right, they're virtualized, there's an agent on them, as there is in pretty much any sort of virtualization scenario, that the agent has system level access.
And next thing you know, you've given yourself like, you know, domain admin through some, some cloud route. So yeah, there there's a lot of like these weird complex paths that just it's like spaghetti almost with the, the number of potential ways that you can compromise in these these hybrid scenarios. So. Yeah. If you don't really know what you're doing or even if you do, that's the problem, right?
It's like even if you do know what you're doing, you can still wind up creating one of these scenarios. And I think that's a big part of like the tooling that you guys at Semperis, what you provide to people, is the ability to kind of identify those scenarios where you create an opening.
Yeah, absolutely. I mean, I think that, but you, you definitely encounter people at times who will, you know, sort of say they can just roll their own or their, their Sentinel or their Splunk or their QRadar is kind of good enough. But right. It's, it's, I'd say, not just a Semperis argument, that any, any company working in, in the ITDR space, right?
Like most of us, as different companies, have a group of identity security nerds sitting there all day trying to work on this stuff full time and just seeing the things out there that actually happened, right? Because we, we have feedback from our IR team, right? Who, they're like, you know, here are things we've seen, right? So we're not just like sitting there making stuff up as sort of like theoretical attack paths. Yeah, it can, it can be quite, quite scary.
And, and I'll just say to your point, like, yeah, even if you know what you're doing, everything just moves so quick these days that I think it's really hard for organizations to keep on top of things, right. And, and again, that's where like for, for, you know, our other product DSP, that's more like looking at the proactive security of Active Directory and Entra as well as some, some indicators of compromise or
attacks in flight. We're, we're working on this thing every month, we have a monthly release of, of new indicators or updates for indicators all based on, right, the data we're seeing, the research that we're, we're doing. And, and so I'd, I'd sort of politely argue to the roll-your-own people, right? Like how can you sort of keep up like this, right? I mean, if you are, you have to be investing a ton of time and money and resources into doing it.
It's rare. When I first started in this identity industry, it was much more common that organizations would start off with the build versus buy analysis. It's very rare these days. Once in a blue moon, somebody will want to look at it. Usually it's having to do with customer identity, but the assumption is we're not in the business of security, information security. We'll buy products and run them. And then there is a major trust level in the partners that
organizations choose. I think what I, what I really like about what you guys are doing is it seems like you've got a focus, while the products have to evolve, it's been centered on this AD and Entra ID platform and you're continuing to grow into that. Now, one of the other areas that I know you guys have been growing into, and to me it seems like it's the right direction, is ITDR. Let me ask you first, like how do you define ITDR and then ask you who needs it? Yeah, I mean.
I, I would say, I'll answer the second question first in saying I think everyone needs it, but across, I mean, right, that's kind of an answer that I used to console. It's like, and it depends within as to what that, that spectrum of needs it is. But to the, the first thing, I actually like Gartner's ITDR sort of model that they have, right? And it's identity threat
detection and response. I think in the industry, though, it's a bit all over the place as to how people actually interpret it. And, and I actually think that probably two of the most important pieces, the, the prevention, which isn't in the name, but it is in the, the Gartner model, and the, the response piece are the ones that
kind of kind of get left out. And everyone just like focused on right, like the, the detection or if it's prevention, it's more like, how can we, how can we obfuscate something? How can we like throw the threat actor off instead of, I don't know, to me, to me, prevention's like how can we go in as, as the IT pros or the people managing identity and right turn the knobs and dials to just make Active Directory more secure?
Or instead of trying to throw a bunch of like fancy sounding things at it to sort of not actually harden Active Directory, but just try to interfere with an attack. So so I had some maybe I got I think. That no, no, no, I think that was a good, good start to the conversation. And I think the, you know, ITDR could be like many other tools in identity where they focus on the, the enterprise and all the different systems that could be
compromised. But I find so many organizations are so heavily Microsoft centric that they're using AD or Entra ID, including MFA, all through Microsoft. So that's where most of your eggs are, you know, having a tool that's hyper focused on that seems like it could make sense. Yeah. That kind of. Well, where I was going with that was, you know, that seems like I may be answering this next question, which is why does it matter what vendor I choose
for my ITDR solution? Yeah, I mean, obviously I think, right, I'm, I'm here, here being sponsored, right, bias towards Semperis, but I also think that, that, that being hyper focused piece is where we excel. And right, like I'm, I'm all about having layers of security. So it's certainly nothing against like XDR platforms. I think what I tend to find, and previously I, I was on our product team and I was involved in a lot of our competitive analysis.
So I've also like looked at all the other competitors, like XDRs tend to be really focused on, like again, like attacks in flight and there isn't really a component in them like, well, what if something gets through, right? It kind of feels like you're betting a lot of money on like that they will absolutely 100% stop anything and everything. Like no questions asked.
You know, I, I think with Semperis in particular, like looking at how we interpret response is really like that trying to get Active Directory or Entra back to a place that, that you trust, right? Like where you can feel confident that the directory service that you're looking at isn't, isn't something that's been tampered with.
And that's where there's fewer companies out there kind of working in that space to providing like forest recovery or or now we also have tooling that we're working on for, you know, bring in like Entra sort of back and objects back into Entra. So that I feel like it's a big question. So I could just probably keep on on going. No, no for.
Sure. I mean, you know, a lot of organizations have made a big investment in their SIEM solution over the years and a lot of times folks just ask the question, what can ITDR do that my SIEM solution can't do? And, you know, they kind of see the SIEM solution as identifying events that have taken place. My answer has always been it's the R. Well, the detection should detect more things, right? So it's kind of like you think of like the Iron Dome analogy, right?
Shooting missiles out of the, out of the sky or whatever. It's identifying more missiles. And then the response is that it can take them out. Just an analogy I made up, but how do you respond when people kind of come to you, is can they just get by with Splunk? Yeah, I'd say it's, it's back to, I, I think there's, there's three components, is one.
I, I think like I, I was saying earlier that you'll probably have a hard time sort of going one for one against a company that focuses in the space and having all the detections. I think the response piece is also the huge one because again, like it's one of those things where it's tough because you don't know until it happens to you what it can look like, but whether it's like object level recovery, right?
And there's scenarios where the Active Directory recycling bin like is not necessarily good enough. So there's, there's some again, but we're mostly focused on security operational benefits to the response portion. But again, like I, I would just argue to any company who's sort of like we've got the response covered would ask them to actually go try to bring Active Directory back from, from the
grave, right? And I'm not talking about pretending to bring one domain controller back, like bring Active Directory back, bring it up so that your enterprise could actually use it for whatever it is that you do and measure how long that takes, how many resources it takes, right? Like, you know, sort of what the, the cost is there, because a lot of organizations don't go through a real sort of almost like tabletop of that or, or actually go through the process,
right? They just look at their Dr. plan and they're like, well, we've got, you know, a genetic, a general backup solution or we've got system state restore and check and like, right, we're on to the next thing. And then when something actually happens, yeah, to my point earlier about you sort of hate and life as the person who has to bring things back. Yeah, we think. Guests on come on and talk about getting cyber insurance and the
keys to getting cyber insurance. There were three things from an infosec perspective or I should say from an IT perspective. So it was EDR, it was MFA and backups. And so to me the question around backups is not just do you have backups, but could you restore in a given scenario. So I mean in my earlier days in IT, whenever I was responsible for disaster recovery, the idea was some 9/11 type event or some natural disaster takes off data center. To me, that's not the most likely scenario.
To me, the most likely scenario is some threat actor who gets a credential and then tries to take down your key infrastructure. And if Active Directory is part of your key infrastructure and they get a hold of it, you know, just restoring from tape, it's, it's not like that, right? And so that's where what you're saying comes into play.
I think EDR kind of feels a lot like well, I mean EDR is EDR, but from an identity perspective it feels a lot like ITDR, you know, and I think MFA is, is expected best part of this hybrid identity protection because I was going to talk a little bit earlier about opportunities with the hybrid cloud. Well, it seems to me if you are in a situation where you're going to continue to have an on-prem AD, which I think a lot of organizations are in that boat, they just don't see. They don't
see a time until they close all of their offices. They don't see a time where an on-prem AD is not going to be part of the picture. Then having the MFA come from Entra is going to be a big key. So I mean this this ability to recover from an intentional disaster a lot different than the hurricane or something like that happening anyway. Yeah.
¶ Closing Thoughts and Personal Anecdotes
So I think to your point, like if you use a cyber insurance model, this is in the top three. Any any closing thoughts just to kind of summarize everything we talked about. Yeah, I have a couple. I guess I was just going to say too, I, I think one point in with with the backup piece you encounter a lot of enterprises where their their enterprise backup software relies on Active Directory, right.
And nobody really notices or thinks that until, right, they can't get into backup platform because Active Directory's down. They've built that dependency and and now you're in the right, the chicken and egg sort of scenario, except in a bad way because you could, you don't have one to bootstrap the other. No, I mean, I think as far as like, I mean, the, the points I, I personally have like to drive with customers is, you know, on, on the prevention piece of things.
So earlier this year there was like, you know, Windows Server 2025 coming out and, and you know, that actually kind of goes to your point of Active Directory not really going anywhere anytime soon. But Microsoft had this virtual conference and I, I did a session that I called, you know, an ounce of prevention is worth a pound of detection.
And the whole point I was trying to make in it was like, wait, a lot of security people are so hyper focused on the detection of attacks, which I, I won't argue that it's not important, but there's so many ways we could just like prevent a golden ticket from from happening, right? And that's the part where I wish, like, I wish security infrastructure, you know, whoever owns identity, that there was more of an investment in the proactive security piece
of things, right? Because honestly, then I'm not saying you don't need cyber insurance, but if you harden the exterior, if you make it more difficult for a threat actor to really, you know, pass the hash or perform a golden ticket attack, like they're, they're also opportunistic, right?
So there are there are also scenarios where it might just be right, a threat actor is going after five different people like, well, the two that they can get domain admin in are the ones that they're going to focus on and the others where maybe it's unfruitful, right? They're just kind of move on. And yeah, I probably already, I guess I'd say hit on it somewhat. But I think the other part is
that that response, right? Because a lot of times again, like I'd say kind of in the security industry, the feeling is like response is like we've detected an attack and we're going to like isolate the node, right? Like again, I, I think from a layered approach, this is all good. We've detected golden ticket and we're going to use EDR to like isolate where we saw it coming from, but written in those scenarios where it might be actually too late based on the type of attack that you've
detected. But I think response really is getting into that almost like DR piece of things like response needing to be how do we get Active Directory back to a place or a state where we can trust everything in it? Because if you, if you can't honestly trust the state of Active Directory, then you, you honestly can't like absolutely say, how do we know that there isn't something from a threat actor still lingering in here, right?
And as again, we we see in reality out there that these scenarios happen where they'll they'll get you and then they'll get you again after, after you've paid up or not paid up. So. You, you made a great point earlier where you're talking about layers of security. It sounds to me like somebody says the prevention.
So in other words, examining your Active Directory and providing a map, and this is the Druid tool I think you talked about providing a map of here's where your vulnerabilities are. And I love that point about an ounce of prevention worth a pound of detection because if you can cut off, here's the way I see it, most organizations are not going to be the target of a
day zero vulnerability, right? So that it's the attackers tried to get in the door and then run scripts and they run scripts and they run scripts. Well, those scripts essentially are vulnerabilities that have been found and tools and scripts have been created to leverage those vulnerabilities, right? So if you have proper tooling in place, you cut off those vulnerabilities, the scripts will work in your environment.
And so I think that's great. Now detection potentially would detect something that is new that is novel, right? And that, you know, there isn't really a pattern for. And I think if you are the FBI or some organization where it's like, you know, that's a really high value target and we're going to use day zero attacks if we can get our hands on them, nation state actors and things like that, that's a different ball game. And I still think you have to be
in the prevention side. You have to prevent what you can prevent, but you also have to be able to to detect more. I think that you're making the case that for most organizations, prevention is going to be the key. So it's, you know, scanning your environment, setting up the prevention. It's also, it's also the detections. You have an ITDR system that is detecting, it's giving you another layer of defense.
And then finally, if you are compromised, if all else fails and you get, you get owned, you still have the the ability to restore your Active Directory. What I like is that you guys are so focused on the AD area. It's not a small area by any means, but it's a focal point and for a lot of organizations, that's where the, that's where they're, you know, their crown jewels lie and their ability to control their environment lies within that realm. Absolutely.
Absolutely, yeah. And I, I think in general, at least it's Semperis like that's where, you know, we, we would generally say that we're, we're complementary to like XDR platforms, right? Like 'cause, 'cause I think in, in that layered approach, right? We all kind of bring our, our, you know, benefits to protecting identity. I mean, in the bigger picture, right? I think especially from the layered piece of things, because we just continue to see right sort of any identity attack.
It is so crucial, right? I mean, I, I, I have other talks that I've done about right identity being the new security perimeter. And we've been saying this since 2012 is as far back as I could find articles. But to me it's like sort of like when are we going to drop the new part of identity is the new security perimeter.
And just like say right it, it is the security perimeter these days and actually treat identity security as like the sort of first class sort of customer it should, it should be in the enterprise. So, but I mean, I could again, I could go on tangents about you all for years. About that, right, but it's a great point. We've been calling it the new perimeter for so long like why don't we just call it the perimeter? And it's because the layered security approach, there still
are firewalls. Oh, yeah. They don't catch everything, but they block a lot, yeah. Yeah, block a lot they are, but well, I would just say, I would just say that's where it gets sticky with, right, the cloud, because a lot of the more traditional defenses that we have, we can't easily apply to like, you know, SaaS applications
and and all that sort of stuff. Because, right, the interface that all of our end users log into or authenticate through, right, is the same one that, you know, threat actors can go hit.
And I, I won't ramble about it too much, but just I think to the point you made earlier about, you know, sort of time, money, resources and and how it's tough on people who even know what they're doing. It it it kind of goes back to that there's just everything's so fast these days that you can be the best of the best and still have trouble sort of keeping up with it all. So yeah. Absolutely. So Eric, any other closing thoughts? No, I think good because I I've
been wanting to ask you, I know, I know you're really into hiking and you had mentioned to me that you blew out your ACL was in April. We're sitting here in in August at this point recording this episode. And I wanted to hear more about that. Like what was the recovery like? Oh, it was. It was, it was not fun. So, so actually my my son is huge in the skiing and I never skied even though I've grown up in the Northeast in my life. And this winter in January, I
was taking skiing lessons. My instructor had me going on a slope that was a little too adventurous. I got my skis caught up, heard a pop in my knee. And then going to the orthopedic doctor, it was kind of a bit of time. I had some fracture in my leg that they had to let heal. So yeah, end of April, I had surgery. Man, that was that. That was rough. And I actually had a, a podcast recording like my surgery was like on a Thursday. And I think it was that next Monday I had some sort of
podcast recording set. And I, I didn't realize how intense even the first week of healing would be because man, I, I saw myself on that recording and I, I, I feel like I looked and sounded like a hot mess from still being on meds and a lot of opioids and stuff like that. Yeah, and I couldn't. My leg was completely like, I had it propped up like under the desk it was. But the, the recovery's been, it has been tough, man. Like I, I'm still not allowed to run or jump.
And I, I can't believe just how the how little bit of surgery it is in a way on your leg, how much it, it sets you back 'cause it is, it is a tough thing to recover from so. Yeah. Did you wind up gaining any weight while you've been off your feet? Oh yeah. Yeah, absolutely. I mean, I'm, I'm up and walking around and, and if you saw me walking down the street, you'd probably think nothing is sort of wrong with my leg at this point.
But no, because also when I'm, when I'm feeling down, I love binge eating. So it's, it's just been cyclical. I can't go out and hike. Join the club. Join the club. Well, yeah, I never actually had any kind of surgery on my knees or anything, but I did have a a hernia a couple years ago now. And like people said, oh, you have to sell your feet for a few days. I didn't realize like this first 48 hours or so. How? Because it was outpatient surgery.
So you go in and get the surgery, they knock you out, you wake up five minutes later and the surgery's all in the past. But then the recovery winds up taking a couple of months, and it's the first couple of days they're the worst. Oh yeah. Yeah, it is, it is brutal, right. And I'm, I'm not a spring chicken anymore or whatnot. So but yeah, it's, it's made for a less than ideal summer in some ways.
But we're, we're going on vacation actually tomorrow with the family for about a week to the Netherlands and, you know, looking forward to still doing summery things and, you know, enjoying life away from. Netherlands is one of my favorite countries, you know, what I would recommend if you can, is get outside of Amsterdam a little bit. Amsterdam is like super cool, but it's also like touristy and
it's a big city. And if you get out into the, you know, going from city to the city or maybe get into some of the smaller towns, you're really going to enjoy it. I mean, it's a beautiful country. And, you know, I think all most people know they have a dike system that pumps water out. Otherwise it would be most of the country would be below water. And so. It creates like there's all these, I guess they're dikes that, that, you know, channel the water out and the, the windmill.
The purpose was to operate the pumps to pump the water out. Pretty ingenious and, yeah, just a beautiful country, a lot of farmland. Yeah. So try to get out there and explore. I was. I spent a lot of time in Leiden. It's a city that you can take a train from Amsterdam right there. So anyway, you, you enjoy that? Yeah. I will. Eric, is there anything else or I guess we can wrap up this episode? I think it's been a really educational good good. I'm, I'm glad now.
I think if you, if you let me go too long, I'll just keep going forever. So I'd I'd say we could probably wrap it all right. Well, good. I think the first thing I wanted to do is remind everybody about the HIP conference. You can go to hipconf.com. I was out at the website already. The the conference is what, December or November 13th and 14th? I think it's, it's, it's in November now. I can't remember if it's 12th, 13th or 13th, 14th. It's it says that the the site,
it says it on the website. That's right. So if you go to hipconf.com, if you do decide to register, if you look at the awesome speaker list, use the the discount code IDAC pod, IDACPOD. We'll get you 20% off as the best discount code that's out there and available. You also find this podcast on any podcast platform that you want to listen to Apple Podcasts or Spotify or there's a million others that are much smaller and we're available in all of them. We are also available on YouTube.
If you go to idacpodcast.tv, they'll take you right to our YouTube page. We would appreciate if you enjoy the podcast to go out there and subscribe. Check us out. We're putting up new content at least every week and we're trying to do even more than that with like stories and outtakes. We also on we have our own website idacpodcast.com and we're on Twitter or X at with the at symbol IDAC podcast. We're also on Mastodon. Now I've never been to that myself, but it's at IDAC podcast
at infosec.exchange. And our sponsor for this week is Semperis or Sempress. I was told by Eric before the episode that both are used pretty commonly and interchangeably. And so it's at Semperis or semperis.com, S-E-M-P-E-R-I-S dot com and we'll have all those notes in the show notes. So for this week, thanks everyone for tuning in and we'll catch you on the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show.
Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
