
#314 - Sponsor Spotlight - Semperis

Oct 31, 2024 · 1 hr · Ep. 314

Episode description

This episode is sponsored by Semperis: semperis.com

In this sponsored episode of the Identity at the Center podcast, hosts Jeff and Jim discuss the changing landscape of ransomware attacks and the importance of identity security with Gil Kirkpatrick, Chief Architect at Semperis. They explore how ransomware strategies have evolved from merely encrypting data to exfiltrating sensitive information for ransom. The conversation also delves into the necessity of having robust identity recovery plans, the role of Active Directory in cybersecurity, and the importance of regular security posture assessments with tools like Purple Knight. Additionally, Gil shares insights from the Semperis Ransomware Risk Report and recounts his experiences as a pilot, offering a fascinating look at both cybersecurity and the world of aviation.

00:00 Introduction to Ransomware Evolution

01:25 Welcome to the Identity at the Center Podcast

01:53 Guest Introduction: Gil Kirkpatrick from Semperis

02:25 Journey into the Identity Space

06:09 Semperis: Enhancing Security and Resilience

21:08 The Importance of Active Directory Security

28:09 Ransomware Risk Report Insights

32:15 The Trustworthiness of Decryption Keys

34:18 Business Disruption from Ransomware

36:14 Should Companies Pay the Ransom?

38:47 The Importance of Cyber Resilience

41:14 Active Directory and Disaster Recovery

43:17 The Decline in Ransomware News

47:36 The Basics of Cybersecurity

50:31 Adventures in Piloting

58:35 Conclusion and Final Thoughts

Connect with Gil: https://www.linkedin.com/in/gil-kirkpatrick/

Learn more about Semperis: https://www.semperis.com/

2024 Ransomware Risk Report: Embracing the Assume Breach Mindset: https://www.semperis.com/ransomware-risk-report/

Download Purple Knight: https://www.semperis.com/purple-knight/

Hybrid Identity Protection Conference (HIP Conf) - Use code IDACpod for 20% off: https://register.hipconf.com/W7eVML

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com

Transcript

Introduction to Ransomware Evolution

That was another one that I thought was surprising. And there were a few things underlying that one. One is the nature of ransomware attacks has changed. It used to be, you know, sort of like NotPetya, we're just going to encrypt all your machines and then we'll sell you the decryption keys. But now what's happening is attackers are exfiltrating sensitive data, or data that they can get their hands on anyway, and holding that for ransom.

They're saying things like, we're going to publicize all this information if you don't pay us money for the data. So you've got two things you have to buy now. You've got decryption keys and the get-rid-of-my-data key, if you will. But how do you really know that they're deleting the data? Well, yeah. Is there such a thing as honor, to say, OK, well, I promise, as, you know, a signed criminal, that I will delete the data that

you get, that you paid me for. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the

Welcome to the Identity at the Center Podcast

Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad. Yourself? Good. I'm excited to talk about ransomware. How about you? It's always a good time to talk about ransomware, and that's why we do this, right, is to protect people from ransomware, hopefully mitigate the risks associated with it. So yeah, let's get into it. We've got a sponsored episode today. This one's brought to us by Semperis.

You can visit them on the web at semperis.com.

Guest Introduction: Gil Kirkpatrick from Semperis

And I want to welcome back Gil Kirkpatrick. He's the Chief Architect at Semperis. Gil, welcome back to Identity at the Center, 'cause you've been with us before. Yeah. Thanks, Jeff. I really appreciate it. It's good to see you again too, Jeff. So we were talking before we hit record and it was like, oh yeah, it was just, like, maybe a year ago. And then we looked it up. I was like, oh, it was actually three years ago, September of 2021. So, you know, people can go back and listen to that.

I'm not sure where this episode will be, 315, somewhere in that area maybe, but you were on episode 110, like way back in the day. So people can go check that out, see what's changed. But let's talk a little bit

Journey into the Identity Space

about, you know, you and the identity space. Real briefly, how did you get into the identity space? Because I don't even know if we asked that question back then. Yeah. I don't remember if we talked about it or not. So I've been building commercial software products for just about 50 years, which is kind of a long career. And the first platform I really worked on in the PC

networking environment, so in the, you know, late 80s, early 90s, was Banyan, Banyan networks. Now not too many people remember Banyan, but it was the only legitimate enterprise-scale PC network at the time. There was Novell, and Microsoft was sort of off on the side. Banyan Vines. Yeah, exactly right. And the interesting thing about Banyan Vines was it had an integrated directory, a distributed directory for groups and users and I think computers as well.

And that was a concept that nobody had really thought about before, or at least not commercially anyway. And it was largely invented by Jim Allchin, who later became a VP on the technology side of Microsoft and drove a lot of what became Active Directory. So that's really where I started. I built products to help people manage their Banyan Vines environment and then did similar kinds of things for NetWare NDS, eDirectory.

And then that's sort of when Microsoft came out with Active Directory. I was at a company called NetPro. And in fact, we had been working with Microsoft for several years before they shipped Active Directory in 2000. And we built management products, primarily for Active Directory. And since then it's been, you know, Active Directory related stuff.

And then I was the CTO at an identity management company in Australia that built sort of industrial-scale X.500 directories. We did a fair amount of work with OpenID Connect and OAuth and those newer web protocols. And then came to Semperis in 2017, I think it was. Twenty... Yeah, that sounds about right. So do you consider yourself an identity person or a software developer or somewhere in the middle? Yeah, somewhere in the middle, I would say.

I mean, definitely a software guy. I think my sweet spot is in software design and development, but my focus has been on identity related issues for the last 20 years, you know, something like that. So I'm very in tune with all of the issues around managing enterprise identity and, in the last, you know, four or five years, on all of the ways that identity can be attacked and misused. So I've become pretty knowledgeable in that area as well.

Well, I'm glad you're here with us. And you know, this is a sponsored episode. So Semperis is sponsoring this episode. So make that very clear. So let's learn more about Semperis. I know we just had an episode not too long ago where we talked with Eric Woodruff. But let's get your take on, you know, tell us what Semperis is, what it does and all that good stuff.

Semperis: Enhancing Security and Resilience

Sure. So Semperis builds products for enterprises to improve the security and resilience of their hybrid identity platform. So typically that's Active Directory and Azure AD, or Entra ID now. And the basic idea is, if you've seen the NIST Cybersecurity Framework, you know, you've got those five phases of managing a cyberattack: identify, protect, detect, respond and recover. We try to cover all of those activities related to the

identity system. So we've got, as an example, in identify and protect, we have a free tool called Purple Knight, which, people love this thing. It's astounding how many people have downloaded it and use it all the time.

But it does a comprehensive analysis of your Active Directory environment and your security posture, along with Entra ID, and gives you a really easy to use report card about how you're doing in different segments of configuration and management, and gives you suggested remediations and all of that. So people download it, they run it, a lot of people run it monthly.

They make that part of their monthly reporting activity to either IT or security that shows how they're doing as far as securing their Active Directory. So that's one end of the spectrum. Then we have a product called Directory Service Protector, DSP, which has that same sort of evaluation of your Active Directory configuration, but it

does it continuously. So you know immediately if there's some aspect of your security posture that's degraded in some way and you can respond to that. And it also logs, it keeps track of all of the changes that have been made to your Active Directory. And it does it in a way that doesn't rely on the logging system, because the event logs are one of the things that attackers turn off almost the first thing.

It actually monitors the replication activity in AD and uses that to essentially construct a timeline of of your Active Directory history so you can see what things are being changed and roll those changes back if you want to do that. And then in the most recent version of DSP, we've added

activity monitoring. So it's actually tracking authentication of users and computers against AD and what services they're referencing and detects things like brute force attacks or password spray attacks or any kind of anomalous authentication behavior. Again, with the idea of trying to detect attacks that are in progress so that you can then, you know, start your incident response and, and remediate to isolate the machines or, or disable the users, that sort of

thing. Then finally we have a product called ADFR, Active Directory Forest Recovery. And this is probably the product that most customers start with, or this is the product that most customers come to us about, because recovering Active Directory, the entire forest, from backup is really, really hard. And the likelihood of success if you're just following the Microsoft playbook is less than 20%.

Back in the day, I used to run a workshop where we would walk people through the recovery process for AD. It gave them a virtual environment with four domain controllers and two domains and a checklist of every single command you had to type in to actually make that happen. And it was sort of a two-thirds of a day, six-hour kind of thing. And the success rate was about 20%.

Even with all of the commands that you need to know that you have to type in, sometimes it just doesn't work and you don't know why. So you have to start over again. So recovering AD from backup is hard, and ADFR automates that whole process. So it turns what might be a, you know, a many-day recovery process for a larger enterprise into a couple of hours and six clicks.

So I think now, hopefully, people listening are starting to understand why we're talking to you and specifically about ransomware, right? Because these are typically the things that get broken during that kind of attack. I know we want to go through a ransomware report that you guys have, but I have, you know, my own questions around Semperis. Where does the company name come from? Like, who came up with Semperis, and what does it mean? Does it mean anything?

Yeah, so, I think so. I was a part of the conversation that led to that name. But it came from, you know, the Latin, you know, always, always watching. And that's sort of the idea, is that our products are always watching your environment to make sure it stays safe. And it also sort of relates to the Semper Fi and the Marine Corps and all of that.

It's, it's not an explicit DoD reference, but it's, it's definitely trying to convey the fact that we're, we're always there and always faithful and always watching. So what is it that you think makes your solution unique in the space? Because I imagine you probably run into a lot of, you know, jaded IT security people out there that are like, Oh yeah, great. Another tool right In this type of cyber security space.

What is it, do you think, that keeps, you know, people coming back and why you've been so successful? It's our focus on the identity system. 90% of cyber attacks go through the identity system in one way or another, either through stolen credentials or otherwise compromised accounts, session hijacking, doing reconnaissance in Active Directory, trying to find potentially sensitive resources or privileged accounts, elevation of privileges. All of that goes through the identity system.

And for 90% of the world that's Active Directory. And we have a, you know, a complete focus on securing and improving the resilience of Active Directory. I think that's why we've been successful. That, combined with, we've managed to build a ridiculously good and smart team of Active Directory experts.

I mean, I think somebody calculated this, Sean Deuby, who runs our HIP podcast and is one of our technical experts, I think he calculated we have like 200 years of Microsoft MVP experience, you know, something like that, all focused on Active Directory. Plus we've got several guys who came from Microsoft, you know, the PFE, Premier Field Engineer, environment. So we have lots of very, very

smart AD people. So 200 years, that's either one really old guy or a couple of, sort of, old hogs. What is it that, you know, the question we get a lot is, OK, well, that's great. I've got a tool. How do I get the return on investment on it? Like, what's the way that you measure success? Is it, I guess, how do your customers measure the success of the purchase, of the investment that they've made in your tools?

So a really easy description, or easy way to explain that, is with ADFR and forest recovery, and the simplest way to measure it is, how much effort do you spend backing up Active Directory? How long does it take you to recover from backup in a new environment? So, as if you had a cyber attack, how long does it take you to do it now? And how long does it take you to do that, and now reliably, after you have ADFR? And, you know, the

differences start. Most organizations have never recovered AD from backup, or the ones that have did it in sort of a test environment, or they did it by taking virtual machine snapshots and then, you know, resetting to those, which, you know, none of those are effective when you're recovering from a cyber attack. So that's really all it takes.

And when we demo ADFR for people who have had the experience of trying to recover AD from a cyber attack and they just see it happen sort of automatically, that's the value proposition right there. If you look at something like Purple Knight or Directory Service Protector, DSP, you get a sort of continuous feedback of your security posture in AD. So it provides you a way of measuring how well you're doing, and you can use that to basically measure your

success. So a lot of people say, well, my authentication security used to be a D and now it's a B. So, you know, that's awesome. So I think that's another way that customers use to measure their success. It's nice to have, like, that tangible scorecard, right? Look, mom, I got an A. Yep. Yeah, exactly.

It's exactly right. You'd think it's kind of silly, but if you're in the identity space or in IT security and you need to explain to senior management, you know, how are you doing now and how would you improve things, like scorecards. First, and people get it, right? They can understand that a D is bad and a B is, you know, not too bad, but it could be an A. So yeah, maybe work a little harder, that sort of thing. Let

Me ask you a side question here, because I want to talk about HIP Conf next, but is it realistic to get an A? Because I see a lot of times it's like there are risk decisions that get made and maybe something gets sacrificed in the name of, like, a user experience or, you know, a business process, and there's like risk acceptance. But do you think it's realistic to say yes, to get all A's on

that sort of analysis? Probably not. I'd say probably not A's across the board, probably doesn't make sense because the cost to do that is probably not worth the risk that it mitigates. Meaning like the remediation steps to get to that A, on that next level. Yeah. Yeah, exactly. But I think it's really important to understand where you're at. And that way you can make those trade-off decisions cautiously and say, yeah, we could.

This application is kind of a risk because of the way Java's handling credentials. But we know that we've protected the server. It's on an isolated network. So, you know, that's OK. We'll do that. Yeah, other layers, right, to help defend, whatever it may be. Exactly. Let's talk about HIP Conf, because this is something that's taking place in November, November 13th and 14th. It's in New Orleans, so that's exciting. We actually have a discount code,

IDACpod. It'll get you 20% off of that. I've never been to HIP Conf, and it stands for Hybrid Identity Protection Conference. What's it like to be there? What is it, and how many chicken and waffles can I get in New Orleans? So I'm going to come back to the chicken question, because there's actually more to that question than you might think. So HIP Conf is a conference that we've been sponsoring for probably four or five years. We organize it as well.

It's non-vendor specific. This is not a Semperis user group, it's not a Semperis product pitch. It's really all about educating practitioners on the ins and outs of securing your hybrid identity infrastructure. And that primarily is Active Directory and Entra ID. The speakers are all either highly experienced managers of technical teams or actual practitioners.

But the goal is, for all these sessions that you go in, you learn something and you can take it home and use it. That's sort of what we're shooting for in all the sessions. Some of the people we've got. So we have a couple of people from Microsoft. So Alex Weinert, who runs their identity security effort for Azure, well, Azure and Entra ID, is going to be keynoting it. Marty Momdjian is a guy, he's a Semperis guy now, but he runs a lot of our incident

response. He used to run incident response for healthcare at CDW, and so he has a lot of background on what recovering from a real ransomware attack looks like. And other people, we've got, like, Joe Kaplan from Accenture, who has, he's done everything with identity at Accenture, starting from, you know, ADFR, Active Directory, no, ADFS, Active Directory Federation Services, through rolling out passwordless authentication, etcetera. So you're talking about 800,

900 thousand people. So managing those kinds of transformations of large enterprises, he's got great insight into how that process works and where all the potholes are. So that's the kind of material that we're presenting at HIP Conf. As far as the experience, it's very technical, you know, we like to say, you know, 300, 400 level kinds of stuff. It's very welcoming in the sense that we've built a great cadre, a great community around HIP

Conf. And if you're in the identity space, it's not sort of like all the speakers are over there and you're sitting over here. It's a very engaging atmosphere. So you get to talk with all the speakers. We make lots of time for networking, finding peer groups and talking

with them. And of course, a place like New Orleans has a few places that you can go to afterwards, you know, after you've met a few people that you want to get to know a little bit better, so that works out as well. Hey Gil, I'm going to transition us into the discussion around the ransomware report, but we've

The Importance of Active Directory Security

talked a lot about Active Directory. It's my perspective that, theoretically, it is true, and unfortunately I've seen this in the real world as well, that Active Directory is kind of the honeypot. That's what, you know, getting full control over the Active Directory is what the ransomware actors are looking for. Or you could say it's, you know, the chicken and waffles recipe all in one. Don't take my chicken and waffles, man. Come on, Gil.

I mean, why is that true? So for a couple of reasons. I mentioned earlier that cyber attacks invariably, well, almost invariably, have to compromise the identity system in some way. You have to either pretend you're someone who you're not, or be able to get the privileges of someone who you're not. And it almost doesn't matter which identity platform it is. Whichever one you have is the one that you have to compromise to

get unfettered access. The other reason is Active Directory isn't just a catalogue of users, it's got information about all of the computers and services that are running on your network. So it's a great reconnaissance

tool. So the first thing an attacker's going to do once they land on somebody's machine that happens to be domain-joined is run a query on AD, get all the computers and look for all the ones that say, you know, top secret SQL Server or something like that, you know, because that tells them the machine they want to go after

next. And then the third thing, and this is something that is kind of interesting, but Active Directory is actually a great malware distribution tool, using Group Policy and SYSVOL. So as an attacker, if you're trying to deploy ransomware, you know, globally on the network, one way you could do it is drop it in SYSVOL and change everybody's logon script to download the malware.

So those are sort of the primary reasons that people go after AD. It's the keys to the kingdom. It's a great description. Without going into all the details, and there's many ways that people can conduct an attack, but a lot of times they're trying to laterally move into different accounts that are more powerful. I think help desk accounts, I think service accounts. That seems to me to be a major vulnerability.

I love the idea of somebody listening to the podcast, hopefully not driving their car, and listening and taking notes as they're listening to Gil. So what maybe is a takeaway, something someone can do today to, you know, take a step toward being less vulnerable? To tell you the truth, the very first thing I would do is download Purple Knight.

It's free. Run it in your environment, and I'm going to guess that, since your audience is all interested in identity, a good number of your audience has done that already. Does it require any special privileges? You just put it on a workstation that's domain-joined and run it and get your report card and take a look at the grades that it assigns to you. I mean, they're just grades, right?

They're just, you know, an A is sort of an evaluation that we made up that sort of makes sense. But then look at the details underneath that about things that Purple Knight found, like delegations, insecure delegations. That's a favorite one that would enable an attacker to elevate their privileges by compromising a member of a group, for instance. You know, there's all kinds of things in that report. It's pretty impressive.

I'm really pleased with that product. You know, one other thing I think about when it comes to why takeover of an Active Directory is such a beneficial thing for a ransomware actor is that it's so hard to restore Active Directory, right? And a lot of times, with ransomware, accounts can be taken over, you know, before the event.

So not having a good backup and restore methodology, like, I'm not trying to just serve things up easy to you, but this is just the basics of running an IT environment, is you need to be able to have backups that you can rely on and a restore policy that you can test on a periodic basis, so that you're sure it's going to work when you need it. I mean, this could literally be the ability for your business to do business the next day.

I mean, that's exactly right. With control of the Active Directory, you can wipe out the e-mail system, you can do all kinds of things. I mean, there have been real-world examples of companies unable to operate for a week. I mean, can you imagine your organization being unable to operate for a week? So I'm not trying to just make it fear, uncertainty and doubt, but these are real risks, and if they happen on your watch, it's going to be a very uncomfortable position. Yep, it's you.

You pretty much nailed it. Not only is Active Directory a great thing for attackers to go after because of what it lets them do, but if they compromise, for instance, if they flatten your domain controllers, you've got a real problem on your hands, because recovering AD from backup is hard. And you can't just go back to the last backups, right? Because those are probably compromised as well.

You know, they're going to have changes in ACLs, they're going to have changes in group membership. So they'll have back door accounts that have been added, and even other changes in Active Directory. But there's going to be malware on the servers in Windows. There are going to be hacked DLLs and executables that sit on those backup images as well.

So you'd need to recover in an isolated environment on fresh installs of Windows that you know are good. And you have to be able to recover just the data of Active Directory, not the entire binary environment of Windows. And if you can't do that, then you can't really rely on the system that you recovered. So let's talk about the

Ransomware Risk Report Insights

ransomware risk report. We'll finally get to that, and it's available on Semperis' website, but we'll have a link to it in our show notes. And I kind of made notes for some of the statistics that really jumped out at me. The first one was, ransomware attacks are frequent and severe. Organizations are facing a constant threat of ransomware attacks, with 74% of victims experiencing multiple attacks, sometimes within the same day. Tell us a little bit more about that one.

So I shouldn't have been shocked, but when I read it the first time, I was. But essentially all organizations are being attacked by ransomware a couple of times a year. I mean, it just happens continuously. It's not a notable event anymore, really. It's just one of those continuous things that security teams are dealing with, which I hadn't internalized before.

So that was surprising. The other one, about, you know, suffering multiple attacks in a day, was a new one. And then there's also the, you know, paying multiple ransoms as well for a single attack, which we can talk about. What does that mean, to have multiple attacks? Can you explain it? Is it literally, like, different attackers, or is it part of the same attack that's just multi-stage or something like that?

So it's both. So I know we helped a company with their incident response and they had four separate threat actors in the environment that were attacking them in their AD. It was a disaster. It was a complete mess. But I think what happens now is that, you know, ransomware, and cyber attacks in general, have been commoditized and

commercialized. You know, as soon as an endpoint gets compromised and there's some back door inserted on that machine, that IP address gets published and sold to whoever wants to buy it, for another attacker to insert their own

software. And I think that's one of the reasons why you see multiple attacks, is that the same IP address has been purchased by, you know, half a dozen attackers, and whoever gets around to doing it will be in the network. And you have multiple attacks

going on simultaneously. It used to be that, I think, a company would report a ransomware attack or some sort of a cyber attack and it'd be in the news, and then all the attackers would pile on once they saw that in the news, because you figure, oh, they could compromise them, and we probably can too. But now I think it's because all that stuff's just being sold, now on the dark web. You could buy 10,000 IP addresses and start working on it.

Yeah, and it also seems to me like, so there's a sub-point there, which was around paying multiple ransoms. I'm wondering, is that you're paying multiple ransoms to different people, or is it just that you can't really trust the people that are holding you for ransom? Give us $100,000. You give it to them. No, we want more. We want $200,000. So that was another one that I thought was surprising, and there are a few things underlying that.

One, the nature of ransomware attacks has changed. It used to be, you know, sort of like NotPetya, we're just going to encrypt all your machines and then we'll sell you the decryption keys. But now what's happening is attackers are exfiltrating sensitive data, or data that they can get their hands on anyway, and holding that for ransom. They're saying things like, we're going to publicize all this information if you don't pay us money for the,

for the data. So you've got two things you have to buy now. You've got decryption keys and

The Trustworthiness of Decryption Keys

the get rid of my data key if you will. But how do you really know that they're deleting the data? Well, you mean. Is it, is it such a thing as honor to say, OK, well, I promise as as you're, you know, assigned criminals that I will, that I will delete the data that

you get that you paid me for. And that's, that's, I think the thing that companies are maybe missing, I think the, the hit rate on, on the decryption keys is I think those either fail to work or they don't actually get keys like 30 or 40% of the time roughly. So already you have to add a premium to whatever ransom you're, you're paying for that. And even if the attacker say, OK, well, we, we deleted the, the data that we had stole it, they've sold it to somebody

else. And so now somebody else has it. So maybe they're not going to publicize it, but somebody else will, or somebody else would use that and spend more time grinding through it to see what's interesting in there and then sell that data. There is, is no honor in this, in this scenario. So, Gil, I was going to ask about that issue of decryption keys. You mentioned that sometimes

they don't work. I've heard that in a lot of cases they, they actually work, but they operate so slowly that performing the decryption would take months. And so if companies fall back to some other way to get their data back. Yeah, there it takes, it can take a long time. And the other thing is that in a lot of cases when binaries have been encrypted, the way the encryption works is it, it can actually add a bunch of random

bits to the end of the file. And when it's decrypted, those random bits are still there, they've just been decrypted. And so you've got binaries that you've, quote, decrypted, but they still don't load, so you can't run them. So even though you've, you've unransomed your, your, your Windows machine, it won't boot. OK, so now that we've figured

Business Disruption from Ransomware

out there's no honor amongst thieves, the second, the second point that kind of jumped out to me was, I'm going to read it off. Business disruption is widespread. Ransomware attacks cause significant business disruption, with 87% of attacks leading to disruption like data loss or system downtime, even when organizations have disaster recovery and backup systems in place. So what is the? What is the case, is that they have the backup systems in place, but they can't restore them?

Yeah, a lot of times the backups themselves have been encrypted. That's, that's one of the mistakes that companies still make to this day, is they store their backup images on a server someplace. And that's, if not the first thing the attackers go after, it's maybe the second or third. So that's, that's kind of a fail when people do that. The other thing is, is a lot of times IT orgs have not thought carefully through the process of recovery.

They think, OK, I've got a backup of the SQL Server so I can recover it. Well, it turns out it's not just the SQL Server, but there's a whole file system on another server that's necessary for this application to run. And you don't back that up very often, or you back that up on a different schedule. So you've got a database for one day in a file system from a different day, and now the application's confused and it doesn't work.

So the whole, whole problem of, of recovery from this sort of an attack is, is hard. And you, you, you have to work through it and work out all the details and actually, and actually test it. So I think that's another reason that people can't recover. So the next one I found that was really interesting, Gil, if I could: most companies pay the ransom.

Should Companies Pay the Ransom?

So 78% end up paying the ransom, 32% paid it four or more times. So here's my question. Should companies pay the ransom? I think we get this idea that when a ransom is being held because a human being is being held hostage, the advice is, and I've never been. In, of course no. No, don't, don't. Screw the hostage. I think what I see on TV is they

say don't pay the ransom, right. And from what I've heard, most public sector organizations don't pay the ransom and receive fewer ransomware attacks, maybe because of that. But can we really blame companies for paying the ransom? I heard there were two casino, large casino operators in Las Vegas. I think it was last year they were hit by the same, and it was more like a social engineering. I think it ultimately led to ransomware, but one paid the ransom, the other did not.

The one that paid the ransom never suffered any downtime or issues. The one that, that did not pay the ransom got owned and had a lot of very public side effects because of that. So are companies wise or unwise to pay the ransom? It's, it's a, it's tough if you try to judge it as a, as a moral decision, because you can argue both, both sides pretty effectively, I think.

But if you look at it from an economics point of view, what's the most effective response for the, you know, the life of your company? That's maybe a little easier decision to manage because if you have an idea of what it's going to take to recover from backup and you have an idea of what what the ransom is and what the risk is or what the likelihood is that the the threat actors will actually give you valid, you know, decryption keys and get rid of the data

that they stole. Yeah. Then you can sort of, you have a framework to make a decision. And I certainly wouldn't blame anybody for making the decision to pay the ransom, but I think they also aren't looking carefully at the costs that they're going to incur either way they go. And the, and the solution, you

The Importance of Cyber Resilience

know which, which is an idealistic solution, but I think it's the way, it's the way forward, is you need to be able to recover your systems. And so if somebody, you know, attacks your environment, well, you just thumb your nose at them. I mean, you just recover from known good backups and, and off you go. I mean, if you think about it, if you could, if you could recover your entire IT estate in 15 minutes by pushing a button, well, ransomware is totally

irrelevant. Then, you know, who cares, right? You don't care. Who cares? So I think that's, that's the direction you want to move in, is you want to make your, and this is, and this actually brings in, this is where the term resilience comes in. You can't prevent the attack. I think we're, we're pretty,

pretty clear on that. But you can make it harder for the attack to take on full sort of network-wide scale, and you can make your environment more resilient, which means you can recover from that attack more easily and more quickly and more effectively. So I think that's how I tend to look at that, that decision-making process. So I wanna, I wanna pick on the second part.

I mean, 78% paying, I can't get. And I think there might be even something in the US from, like, a government, either policy or even a law, that, that they're not allowed to pay. And maybe that helps. But 32% paid it four or more times in the past. How bad is your security if you're like, oh, this is our 4th ransomware event of the year? I mean, one is bad enough. Yeah. I mean, are these just repeat things? I, I mean, how do you, how do you quantify something like that?

Is it the same attack, or is there a way to? Is it really separate attacks that kind of skew that number? I'd have to look at the, at the details of that question and the responses, because I don't understand that really myself. I, I know there are cases where the threat actors are asking for

multiple ransoms. I know that happens, but I didn't think it happened that often, and it's mind-boggling that the same company would be paying multiple threat actors for what looks like the same, you know, multiple attacks at the same time. That line item in the budget, oh, that's our ransomware budget. We know we're going to get hit, so we're just going to put money into it.

Geez, we could, we could spend some time talking about cyber insurance and, and how that all relates to this as well, because that's, that's part of the story too.

Active Directory and Disaster Recovery

This next point that I pulled from the report, I thought it was interesting. It gets into organizations like Active Directory specific protection. I just wanted to highlight a point, which is if you are using non-AD or non-Microsoft systems for IGA or privileged access management or an IDP, but you have Active Directory in your environment, perhaps your e-mail system is tied to it, you, you know, you still have

the same risk. So it goes on to say, while many organizations have identity recovery plans, only 27% have dedicated systems for recovering AD, a prime target for attackers. So to me, you know, this is one of the points that I've kind of felt for a long time, is that when you're doing your disaster recovery plan, you not only need to think of it in terms of, OK, an asteroid hits our data center or there's some kind of fire that, that takes us out of

business. You really need to be thinking about the intentional targeting of your organization to bring down your IT systems, specifically your Active Directory. Yep, that's, that's something that I think IT orgs are getting their heads, or have gotten their heads, around: that the, you know, the, the classic data center fire or, you know, ran a backhoe over the fiber kind of disaster recovery scenario. That's, that's one class of, of thing. But, but cyber attacks are entirely different.

They're not, they're not defined by physical boundaries. They're, they're, it's a logical attack, essentially. And once, you know, even if you're a globally distributed company, you know, once I land on a domain controller, I can get rid of all the domain controllers. I can do it pretty quick. So the nature of the attack is entirely different.

The Decline in Ransomware News

Yeah. And Gil, what I wanted to wrap up with was, I kind of feel like, from a, if you watch the news, we're hearing less about ransomware attacks than maybe we were hearing about in previous years. Is that the case? I mean, why is that? Why do you think it's less in the headlines? Yeah, I'm, I'm not sure I, I know why that would be the case, because certainly the number of attacks, based on our survey, has, has gone up. It's not gone down at all.

Part of it, it probably has to do with the, the, the, the detrimental PR around it, that you would rather not say anything about it if you don't have to. But I think also that's, that's going to change in the near future, because there, there's, there's some regulations that are, that have come out of CISA that affect a broad swath of verticals. So I mean, there's probably about 15 different verticals for companies that, that are affected by these regulations.

What's it called? CIRCIA, the, the cyber, yeah. There's like a notification law, right? Yeah. So notification if it's a certain number of users and a certain number of financial impact, if you're in a certain industry. CIRCIA, yeah. And so I think we're going to see a lot more reports coming out because of that when that regulation goes into effect, and that's coming up imminently, I

think, you know, pretty soon. But to, to answer your question, I, I don't really know why we don't hear about it. Maybe it's just not interesting anymore. So that's what I was thinking, that's my theory. And you know, I'm, I'm glad that Jimmy asked this question, because my theory is this: we've become desensitized to it. Oh, it's ransomware. And unless it's like a major one, like, you know, a pipeline, a hospital, or something that has

like a major impact. I mean, there's clearly a lot of attacks happening. They're just not newsworthy. And it's like, kind of like, oh, who cares? You know, unless it affects me and it's a critical, you know, infrastructure thing, that kind of makes the news. That's my feeling. Like, I feel like we've just become desensitized. And it's just, it's not, they're not worth the 15 minutes of fame that they're getting.

Yeah, and I, I think there's a lot to that, because, you know, the, the news that gets published is the news that gets clicked on. And you know, Joe's Animal Hospital in, in Salt Lake City being ransomwared is not something people are going to click on unless you happen to have a pet that you take to Joe's Animal Hospital, you know, so that. Even then, I think I, like, I get desensitized, like, OK, another breach. My data was in it. What am I going to do?

Change my Social Security number, you know, change my name? You know, it's just, it's, it's some place like, OK, cool. Like I'm sure, you know, at this point I would, I would find it very hard to believe that, at least in the US, any American has never had any of their data in any breach ever, right. Like I think something has been leaked. Yeah. And what can you do about it? And so much of your data is, is owned by, by marketing companies now in some way or another.

Anyhow, it's, you know, it's, you're probably not saving yourself a lot of grief if you, if you go through that, you know, try-to-hide-my-identity stuff. So nobody wants to give the answer, so nobody wants to give the answer that enterprises have invested in reducing the risk of ransomware attacks and that's why they've gone down. OK, they have spent a truckload on it, and the problem is that it's, it's sort of, you know, the attackers are, are, are evolving at the same rate that the, that

the defenders are. It's, it's, you know, and if you look in the future with, with the introduction of AI-based attacks and AI-based defense, that at some point we're just going to sit back and let the AIs duke it out and, and we'll see who wins the argument. Tell me who won. Yeah, and, and the, and the winners will be either NVIDIA or the, the power generating companies. Yeah, that circles down to

The Basics of Cybersecurity

basic blocking and tackling in identity access management. It's phishing, it's social engineering of the help desk to get me in the front door, reset someone's cred so I can come in. And I, I sometimes shake my head that we're still here. The blocking and tackling thing is, is really, really important. I've, I've been saying this for years, that if you just do the basics well and, and diligently, that gets you a long ways.

You know, that, that makes it much harder for, for you either to get compromised or for the attackers to do anything once they've compromised an account. That's also one of the things that Purple Knight can help you with, because it's, it's essentially a catalogue of all the blocks and tackles that you need to make. Yeah, here's what you should do. Do this. It's like literally a playbook, right? Exactly. I mean, you really don't have an excuse at that point.

It's like, well, I didn't know what to do. Well, here's a free tool that will tell you that. So we'll have a link to that in our show notes. I got one thing I want to wrap up on before we shift to piloting, because I want to ask you about piloting, is, do you think so? I don't remember which one of you guys said it, but just now was the investment, there's huge investment being made in cybersecurity and specifically against this. Is this a case where maybe not

everybody's investing in it? So does a big company who makes a big splash to say we're going to spend $10 million or $10 billion skew a number like that to say, oh, yeah, there's more, there's more investment that's ever been made. But are there, I guess, are there big companies that have massive investments that sort of drive that into a false sense of, of a rising tide lifts all boats? I'm just curious what you guys think.

'Cause I can't imagine. The, the veterinarian, right, that you, that you used as an example, right, the pet hospital, they're probably not spending $10 million on cybersecurity tools. But for sure a large company is. You know, does the spend equate to the overall risk reduction to the

industry? It might, it might. You know, I mean, I, I, I don't think I know enough about the, the, the economics of cybersecurity spend to really say for sure, but that's entirely plausible, that, that some, you know, a relatively few companies have spent a truckload of money and that sort of skews the, the numbers. Yeah. That's, that's, I would say, likely. I do believe that it could be somewhat a case of you don't have to be the fastest, you, you just have to not be the slowest.

You have to be faster than the other guy. Right. I mean, we both live in the mountains, Gil, right? It's, it's to outrun the bear. You don't have to be the fastest one, you know, just be the fastest of your friends that you're camping with. Exactly right. Yeah, there's, there's something to that, I imagine. All right, let's talk piloting

Adventures in Piloting

because you mentioned before we hit record that you've got a Cessna Bird Dog. For the idea of piloting, I would love to get a pilot's license and just fly all over the place. I'm a big fan of it. So you're doing what I hope to be doing. So if we get more sponsored episodes, we need a whole lot more for me to get a 20, that's for sure. So I'm gonna, I'm gonna fanboy out over here and say, OK, tell me about what it's like. Like, you've got a plane, how did

you get into it? How often do you fly? Like, what's, I think the range of that's probably what, a couple hundred miles, maybe 3 or 400 miles, or more than that? Yeah, it's, so the, cruising, let me back up a little bit. The, the Bird Dog is, is a military airplane that was designed and built, really, in the Korean War, but used extensively in Vietnam. And it was built for forward air control and reconnaissance.

So it was built to fly low and slow so that pilot and observer could see what was going on on the ground and report back, either to direct an air strike or to direct artillery or just to report back on, on enemy troops and that. So that, that was its mission. It's not what you would call a travelling airplane. Like, it's not going to, you know, if you, if you need to make a weekly commute from North Carolina to Dallas, that's not the airplane you'd want to

do, because that would be true. Is that what you're saying exactly? But what? Actually, one of the reasons I moved to Idaho is Idaho is really well known for the mountains and rivers, and the fact that a lot of the rivers have almost no access to them, either by, well, no, no road access for sure. But they do have lots of little grass strips that have been built either by the Forest Service or BLM or Idaho Fish and Game, so that those people can go out and service the areas.

And those are available for, for pilots to use. And the Bird Dog's an ideal backcountry airplane for that, because it can get in and out of very short, unprepared strips very easily. And so that's, that's one of the reasons I'm here in Idaho. And one of the reasons I, I got the Bird Dog is, is to spend more time flying in the backcountry, which is, is just wonderful. I mean, to answer your other question, I started flying in the 80s, but it started out in gliders, and I ended up doing a lot

of commercial rides in gliders. So I'd fly people out over Massachusetts Bay in a glider. And then, you know, we were flying in and out of Plymouth at that time, and I got my power rating in '95, I think, and been flying ever since. So I, I typically, I probably fly every other weekend somewhere, not, I mean, generally it's maybe within an hour, hour

and a half, something like that. But there are so many little backcountry strips in Idaho. There's endless places to go explore, and you land someplace, there's nobody around. You have a, you know, you know, beautiful creek, or maybe you have the Middle Fork of the Salmon River, the Snake River, one of those, those kinds of wild rivers. You're a trout fisherman. You know, you're all set.

You're set for life. And you can just, you could camp or you could just hang out, stick your feet in the water and, and commune with nature for a while. Wild. That sounds so, so awesome. So you mentioned being able to, like, drop into, like, a scenario like that. I mean, short runway, you mentioned sort of the short landing and takeoff. Like, what's the, I guess, give me a sense for, like, how many yards or feet or whatever it is, like, of space do you actually need to

take off and land in this plane? So, so probably, if I'm on grass or gravel, yeah, sort of in the 500 to 1000 feet is plenty. If I'm on asphalt, it can be a little bit shorter, but none of the backcountry strips are asphalt. So, and, and the, the Bird Dog that I have has, has had some modifications made to it. So it has, it has, it has more horsepower and wings that have been specially modified for extra lift and, and for slow

flight. So it can, it can get down, like once the wheels touch the ground, I'm probably stopped within 100 feet. Wow. And a racing stripe, maybe, for speed. Aerodynamics. Yeah, there you go. That's pretty cool. What's the worst weather you've flown in? Give me a hair-raising, hair-raising story. Let's ramp up the drama. OK, so the, I, so I haven't had any weather-related incidents other than once, flying in a glider.

I, I used to race gliders when I lived in Arizona, and the idea would be that you, you launch a bunch of gliders at the same time and then you have a, a designated race course. So you go to Wickenburg and then go to Prescott and then go to, you know, some other place and then you come back, and whoever goes around the fastest wins. So that's the idea.

And it was a day where there were some big cumulus build-ups that were, were, were eventually going to turn into thunderstorms, but those also have amazing lift, those big cumulus clouds. So I was cruising along in, in my glider, getting closer and closer to the bottom of the cloud. And we have the regulations that say you have to maintain a distance from the bottom of the cloud. So I put the stick forward to start descending and going faster.

But the thing just started sucking me up into it. And I was really struggling to not get sucked up into the cloud. And once you get into the cloud, you have no visual reference, and you can't tell up from down or left from right. And you end up losing control within, yeah, within 30 seconds or so. And I had, I pulled the spoilers out to descend, I had the nose down. I was probably going 130 or 140. And it was just barely creeping down.

And all of a sudden you hear this huge bang, no idea what that was. And I have this rush of ice-cold water running down my back. And it turns out that it had just started to rain. It was, you know, a thunderstorm that had just started. The crack I heard was a thunderclap somewhere. And that water was just leaking in through the canopy because it, it hit so hard. It just poured in through the canopy and got sucked right down

the back of my shirt. So the bang, you're worrying about trying to get out of this cloud, the bang and the ice-cold water running down my back all at the same time was terrifying for about 10, 15 seconds. Then I realized what happened and it was OK. So, and then you got that one well enough to be out of the lift from, from the cloud? I basically just, you know, gunned it out from underneath the cloud, and once I got outside the cloud, it was fine.

When did you fly again after that? Or, yeah, that, at that point it was lighter, but like, did you, like, all right, I'm going to take a break for a couple minutes? I, I, I actually didn't fly for a couple of weeks after that. Yeah, OK. Yeah, Jim, can we get an IDAC plane? Like, we'll go on it, and like, is, is that an appropriate business expense? I don't see why not. You'll have to check the IRS guide for that though, Jeff. I have a feeling they wouldn't go for that. Sure. Come on.

All right, well, let's go ahead and write it off, though we probably couldn't find that. So unless you do a lot more sponsor spotlights, yeah, like one every day, that's probably the way we'd have to do that. So I'll, I'll, I'll talk to our marketing people and, and see what we can do to help you out. Yeah, well, well, I'd say let's get, let's

Conclusion and Final Thoughts

get the plug in then, you know, semperis.com, S-E-M-P-E-R-I-S dot com. Gil, thank you so much for spending time with us. We're going to have a bunch of links in our show notes. Definitely encourage people to go check it out. I mean, this is something that's almost like a no-brainer. You need to have something to protect your environment, and this is a good solution to do that. So with that, we'll go ahead and wrap it up for this week. You can find Jim and I on the

web, idacpodcast.com. And of course, we're always on LinkedIn. And then, yeah, our YouTube channel, idacpodcast.tv. We'll take you straight to it. So want to thank everybody for watching and/or listening. Gil, thank you so much for your time. And we'll talk with everyone else in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at

identity@thecenter.com. See you next time on Identity at the Center.
