Video: Public Sector Identity Recovery Lunch & Learn | Duration: 21:56 (1316s) | Summary: Public Sector Identity Recovery Lunch & Learn | Chapters: Introduction to Identity (0:00), Identity Attack Landscape (0:52), Recovery Options Explored (4:23), Rubrik Recovery Solutions (9:14), Closing and Farewell (21:32)
Transcript for "Public Sector Identity Recovery Lunch & Learn":
Alright, we are live. Hello, everybody. My name is James Purvis, and I'm with Rubrik. With me I've got Brian Smith, who's my technical counterpart. I head up the go-to-market for our identity resilience and recovery solutions, and I'm super excited today to talk to you about Rubrik's unique approach to identity, because the identity market and the identity threat landscape are really evolving pretty heavily right now. So we'll give a quick overview of our approach, then I'll kick it over to Brian, who'll actually show you this in action, and then we'll take some time at the end to do some Q&A. So let's jump right into it. Awesome. So, like I was mentioning, this threat landscape isn't just growing, it's evolving. Identity has really become the bull's-eye for these attackers, and the attackers have it figured out: why break in through the firewall when they could just log in? In fact, 90% of identity-related attacks are targeting Active Directory specifically, because it's the backbone of enterprise identity. 600,000,000 attacks per day are happening against Entra ID, for all of you out there who are running in a hybrid world. And if the worst happens, what's really required is a full AD forest recovery, and this is taking folks a minimum of three days, up to seven; we've seen some even beyond that. That means three days of downtime, disruption and exposure before your users, systems and business can even come back online. And it doesn't stop there. Like I mentioned, there's Entra ID, the modern identity layer that many of you have. This is being hammered right now, every single day, because they know that from a cloud identity perspective this is the cloud identity perimeter, and if they get you there, there could be many, many SaaS applications that folks can authenticate into. So I think everyone would agree that's what's on the line here.
Identity really is the control plane. It's the set of keys to your kingdom, and if services like AD or Entra go down, really everything goes down. That means users can't log in, apps won't run, even your security tools may become unreachable. That's why attackers are targeting identity first. They know that if they can control your directory, they can control your business, or better yet, they can shut it down completely. And in a real attack you're not just worried about stopping the threat; you're racing to recover identity so the business can function again. So I want to walk through a real-world scenario. I'm guessing many of you are already following Microsoft's best practices: you have domain controllers that are geographically distributed, your privileged accounts are segmented, FSMO roles are all properly assigned. But here's the harsh reality: an attacker only needs to win one time. A single compromised credential, maybe from an employee clicking on a malicious link, can let bad actors slip past your firewall. Then, over days or weeks, they're going to systematically plant malware on every one of your domain controllers. Then, in an instant, they strike, and they will simultaneously encrypt or wipe out every one of those domain controllers. They're going to destroy your replication, nuke your SYSVOL, break DNS; your FSMO roles don't matter anymore; your failover model is completely toast. So your once redundant, highly resilient Active Directory is now reduced to nothing but a smoking crater. It's literally wiped out. And now, rather than just recovering from a breach, you're actually rebuilding your identity infrastructure from scratch.
So when I ask customers what they would do in this situation, and maybe it's going through your mind as we speak, I get a lot of funny answers, some not so funny. Here's a lot of what I hear. I had a gal just last week literally tell me, "I would crawl into the fetal position and I would just stay there." And I'm like, "Well, then what?" And she's like, "No, I'd literally just stay there in the fetal position." Most folks say this is a resume-generating event, because it's that impactful to the organization. So what are your alternatives here? What can you do in this situation? Let's say the worst happens: your domain controllers are wiped out and you need to perform what's called a full forest recovery. Microsoft does have a guide for this. It's a beast. You're talking about 150 pages, 20-plus manual steps, and a ton of dependency sequencing. It's super cumbersome, time-consuming and high-risk. It fails literally 80% of the time. And you have to do this per domain in the environment, so if you're a multi-domain customer, this just becomes that much more complicated. Even the most experienced AD admins sweat when they have to follow this playbook. If anyone on this webinar has had to do this before, I promise you they would say it was not a fun experience. It's not their favorite thing to do, hence some of the answers I get on the previous slide. And to be honest, in the middle of a ransomware attack you're not calmly flipping through this document. You're in a high-stress situation. You're on some sort of bridge call. Your execs are asking for timelines. Your team is scrambling to script recoveries and reimage DCs, and then it's really just a guess as to what the last known good state is. Even small mistakes, like missing a replication step or restoring an infected controller, can extend downtime by days.
The other option: a lot of you might be thinking, "Hey, I'm actually backing up my domain controllers, so maybe I'm good there." Well, that's just a traditional backup method, and simply backing up the domain controllers is not enough. If malware is already on that domain controller before the backup, all you're doing is restoring the same infection right back into your production environment. So that's not going to work. Then there are alternatives that do actually help you orchestrate this full forest recovery. There are several tools out there, but here's what we've noticed are some of the biggest differentiators between us and competitors that do a full forest recovery. One, many of them are just a point solution, where Rubrik is a fully encompassing cyber-resilience platform that's not only protecting identity in this case, but all of your data as well, as well as your cloud environment and SaaS applications. Two, these point solutions, the competing forest recovery solutions, are all running on Windows. That's the very same operating system that attackers are targeting, so this creates a huge attack surface with all the familiar vulnerabilities. And worse, many of these tools are deployed as VMs inside your own hypervisor stack. That's a huge risk. In fact, for those of you who are Rubrik customers, you may be familiar with our Rubrik Ransomware Response Team. For those who don't know it, that team is basically your friend in the fight in case there's a ransomware attack on any of our customers, and they've successfully helped over 300 customers get back to normal: over 300 of them have called in in this scenario, and 100% of them have fully recovered. But what that team has found is that 83% of these ransomware campaigns are targeting the hypervisor itself.
So if you caught that, with the competing solutions running as VMs inside your own hypervisor stack, your recovery platform is sitting inside the blast radius. And here's a big one that customers often miss with some of these other tools: Entra ID is licensed as a separate product, with a separate UI. So if you have one of these solutions in place, you should go check your licensing and see if you're even protected from an Entra ID standpoint, because that's super important as well. With Rubrik, it's a much better way, starting with the architecture itself. We do not run on Windows. There's no patching, there's no domain join, there are no privilege escalation vectors. It's built on a hardened Linux operating system, specifically engineered to minimize the attack surface and avoid the operational drag of constant updates. Second, we're physically isolated from your production environment. Rubrik doesn't sit inside your hypervisor, and that's a critical piece of this: it means that if your infrastructure is compromised, Rubrik still stands. It's completely immutable by default, meaning backups can't be altered, deleted or encrypted by ransomware, and it's all wrapped in a zero-trust architecture. What does that mean? We're layering in things like MFA to block credential theft, retention lock to make data truly immutable, and quorum authorization demanding multi-admin sign-off for any risky moves. In other words, we're not just protecting your identity data, we're protecting the system that protects your data. And unlike the competition, we are a hybrid recovery solution for both on-prem Active Directory and Entra ID, all from the same single platform with just one single license. There's no bolt-on, there's no extra UI, there's no surprise SKU.
The benefits of this, and what David's going to show you, break down as follows. First, a fully automated forest recovery capability. Rubrik handles the sequencing of domain controllers, FSMO roles, DNS, replication, all of it, so you can restore fast, under pressure, and do it all without guessing. Second, like I mentioned, your backups here are immutable by design, so ransomware cannot touch them. And before you ever bring AD back online, you can spin up a clean-room environment to test and validate recovery points, all free from malware, so you're never going to reinfect the environment. And if you need to bring back just a GPO, a deleted user or an accidentally modified group, Rubrik gives you the capability to recover granularly, down to individual AD objects, with full visibility into who changed what and when, so you can restore only what you need and not everything else. Again, it's a single pane of glass for both on-prem AD and Entra ID. The last piece I want to go through is our resilience capabilities. This is important because our goal here is actually to help you avoid ever having to do that full forest recovery in the first place. That all starts with knowing what's in your environment. So we'll give you full visibility into users, service accounts, group memberships and privileged tasks across both on-prem AD and Entra, and then help you detect misconfigurations, excessive privileges, dormant accounts and risky delegations, with built-in workflows to remediate them before the attackers ever get in. We're going to help you take action to reduce your identity blast radius before anything goes wrong. Again, our goal is to make sure you never have to go through that full forest recovery, because that should really be your absolute last resort.
Instead, Rubrik is going to help you roll back. We'll help capture alerts; we integrate with other solutions out there as well, like CrowdStrike ITDR, and capture those alerts and activity in real time. And we can identify exactly what changed, what was malicious and what needs to be restored. That gives you the precision to surgically recover without undoing any of the good work your teams have done since the attack. And then, of course, if you unfortunately do have to do a full forest recovery, that's where our recovery engine kicks in. You'll get an orchestrated, clean recovery of your AD forest, fully automated, tested in a clean room and hardened against reinfection. So whether it's a single GPO or a full-blown forest, you're back in control fast. The bottom line here is that Rubrik is helping you go from being reactive in this situation to completely resilient. You're no longer just hoping, fingers crossed, that your backups work. You're proactively protecting your identity infrastructure before, during and after the attack. So I'll stop sharing my screen. Let's see this in action. David's going to take control and show a demo of these capabilities. David, I'll turn it over to you.

Perfect. Thanks, James. Alright, can you all see my screen? Popping in sometime soon. There it is. There we go. Awesome. So, like we said earlier, we're going to go out and map your entire environment. We're going to look at all of the identities, human and non-human, within your environment, not only in Active Directory but in Entra as well, and also in Okta. Then we're going to go through and look at the posture of your environment and understand how much we can harden it, so that during an attack your attack surface is much smaller.
So we're going to look for things like delegation enabled for AD privileges, weak or no MFA, or service principal names defined for accounts, and let you see exactly where those are within your environment and give you the ability, from within the platform, to do the remediation. Like James said, that gives you the ability to do this all from a single pane of glass, so you can take these remediation actions from within the platform without having to go through an ITSM system if you don't want to. And then, like we said earlier, we're also going to look for things to roll back. We'll look at events within your environment, as well as alerts, and understand what's going on live as it's happening, to be able to tell you things like, "Hey, we had a GPO change in the environment that we would like to roll back." We can see what's going on and say, "Okay, we need to see what this one is," understand what the changes are, and then give you that same ability, like we saw with those policies, to roll these changes back, being as surgical as possible within your environment so that we don't have to do a full forest recovery if we don't have to. Then we'll take a quick look at Active Directory and give you the ability, like we said earlier, to do that granular recovery. We can go back as far as we need to and understand what the changes are on certain accounts. We can go down, take a full view of your Active Directory environment, compare the attributes, and understand what's changed on these accounts from that point in time to now. We say, "Yep, I want to do these changes here," save it, and then actually publish that back to Active Directory. So we can roll back and do a granular recovery of single users within Active Directory as well. And then what we're also able to do is a full forest recovery.
So if something goes wrong, say we've had an incident within the environment and we have to do a full forest recovery back to an independent or isolated recovery environment, what we're able to do is actually recover the whole forest. Like we mentioned earlier, without something like Rubrik this is a 100-plus-step process, and it fails 80% of the time. One of my favorite things is that you actually have to pull a calculator out and do math during this whole situation, which is very stressful. With Rubrik, you don't have to do any of that. We've boiled it down to just five easy steps. First: when do we need to recover to? With our view into the IOCs, as well as our threat hunting and threat monitoring, we're able to tell you what point in time to go back to. For the purposes of this, I'm just going to say latest. Then we can recover to alternative Windows hosts, where we're going to recover into that IRE environment. And this is really where we do most of the configuration. Do we want to configure DNS automatically through the platform? Do we want to use something like Infoblox or a DNS provider to put those records in, or do we leave it intact? We also do things following Microsoft's best practices, like rebuilding the global catalog, and we reset the KRBTGT password twice. We do that so that it's not cached: if you only do it once, it stays cached, and then you're just reinfected. So we'll just configure DNS automatically, and then we say which alternative hosts we want to send these to. Then that's going to push all the FSMO roles the way we want. It does the root domain first and then all the subsequent domains second, but all at once. Then what we need is our domain admin credentials from that point in time that we've recovered from; put the domain username and password in there, and basically it will go through and actually do the recovery.
And it will give you a little banner right here telling you exactly all the steps it took: it goes through all those steps we saw from Microsoft's best practice and does them for you, and then does health checks as well to make sure it's ready to go. What we also do is re-stitch your view back into Entra. We can go back in here and do a similar recovery to what we did for Active Directory: a granular recovery or a full tenant recovery. That allows us to go beyond just the Entra recycle bin of users and groups and restore things like enterprise apps, app registrations, and even conditional access, which governs how people can connect to our environment and what conditions they need to meet to access it. An attacker can go into your Entra tenant, make changes to all of this and basically lock you out. With Rubrik, you can actually revert that back and say, "Yep, this is how we want things to go back to," and then do that recovery. Recovering individual app registrations and enterprise apps can conservatively take, like, five minutes an app, and most of your organizations will have hundreds of apps, so that recovery is going to take hours. With this Entra recovery, it boils down to just a few clicks to say which ones you want to restore and then go back through and do that restoration. And so with that, we're able to stitch that connection back between Entra and AD and get you fully back online between your two identity providers within a matter of a couple of hours. Without something like Rubrik, this can take days to actually do that forest recovery and then start stitching back Entra.
And like I said, with Rubrik it just takes a couple of hours. Okay, so that's the demo. I'll kick it back over to everyone here for the Q&A. Were there any other questions? There's one about having more than one appliance: yes, the whole point of our forest recovery is being able to recover back into a DR area, or an IRE, so that you can actually restore and be good, and leave the compromised environment for forensics and anything like that. Awesome. Alright, if there are no more questions, we can go ahead and close this out. Please reach out to us if you want a deeper-dive demo, and we're happy to schedule that. We look forward to talking to some of you again in the near future. Thanks, everybody. Awesome. Thanks, everyone. Bye.