Video: Going Beyond Recovery with Rubrik Identity Resilience | Duration: 2910s (48:30) | Chapters: Introduction and Introductions (0:00), Identity Resilience Strategy (0:54), Identity Security Landscape (5:20), Remediation and Actionability (9:51), Surgical Rollback Capabilities (15:47), Active Directory Recovery (21:56), Hybrid Identity Recovery (26:41), Actionable Risk Remediation (30:27), Rubrik Change Management (38:12), Actionable Threat Intelligence (40:02), DNS Recovery Methods (43:57), IDP Expansion Plans (44:44), Licensing and Availability (45:21), Trying the Product (46:30), Closing Remarks and Resources (47:03)
Transcript for "Going Beyond Recovery with Rubrik Identity Resilience":
Alright, everyone. Great to meet everybody. Thank you so much for making time to attend this Identity Week, I guess, for that podcast. What are we doing? It definitely feels like a podcast, but it's a webinar. Yeah. I have Joe Rogan's haircut. So we're winning there. Thank you so much for the patience there. We were getting our ducks in a row over here. First of all, let me introduce myself. My name is Carl Norrish. I'm the director of go-to-market for the identity portfolio here at Rubrik, and I'm joined by Noam. Why don't you introduce yourself real quick? Yeah. Sure. So, hey, I'm Ron Pharrell. I work with Carl and our go-to-market teams on anything we're building around our security products. I actually joined Rubrik from an acquisition they made in the DSPM space, and I'm loving what we're doing. So truly excited for our conversation today. Honestly, we wanna have a conversation with anyone, so please keep the Q&As coming, the questions coming, and we'll provide the answers, hopefully. But, yeah, let's get started. Yeah. Absolutely. So before we even get into the slides, I think a little bit of context is really important. How did we arrive in identity? Because everyone commonly knows the Rubrik brand around something we've dubbed data resilience. And that's the idea that if you have any kind of an outage, whether it be malicious in nature or operational in nature, we give you an assured ability to recover. And that's everything spanning from VMware to SQL databases, cloud, SaaS, and so on. And if you think about the old NIST model, it was about seven years ago. I believe the nomenclature was a hard outside and a soft, chewy center. You can almost think of Rubrik's evolution as the inverse of that. Our entire company culture, product innovation, and what we do now has been really focused on that center part, which is the data, and hardening ourselves outward as we work all the way out to the edge ultimately.
And identity is a great example of that strategy kinda coming into practical play in terms of products. As we get into this, to give you a quick history on Rubrik's, you know, experience with identity, I think that's really important, is that we've obviously been working with identities for a long time. We've been protecting Active Directory and Entra, for example, for almost three years now. Have well over 2,000 customers who use that offering. And then, late last year, we launched something that we called identity recovery. This is the idea of expediting a recovery if you had some sort of an outage around your IDPs, specifically focused on Active Directory and Entra in a hybrid deployment. So solutioning around how can we minimize your outage time in the case of a bad actor attacking, and there's, unfortunately, lots of examples of that. And this is the next logical turn of the crank for us, which is resilience. So really what we're gonna discuss today is that you're always gonna require a capability, for pragmatic reasons, of how can I assure the business an ability to recover the IDP? But now what we're gonna talk about today is how can we make it so you never have to hit that big scary red button. Yeah. I'd like to quickly add. When we say resilience, I think a lot of people in the industry are trying to use this term. For us, resilience is simply assuming breach. Yep. That's the mindset you should operate as part of, and have that preparedness of you're assuming breach. How do you minimize impact, minimize downtime? And that's what we'll cover. Yeah. Absolutely. And that's exactly the goal here, is that everything's oriented around recovery time effectively. And, again, the goal here is how can we make it so RTO isn't really in play as much as how can we just make it so you don't have to hit the big button. So with that, let's kinda start off with every sales guy's favorite thing, a stat slide. But I think this is really important.
And so a couple of data points here. Just, you know, there's a lot of busyness on the screen, but I think this is the important part. Is that if you think about the idea of any kind of incident that you have of a cyber nature, over 90% of the time it was an identity-driven vector in terms of how they gained access. Now the actions thereafter could span from IDP disruption to data exfiltration and the like. But again, the vector is typically identity-related incidents, and that's normally the beginning point. Gone are the days, and I'll date myself, Sneakers. I don't think you've ever seen that movie. Robert Redford, pretty good. Okay. Physically breaking into a data center. Okay. I'm sure that still happens to some extent, but I think we can all agree phishing, social engineering, and the like are really the drivers. Right? Now the other stat that's really interesting, though, that I think is very relevant, joking aside, is that we've seen a huge uptick in bad actors attacking IDPs specifically in terms of business disruption to cause maximal pain. In fact, Gartner at their IAM conference in Grapevine this last year added resilience to their framework to acknowledge the impact that the IDP under attack could have on the business overall. And the last graph here, I don't wanna be too hyperbolic or anything like that, but I think this is kind of the reality, is that you, the customers, at the end of the day are spending more and more on preventing, you know, intrusions, whether it be incident-related or the like. But, unfortunately, the attacks themselves are still on the rise no matter how much money we tend to throw at it. So this is really kind of a real crossroads of I'm making the financial investments. I'm acknowledging the problem, yet the outcomes aren't as ideal. And we're hoping that we'll have a good spin on how can we give you convergence for reduction of vendors, but also give you a better outcome. And that's really gonna be our goal here.
I think it's important to talk about this, though, even though it may be extremely obvious to everybody. But did you know that when Active Directory goes down, you're having a really bad day at work? You hear that, Noam? I hit that. It's a rumor. Yeah. And, truthfully, when we speak to customers, if they've been through this, for some of them it might be the worst day of their careers. And if they're not, then when you see this, this could be a disruptive day. Yeah. Absolutely. And so, really, again, the focus here is that we have a great solution, great success around the recovery aspect of this, but we wanna get it to a place where we're not having to go through this. So really what I wanna do initially as we orient ourselves around this talk is, or actually, I think, Noam, you're gonna go and orient us around this. That's a very good transition there. We planned this. Yeah. No worries. But you know what, Carl? I think just one comment about what we're seeing in the industry as a whole, with Palo acquiring CyberArk. And it's not just us talking identity and identity being top of mind for Rubrik. It's actually top of mind for the entire industry. Yeah. And so the stats, it's literally Nikesh, CEO of Palo, also used this stat to mention how security, and we said identity, is a new security perimeter. I would like to add a thought here. Identity is a new talking point when it comes to accessing all the services. And because of that access, because the IDP is a key part of the infrastructure today, when it's compromised, it allows the attacker to quickly and easily disrupt other services. So what are we seeing today? If we're under the assumption that we're assuming breach, right, Rubrik is the assumed-breach vendor. We encourage you to operate under that mindset.
So once the attackers gain control of your environment, they could, at the hypervisor level, deploy malware. And now you have your domain controller. You have replications. You have redundancy. But sometimes attackers use that redundancy to actually replicate their malware. And then when they want, they could detonate and take down, compromise your entire AD environment. And that's the scenario that takes your AD down, takes your identity services down, and nothing's reachable. Ultimately, your business is down, I think, is a fair statement. Yeah. Fair. Yeah. I agree. But that's the disruptive end. How did it start? Oh, sorry. How did it get there? First, the attackers needed to be inside of your environment. They needed to be persistent. So if you had some reset, some changes over time, they needed to still stay in the environment. They had to escalate privileges to be able to deploy that malware. So it's not just I go in and I can deploy malware. It's not that easy. So they had to escalate privileges. And the way they could do it is GPO changes, changing a script, creating more privileged accounts so it's not just that initial user. And then, if you get rid of one account, they could hop to different accounts, different users, and then they could move on to the attack and disrupt. But how did they get here? Right? It is a fair question. So it always, always, always started with some initial risks and exposures. Attackers are using stolen credentials a lot of times. And with those stolen credentials, they will look for accounts with no MFA. Yeah. Some misconfigurations or IOEs, indicators of exposure, where you have delegation enabled, for example, where you have some weak tokens for service accounts. They will need one entry point here, and then they will look at how they could expand and persist in the environment to eventually disrupt. Yeah.
I mean, I actually had an opportunity at the same Grapevine, the Gartner IAM conference, which I highly recommend. I learned a lot myself. I talked to another vendor in the ITDR space, and they had mentioned an example where they identified a certificate that was for sale on the dark net, went to their client. Client's SOC said, ah, we got it. We have the same feed. No big deal. Yeah. But upon researching, they realized that it spawned 300 additional privileged certificates. So even though they had to kinda whack-a-mole that certificate that was identified, there were 300 points of persistence and backdoors that they'd left themselves. So, I mean, it's a real thing. They want you playing whack-a-mole, essentially. Yeah. Exactly. So the initial compromise is super important, but it's what the attacker does. Once they compromise that initial identity that is very difficult to track, they can then gain that persistence so that they can move on. Right? Absolutely. So what I'll do is I wanna orient us around something here. And this is a product statement. It's not just a fun marketing slide, but we call it the three R's internally. So, again, my job and Noam's job is to really read the market, talk to folks like yourselves, and identify places where we can impact change. Right? So we wanna be valuable. We don't want to be just kind of something you buy or get shoved down your throat or in an ELA or whatever. So we have to be really nuanced in our thought process here. And, really, our North Star in terms of everything we're talking about in this assume-breach type of an approach is actionability. We call it internally the three R's. So this idea of remediate, roll back, and recover. What I mean by that is, and Bipul even, our CEO, by the way. So hey. That guy at the bar, Bipul. No. He's actually our CEO, founded the company. Kind of an important guy, at least for us. Yeah. An inspirational figure, honestly, for us. Yeah.
He's a really good guy. I could go on talking about Bipul, but we have to talk about products. But the idea was that when we first pitched this to him, he said there needs to be a logical outcome to all the signals that we wanna provide. And I thought that was really good orientation for us as a product team and a go-to-market team. So in this case, what I would like you to do is, as we go through the slides and talk about some of the things that we're trying to impact, understand that everything we talk about in terms of signaling or acknowledging some sort of an issue is gonna have a logical outcome or an action associated, whether it be a remediation action to lower risk, roll back to undo damage, or ultimately, if you needed to, to actually execute a recovery. So, again, I just wanna kind of orient everybody around these three R's because it would be a good cheat code in your mind, and you can actually skip to the end as we're describing some of the things that are going on. So I'll also add, from, you know, coming from a startup, joining Rubrik, what I love about Rubrik is that we have to have an action Yep. Mindset. We have to provide some tooling and actionability for our customers. It's not just about alerting. It's what can we do to provide action. So this is the framework that we really encourage you all to think of as we present these concepts of remediating, rolling back, and being able to recover. Yeah. Absolutely. Why don't we just dive in and explain what remediation is? Yeah. I think it's the time for everybody to. I'll, before you go. Yeah. I helped, Noam, he and I brainstormed on this slide. I'm not gonna ask anybody to virtually raise your hand in front of your peer group, but this is one of those scary questions where I think everybody's guilty. If you can't tell, I have an operations background, so does Noam. But so we thought this would be an interesting way to frame this, I think. Yeah.
So go ahead. Yeah. I mean, for me, the webinar is here to get us thinking, knowing new products, understanding industry terms. So just a quick question to everyone. Have you ever seen this command? Right? Have you ever called setspn, defining this, whether you needed to migrate a service account, whether you needed to troubleshoot some authentication issues? Just do a quick fix, and then we'll get back to it later. Right? So that's one change, setting an SPN. Have you ever enabled delegation? And, yes, we see the pop-up in the window saying that delegation is a security-sensitive action. But just temporarily, let's just do this change, get back to it later. Right? So we've all done this. We've all needed to get on with our job, fix something, troubleshoot something, and then we said we'll get back to it. Right? We've all done this. I believe most of us have not actually done this, so this is allowing anonymous access for AD, but this is just to put it out there and say, yeah. We've seen some crazy things happening and some crazy misconfigurations. Can I add there real quick before we move on? Because Well. Just to give you an idea of how ridiculous this may sound, one of our early clients, we support Entra as well. And we actually saw an Alexa app in their enterprise apps. Oh, wow. Okay. Just saying. I mean Alexa as in someone's home Alexa? Yeah. Inside of a healthcare company's Entra. Wow. I didn't know that. Yeah. Fun fact. So this is all meant to say is that I think the acknowledgment I wanna provide here is that this is not meant to dare you guys or challenge anybody, but I think we all deal with constraints, and our bosses are all asking more of all of us. Right? You have backlogs, you have change management, you have GRC telling you you need to do this, you have other people you need to do that. Yeah. And sometimes you have to make pragmatic decisions in the moment.
But the thing I would say is that any variance of all of the things you're describing, and well beyond this, is, like, it's not necessarily the one thing. It's a combination of two to three to four things plus time. Right? So, anyways, that's why I thought I'd add a little bit of color here. So No. Correct. I love how you put this. It's the combination. Sometimes one change doesn't lead to complete compromise and persistence, but it's actually a combination of those misconfigurations. The example that we give here is a real one. Attackers can use the SPN and delegation change in combination Yep. To actually compromise your AD. Right? The example is they would get control of an SPN, then they would use Kerberoasting to crack the password, or they could actually grab a cached TGT, the ticket-granting ticket, for a pass-the-ticket attack. So it's actually a real example that we see attackers using a combination of misconfigurations and continuous changes to your AD environment to actually use that initial compromise to then try to further expand and persist. Yeah. So what can we do about this? Again, immediately, what we want to achieve with this webinar is not just go on about industry changes, but immediately provide actionability and show you the product that we built. So with Rubrik risk remediation, we show you IDP misconfigurations, identity hygiene issues, overprivileged accounts, also separating users and nonhuman identities, your service accounts. So bringing it all into one place, giving you a risk score. And as we mentioned before, actually being able to remediate this, and we'll show it in the demo. Yeah. Absolutely. And I think that's, again, is it, I think, isn't there a term? You're more security than I am. I'm getting better. I'm on a recovery path to get off of infrastructure, but signal fatigue Yeah. I think is a real term.
And, you know, again, while we're providing signaling here in peacetime, so to speak, the actionability is really what we feel like is gonna be the differentiator here, because think about what Rubrik is. Again, I talked about the idea of data. We're a system of record. So we understand configuration drift because we have the benefit of capturing these recovery points for the purposes of backup recovery. So we understand heuristics. We understand historicals, and we can understand drift. But more importantly, we can also instill change. And that's the biggest thing, is that being able to not only flag these risks that may be there and saying, okay. Great. Now I gotta log in to AD. I gotta go Google and use AI. What command do I run? Or you could simply click a button inside Rubrik. We'll go into your production IDP and go actively lower your risk. That is really the win or the outcome that we're trying to convey here. Yeah. I agree. Awesome. So checkbox number one. I'm very proud of that. I found that check all by myself. So my PowerPoint skills are beyond. Yeah. So We got it. Check number one. Alright. So keep on going here. So when we think about rollbacks, right. First, we move from the initial compromise, moving to expand and persist. We think of the signal that you're getting from your alerting system, whether it be from your SIEM, from Defender, or from any other tools that you have. When you get that signal, that system, that tool needed to correlate a lot of different changes that the attacker did. So when I get the signal that, yes, Carl is a compromised identity, Carl might have done several changes to your IDP so that they could gain the systems, the escalated privileges, etcetera. Right? So once you gain that given signal, what were all the changes that were made before Yeah. You got that signal? I'm a storage guy, so I'm gonna use a storage reference.
But I make fun of vendors too because, again, I was on the customer side for a short spell, so to speak. But I'm always pragmatic because I take cheesy sales. And everybody overuses this term real time. And let me just say, on the vendor side now as, you know, a builder, like, real time is real hard. And it's not really practical in a lot of cases. So I think what we're conveying here is the reality is that you've got, again, this is not challenging your approach whatsoever. Mhmm. You're doing the right things. If you have an ITDR solution that's looking at certain things, you have a SIEM that's correlating logs. All of that stuff takes time for us to reverse your ecosystem, get correlated, and then for it ultimately to give you a signal that's high fidelity in nature. Because the reality is too, you might have a very noisy system where you miss stuff and all those types of things, and then that means your backlog. So that means your response to the signal, even if you have a SOAR in place, could be somewhat delayed. So all of these things are important to understand, that we're not challenging the ecosystem and the SOC. I'm assuming they're doing the right things, but the aspect of saying real time, I think in practicality is not really practical. And I think that's what we're trying to kind of insinuate here, is that you're gonna get a signal. You're gonna take containment action. You're gonna follow your SOAR, and I'm sure any mature shop would do so. But the bigger question is at what point in this timeline that you see on the screen did that signal come? I think that's a fair way to kinda summarize it. Absolutely. We would encourage you to have your tools in place, have your SIEM, have your ITDR tools in place so that you can contain Yeah. That breach. Right? Again, Rubrik mindset, we assume breach. Yeah. So when we assume breach, when we're given that signal, we can see all the actions that the attacker did.
And then, again, actionability. What we want to be able to provide is being able to roll back all these changes that were made to the IDP. So that's the key takeaway that we ask everyone here to think of Rubrik. Rubrik can roll back all the changes that that specific compromised identity did. It's not just about containing the identity, isolating their endpoint, isolating their identity, or even refreshing the token. That's key to containing. Yeah. But for Rubrik, as Carl mentioned, as a system of record, we can roll back to a known good state of your IDP. Yeah. Right? It's surgically being able to look at these changes and rolling them back. Yeah. And I think the thing that I would convey here, and everything that Noam said is spot on. But think about what drives a forest recovery, which is a product that we've done very well with. We have over 200 customers now, I believe, which is kind of mind-blowing. They're using that and many more to come, hopefully. But if I'm being really honest, and we'll talk more about forest recovery, we will make it as easy as we possibly can. But the reality is rebuilding your IDP is a thrashy thing operationally. There's a lot of, like, things that we can't control that are just gonna be part and parcel. So our goal, again, as I said at the onset, is you need to have that backstop. It's pragmatic. It's important. You have to be able to recover your business. But a lot of the times when your SOC team declares zero trust, I no longer trust anything, it's because they can't figure out what happened or they're not confident they can unwind the damage. And that's what we're trying to provide. It may not be a silver bullet, but what it is gonna allow for you to do is that's clear insights and understanding and also leveraging your ecosystem. I can't speak to some of it now, but it just occurred to me there's a name of a company on the screen. Somebody zooms in. You can get an idea of what we might be up to.
We're not trying to replace your ecosystem. We're trying to be a participant in it. And by converging signals from other providers plus our own signals, if we can give you a high-fidelity understanding of all those changes in that timeline where they took place prior to that signal and give you the ability to surgically unwind that, maybe you'll be in a position where you don't have to hit that big red button, so to speak. And that's the goal here. It's all around actionability, getting to the last known state, but doing it with the least amount of friction operationally. Yeah. And, again, that big red button is key, and we'll see how we built it in a fairly simple manner and are able to actually hit that button. But still, when you hit it, there are some changes that could have been legit that you don't wanna roll back. You don't wanna revert to. Right? And the rollback feature allows you to only take out, carve out the changes that are undesired, that are potentially malicious. So that's what we think is a huge differentiator here. Absolutely. So and then moving on here. Another checkbox. Again, real proud of finding that on Google. That we're obviously on to the end of this, but also the beginning as we started to talk, is the idea of that last big red box. Right? So the thing that I would say is that I got asked to lead the identity group almost a year ago. August. Yeah. It's been a year. Look at me go. Right. I'm very proud of myself. But I remember when I got approached, I was thinking, and I feel like everybody in IT has touched AD at some point in their career. You just can't kinda get away from it, including myself. And I was thinking to myself, oh my gosh. I'm gonna have to learn what's changed. And then I started reading a little bit and getting, I was like, oh, that's good. It hasn't changed that much at all. It's still AD.
And as I got into that, I started thinking about, you know, obviously, the forest recovery, which is a recommended response to a zero trust. And even then, I was thinking, like, they had to solve that. And then I logged in to Microsoft and saw how they want to inform your IAM folks on how they execute a full recovery from a system state backup. So, again, what we're describing here in terms of pain is not the backup mechanism. Now the thing I would challenge everybody on this phone, or maybe on our webcast, so yeah, so hold on and hang on, do one of those anyways. Is that, you know, we're very good at getting a system state backup. But what the value from where we get is this assured ability to recover. The data is gonna be locked in time for the immutability. We've layered the entire system in such a way that we can assure the data is there. But at the end of the day, if I get a good system state backup of your Active Directory using wbadmin, VSS, everything's dialed, this is still what you're gonna have to refer to fundamentally, is you're gonna have a 175-page-ish document that you have to execute serially, and you probably have a limited amount of folks who are able to execute this. Now what we wanted to do here in our key value, and I do wanna call out, because the idea of doing automated forest recovery is not novel. But, again, our differentiator is the fact of our assurance to ensure the availability of the data for the recovery itself. Now within that, we did try to make it a little bit better than some of our contemporaries in the identity space. And in that regard, what we've done is taken a 175-page document and reduced it down to essentially a five-step wizard. Now the reason I called this out is that, first and foremost, if we can automate our way into this, but not skip anything that is required by Microsoft, and I do wanna call that out, we're not short-circuiting anything in terms of, like, it's all Microsoft supported.
In other words, in terms of the steps that we take, we follow all best practices, but we wanted to reduce the steps down because that does two things. It eliminates human error because, presumably, if you're using this tool, it's a high-stress situation, because it's probably the beginning of the recovery, presumably. And secondarily, this empowers more people within your organization to be able to execute the recovery. So when people are on PTO, vacation, because this is the other thing. Hackers will disrupt business at the worst times on purpose. Fourth of July, Christmas, so on and so forth, is they're gonna do things. So you need to be able to empower more people. So that simplicity drives a tangible outcome, and that's what we were going for here. Yeah. I wanna touch on it. I had a customer ask, because they haven't been through it, and we're seeing a lot of organizations do panic. I think that's okay. But, again, with the assume-breach mindset, you can have a plan. First thing is, is your backup available? Yeah. Is your recovery system, can it survive the attack? That's key. And then, as Carl mentioned, do people know their roles Yeah. When they will need to respond to a ransomware event? Right. And then even if you know your roles, what happens if you're called out of the office? Yes. It's because we're here on a Sunday. Right? So it's knowing that role, having a real plan, understanding that things will go wrong, and making sure that your tools can be able to recover and assist you in that case. And that's maybe a best practice. Maybe you could share outside of the product. I had a client who was funny. They actually went through all the tabletops and everything. Okay. They had it all documented. I was actually really impressed. Do you know where they stored them? No. SharePoint. Okay. If AD and Entra go away? Can't access. You can't.
You said there's little things where I would nuance and encourage you to really smoke test some of your processes Yeah. In an operational way. So anyway, but back to this, I mean, again, first and foremost, we gotta get anything that's Kerberos authentication driven. You're gonna need Active Directory back online. And the reality is most of those are hybrid deployed. Right? Using both Active Directory and Entra as the IDPs of choice for your on-premise versus your 365/Azure resources. Now I got a little bit of a cheat code because a lot of times, being, again, a builder, like, a zero-to-one guy or whatever term you wanna use for what I do, is that I talk about this a lot, is that I can interview everybody on this webcast, but no matter what we end up building, it's gonna be an opinion-based decision in the v1. Right? Mhmm. And then you wanna pivot, if you're me, into what I call a data-driven decision. Meaning, people are actively using the product. They're informing me on what I'm missing. I got the cheat code because we've been backing up Active Directory and Entra for over two years. I had almost 2,000 sample sizes to see how folks were deployed. I mean, others, of course, I'm not taking all credit. There's people much smarter than I in my ecosystem. But we identified very early on, like, hey. Most of the world's hybrid deployed. They have both AD and Entra, and whether they have an AADC appliance or whether they're using Entra sync, there's an interdependency there that wasn't being addressed, again, with some of the contemporaries in the market, and that's really what we drove towards, a single offering that could address where you're at today, hybrid deployed. Now for those who were uninitiated here, let me give you a quick little reason of why, a part of why, we're talking about AD. How do you arrive at Entra? Right? Here's the thing. AD and Entra are disparate IDPs. We agree on that?
They're from Microsoft, but they're disparate. AD doesn't talk Entra. Entra doesn't talk AD. So this Entra Sync, or the ADDC appliance, what it's doing is there's a database essentially in the middle. It'll take a SID from AD because it uses SIDs, old school. Right? And it's hierarchical. You have Entra, it's flat and it uses GUIDs. Right? And what that database is doing is it's mapping the SID back to a GUID, back to, ultimately, the enterprise apps, app registrations. That's what gives your users permissions to access their SharePoint, OneDrive, and so on. Right? Yep. Here's the rub. You get a text. You have the worst day, the hyperbolic thing that Noam and I are talking about, and you have to do a forest recovery. Your Entra might have survived. In fact, it probably did. Here's the thing. You rebuild your forest. You have a SID reset. You do the dreaded resync. And then by resyncing and changing all of the SIDs, you now get new GUIDs, and you've now broken Entra. Yeah. When we say broken Entra, I think it's your conditional access policies. Right? Our enterprise apps. Like, just initial access. Yeah. Much less conditional. Right? You literally have a new GUID, so you don't have the relationships there any longer. Agree. So what we built to complement this, or to address that, I should say, is that not only do we back up the data and user groups, roles, enterprise apps, app reg, conditional access, but we also back up via the UPN. And that's important because that is persistent even in the case of a GUID change. Mhmm. And we also back up the relationships themselves. So that was mapping from Carl Norwood back to enterprise apps to the SharePoint, back to the SharePoint for access. We back all those relationships up. So what you're able to effectively do is not only restore Active Directory in two hours or less, is what we roughly see regardless of your size. Mhmm. 
And again, having that assured ability to recover with immutability, both in a box, whatever term you wanna use. But we're also able, after you resync, which you're gonna have to do, to go in and restore all of the permissions that were in position in your Entra environment at that point as well. So it is truly a full end to end hybrid deployed recovery solution that's meant to drive down your outage time. Yeah. A customer actually gave me this idea when we talked about the relationship. He said, oh, so Rubrik maintains the label of the identity. So, essentially, if I think of a car as an identity, how do I maintain the relationship between the two IDPs and that label that car is just car? It's a car. Right? Like, they don't care about that dependency and how you make sure that when one IDP is down or compromised, how you maintain the recoverability of both. So Absolutely. A good term to say. I like that. Yeah. A lot of the things I say, I've stolen from the conversations with practitioners like everybody on this webcast. So thank you for that. So ultimately, I got my last checkbox there. And, again, this is all oriented on the action. That's what I want you to walk away with, is that we're not trying to displace your ITDR solution. We're not saying don't buy Defender across. Right? That's not it. What we're trying to do is figure out how can we give you practical value in terms of the white spaces out there. And the action appears to us to be beyond containment again. The action, the rollback, all the surgical nitty gritty stuff, lowering risk going into the IDP. How about we easy button all of that for you, which again, ultimately, we're hoping will relieve backlog and just make you more secure in general. So just to kinda round this off is that what I'd like to leave you with, then we're gonna hop into Noam's gonna drive a quick demo here. 
Is that, like, rolling back to these three r's again? Again, we're gonna identify risk in your IDPs, both Active Directory and Entra. We're gonna give you the ability to do in app remediation, meaning you click a button when you see something you don't like. We're gonna be able to actively reduce your risk. And every time you take a backup of your Entra, we're interrogating it, and we're updating every 30 days. We have dedicated threat intel engineers that are hard coding these rules into our platform. So this is not static. We're updating actively based on the attacks that we see out in the market. New zero days, we're able to start updating ourselves. So it's something we're continuously doing. So not only are we continuously inspecting your environment, we're continuously making ourselves better. Now the rollback part of it, again, is that we are doing tamper proof monitoring of both GPO, privilege escalation, privilege creation, delegation, and the like. But, again, there may be some overlap there. What I would challenge everybody on the phone with, though, is that if you need me to have a service running just for the basic function of recovery, what's wrong with two systems looking at your GPO? That's terrifying. Right? So first and foremost, we have our own signals that we can provide into your ecosystem through SIEM integration. Again, some third party integrations direct. But the thing I want you to take away here is that we're gonna give you the ability to surgically go back, compare, and roll back all the bad actions that happened prior to the signal, which is really the important part. Again, the signal real time is real hard, is the thing I would leave you with there again. And so we feel like there's a real opportunity for us to make you more secure and make everything more actionable. And then the last part is that you can always rely on Rubrik. Again, we assume breach, as Noam was saying. 
And in that regard, pragmatically, we all have to have a big red button that we can hit if all else has failed. And we're always gonna be here to provide that for you in terms of the orchestration, reducing downtime, and assured ability to recover. So the last thing I'd leave you with before we do the demo is it's not just us. As I mentioned, we have over 3,000 identity folks who are customers who are using identity in one way or the other. Rubrik has a very strong practice here, and we're continuing to invest very heavily. So with that, I'm gonna stop talking, which I'm sure everybody's ready for. And, Noam, why don't you go ahead and let me get you set up here to do the demo. There we go. Sorry. But quick shout out to our customers, really. This continuous innovation wouldn't be available without the feedback that we've been getting and the amazing traction. So it's been absolutely brilliant. So thank you. So let's actually see just two, three quick examples of this actionability. Right? So we can see Rubrik is introducing the concepts of an identity resilience room. And the first thing is I can see the protection overview. Do I have my forest protected? Do I have my domain protected? Which tenants in Entra? Bring this all together into one place so that I can see and give a risk score of my identity posture. So we cut it down into separate categories of your IDP configuration, your identity hygiene, if you have excessive or over permissive rights, and how is your authentication, for example MFA, configured. So the way you can go at this is if you wanna look at it from a risk perspective, one sec. Yeah. Let's see here. If you wanna look at it from a risk perspective, then you can see we bring it here, accumulate it into a risk page where it's filtered by what's absolutely critical. So you can quickly focus on that. 
So we talked about the delegation example. Right? We showed how easily you can just change AD. So with Rubrik today, you can actually see all those identities that are violating this policy where we found an indicator of exposure. And then if you want, you can click directly from here on the remediate button. Click on actions. You can create a ticket. But, obviously, providing actionability, disable the delegation, select the domain controller, and disable the delegation. So that's one aspect that you can do this with. The other is if you wanna look at your identities. Okay. It's the same file. Sorry, guys. My laptop is a little quirky. Yeah. And there we go again. I think there's nobody who has ever had a really good, successful live demo. You have to do this at least once. This isn't new. This isn't new. Yeah. It's a feature, not a bug. Yeah. Let's see here. Oh my gosh, guys. It's okay. We will get there. Yeah. We'll figure it out. Yeah. Let's see here. I think we're on a roll. That is impressive. We may need to flip over to Noam's computer because mine has decided, ah, got it. You got it? Yeah. So Okay. Perfect. Okay. So, again, a quick recap. I can view this from the identity perspective as well. So looking at the identities, if I want an auditing perspective, what do I have in Active Directory? What do I have in Entra? Separating it into users, groups, service accounts. So this is what we call the ID three sixty view, where I want to focus on a group of analysts and say, how are these configured? Are they overly privileged? Do they have MFA configured? In this example, look to your right. These are the indicators of exposure, or in this case, our risk engine will flag this as policy violations where I can click on the privileged identities and disable the delegation from here. So two views of looking at risk and exposure. 
One, from an auditing perspective, looking at your identities, or quickly focus on your high risk IOEs. Yeah. And how we're mapping all of this out is really important, is how we're creating it. We're using the MITRE framework, the industry standard as well. Yeah. But we're also juxtaposing that with the privilege of the identities themselves. So we're trying to, there's gonna be a lot of noise, of course, right, initially. We wanna make it, by how to eat a whale, one bite at a time. So we're truly trying to give you the priority and understand where's the most risk, and you can work your way backwards effectively. Yep. Again, using MITRE, but also using insights, using our signals, and again, ultimately using third party signals as well. Another example is the other example. When we say alerts, this is when we think about the rollback. So Yeah. What we show with risk is you want to remediate risk. You want to minimize your exposure. You want to make it difficult for the attacker to actually compromise and get inside of your environment. But if something is happening, if they're in and you see changes happening, we have a way of looking at the file system, comparing specific attributes, specific changes. And when we want to look at that, so for example, here, we see a GPO change, and we show you the exact change that happened here. I normally, by the way, Noam, when I'm doing this, I ask, but it's impossible on a webcast. But Yeah. I'm curious in q and a if anybody knows what kind of attack this is called, because it's meant to be kind of obvious. But, alright. We'll count to five, and I'll give them the answer just for funsies. Golden Ticket attack. You can see the timeout got put to effectively infinity here. Now the other thing I wanna provide here is that, again, you probably have ITDR solutions. I'm sure most of the folks here are Rubrik practitioners. First, again, what's harming? 
Nobody bats a thousand. I think that's fair. Backup and recovery wouldn't be in business. Yeah. But, secondarily, when we're looking at it, we are doing this independent of the Yeah. Any good hacker is gonna know to either flip the activity logs on and off or, you know, ultimately could mount it and even edit themselves out of what they have seen in some cases. But, I mean, why don't you finish that? I didn't mean to interrupt. No. A 100%. This is important. Right? How we get this change and making sure that it's tamper proof. But then with Rubrik, actionability, three r framework, what's the major takeaway? Rolling back that change. Right? So when we see the change, look at all the changes that happened to your GPOs. And then from here, you can roll it back. Just at the bottom. Yeah. There you go. Thank you, Carl. There you go. And then from here, roll back the change. It's amazing that it changes when you don't have it on your own laptop. But yeah. So this is key. And then as we mentioned before, you have the remediate rollback. Yeah. But with Rubrik, if you need to do the entire change, you can recover as well. Absolutely. And the last thing I would hit on here again, this is, pardon, my laptop is probably not set up well because you are smarter than me. But, like I said, that's him agreeing. But, ultimately, we were talking about privilege escalation monitoring. You see here in this example, because we're taking all the attributes from the identity and inputting them as well as part of our indexing process, we have this term in sales called time to value. That means how long does it take for my clients to get value if they decide to move forward? And in this case, especially if you have Rubrik in house today, your time to value is nearly instantaneous because these features are inherent. We just gotta turn them on. Yeah. So, you know, beyond that, why I say all that is I've already got your backups. 
I've already indexed them. I know your attributes. You just need the feature to expose them. So you get another alert here. Again, all this stuff can be integrated in your SIEM. We're not trying to replace it. We don't expect the IAM folks on the phone to live in our dashboard. That's not realistic. But if we send this over to the SIEM and I just saw the chief design officer has now got added to the domain admin groups, I gotta believe that might pique some interest. Yeah. And probably, you're gonna look at that and go, yeah. No. And then again, all around this three r's is all the actionability, being able to remove them from the group membership, and then going back and ultimately making the ensuing change in production, which is practically, in this case, rolling back the threat. Now the thing I would mention is that you saw on the slides that we showed a little bit of this convergence, and that will be getting out of the product in the very near term, in the next thirty days or so. So we wanted to show you our capability in terms of the actionability in a very tactical way. But, yeah, why don't we just go back just to kind of put our, now that everyone has a little bit of that context. As you can see here, once again, is that this is our ultimate goal, which is we have all the data. We just gotta build the front end and all that. But you see this revert all button. This is the idea of being able to look at an identity or a grouping of identities or a cohort, identifying all the changes with inputs from, you know, third party providers as well as our own signaling, collapsing it all into a single view and giving you an undo button, essentially. 
And again, when you think of time to value now, from you guys servicing your end users and your business and your employers and the like, I think I can make an empirical statement saying this is real value because of the meticulous pain of juxtaposing and doing swivel chair investigations, looking at different logs. Converging a lot of our visibility is value, but, again, signals alone are not good enough. This is also giving you the ability to take action in a very aggressive way, and that is very, very much the goal of this entire product set. Yeah. And one last thing that I'd leave, it's rolling back to a known good state. Yeah. I think that's key, and I think we can wrap it up. Yeah. I think we got it. We'll stay on for a little bit of q and a. Just so you know, you're gonna be stuck with me. No. I booked this flight right on top of a webcast, and I will talk about that later. But thank you so much for the time, everyone. If you have questions, I'll be hanging out here and answering your questions. And, I think, with that in mind, Chase, back to you, I believe. Yeah. Sure. So, Carl, if you're able to see the screen here, I'm just gonna start bringing up some of the questions that we got while y'all were rolling through. So first, we've got one here from Matt. Does Rubrik support any BYO threat intelligence feeds or just your own? It's just our own for now, but we are changing that. So there's gonna be two different things that we're doing. So I am talking over the horizon, but I do wanna say commercially, this would be inclusive. It's just time to market. We'll be doing two things. First, you'll be able to build your own IOEs, or your indicators of exposure, based on your needs. So that'll give you that lower posture as maybe suited to your particular needs, GRC requirements, and the like. 
Secondarily, we are gonna be engaging with a third party to bring the threat intelligence feeds in while we're looking for credentials and identities that are for sale and juxtaposing those with the inventory. So those are the two ways. So this is a direct answer to the threat feed, I think, was the question there, Matt. But if you're referring to the IOEs, we are gonna make it so you can build your own, if that was the context. And as I mentioned, in terms of feeds, we are planning, again, a bit over the horizon, hopefully at the end of this year, to bring dark net monitoring into the system as well. Cool. Yeah. Let's bring up another question here. Do you restore roles on domain controllers? We do. That's an easy one. Keep the easy ones coming, Chase. Great. I like you. Let's move on to another one. I shouldn't have said that. Can you select the DC that hosts the FSMO role holders, or is it the first DC that is hit used to hold our roles? So you can do it either way. So we think about it from a context of just recovery and backups. We recommend you deploy our service on all your domain controllers because if FSMO roles are seized by another domain controller, you never have a gap, and we're always looking for the PDC. So from a standpoint of hitting or alerting, we can look at as many of the domain controllers as you deploy our service on, and then we can converge all of that into our stack. So I guess, inherently, yes, we'll be able to find the first one that was hit, whether it was the one with FSMO or was a BDC. But typically, they're gonna target the PDC, I would think. Hopefully, that answered your question, Alexandra. Alright. Yes. She had a follow-up too. How do you restore DNS? So we do that, of course, but we are also, so there's a couple of things that we do in terms of recovery. Just to check that box, I know it's not the direct question. 
If you do a forest recovery and have an IP change, if you're running DNS services within the domain controllers, we do update the entries to accommodate the IP changes. We also have the capability to restore DNS directly as a service, or, of course, it's also recovered in the case of a forest recovery, for an example. Great. Do I get a thumbs up for that, Alexandra? Did I get it? I need that real feedback. That's kinda like the social media thing. Popping up the person to say yes. So Oh, cool. There we go. Yeah. All good. Alright. A couple other questions here. Let's pop this one on the screen. Does it work with OneLogin IDP? It does not yet. We are expanding our IDP coverage. To give you a little bit of a teaser, even though I'm not supposed to do this, is that our next IDP we're onboarding is Okta. That'll be announced here upcoming. So that's much as I'll say there. And then we are gonna be expanding. Our goal is to expand east west across as many of the IDPs as we can to give that convergence. And really candidly, Eduardo, it's like, we're trying to target the biggest ones, as you can imagine, for the bell curve of the market, and we're working our way kind of east west based on that. Cool. Couple other questions here. Actually, another several from Eduardo, so I'll bring those up. Alright. Let me read through them. Okay. So how does licensing work? It's based on active heartbeats, and it's one instance regardless of if you have, you know, AD and Entra. So it's one license for both. And it's only heartbeat. So it's active users. So we don't license service accounts, disabled accounts, deprecated, and the like. When will it be available to MSP? It is available now. We have a couple of providers, but I don't think it's my right to advertise for one versus the other. But the offering at Rubrik in general has an MSP program. So I'm not sure who your provider is, but this should be available to them as well. 
Third, is there any demo available on Rubrik Explorer? It is getting uploaded to DoorDash. I'm glad you brought that up. Yeah. So we actually wrote it and wrote it as loud. I believe it's deploying here pretty quickly. Lastly, we're not gonna share the depth per se, but we will get you additional information. And if you wanna go deeper dive on those types of things, I have an entire team that works for me, and they'll be happy to answer any questions. But we will give you some collateral for sure, sir. That's efficient. Or full on the door, though. Thanks. Making me look good. K. Last question here is, when can we get our hands on it, basically? When can we try it out? Today. So, yeah. So we can deploy it into your production. I find that's a little bit challenging with products like this, but we do have live environments where we deploy live AD on Windows and the like. You can inject alerts, risks, and the like and see it in action up to and including doing a full and complete forest recovery. So we have all those capabilities today, via thermal labs that we can provide. So you just need to reach out to us and we can set that up, and it'd be our pleasure. Cool. Folks, we'll hang on here another couple of minutes. If you got any other questions, sneak them in now. But I'll go ahead and say that over to the right of your screen, there's that docs tab I mentioned in the chat. But if you've not clicked over there and seen any of the resources that we have available to you, there's a couple good ones, including just learning more about identity resilience, getting a demo from us. There's a bit about where we rank in Gartner, so definitely worth reading up on. And we have a couple other webinars for this identity week. We had one yesterday that I mentioned. We have one, obviously, right now, and two more tomorrow. So click that second link. Check out the other webinars, see if they're relevant to you. 
We're happy to talk to you more about our products. And any other questions coming in, now's your last chance. And I'm also gonna bring up a survey, so just tell us what you thought of the webinar and what we can do for you in the future. But you have to say the presenter was amazing. Well, that goes without saying, Carl. Again, I work on that feedback. I'm such a child. Well, if there are any other questions, we will be hanging out. But again, I just wanna say again, I know these things can be a drain. I hope that everybody found value in this. I really enjoyed it. Getting your active feedback makes me better. So I thank you everyone for that. And, again, I hope that you found this information valuable, and we're happy to engage with you in whatever facility or way that you need us to. Well said. And wherever you are in the world, have a great rest of your day. Take care. We'll see you again. Thank you.