Cybercriminals are always searching for the weakest link in an organisation’s defences, and when they find it, the consequences can be catastrophic.
In recent years, Active Directory (AD) has emerged as a critical area of concern for enterprises, particularly with the rise of ransomware attacks. Semperis, a solutions provider focused on safeguarding AD, has been working to address these challenges. After raising US$125 million in funding last June, the company is now expanding its presence in Asia-Pacific (APAC), with its regional base of operations in Singapore.
Mickey Bresman, Semperis’ Chief Executive Officer, spoke with Frontier Enterprise about the evolving threat landscape surrounding Active Directory, the company’s holistic approach to AD security, and its growth strategy in APAC.
Active Directory has been around for a couple of decades, but over the years it required specialised cyber protection on a large scale. What changed?
The overall tech stack of the enterprise changed. If you think about where we were 20 years ago compared to today — especially over the last five years — three major trends have emerged that have completely changed the dynamics.
The first is the shift towards remote work. Working from home became widely accepted, and the traditional concept of a closed perimeter secured by a firewall largely disappeared, particularly during the COVID-19 pandemic.
The second trend is cloud adoption. With the rise of SaaS applications, organisations no longer control the infrastructure as they did before. This makes it difficult, if not impossible, to apply the same security policies as in the past.
The third is the adoption of bring-your-own-device (BYOD) policies. Organisations began allowing employees to use personal devices, like mobile phones, to access cloud applications. Previously, everything was centralised: an organisation’s device, network, and application were all under its control. Now, in a landscape where the network, application, and device often fall outside organisational boundaries, it’s critical to secure the connections between identity, resources, and access.
In the industry, we’ve heard a lot about identity becoming the new perimeter. This reflects the reality of modern IT architecture. Twenty-five years ago, the cloud wasn’t a factor, virtualisation was barely being discussed, and BYOD wasn’t something we heard about even remotely. Fast forward to today, and nearly every organisation depends on its tech stack to some degree. In many respects, all companies have become IT companies. For example, Singapore Airlines can be seen as an IT company that happens to provide transportation.
AD has become embedded in everything an organisation does. From an attacker’s perspective, taking down AD is an effective way to take down an organisation. Therefore, if I’m launching a ransomware attack, taking AD down is a very interesting strategy. We saw this with every company that didn’t have a dedicated solution for recovering AD — it took them days or even weeks to restore it. But recovery needs to happen in hours, not days.
AD holds the keys to the kingdom. If I, as an adversary, breach your AD environment, I gain control over your organisation. If I’m stealing data, the fact that I have AD under my control allows me to do whatever I want. All of those different pieces are creating the perfect storm, which is why people specifically target the AD environment.
From an external perspective, wouldn’t Microsoft already have enough safeguards for AD built in?
That goes back to when AD was created. It was developed in 1999 and released to the general population in 2000. At the time, the big issue was that servers were catching fire — disks would melt. The challenges were focused on ensuring that if, for example, I had 20 machines and one stopped operating for whatever reason, I could continue to operate. Or, if a data centre became unavailable, how could I maintain operations in that scenario?
AD can easily handle each of those scenarios. What’s changed is the cyber approach to disaster recovery and the types of threats organisations now face. The old approach to business continuity planning revolved around ensuring that if one data centre went down, there was enough capacity to continue operating until the issue was resolved. People weren’t thinking about what would happen if all their data centres went down at once — which is essentially what ransomware causes in most cases.
When Microsoft created AD, they addressed the challenge of handling individual data centres. But they weren’t considering a scenario where everything could fail simultaneously.
Today, I would argue that organisations are more likely to face a ransomware-type situation than a power outage at a single data centre. The replication mechanism in AD, which is meant to ensure continuity, can actually work against you in these scenarios. It makes the recovery process far more hidden and complex. Without dedicated tools, we’ve seen companies in the industry spend days or even weeks trying to recover their environments.
Let’s talk about your distribution strategy. What’s your approach in Asia-Pacific?
We’ve always been a channel-first company, and we work with different types of partners in various regions. From that perspective, our strategy in APAC is a bit different from the rest of the world. In APAC, we use more of a distribution model, where we have a distributor who works with resellers, as opposed to the United States, where distribution isn’t always necessary, as it’s common for companies to work directly with resellers.
But it’s not just resellers or systems integrators that we’re partnering with. For instance, we recently announced a big partnership with Cohesity in the backup and recovery space, where our backups integrate into the Cohesity platform. During the recovery process, Cohesity first recovers us, then proceeds to recover the rest of the applications. On the other side of this partnership, we also provide a security assessment offering for Cohesity. If an organisation has deployed Cohesity and wants to ensure that only the right people have access to their systems, we can help with that.
The whole idea here is transfer prevention. In politically motivated attacks, for instance, we’ve seen that bad actors often encrypt backup and recovery systems just before encrypting the production environment. By doing this, they make the recovery process extremely painful.
A lot of organisations are having a hard time dealing with the complexity of their security solutions stitched together. How do you deal with that?
First of all, when it comes to AD security, it’s not just one thing. In many cases, when a customer deploys an assembly of solutions, we end up replacing five different tools they were using. Semperis takes a holistic approach to protecting AD, covering the pre-attack phase, during the attack, and post-attack phase, as well as recovery in all of these stages.
In some organisations, each of these stages can involve two different solutions. By deploying Semperis, you simplify the overall management and security of your environment.
You always want the best solution available. Take backup and recovery as an example: Can you use a general backup and recovery solution for AD? Of course, but you need to consider that the recovery time could be 20 hours or more. If you’re okay with a recovery time that long, along with the risk of reinfection during recovery, then go for it. But if you want a solution dedicated to AD — one that can reduce recovery time to two hours, or even 30 minutes in some cases, while ensuring no reinfection — then that’s where we come in.
We’re also focused on integrating with the other solutions that organisations already have. For instance, we’ve created a dedicated application for Microsoft Sentinel. We’ve also announced partnerships with endpoint protection solutions like Trellix, and we’re about to announce several others as well.