NEW TECH: How Semperis came to close a huge gap in Active Directory disaster preparedness

By Byron V. Acohido

In today’s complex IT environments, a million things can go wrong, though only a few systems touch everything.


For companies running Microsoft Windows, one such touch-all system is Active Directory, or AD, the software that organizes and provides access to information across the breadth of Windows systems. Over 80 percent of recent headline-grabbing attacks have involved breaking into AD, the “keys to the kingdom” if you will.

Semperis is a security company, launched in 2014, that is entirely focused on AD – or, to put it more precisely, on delivering state-of-the-art AD cyber resilience, threat mitigation and rapid recovery from cyber breaches.

I had the chance at RSA 2019 to visit with Semperis CEO Mickey Bresman. He filled me in on how the company, based in the new World Trade Center in Lower Manhattan, got started; and I learned more about why Semperis is thriving. To hear our full conversation, please give the accompanying podcast a listen. Here are a few key takeaways:

The beginning

Active Directory is a critical part of a vast majority of enterprise networks; some 90 percent of all companies rely on AD. It holds the keys to pretty much everything in your company, as it stores all of the company’s user information. Downtime can result in loss of access to line-of-business applications, lost revenue and, in some cases, a complete organizational shutdown.

With so much at stake, it’s a marvel that the AD disaster recovery protocol has traditionally been based on a 60-page white paper that needs to be followed manually. This clunky solution to a potentially catastrophic failure has typically required bringing in a specialist troubleshooter to get the company up and running again.

This, in fact, was the service Semperis set out to provide when it launched in 2014. At the time, most AD attacks were the work of a malicious insider. In one situation, prior to forming Semperis, the company’s co-founders parachuted into a live, unfolding disaster recovery assignment: a telecom company saw its business operations suddenly shut down via a corruption circulated through AD.


The team followed best practices and used the white paper recovery solution to get the company back up and running, but 12 hours after the recovery, a call came: the system was down again. They went back in and recovered the system again, but this time changed the passwords for every privileged account in the AD. Later, it was revealed that a former SQL admin had been let go without his high-privilege access being revoked. This is the moment the Semperis co-founders realized there had to be a better way, and Semperis was born.

The wake-up call

For a long time, rogue employees manipulating the network via AD represented the primary threat. But then came a wave of ransomware attacks like WannaCry and cyber weapons like NotPetya, the ransomware-spreading worm that encrypted AD, locking out company control permanently, regardless of whether its extortion demands were met.

Whoever was behind NotPetya leveraged cyber weapons stolen from the NSA. “The ransomware will often use the EternalBlue and EternalRomance exploits to propagate. Once executed on a vulnerable Windows machine, the malware will reboot the system and overwrite the master boot record (MBR) with a custom loader and a ransomware note which demands $300 in Bitcoin,” ZDNet explained.

Hundreds of companies that got hit paid a steep price. Easily one of the hardest hit was global shipping company Maersk, which saw its network obliterated. The company’s IT team got the basic network back online in a record 10 days, costing Maersk between $250 million and $300 million.

Maersk’s 150 or so domain controllers were programmed to sync their data with one another, so that, in theory, any of them could function as a backup for all the others. But that decentralized backup strategy hadn’t accounted for one scenario: where every domain controller is wiped simultaneously. “If we can’t recover our domain controllers,” a Maersk IT staffer remembers thinking, “we can’t recover anything.”

Numerous other companies in Ukraine, Russia, Denmark, the UK and the United States suffered heavy damage. Another company that got hit was U.S. pharmaceutical giant Merck; the crippling of its AD tool resulted in drug shortages and the loss of hundreds of millions of dollars (latest estimate is 870 million). U.S. food giant Mondelez International similarly reported losing more than $80 million (latest estimate is $188 million).

Days after NotPetya hit, companies reached out to Semperis. After looking at the infrastructure they had, they worried about what would happen if they became victims of the ransomware. What would their recovery process look like?

Semperis’s solution

Semperis’s solution today fully automates the AD recovery process. “With three clicks you can rebuild an entire environment,” said Bresman. “We simply have very smart algorithms that learn the environment configuration before the backup.”

That way, if and when a restoration becomes necessary, the company can compare what the environment looked like very recently to what it actually looks like in real time.

The second issue was to make sure rootkits and malware didn’t get into the newly cleaned environment. To accomplish this, Semperis decoupled the AD layer from the Windows layer.

They did this in a way that makes it impossible for backups to bring in any executables from the old Windows environment. A side benefit of this safety-net approach was to reduce overall reliance on the Windows layer, thereby freeing up the company to move more freely between different types of environments, like data center to cloud, Bresman told me.

Kudos to Semperis for its foresight in identifying this huge gap in disaster preparedness and disaster recovery – and then throwing its energies into assembling a comprehensive solution, one that fits the current threat landscape. It’s this kind of innovation that will help make digital commerce as secure as it needs to be. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)

