1
00:00:00,160 --> 00:00:02,840
But where you, you could like 
have a lower privilege user that

2
00:00:02,840 --> 00:00:09,160
maybe has group policy rights on
a domain controller or an OU 

3
00:00:09,280 --> 00:00:11,400
that holds domain controllers, I
should say. 

4
00:00:11,400 --> 00:00:14,640
And effectively you're a domain 
admin, right 'cause you could go

5
00:00:14,640 --> 00:00:19,160
put, you know, logon scripts and
other things or startup scripts 

6
00:00:19,440 --> 00:00:22,520
in that, that GPO. 
And that's where things can get 

7
00:00:22,520 --> 00:00:25,800
complex because right like we're
all, we're focused on identity, 

8
00:00:25,800 --> 00:00:30,560
but there's also attacks on like
the other components of Active 

9
00:00:30,560 --> 00:00:33,440
Directory that can lead to 
identity compromise, even though

10
00:00:33,440 --> 00:00:38,480
right like group policy isn't 
like a component of identity and

11
00:00:38,480 --> 00:00:42,880
access management aside from 
like being stuck into Active 

12
00:00:42,880 --> 00:00:43,960
Directory. 
So. 

13
00:00:49,520 --> 00:00:54,560
This is identity at the center. 
If it has anything to do with 

14
00:00:54,680 --> 00:01:02,080
IAM, this is the go to podcast 
now your hosts Jim McDonald and 

15
00:01:02,080 --> 00:01:10,520
Jeff Steadman. 
Welcome to the Identity at the 

16
00:01:10,520 --> 00:01:12,680
Center podcast. 
This is Jim McDonald. 

17
00:01:12,920 --> 00:01:15,920
I'm here without Jeff today, but
I'm here with a special guest, 

18
00:01:15,920 --> 00:01:19,040
Eric Woodruff, who we've had on 
the podcast in the past. 

19
00:01:19,640 --> 00:01:22,960
It's time for another Sponsor 
Spotlight episode now. 

20
00:01:22,960 --> 00:01:27,320
Eric was on with us as a 
credentialed expert in the field

21
00:01:27,480 --> 00:01:31,520
in the past on episode 191. 
Glad to have him back. This time 

22
00:01:31,520 --> 00:01:34,880
of a Sponsor Spotlight episode 
and the sponsor spot related 

23
00:01:34,880 --> 00:01:38,040
episodes are special episodes 
that are created in 

24
00:01:38,040 --> 00:01:41,920
collaboration with our sponsor, 
in this case, a company called 

25
00:01:41,920 --> 00:01:47,520
Semperis to delve more deeply 
into their viewpoints on 

26
00:01:47,520 --> 00:01:50,480
specific security solutions in 
the IAM market. 

27
00:01:50,840 --> 00:01:54,360
Now to make this crystal clear, 
the fully sponsored episode, 

28
00:01:54,640 --> 00:01:58,880
this allows us to what I like to
say is take the handcuffs off in

29
00:01:58,880 --> 00:02:01,560
terms of go, you know, 
understanding these deep 

30
00:02:01,560 --> 00:02:04,760
insights with the expert, but 
also understanding how their 

31
00:02:04,760 --> 00:02:07,800
solution solves specific 
problems in the industry. 

32
00:02:08,160 --> 00:02:11,400
So with all that being said, 
let's get going and uncover the 

33
00:02:11,400 --> 00:02:15,520
latest ideas and innovations 
with our digital in within the 

34
00:02:15,520 --> 00:02:19,200
digital identity industry and 
our sponsor, Semperis. 

35
00:02:19,640 --> 00:02:23,400
So welcome to the show, Eric 
Woodruff, senior security 

36
00:02:23,840 --> 00:02:26,000
researcher with Semperis. 
Hey, Eric. 

37
00:02:26,600 --> 00:02:29,560
Hey, Jim, No thanks. 
Thanks for having me on here. 

38
00:02:30,680 --> 00:02:32,040
Yeah. 
Glad to have you today. 

39
00:02:32,040 --> 00:02:37,200
So we spoke with you way back on
Episode 191. 

40
00:02:37,520 --> 00:02:41,640
That was in December of 2022. 
And I'm wondering, what have you

41
00:02:41,640 --> 00:02:43,800
been up to since we recorded 
that episode? 

42
00:02:44,440 --> 00:02:47,280
I'd, I'd say a lot. 
I mean, honestly, that was the, 

43
00:02:47,440 --> 00:02:51,400
the first podcast I was ever on 
and, and why I was nervous. 

44
00:02:51,400 --> 00:02:57,600
So I, I hope I come across less 
anxious these days, but yeah, I,

45
00:02:58,120 --> 00:03:01,960
you know, just chugging away 
still at Semperis working in our

46
00:03:02,040 --> 00:03:06,840
security research team these 
days, focusing on, you know, 

47
00:03:06,840 --> 00:03:11,600
Active Directory and Entra ID 
sort of security so. 

48
00:03:12,240 --> 00:03:14,560
But. 
Out speaking about which I 

49
00:03:14,560 --> 00:03:17,480
enjoy. 
Pretty heavy title that you got 

50
00:03:17,480 --> 00:03:20,160
a senior security researcher at 
Semperis. 

51
00:03:20,160 --> 00:03:22,280
So tell us a little bit about 

52
00:03:22,280 --> 00:03:27,240
what you do in your day-to-day 
and then for people who maybe 

53
00:03:27,240 --> 00:03:31,360
aren't as familiar with 
Semperis, what the company does. 

54
00:03:31,960 --> 00:03:35,960
Yeah, No, I, I mean, so for 
myself I'd say, but there's 

55
00:03:35,960 --> 00:03:40,160
always kind of new emerging 
threats around Active Directory 

56
00:03:40,160 --> 00:03:42,920
Entra ID. 
I mean, I in particular am more 

57
00:03:42,920 --> 00:03:47,400
focused on Entra because that's 
kind of my area of expertise. 

58
00:03:48,240 --> 00:03:54,480
But we've got a team of, you 
know, handful of us where you 

59
00:03:54,480 --> 00:03:57,480
were just sort of, you know, 
tracking the trends in, in 

60
00:03:57,480 --> 00:04:02,240
security around identity, new 
threats, doing our own research 

61
00:04:02,240 --> 00:04:04,720
on on potential vulnerabilities,
things like that. 

62
00:04:06,680 --> 00:04:08,920
Yeah, that's, that's what I'm up
to and, and do. 

63
00:04:08,920 --> 00:04:12,800
And eventually the things, the 
stuff that we work on is 

64
00:04:12,800 --> 00:04:15,240
released in both Purple Knight, 
which is one of our, our free 

65
00:04:15,240 --> 00:04:19,760
products for assessing Active 
Directory and Entra security and

66
00:04:19,760 --> 00:04:25,080
also used within our commercial 
product DSP, which is Directory 

67
00:04:25,080 --> 00:04:28,480
Services protector. 
And I mean, as far as Sempress, 

68
00:04:29,240 --> 00:04:32,600
you know, we're probably most 
known for Active Directory 

69
00:04:32,600 --> 00:04:36,680
Forest Recovery or ADFR, which 
is our sort of like DR product 

70
00:04:36,680 --> 00:04:39,920
for Active Directory. 
But I, I think these days, you 

71
00:04:39,920 --> 00:04:44,440
know, we'd be sort of in the 
category of ITDR companies again

72
00:04:44,440 --> 00:04:47,720
focused primarily on Active 
Directory and Entra right now. 

73
00:04:47,720 --> 00:04:50,760
We got a little Okta mixed in 
there, but. 

74
00:04:51,960 --> 00:04:56,280
Yeah, I mean, like pretty much 
most organizations are running 

75
00:04:56,520 --> 00:05:01,680
AD and then Entra ID at some level.
He was like, and usually it's 

76
00:05:02,320 --> 00:05:07,320
it's about, you know, as 
important of a platform as there

77
00:05:07,360 --> 00:05:11,920
is in most enterprises. 
And you know, I think that ADFR 

78
00:05:11,920 --> 00:05:15,800
tools probably saved a lot of 
people's bacon in terms of being

79
00:05:15,800 --> 00:05:20,920
able to recover a forest that 
has been corrupted intentionally

80
00:05:20,920 --> 00:05:25,480
or unintentionally. 
Either one can happen, but I 

81
00:05:25,480 --> 00:05:29,560
wanted to ask you so I kind of 
said my piece in terms of why I 

82
00:05:29,560 --> 00:05:35,120
think AD is so important in 
terms of being a focal point for

83
00:05:35,120 --> 00:05:38,360
your identity security. 
What are your thoughts? 

84
00:05:40,160 --> 00:05:42,360
Yeah. 
I mean, I think it's hard to 

85
00:05:42,360 --> 00:05:46,240
find a enterprise out there that
that doesn't have Active 

86
00:05:46,240 --> 00:05:48,040
Directory, right? 
Sort of like putting your 

87
00:05:48,040 --> 00:05:52,600
opinion about Active Directory 
and Microsoft aside, like, but 

88
00:05:52,600 --> 00:05:56,640
everyone's kind of got it. 
You know, there's, there's other

89
00:05:56,640 --> 00:05:59,480
components in Active Directory 
like group policy, right? 

90
00:05:59,480 --> 00:06:04,680
Like it's not just identity, 
which also makes it more complex

91
00:06:04,680 --> 00:06:08,560
because but if you have a huge 
Windows Server farm or you're 

92
00:06:08,880 --> 00:06:11,760
not in the cloud yet and you're 
managing client devices, right? 

93
00:06:11,760 --> 00:06:15,240
Like, yeah, it just has its 
fingers and sort of so many 

94
00:06:15,240 --> 00:06:22,120
things that if Active Directory 
is is gone, you know, 

95
00:06:22,120 --> 00:06:25,880
intentionally, unintentionally, 
even for a brief period of time,

96
00:06:25,880 --> 00:06:27,680
right? 
I mean, a lot of organizations, 

97
00:06:27,960 --> 00:06:30,720
I mean business just grinds to a
complete halt, so. 

98
00:06:32,400 --> 00:06:35,840
Yeah, I mean that's your, your 
e-mail system, your login system

99
00:06:35,840 --> 00:06:40,200
for your desktop networking 
capabilities is a lot of your 

100
00:06:40,200 --> 00:06:44,680
applications wind up being 
integrated with it as well for 

101
00:06:44,680 --> 00:06:47,240
authentication, sometimes 
authorization. 

102
00:06:47,600 --> 00:06:52,320
So I mean, I want to talk about 
some of the specific threats you

103
00:06:52,320 --> 00:06:56,920
as a senior security researcher 
know about, but I also want to 

104
00:06:56,920 --> 00:07:01,480
just generally make the comment 
that it seems like a ransomware 

105
00:07:01,480 --> 00:07:06,120
on Active Directory could have 
devastating effects for an 

106
00:07:06,120 --> 00:07:09,160
enterprise. 
Yeah, no, absolutely. 

107
00:07:09,160 --> 00:07:14,400
And I'm, I'm not good at 
retaining like specific cases or

108
00:07:14,520 --> 00:07:18,160
statistics in my head. 
But I mean, organizations, 

109
00:07:18,240 --> 00:07:21,680
right, will lose millions of 
dollars a day. 

110
00:07:21,840 --> 00:07:24,760
We have folks that work in 
incident response, right? 

111
00:07:24,760 --> 00:07:27,720
So if, if companies are having 
like an Active Directory 

112
00:07:27,720 --> 00:07:31,440
ransomware incident, we have our
breach preparedness and response

113
00:07:31,440 --> 00:07:35,080
team that you can call and, you 
know, we'll kind of come in and,

114
00:07:35,080 --> 00:07:37,560
and help try to kick the threat 
actor out. 

115
00:07:37,560 --> 00:07:40,640
But you know, in, in talking to 
them and sort of hearing like 

116
00:07:40,640 --> 00:07:43,480
their their war stories and what
they've seen. 

117
00:07:44,480 --> 00:07:46,160
Yeah, I mean, it can be very 
devastating. 

118
00:07:46,160 --> 00:07:49,880
I mean, there there's cases of 
companies just like going out of

119
00:07:49,880 --> 00:07:54,200
business from, you know, Active 
Directory becoming ransomware. 

120
00:07:54,200 --> 00:07:57,000
So it goes back to the case and 
available. 

121
00:07:57,080 --> 00:07:58,720
Yeah, nothing. 
Nothing works. 

122
00:07:59,280 --> 00:08:02,320
We saw some cases, I mean in the
last couple years where ransoms 

123
00:08:02,320 --> 00:08:05,320
got paid in the 10s of millions 
of dollars. 

124
00:08:06,000 --> 00:08:09,760
I guess the alternative is like 
if you're, if you're Active 

125
00:08:09,760 --> 00:08:14,160
Directory is completely owned 
and you can't get e-mail, you 

126
00:08:14,160 --> 00:08:17,760
can't communicate with the 
outside world, access any of 

127
00:08:17,760 --> 00:08:22,200
your files or your applications,
you're pretty much at the mercy 

128
00:08:22,200 --> 00:08:24,360
of those ransomware actors, 
right? 

129
00:08:25,240 --> 00:08:28,080
Yeah, I mean, you're at their 
mercy, but also they're not 

130
00:08:28,080 --> 00:08:32,440
always right. 
The most trustworthy folks, 

131
00:08:33,559 --> 00:08:36,000
'cause there's there's times 
where organizations will get 

132
00:08:36,000 --> 00:08:39,120
ransomed and they'll pay the 
ransom and they'll be like 

133
00:08:39,120 --> 00:08:43,320
double extorted. 
They'll also be a target, right?

134
00:08:43,320 --> 00:08:48,120
So you may be fixed one, you 
know, you, you plugged up one 

135
00:08:48,120 --> 00:08:50,040
hole in the dam. 
But if there's other things open

136
00:08:50,040 --> 00:08:53,560
also, like other ransomware 
groups may start to come after 

137
00:08:53,560 --> 00:08:57,040
you knowing that you'll, you'll 
pay right. 

138
00:08:57,040 --> 00:09:02,360
So there's, there's a lot of 
scenarios where it can get dicey

139
00:09:02,360 --> 00:09:07,400
whether whether you pay the 
ransom or not 'cause you're, 

140
00:09:07,400 --> 00:09:13,280
you're probably going to become 
a higher target for, for these 

141
00:09:13,280 --> 00:09:15,080
folks out there the the threat 
actors. 

142
00:09:15,120 --> 00:09:17,080
Absolutely. 
I mean, once you kind of show 

143
00:09:17,120 --> 00:09:19,960
that you'll pay the ransom, then
it's kind of like damned if you 

144
00:09:19,960 --> 00:09:21,600
do, damned if you don't, I 
guess. 

145
00:09:23,240 --> 00:09:26,280
But I think the, you know, at 
least from what I've seen, the 

146
00:09:26,280 --> 00:09:31,560
ransomware actors, typically 
they rely on just getting in the

147
00:09:31,560 --> 00:09:37,080
front door and then running some
exploits that are kind of like 

148
00:09:37,080 --> 00:09:41,960
known within Active Directory. 
And you know, I can, you know, 

149
00:09:41,960 --> 00:09:45,880
the pass-the-hash one is one that people 
talk about all the time and the 

150
00:09:45,880 --> 00:09:49,280
Mimikatz, which I think is 
just basically the tool that's 

151
00:09:49,280 --> 00:09:51,560
used for that. 
But I used to be an Active 

152
00:09:51,560 --> 00:09:55,200
Directory administrator, believe
it or not, way back in NT4 in 

153
00:09:55,200 --> 00:09:59,320
the early days of Active 
Directory after Windows 2000. 

154
00:09:59,680 --> 00:10:05,880
And I just think of all the 
times I logged into and devices,

155
00:10:05,880 --> 00:10:10,800
laptops and workstations with my
administrator account and left 

156
00:10:10,800 --> 00:10:14,720
that hash sitting there on the 
on the hard drive. 

157
00:10:15,800 --> 00:10:19,080
How relevant is pass the hash 
and what are some of the other 

158
00:10:19,280 --> 00:10:21,440
exploits that are popular these 
days? 

159
00:10:22,440 --> 00:10:25,680
Yeah, I mean, I'd say pass the 
hash is still relevant, right? 

160
00:10:25,680 --> 00:10:32,640
It's, it's really as much of a, 
you know, a, a technique, right,

161
00:10:32,640 --> 00:10:37,840
where you're, you're harvesting 
the, the hash for, you know, 

162
00:10:38,040 --> 00:10:40,520
user credentials on a Windows 
device usually. 

163
00:10:40,520 --> 00:10:44,160
And right, depending on what 
privileges that user has, you 

164
00:10:44,160 --> 00:10:49,040
may then try to use it to, to 
sort of move into other systems.

165
00:10:49,040 --> 00:10:51,240
I mean, there's a lot of attacks
out there. 

166
00:10:51,520 --> 00:10:55,760
Probably the more sort of talked
about ones are things like a 

167
00:10:55,760 --> 00:11:00,840
golden ticket attack, you know, 
DC shadow, DC sync attacks. 

168
00:11:01,800 --> 00:11:06,200
But I think the thing that's 
sort of interesting is most of 

169
00:11:06,200 --> 00:11:11,560
these attacks are sort of like 
late stage post compromise, like

170
00:11:11,560 --> 00:11:13,400
a domain admin's already been 
owned. 

171
00:11:13,600 --> 00:11:17,280
Like Golden Ticket in particular
is effectively that the the 

172
00:11:17,280 --> 00:11:21,480
KRBTGT password has been 
compromised and that's sort of 

173
00:11:21,480 --> 00:11:25,000
used for everything else in 
Active Directory. 

174
00:11:27,520 --> 00:11:30,480
So like when can you explain 
that for SO? 

175
00:11:30,480 --> 00:11:33,720
There's so there's, there's the 
Kerberos ticket granting ticket.

176
00:11:33,720 --> 00:11:36,880
So basically there's an account 
in Active Directory that is used

177
00:11:36,880 --> 00:11:40,960
for granting tickets for 
everything else in Active 

178
00:11:40,960 --> 00:11:42,880
Directory. 
And, and this, this account is 

179
00:11:42,880 --> 00:11:47,640
like a special account in AD. 
That's the KRBTGT, right? 

180
00:11:47,640 --> 00:11:51,920
Again, if if say I, I own a 
domain admin or I work my way up

181
00:11:51,920 --> 00:11:56,240
on to like a DC and I can get 
the, the password essentially 

182
00:11:56,240 --> 00:11:59,560
for that account. 
I mean, at that point I kind of,

183
00:11:59,560 --> 00:12:05,640
I, I am like Active Directory. 
I can do sort of whatever I want

184
00:12:06,640 --> 00:12:11,600
and it becomes really difficult 
to really trust right Active 

185
00:12:11,600 --> 00:12:13,520
Directory. 
Like even if you were to detect 

186
00:12:13,520 --> 00:12:17,640
a golden ticket attack 
happening, you really should 

187
00:12:17,640 --> 00:12:23,320
also be like concerned about the
overall the the bigger state of 

188
00:12:23,320 --> 00:12:27,920
AD 'cause, right? 
Say that attack it was 

189
00:12:27,920 --> 00:12:31,280
legitimate. 
And maybe say you have an EDR 

190
00:12:31,280 --> 00:12:33,800
that sort of like tried to 
isolate the end point that it 

191
00:12:33,800 --> 00:12:37,640
was detected on, you probably 
still have bigger problems 

192
00:12:37,640 --> 00:12:40,480
because you don't necessarily 
know what else the threat actor 

193
00:12:40,480 --> 00:12:42,040
has done at that point. 
So. 

194
00:12:42,520 --> 00:12:45,120
Right, right. 
That's what you you had 

195
00:12:45,120 --> 00:12:49,480
mentioned to me in the past 
about not being in a position 

196
00:12:49,480 --> 00:12:51,840
where you don't trust your 
Active Directory. 

197
00:12:51,840 --> 00:12:55,280
That's a scary thought. 
What does that stem from? 

198
00:12:56,400 --> 00:12:59,800
Well, I mean, so ultimately, 
like the, the, the problem I'd 

199
00:12:59,800 --> 00:13:04,760
say is that there's certain 
types of with attacks on Active 

200
00:13:04,760 --> 00:13:09,760
Directory that right, they 
require high privilege, but they

201
00:13:09,760 --> 00:13:15,280
allow the attacker to basically 
do things like where they, they 

202
00:13:15,280 --> 00:13:19,400
can issue tickets for basically 
any, any service or any server, 

203
00:13:20,000 --> 00:13:20,960
right. 
When the, the ticket is 

204
00:13:20,960 --> 00:13:25,520
effectively like you can, you 
can be anyone do anything with 

205
00:13:25,520 --> 00:13:27,360
like a, a golden ticket type 
attack. 

206
00:13:28,080 --> 00:13:30,800
You know, there are things like 
DC shadow where you are 

207
00:13:31,520 --> 00:13:34,720
effectively sort of 
participating in Active 

208
00:13:34,720 --> 00:13:40,200
Directory replication and that 
can become tricky because a lot 

209
00:13:40,200 --> 00:13:44,000
of your event logs and things 
that like a SIEM or SOC may use 

210
00:13:44,800 --> 00:13:47,000
can't pick up on that stuff 
because it's actually in like 

211
00:13:47,000 --> 00:13:50,720
the replication stream. 
But where this all kind of goes 

212
00:13:50,720 --> 00:13:56,280
from a trust perspective, right?
Is like, right, like you don't 

213
00:13:56,280 --> 00:13:59,640
necessarily know what other 
mechanisms of persistence that 

214
00:13:59,640 --> 00:14:01,720
have been installed. 
And I guess kind of bringing 

215
00:14:01,720 --> 00:14:04,280
this back to some of the 
ransomware type things is one of

216
00:14:04,280 --> 00:14:07,840
the other issues that like IR 
teams will have is they'll, 

217
00:14:07,840 --> 00:14:13,280
they'll be brought in in a 
decently compromised Active 

218
00:14:13,280 --> 00:14:15,320
Directory. 
They'll they'll try to kick the 

219
00:14:15,320 --> 00:14:18,320
threat actor out, but then 
they've installed like five 

220
00:14:18,320 --> 00:14:20,480
other back doors at that point, 
right? 

221
00:14:20,480 --> 00:14:23,040
And so now they're, they're 
coming back in a different way. 

222
00:14:24,320 --> 00:14:29,160
And, and sometimes this comes 
down to where, where you have 

223
00:14:29,160 --> 00:14:33,360
this back and forth because 
Active Directory is really 

224
00:14:33,360 --> 00:14:36,160
critical for, you know, 
authentication. 

225
00:14:36,160 --> 00:14:39,320
And in both AD and these days 
also, you know, out into like 

226
00:14:39,720 --> 00:14:45,440
Entra ID, you know, Azure AD, 
your, your best bet really is to

227
00:14:45,440 --> 00:14:49,240
try to go back to like a known 
good state with Active Directory

228
00:14:49,240 --> 00:14:53,080
using something like ADFR where 
right you, you can go back to 

229
00:14:53,080 --> 00:14:57,360
before the incident happened and
basically bring Active Directory

230
00:14:57,360 --> 00:15:00,280
back up to a point in time where
it's a known good state. 

231
00:15:01,720 --> 00:15:04,760
And there there's some, there's 
some like work kind of involved,

232
00:15:04,760 --> 00:15:05,680
right? 
Because usually it's like 

233
00:15:05,680 --> 00:15:09,960
staging it isolated where you 
verify that it's like clean and 

234
00:15:09,960 --> 00:15:12,160
good. 
And then you sort of open the 

235
00:15:12,160 --> 00:15:15,840
doors to let other 
infrastructure kind of talk back

236
00:15:15,840 --> 00:15:18,400
to it, so. 
It's a scary thought, right? 

237
00:15:18,400 --> 00:15:23,200
I mean, you know, this ADFR to 
me has always been like the Holy

238
00:15:23,200 --> 00:15:25,360
Grail. 
But you also hear about threat 

239
00:15:25,360 --> 00:15:30,200
actors who, you know, they get 
in and then they sit silently 

240
00:15:30,200 --> 00:15:36,280
for long periods of time. 
And how would you know if 

241
00:15:36,280 --> 00:15:41,440
basically they compromise the a 
legitimate user's credentials 

242
00:15:42,640 --> 00:15:46,320
six months ago, right? 
Yeah, I mean, I think that gets 

243
00:15:46,320 --> 00:15:52,240
into definitely also other 
aspects of more like proactive, 

244
00:15:53,920 --> 00:15:56,760
you know, monitoring and and I 
guess I would lean more into 

245
00:15:56,760 --> 00:15:59,720
like DSP and and some of it 
would be in in Purple Knight, 

246
00:15:59,720 --> 00:16:04,360
which is our, our free, you 
know, AD and Entra ID security 

247
00:16:04,360 --> 00:16:08,040
assessment tool. 
But there, there's other things,

248
00:16:08,040 --> 00:16:12,280
right, where it's more like 
proactively monitoring, 

249
00:16:12,280 --> 00:16:14,080
especially your, your privileged
accounts. 

250
00:16:14,080 --> 00:16:17,000
And, and that kind of dovetails 
though into, right, that some of

251
00:16:17,000 --> 00:16:21,120
these identity attacks are 
complex or they're chained or 

252
00:16:21,120 --> 00:16:25,160
there's things that, right, you 
may not think of. 

253
00:16:25,160 --> 00:16:27,960
And I, I think a great example 
cause 'cause honestly, like you,

254
00:16:27,960 --> 00:16:32,760
I, I managed Active Directory 
back in the day and sort of like

255
00:16:32,760 --> 00:16:36,920
my eyes became open even more 
when I joined Semperis. 

256
00:16:38,360 --> 00:16:40,840
But where you, you could like 
have a lower privileged user 

257
00:16:40,840 --> 00:16:47,040
that maybe has group policy 
rights on a domain controller or

258
00:16:47,040 --> 00:16:49,600
an OU that holds domain 
controllers, I should say. 

259
00:16:49,600 --> 00:16:52,200
And effectively you're a domain 
admin, right? 

260
00:16:52,200 --> 00:16:55,960
'cause you could go put, you 
know, logon scripts and other 

261
00:16:55,960 --> 00:16:58,920
things or start up scripts in 
that, that GPO. 

262
00:16:59,880 --> 00:17:02,440
And that's where things can get 
complex because right like we're

263
00:17:02,520 --> 00:17:06,520
all we're focused on identity, 
but there's also attacks on like

264
00:17:07,400 --> 00:17:09,960
the other components of Active 
Directory that can lead to 

265
00:17:10,000 --> 00:17:14,599
identity compromise, even though
right like group policy isn't 

266
00:17:14,599 --> 00:17:18,760
like a component of identity and
access management aside from 

267
00:17:18,760 --> 00:17:21,599
like being stuck into Active 
Directory. 

268
00:17:21,599 --> 00:17:25,119
So so. 
Eric, you said one word that 

269
00:17:25,119 --> 00:17:28,840
really triggered my ears to go 
up and that's the word free. 

270
00:17:29,560 --> 00:17:34,400
You mentioned a tool and it's 
kind of like, because where I 

271
00:17:34,400 --> 00:17:38,160
wanted to go is was what are 
some of the tools that can save 

272
00:17:38,160 --> 00:17:44,000
your bacon in a scenario or 
hopefully prior to this all 

273
00:17:44,000 --> 00:17:48,520
taking place? 
You mentioned the restore tool. 

274
00:17:49,480 --> 00:17:51,960
You also had mentioned a few 
other tools. 

275
00:17:51,960 --> 00:17:54,320
So why don't you kind of go over
what those tools are? 

276
00:17:54,720 --> 00:17:56,640
We've got you guys are setting 
up a link. 

277
00:17:56,640 --> 00:18:01,360
It's semperis.com/IDAC, all the 
caps. 

278
00:18:02,600 --> 00:18:04,720
If you go to that URL, you 
should be able to find 

279
00:18:04,720 --> 00:18:06,320
everything that Eric's talking 
about. 

280
00:18:06,320 --> 00:18:08,960
We'll put that link in the show 
notes as well. 

281
00:18:09,200 --> 00:18:12,440
But Eric, could you kind of go 
over those tools again? 

282
00:18:13,240 --> 00:18:16,680
Yeah, so the the soup of things,
I guess I'll, I'll start off 

283
00:18:16,680 --> 00:18:19,080
with a couple free tools that we
have. 

284
00:18:19,440 --> 00:18:24,440
So there, there's Purple Knight 
and this has and I, I should 

285
00:18:24,440 --> 00:18:26,640
know this number 'cause it's the
group I work in, but it's 

286
00:18:26,640 --> 00:18:31,160
continually growing between 
Entra and Active Directory. 

287
00:18:31,160 --> 00:18:37,080
I think we're up to around 170 
or 180 security 

288
00:18:37,080 --> 00:18:39,640
indicators, right? 
And so these are individual 

289
00:18:39,640 --> 00:18:46,000
things that are, are measuring 
the security configuration or 

290
00:18:46,160 --> 00:18:49,040
sort of lack thereof around 
Active Directory. 

291
00:18:49,040 --> 00:18:52,840
Entra ID. 
The other tool is, is Forest 

292
00:18:52,840 --> 00:18:56,440
Druid that's free, which is a 
attack path analysis, attack 

293
00:18:56,440 --> 00:18:59,760
path mapping tool, right? 
So that that will also help, 

294
00:18:59,800 --> 00:19:03,320
right, you sort of visualize 
and, and, and see like how 

295
00:19:03,520 --> 00:19:08,480
chained attacks could happen 
where, right, like I am in our 

296
00:19:08,480 --> 00:19:13,480
help desk and I have the ability
to reset the password on someone

297
00:19:13,480 --> 00:19:15,920
who is in our NOC and that 
person in the NOC. 

298
00:19:15,920 --> 00:19:18,320
That's like a sort of higher 
tier has the ability to maybe 

299
00:19:18,320 --> 00:19:23,280
manage through policies on your 
ADFS servers, right? 

300
00:19:23,280 --> 00:19:26,560
And that's as I'm speaking this,
right, It's kind of a path, but 

301
00:19:26,560 --> 00:19:29,040
like something like Forest Druid
will help you visualize that 

302
00:19:29,040 --> 00:19:32,040
stuff. 
You know, that's in the realm of

303
00:19:32,040 --> 00:19:34,120
other tools. 
Like probably the most, I guess,

304
00:19:34,560 --> 00:19:36,480
say, well known would be the 
things like Bloodhound or 

305
00:19:36,480 --> 00:19:38,640
whatnot. 
We we have a bit of a different 

306
00:19:38,640 --> 00:19:44,440
take where we try to focus on 
the last sort of stage in the in

307
00:19:44,440 --> 00:19:47,280
the path, right? 
That if you you cut off the last

308
00:19:47,280 --> 00:19:50,840
line before getting like domain 
admin, I mean, you still may 

309
00:19:50,840 --> 00:19:55,840
have other clean up, but right, 
wanting to focus on, well, how 

310
00:19:55,840 --> 00:19:58,840
do we protect like that tier 
zero that the keys to the 

311
00:19:58,840 --> 00:20:02,880
Kingdom. 
But these are tools that can 

312
00:20:02,880 --> 00:20:05,480
take you above and beyond what 
Bloodhound could do, right? 

313
00:20:06,640 --> 00:20:09,160
Yeah. 
I mean, so like I would say 

314
00:20:09,160 --> 00:20:11,560
Forest Druid and Bloodhound, 
they're they're very related. 

315
00:20:11,560 --> 00:20:15,840
We kind of a different take on 
how we go about analysis 'cause 

316
00:20:15,840 --> 00:20:18,120
sometimes, right, you could look
in Bloodhound and I mean, I 

317
00:20:18,120 --> 00:20:21,000
think it's a great tool, but 
generally it's more red team 

318
00:20:21,000 --> 00:20:24,280
sort of oriented where you 
really need to know a lot of the

319
00:20:24,280 --> 00:20:27,880
underpinnings. 
Forest Druid is designed to be 

320
00:20:27,880 --> 00:20:31,880
more like for an IT pro, a 
defender and I, an identity 

321
00:20:31,880 --> 00:20:35,280
person who maybe isn't super 
familiar with like all the 

322
00:20:35,280 --> 00:20:37,200
nuances of attack path 
management, right? 

323
00:20:37,200 --> 00:20:39,960
They just want to see like, what
are the things they need to get 

324
00:20:39,960 --> 00:20:42,400
rid of to like protect my domain
admins. 

325
00:20:42,640 --> 00:20:45,560
So, OK, that's really. 
Cool. 

326
00:20:45,680 --> 00:20:49,000
Yeah, Well, good. 
So there's a link that people 

327
00:20:49,000 --> 00:20:53,360
can go out to, they'll be able 
to navigate their way to either 

328
00:20:53,360 --> 00:20:57,440
free tools as well as, you know,
I I'm assuming that per the 

329
00:20:57,440 --> 00:21:00,680
business model of building free 
tools is that people see all 

330
00:21:00,680 --> 00:21:03,800
these problems on there, willing
to go and spend a little money 

331
00:21:03,800 --> 00:21:08,080
to prevent being attacked. 
Yep. 

332
00:21:08,400 --> 00:21:10,240
Yep. 
So and, and that's absolutely 

333
00:21:10,240 --> 00:21:14,040
like again for the, for the paid
products that we have Active 

334
00:21:14,040 --> 00:21:20,200
Directory Forest recovery, which
is ADFR is that I, I think maybe

335
00:21:20,200 --> 00:21:22,720
mentioned earlier, it's, it's 
what we're probably most well 

336
00:21:22,720 --> 00:21:27,640
known for and that's bringing 
Active Directory back from, you 

337
00:21:27,640 --> 00:21:29,080
know, being burned to the 
ground. 

338
00:21:30,120 --> 00:21:33,160
There's a lot of organizations 
that will also, so I think a 

339
00:21:33,160 --> 00:21:38,160
point you made earlier can have 
catastrophic sort of oopsies 

340
00:21:38,160 --> 00:21:44,560
where there's an operational 
sort of benefit to ADFR to, to 

341
00:21:44,560 --> 00:21:47,480
bring AD back. 
Some organizations use it for, 

342
00:21:48,320 --> 00:21:51,920
you know, Dr. testing and like 
going through those, those Dr. 

343
00:21:51,920 --> 00:21:55,400
drills where it's like, right, 
what's it actually take to bring

344
00:21:55,400 --> 00:21:57,680
Active Directory back? 
And, and I'll actually say as 

345
00:21:57,680 --> 00:22:04,080
someone who again used to manage
AD, not until I worked here did 

346
00:22:04,080 --> 00:22:08,360
I realize how complex it is to 
manually try to bring Active 

347
00:22:08,360 --> 00:22:11,520
Directory back from like a 
system state restore. 

348
00:22:12,840 --> 00:22:18,160
And unless you want to enjoy 
doing nothing for like the next 

349
00:22:18,240 --> 00:22:24,240
couple weeks it it can. 
It can be a nightmare probably 

350
00:22:24,320 --> 00:22:26,240
when you say that. 
When you say enjoy doing 

351
00:22:26,240 --> 00:22:29,560
nothing, you're talking about 
you're going to be working 80 

352
00:22:29,560 --> 00:22:32,600
hours a week for the next few 
weeks and getting yelled at 

353
00:22:32,600 --> 00:22:36,160
probably, Yeah. 
I, I don't envy the people who 

354
00:22:36,160 --> 00:22:38,000
are stuck in that. 
Now. 

355
00:22:38,240 --> 00:22:42,680
We've been talking about AD as 
in classic AD primarily. 

356
00:22:42,840 --> 00:22:46,920
You guys are really focused on 
the future as well, this hybrid 

357
00:22:46,920 --> 00:22:50,040
identity world. 
In fact, you've got a conference

358
00:22:50,040 --> 00:22:57,000
coming up called the Hybrid 
Identity Protection AKA HIP, the

359
00:22:57,000 --> 00:23:03,320
HIP conference. 
We have a, a discount code for 

360
00:23:03,320 --> 00:23:07,200
the HIP conf. 
It's hipconf.com, discount code 

361
00:23:07,200 --> 00:23:12,200
is IDAC POD. 
That'll get you 20% off. 

362
00:23:12,440 --> 00:23:15,600
But Eric, could you tell people 
what they can kind of expect out

363
00:23:15,600 --> 00:23:17,760
of that conference? 
Yeah. 

364
00:23:17,760 --> 00:23:20,120
Absolutely. 
So the, I mean the conference is

365
00:23:20,120 --> 00:23:24,360
actually rooted in Gil 
Kirkpatrick who you folks 

366
00:23:24,360 --> 00:23:29,800
actually had on quite a long time
ago who had started the 

367
00:23:29,800 --> 00:23:32,800
Directory Experts conference. 
And it's an evolution of that 

368
00:23:32,800 --> 00:23:39,840
where it's a lot of the bigger 
names and Active Directory 

369
00:23:39,840 --> 00:23:44,320
identity security that are going
to be there, as well as Entra 

370
00:23:44,320 --> 00:23:47,640
security. 
I can't remember the roster, but

371
00:23:47,640 --> 00:23:51,120
like Sean Metcalf over at 
Trimarc is like a, a pretty well 

372
00:23:51,120 --> 00:23:57,080
known person. 
I think we're we're well, I'll 

373
00:23:57,080 --> 00:23:58,560
start to ramble on the 
Microsoft. 

374
00:23:58,560 --> 00:24:01,360
MVPs and stuff like that, right?
Yep. 

375
00:24:01,520 --> 00:24:07,720
Yeah, Thomas Naunheim, who's 
actually a very well known MVP 

376
00:24:07,720 --> 00:24:11,000
in the Entra space is, is 
going to be talking about I 

377
00:24:11,000 --> 00:24:14,400
think enterprise applications 
and service principals and, and 

378
00:24:14,400 --> 00:24:18,040
all that sort of stuff. 
So you know, and this is where I

379
00:24:18,040 --> 00:24:20,720
guess to the hybrid piece, 
right, we're really trying to 

380
00:24:20,720 --> 00:24:26,720
cover both Active Directory and 
the Entra ID side of the house 

381
00:24:26,720 --> 00:24:29,120
sort of everything under the 
Microsoft ecosystem. 

382
00:24:29,200 --> 00:24:32,160
So yeah, I mean it's 
so big right now. 

383
00:24:32,160 --> 00:24:39,800
So you know, hybrid identity is 
I think it's the new thing or 

384
00:24:39,800 --> 00:24:41,800
the next thing, but it's also 
the current thing. 

385
00:24:42,120 --> 00:24:46,720
I mean, if people haven't moved 
to Entra ID already for a lot of

386
00:24:46,720 --> 00:24:49,560
the Active Directory services, 
they're moving to it. 

387
00:24:50,680 --> 00:24:54,520
I don't see an end of life for 
Active Directory on-prem anytime

388
00:24:54,520 --> 00:25:00,120
soon, but I see a lot of folks, 
a lot of organizations moving 

389
00:25:00,120 --> 00:25:04,000
toward kind of this hybrid 
scenario where they have both, 

390
00:25:04,000 --> 00:25:07,880
they're staying in sync. 
I'm kind of wondering though, 

391
00:25:07,880 --> 00:25:11,960
what kind of new threats does 
that create as well as what kind

392
00:25:11,960 --> 00:25:15,200
of opportunities it creates? 
Yeah. 

393
00:25:15,200 --> 00:25:17,520
I mean from a threat 
perspective, it can get 

394
00:25:18,280 --> 00:25:22,280
interesting in again 
organizations sort of 

395
00:25:22,280 --> 00:25:28,240
unknowingly will perhaps have a 
user that's not privileged in 

396
00:25:28,240 --> 00:25:32,120
Active Directory, but privileged
in Entra, right. 

397
00:25:32,120 --> 00:25:36,120
And so from an Active Directory 
sort of protection perspective, 

398
00:25:37,280 --> 00:25:40,280
the user sort of falls out of 
that, that privileged scope. 

399
00:25:40,280 --> 00:25:44,480
And, and sort of the Long story 
short is scenarios of a user 

400
00:25:44,480 --> 00:25:49,720
being compromised like in Active
Directory and then the, you 

401
00:25:49,720 --> 00:25:52,360
know, whoever has compromised 
them being able to do stuff in, 

402
00:25:52,680 --> 00:25:55,840
in Entra. 
There's also some interesting 

403
00:25:55,840 --> 00:26:01,080
scenarios where you can almost 
have this like almost like loop 

404
00:26:01,080 --> 00:26:06,320
back where you could compromise 
someone that has some privileges

405
00:26:06,320 --> 00:26:08,360
in Entra, usually around 
something like Azure. 

406
00:26:08,360 --> 00:26:10,600
Like you have an Azure 
subscription and maybe you're 

407
00:26:10,600 --> 00:26:13,640
running domain controllers that 
are virtualized out in Azure. 

408
00:26:14,840 --> 00:26:19,000
You compromise someone that has 
some amount of rights over a 

409
00:26:19,000 --> 00:26:21,680
domain controller from like a 
management plane perspective. 

410
00:26:22,200 --> 00:26:26,200
And you can then go run commands
sort of against the domain 

411
00:26:26,200 --> 00:26:28,800
controller because right, 
they're virtualized, there's an 

412
00:26:28,800 --> 00:26:31,160
agent on them, as there is in 
pretty much any sort of 

413
00:26:31,160 --> 00:26:35,280
virtualization scenario, that the
agent has system-level access. 

414
00:26:36,400 --> 00:26:39,520
And next thing you know, you've 
given yourself like, you know, 

415
00:26:39,520 --> 00:26:42,200
domain admin through some, some 
cloud route. 

416
00:26:43,440 --> 00:26:47,520
So yeah, there there's a lot of 
like these weird complex paths 

417
00:26:47,520 --> 00:26:51,400
that just it's like spaghetti 
almost with the, the number of 

418
00:26:53,320 --> 00:26:57,680
potential ways that you can 
compromise in these these hybrid

419
00:26:57,680 --> 00:26:58,920
scenarios. 
So. 

420
00:27:00,520 --> 00:27:01,680
Yeah. 
If you don't really know what 

421
00:27:01,680 --> 00:27:05,680
you're doing or even if you do, 
that's the problem, right? 

422
00:27:05,680 --> 00:27:09,040
It's like even if you do know 
what you're doing, you can still

423
00:27:09,040 --> 00:27:11,320
wind up creating one of these 
scenarios. 

424
00:27:11,640 --> 00:27:15,280
And I think that's a big part of
like the tooling that you guys 

425
00:27:15,600 --> 00:27:21,160
at Semperis, what you provide to 
people is the ability to kind of

426
00:27:21,360 --> 00:27:27,720
identify those scenarios where 
you create an opening. 

427
00:27:28,920 --> 00:27:31,720
Yeah, absolutely. 
I mean, I think that, but you 

428
00:27:31,760 --> 00:27:36,120
you definitely encounter people 
at times who will, you know, 

429
00:27:36,320 --> 00:27:38,880
sort of say they can just roll 
their own or their their 

430
00:27:38,880 --> 00:27:41,960
Sentinel or their Splunk or 
their QRadar is kind of good 

431
00:27:41,960 --> 00:27:44,040
enough. 
But right. 

432
00:27:44,040 --> 00:27:47,720
It's, it's, I'd say, not just a 
Semperis argument that any, any 

433
00:27:47,720 --> 00:27:50,320
company working in in the ITDR 
space, right? 

434
00:27:50,320 --> 00:27:54,760
Like most of us, as different 
companies have a group of 

435
00:27:54,760 --> 00:27:58,000
identity security nerds sitting 
there all day trying to work on 

436
00:27:58,000 --> 00:28:03,720
this stuff full time and just 
seeing the things out there that

437
00:28:03,720 --> 00:28:06,800
actually happened, right? 
Because we, we have feedback 

438
00:28:06,800 --> 00:28:10,760
from our IR team, right? 
Who they're like, you know, here

439
00:28:10,760 --> 00:28:13,360
are things we've seen, right? 
So we're not just like sitting 

440
00:28:13,360 --> 00:28:16,720
there making stuff up as sort of
like theoretical attack paths. 

441
00:28:18,120 --> 00:28:20,560
Yeah, it can, it can be quite, 
quite scary. 

442
00:28:20,560 --> 00:28:23,440
And, and I'll just say to your 
point, like, yeah, even if you 

443
00:28:24,160 --> 00:28:28,320
know what you're doing, 
everything just moves so quick 

444
00:28:28,320 --> 00:28:31,600
these days that I think it's 
really hard for organizations to

445
00:28:32,720 --> 00:28:35,480
keep on top of things, right. 
And, and again, that's where 

446
00:28:35,480 --> 00:28:40,280
like for, for, you know, our 
other product DSP, that's more 

447
00:28:40,280 --> 00:28:45,560
like looking at the proactive 
security of Active Directory and

448
00:28:45,560 --> 00:28:49,480
Entra as well as some, some 
indicators of compromise or 

449
00:28:49,480 --> 00:28:53,160
attacks in flight. 
We're, we're working on this 

450
00:28:53,160 --> 00:28:56,840
thing every month, we have a 
monthly release of, of new 

451
00:28:56,840 --> 00:29:00,760
indicators or updates for 
indicators all based on, right, 

452
00:29:00,960 --> 00:29:03,200
the data we're seeing, the 
research that we're, we're 

453
00:29:03,200 --> 00:29:06,280
doing. 
And, and so I'd, I'd sort of 

454
00:29:07,200 --> 00:29:09,600
politely argue to the 
roll-your-own people, right? 

455
00:29:09,600 --> 00:29:14,560
Like how can you sort of keep up
like this, right? 

456
00:29:14,840 --> 00:29:17,400
I mean, you're if you are, you 
have to be investing a ton of 

457
00:29:17,400 --> 00:29:19,680
time and money and resources 
into doing it. 

458
00:29:21,960 --> 00:29:24,560
It's rare. 
When I first started in this 

459
00:29:24,640 --> 00:29:28,520
identity industry, it's much 
more common that organizations 

460
00:29:28,520 --> 00:29:33,160
will start off with the build 
versus buy analysis. 

461
00:29:34,160 --> 00:29:37,600
It's very rare these days. 
Once in a blue moon, somebody 

462
00:29:37,600 --> 00:29:40,680
will want to look at it. 
Usually it's having to do with 

463
00:29:41,000 --> 00:29:46,200
customer identity, but the 
assumption is we're not in the 

464
00:29:46,200 --> 00:29:50,720
business of secure of security, 
information security. 

465
00:29:50,920 --> 00:29:52,560
We buy products and run 
them. 

466
00:29:52,920 --> 00:29:57,240
And then there is a major trust 
level in the partners that 

467
00:29:57,400 --> 00:30:01,480
organizations choose. 
I think what I what I really 

468
00:30:01,480 --> 00:30:05,240
like about what you guys are 
doing is it seems like you've 

469
00:30:05,240 --> 00:30:09,680
got a focus while the products 
have to evolve. 

470
00:30:09,920 --> 00:30:15,800
It's been centered on this AD 
and Entra ID platform and you're 

471
00:30:15,800 --> 00:30:19,240
continuing to grow into that. 
Now, one of the other areas that

472
00:30:19,240 --> 00:30:22,280
I know you guys have been 
growing into, and to me it seems

473
00:30:22,280 --> 00:30:26,600
like it's the right direction, 
is ITDR. 

474
00:30:27,840 --> 00:30:32,680
Let me ask you first, like how 
do you define ITDR and then ask 

475
00:30:32,680 --> 00:30:36,280
you who needs it? 
Yeah, I mean. 

476
00:30:36,280 --> 00:30:40,080
I, I would say, I'll answer the 
second question first and say I 

477
00:30:40,080 --> 00:30:44,480
think everyone needs it, but 
across, I mean, right, that's 

478
00:30:44,480 --> 00:30:47,360
kind of an answer that's that I 
used to console. 

479
00:30:47,360 --> 00:30:51,480
It's like, and it depends within
as to what that, that spectrum 

480
00:30:51,480 --> 00:30:53,680
of needs it is. 
But to the, the first thing, I 

481
00:30:53,680 --> 00:30:57,640
actually like Gartner's ITDR 
sort of model that they have, 

482
00:30:57,640 --> 00:30:58,880
right? 
And it's identity threat 

483
00:30:58,880 --> 00:31:04,000
detection and response. 
I think in the industry, though,

484
00:31:05,040 --> 00:31:09,040
it's a bit all over the place as
to how people actually interpret

485
00:31:09,040 --> 00:31:10,800
it. 
And, and I actually think that 

486
00:31:11,320 --> 00:31:14,880
probably two of the most 
important pieces, the the 

487
00:31:15,080 --> 00:31:18,120
prevention, which isn't in the 
name, but it is in the, the 

488
00:31:18,120 --> 00:31:22,520
Gartner model and the, the 
response piece are the ones that

489
00:31:22,520 --> 00:31:27,360
kind of kind of get left out. 
And everyone just like focused 

490
00:31:27,360 --> 00:31:33,360
on right, like the, the 
detection or if it's prevention,

491
00:31:33,360 --> 00:31:37,200
it's more like, how can we, how 
can we obfuscate something? 

492
00:31:37,200 --> 00:31:40,920
How can we like throw the threat
actor off instead of, I don't 

493
00:31:40,920 --> 00:31:45,160
know, to me, to me, prevention's
like how can we go in as, as the

494
00:31:45,240 --> 00:31:49,680
IT pros or the people managing 
identity and right turn the 

495
00:31:49,680 --> 00:31:52,480
knobs and dials to just make 
Active Directory more secure? 

496
00:31:52,480 --> 00:31:57,280
Or instead of trying to throw a 
bunch of like fancy sounding 

497
00:31:57,280 --> 00:32:02,840
things at it to sort of not 
actually harden Active 

498
00:32:02,840 --> 00:32:06,160
Directory, but just try to 
interfere with an attack. 

499
00:32:06,160 --> 00:32:09,240
So so I had some maybe I got I 
think. 

500
00:32:09,240 --> 00:32:13,320
That no, no, no, I think that 
was a good, good start to the 

501
00:32:13,320 --> 00:32:19,960
conversation. 
And I think the, you know, ITDR 

502
00:32:20,440 --> 00:32:26,120
could be like many other tools 
in identity where they focus on 

503
00:32:26,120 --> 00:32:31,280
the, the enterprise and all the 
different systems that could be 

504
00:32:32,600 --> 00:32:36,000
compromised. 
But I find so many organizations

505
00:32:36,000 --> 00:32:41,560
are so heavily Microsoft centric
that they're using AD or Entra 

506
00:32:41,560 --> 00:32:46,320
ID including MFA system all 
through Microsoft. 

507
00:32:46,320 --> 00:32:51,320
So that's the best where most of
your eggs are, you know, having 

508
00:32:51,440 --> 00:32:55,120
a tool that's hyper focused on 
that seems like it could make 

509
00:32:55,120 --> 00:32:57,040
sense. 
Yeah. 

510
00:32:57,520 --> 00:33:00,760
That kind of. 
Well, where I was going with 

511
00:33:00,760 --> 00:33:04,320
that was, you know, that seems 
like I may be answering this 

512
00:33:04,320 --> 00:33:10,240
next question which is why does 
it matter what vendor I choose 

513
00:33:10,240 --> 00:33:16,000
for my ITDR solution? 
Yeah, I mean, obviously I think 

514
00:33:16,120 --> 00:33:20,960
right, I'm, I'm here being 
sponsored, right, biased towards 

515
00:33:21,080 --> 00:33:26,360
Semperis, but I also think that 
that that being hyper focused 

516
00:33:26,360 --> 00:33:32,280
piece is where we excel. 
And right like I'm, I'm all 

517
00:33:32,280 --> 00:33:37,280
about having layers of security.
So it's certainly nothing 

518
00:33:37,280 --> 00:33:42,440
against like XDR platforms. 
I think what I tend to find and 

519
00:33:43,240 --> 00:33:47,400
previously I I was on our 
product team and I was involved 

520
00:33:47,400 --> 00:33:49,040
in a lot of our competitive 
analysis. 

521
00:33:49,040 --> 00:33:53,560
So I've also like looked at all 
the other competitors, like XDRs 

522
00:33:53,560 --> 00:33:58,720
tend to be really focused on 
like again, like attacks in flight

523
00:33:59,280 --> 00:34:02,400
and there isn't really a 
component in them like, well, 

524
00:34:02,400 --> 00:34:04,880
what if something gets through 
right? 

525
00:34:04,880 --> 00:34:07,840
It kind of feels like you're 
betting a lot of money on like 

526
00:34:07,840 --> 00:34:11,760
that. 
They will absolutely 100% stop 

527
00:34:11,800 --> 00:34:15,639
anything and everything. 
Like no questions asked. 

528
00:34:17,239 --> 00:34:20,080
You know, I, I think with 
Semperis in particular, like 

529
00:34:21,880 --> 00:34:26,920
looking at how we interpret 
response is really like that 

530
00:34:27,520 --> 00:34:30,920
trying to get Active Directory 
or Entra back to a place that, 

531
00:34:30,920 --> 00:34:33,920
that you trust, right? 
Like where you can feel 

532
00:34:33,920 --> 00:34:38,400
confident that the directory 
service that you're looking at 

533
00:34:38,400 --> 00:34:40,560
isn't, isn't something that's 
been tampered with. 

534
00:34:40,560 --> 00:34:46,560
And that's where there's fewer 
companies out there kind of 

535
00:34:46,560 --> 00:34:49,679
working in that space, 
providing like forest recovery 

536
00:34:49,679 --> 00:34:55,080
or or now we also have tooling 
that we're working on for, you 

537
00:34:55,080 --> 00:34:58,560
know, bring in like Entra sort 
of back and objects back into 

538
00:34:58,560 --> 00:35:02,760
Entra. 
So that I feel like it's a big 

539
00:35:02,760 --> 00:35:04,720
question. 
So I could just probably keep on

540
00:35:05,440 --> 00:35:06,520
on going. 
No, no for. 

541
00:35:06,520 --> 00:35:08,240
Sure. 
I mean, you know, a lot of 

542
00:35:08,240 --> 00:35:12,280
organizations have made a big 
investment in their SIEM solution

543
00:35:12,280 --> 00:35:16,080
over the years and a lot of 
times folks just ask the 

544
00:35:16,080 --> 00:35:21,680
question, what can ITDR do that 
my SIEM solution can't do? 

545
00:35:22,040 --> 00:35:28,040
And, you know, they kind of see 
the SIEM solution as identifying 

546
00:35:28,080 --> 00:35:32,560
events that have taken place. 
My answer has always been it's 

547
00:35:32,560 --> 00:35:37,600
the R. Well, it's the detection 
should detect more things, 

548
00:35:37,600 --> 00:35:39,320
right? 
So it's kind of like you think 

549
00:35:39,320 --> 00:35:42,240
of like the Iron Dome analogy, 
right? 

550
00:35:42,240 --> 00:35:45,600
Shooting missiles out of the out
of the sky or whatever. 

551
00:35:46,120 --> 00:35:50,680
It's identifying more missiles. 
And then the response is that it

552
00:35:50,680 --> 00:35:56,240
can take them out. 
Just an analogy I made up, but 

553
00:35:57,800 --> 00:36:01,480
how do you respond when people 
kind of come to you is can they 

554
00:36:01,480 --> 00:36:06,000
just get by the Splunk? 
Yeah, I'd say it's, it's back to

555
00:36:07,040 --> 00:36:11,080
I, I think there's, there's 
three components is one. 

556
00:36:11,080 --> 00:36:13,920
I, I think like I, I was saying 
earlier that you'll probably 

557
00:36:13,920 --> 00:36:18,480
have a hard time sort of going 
one for one against a company 

558
00:36:18,960 --> 00:36:22,280
that focuses in the space and 
having all the detections. 

559
00:36:23,840 --> 00:36:26,880
I think the response piece is 
also the huge one because again,

560
00:36:26,880 --> 00:36:30,720
like it's one of those things 
where it's tough because you 

561
00:36:30,720 --> 00:36:37,560
don't know until it happens to 
you what it can look like, but 

562
00:36:39,120 --> 00:36:41,640
whether it's like object level 
recovery, right? 

563
00:36:41,640 --> 00:36:44,960
And there's scenarios where the 
Active Directory Recycle Bin 

564
00:36:44,960 --> 00:36:47,720
like is not necessarily good 
enough. 

565
00:36:48,480 --> 00:36:51,480
So there's, there's some again, 
but we're mostly focused on 

566
00:36:51,480 --> 00:36:55,880
security operational benefits to
the response portion. 

567
00:36:57,320 --> 00:37:00,320
But again, like I, I would just 
argue to any company who's sort 

568
00:37:00,320 --> 00:37:03,640
of like we've got the response 
covered would ask them to 

569
00:37:03,680 --> 00:37:07,720
actually go try to bring Active 
Directory back from, from the 

570
00:37:07,720 --> 00:37:09,960
grave, right? 
And I'm not talking about 

571
00:37:10,600 --> 00:37:13,960
pretending to bring one domain 
controller back, like bring 

572
00:37:13,960 --> 00:37:17,560
Active Directory back, bring it 
up so that your enterprise could

573
00:37:17,560 --> 00:37:22,280
actually use it for whatever it 
is that you do and measure how 

574
00:37:22,280 --> 00:37:25,160
long that takes, how many 
resources it takes, right? 

575
00:37:25,160 --> 00:37:28,920
Like, you know, sort of what 
the, the cost is there, because 

576
00:37:28,920 --> 00:37:34,280
a lot of organizations don't go 
through a real sort of almost 

577
00:37:34,280 --> 00:37:37,920
like tabletop of that or, or 
actually go through the process,

578
00:37:37,920 --> 00:37:40,440
right? 
They just look at their DR plan

579
00:37:40,440 --> 00:37:44,160
and they're like, well, we've 
got, you know, a genetic, a 

580
00:37:44,520 --> 00:37:48,040
general backup solution or we've
got system state restore and 

581
00:37:48,040 --> 00:37:50,880
check and like, right, we're on 
to the next thing. 

582
00:37:50,880 --> 00:37:56,160
And then when something actually
happens, yeah, to my point 

583
00:37:56,160 --> 00:37:59,520
earlier about you sort of hating 
life as the person who has 

584
00:37:59,520 --> 00:38:03,240
to bring things back. 
Yeah, we've had 

585
00:38:03,280 --> 00:38:07,880
guests come on and talk about 
getting cyber insurance and the 

586
00:38:07,880 --> 00:38:11,200
keys to getting cyber insurance.
There were three things from an 

587
00:38:11,200 --> 00:38:15,680
infosec perspective or I should 
say from an IT perspective. 

588
00:38:15,680 --> 00:38:21,640
So it was EDR, it was MFA and 
backups. 

589
00:38:22,400 --> 00:38:27,640
And so to me the question around
backups is not just do you have 

590
00:38:27,640 --> 00:38:33,160
backups, but could you restore 
in a given scenario. 

591
00:38:33,160 --> 00:38:39,600
So I mean in my earlier days in 
IT, whenever I was responsible 

592
00:38:39,600 --> 00:38:45,960
for disaster recovery, the idea 
was some 9/11 type event or some

593
00:38:45,960 --> 00:38:49,000
natural disaster takes out a data 
center. 

594
00:38:49,840 --> 00:38:52,920
To me, that's not the most 
likely scenario. 

595
00:38:53,360 --> 00:38:58,320
To me, the most likely scenario 
is some threat actor who gets a 

596
00:38:58,320 --> 00:39:01,840
credential and then tries to 
take down your key 

597
00:39:01,840 --> 00:39:05,280
infrastructure. 
And if Active Directory is part 

598
00:39:05,280 --> 00:39:09,280
of your key infrastructure and 
they get a hold of it, you know,

599
00:39:09,280 --> 00:39:12,480
just restoring from tape, it's, 
it's not like that, right? 

600
00:39:12,480 --> 00:39:15,960
And so that's where what you're 
saying comes into play. 

601
00:39:16,160 --> 00:39:21,400
I think EDR kind of feels a lot 
like well, I mean EDR is EDR, 

602
00:39:21,400 --> 00:39:26,560
but from an identity perspective
it feels a lot like ITDR, you 

603
00:39:26,560 --> 00:39:31,400
know, and I think MFA is, is 
expected as part of this 

604
00:39:31,400 --> 00:39:33,680
hybrid identity protection 
because I was going to talk a 

605
00:39:33,680 --> 00:39:36,720
little bit earlier about 
opportunities with the hybrid 

606
00:39:36,720 --> 00:39:39,000
cloud. 
Well, it seems to me if you are 

607
00:39:39,000 --> 00:39:41,600
in a situation where you're 
going to continue to have an on 

608
00:39:41,600 --> 00:39:45,400
Prem AD, which I think a lot of 
organizations are in that boat,

609
00:39:45,400 --> 00:39:47,480
they just don't see, 
they don't 

610
00:39:47,480 --> 00:39:51,400
see a time until they close all 
of their offices. 

611
00:39:51,400 --> 00:39:53,800
They don't 
see a time where an on-prem AD 

612
00:39:53,800 --> 00:39:56,480
is not going to be part of the 
picture. 

613
00:39:57,280 --> 00:40:02,960
Then having the MFA come from 
Entra is going to be a big key. 

614
00:40:03,200 --> 00:40:08,440
So I mean this this ability to 
recover from an intentional 

615
00:40:08,440 --> 00:40:12,480
disaster a lot different than 
the hurricane or something like 

616
00:40:12,480 --> 00:40:16,000
that happening anyway. 
Yeah. 

617
00:40:16,000 --> 00:40:21,160
So I think to your point, like 
if you use a cyber insurance 

618
00:40:21,160 --> 00:40:29,040
model, this is in the top three.
Any any closing thoughts just to

619
00:40:29,040 --> 00:40:31,000
kind of summarize everything we 
talked about. 

620
00:40:32,640 --> 00:40:34,960
Yeah, I have a couple. 
I guess I was just going to say 

621
00:40:34,960 --> 00:40:40,960
too, I, I think one point in 
with with the backup piece you 

622
00:40:40,960 --> 00:40:44,520
encounter a lot of enterprises 
where their their enterprise 

623
00:40:44,520 --> 00:40:47,840
backup software relies on Active
Directory, right. 

624
00:40:47,840 --> 00:40:53,360
And nobody really notices or 
thinks that until, right, they 

625
00:40:53,360 --> 00:40:56,360
can't get into backup platform 
because Active Directory's down.

626
00:40:56,360 --> 00:41:00,000
They've built that dependency 
and and now you're in the right,

627
00:41:00,000 --> 00:41:03,680
the chicken and egg sort of 
scenario, except in a bad way 

628
00:41:03,680 --> 00:41:06,920
because you could, you don't 
have one to bootstrap the other.

629
00:41:08,680 --> 00:41:12,080
No, I mean, I think as far as 
like, I mean, the, the points I,

630
00:41:12,080 --> 00:41:20,440
I personally have like to drive 
with customers is, you know, on,

631
00:41:20,440 --> 00:41:23,080
on the prevention piece of 
things. 

632
00:41:23,560 --> 00:41:26,880
So earlier this year there was 
like, you know, Windows Server 

633
00:41:26,880 --> 00:41:30,960
2025 coming out and, and you 
know, that actually kind of goes

634
00:41:30,960 --> 00:41:34,960
to your point of Active 
Directory not really going 

635
00:41:34,960 --> 00:41:37,560
anywhere anytime soon. 
But Microsoft had this virtual 

636
00:41:37,560 --> 00:41:40,920
conference and I, I did a 
session that I called, you know,

637
00:41:41,000 --> 00:41:43,760
an ounce of prevention is worth 
a pound of detection. 

638
00:41:43,760 --> 00:41:49,120
And the whole point I was trying
to make in it was like, wait, a 

639
00:41:49,120 --> 00:41:54,040
lot of security people are so 
hyper focused on the detection 

640
00:41:54,040 --> 00:41:57,400
of attacks, which I, I won't 
argue that it's not important, 

641
00:41:58,040 --> 00:42:01,280
but there's so many ways we 
could just like prevent a golden

642
00:42:01,280 --> 00:42:03,120
ticket from from happening, 
right? 

643
00:42:03,120 --> 00:42:07,440
And that's the part where I 
wish, like, I wish security 

644
00:42:08,080 --> 00:42:11,400
infrastructure, you know, 
whoever owns identity, that 

645
00:42:11,400 --> 00:42:16,760
there was more of an investment 
in the proactive security piece 

646
00:42:16,760 --> 00:42:19,600
of things, right? 
Because honestly, then I'm not 

647
00:42:19,600 --> 00:42:23,200
saying you don't need cyber 
insurance, but if you harden the

648
00:42:23,200 --> 00:42:27,040
exterior, if you make it more 
difficult for a threat actor to 

649
00:42:27,040 --> 00:42:30,560
really, you know, pass the hash 
or perform a golden ticket 

650
00:42:30,560 --> 00:42:33,840
attack, like they're, they're 
also opportunistic, right? 

651
00:42:33,840 --> 00:42:36,960
So there are there are also 
scenarios where it might just be

652
00:42:38,080 --> 00:42:40,520
right, a threat actor is going 
after five different people 

653
00:42:40,520 --> 00:42:44,120
like, well, the two that they 
can get domain admin in are the 

654
00:42:44,120 --> 00:42:46,480
ones that they're going to focus
on and the others where maybe 

655
00:42:46,480 --> 00:42:49,520
it's unfruitful, right? 
They're just kind of move on. 

656
00:42:51,560 --> 00:42:56,200
And yeah, I probably already, I 
guess I'd say hit on it 

657
00:42:56,200 --> 00:42:57,800
somewhat. 
But I think the other part is 

658
00:42:57,800 --> 00:43:01,400
that that response, right? 
Because a lot of times again, 

659
00:43:01,400 --> 00:43:05,280
like I'd say kind of in the 
security industry, the feeling 

660
00:43:05,280 --> 00:43:09,680
is like response is like we've 
detected an attack and we're 

661
00:43:09,680 --> 00:43:11,520
going to like isolate the node, 
right? 

662
00:43:11,520 --> 00:43:15,160
Like again, I, I think from a 
layered approach, this is all 

663
00:43:15,160 --> 00:43:17,520
good. 
We've detected golden ticket and

664
00:43:17,520 --> 00:43:21,560
we're going to use EDR to like 
isolate where we saw it coming 

665
00:43:21,560 --> 00:43:25,600
from, but right, in those 
scenarios where it might be 

666
00:43:25,680 --> 00:43:29,400
actually too late based on the 
type of attack that you've 

667
00:43:29,400 --> 00:43:34,480
detected. 
But I think response really is 

668
00:43:34,480 --> 00:43:39,200
getting into that almost like 
DR piece of things like 

669
00:43:39,200 --> 00:43:43,360
response needing to be how do we
get Active Directory back to a 

670
00:43:43,880 --> 00:43:47,920
place or a state where we can 
trust everything in it? 

671
00:43:48,720 --> 00:43:51,200
Because if you, if you can't 
honestly trust the state of 

672
00:43:51,200 --> 00:43:54,920
Active Directory, then you, you 
honestly can't like absolutely 

673
00:43:54,920 --> 00:44:00,200
say, how do we know that there 
isn't something from a threat 

674
00:44:00,200 --> 00:44:03,040
actor still lingering in here, 
right? 

675
00:44:06,720 --> 00:44:10,080
And as again, we we see in 
reality out there that these 

676
00:44:10,080 --> 00:44:13,960
scenarios happen where they'll 
they'll get you and then they'll

677
00:44:13,960 --> 00:44:18,720
get you again after, after 
you've paid up or not paid up. 

678
00:44:18,720 --> 00:44:21,720
So. 
You, you made a great point 

679
00:44:21,720 --> 00:44:25,840
earlier where you're talking 
about layers of security. 

680
00:44:25,840 --> 00:44:29,280
It sounds to me like somebody 
says the prevention. 

681
00:44:29,280 --> 00:44:34,600
So in other words, examining 
your Active Directory and 

682
00:44:34,600 --> 00:44:38,960
providing a map, and this is the
Druid tool I think you talked 

683
00:44:38,960 --> 00:44:43,720
about providing a map of here's 
where your vulnerabilities are. 

684
00:44:44,320 --> 00:44:49,000
And I love that point about an 
ounce of prevention worth a 

685
00:44:49,240 --> 00:44:55,240
pound of detection because if 
you can cut off, here's the way 

686
00:44:55,240 --> 00:45:02,040
I see it, most organizations are
not going to be the target of a 

687
00:45:02,040 --> 00:45:07,760
day zero vulnerability, right? 
So that it's the attackers tried

688
00:45:07,760 --> 00:45:12,120
to get in the door and then run 
scripts and they run scripts and

689
00:45:12,120 --> 00:45:15,800
they run scripts. 
Well, those scripts essentially 

690
00:45:15,800 --> 00:45:20,120
are vulnerabilities that have 
been found and tools and scripts

691
00:45:20,120 --> 00:45:23,680
have been created to leverage 
those vulnerabilities, right? 

692
00:45:23,960 --> 00:45:29,440
So if you have proper tooling in
place, you cut off those 

693
00:45:30,200 --> 00:45:33,640
vulnerabilities, the scripts 
will work in your environment. 

694
00:45:34,120 --> 00:45:38,560
And so I think that's great. 
Now detection potentially would 

695
00:45:38,840 --> 00:45:43,080
detect something that is new 
that is novel, right? 

696
00:45:43,080 --> 00:45:46,640
And that, you know, there isn't 
really a pattern for. 

697
00:45:46,840 --> 00:45:52,120
And I think if you are the FBI 
or some organization where it's 

698
00:45:52,120 --> 00:45:55,840
like, you know, that's a really 
high value target and we're 

699
00:45:55,840 --> 00:45:59,720
going to use day zero attacks if
we can get our hands on them, 

700
00:46:00,560 --> 00:46:03,840
nation state actors and things 
like that, that's a different 

701
00:46:03,840 --> 00:46:05,680
ball game. 
And I still think you have to be

702
00:46:05,680 --> 00:46:07,800
in the prevention side. 
You have to prevent what you can

703
00:46:07,840 --> 00:46:11,880
prevent, but you also have to be
able to to detect more. 

704
00:46:12,240 --> 00:46:14,600
I think that you're making the 
case that for most 

705
00:46:14,600 --> 00:46:17,800
organizations, prevention is 
going to be the key. 

706
00:46:17,800 --> 00:46:22,480
So it's, you know, scanning your
environment, setting up the 

707
00:46:22,480 --> 00:46:27,560
prevention. 
It's also, it's also the 

708
00:46:27,560 --> 00:46:30,520
detections. 
You have an ITDR system that is 

709
00:46:30,520 --> 00:46:33,480
detecting, it's giving you 
another layer of defense. 

710
00:46:33,680 --> 00:46:38,160
And then finally, if you are 
compromised, if all else fails 

711
00:46:39,840 --> 00:46:47,360
and you get, you get owned, you 
still have the the ability to 

712
00:46:47,360 --> 00:46:51,240
restore your Active Directory. 
What I like

713
00:46:51,240 --> 00:46:55,120
is that you guys are so focused
on the AD area. It's not a small

714
00:46:55,120 --> 00:46:57,960
area by any means, but
it's a

715
00:46:57,960 --> 00:47:01,640
focal point, and for a lot of
organizations, that's where the,

716
00:47:01,840 --> 00:47:07,560
that's where they're, you know, 
their crown jewels lie and their

717
00:47:07,560 --> 00:47:11,000
ability to control their 
environment lies within that 

718
00:47:11,280 --> 00:47:13,080
realm. 
Absolutely. 

719
00:47:13,360 --> 00:47:18,640
Absolutely, yeah. 
And I, I think in general, at 

720
00:47:18,640 --> 00:47:21,680
least it's Semperis like that's
where, you know, we, we would 

721
00:47:21,680 --> 00:47:24,600
generally say that we're, we're 
complementary to like XDR

722
00:47:24,600 --> 00:47:28,080
platforms, right? 
Like 'cause, 'cause I think in, 

723
00:47:28,080 --> 00:47:32,680
in that layered approach, right?
We all kind of bring our, our, 

724
00:47:33,680 --> 00:47:36,720
you know, benefits to protecting
identity. 

725
00:47:36,880 --> 00:47:38,280
I mean, in the bigger picture, 
right? 

726
00:47:38,280 --> 00:47:42,320
I think especially from the 
layered piece of things, because

727
00:47:42,320 --> 00:47:46,400
we just continue to see right 
sort of any identity attack. 

728
00:47:46,400 --> 00:47:52,200
It is so crucial, right? 
I mean, I, I, I have other talks

729
00:47:52,200 --> 00:47:56,120
that I've done about right 
identity being the new security 

730
00:47:56,120 --> 00:47:58,040
perimeter. 
And we've been saying this since

731
00:47:58,920 --> 00:48:02,120
2012 is as far back as I could 
find articles. 

732
00:48:02,440 --> 00:48:04,760
But to me it's like sort of like
when are we going to drop the 

733
00:48:04,760 --> 00:48:07,640
new part of identity is the new 
security perimeter. 

734
00:48:07,640 --> 00:48:11,560
And just like say right it, it 
is the security perimeter these 

735
00:48:11,560 --> 00:48:18,920
days and actually treat identity
security as like the sort of 

736
00:48:19,280 --> 00:48:23,280
first class sort of customer it 
should, it should be in the 

737
00:48:23,280 --> 00:48:27,520
enterprise. 
So, but I mean, I could again, I

738
00:48:27,520 --> 00:48:30,160
could go on tangents about you 
all for years. 

739
00:48:30,160 --> 00:48:31,840
About that, right, but it's a 
great point. 

740
00:48:32,160 --> 00:48:35,480
We've been calling it the new 
perimeter for so long like why 

741
00:48:35,480 --> 00:48:37,240
don't we just call it the 
perimeter? 

742
00:48:37,640 --> 00:48:40,840
And it's because the layered 
security approach, there still 

743
00:48:40,840 --> 00:48:42,600
are firewalls. 
Oh, yeah. 

744
00:48:42,600 --> 00:48:47,000
They don't catch everything, but
they block a lot, yeah. 

745
00:48:47,240 --> 00:48:50,720
Yeah, block a lot they are, but 
well, I would just say, I would 

746
00:48:50,720 --> 00:48:54,360
just say that's where it gets 
sticky with, right, the cloud, 

747
00:48:54,720 --> 00:48:58,080
because a lot of the more 
traditional defenses that we 

748
00:48:58,080 --> 00:49:03,160
have, we can't easily apply to 
like, you know, SaaS applications

749
00:49:03,160 --> 00:49:06,960
and and all that sort of stuff. 
Because, right, the interface 

750
00:49:06,960 --> 00:49:10,000
that all of our end users log 
into or authenticate through, 

751
00:49:10,000 --> 00:49:14,320
right, is the same one that, you
know, threat actors can go hit. 

752
00:49:14,320 --> 00:49:19,800
And I, I won't ramble about it 
too much, but just I think to 

753
00:49:19,800 --> 00:49:23,080
the point you made earlier 
about, you know, sort of time, 

754
00:49:23,080 --> 00:49:26,240
money, resources and and how 
it's tough on people who even 

755
00:49:26,240 --> 00:49:28,440
know what they're doing It it it
kind of goes back to that 

756
00:49:28,440 --> 00:49:34,560
there's just everything's so 
fast these days that you can be 

757
00:49:34,560 --> 00:49:37,680
the best of the best and still 
have trouble sort of keeping up 

758
00:49:37,680 --> 00:49:40,760
with it all. 
So yeah. 

759
00:49:40,760 --> 00:49:44,720
Absolutely. 
So Eric, any other closing 

760
00:49:44,720 --> 00:49:48,680
thoughts? 
No, I think good because I I've.

761
00:49:48,680 --> 00:49:53,160
Been wanting to ask you, I know,
I know you're really into hiking

762
00:49:53,640 --> 00:49:59,040
and you had mentioned to me that
you blew out your ACL was in 

763
00:49:59,040 --> 00:50:02,000
April. 
We're sitting here in in August 

764
00:50:02,000 --> 00:50:04,120
at this point recording this 
episode. 

765
00:50:04,520 --> 00:50:07,040
And I wanted to hear more about 
that. 

766
00:50:07,040 --> 00:50:10,040
Like what was the recovery like?
Oh, it was. 

767
00:50:10,760 --> 00:50:15,080
It was, it was not fun. 
So, so actually my my son is 

768
00:50:15,080 --> 00:50:18,640
huge in the skiing and I never 
skied even though I've grown up 

769
00:50:18,640 --> 00:50:22,600
in the Northeast in my life. 
And this winter in January, I 

770
00:50:22,600 --> 00:50:27,160
was taking skiing lessons. 
My instructor had me going on a 

771
00:50:27,800 --> 00:50:29,880
slope that was a little too 
adventurous. 

772
00:50:30,240 --> 00:50:34,160
I got my skis caught up, heard a
pop in my knee. 

773
00:50:35,480 --> 00:50:38,960
And then going to the orthopedic
doctor, it was kind of a bit of 

774
00:50:38,960 --> 00:50:41,080
time. 
I had some fracture in my leg 

775
00:50:41,080 --> 00:50:43,720
that they had to let heal. 
So yeah, end of April, I had 

776
00:50:43,720 --> 00:50:47,360
surgery. 
Man, that was that. 

777
00:50:47,360 --> 00:50:50,280
That was rough. 
And I actually had a, a podcast 

778
00:50:50,280 --> 00:50:54,720
recording like my surgery was 
like on a Thursday. 

779
00:50:55,920 --> 00:50:58,440
And I think it was that next 
Monday I had some sort of 

780
00:50:58,440 --> 00:51:01,640
podcast recording set. 
And I, I didn't realize how 

781
00:51:03,320 --> 00:51:07,440
intense even the first week of 
healing would be because man, I,

782
00:51:08,120 --> 00:51:11,320
I saw myself on that recording 
and I, I, I feel like I looked 

783
00:51:11,320 --> 00:51:16,720
and sounded like a hot mess from
still being on meds and a lot

784
00:51:16,920 --> 00:51:19,240
of opioids and stuff like that,
Yeah, and. 

785
00:51:19,240 --> 00:51:21,520
I couldn't. 
My leg was completely like, I 

786
00:51:21,520 --> 00:51:23,640
had it propped up like under the
desk it was. 

787
00:51:24,040 --> 00:51:26,200
But the, the recovery's been, it
has been tough, man. 

788
00:51:26,200 --> 00:51:28,720
Like I, I'm still not allowed to
run or jump. 

789
00:51:30,480 --> 00:51:35,720
And I, I can't believe just how 
the how little bit of surgery it

790
00:51:35,720 --> 00:51:40,680
is in a way on your leg, how 
much it, it sets you back 'cause

791
00:51:41,480 --> 00:51:44,320
it is, it is a tough thing to 
recover from so. 

792
00:51:45,600 --> 00:51:47,440
Yeah. 
Did you wind up gaining any 

793
00:51:47,440 --> 00:51:49,000
weight while you've been off 
your feet? 

794
00:51:49,440 --> 00:51:50,760
Oh yeah. 
Yeah, absolutely. 

795
00:51:50,760 --> 00:51:54,080
I mean, I'm, I'm up and walking 
around and, and if you saw me 

796
00:51:54,080 --> 00:51:58,000
walking down the street, you'd 
probably think nothing is sort 

797
00:51:58,000 --> 00:51:59,640
of wrong with my leg at this 
point. 

798
00:51:59,640 --> 00:52:02,880
But no, because also when I'm, 
when I'm feeling down, I love 

799
00:52:02,880 --> 00:52:04,760
binge eating. 
So it's, it's just been 

800
00:52:04,760 --> 00:52:06,120
cyclical. 
I can't go out and hike. 

801
00:52:06,160 --> 00:52:11,080
Join the club. Join the
club.

802
00:52:12,840 --> 00:52:18,040
Well, yeah, I never actually had
any kind of surgery on my knees 

803
00:52:18,040 --> 00:52:23,520
or anything, but I did have a a 
hernia a couple years ago now. 

804
00:52:23,520 --> 00:52:27,400
And like people said, oh, you 
have to stay off your feet for a few

805
00:52:27,400 --> 00:52:29,880
days. 
I didn't realize like this first

806
00:52:29,880 --> 00:52:32,800
48 hours or so. 
How? 

807
00:52:33,000 --> 00:52:35,400
Because it was outpatient 
surgery. 

808
00:52:35,400 --> 00:52:38,200
So you go in and get the 
surgery, they knock you out, you

809
00:52:38,200 --> 00:52:42,560
wake up five minutes later and 
the surgery's all in the past. 

810
00:52:42,880 --> 00:52:46,920
But then the recovery winds up 
taking a couple of months, and 

811
00:52:46,920 --> 00:52:49,280
it's the first couple of days 
they're the worst. 

812
00:52:49,880 --> 00:52:52,840
Oh yeah. 
Yeah, it is, it is brutal, 

813
00:52:52,840 --> 00:52:56,880
right. 
And I'm, I'm not a spring 

814
00:52:56,880 --> 00:53:02,720
chicken anymore or whatnot. 
So but yeah, it's, it's made for

815
00:53:02,720 --> 00:53:05,440
a less than ideal summer in some
ways. 

816
00:53:05,440 --> 00:53:08,920
But we're, we're going on 
vacation actually tomorrow with 

817
00:53:08,920 --> 00:53:13,680
the family for about a week to 
the Netherlands and, you know, 

818
00:53:13,680 --> 00:53:18,400
looking forward to still doing 
summery things and, you know,

819
00:53:18,800 --> 00:53:22,360
enjoying life away from 
The Netherlands is

820
00:53:22,360 --> 00:53:26,800
One of my favorite countries, 
you know, what I would recommend

821
00:53:26,800 --> 00:53:29,600
if you can, is get outside of 
Amsterdam a little bit. 

822
00:53:29,880 --> 00:53:34,400
Amsterdam is like super cool, 
but it's also like touristy and 

823
00:53:34,400 --> 00:53:38,080
it's a big city. 
And if you get out into the, you

824
00:53:38,080 --> 00:53:41,000
know, going from city to the 
city or maybe get into some of 

825
00:53:41,000 --> 00:53:44,960
the smaller towns, you're really
going to enjoy it. 

826
00:53:44,960 --> 00:53:46,320
I mean, it's a beautiful 
country. 

827
00:53:46,320 --> 00:53:49,760
And, you know, I think all most 
people know they have a dike 

828
00:53:49,760 --> 00:53:53,400
system that pumps water out. 
Otherwise it would be most of 

829
00:53:53,400 --> 00:53:55,160
the country would be below 
water. 

830
00:53:55,520 --> 00:53:58,120
And so. 
It creates like there's all 

831
00:53:58,120 --> 00:54:02,880
these, I guess they're dikes 
that, that, you know, channel 

832
00:54:02,880 --> 00:54:04,960
the water out and the, the 
windmill. 

833
00:54:04,960 --> 00:54:08,920
The purpose was to operate the 
pumps to pump the water out. 

834
00:54:09,080 --> 00:54:13,640
Pretty ingenious and, yeah, just
a beautiful country, a lot of 

835
00:54:13,640 --> 00:54:15,600
farmland. 
Yeah. 

836
00:54:17,080 --> 00:54:18,760
So try to get out there and 
explore. 

837
00:54:18,760 --> 00:54:21,080
I was. 
I spent a lot of time in Leiden.

838
00:54:21,760 --> 00:54:24,680
It's a city that you can take a 
train from Amsterdam right 

839
00:54:24,680 --> 00:54:28,520
there. 
So anyway, you, you enjoy that? 

840
00:54:29,040 --> 00:54:30,080
Yeah. 
I will. 

841
00:54:31,200 --> 00:54:33,920
Eric, is there anything else or 
I guess we can wrap up this 

842
00:54:33,920 --> 00:54:35,360
episode? 
I think it's been a really 

843
00:54:35,360 --> 00:54:38,240
educational good good. 
I'm, I'm glad now. 

844
00:54:38,240 --> 00:54:42,120
I think if you, if you let me go
too long, I'll just keep going 

845
00:54:42,120 --> 00:54:43,840
forever. 
So I'd I'd say we could probably

846
00:54:43,840 --> 00:54:46,720
wrap it all right. 
Well, good. 

847
00:54:46,760 --> 00:54:49,840
I think the first thing I wanted
to do is remind everybody about 

848
00:54:49,840 --> 00:54:54,000
the HIP conference. 
You can go to hipconf.com. 

849
00:54:54,440 --> 00:54:56,120
I was out at the website 
already. 

850
00:54:56,120 --> 00:55:02,080
The the conference is what, 
December or November 13th and 

851
00:55:02,080 --> 00:55:05,920
14th? 
I think it's, it's, it's in 

852
00:55:05,920 --> 00:55:08,120
November now. 
I can't remember if it's 12th, 

853
00:55:08,120 --> 00:55:11,920
13th or 13th, 14th. 
It's it says that the the site, 

854
00:55:11,960 --> 00:55:13,840
it says it on the website. 
That's right. 

855
00:55:14,600 --> 00:55:19,120
So if you go to hipconf.com, if 
you do decide to register, if 

856
00:55:19,120 --> 00:55:23,760
you look at the awesome speaker 
list, use the the discount code 

857
00:55:24,040 --> 00:55:30,120
IDAC pod, IDACPOD. 
We'll get you 20% off as the 

858
00:55:30,120 --> 00:55:33,200
best discount code that's out 
there and available. 

859
00:55:34,520 --> 00:55:39,160
You also find this podcast on 
any podcast platform that you 

860
00:55:39,160 --> 00:55:44,880
want to listen to Apple Podcasts
or Spotify or there's a million 

861
00:55:44,880 --> 00:55:48,480
others that are much smaller and
we're available in all of them. 

862
00:55:50,040 --> 00:55:52,320
We are also available on 
YouTube. 

863
00:55:52,320 --> 00:55:57,000
If you go to idacpodcast.tv, 
they'll take you right to our 

864
00:55:57,000 --> 00:56:00,520
YouTube page. 
We would appreciate if you enjoy

865
00:56:00,520 --> 00:56:02,720
the podcast to go out there and 
subscribe. 

866
00:56:02,960 --> 00:56:05,560
Check us out. 
We're putting up new content at 

867
00:56:05,560 --> 00:56:08,440
least every week and we're 
trying to do even more than that

868
00:56:08,440 --> 00:56:13,800
with like stories and outtakes. 
We also on we have our own 

869
00:56:13,800 --> 00:56:20,200
website idacpodcast.com and 
we're on Twitter or X at with 

870
00:56:20,200 --> 00:56:24,920
the at symbol IDAC podcast. 
We're also on Mastodon. 

871
00:56:24,920 --> 00:56:30,160
Now I've never been to that 
myself, but it's at IDAC podcast

872
00:56:30,360 --> 00:56:36,320
at Infosec dot exchange. 
And our sponsor for this week is

873
00:56:36,320 --> 00:56:40,800
Semperis or Semperis.
I was told by Eric before the 

874
00:56:40,800 --> 00:56:43,400
episode that both are used 
pretty commonly and 

875
00:56:43,400 --> 00:56:48,640
interchangeably. 
And so it's at Semperis or 

876
00:56:48,640 --> 00:56:55,320
semperis.com, SEMPERIS.com and
we'll have all those notes in 

877
00:56:55,320 --> 00:56:59,160
the show note. 
So for this week, thanks 

878
00:56:59,160 --> 00:57:01,960
everyone for tuning in and we'll
catch you on the next one. 

879
00:57:04,240 --> 00:57:06,680
You've been
listening to Identity at the

880
00:57:06,680 --> 00:57:09,360
Center.
We hope you've enjoyed the show.

881
00:57:09,560 --> 00:57:13,640
Make sure to like, rate and 
review, and we'll be back soon. 

882
00:57:13,920 --> 00:57:16,200
But in the meantime, hit the 
website at 

883
00:57:16,200 --> 00:57:22,560
identity@thecenter.com. 
See you next time on Identity at

884
00:57:22,560 --> 00:57:23,480
the Center.
