How long could your organization go without access to applications and services because of an identity-related cyberattack? That’s the question we often ask security and IT ops leaders when we’re discussing the importance of protecting Active Directory and Entra ID from threat actors. The question seems hypothetical because it assumes a worst-case scenario.

But for far too many organizations—MGM Resorts, Change Healthcare, and countless others every week—the answer comes when an attack takes down business operations for hours, days, or weeks while teams scramble to respond. In fact, 84% of organizations experienced an identity-related breach in the last year, costing $3.5 million per incident on average.

The new Forrester Total Economic Impact (TEI) Report of Semperis gives organizations quantifiable metrics they can use to prove the value of being able to continuously monitor hybrid identity environments for emerging threats, automatically roll back malicious or unintentional changes, and reduce Active Directory recovery time.

“In the event of a ransomware attack, Semperis ensures we can easily recover our AD in hours versus weeks or months. … To know that we have a viable alternative when the worst of the worst happens allows us to sleep better at night.”

CISO, Healthcare

Forrester’s TEI team spent hours interviewing five Semperis customers from various sectors, including consulting, healthcare, energy, and financial services, with annual revenue ranging from $5B to $60B, to discern the business outcomes they achieved after implementing Semperis’ comprehensive identity resilience platform. Those quantifiable benefits include:

Reducing by 90% the time to recover the AD forest after an attack with Active Directory Forest Recovery (ADFR)

Reducing by 90% the time spent in day-to-day operational security management activities such as object- and group-level recovery with Directory Services Protector (DSP)

Reducing by 25% the likelihood of a successful AD attack with DSP’s continuous monitoring for indicators of exposure (IOEs) and compromise (IOCs) and automated remediation

Reducing by 40% the time spent monitoring the hybrid AD environment

We’ve been collecting evidence in customer POCs of reduced time to recover an AD forest with ADFR for years, so we were not surprised that Forrester’s findings validated the 90% time savings in forest recovery. Here’s a visual Forrester includes in the TEI report to show the scope of the massive recovery challenge and downtime risk potential as described by customers before investing in Semperis.

Time to recover Active Directory (Source: Forrester Total Economic Impact of Semperis)

But the other resource savings the Forrester team uncovered on the operational benefits of DSP managing object- and group-level recovery confirmed positive outcomes that we’ve seen in the field but haven’t yet been able to measure. The reduced time to manage operational security and monitor the identity system reported in the study points to the significant resources organizations invest in simply keeping up with the day-to-day changes in a large, complex hybrid AD environment.

“We were having frequent group- and object-level incidents where we would have to spend hours trying to restore objects before Semperis. Now, we know how to fix the issue within minutes. It’s night and day.”

Network Systems Analyst, Healthcare

Quantified benefits of Semperis: $9.5M over three years

All up, the Forrester study reported quantified benefits of using Semperis products at $9.5M in present value (PV) terms. Those benefits include:

Improved business continuity due to faster AD attack recovery at $3.9 million in savings.

Improved business continuity through a reduction in the likelihood of a successful hybrid AD attack, worth $1.2 million.

Object- and group-level remediation savings worth $4.3 million.

Hybrid AD environment monitoring efficiencies that save $109,000.

Source: Forrester Total Economic Impact of Semperis

Beyond the measurable benefits, interviewees also talked about the unquantified benefits of using Semperis, which included:

Improved brand credibility: Although any organization could experience the misfortune of being the victim of a cyberattack, for some companies the reputational damage can take years to repair, especially in industries like healthcare where public safety is at stake. With Semperis DSP, organizations can continuously monitor and improve their overall security posture, building credibility and paving the way for business expansion.

Improved visibility of the hybrid AD environment: The SolarWinds attack drove awareness of the increasing number of attacks that start in the cloud and move to the on-premises identity system, or vice versa. These attacks are notoriously difficult to detect and contain. Semperis DSP provides a hybrid identities view that helps IT and security teams see and respond to changes across both on-prem AD and Entra ID.

What organizations were looking for in an ITDR solution

The Forrester study participants discussed their buying criteria for an ITDR solution, focusing on key challenges that the Semperis team has seen in our years of managing hybrid AD systems ourselves. Most large organizations have legacy AD environments with years of accumulated security misconfigurations. The requirements the interviewees listed form the core capabilities of the Semperis identity resilience platform.

Shift from a reactive approach to responding to hybrid AD-related ransomware attacks to a proactive one. One of the assets customers mentioned in the study was the expert guidance provided by the Semperis team. With more than 150 years of collective Microsoft MVP awards and 25 former Microsoft field engineers on staff, we have direct experience successfully conducting AD and Entra ID-related incident response for global organizations. The knowledge we gather about how identity-related attacks work goes directly into our product development strategy.

Improve business continuity by reducing the AD attack recovery time. Cyberattacks disrupt business operations for days, weeks, or months. For smaller companies such as Lincoln College and UK-based telemarketing firm The Heritage Company, a cyberattack can be a business-ending event. The single biggest factor in successfully restoring business operations after a cyberattack is the time to recover the identity system, which is AD for 90% of organizations worldwide. Without AD, business operations come to a halt. We’ve demonstrated time and again in POCs that ADFR can cut recovery time by up to 90%. The Forrester study provided another independent proof point. As a healthcare CISO who participated in the Forrester study said, “In the event of a ransomware attack, [Semperis] ensures we can easily recover our AD in hours versus weeks or months. … To know that we have a viable alternative when the worst of the worst happens allows us to sleep better at night.”

Ensure a fully malware-proof recovery to avoid further disruption and data loss. The only thing worse than a cyberattack is a repeat cyberattack that uses the exact same techniques to bring the business down again. CPO Magazine reported that 67% of businesses that experienced a cyberattack suffered a repeat attack within a year after the first incident. Our patented technology in ADFR decouples the OS from the AD backup, which ensures a malware-free recovery.

Use post-breach forensics capabilities to close back doors and eliminate persistence following an attack. Based on our experience in incident response engagements with some of the largest organizations in the world, we’ve seen that discovering and removing malware left in the environment after an attack can be a tricky and time-consuming process. Our post-breach forensics in ADFR helps isolate changes that occurred during an attack window to eradicate persistence and restore AD to a trusted, malware-free environment.

Reduce end-user downtime during hybrid AD-related ransomware attacks and object- and group-level incidents. Anyone in the AD trenches can attest that the many changes that occur hourly in AD are time-consuming and error-prone to manage. With just one wrong click, you could wipe out several critical privileged groups, bringing operations to a standstill. DSP helps IT and security teams find and fix operational misconfigurations, saving significant time, especially for organizations with large, complex AD environments.

Improve visibility into the hybrid AD environment to mitigate potential risks and reduce IT team effort. Attackers increasingly target hybrid environments, gaining entry into the cloud identity system and then moving to the on-prem system, or vice versa. Semperis DSP offers a hybrid identities view so you can track changes between Entra ID and on-prem AD. In the Forrester study, a technical architect of AD in professional services said: “We were unaware of what was going on in our AD environment before Semperis. It was difficult to track all of the changes that were being made across the organization on a daily basis and make sure that nothing suspicious was happening.”

Elevate the IT team’s reputation across the organization by enabling proven recoverability of the business-critical identity system. After years of media coverage about high-profile breaches, the fact that AD is the #1 target for cyberattackers is now common knowledge among most business leaders, resulting in IT ops teams taking a more prominent role in developing and implementing overall security strategy.   

The Forrester study found overall that Semperis provided solutions that directly addressed organizations’ key challenges in securing the identity environment. A senior manager of server architecture in the energy sector said, “We were recommended Semperis and after doing our research, it became clear that it’s an amazing tool. When we looked at their competitors, feature to feature, no one came close. Once we met with the Semperis team and ran through the demo, I was very impressed — it was not a hard sell.”

“We were unaware of what was going on in our AD environment before Semperis. It was difficult to track all of the changes that were being made across the organization on a daily basis and make sure that nothing suspicious was happening.”

Technical Architect of AD | Global Consulting Company

Quantifying the benefits of strong identity system security and recovery

Beyond the highlights I’ve captured here, you’ll find in the full report more information about how Forrester analysts conducted this study, first-hand accounts from the participants about the results they’ve seen from implementing Semperis solutions, and a breakdown of the economic benefits of using our platform.

Business leaders have many competing priorities for their security budgets, and the cybersecurity industry has exploded with new offerings for preventing, remediating, and recovering from cyberattacks. The Forrester Total Economic Impact study conducted with Semperis customers brings a critical and sorely needed quantifiable benefits analysis that will help CISOs, CIOs, and CEOs choose and implement the solutions that will improve overall security posture and ensure that they have a solid identity system disaster recovery plan in place.  

The post New Forrester TEI Report: Semperis Slashes Downtime by 90%, Saving Customers Millions appeared first on Semperis.