We primarily use the solution for recovery purposes.
It has saved our company money in terms of recovering objects, but I can't put a number on that.
The interface and the time to recovery of the objects are great aspects of the solution. The interface is very simple. I didn't have anybody walk me through it. I just went in and said, "Okay, how do I do this?" And it was very slick. It was very simple, and it was very quick.
The menus are streamlined and I could very easily figure out what backup I wanted to go to, how to load it, and how to restore the attributes. I have restored one time—some attributes on an object—and it was very simple. It was very slick and worked really well.
Our impression of the solution for providing a clean, malware-free recovery and protecting our AD backups from compromise is that it is probably one of the best options available. From what I've seen, there are a few vendors that do it in a similar fashion, but what this product does is top-notch. It's a top-tier solution for preventing the reingestion of some type of compromise.
I can't say if it reduces the risk of malware reinfection, but I can definitely say it significantly reduces the possibility of reingestion. It's not doing a full backup of the server, and it's not backing up the driver directory and directories where executable files reside, which is where malware is likely to be hidden. It doesn't have to back those up to do the directory backup. It limits what is backed up and what is restored.
It is very important to have this ability to eliminate the risk of reinfection. If you suffer a compromise, and you're restoring to a clean environment, the assumption is that it's clean. If you have that same infection, then you're doing a tremendous amount of work and spending a tremendous amount of money, and you're going to suffer the same fate down the road.
I've used the solution for about nine months, but I don't manage it on a day-to-day basis. It's really been a set-and-forget type of thing.
I haven't had to engage support for Recovery Manager for Active Directory.
Currently, my team uses the CrowdStrike Falcon platform for threat detection and response.
It definitely acts more as an insurance policy. You could have an external attack, an internal attack, or an internal accident that wipes out a lot of directory information. That information can be recovered pretty easily with this tool.
Over the past number of months, I identified a gap with their Recovery Manager for AD Forest Edition. That software can't recover for us if we have a complete malware/ransomware-type scenario where we lose all our domain controllers. If you lose the entire forest, you can't get it back up with the Forest Edition. You have to use their Disaster Recovery Edition. That suite of software can recover from a complete disaster scenario. And that's what I'm looking at right now to determine if we want to purchase that or one of their competitors' solutions.
So I've started down the path of reviewing Quest Recovery Manager for Active Directory Disaster Recovery Edition along with KOsoft and Semperis, to see the different capabilities among the products. My experience with those other products has really just been from talking with the vendors and looking at the product. I haven't done a PoC or had my hands on them.
We've recently started looking at Varonis. That's going to be owned by a different division within the company; however, it applies directly to directory services on my team and its ability to lock down and protect the directory.