As I do each year, I recently got together with a group of my very talented colleagues at Quest to explore the key trends for the coming year. I’m excited to say that this time, we were able to supplement their vast industry expertise and personal experience serving customers with some really interesting hard data.
In September 2024, we surveyed 373 IT pros, managers and executives to learn about the state of adoption, maturity and effectiveness of an increasingly significant focus — identity threat detection and response (ITDR). Gartner named ITDR as one of the top cybersecurity trends for 2024, and it’s no wonder: Microsoft Digital Defense Report 2024 states that credential misuse is now a factor in nearly all (99%) of the 600 million daily identity attacks against Entra ID. Attackers don’t break in, they log in. ITDR is a crucial strategy for defending against these attacks because it focuses on enhancing an organization’s ability to prevent, detect, investigate and respond to identity-related threats. As adversaries grow more adept at exploiting vulnerabilities in identity systems, ITDR has become essential for ensuring the integrity and availability of critical systems.
Several of the predictions below reveal key findings of our ITDR survey. I also invite you to read the full report.
Now, let’s dive into the specific trends that our team predicts we will see unfold in 2025.
1. The IT retirement crisis will force organizations to take a more strategic approach to cybersecurity.
Jason Morano, senior solutions consultant at Quest, started us off with a broad perspective. As recently as 2020, Baby Boomers comprised nearly one fifth of the working-age population in North America. But there’s a terribly inconvenient truth: By the broadest generational definition, the last of the Boomers were born in 1964; therefore, by 2030, there will be exactly zero Boomers left under 65 years of age. What’s more, the youngest cohort of Boomers is the largest: This surge, known as “peak 65” or the “silver tsunami,” comprises some 30.4 million people, including a record 4.1 million who turned 65 in 2024.
This reality is especially impactful for modern IT departments because certain vital skills are disproportionately held by older IT pros. In particular, admins qualified to manage Active Directory (AD) are leaving the workforce in droves. As this occurs, tribal knowledge of how things — really critical things — were set up is lost.
For example, many organizations have dozens or hundreds of Group Policy objects (GPOs) that have been created over the years, which draw from a pot of over 4,000 possible settings; newer admins are struggling to understand what they actually do, let alone what they were intended to do. Making matters worse, Microsoft has retired many of the training tracks required to bring newer IT pros up to speed on the critical and complex AD platform.
Jason predicts that organizations will respond to the IT retirement crisis with a strategic approach in 2025: focusing on core security basics. A key initiative here will be Active Directory modernization. AD modernization involves migrating and consolidating the AD environment, while also rationalizing and updating security controls and processes. The result is a reduced attack surface and faster and better detection and response to threats.
The Quest survey I mentioned earlier bears out the effectiveness of this strategy: More than half of respondents (55%) report ITDR improvements after modernizing their Active Directory.
2. Companies will adopt AI-driven security tools like Security Copilot to stay ahead of attackers.
Next, our conversation turned to a tool that promises to be truly transformative in 2025: Microsoft Security Copilot. Mike Wilson, distinguished engineer and AI security evangelist at Quest, points out that a robust security and cyber resilience strategy requires a broad set of solutions — but getting those solutions to work together effectively is often quite a challenge. For instance, the Quest survey found that the top roadblock to ITDR adoption is the complexity of integrating ITDR with existing systems. Indeed, this issue was reported by nearly 7 in 10 respondents.
The elusive goal is known as cybersecurity mesh architecture, which Gartner defines as follows: “Cybersecurity mesh, or cybersecurity mesh architecture (CSMA), is a collaborative ecosystem of tools and controls to secure a modern, distributed enterprise. It builds on a strategy of integrating composable, distributed security tools by centralizing the data and control plane to achieve more effective collaboration between tools.”
CSMA is not new; in fact, Gartner named it one of its top cybersecurity trends in 2022 and again in 2023 (under the term “composable security”). But in 2025, Mike predicts, Security Copilot will supercharge implementation of CSMA by stitching together a wide range of data sources and security tools in a way that was not previously feasible.
That’s because Security Copilot is based on OpenAI’s GPT-4 large language model (LLM), enhanced by a layer of security-specific knowledge. That knowledge includes trillions of daily signals from Microsoft’s vast threat intelligence feed, real-world incident data, and information from Microsoft security products like Sentinel and Defender XDR as well as select third-party solutions such as the market-first Security Guardian from Quest.
As a result, Security Copilot is able to deliver enhanced, multi-layered threat detection that empowers organizations to tackle complex security challenges more cohesively and proactively — even in the face of the growing skills shortage. Indeed, our customers agree that the primary value of this powerful AI assistant is its ability to aggregate and analyze large amounts of data and transform it into human-readable format.
Mike does caution that there are important security and usability concerns that need to be worked out. They include:
- Connecting to confidential data repositories increases the risk of data leakage.
- Organizations need to set assurance levels based on the validity and recency of the data sources.
- Injection of bad data into the LLMs by malicious actors can result in incorrect analyses.
- Playbooks need to be created manually, which takes time and resources.
- Fully realizing the benefits of Security Copilot requires using Microsoft Sentinel.
- Security Copilot is Microsoft-focused, rather than platform-agnostic.
3. 2025 will see a renewed focus on security basics rather than preparing for complex attacks.
As noted earlier, nearly all attacks today involve identity compromise. Let’s dive deeper into exactly what that means — and what it doesn’t.
Organizations commonly assume that adversaries are using exotic techniques and new research into the inner workings of Active Directory in order to carry out their attacks. While that is sometimes the case, the reality is that most cyberattacks target well-known weaknesses, using well-known techniques and readily available tools. According to Gartner, “Organizations are focusing too much on sophisticated attacks while not addressing basic security hygiene and incident response practices. This leaves them exposed to ransomware and account-takeover risks.”
This reality isn’t all that surprising when you consider that Active Directory is already 25 years old. While Microsoft releases new versions of Windows Server every few years, the basic platform has remained the same for a long time. As a result, cyber criminals are well versed in the common weaknesses of Active Directory — and that low-hanging fruit is often sufficient for them to slip into a network, move laterally and escalate their privileges, and achieve their objective, whether that’s exfiltrating sensitive data or unleashing ransomware.
Top examples of common AD weaknesses include:
- Highly privileged service accounts whose passwords haven’t been changed in ages
- Orphaned accounts and unneeded AD security groups
- Use of weak protocols like NTLMv1
- A KRBTGT password that hasn’t been changed in a long time
- Domain controllers (DCs) that have non-essential applications and services installed
- Convoluted Group Policy
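The following read-only audit script is an added example, not code from the Quest post or from any Quest product: it checks a domain for each of the weaknesses in the list above and emits a findings table for review. It assumes the RSAT ActiveDirectory and GroupPolicy modules, that it runs on a domain controller (or a host with WinRM access to the DCs) under an account that can read the directory, the Security log and GPO reports, and the day thresholds, the DC role baseline and the seven-day NTLMv1 lookback are illustrative assumptions, not values the post prescribes.

```powershell
# Added audit example (not from the Quest post or a Quest product): read-only checks for
# the common AD weaknesses listed above. Nothing is changed; findings are listed for review.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ServiceAccountMaxPwdAgeDays = 365   # assumption
$StaleAccountDays            = 180   # assumption
$KrbtgtMaxPwdAgeDays         = 180   # assumption (twice-yearly rotation)
$Now      = Get-Date
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Check, $Subject, $Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Subject = $Subject; Detail = $Detail })
}
function Get-AgeDays($Date) {
    if ($null -eq $Date) { return [int]::MaxValue }      # never set: treat as maximally stale
    return [int]($Now - $Date).TotalDays
}

# 1. KRBTGT password age: this key underpins every Kerberos ticket issued in the domain.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$age = Get-AgeDays $krbtgt.PasswordLastSet
if ($age -gt $KrbtgtMaxPwdAgeDays) { Add-Finding 'KRBTGT password age' 'krbtgt' "$age days" }

# 2. Privileged (AdminCount=1) accounts that carry an SPN, i.e. Kerberos service accounts,
#    whose password has not changed within the threshold.
Get-ADUser -Filter 'ServicePrincipalName -like "*" -and AdminCount -eq 1' `
           -Properties PasswordLastSet, ServicePrincipalName |
    ForEach-Object {
        $age = Get-AgeDays $_.PasswordLastSet
        if ($age -gt $ServiceAccountMaxPwdAgeDays) {
            Add-Finding 'Stale privileged service account' $_.SamAccountName "password age $age days"
        }
    }

# 3. Orphaned accounts and unneeded groups: enabled users with no logon in $StaleAccountDays,
#    and security groups with no members. Primary-group membership is not stored in Members,
#    so the default primary groups are skipped rather than reported as empty.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $StaleAccountDays) -UsersOnly |
    Where-Object Enabled |
    ForEach-Object { Add-Finding 'Inactive enabled account' $_.SamAccountName "last logon $($_.LastLogonDate)" }
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Members |
    Where-Object { $_.Members.Count -eq 0 -and $_.Name -notin 'Domain Users', 'Domain Computers', 'Domain Guests' } |
    ForEach-Object { Add-Finding 'Empty security group' $_.Name $_.DistinguishedName }

# 4. Weak protocols: LmCompatibilityLevel below 3 still sends LM/NTLMv1 responses, and
#    4624 logon events with LmPackageName 'NTLM V1' show the protocol is actually in use.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$level = $lsa.LmCompatibilityLevel
if (($null -ne $level) -and ($level -lt 3)) { Add-Finding 'LmCompatibilityLevel allows NTLMv1' $env:COMPUTERNAME "level $level" }
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 604800000]]" +
         " and EventData[Data[@Name='LmPackageName']='NTLM V1']]"   # last 7 days (assumption)
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d    = ([xml]$_.ToXml()).Event.EventData.Data
        $user = ($d | Where-Object Name -eq 'TargetUserName').'#text'
        $src  = ($d | Where-Object Name -eq 'IpAddress').'#text'
        Add-Finding 'NTLMv1 logon observed' $user "from $src at $($_.TimeCreated)"
    }

# 5. Domain controllers hosting roles beyond directory services. Roles outside the
#    assumed baseline are listed for review, not declared wrong.
$dcBaselineRoles = 'AD-Domain-Services', 'DNS', 'FileAndStorage-Services', 'File-Services'   # assumption
foreach ($dc in Get-ADDomainController -Filter *) {
    $roles = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
            Select-Object -ExpandProperty Name
    }
    $extra = $roles | Where-Object { $_ -notin $dcBaselineRoles }
    if ($extra) { Add-Finding 'Non-baseline role on DC' $dc.HostName ($extra -join ', ') }
}

# 6. Group Policy sprawl: total count, GPOs linked nowhere, and GPOs with every setting
#    disabled, which are the usual first candidates for consolidation.
$gpos = Get-GPO -All
foreach ($gpo in $gpos) {
    $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
    if (-not $report.GPO.LinksTo) { Add-Finding 'Unlinked GPO' $gpo.DisplayName $gpo.Id }
    if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { Add-Finding 'GPO with all settings disabled' $gpo.DisplayName $gpo.Id }
}
Add-Finding 'GPO count' $env:USERDNSDOMAIN $gpos.Count

$Findings | Sort-Object Check | Format-Table -AutoSize
```

Each check produces a finding for a human to triage rather than taking action, because every one of these items (an old KRBTGT password, an empty group, an extra role on a DC) can have a legitimate reason that only the team owning the environment knows; the point is to make the list visible before the people who remember why it was set up that way retire.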
In 2025, organizations will focus on addressing these and related AD security gaps by shoring up their fundamental Active Directory security hygiene. When it comes to identity threats, the core set of best practices includes the following:
- Require multifactor authentication.
- Adopt a Zero Trust security model.
- Implement ITDR.
4. Continued need for on-prem AD will necessitate a comprehensive approach to identity security.
Next, Bryan Patton, CISSP and principal solutions consultant at Quest, zoomed in a bit to focus on the evolving structure of IT ecosystems. He expects that Entra ID adoption will hit a ceiling in 2025, with most organizations continuing to maintain a hybrid IT ecosystem. One key reason is that they have a wide variety of third-party and bespoke applications and equipment that are crucial to operations but that do not readily port to the cloud. Examples are easy to come by, from software tools and advanced equipment that rely on Active Directory for authentication, to business process automation or customer relationship management (CRM) software that would be both expensive and risky to modify.
In addition, some data and processes are so critical or sensitive that they should not live in the cloud. Both security and compliance drivers can be at work here. For instance, industrial control systems and related infrastructure may be prohibited from being exposed to the internet, and highly regulated data like health records or financial information might be kept on premises to facilitate compliance with HIPAA, SOX or GDPR. Plus, for some organizations, the physical location of data is in itself an operational issue. For example, trading companies need to have their computers located physically close to the stock exchange’s computers, since microseconds can make crucial differences in high-frequency trading.
In short, a variety of factors will mean that hybrid will continue to be the norm in 2025. Bryan predicts that this fact means that organizations will increasingly adopt a comprehensive approach to identity security across Active Directory and Entra ID. After all, in hybrid environments, these systems are intimately connected. In particular, adversaries who compromise AD are not limited to the on-premises environment — they can move laterally into Entra ID and access cloud resources like critical data in Microsoft 365, circumventing the modern security controls included in Entra ID.
Accordingly, Bryan says, we should expect an increased focus on protecting not merely user credentials but the whole identity infrastructure. This perspective is supported by the Microsoft Digital Defense Report 2024, which notes that while multifactor authentication (MFA) is effective at blocking many password-based attacks, as MFA has seen widespread adoption, threat actors have pivoted to other vulnerabilities — and one of the primary ones is attacking the identity infrastructure.
Our survey found that awareness of the importance of securing the identity infrastructure is high, but action lags: Nearly 100% of respondents agree that identity security requires effective hygiene and prevention measures, but only 50% of organizations utilize an identity infrastructure security tool to root out misconfigurations, and just 42% identify and monitor their critical (Tier Zero) assets. Because these core ITDR strategies are highly effective at protecting the identity infrastructure, we expect to see much broader ITDR adoption in 2025.
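One concrete form of the "identify and monitor your Tier Zero assets" practice mentioned above is to keep an expanded membership baseline for the most privileged AD groups and to surface every addition to them from the domain controllers' Security log. The script below is an added example, not code from the Quest post or a Quest product; it assumes the RSAT ActiveDirectory module, that it runs on a domain controller with rights to read the Security log, and a Tier Zero group list and seven-day lookback that are illustrative assumptions to be adapted to your own tiering model.

```powershell
# Added example (not from the Quest post): baseline the members of an assumed set of
# Tier Zero groups and list recent additions to them from the DC Security log.
Import-Module ActiveDirectory

$TierZeroGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                  'Administrators', 'Account Operators', 'Backup Operators',
                  'Server Operators', 'Print Operators', 'DnsAdmins'      # assumption
$LookbackDays = 7                                                       # assumption

# 1. Current membership, expanded through nested groups, as the baseline to review.
$baseline = foreach ($g in $TierZeroGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{n='Group';e={$g}}, SamAccountName, objectClass, distinguishedName
}
$baseline | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Additions in the last $LookbackDays days. 4728/4732/4756 = member added to a
#    security-enabled global/local/universal group; TargetUserName holds the group name.
$ms    = $LookbackDays * 86400000
$xpath = "*[System[(EventID=4728 or EventID=4732 or EventID=4756) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
$additions = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
    $d     = ([xml]$_.ToXml()).Event.EventData.Data
    $group = ($d | Where-Object Name -eq 'TargetUserName').'#text'
    if ($group -in $TierZeroGroups) {
        [pscustomobject]@{
            When    = $_.TimeCreated
            Group   = $group
            Member  = ($d | Where-Object Name -eq 'MemberName').'#text'     # DN of the added principal
            AddedBy = ($d | Where-Object Name -eq 'SubjectUserName').'#text'
            DC      = $_.MachineName
        }
    }
}
$additions | Sort-Object When | Format-Table -AutoSize
```

Run the membership part on a schedule and diff it against the previous run; the event part is the near-real-time signal, and because group changes are written to the Security log of whichever DC processed them, it should be collected from every DC (or from a SIEM that already forwards those logs) rather than from one.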
5. Risk management will become a priority as it becomes clear that outages are inevitable, even for core providers.
As you almost certainly know, in July 2024, a routine update to CrowdStrike’s Falcon cybersecurity software caused 8.5 million computers running the Microsoft Windows operating system to crash. The impact was felt around the globe: Airlines grounded thousands of flights, hospitals canceled patient procedures, financial institutions struggled with payment and banking issues, media outlets went off the air and much more. Estimates of the financial damage worldwide exceed US$10 billion. Less than two weeks later, Microsoft was hit by a distributed denial of service (DDoS) attack that led to 10 hours of disruptions. Impacted services included Microsoft 365 and Microsoft Purview services, as well as the Azure portal itself.
While Microsoft outages are especially painful because of the ubiquity of the company’s products and services, many other major vendors experienced downtime in 2024 as well. They include Oracle Cloud services in January, Salesforce in May, and AT&T in February and again in May. All of these incidents had significant impacts on the many organizations relying on these core providers.
Matthew Vinton, strategic systems consultant at Quest, says that this pattern of significant outages will not be lost on organizations. In 2025, he says, they will increasingly recognize that outages are inevitable, so trying to avoid them is a hopeless endeavor. No one is abandoning Microsoft or Oracle because of incidents; their products and services are too valuable. Moreover, any alternative vendor would be just as prone to downtime.
Instead, to protect their operations, organizations will increasingly focus on risk management as part of a broader cyber resilience strategy. Quest has an entire blog post devoted to what to consider when developing risk management strategies, which I encourage you to read in full. Among other things, it lays out the five possible responses that organizations can choose for a given risk: reduction, acceptance, avoidance, sharing and transfer.
When it comes to the risk of provider outages, the most viable strategy is reduction: taking action to lessen the likelihood or impact of an adverse event. For vital software and services like those from Microsoft and Oracle, one core control is implementing a robust patch management and software update process to reduce the chance of adversaries exploiting known vulnerabilities. Another is tightly managing access rights, including the privileges granted to the service accounts assigned to third-party applications.
More broadly, organizations will need to pay more attention to software supply chain security. The software supply chain includes anything that plays a role in the development of an application or plays a role during the software development lifecycle. Examples include third-party and proprietary code, open-source libraries and tools, deployment methods and infrastructure, interfaces and protocols, and developer practices and development tools.
Matthew advises that comprehensive supply chain risk management begins with checking each vendor’s certification with an approved secure software development framework or other established standards. But he cautions that this check is only a first step. Organizations must also look for the following:
- Whether a vendor puts its suppliers through an extensive assessment to ensure they meet standards for data protection, privacy and security
- Whether the vendor has a mature development process and rigorously protects its development environment
- What controls have been implemented to mitigate risks in the product development lifecycle
- How the vendor protects against insider threats, including both malicious actions and inadvertent but costly mistakes
6. Organizations will redouble their efforts to move domain-joined endpoints to the cloud in order to reduce their attack surface.
Scott Lilly, product manager for Quest’s AD migration products, turned our attention to another important common weakness in today’s IT ecosystems: endpoints that are joined to legacy on-prem systems.
The vulnerability of domain-joined devices is widely understood. Nearly two thirds of respondents in our survey said they believe that joining devices to the cloud as part of their ITDR practice enhances security. They are right: Top benefits include single sign-on (SSO) to cloud resources, phishing-resistant authentication, device-based conditional access policies, automatic device licensing, self-service password reset, and centralized device identity management. Not surprisingly, 58% of organizations have started down this path.
However, migrating devices from AD-joined to cloud-joined can be quite a lengthy and cumbersome journey. Joining machines to Entra ID by resetting the device frustrates users who must then painstakingly rebuild their profiles, copy their data and reconfigure their desktop settings. Moreover, the process can take 5+ hours — per device. If you have 1,000 devices, that’s potentially 5,000 hours of lost productivity!
Scott expects that in 2025, more organizations will be seeking a truly scalable approach to closing the security gap that their domain-joined devices represent. With a third-party solution that eliminates the need to wipe and reimage the machines and that automatically restores the user profiles on each device, you can slash the time required to move devices from on-premises AD to Entra ID.
7. Protecting cloud-joined devices will become a priority.
Endpoint modernization initiatives and Active Directory modernization projects will result in a growing number of Azure-joined devices. Indeed, Quest telemetry data revealed that 13 billion more Entra-joined device objects were backed up compared to just a year ago, showing the growing number of cloud-joined devices being used and managed.
Becky Cross, technical product manager at Quest, turned our attention to the critical need for organizations to properly secure those devices in 2025. She says that IT teams will need to address multiple concerns. One is device management, which includes enforcing security policies and ensuring that only compliant devices can access corporate resources. In on-prem environments, a large chunk of device security is typically handled by AD Group Policy — which does not exist in Entra ID. Accordingly, organizations will need a solution to manage their cloud-joined devices. As Becky points out, it’s crucial to ensure that IT teams know how to use the new management solutions before any device migrations begin.
In addition, having reliable processes in place to back up and restore device objects is critical for user productivity. After all, when devices are missing or corrupted, the associated users are likely unable to do their jobs, which can disrupt or even halt vital business operations. Therefore, it’s essential to be able to quickly restore devices to a known-good state. This aspect of protecting cloud-joined devices is a crucial element in a broader Entra ID backup and recovery strategy.
8. Organizations will learn the hard way that having a robust, well-practiced disaster recovery plan is essential.
Finally, Fouad Hamdi, CISSP and principal strategic systems consultant, worries that too many organizations still lack a robust, well-practiced disaster recovery (DR) plan. Quick recovery is essential to minimizing the financial cost and other impacts of adverse events. Organizations need to ensure cyber resilience in the face of direct attacks on their network, as well as the supply chain attacks described earlier. Moreover, they need to be able to recover quickly from non-malicious events like errors by IT admins, power outages and equipment failures.
A proper recovery strategy needs to include the identity infrastructure, which for most organizations today involves Active Directory. After all, every second your identity infrastructure is down, your business is dead in the water, and the costs skyrocket. In fact, research calculates the cost of Active Directory downtime to be $730,000 per hour. Over half the respondents in our survey said that their organization can tolerate less than four hours of downtime, and over a quarter (27%) pegged it as less than 1 hour.
Nevertheless, almost one third of organizations (31%) never test their identity disaster recovery plan. Astonishingly, even among organizations that implemented ITDR because of a previous security incident, the percentage is virtually the same (30%)!
Fouad notes that the best practice recommendation is to run a real disaster recovery test, not just a tabletop exercise, every 6 months. Unfortunately, only 24% of organizations meet this bar. Even among those who say their ITDR practice is mature, it’s still just 32% — far below what’s expected at that level. Without regular DR practice, when a real disaster strikes, there will be no muscle memory available when it’s needed most, as adrenaline and stress spike.
Conclusion
2025 is predicted to be a year where security, modernization, risk management and recovery will be front and center. As always, we hope you find these predictions both insightful and useful as you head into another year focused on enhancing the security, productivity and cyber resilience of your organization.