For several years, Hardis Group has chosen to strengthen its internal security with innovative solutions that fit its needs. Its hosting activities involve managing traditional, virtual, cloud and hybrid infrastructures, and few solutions are natively able to monitor all of these environments.
Their choice was SecludIT, in particular for the following reasons:
Jérôme Mollaret, cybersecurity consultant and Certified Ethical Hacker at Hardis Group, says:
“When we looked for a real-time detection solution, we chose SecludIT because of the following:
– Scans’ sharpness
– Continuous monitoring of thousands of machines
– Real-time IT inventory with VMware, AWS, Azure … connectors
– Cloning possible for further testing
– Simple, complete and easy-to-understand for all
– Key indicators from ANSSI, OWASP and PCI-DSS standards
– The SecludIT team’s reactivity and availability”
Elastic Detector integration in the Hardis Group IT system
Running the risk detection solution in Appliance mode lets Hardis Group manage its IT security internally. The company split its infrastructure into several perimeters according to criticality. On each perimeter, an Elastic Detector instance is configured to scan a set of machines that may live in different environments (AWS, VMware) and run various operating systems (Linux, Windows, iOS).
This makes it possible to analyze each perimeter with a depth that matches the needs and the criticality of its assets. In addition, isolating each perimeter with dedicated service accounts (so that a scanner account for one perimeter has no rights on another) keeps Hardis Group in line with ANSSI’s recommendations.
How did Hardis Group escape the WannaCry and NotPetya cyberattacks?
Discovered in mid-May 2017 and attributed to the North Korean Lazarus group, the WannaCry ransomware was the first of its family to weaponize exploits stolen from the NSA and published by the Shadow Brokers group in April 2017, in particular EternalBlue (together with the DoublePulsar backdoor). It spread to vulnerable hosts through weaknesses in the SMBv1 protocol, used for example for sharing files and printers; Microsoft had fixed these weaknesses in March 2017 with the MS17-010 update.
NotPetya appeared in late June 2017 and has been clearly identified as a weapon disguised as ransomware, created by the Russian TeleBots group, retrospectively identified as the author of BlackEnergy. It reuses part of the Petya source code (MBR overwrite and MFT encryption), but, like the KillDisk wiper previously used by TeleBots, it leaves the victim no way to recover the data, and it reuses the SMB exploits (EternalBlue and EternalRomance) to propagate.
It also adds a novelty: a credential-theft component that harvests the credentials of users who previously logged on to the infected host and replays them against remote hosts (via PsExec and WMIC), whether those hosts are patched or not. This last feature is the alarming and critical one: when the stolen credentials belong to an account with strong privileges across the whole estate, such as the administrators, the patch level of the other machines no longer matters.
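The check a practitioner wants after reading the two paragraphs above is whether any host in a perimeter still accepts the SMBv1 dialect that EternalBlue targets. The probe below is an added example written for this article; it is not SecludIT's, Elastic Detector's or Hardis Group's code, and the hostnames it scans are placeholders. It sends a minimal SMB_COM_NEGOTIATE request offering only the "NT LM 0.12" dialect and reports whether the server accepted it; a host with SMBv1 disabled closes the connection or answers with an SMB2 header, both of which count as "not accepted".

```python
"""Added example (not SecludIT's or Hardis Group's code): a minimal SMBv1 dialect
negotiation probe for finding Windows hosts that still accept the 'NT LM 0.12'
dialect exploited by EternalBlue (MS17-010). Hostnames used below are placeholders."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT = b"NT LM 0.12"  # the only SMBv1 dialect we offer


def build_smb1_negotiate() -> bytes:
    """Build a NetBIOS-framed SMB_COM_NEGOTIATE request offering a single SMBv1 dialect."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHHQHHHHH",
        SMB_COM_NEGOTIATE,  # Command
        0,                  # NT Status (unused in a request)
        0x18,               # Flags: canonical paths, case-insensitive
        0xC801,             # Flags2: unicode, NT status codes, extended security, long names
        0,                  # PID high
        0,                  # Security signature (8 bytes)
        0,                  # Reserved
        0, 0, 0, 0,         # TID, PID, UID, MID
    )
    dialects = b"\x02" + DIALECT + b"\x00"          # one dialect entry: 0x02 + string + NUL
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects  # WordCount=0, ByteCount, data
    smb = header + body
    # NetBIOS session header: 0x00 followed by a 24-bit big-endian length
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def parse_smb1_negotiate_response(data: bytes) -> bool:
    """Return True only if the server accepted the SMBv1 dialect we offered.

    `data` is the raw reply including the 4-byte NetBIOS session header. An SMB2
    reply (magic 0xFE 'S' 'M' 'B'), an error status, an empty parameter block or a
    dialect index of 0xFFFF all mean SMBv1 was not negotiated.
    """
    if len(data) < 4 + 32 + 3:  # NetBIOS header + SMB header + WordCount + DialectIndex
        return False
    smb = data[4:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return False
    status = struct.unpack_from("<I", smb, 5)[0]
    if status != 0:
        return False
    word_count = smb[32]
    if word_count == 0:
        return False
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return dialect_index == 0  # index 0 = 'NT LM 0.12'; 0xFFFF = no dialect accepted


def smb1_enabled(host: str, port: int = 445, timeout: float = 3.0) -> bool:
    """Probe one host. Refused, reset or silent connections count as 'SMBv1 not accepted'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            reply = sock.recv(1024)
    except OSError:
        return False
    return parse_smb1_negotiate_response(reply)


def scan_perimeter(hosts):
    """Return the hosts that still accept SMBv1, i.e. candidates for MS17-010 follow-up."""
    return [h for h in hosts if smb1_enabled(h)]


if __name__ == "__main__":
    # Placeholder inventory for one perimeter; replace with the perimeter's real host list.
    perimeter = ["srv-app-01.example.internal", "srv-db-01.example.internal"]
    for host in scan_perimeter(perimeter):
        print(f"{host}: SMBv1 accepted, verify MS17-010 patch state")
```

A host that accepts SMBv1 is exposed to the propagation vector but is not necessarily unpatched; confirm the patch state separately (for example with nmap's smb-vuln-ms17-010 script or by checking the installed updates). Conversely, disabling SMBv1 closes the EternalBlue path but does nothing against NotPetya's credential replay, which only least privilege and credential hygiene on administrative accounts can contain.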
Hardis Group was able to escape these cyberattacks thanks to the continuous monitoring strategy it had put in place.
The graph above is an example of one of Hardis Group’s critical perimeters. It consists of 23 Windows servers under Elastic Detector monitoring.
It can be observed that a remediation campaign was launched in the third week of March 2017, right after the MS17-010 update. By the time the Shadow Brokers leak appeared, only 5 servers were still vulnerable, held back by production downtime constraints and pending application validation.
The entire perimeter was protected when the WannaCry and NotPetya cyberattacks came out.
Elastic Detector thus allowed Hardis Group to map the perimeters that could be affected by these cyberattacks and to remediate them before the attacks, rather than after.
To find out whether your systems are also vulnerable, you can test Elastic Detector free for 14 days.
You can also find below Jérôme Mollaret’s Slideshare presentation (in French) on the use of Elastic Detector on the Hardis Group infrastructure.