
CalCom Wants to Provide Top-of-the-Line System Hardening Tools

After more than a decade of experience in hardening projects, CalCom positioned itself as the leading provider of unique hardening tools that address the needs of both IT and Security teams. Our products and services are designed to help organizations with large and complex infrastructures minimize their attack surface and achieve compliance.

CalCom Hardening Automation Suite (CHS) minimizes the chances of outages resulting from hardening actions and reduces operational costs by automating the impact analysis process. CHS provides a click-of-a-button solution for hardening, eliminating the need to have in-house knowledge and human resources allocated for the hardening project.

What problem are you trying to solve?

System hardening refers to actions done to reduce the attack surface by securing the configurations of the system’s components (servers, applications, etc.). As they arrive from the manufacturer, system components are more function-oriented than security-oriented, which means that unnecessary functions are enabled. Each function is a potential attack vector, so securing the system’s configuration is critical for mitigating vulnerabilities and preventing breaches.

Organizations should establish different hardening policies for each system component, aspiring to be as granular as possible (differentiating component’s type, role, version, environment, etc.). In fact, hardening has become a mandatory requirement in every regulation. Therefore, setting a good hardening policy is no longer open for debate and there are security hardening best practices that organizations must follow (e.g., CIS Benchmarks and DISA STIG).

After establishing a hardening policy there are 3 stages you must complete to achieve baseline hardening:

  1. Testing – pushing your policy as is onto your system will cause extensive damage. While hardening best practices instruct you to disable and block any potential attack vector, some rules just cannot be implemented since these settings are in use. To understand which rules can and cannot be enforced, you must understand all the dependencies in your network. The practice of the testing stage is building a test environment that will simulate your network as accurately as possible and testing the impact of each rule enforcement on it. This is, by all means, the hardest, longest, and most resource-demanding stage of the hardening project. In addition, it is the most important one, since if not done properly, it will result in production outages. After finishing testing each configuration change’s impact, the policy must be discussed again to decide the course of action for each impacting rule.
  2. Enforcing – after testing and adjusting the policy to the test’s findings, you’ll need to enforce all policies on all system components. This stage is also highly prone to human mistakes if you are not using assistive tools. Ensuring that all components have been enforced with the right policy, and that all policy rules have been properly pushed, has high management complexity.
  3. Monitoring – if you do not want to get back to square one in your compliance posture, monitoring is essential. The organizational network is dynamic and constantly changes. New applications are installed, old machines die, and you must have the ability to react to these changes, so you won’t lose your compliance posture. In addition, changes in configuration can occur either intentionally or unintentionally, and you must have the ability to monitor and fix them.

CalCom takes this tangled process and completely automates it, so you can test, enforce, and monitor at the click of a button. By using CHS you will be able to harden a server in only 5 minutes instead of 5 hours using the traditional tools.

How are you solving that problem?

CalCom Hardening Automation Suite (CHS) is a hardening automation platform designed to reduce operational costs and increase infrastructure’s security and compliance posture. CHS is the sole solution for hardening automation.

CHS eliminates outages and reduces hardening costs by automating every stage in the hardening process:

  • Automatic impact analysis: indicating the impact of a security hardening change on the production services. CHS learns your production dependencies, therefore saving the need for a test environment and producing the most accurate possible impact analysis report.
  • Automatic policy implementation: after setting a policy according to the impact analysis report, CHS will implement each policy on the right machine from a single point of control, therefore easing the task of configuration management. CHS will ensure the right policy is implemented on the right machine and that all system components are hardened in only a few clicks.
  • Continuous compliance: CHS will monitor your compliance posture, alert, and remediate configuration drifts. CHS will ensure your compliance level remains high in the dynamic, ever-changing infrastructure, so you won’t need to perform hardening from scratch a few months after your initial hardening project.

What is the next big challenge in information security?

All evidence shows that excelling at the basic security controls will prevent the majority of attacks. System hardening is the very basics of information security and has a huge impact on an organization’s security posture. Here is some evidence:

  1. Misconfigured assets are responsible for over 40% of infrastructure vulnerabilities – for example, in 2018, TLS & SSL versions and other configuration issues held almost 45% of the infrastructure vulnerabilities. In addition, SMB security issues (such as the SMBv1 vulnerability) were responsible for almost 30% of infrastructure vulnerabilities.
  2. Over 30% of internal-facing vulnerabilities could be mitigated by hardening actions – in 2019, 31% of the internal-facing vulnerabilities could be mitigated (partially or completely) via hardening actions.
  3. Establishing secure configurations will protect you from the highest number of ATT&CK techniques – according to the CIS Community Defense Model, the 5.1 CIS control, establish secure configurations, maps to 145 ATT&CK techniques and provides the most coverage in a single safeguard. This illustrates the high value of implementing secure configurations in your organization’s assets.
  4. Implementing the CIS Benchmarks is mandatory in most regulations and information security frameworks – common regulations such as GDPR, HIPAA, FISMA, CMMC, and frameworks such as PCI-DSS and NIST accept the CIS Benchmarks as the best practice. Configuring your assets to be in line with the CIS Benchmarks is a huge step toward achieving compliance with those regulations.

How do people get involved/buy into your vision?

For organizations holding large-scale infrastructures (several hundred servers and above) CHS is mandatory for avoiding attacks, achieving compliance, and avoiding audit fines.

The costs, in-house knowledge and human resources organizations will need to allocate for a hardening project lead many of them to neglect this task. In addition, we often see organizations one year after their hardening project positioned back at square one, since hardening is a continuous task. Treating it as a one-time mission will end up in the need to start the project from scratch.

CalCom not only provides hardening automation for multiple layers (servers, applications, endpoints), but also provides our hardening experts’ consultancy for policy discussions and any professional decision that needs to be taken.

Finally, CalCom’s team will make sure that no matter how complex your network is, your hardening project will end up successful and your compliance posture will remain high over time.
