Automation is often mentioned in the context of hardening. It is reasonable since the task of hardening is complex and tangled, especially when done in large and complex infrastructures. In fact, according to our research, most IT professionals report they invest over 5 hours on average for hardening one server, and still suffer from outages more than occasionally. Try to convert this information to thousands of machines responsible for critical operations, and you'll understand the desire to automate as much as possible of this task, decreasing the time and resources invested and aiming to minimize the chance for product damage.
But not every tool that claims to automate hardening will provide the same capabilities, and only a few can be considered as true hardening automation tools. It’s important to understand where automation can come in handy in the hardening process, and the different types of automation available in the hardening process.
Before diving into automation, we'll start by defining the different stages of the hardening project. After building detailed and granulated policies, taking into consideration different types of machines, environments, machines role, and type you can start the process of hardening. We like to divide the hardening project into three stages: testing, enforcing, and monitoring:
1. Testing - pushing your policy as is on to your system will cause extensive damage. While hardening best practices instruct to disable and block any potential attack vector, some rules just cannot be implemented since these settings are in use. To understand which rules can and can not be enforced, you must understand the entire dependencies in your network. The practice of the testing stage is building a test environment that will simulate your network as accurately as possible and test the impact of each rule enforcement on it. This is, by all means, the hardest, longest, and most resource-demanding stage of the hardening project. In addition, it is the most important one, since if not done properly, it will result in production outages.
After finishing testing each configuration change's impact, the policy must be discussed again to decide the course of action of each impacting rule.
2. Enforcing - after testing and adjusting the policy to the test's findings, you'll need to enforce all policies on all system components. This stage is also highly prone to human mistakes if you are no using assistive tools. Ensure all components have been enforced with the right policy, and that all policy rules have been properly pushed has high management complexity.
3. Monitoring - if you do not want to get back to square one in your compliance posture, monitoring is essential. The organizational network is dynamic and constantly changes. New applications are installed, old machines die, and you must have the ability to react to these changes, so you won't lose your compliance posture. In addition, changes in configuration can occur either intentionally or unintentionally, and you must have the ability to monitor and fix them.
If you wish to dive deeper into the process of hardening, its common challenges, and some best practices for a successful hardening project, take a look at this eBook: 'How to Plan and Manage a Hardening Project".
After understanding the different stages of the hardening process, we'll take a look at the different types of tools, claiming to perform hardening automation:
1. Configuration management tools:
These tools are traditionally used for hardening, although they were not developed specifically for hardening, but for general control over systems settings. These tools automate only one out of the three hardening stages - the Enforcement stage. They require certain skills and knowledge to use since they usually require writing scripts and rules to operate. The level of automation is depended on the user's expertise, therefore requires having in-house hardening expertise. Even tools that are were developed with a higher affinity to hardening are only partially automated since they cover only the enforcement stage and are not a matter of a click of a button.
Attributing configuration management tools hardening automation capabilities is an inadequate definition since they only provide a partial solution to one of the stages.
2. Compliance scanners:
Compliance scanning vendors also often claim to automate the hardening process. This is also only partially true, since they too, only address one out of the three stages. Compliance scanners help to automate the monitoring stage (each tool according to its unique features and capabilities). These tools will help you understand your gaps before you start to harden and maintain your compliance posture at the same level post hardening. The same as configuration management tools, referring to compliance scanners as hardening automation tools is also inadequate.
These two families of tools usually like to attribute themselves hardening automation qualities, although it is not accurate. Both types of tools don't provide any solution to the Testing stage, which is by far the most resource-demanding and complex stage. So, what are real hardening automation tools? Are there any in the market? Yes.
Hardening Automation Tools:
Real hardening automation tools completely automates all three stages of the hardening project, transforming the hardening project to a matter of few clicks with no in-house special expertise required. Real hardening automation tools really automates the hardening process. How?
hardening automation tools save you the need to test and automatically generate an impact analysis report which indicates which policy rule is enforced, which isn't. The rules that are not enforced are divided to rules that can be enforced and rules that will lead to downtime when being enforced (and their specific reason). All the information you need is provided without having to do anything. Hardening automation tools generate this impact analysis by learning your production dependencies. This means that the accuracy of the report is as high as possible, minimizing the risk for a downtime caused by hardening. This ability also allows organizations to minimize the time invested for hardening one machine to only 5 minutes (instead of five hours).
real hardening automation tools will completely automate also the enforcement stage. While the configuration management process is complex to handle, manage and monitor, hardening automation tools allow you to control your entire infrastructure from a single point of control. This means that from a single point you'll be able to push any policy to any server in any environment, and also to roll back in case you need to. There is no need for scripts or in-house knowledge on how to build automation. In only a few clicks all your policies can be implemented on the right machine.
in addition to the previous capabilities, hardening automation tools will also monitor and make sure your compliance posture remains as high as it was a minute after you finished to harden. This is done by alerting and remediating on any configuration drifts done by either malicious activity, human error, or accepted changes in the infrastructure. This is extremely important since hardening is not a one-time task, but a continuous process.
Hardening automation should only refer to tools that automate the entire process of hardening. Anything else will provide only a partial solution and misguide the user. To continue your reading and learn which vendor offers hardening automation tools, you can continue your reading here: "Hardening Tools 101"