Cyber Success Stories

The Association Française de Normalisation (AFNOR) has 5 missions: certification, standardization, publishing standards, training, and promoting French standardization internationally.
Present in France, but also in other countries (Europe, China, USA, Australia…), the organization has around 2,000 endpoints, servers and workstations.
How does HarfangLab protect AFNOR’s information system? Jean-Marc Aubert, CISO, and Christian Plaza, Information System Security Officer, share their experience.

Context

AFNOR was in the process of rolling out its cyber roadmap, which included the implementation of security solutions, when it was hit by a ransomware attack in February 2021.

To deal with this major attack, which paralyzed the Information System for several weeks and led to a crisis that lasted almost 3 months, a complete security system had to be deployed in record time.

EDR was an integral part of the solutions recommended by the incident response team working with AFNOR to remediate and restore security.

The aim was to put in place measures to prevent a recurrence of the crisis.

“We knew that ransomware was a threat to us. AFNOR was in the process of deploying various protection measures for its Information System, but we were caught short, and had to intervene as quickly as possible. So we achieved in 3 months what we had planned over 3 years!”
Jean-Marc Aubert, CISO

In terms of internal organization, it was no longer a question of convincing people of the relevance of an EDR, but of explaining that the measures taken were the right ones.

“I presented all the security measures adopted to the Executive Committee, using the attack diagram drawn up by the Forensics and Incident Response teams.
All along the attack path, I was able to show how EDR would have enabled us to detect, limit or even prevent the attack.
In practice, if we had been protected by an EDR, it would have been much harder for the attackers to get hold of workstations and servers, or they simply wouldn’t have succeeded, because either we would have received alerts, or the malicious actions could have been blocked upstream.”
Jean-Marc Aubert, CISO

Why HarfangLab?

Given the crisis situation, the AFNOR Security team placed their full trust in their partner to guide them towards the most appropriate solution.

“We had been working with Airbus for several years, and they suggested a package including a SOC and HarfangLab’s EDR, a recommendation we felt was entirely appropriate.”
Jean-Marc Aubert, CISO

Deployment and support

HarfangLab was deployed in waves by the team dedicated to workstations and the Operations team, which manages the systems.

“We first cleaned up the workstations and reassembled our IT infrastructure, then proceeded to deploy the EDR in waves of 200 workstations, starting with the IT Department.
We then extended to the other departments, checking that the EDR was capable of monitoring the entire IT fleet.
You have to bear in mind that an EDR involves a lot of configuration work, between rules and whitelists, but it’s essential to get the most out of the tool, and also to get to know your IT infrastructure better.
On a day-to-day basis, we appreciate the excellent responsiveness of both our partner and HarfangLab, who both provide us with rapid answers and solutions when we need them.”
Christian Plaza, Information System Security Manager

Results

Since deploying HarfangLab, AFNOR’s security teams work with greater peace of mind… while knowing that if an alert is triggered, it’s the sign of a real problem.

“We know that our workstations and servers are protected. If a security incident is detected, we can react quickly.
The advantage of EDR is also that it is able to detect many anomalies, including the presence of software that shouldn’t be on workstations, which helps us to better control Shadow IT.”
Christian Plaza, Information System Security Manager

“Since the attack we suffered, we have set up an on-call system. Event detection can come from a variety of sources: employees may warn that they have clicked on a dubious link in an e-mail, a SIEM rule may trigger an alert… But from now on, in the event of an alert, since we have an EDR, the first reflex is to check whether it has itself generated an alert. If we don’t see anything in the EDR, we know that it’s not a priority event.
HarfangLab thus helps us to better qualify events coming from these multiple sources.
On the other hand, if the alert comes from the EDR, it’s all hands on deck!”
Jean-Marc Aubert, CISO