Somfy

How global manufacturer monitors and protects its Active Directory infrastructure

建立持續監控與保護目錄安全

Founded in France in 1969 and present in 58 countries, Somfy is the leading partner in all areas of building opening automation systems and a pioneer in the connected home sector. The group is constantly innovating to create homes that offer their users comfort, well-being, and safety to fulfill its vision of ‘‘inspiring a better way of living accessible to all.’’

此願景之所以能夠實現，仰賴的是五大應用程式和 13 個相輔相成的品牌組合：

• 百葉窗與陽光防護
• 室內窗簾與捲簾
• 家庭連網
• Security
• 存取控制

The entrepreneurial spirit of Somfy is embodied by the Group’s 6,070 employees in 117 subsidiaries, eight manufacturing plants, and 80 logistics centers and warehouses. Its presence on five continents enables the group to adapt its products and services to the specific needs and characteristics of its markets.

憑藉數位技術、創新能力和合作夥伴關係，Somfy 得以持續不斷地向所有利害關係人提出嶄新價值。

挑戰

As a global player in home and commercial control systems, Somfy aims for the highest levels of innovation and advancement in its products and solutions. With several companies under its umbrella, Somfy’s security for intellectual property, design, and customer data spanning a vast directory infrastructure was paramount. As a part of its continuous improvement process, Somfy was seeking the best way to tackle unique AD security challenges. 這個方法必須能對根網域進行目標式評估，找出所有問題所在。

找出現有弱點

Utilizing Tenable.ad for AD’s seamless, instant-on deployment, Somfy was able to immediately investigate and identify problems in real-time, each corresponding to one of Tenable.ad’s Indicators of Exposure (IoE). 其中幾個重大問題與 AdminSDholder、Root 權限和 Kerberos 委派指標有關。AD 的初步評估結果突顯出存在跨多個群組管理員過多的嚴重性。

This initial connection between Tenable.ad and Somfy’s AD was vital, as the solution mapped the AD’s topology and identified any existing hidden attack pathways and weaknesses that could be leveraged by attackers.

複雜的子網域

完成初步連結和根網域分析之後，接下來輪到關注子網域。However, a few challenges with the child domain showed potential loopholes and vulnerabilities. 這些挑戰包括：

• 眾多經營實體分布於全球各個角落
• AD 管理員人數過多
• 夾雜著幾個來自委外第三方資源的管理員

解決方案

Following the initial assessment exploring existing weaknesses, misconfigurations, and attack pathways, the Tenable.ad solution provided step-by-step remediation tactics to prevent vulnerabilities and attacks. Due to Somfy's need to quickly acquire some additional expertise relating purely to AD, Tenable.ad’s reputable partner provided ongoing workshops to analyze each IoE. The partner organized a tailor-made mitigation plan based on Tenable.ad for AD’s real-time results available to Somfy senior staff through an intuitive, consolidated dashboard.

Thanks to the Tenable.ad platform’s consistent real-time AD monitoring, Somfy was able to perform continuous workshops to address each actionable IoE task, while relevant teams were equipped with Tenable.ad-proposed checkers to ensure each step was mitigated. 根據複雜程度，針對每個曝險指標 (IoE) 各舉行一場實作研討會，並協助指導 Somfy 如何發揮 Tenable.ad 解決方案的最大效用。

Once the mitigation steps were complete, Somfy’s security team cross-referenced via the Tenable.ad platform to check the security status. Somfy 能夠監控自身的 AD 合規標準，持續監控 AD，甚至獲得建立合規規則的相關協助。

這種衡量 AD 安全的方法讓資安團隊得以快速獲益。完成所有緩解步驟之後，Tenable.ad 仍持續監控根網域，以保障 Active Directory 的安全。在這之後，子網域的安全問題亦獲得圓滿解決。

成果

An adequate delegation model was put into practice to avoid the use of built-in privileged groups.

• 在一天之內找出 AD 管理員的不當行為所引發的安全問題並予以緩解。
• Systems and jobs configured with wrong credentials were spotted and located by the brute-force detection; their misconfiguration was fixed.
• 稍加改進後的網域設定可確保新加入的機器涵蓋在安全修補 GPO 的範圍之內。
• 重新設定眾多服務帳戶，以降低其破壞網域的威脅性。