
The value of a SOC team and SIEM solutions

Decentralized IT infrastructures: Trends like the digital workplace and IoT are making companies more flexible but also more vulnerable to security incidents

January 10, 2024, by Marcel Hoch

The challenges of New Work and IoT

Working from home and the spread of the Internet of Things (IoT) have revolutionized the corporate IT landscape. However, this poses new challenges for those responsible for cybersecurity and incident response. Decentralized working and the associated increase in network traffic and the number of devices in a network - from laptops and AR glasses to IoT devices - create potential gateways for attackers. Companies are, therefore, well advised to adapt their security strategies.

All-round protection for decentralized IT infrastructures


Our world is becoming increasingly digital: we live in smart homes and use fitness trackers for our health or VR glasses for gaming. We do office jobs flexibly from home or on the road. Production and logistics are also increasingly networked – mainly through the Internet of Things. IoT sensors on machines, vehicles, or products continuously collect data – on aggregate states, routes, or user behavior – and send it to data centers or the cloud, where it is analyzed accordingly. 

With networks made up of such diverse devices, cybercriminals have significantly more security vulnerabilities to exploit. Current botnets show the consequences of this development: while DDoS attacks used to be launched primarily from conventional PCs, more than half of the compromised end devices are now smart devices – systems, heaters, lamps – or even personal smartwatches.

Shortages of IT security experts

Effective security measures and threat intelligence are needed to close all gateways and better protect against cyberattacks. The problem: Many companies lack the necessary security professionals for this, as IT specialists are currently in short supply. Moreover, the few specialists available for IT security typically command high salaries and, therefore, are hardly affordable, especially for SMEs.

With this in mind, we support not only large companies but also SMEs with our Managed Security Services. Experienced security experts protect your data, users, and IT systems round the clock. For example, over 200 cybersecurity specialists at Deutsche Telekom's Security Operations Center (SOC) in Bonn monitor the IT infrastructure of numerous customers. Thanks to our 24/7 monitoring, we always know how the global security situation is changing. In addition, our security teams undergo continuous training to ensure they are always up to date, be it on the latest threat intelligence, threat detection methods, security tools, cloud-native security technologies, or mitigating cyber threats.

IT infrastructure: on the trail of anomalies

Security solutions for Security Information and Event Management (SIEM) are an essential component of our Managed Services. They help companies establish effective lines of defense and raise their security to a higher level. We can connect our SIEM solutions to data from multiple sources - such as IoT devices or software solutions. They scour customers' networks and systems non-stop for anomalies and trigger an alarm in the event of any irregularities.

These alarms are, in turn, analyzed and evaluated by our security experts in our Security Operations Center (SOC): Is it really an intruder? Or is it a false alarm? Sometimes, files that behave suspiciously but are entirely harmless get into a company's network. Content engineering (developing and refining the detection rules and use cases that the SIEM evaluates) plays an important role here. We are continuously developing our detection of security-relevant events based on SIEM data. The responsibility of our SOC analysts is then to check and decide to what extent anomalies could pose a threat to the company.

Building effective cyber protection

The first question is what constitutes a security incident - and what does not. Conventional SIEM solutions evaluate this based on 700 to 800 predefined rules. But if all the rules are applied at a customer's premises, they can quickly generate up to 2,000 alarms an hour. This is anything but expedient, as no SOC team has the time to check almost 50,000 alarms a day.

The above scenario is why it is vital to know exactly what a customer wants to secure in their IT and then to define and apply the appropriate rules. In most cases, not everything fits together perfectly at the beginning. This is why we start a tuning phase lasting several weeks at the customer's premises, during which we further adapt the rules. We then keep a constant eye on the rule set and consider new security requirements, such as changes in the threat landscape or new compliance guidelines.
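The tuning phase described above, as an added example that is not T-Systems code and not taken from any real SIEM product: a minimal rule engine applies three untuned "fire on every match" rules and their tuned counterparts (a threshold within a time window, a baseline allowlist of known IoT destinations, and suppression of a known admin jump host) to a constructed set of events. The event schema, rule names, hostnames, addresses and baselines are all assumptions made for illustration; the point is that the tuned rule set keeps the three genuine findings while dropping the noise.

```python
"""Minimal SIEM-style rule engine with an untuned and a tuned rule set (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
Alert = Tuple[str, object]  # (rule name, alert subject such as a user, source IP or host)

# Constructed events in a flattened SIEM-like schema; none of this is real log data.
# "ts" is seconds from the start of the observation window.
EVENTS: List[Event] = [
    # An office user mistypes a password once, then logs in successfully.
    {"ts": 10, "type": "auth_fail", "user": "alice", "src": "10.10.1.20"},
    {"ts": 14, "type": "auth_ok", "user": "alice", "src": "10.10.1.20"},
    # Three IoT sensors report to their usual cloud collector (assumed baseline).
    {"ts": 30, "type": "conn", "src": "10.20.0.11", "dst": "collector.example.net", "port": 443, "asset": "iot"},
    {"ts": 31, "type": "conn", "src": "10.20.0.12", "dst": "collector.example.net", "port": 443, "asset": "iot"},
    {"ts": 32, "type": "conn", "src": "10.20.0.13", "dst": "collector.example.net", "port": 443, "asset": "iot"},
    # One sensor suddenly talks to an unknown external host on an unusual port.
    {"ts": 40, "type": "conn", "src": "10.20.0.13", "dst": "198.51.100.9", "port": 6667, "asset": "iot"},
    # Scheduled admin tooling from the known jump host, then the same tool on a user workstation.
    {"ts": 50, "type": "proc", "host": "jump01", "user": "ops", "image": "psexec.exe"},
    {"ts": 60, "type": "proc", "host": "ws-042", "user": "bob", "image": "psexec.exe"},
    # Six failed logins against one service account from one external source within six seconds.
    *[{"ts": 100 + i, "type": "auth_fail", "user": "svc_backup", "src": "203.0.113.7"} for i in range(6)],
]


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Event], bool]      # which events the rule is interested in
    subject: str                         # event field that identifies the alert subject
    threshold: int = 1                   # number of matching events needed per subject ...
    window: int = 0                      # ... within this many seconds (ignored when threshold == 1)
    suppress: Callable[[Event], bool] = lambda e: False  # tuning: known-good context to ignore


def run_rules(events: List[Event], rules: List[Rule]) -> List[Alert]:
    """Evaluate every rule over the events and return one alert per (rule, subject) finding."""
    alerts: List[Alert] = []
    for rule in rules:
        hits = [e for e in events if rule.match(e) and not rule.suppress(e)]
        if rule.threshold <= 1:
            # Untuned behaviour: every matching event becomes its own alarm.
            alerts.extend((rule.name, e.get(rule.subject)) for e in hits)
            continue
        per_subject: Dict[object, List[int]] = defaultdict(list)
        for e in hits:
            per_subject[e.get(rule.subject)].append(int(e["ts"]))
        for subject, times in per_subject.items():
            times.sort()
            # Sliding window: alert once if any `threshold` events fall within `window` seconds.
            for i in range(len(times) - rule.threshold + 1):
                if times[i + rule.threshold - 1] - times[i] <= rule.window:
                    alerts.append((rule.name, subject))
                    break
    return alerts


# Baselines learned during the tuning phase (assumed values for this example).
KNOWN_IOT_DESTINATIONS = {"collector.example.net"}
ADMIN_JUMP_HOSTS = {"jump01"}

UNTUNED_RULES = [
    Rule("auth_failure", lambda e: e["type"] == "auth_fail", subject="user"),
    Rule("iot_outbound_conn", lambda e: e["type"] == "conn" and e.get("asset") == "iot", subject="src"),
    Rule("remote_admin_tool", lambda e: e["type"] == "proc" and e.get("image") == "psexec.exe", subject="host"),
]

TUNED_RULES = [
    # Only a burst of failures counts, not a single typo.
    Rule("auth_failure_burst", lambda e: e["type"] == "auth_fail", subject="user", threshold=5, window=60),
    # IoT traffic to its known collector is baseline; anything else is worth a look.
    Rule("iot_conn_unknown_dst", lambda e: e["type"] == "conn" and e.get("asset") == "iot", subject="src",
         suppress=lambda e: e.get("dst") in KNOWN_IOT_DESTINATIONS),
    # Remote admin tooling is expected from the jump host, not from user workstations.
    Rule("remote_admin_tool_offhost", lambda e: e["type"] == "proc" and e.get("image") == "psexec.exe",
         subject="host", suppress=lambda e: e.get("host") in ADMIN_JUMP_HOSTS),
]


def noise_reduction(events: List[Event], before: List[Rule], after: List[Rule]) -> float:
    """Fraction of alarms removed by tuning (0.0 = no change, 1.0 = every alarm removed)."""
    n_before = len(run_rules(events, before))
    n_after = len(run_rules(events, after))
    return 1.0 - n_after / n_before if n_before else 0.0


if __name__ == "__main__":
    for label, rules in (("untuned", UNTUNED_RULES), ("tuned", TUNED_RULES)):
        found = run_rules(EVENTS, rules)
        print(f"{label}: {len(found)} alarm(s)")
        for name, subject in found:
            print(f"  {name}: {subject}")
    print(f"noise reduction: {noise_reduction(EVENTS, UNTUNED_RULES, TUNED_RULES):.0%}")
```

On this constructed input the untuned rules raise 13 alarms, of which only three describe something an analyst should see; the tuned rules raise exactly those three. The two tuning mechanisms shown, thresholds over a time window and suppression against a learned baseline, are the same levers a real tuning phase adjusts, and both need to be revisited whenever the environment or the threat landscape changes.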

More transparency in the network

The benefit of combining SIEM and SOC is that network and data traffic become transparent, so companies know what is happening in their networks and systems. Although SIEM solutions cannot prevent intrusion into decentralized IT infrastructures or the Internet of Things, they detect unusual activity immediately. If the SIEM triggers an alarm, the SOC team usually evaluates it within 10 to 15 minutes, and incident response processes are triggered immediately in the event of a security incident. This allows security vulnerabilities to be closed quickly and decentralized workstations in the home office or IoT solutions to be better secured.

Threat detection and incident response particularly critical in the healthcare sector

SIEM and SOC help companies in all sectors to improve the protection of their infrastructure. For example, these solutions and services protect global production sites' networked machines and end devices, public authority workers, financial services providers, and insurance company employees working from home.

Another exciting field of application for security solutions is the healthcare sector. Hospitals, for example, increasingly use digital solutions; think of electronic patient files or medical devices such as infusion pumps with built-in software. If updates are not installed regularly, this can weaken the entire infrastructure, and installing the latest patches is not always possible, especially on older devices. This creates critical security vulnerabilities that cybercriminals can exploit. In the healthcare sector, in particular, it is not just about operational failures; in the worst-case scenario, human lives are at stake, which makes protecting networks and systems with SIEM and SOC even more critical.

About the author

Marcel Hoch

Team Lead Cyber Security Offense/Defense, operational services


We look forward to hearing from you

Contact us if you would like to learn more about our security information and event management solutions, Security Operations Center, and how we can improve your security posture.