To shield themselves from advanced persistent threats, organizations are turning to external security operation centers.
Security Operation Center

Where pros fight pros

They creep up, wait patiently and pounce undetected. Advanced persistent threats (APTs) worm their way into IT systems, siphon off data and paralyze entire organizations. To shield themselves from this latest generation of highly professional cyber attacks, more and more organizations are turning to external security operation centers. One provider who offers SOC as a Service is Deutsche Telekom.
Author: Roger Homrich
Photos: T-Systems
They’re called Operation Pawn Storm, Office Monkeys or Fancy Bear. But only their names are fancy. They themselves are cunning, ruthless and willing to inflict sleepless nights on security experts. They work as burglars-forhire, cyber mercenaries who target and attack corporate infrastructures for their clients. The attack begins when malware slips into a network unnoticed. The program spreads stealthily, skims off data and sends it back to the attackers and their clients. The typical cyber spy remains undetected for 208 days, according to estimates by the Federal Office for Information Security (BSI). But that’s only an average. Many stay under the radar for much longer. “The current record, according to our findings, is five years,” said Dr. Alexander Schinner, an IT forensic analyst at T-Systems who tracks down Internet attackers. (see interview with Dr. Alexander Schinner)
APT28 is a hacker collective that has been stalking targets for years. Also known as Fancy Bear, its members strike wherever clients send them – if the price is right. These Russian cyber soldiers allegedly breached the Democratic National Committee’s servers during the US presidential election campaign. APT28 is also suspected of having hacked the German Bundestag in May 2015 and broken into the e-mail accounts of Emmanuel Macron’s party a few short days before the recent run-off elections for French president.

Beware of e-mails from “friends”

Cyber spies use various techniques. One simple, yet popular method is known as “spear phishing”. The hackers observe their targets, learn whatever they can about them and then, one day, send them a seemingly innocuous e-mail. The ostensible sender: a friend or family member. If the victim clicks the enclosed link or attachment, malicious code will surreptitiously install itself on the target computer. An even simpler trap: the malware resides on an infected website, where it awaits unsuspecting visitors, like a tick in tall grass. Or, cyber spooks may wriggle through published network security holes that aren’t patched quickly enough.
"SOCs resemble command centers where security experts track ‘enemy activity’ worldwide and take immediate action as needed."
RENÉ REUTTER, head of the Telekom Security Operations Center
Installing the code is only the first step. “APT28 employs a suite of malware with features indicative of the group’s plans for continued operations,” according to a Fireeye report. The hackers set up a virtual office that serves as a staging ground for even deeper penetrations into the network. An operation this sophisticated requires resources, unlike garden-variety hackers, who simply send out primitive viruses and worms en masse and rely more on luck than skill – but cost less as well.

Central monitoring of IT infrastructure

Mass-market viruses can generally be repelled with conventional firewalls, antivirus software and antiphishing programs. APTs, by contrast, usually demand an arsenal of perfectly coordinated tools and experts that can search for intruders 24/7 and neutralize them immediately. As if that wasn’t hard enough, Fireeye has found out that APT29, another Russian cyber espionage outfit, has also been employing “domain fronting.” This technique disguises the malware’s sender address, making it significantly harder for victim organizations to identify malicious data traffic.
Until recently, only large companies had the funds to professionally orchestrate their cyber defenses. This is a big project: it involves building security operation centers (SOCs) that monitor central IT resources and data for signs of compromise and manage the responses to IT threats. “SOCs resemble command centers where security experts track ‘enemy activity’ worldwide on big screens, investigate system alarms and take immediate action as needed,” explained René Reutter, Vice President IT Security Engineering & Operations and the head of the Deutsche Telekom SOCs.

Carefully coordinated tools


In fulfilling their mission, defense teams employ a broad range of security tools that automatically scan the IT systems under their protection. The systems interface directly with the SOC so that all data traffic can be monitored and analyzed. However, SOCs are costly to build, operate and crew with highly trained specialists in a wide variety of roles. That’s why more and more companies are sharing these costs and turning to externally managed SOCs.
Thanks to cloud technology, service providers like Deutsche Telekom can offer “SOC as a Service”: instead of operating a dedicated security operation center for each client, they can protect multiple clients simultaneously with a single SOC.
As a result, Deutsche Telekom is giving Germany’s SMBs – which represent nearly half of the world’s hidden champions – access to the level of security that until recently was the exclusive preserve of major corporations. It has also eliminated the two biggest obstacles to mid-market enterprises’ own security ambitions: not only can they exit the war for high-priced talent, but they also don’t have to invest in expensive equipment of their own. Given the persistent shortage of skilled labor, Frank Luzsicza, Division Head of ICT & Business Solutions at TÜV Rheinland, believes that “having a competent external cyber security partner that you trust will become one of the most important success factors for a company’s security.”

Driven by KRITIS and IT Security Act

“SOCs are not really new,” said Rüdiger Peusquens. “However, the German IT Security Act and the growing sophistication of cyber attacks have only now stirred up interest in the topic,” noted the head of Deutsche Telekom’s Cyber Defense Center, responsible for protecting Deutsche Telekom as a critical element of infrastructure. The KRITIS Regulation, which implements the IT Security Act, recently went into effect. Now, companies in the IT, food, utility, finance, traffic, transportation and telecommunications industries have to take special precautions to keep their IT systems secure and available.
Only recently, in March 2017, a large energy company entrusted Deutsche Telekom with handling its threat and vulnerability management as well as state-of-the-art analytics for smoothly operating its infrastructure. “An SOC can centrally aggregate and analyze information from all of the process layers in an organization. That has tremendous significance,” said Dirk Backofen, Head of Telekom Security, the new Group business unit. “You need this depth of information in order to properly manage your operating environment and its various security levels.” But that also requires protecting each layer of the customer’s business with a suitable security solution and having the know-how to steer the customer to the right combination of offerings for its use cases.
The depth of experience needed just to select the right technologies and use them properly is one of many reasons for rising worldwide demand for security cyber defense orchestration. Starting this autumn, Telekom Security’s new SOC in Bonn and the Deutsche Telekom Cyber Defense Center will work together to serve that demand.

Prevent, detect, respond

Telekom Security Headquarters
The Security Operations Center in Bonn and the Deutsche Telekom Cyber Defense Center plan to work together to centrally monitor Deutsche Telekom customers’ IT infrastructure starting in the third quarter of this year.
The defensive and offensive technologies required by SOCs may resemble a chaotic patchwork, but they quickly resolve into an organized structure when an SOC’s job is broken down into three levels: prevention, detection, response. In other words, how can I secure an organization in advance? How can I tell if my firewall – as often happens – lets ransomware, APTs and other malware into my network, and intrusion prevention or advanced threat protection solutions have to kick in automatically? And who or what will respond to infected systems on the fly as quickly as possible 24/7/365 – whether remotely or on-premises? Perhaps to quarantine malware or uninstall an infected computer. And these are merely the simpler aspects of Telekom Security’s incident response retainer service. Equally important are the ‘who’ and ‘what’ questions: What exactly happened? What data was exfiltrated? Did it include trade secrets? Where did the data go? There aren’t many experts in Europe who have the forensic skills and experience to answer these questions; over a dozen work at Deutsche Telekom.

Security for industrial systems

Industrial networks and interconnected computers, instruments and control systems can be highly vulnerable to attack by APTs. “Plants frequently run on obsolete technology with no way to ward off cyber attacks. The systems just aren’t designed to be used in a network,” said Bernd Jäger, an expert in industrial control systems security (ICS) at Deutsche Telekom. “Conventional IT security systems like firewalls don’t work in these types of environments, and knowledge of cyber security for industrial networks is often rudimentary at best.” To fill this gap, Deutsche Telekom has expanded its portfolio of security partners to include companies that have developed security solutions tailored to industrial users. These ICS security products focus on reducing detection times in industrial networks and helping managers make appropriate decisions by instituting automatic protection and response mechanisms when and as needed. “These solutions can also be part of a managed security operation center,” explained Reutter.
Clearly, SOCs can have a tremendous impact, as an example from the world of sports shows. An SOC might have saved the World Anti-Doping Agency (WADA) more than a few headaches. Fancy Bear visited the WADA databases multiple times – as its members gleefully admit. “Greetings, citizens of the world,” proclaims their start page at “We stand for fair play and clean sport. We are going to tell you how Olympic medals are won. We hacked World Anti-Doping Agency databases and we were shocked with what we saw.” Sometimes hacking can be useful, too.