As a hazard prevention measure, Deutsche Telekom, its technology partners and customers form a cyber security alliance.

Smart response to hackers.

Every minute, a faceless hacker somewhere in the world perfects another cyber attack. Making it faster, shrewder, more aggressive. Not to mention more brutal, vicious and ruthless. This army of bad guys works relentlessly to build sophisticated new virtual weapons and to refine existing attack methods. So where are the good guys who will stand up to them?
Author: Thomas van Zütphen
Illustration: erhui1979/Getty Images

Who says that hacking targets – which, in 2016, included 93 percent of large and mid-sized German companies – always have to defend themselves on their own? Plenty of organizations hire IT service providers. But in these days of non-stop cyber warfare, it’s risky to hire an IT firm that excels at its bread-and-butter business, but capitulates when faced with a high-tech phalanx of cyber criminals.
Far from giving up, Deutsche Telekom has taken up a strong stance and, on January 1 of this year, consolidated all of its security resources – including nearly 1,200 security experts – into Telekom Security. This new Group unit operates as an independent business segment of T-Systems. “Our customers are in the middle of digitizing. For me, digitization is characterized by the trifecta of security, the cloud and the Internet of Things. And of those three things, security is what makes a successful digital transformation possible in the first place,” said Anette Bronder, the Director of Telekom Security, who also oversees the Digital Division at T-Systems. “We incorporate security into the development of products and business models right from the start.”
Deutsche Telekom is more than ready for the challenge, if only because of its own unique history. For over 20 years, in-house security specialists have been safeguarding Deutsche Telekom as a critical piece of infrastructure with 225,000 employees worldwide. They secure networks, data centers, mobile devices and data communications for Deutsche Telekom’s customers. “It just makes sense to offer our customers the same highly professional tools that we use for our own protection,” said Dirk Backofen, Head of Telekom Security (see interview with Dirk Backofen). “Our customers range from blue chip corporations to small and medium-sized market leaders in carmaking, mechanical engineering, chemicals, pharmaceuticals, energy and finance.” The market is worth EUR 13 billion in Europe alone and is slated to grow seven to eight percent every year until 2020.
“CEOs and their security chiefs rightly expect security to be simple, convenient and user-friendly and depend on us to offer the maximum in managed security services.”
Dirk Backofen, Head of Telekom Security

Treasure trove of honeypots

Telekom Security is in the process of hiring another 300 experts in order to meet market demand. Inscribed in the DNA of every one of its then-1,500 specialists for consulting, sales, presales, engineering, production and operational defense will be one objective: zero impact. “Cyber attacks themselves – whether they take aim at individuals, small businesses or major corporations – can never be prevented completely, but their consequences can,” said Backofen. “We want to fashion the cyber security alliance for all our customers.”
This approach doesn’t call for exotic security equipment. In fact, most of the gear can be bought at an average corner store. No, the reason why Deutsche Telekom has set its sights so high is that, unlike other providers, it has ingrained security deep into its cloud and connectivity solutions and possesses the wherewithal to orchestrate many different products. And these skills, once acquired, are not easily forgotten. To gather information, it maintains a honeypot environment comprising around 1,000 virtual sensors embedded in a network of very different devices: PCs, laptops, smartphones or data center racks. This attack surface registers and automatically analyzes a total of 4 million attacks a day. In addition, the Telekom Security whizzes dissect highly specialized, targeted attacks launched daily against their own company and other organizations. With this intelligence, they can continuously refine their defenses and learn more about their attackers.
Each day, Deutsche Telekom registers one billion security events from over 3,000 data sources. Many of the events are innocuous. Some, however, are so dangerous that they require immediate investigation. This wheat has to be separated from the chaff quickly, preferably in real time. To do this, each event is automatically checked against a security database comprising around 20 million pieces of malware and ‘indicators of compromise,’ with new virus signatures and zero-day exploits being added every day – including ones discovered by Deutsche Telekom’s own experts. “We regularly use this treasure trove to test the detection capabilities of new suppliers and their products,” said Backofen. “It’s a natural reflection of our ambition to build a portfolio and partner network that only contains the best of the best – the most innovative suppliers and products – so that we can constantly improve the protection we give to our customers.” The race to keep up with or even stay ahead of cybercrooks is a huge challenge – one too big to tackle alone. That’s why Telekom Security currently works with 50 partners worldwide whose solutions cover the full range of imaginable attack vectors for an organization.

Caught between attacks and defenses

Together, these partners make up the “army of good guys,” a cyber security shield sheltering customers all over the globe, from blue chip corporations to mid-market enterprises to private individuals. To stop cyber vandals, this white-hatted alliance has to immediately integrate insights on every new attack method registered by a customer – whether real or captured by a honeypot sensor – into all its customers’ security systems. But what exactly are Mobile Protect Pro, Internet Protect Pro, Vulnerability Scan as a Service, Security Operation Center or Industrial Control Systems Security? How good are the new security solutions that seem to sprout up daily in the marketplace? How do they help my business processes, and what exactly do they help them with? These questions alone demonstrate the urgent need for security operation services. Customers are caught between highly fluid and sophisticated attack methodologies on the one hand, and a bewildering array of cutting-edge defense, detection and prevention technologies on the other. Dirk Backofen noted, “Customers’ CEOs and security chiefs rightly expect our security tools and solutions to be simple, convenient, intuitive and user-friendly. As a managed security service provider, we want to dispel our customers’ fears about cyber security being complicated.”

Weak or fortified?

To reach this goal, Telekom Security established a new security operation center (SOC) that handles customers’ security needs with the same professionalism demonstrated in internal security. Like virtually every modern organization, Deutsche Telekom’s attack vectors range from data, applications and networks to endpoints and mobile devices all the way to IDs and industrial control systems. To manage this complexity in day-to-day operations, the SOC aggregates security information from all the various layers. The new center, in other words, is ground zero for solutions and implementation.
So how secure are today’s organizations overall? Nine out of ten corporate networks at German companies with typical office and data center structures are reasonably secure, according to security experts. However, many still use conventional advanced security hubs, equipped with the traditional toolkit of firewalls, intrusion prevention systems and web proxy/mail relay systems. Only rarely do they realize that these systems can merely find known threats. But how can you detect an attack you’ve never heard of? To do that, organizations need an additional security layer that protects them from previously unknown attacks such as advanced persistent threats and zero-day exploits.

An EKG for your smartphone

One such layer is available from Telekom Security: a sandbox environment that guards against advanced persistent threats. Available as an on-premises version in partnership with Cisco or in the cloud through Checkpoint, this solution opens suspicious e-mails upon arrival in an isolated, highly secure environment that simulates a workstation. Only cached e-mails and attachments that pass the emulation test are sent on to the user. Other Telekom Security services, such as Mobile Protect Pro (MPP), run in the background on customers’ endpoints like a continuous EKG. If the 1,000-plus vectors suddenly coalesce into a never-before seen correlation, MPP assumes that the device is being attacked and takes immediate action. Thanks to a direct interface with the mobile device management system installed in the customer’s IT infrastructure, MPP can not only shut off the tablet or smartphone, but can also cut it off from the corporate network.
“Hackers will never rest as long as there’s something they can steal, whether it’s a single data record or a company’s entire intellectual property.”
Dirk Backofen, Head of Telekom Security
Industrial networks are even more vulnerable than corporate IT. Only ten percent of all customers in Germany secure their industrial networks properly, according to estimates. For years, isolating these networks from the Web was seen as the best protection. That’s no longer an option in these days of IoT, remote maintenance and real-time tracking. Today, all suppliers and manufacturers require remote access in order to support their products. That forces service technicians to rely on other protocols to secure these maintenance interfaces against potential intruders.

Rendezvous in cyberspace

Deutsche Telekom’s industrial control system (ICS) security now includes a flexible remote maintenance solution, Industrial Access Protect Pro, supplied by genua, a Telekom Security partner based in Kirchheim, Germany. The solution can run in a cloud or on-premises and offers granular control of every individual access event for real-time monitoring and documentation of remote maintenance access. Its most important security feature: it doesn’t give outside technicians direct access to the serviced equipment on the factory floor. Instead, each maintenance step is first performed in a virtual space in the cloud where the technician and equipment can interact without any external parties gaining direct access to the industrial system. All truly necessary maintenance connections use encryption instances and always have to be approved and enabled by the customer via a “rendezvous server.”
Other core elements of the industrial control system security portfolio – which ranges from constant vulnerability analysis to automatic attack detection to compliance reporting – include a security information and event management (SIEM) system, a firewall and an identity and access management system that can operate across networks in typical industrial network protocols when paired with solutions developed by CyberX and radiflow, both Telekom Security partners.
However, more and more threats now come from offline sources. Demand has surged for one Telekom Security service to protect original industrial plants from airborne attacks: Deutsche Telekom’s magenta drone defense shield (see “drones”). According to Dirk Backofen, “There’s an alarming side to customers’ strong interest in our security solutions for drone-based crime: the hackers out there will never rest as long as there’s something they can steal, whether it’s a single data record or a company’s entire intellectual property.”