
The value of a SOC team and SIEM solutions

Decentralised IT infrastructures: trends like the digital workplace and IoT are making companies more flexible, but also more vulnerable to security incidents

10 January 2024, Marcel Hoch

The challenges of New Work and IoT

Working from home and the spread of the Internet of Things (IoT) have revolutionised the corporate IT landscape. However, this poses new challenges for those responsible for cyber security and incident response. Decentralised working and the associated increase in network traffic and the number of devices in a network - from laptops and AR glasses to IoT devices - create potential gateways for attackers. Companies are, therefore, well advised to adapt their security strategies.

All-round protection for decentralised IT infrastructures


Our world is becoming increasingly digital: we live in smart homes and use fitness trackers for our health or VR glasses for gaming. We do office jobs flexibly from home or on the road. Production and logistics are also increasingly networked – mainly through the Internet of Things. IoT sensors on machines, vehicles or products continuously collect data – on aggregate states, routes or user behaviour – and send it to data centres or the cloud, where it is analysed accordingly. 

Because corporate networks have become so heterogeneous, cyber criminals now have significantly more security vulnerabilities to exploit. Current botnets reveal the consequences of this development: while DDoS attacks used to be carried out primarily via classic PCs, more than half of the compromised end devices are now smart devices such as heaters, lamps and other connected systems – or even personal smartwatches.

Shortage of IT security experts

Effective security measures and threat intelligence are needed to close all gateways and better protect against cyber attacks. The problem: many companies lack the necessary security professionals for this, as IT specialists are currently in short supply. Moreover, the few specialists available for IT security typically command high salaries and, therefore, are hardly affordable, especially for SMEs.

With this in mind, we support not only large companies, but also SMEs with our Managed Security Services. Experienced security experts will protect your data, users and IT systems round-the-clock. For example, over 200 cyber security specialists at Deutsche Telekom's Security Operations Center (SOC) in Bonn monitor the IT infrastructure of numerous customers. Thanks to our 24/7 monitoring, we always know how the global security situation is changing. In addition, our security teams undergo continuous training to ensure they are always up to date - be it on the latest threat intelligence, threat detection methods, security tools, cloud native security technologies, or mitigating cyber threats.

IT infrastructure: on the trail of anomalies

Security solutions for Security Information and Event Management (SIEM) are an essential component of our Managed Services. They help companies establish effective lines of defence and raise their security to a higher level. We can connect our SIEM solutions to data from multiple sources - such as IoT devices or software solutions. They scour customers' networks and systems non-stop for anomalies and trigger an alarm in the event of any irregularities.

These alarms are, in turn, analysed and evaluated by our security experts in our Security Operations Center (SOC): Is it really an intruder? Or is it a false alarm? Sometimes, files that behave suspiciously, but are entirely harmless, get into a company’s network. Content engineering plays an important role here. We are further developing our detection of security-relevant events based on SIEM data in an ongoing process. The responsibility of our SOC analysts is then to check and decide the extent to which anomalies could pose a threat to the company.

Building effective cyber protection

The first question is what constitutes a security incident - and what does not. Conventional SIEM solutions evaluate this based on 700 to 800 predefined rules. But if all the rules are applied unchanged at a customer's premises, they can quickly generate up to 2,000 alarms an hour. This is not practical, as no SOC team has the time to check almost 50,000 alarms a day.

This is why it is vital to know exactly what a customer wants to secure in their IT and then to define and apply the appropriate rules. In most cases, not everything fits together perfectly at the beginning. We therefore start with a tuning phase lasting several weeks at the customer's premises, during which we further adapt the rules. After that, we keep a constant eye on the rule set and take new security requirements into account, such as changes in the threat landscape or new compliance guidelines.
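The tuning idea described above, as an added Python illustration that is not part of the original article or T-Systems' tooling: a generic failed-logon rule applied unscoped is compared with a scoped, thresholded variant over constructed events. Hosts, accounts, addresses, the allow list and the threshold are assumptions chosen for the example.

```python
# Added example, not code from the article or from T-Systems. It contrasts an
# untuned SIEM rule (every failed logon alerts) with a tuned one (scoped to
# in-scope assets, allow-listed noisy accounts, threshold per user/source).
from collections import Counter

# Constructed sample of authentication events, one dict per log line.
EVENTS = (
    [{"host": "build01", "user": "svc_ci", "result": "failure", "src": "10.0.5.20"}] * 40
    + [{"host": "dc01", "user": "jdoe", "result": "failure", "src": "203.0.113.9"}] * 6
    + [{"host": "dc01", "user": "jdoe", "result": "success", "src": "203.0.113.9"}]
    + [{"host": "ws-17", "user": "asmith", "result": "failure", "src": "10.0.8.3"}] * 2
)

# Hypothetical tuning decisions agreed with the customer during the tuning phase.
IN_SCOPE_HOSTS = {"dc01"}          # assets the rule is meant to cover
KNOWN_NOISY_ACCOUNTS = {"svc_ci"}  # service accounts with expected failures
FAILURE_THRESHOLD = 5              # failures per (user, src) before alerting


def untuned_rule(events):
    """Generic out-of-the-box rule: every failed logon is its own alert."""
    return [e for e in events if e["result"] == "failure"]


def tuned_rule(events):
    """Alert once per (user, src) crossing the threshold on an in-scope host,
    skipping allow-listed accounts; a success after the burst raises severity."""
    failures = Counter()
    succeeded = set()
    for e in events:
        if e["host"] not in IN_SCOPE_HOSTS or e["user"] in KNOWN_NOISY_ACCOUNTS:
            continue
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key] += 1
        elif e["result"] == "success" and failures[key] >= FAILURE_THRESHOLD:
            succeeded.add(key)
    alerts = []
    for (user, src), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            severity = "high" if (user, src) in succeeded else "medium"
            alerts.append({"user": user, "src": src, "failures": n, "severity": severity})
    return alerts


def alert_volumes(events=EVENTS):
    """Return (untuned_alert_count, tuned_alert_count) for the sample."""
    return len(untuned_rule(events)), len(tuned_rule(events))


if __name__ == "__main__":
    print(alert_volumes())       # (48, 1)
    print(tuned_rule(EVENTS))    # the one alert worth an analyst's time
```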

More transparency in the network

The benefit of combining SIEM and SOC is that network and data traffic become transparent, so companies know what is happening in their networks and systems. Although SIEM solutions cannot prevent intrusion into decentralised IT infrastructures or the Internet of Things, they detect unusual activity immediately. If the SIEM triggers an alarm, the SOC team usually evaluates it within 10 to 15 minutes, and incident response processes are triggered immediately in the event of a security incident. This allows security vulnerabilities to be closed quickly and decentralised workstations in the home office or IoT solutions to be better secured.

Threat detection and incident response particularly critical in the healthcare sector

SIEM and SOC help companies in all sectors to improve the protection of their infrastructure. For example, these solutions and services protect the networked machines and end devices of global production sites, as well as public authority workers, financial services providers and insurance company employees working from home.

Another important field of application for security solutions is the healthcare sector. Hospitals, for example, increasingly use digital solutions; think of electronic patient files or medical items such as infusion pumps with built-in software. If updates are not installed regularly, this can weaken the entire infrastructure, and on older devices in particular, installing the latest patches is often not possible. This creates critical security vulnerabilities that cyber criminals can exploit. In the healthcare sector, in particular, it is not just about operational failures; in the worst-case scenario, human lives are at stake - which makes protecting networks and systems with SIEM and SOC even more critical.

About the author

Marcel Hoch

Team Leader Cyber Security Offence/Defence, operational services
