Watch the short excerpt from the interview here or on YouTube, or read the full interview below.
dotmagazine: What is a Security Operation Center?
Jens Kroppmann: A Security Operation Center, or SOC for short, is an organization which offers managed security services. Our job is to increase resistance to cyber attacks for IT security teams within organizations. We have got the software, we’ve got the hardware, we’ve got the processes, and the specialists to increase the protection level against various attackers and attack variants that are current in the market.
dot: Thinking about small and medium sized companies: Do you feel that they are well-equipped at the moment to deal with security issues?
Kroppmann: When I look at the German market – which is actually our focus – I think there’s some potential left to increase the measures for securing IT infrastructures, processes, and not to forget applications that are accessed online. So in terms of the SOC services, we do a monitoring service in which we detect an attack, analyze it, and mitigate it. Then the IT customer’s internal team can put the measures into place to clean up any damage that may have been caused to the organization, to the data, and to any information. The additional measures – which comes down to hardening the IT infrastructure – are known under the term IT Service Management (ITSM). This takes place in larger organizations everywhere, all the time, but it is not applied so much within the small to medium business because it’s rather expensive. There are a lot of processes you have to implement, and live, and train staff in. And so absolutely, there is a gap between the level of protection which is in place and which should be in place in SMEs.
We see this any time that our consultants go to the customers and talk to the IT staff, the security staff, or even the management. Funnily enough, the management generally knows that there has to be some investment put into the IT and security management. But despite this, security is still difficult to argue for.
dot: How can a Security Operation Center support companies in protecting their IT infrastructure?
Kroppmann: The first point is that, from the start, you have to recognize an attack. Even if you have an IT team, you cannot by default see or detect an attack. It is common knowledge that it takes from 90 to 120 days for an attack to be detected. In that time, the attackers feel free to work in your network and systems.
And so this is the main point of using an SOC. The positive effect and the basic impact is that an SOC is able to check and detect attacks at a very early stage, and then to support customers to mitigate the attack. These are standard measures to block some communication and the kill chain. The kill chain is a vector that an attacker tries to use to infiltrate your system. If you notice that there has been an attack, you can stop this communication using technical measures or organizational measures, and then the attacker has to try another way. And it may be that the hacker stops the attack altogether, because you have increased the level of protection so much at this point.
dot: So you say it commonly takes 90 to 120 days before an attack is detected. How fast can an SOC detect an attack?
Kroppmann: That depends on the case, of course. But it can be from minutes to days, or maybe some short weeks. Because very clever, skilled hackers can clean up the steps which they have taken in the network. If that happens, we don’t have enough evidence to decide whether it is communication or not. But the SOC as we do it monitors the pattern of network communication all the time, and then well-trained specialists are able to detect an incident as it is happening. So I think the best answer is from minutes to weeks.
dot: How do you see that the IT security threat situation has changed in recent years?
Kroppmann: What we see is that some years ago, attacks were mostly “script kiddies”, just applying standard software, downloadable from the Internet, to attack companies. Such attacks were generally just for fun, just to try out the technique. And nowadays this has changed to a more professional level. The attacks are more sophisticated and – absolutely – the attackers are more sophisticated, because there is a lot of value to be gained from companies if you manage to do some data exfiltration and sell it, for example.
Jens Kroppmann is head of the SOC team that was set up by CONET in 2019 to extend the service portfolio by a managed security service. He has a longtime background in IT consulting and services. The goal of the SOC is to provide managed security services for mainly medium-sized business organizations to extend the established services and solutions of CONET. The SOC team members provide extended skill in terms of cyber security with a focus on security monitoring.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.