I had the chance for a longer talk with Dr. Karl-Friedrich Thier, Senior Security Consultant of the Business Unit Cyber Security at T-Systems International. We talked for nearly two hours about the technology used and the strategies behind the cyber defense center. It is not only used by Deutsche Telekom itself to protect their huge network, but is also available as a service to (usually very large) customers from T-Systems. There is also one operational aspect (Telekom Cyber Defense Center in Bonn) and one service-level, customer aspect (Advanced Cyber Defense as a service by T-Systems)

But why am I so excited about this ACD? It is more than the usual “firewall bigger and higher” or the casual “we handle the largest DDOS”. It is a complete new philosophy of cyber defense and – as opposed to an abstract philosophy – extremely well executed and put into broad practice. The last sentence is my impression.

The idea and intention behind this center and the used software and hardware, project and people is (according to their web site):

“Companies that don't adapt their cyber detection and response capabilities to this threat constantly lag behind the complex and targeted attacks. To free themselves from this risky and frustrating cycle of playing "catch-up," companies need to construct an intelligent security management system that links information from a range of data sources and analyzes it in real time. The goal of this proactive approach is not only to protect the company from known attacks, but also to identify unknown attacks and quickly initiate countermeasures.”

The technology behind the Cyber Defense Center is very diverse and colorful. A lot of tools are used, like different instruments in an orchestra.

It all starts with building situational awareness. Deutsche Telekom operates  around 180 “honeypots” that mimic vulnerable systems around the world which attract all kinds of attackers. By watching and measuring the hacking attempts, you get a pretty good overview of the actual tools used, current attack vectors in favor and organizations using them. The deployed honeypots are actually mostly raspberry PI’s, btw, that are quite cool gadgets.

Watch 180 honeypots live in action

The results are public and can be viewed on the web site http://www.securitydashboard.eu/. In parallel, there is an automated watch of twitter and news feeds for related activity based on used keywords. Here you see in summary in real-time, where actually threats are brewing. Like a weather radar.

The actual network operations and analytics is performed by tools of RSA, which have a huge large-scale portfolio for network operations analytics and threat detection. But it is all thread-based and pattern based.

The “art of security” is, to look for the right patterns to react upon. And this is something you can’t buy – you have to collect and build it yourself over time. And it is constantly changing. This is one major task of every cyber security center. This is the core IP (Intellectual Property) that makes you excel over all other approaches.

Security analytics is complemented by forensic and advanced malware detection tools like FireEye®. Rather than scanning for specific patterns, FireEye executes potential threats in an isolated virtual machine (Sandbox), and monitors its behavior. Like a virus, that is contained and captured in a laboratory section. The attacker, however, doesn’t see a VM but rather a physical workstation or server. One of the cool features is a “time warp” where you can fool “sleeper Trojans” that will sleep for some time before starting.

There are dozen more interesting and used tools of various companies, but they all underline the various aspects of network security

All these tools are nothing without the proverbial orchestration. The core of the cyber defense center is central organization, different present skillsets from analysts to operators and squad leaders that can act on the spot on any actual thread.

The concept of a Security Operation Center SOC

People as success factors

is the mentioned underline in the slide  and this phrase is taken very seriously here in the ADC-concept.

As shown on this picture, it is the staffing and the organization together with the elected software and hardware tools, that makes this Cyber Defense Center so powerful. A lot during the talk with Dr. Thier, we did not discuss software and feature, but how an organization needs to cater to the need of customers. Every customer is different, every customer has other threat and risk areas and there is no “one size fits all”, especially not in security.

The fascination of the setup was, that there was a deep knowledge of security, both commercial as well as governmental at the people involved at T-Systems, and in conjunction with the well selected software and the organizational strength of a large organization, that this all together made a great picture.

The key of all this technology (like the patterns) is how they are applied, the intellectual property behind the tools. This is how it all works well together.

One of the questions that came to my mind is, if regular customers (and even my customers are not really small) would afford such an organization. Probably not, the reduced risk would be in sharp contrast to the big investments in center, people and technology. But I see in the future a convergence of on premise strategies that are self-contained and services like the Advance Defense Center that will like a shell surround the overall strategy.

We will see, how the security strategies everywhere are evolving in the future.

(Disclaimer: This is not a sales pitch, but if you look into a European case of applied security for large networks, this is someone you should talk to or at least, even if you do this on a much smaller scale, you should learn from the big Ones)