Up to two billion events per day: that is everyday life in the Cyber Defense Center (CDC) of Siemens. The company reports on its experiences in a Computerwoche webcast. Christian Böhm, Head of Cyber Defense Systems Europe at Siemens, and Tuncay Eren, Director Central Europe at CrowdStrike, outline how the company manages this challenge. The webcast also covers the work of CrowdStrike, a Siemens partner. Specialist journalist Heinrich Seeger from Computerwoche moderates.
“Imagine that your company becomes known because of Emotet …” Böhm opens with this horror scenario. His background: with almost 400,000 employees, Siemens offers around 400,000 potential entry points. That is why the group has had a Cyber Defense Center since 2014. Since 2018, following a merger with another unit, it has operated as Cyber Security Defense. Siemens has run its own analytics platform, Argos, since 2019. The partnership with CrowdStrike started in 2014. Today, the EDR solution detects 73 percent of the attacks, says Böhm: “This is the most important source!”
But how do the webcast viewers organize cyber defense in their own companies? A poll of the audience, with multiple answers allowed, shows the following picture: 49 percent handle it within internal IT, 47 percent have a central unit like Siemens, and 11 percent use external service providers as their central cyber defense. The greatest challenges are the lack of specialist knowledge and staff (44 percent) and the lack of visibility into security and infrastructure events (39 percent). Eren confirms: “The driver for the introduction of new EDR solutions is 80 to 90 percent visibility!”
Eren outlines the roles as follows: the CISO (Chief Information Security Officer) is responsible for design and architecture as well as for further tasks relating to internal and external auditing. “Ideally, he has his own budget and reports directly to the board,” he says. According to his observation, around 20 percent of CISOs in Germany sit outside of IT and report directly to the board. In any case, the CISO should have at least an independent mandate and a team of their own.
Back to Emotet: the malware was first seen in 2014. “It was a classic banking Trojan,” Böhm recalls. That changed in 2018, when the malware reached the next level of danger. “It currently has five modules that it can load, including one with which it can read out email passwords and emails,” says the Siemens manager. “This allows it to nest itself in internal content so that it looks even more credible. And the latest thing is ransomware with data encryption – very dangerous for companies.”
How can you fend off Emotet? Böhm names three points. First, of course, the classic measure: the spam filter. Second, for the malware that still gets through, the EDR solution (including early detection, threat hunting and real-time response), and third, reactive measures. “We can proudly say that Emotet has not yet hit Siemens in such a way that it has spread laterally,” says Böhm.
“How has Corona affected things?” moderator Seeger wants to know. Böhm observes that many phishing campaigns use Covid as a theme and play on people’s fear. “There are different numbers, but everyone confirms that the number of attacks has increased,” says Eren. The experts note that many companies were not prepared for this number of home-office workers. “There was also a lack of awareness training for employees,” says Eren.
Böhm keeps hearing five typical questions from his peers on the topic of security. In detail:
1. Who has to be involved in planning the rollout? His answer: all IT colleagues. It is also important to talk to Legal beforehand, for example: “Can I roll out the product everywhere in the world?” is a point that needs to be clarified. Data protection and the works council should also be involved: “Talk openly about what you can and cannot do with the software,” he advises.
2. What are the technical considerations for the rollout? “You have to make sure that the firewalls are open everywhere and ensure that exceptions are not rolled out. You need extra tools for this,” says the Siemens manager.
3. How do you keep it all in sync across 400,000 endpoints? His short answer: “Praise to the IT service provider!”
4. What should be considered when rolling out the solution? Böhm advises first turning all the switches down and then slowly turning them up. “In-house developed software sometimes causes problems,” he says. Siemens took two years to evaluate all applications. The actual rollout then ran within three weeks.
5. “Hand on heart: does it really scale?” is the fifth question. Here, too, the answer comes quickly: “We have never had any problems!”
At the end of the program, the viewers have the floor. “In which countries does CrowdStrike host its services, and what about the GDPR?” one wants to know. Eren answers: “We have data centers in Germany and the United States.” European customers “want mainland Europe, not Ireland,” the CrowdStrike manager continues. He emphasizes that both are GDPR compliant.
“And what savings potential can be achieved by using Prevent?” Böhm replies: “We will be able to slow the build-up of additional analysts by around 20 percent.” Eren adds: “For us, a business value assessment is part of it. They usually achieve an ROI between six and nine months!”