First anniversary of the Cloud Security Operations Center

May 18, 2020 / by Jan Geisbauer


The Modern Workplace client requires modern security solutions. Microsoft provides first-class tools that deliver all the information needed to respond quickly to threats. However, many companies do not have the time to study these tools in depth, let alone the staff to monitor them continuously. That’s why we launched our Managed Service Cloud Security Operations Center (CSOC) a year and a half ago. Time to take stock.

The CIO of a large company told me that he had bought a fitness bike for Christmas and put it in the basement. The only problem is that he never goes to the basement.

In our 100% cloud projects we are able to convince our customers that a Modern Workplace client needs modern security solutions. Microsoft bundles these cloud security tools in the ‘E5 Security’ license. For most customers, using these tools is beyond question, so that the modern workplace, cloud services, data and identities are all equally well protected from any location.

However, after the initial enthusiasm about what these security tools can uncover, disillusionment quickly follows: employees usually lack the time to study the tools in depth, not to mention the staff needed to monitor them constantly. This is quite understandable, as almost every IT department I know is chronically overloaded. And yet the fitness bike in the basement only serves its purpose when it is in use.

With this in mind, we started designing the architecture for our Managed Service ‘Cloud Security Operations Center (CSOC)’ about a year and a half ago, because we realized that over time more and more customers are turning to modern cloud security but need support with it.

Among other things, we build on the following principles:

1. Microsoft Native

Those who have studied the cloud know that change is its middle name. This is especially important in the context of security, in order to keep up with constantly emerging threats, but it also means that connectors and custom software have to be adapted regularly. Here we rely on native Microsoft solutions and are in constant, close contact with the respective product groups in Israel and Redmond. We provide continuous feedback and thus have direct influence on product development, which in turn benefits our customers.

2. No Man Is an Island

Our customers benefit from the knowledge gained in other customer environments. For example, if we discover a new attack method, we develop dedicated hunting queries for it, which we then run in all environments.

3. Creating More Customer Value

Everything we report to our customers must create additional value for them. The customer doesn’t have time to read security reports that run to many pages. Instead, we focus on one-page reports suitable for management and discuss them in detail:

CSOC Report

This approach has developed into intensive cooperation between the CSOC of Glück & Kanja and the SecOps departments of our customers. Every month we discuss incidents and possible improvements, and we also support the implementation of those suggested improvements. That is the key!

In the meantime, we apply these guidelines successfully for several customers every day. During this time we have prevented or interrupted numerous attacks. We have analyzed assaults forensically and drawn conclusions on how to prevent them in the future. In the process, we have developed tools and procedures that benefit all our customers.

The daily work consists on the one hand of routine tasks and on the other hand of exciting research when attacks by hacker groups occur. As soon as an interesting case comes up, several specialists put their heads together to reconstruct what happened. We try to reduce the monotonous tasks by constantly improving our processes and automation. Our own service is itself kept evergreen.

In addition to incident response and incident analysis for malware, phishing and identity attacks, we have significantly improved the security posture of our CSOC customers. For example, we were able to increase the Microsoft Secure Score at one customer to 169% within 3 months and thus greatly optimize its security landscape.

Prospects

As already mentioned: safe is not safe. That is why we are in the process of extending the CSOC’s services to other areas, for example the Azure Security Center. We also constantly question the alerts and sensors that are monitored on a daily basis and are prepared to adapt them where necessary. This keeps our service ‘new’ and ‘fresh’, so that we are well prepared for unknown threats.