07/17/2025

“People who speak up can be helped” – how Tobias Misse supports companies through Managed SOC onboarding

Tobias Misse has been with G DATA CyberDefense for more than 15 years and has held various positions over the years. He started as a student assistant in support. Today, he is part of the Technical Account Management team as Technical Lead Security Operations Management. Tobias's role involves guiding companies on their journey to a Managed SOC and supporting them during the transition. He and his six colleagues look after the companies and take care of communication with them in the event of detected cyber attacks. Tobias was the first employee in the Managed Security Operations Centre Service and helped to build up the department.

You accompany our Managed SOC customers during onboarding. What are the first steps after signing the contract?

Tobias Misse: First, we contact the customer. Then we arrange a planning meeting – we call it a kick-off. In this meeting, we discuss the entire project plan, set a deadline for integration and ensure that all technical and organisational requirements are known on both sides. We also use this opportunity to explain what our Security Operations Centre does and differentiate our service from advanced persistent threat services, for example. These are provided by G DATA Advanced Analytics, but we do not offer them. It is also important to make it clear that we do not provide general security consulting, which customers would have to purchase separately. However, we do of course provide advice on our Managed SOC.

Once these issues have been clarified, we move on to the scope of the project: What systems are in place and which ones need to be protected? We also want to familiarise ourselves with the IT infrastructure and its specific features, because every company is different.

We repeatedly encounter customers who have systems that we cannot cover because they use operating systems that Microsoft has long since discontinued support for. We need to be aware of such special features, but in this case we cannot install endpoint protection.

What challenges typically arise in the initial phase, and how do you support our customers in this regard?

Tobias Misse: The challenges are often organisational rather than technical in nature. Typically, customers don't have time, employees are sick or spontaneous projects come up. An admin team consisting of three or four people and responsible for a workforce of 500 employees has a lot of tasks to perform, leaving no resources for IT security. It is also not uncommon for the necessary technical expertise to be lacking. These are the reasons why a company has decided to opt for a managed security solution. IT managers want or need to save resources. This situation also leads to onboarding deadlines being missed because the agreed information has not been compiled in time or other tasks on the customer side that are important for the onboarding process have not been completed. That's why I try to work with the company to set a short timeframe so that delays don't cause the implementation to take too long. We also have the option of supporting the transition with special tools to make the process as easy as possible for the customer. Especially in the initial phase, this can only be done with the support of the company. Once this is done, our established processes take over.

How does the onboarding process work?

Tobias Misse: After the kick-off, the customer knows what information we need from them – for example, about their system landscape, the protection requirements assessment for their systems and their telephone availability. Providing a contact person is mandatory for service level G7. Ideally, the company provides us with the data within a few days.

Once we have the information, a second appointment follows: we check the details, clarify any open issues and hand over the customer portal to our contact persons. In doing so, we ensure that the technical requirements for operation are met. We then help with the installation of the first agents, test the functionality and let the customer carry out the complete roll-out.

In the best case scenario, onboarding is completed after about 1.5 months. In exceptional cases, however, it can take significantly longer. Finally, we create a report with the defined and achieved goals as well as any deviations or exceptions. This completes the onboarding process.

Are there any specific best practices or tips that you give new customers?

Tobias Misse: There are no classic models for success in that sense. We ask whether certain applications are in use and use tailored configuration profiles – but these are more like internal best practices that we apply on our side. For example, if a customer wants to switch from application A to B, we naturally provide support, but these are not mandatory requirements.

The most important tip I can give is that communication is crucial. Unlike in the licence business of the past, managed services are not simply about providing software and waiting. Here, everything works through cooperation and trust. Therefore, the following applies: people who communicate can be helped. Whether by telephone, email or regular coordination meetings, it is important that the customer communicates in the way that suits them best. Some simply call directly, others collect topics and clarify them in batches. Both are perfectly fine. The main thing is that we remain in dialogue.

How long does it usually take for a customer to be fully onboarded and make optimal use of the Managed SOC?

Tobias Misse: A pilot customer put it very aptly at one of our roadshows. When asked how much effort was required during and after onboarding, they said: During onboarding, there was intensive coordination, even regularly for about a month afterwards, to align processes that G DATA was not yet familiar with. After that, it settled down to about one exchange per month. After a month of fine-tuning, everything usually runs smoothly.

Of course, IT infrastructure is constantly changing. New projects, enhancements such as additional monitoring or plug-ins can create anomalies that we notice. We then specifically question whether certain changes were intentional or potentially critical to security. For example, a configuration adjustment for monitoring can unintentionally open a security gap. We uncover such issues and actively address them.

This is also the difference between us and traditional antivirus solutions: we see much more and ask questions when configurations deviate from security standards. Occasionally, this means consulting with manufacturers to find the best solution for the customer. This continuous, security-oriented dialogue is part of our service and often happens implicitly – simply because we pay attention.

Is there a particular experience with a Managed SOC customer that has stayed with you?

Tobias Misse: Of course, there are many experiences that have stayed with me. The first onboarding was special – we still work with this customer on a regular basis today. Smaller projects, such as the collaboration with a specialist bookseller, also stand out.

One case I remember is that of an IT administrator who, for budgetary reasons, was only able to secure part of his systems – the most important servers – with our Managed SOC. The rest continued to run with simple endpoint protection. Shortly afterwards, the management requested a penetration test. The administrator informed me of this and I told him straight away that the test would be successful from the attacker's point of view. The unprotected systems would be an easy target. And that's exactly what happened – the pentester's report contained the following key recommendation: “Implement a SOC service.”

The pentest basically just confirmed what we already knew. The admin jokingly asked whether they could have saved themselves the money. Unfortunately not – without this evidence, no additional budget would probably have been approved. In the end, he was able to roll out comprehensive protection.

The bottom line: partial coverage only provides limited security. Without a complete view of all systems, we lack the ability to respond early or effectively isolate an attacker. This was very clearly demonstrated in this case.

In your opinion, what distinguishes our Managed SOC from other offerings on the market? What makes us special?

Tobias Misse: To be honest, many providers do very similar things on a technical level – whether they focus on endpoints, networks or firewalls. What really sets us apart is the human factor: you can talk to us, and that makes a real difference. As I said before, people who talk can be helped. As soon as a customer wants to get closer to the manufacturer, it often becomes difficult with many providers.

A good example was my conversation with a colleague from another company at an event. I was particularly impressed by his statement: ‘I will never talk to a developer at our company – that's out of reach for me.’ That's exactly when I thought: It's different with us. We have short communication channels, a direct line to our developers, engage in constructive discussions and all pull in the same direction. As an owner-managed company, we get the most out of the resources we have – together. We also have direct contact with the analyst team. Our customers benefit from this close network. If they have a technical problem or request, we can see if we can solve it or fulfil it.

As a German company, we are also subject to German data protection legislation. This is a mark of quality and is not the case with many providers. Another point is very important to me: we do not differentiate between small and large customers when it comes to service. Everyone is entitled to good support that corresponds to their chosen service level. Other service providers focus only on large companies and have no interest in smaller firms.

Someone is considering purchasing Managed SOC for their company. In your opinion, what are the most important arguments for making this decision?

Tobias Misse: A lack of skilled personnel and expertise are important factors in deciding to purchase Managed SOC. Often, IT managers in companies cannot handle IT security on their own. In addition, I believe it makes a lot of sense to choose a provider with its own platform and, in particular, its own threat intelligence. Here's an example of why: a company decided against our solution and later became the target of an attack via a known vulnerability in Microsoft Exchange. The attackers first installed a Bitcoin miner – seemingly harmless, but often a first sign of something bigger. The chosen provider recognised the miner, but was unable to put it into context. Thanks to our threat intelligence, however, we knew that the miner originated from a specific group of attackers and that this vulnerability was being exploited for further attacks. Ultimately, the company's access was sold on to other criminals, company data was stolen and everything was encrypted.

The case shows that those who only use third-party signatures often fail to understand the full significance of detection. Having your own platforms with your own threat intelligence not only provides better insights, but also the opportunity for direct exchange – which is crucial, especially in the event of security incidents. Trust plays a central role in this.

Do customers often have ‘special requests’? How do you deal with them?

Tobias Misse: Feature requests are incorporated into our feedback process and evaluated individually. It is important to distinguish between what is a genuine special request and what is not. For example, some customers did not want to receive updates online. We solved this technically because it advanced the project in question.

We also accept other requests, such as not having certain network segments monitored by us, but we document this clearly in the project report. Such decisions reduce the quality of service, which the customer must be aware of.

We always review special technical requests: Is it feasible, sensible and perhaps also useful for other customers? Ideally, we develop generic solutions that are scalable. Our goal remains to have a platform that meets as many customer requirements as possible – but with a sense of proportion.

What if a customer already works with a system house? Do you involve someone from the system house in the onboarding process?

Tobias Misse: Whether and how we involve a system house depends largely on the role of the partner and whether the customer wants us to. A traditional reseller who only sells licences does not play a major role in the onboarding process. The situation is different with a managed service provider: we deliver the service, but direct customer contact is handled by the system house. There are various models: from a pure licence dealer with two employees to a system house that also takes care of patch management. In such cases, we coordinate specifically with the system house, for example, regarding the distribution of our agent. Whether we work with a system house therefore depends on the individual case and its role in the customer's IT operations.

This was the second part of our blog series “The minds behind Managed SOC”. In the first article in this series, Andy Felbinger, Head of Sales Germany at G DATA CyberDefense, gave an insight into the work of his team. The third article is about the analyst team.



Kathrin Beckert-Plewka

Public Relations Manager

