Skip to Content
Author's profile photo Holger Stumm

New era of SAP security strategy: A close look at an advanced cyber defense portfolio

This is a close look at the advanced cyber defense portfolio of Telekom and T-Systems.

I once had a long term and intense 3-year project with T-Systems and there are still strong ties between me and the good folks at T-Systems on a personal level.

This made me write this blog, out of the fascination of the topic and the people. By no means – this is no marketing stint, and I have no commercial ties to TSI.  I also promised in one of my last blogs to make a report about the Cyber Center and a lot of people mentioned interest.

Given the old project ties, it is no wonder that in my new long-term security project at a different customer site we

are still in contact and keep talking. I heard of this newly opened, with much media coverage and even more German politician opened “Cyber Defense Center” in the former German capital Bonn (now capital of Deutsche Telekom). It really interested me and I kept researching about the technology behind the story.


I had the chance for a longer talk with Dr. Karl-Friedrich Thier, Senior Security Consultant of the Business Unit Cyber Security at T-Systems International. We talked for nearly two hours about the technology used and the strategies behind the cyber defense center. It is not only used by Deutsche Telekom itself to protect their huge network, but is also available as a service to (usually very large) customers from T-Systems. There is also one operational aspect (Telekom Cyber Defense Center in Bonn) and one service-level, customer aspect (Advanced Cyber Defense as a service by T-Systems)

But why am I so excited about this ACD? It is more than the usual “firewall bigger and higher” or the casual “we handle the largest DDOS”. It is a complete new philosophy of cyber defense and – as opposed to an abstract philosophy – extremely well executed and put into broad practice. The last sentence is my impression.

The idea and intention behind this center and the used software and hardware, project and people is (according to their web site):

“Companies that don’t adapt their cyber detection and response capabilities to this threat constantly lag behind the complex and targeted attacks. To free themselves from this risky and frustrating cycle of playing “catch-up,” companies need to construct an intelligent security management system that links information from a range of data sources and analyzes it in real time. The goal of this proactive approach is not only to protect the company from known attacks, but also to identify unknown attacks and quickly initiate countermeasures.”

The technology behind the Cyber Defense Center is very diverse and colorful. A lot of tools are used, like different instruments in an orchestra.

It all starts with building situational awareness. Deutsche Telekom operates  around 180 “honeypots” that mimic vulnerable systems around the world which attract all kinds of attackers. By watching and measuring the hacking attempts, you get a pretty good overview of the actual tools used, current attack vectors in favor and organizations using them. The deployed honeypots are actually mostly raspberry PI’s, btw, that are quite cool gadgets.

Watch 180 honeypots live in action


The results are public and can be viewed on the web site In parallel, there is an automated watch of twitter and news feeds for related activity based on used keywords. Here you see in summary in real-time, where actually threats are brewing. Like a weather radar.

The actual network operations and analytics is performed by tools of RSA, which have a huge large-scale portfolio for network operations analytics and threat detection. But it is all thread-based and pattern based.

The “art of security” is, to look for the right patterns to react upon. And this is something you can’t buy – you have to collect and build it yourself over time. And it is constantly changing. This is one major task of every cyber security center. This is the core IP (Intellectual Property) that makes you excel over all other approaches.

Security analytics is complemented by forensic and advanced malware detection tools like FireEye®. Rather than scanning for specific patterns, FireEye executes potential threats in an isolated virtual machine (Sandbox), and monitors its behavior. Like a virus, that is contained and captured in a laboratory section. The attacker, however, doesn’t see a VM but rather a physical workstation or server. One of the cool features is a “time warp” where you can fool “sleeper Trojans” that will sleep for some time before starting.

There are dozen more interesting and used tools of various companies, but they all underline the various aspects of network security

All these tools are nothing without the proverbial orchestration. The core of the cyber defense center is central organization, different present skillsets from analysts to operators and squad leaders that can act on the spot on any actual thread.

The concept of a Security Operation Center SOC


People as success factors

is the mentioned underline in the slide  and this phrase is taken very seriously here in the ADC-concept.

As shown on this picture, it is the staffing and the organization together with the elected software and hardware tools, that makes this Cyber Defense Center so powerful. A lot during the talk with Dr. Thier, we did not discuss software and feature, but how an organization needs to cater to the need of customers. Every customer is different, every customer has other threat and risk areas and there is no “one size fits all”, especially not in security.

The fascination of the setup was, that there was a deep knowledge of security, both commercial as well as governmental at the people involved at T-Systems, and in conjunction with the well selected software and the organizational strength of a large organization, that this all together made a great picture.

The key of all this technology (like the patterns) is how they are applied, the intellectual property behind the tools. This is how it all works well together.

One of the questions that came to my mind is, if regular customers (and even my customers are not really small) would afford such an organization. Probably not, the reduced risk would be in sharp contrast to the big investments in center, people and technology. But I see in the future a convergence of on premise strategies that are self-contained and services like the Advance Defense Center that will like a shell surround the overall strategy.

We will see, how the security strategies everywhere are evolving in the future.

(Disclaimer: This is not a sales pitch, but if you look into a European case of applied security for large networks, this is someone you should talk to or at least, even if you do this on a much smaller scale, you should learn from the big Ones)

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Hi Holger,

      It*s a pretty cool system but at the moment I still miss the link to SAP - you called it "new era of SAP security...". It would be very nice to see some statistics about attacks to SAP URLs or SAP Services. At the moment there are only the common services listed like"Netzwerkdienste, Konsole, ..."

      Kind regards,


      Author's profile photo Holger Stumm
      Holger Stumm
      Blog Post Author

      Hi Frank,

      thanks for your comment. Indeed, this is a more generic article, but I think (out of my discussions with customers) that the need for real time attack surveillance is a goal at most sites. But it is a new area and that is where TSI set their marks.

      As for SAP speciifics: I really would like to share numbers, but nobody wants to see their numbers published. Thats also the dilemma of TSI and their cyber defense strategy. Most customers (if not all) must learn, that it is important (and not a loss of their crown jewels) when they publish their incidents, the patterns and the numbers.

      But especially SAP customers are more than reluctant here. But I guess, we will see this changing in the future.

      In the "Cyber Dawn" scenario, one of my other blogs, this was a finding that even politics was adapting: You will detect danger only if you have a clear consolidatet view on all incidents at the same time (i.e. organized attacks on whole industries or states)



      Author's profile photo Former Member
      Former Member

      Hi Holger,

      Thank you for your feedback. I understand that most real customers doesn't want to publish the according data. But maybe it would be an idea for a cyber security center to install some SAP honeypots - for example in the AWS Cloud (SAP trial Editions for a first test). This would give them the possibility to recognize the scan behaviour of potential attackers.

      Kind regards,


      Author's profile photo Holger Stumm
      Holger Stumm
      Blog Post Author

      Hi Frank,

      let me do a second attempt to answer you: There is no commercial available SAP honeypot but I have seen some very interesting prototypes. The art is not to put just an SAP system out in the wild .. you need to identify the attacks and the patterns, keep the attacker busy, show him also Potemkin villages and trace him back as long as you see their IP. This can be complexe and there are some open source implementations for that (like dionaeae, which I am allowed to mention on scn netiquette) and also some commercial products from big network providers (which scn netiquette does not allow to mention). But they all need to be adapted and this is done by some innovative small companies (which scn netiquette does not allow to mention either)



      Author's profile photo Former Member
      Former Member

      For the record: Holger posted some content with commercial marketing type noise which is not SCN's policy. SAP removed it.

      Personally I also don't like heavy handed moderation nor SAP propaganda with marketing content on what for me is still the SAP Developer Network... but "punting" yourself, bad attitude towards SAP's policy and even bloviating about competences without providing accessible resources on SCN is not the policy, so there is a grey area but disturbing the security space is not acceptable.

      Imagine if everyone did that -> we had that in the past and there were lots of "pissing contests", so the tolerance is set fairly low.

      Perhaps there is interest from3rd party vendors to change the policy? Currently the policy is to register on the SAP ECO-Hub and people who use the search will find the solution descriptions.

      From my experience (also a small specialized company) it does not have much traction. Better is to contribute to (technical) solutions and people who use the search contact you if despite sufficient information they anyway want some consulting or a (partner) tool.

      This works well.

      Bad attitude on SCN does not work well.



      Author's profile photo Holger Stumm
      Holger Stumm
      Blog Post Author

      The reason behind this blog was to show, that there is much more in security concepts that can withstand actual cyber crimes than the usual tools disussion traditional SAP environements.

      Making the Firewall higher (i.e. bigger) or adding an ACL list to the rfc by itself does not help.

      SAP has no real answers yet for threats on cyber crime or industrial (or national) attack vectors. There is no table entry that will make SAP more secure or not

      And it may not be the focus of an SAP product at all.

      Such a cyber defense scenario is laying on top of all the other levels of security. And since such a scenario requires Non-SAP-products (due to the lack of SAP products), we need also to talk about complimentary companies and scenarios.

      Our security world is no unisono one-colored world. The security world is as diverse and couloured as a cyber defense solution must be.

      I am glad that I had the chance to talk to the People at the TSI Cyber Defense Solution. It was one of the rare tech talks where you talk for nearly two hours about solving issues with products and peoples - with the focus on People. And not on Marketing blur. I really enjoyed it.