How a security breach paved the way for an innovative IT environment.
From urgent disaster recovery and incident response to a centralized SOC with 24/7 monitoring.
The challenge
In summer 2022, DVGW – short for Deutscher Verein des Gas- und Wasserfaches e.V. – had to deal with a major safety incident. Hacker had penetrated the company’s network and encrypted all systems with a ransomware called LockBit 2.0.
“The hackers’ target was the active directory, compromising our entire identity system and gaining access to most users and passwords. We were locked out of our own system and no longer had access to our data.”
Thorsten Janssen (IT Project Coordinator at DVGW)
To prevent further damage, it was decided to shut down the network completely. But instead of giving in to the hackers’ demand for a ransom payment in Bitcoin, DVGW decided to call in external help in order to minimize the impact of the attack, and to get the systems up again as soon as possible..
The solution
The next morning after the breach, our IT security experts were already in action with two teams – one on-site for disaster recovery and one remote for incident response. While our disaster recovery team worked to bring the basic infrastructure back online, our incident response team handled evidence collection and identification of compromised devices and their recovery. Thanks to our blueprints, we can respond quickly and effectively to such incidents – not only in terms of the technical side, but also in terms of communication with all stakeholders such as the board of directors, employees, or the press.
“water helped us reset the entire identity management system in just four days. It was incredible how quickly it happened.”
Thorsten Janssen (IT Project Coordinator at DVGW)
Once it was clear that there was no longer an active connection to the outside, we began rolling out Microsoft Defender for Endpoint. After that, we could start implementing and commissioning all Microsoft 365 Defender Suite products to enhance endpoint with identity and productivity security. This multi-phase transition culminated in the deployment of Microsoft Sentinel, providing an inclusive security solution that takes a holistic approach to DVGW’s IT infrastructure.
The benefit
As a result, DVGW is now not only protected against future ransomware attacks, but also a wide range of other potential security threats. At the same time, with the implementation of the Microsoft XDR suite, the IT landscape of DVGW can now be monitored and protected 24/7 with a centralized and managed SOC. This also allows processes to be automated, which leads to a reduction in incidents – and more efficiency.
“What impressed me most was the depth of expertise of the water team. It is a small, powerful unit that always focuses on our business needs when working together.”
Thorsten Janssen (IT Project Coordinator at DVGW)
In addition, structured incident response procedures were defined and recorded in a crisis manual. This ensures that an even faster and more coordinated reaction is possible in the event of a future security breach.
“With the «application triage» we even invented a new word. It’s a system that helps us to prioritize applications during an emergency.”
Thorsten Janssen (IT Project Coordinator at DVGW)