Focus on health data: IT security as a lifeline

The customer is an established IT service provider in the healthcare sector whose business model depends on the secure processing of highly sensitive data. In view of increasing regulatory requirements (including §75b SGB V, the IT security provision of Book V of the German Social Code) and growing cyber threats, the company decided to set up a modern cloud security architecture with SIEM integration and SOC operation by PROTOS Technologie GmbH.

Keeping pace with regulation and threats

From the outset, the project faced the task of establishing a powerful SIEM and SOC architecture that could cope with both increasing cyber threats and stringent regulatory requirements. The focus was on the challenge of reliably protecting sensitive health data while ensuring compliance with documentation requirements and audit-proof logging.

In addition to technical security, the requirements of ISO 27001, BSI-KRITIS, NIS2, and GDPR had to be fully met and integrated into the security architecture. Another goal was to significantly reduce incident response times and establish a hybrid operating model based on the principle of “shared responsibility,” in which clear escalation paths and communication chains are defined.

Since the customer’s employees had varying levels of prior knowledge in the area of cybersecurity, a comprehensive awareness and change management program also had to be developed. The aim was to strengthen both technical resilience and organizational security in the long term.

Project start: From the status quo analysis to the roadmap for security

As part of the project launch, PROTOS conducted a comprehensive assessment of the technological and organizational conditions: the current IT security architecture, the compliance processes, and the tools already in use.

“First, we worked with the customer to map out the existing infrastructure and record all security-related systems – from firewalls and Entra ID to the M365 environments. This involved not only technology, but also organizational processes and responsibilities. Only then were we able to develop a clear roadmap that took into account both regulatory requirements and corporate goals,” says Jan Reimers, Vice SOC Manager & Analyst at PROTOS.

From correlation to automation – security that grows with you

Following the assessment, PROTOS designed and implemented a cloud-native SIEM built on Microsoft Sentinel.

Key steps summarized:

  • Connection of all security-related systems (Azure tenants, firewalls, Entra ID, M365, Microsoft Defender)
  • Establishment of a CMDB for asset, service, and organizational models
  • Development of a hybrid SOC operating model, including escalation chains and SLAs
  • Implementation of over 200 new or adapted detection rules (KQL) and automated SOAR playbooks
  • Setting up a vulnerability management system with Qualys VMDR and Defender VM

Kevin Jägle, SOC Analyst at PROTOS, reports: “The development of API integrations and CI/CD pipelines was particularly important for automating security workflows. We opted for infrastructure-as-code early on to ensure that adjustments to policies and compliance checks remained reproducible and scalable. This enabled us to lay the foundation for a modern SecDevOps model.”

In operation: Response in minutes instead of hours 

Following successful implementation, the PROTOS SOC took over 24/7 operations. Continuous monitoring, threat hunting, and automated response processes enable security incidents to be detected and contained at an early stage.

“Just a few weeks after going live, we were able to identify suspicious access via compromised login credentials in the Azure environment. Thanks to Sentinel correlation and automated SOAR playbooks, the account was immediately locked and the attack contained. Within minutes, the incident was under control – without any data leakage,” says Erik Driene, SOC Analyst at PROTOS.
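The correlation behind the kind of detection rule listed under the key steps (invalid-credential attempts followed by a successful sign-in from the same source) and the containment decision described in the incident above, as an added example. This is not the customer's rule set or PROTOS code: the sign-in records, the per-user country baseline, the 30-minute window and the five-failure threshold are constructed here. A Sentinel analytics rule would express the same join in KQL over the SigninLogs table, and the Logic App playbook would issue the Microsoft Graph calls that the plan lists; this script only decides and reports, it does not call anything.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Entra ID SigninLogs ResultType values used here: "0" is a successful
# sign-in, "50126" is "invalid username or password".
SUCCESS = "0"
INVALID_CREDENTIALS = "50126"


@dataclass(frozen=True)
class SignIn:
    time: datetime
    upn: str
    ip: str
    country: str
    result: str


@dataclass
class Incident:
    upn: str
    ip: str
    failures: int
    new_country: bool
    success_time: datetime
    severity: str = "Medium"
    actions: list[str] = field(default_factory=list)


def parse_signin(line: str) -> SignIn:
    """Parse one record of the constructed export: time|upn|ip|country|resultType."""
    time, upn, ip, country, result = (part.strip() for part in line.split("|"))
    return SignIn(datetime.fromisoformat(time), upn, ip, country, result)


def containment_plan(incident: Incident) -> Incident:
    """Attach the playbook steps a SOAR run would execute for this incident.
    The two Graph endpoints are the real ones a Logic App uses to disable a
    user and revoke refresh tokens; the firewall step is vendor-specific."""
    incident.severity = "High" if incident.new_country else "Medium"
    incident.actions = [
        f'PATCH https://graph.microsoft.com/v1.0/users/{incident.upn} {{"accountEnabled": false}}',
        f"POST https://graph.microsoft.com/v1.0/users/{incident.upn}/revokeSignInSessions",
        f"block {incident.ip} on the perimeter firewall",
    ]
    return incident


def detect_brute_force_success(events, *, window=timedelta(minutes=30),
                               min_failures=5, known_countries=None) -> list[Incident]:
    """Correlate invalid-credential failures with a later success from the same
    user and IP inside `window`. A success from a country the user has never
    signed in from before raises the severity; failures with no success
    (a spray that did not land) and successes long after the failures do not alert."""
    known_countries = known_countries or {}
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    incidents: list[Incident] = []
    for e in sorted(events, key=lambda ev: ev.time):
        key = (e.upn, e.ip)
        if e.result == INVALID_CREDENTIALS:
            failures[key].append(e.time)
            continue
        if e.result != SUCCESS:
            continue  # other codes (MFA required, locked out, ...) are not correlated here
        recent = [t for t in failures[key] if e.time - t <= window]
        failures[key] = []  # a success consumes the window, so the next success does not re-alert
        if len(recent) < min_failures:
            continue
        new_country = e.country not in known_countries.get(e.upn, set())
        incidents.append(containment_plan(Incident(e.upn, e.ip, len(recent), new_country, e.time)))
    return incidents


# Constructed sample: alice is brute-forced and then logged in from a new country;
# bob mistypes once; carol is sprayed without success; dave's success is outside the window.
SAMPLE_LOG = """\
2025-03-04T07:00:00|dave@clinic.example|203.0.113.11|FR|50126
2025-03-04T07:01:00|dave@clinic.example|203.0.113.11|FR|50126
2025-03-04T07:02:00|dave@clinic.example|203.0.113.11|FR|50126
2025-03-04T07:03:00|dave@clinic.example|203.0.113.11|FR|50126
2025-03-04T07:04:00|dave@clinic.example|203.0.113.11|FR|50126
2025-03-04T09:00:10|alice@clinic.example|203.0.113.7|NL|50126
2025-03-04T09:00:41|alice@clinic.example|203.0.113.7|NL|50126
2025-03-04T09:01:15|alice@clinic.example|203.0.113.7|NL|50126
2025-03-04T09:01:52|alice@clinic.example|203.0.113.7|NL|50126
2025-03-04T09:02:30|alice@clinic.example|203.0.113.7|NL|50126
2025-03-04T09:04:00|alice@clinic.example|203.0.113.7|NL|0
2025-03-04T09:10:00|bob@clinic.example|198.51.100.23|DE|50126
2025-03-04T09:10:30|bob@clinic.example|198.51.100.23|DE|0
2025-03-04T09:20:00|carol@clinic.example|203.0.113.9|US|50126
2025-03-04T09:20:20|carol@clinic.example|203.0.113.9|US|50126
2025-03-04T09:20:40|carol@clinic.example|203.0.113.9|US|50126
2025-03-04T09:21:00|carol@clinic.example|203.0.113.9|US|50126
2025-03-04T09:21:20|carol@clinic.example|203.0.113.9|US|50126
2025-03-04T09:30:00|dave@clinic.example|203.0.113.11|FR|0
"""

# Constructed baseline of countries each user has previously signed in from.
KNOWN_COUNTRIES = {"alice@clinic.example": {"DE"}, "bob@clinic.example": {"DE"},
                   "dave@clinic.example": {"FR"}}


def run(log: str = SAMPLE_LOG) -> list[Incident]:
    events = [parse_signin(line) for line in log.splitlines() if line.strip()]
    return detect_brute_force_success(events, known_countries=KNOWN_COUNTRIES)


if __name__ == "__main__":
    for inc in run():
        print(f"[{inc.severity}] {inc.upn} from {inc.ip}: "
              f"{inc.failures} failures, then success at {inc.success_time:%H:%M}")
        for step in inc.actions:
            print("   ->", step)
```

Only alice produces an incident: five invalid-credential attempts and a success from the same IP within four minutes, from a country absent from her baseline, so the plan is rated High and disables the account and revokes refresh tokens before the firewall block. The same logic in production needs the baseline fed from the tenant's own sign-in history rather than a static map, and the thresholds tuned against the customer's false-positive rate.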

In addition to operational defense, PROTOS supports the customer in setting up its own SOC team as part of a “Cloud Center of Excellence” and conducts awareness training to sensitize employees to current cyber threats.

Technologies and tools used

SIEM & SOC

  • Microsoft Sentinel, Splunk Enterprise Security
  • AWS-native Log Analytics

Log Management & Monitoring

  • ELK-Stack (Elasticsearch, Logstash, Kibana)
  • Azure Monitor & Metrics
  • Microsoft Defender for Cloud
  • CloudTrail, VPC Flow Logs

Threat Detection & Incident Response

  • Microsoft Defender XDR, AWS GuardDuty
  • Microsoft Sentinel Fusion, Wazuh (Endpoint Security Monitoring)

Compliance & Governance

  • Azure Policy, MS Compliance Manager
  • Chef InSpec

Vulnerability & Risk Management

  • MS Defender Vulnerability Management, Qualys VMDR
  • Nessus

SOAR & Automation

  • Azure Logic Apps
  • Microsoft Sentinel SOAR
  • Power Automate

Network & Asset Visibility

  • Azure Network Watcher
  • Nmap, Lansweeper

Security in numbers: From audit to response time

  • Reduction of average incident response time from >4 hours to <15 minutes
  • Introduction of 200+ use cases and correlation rules in the SIEM
  • 100% compliance with regulatory requirements (ISO 27001, GDPR, BSI-KRITIS, NIS2)
  • Establishment of a hybrid SOC operating model with clear escalation paths
  • Training of 50+ employees in cybersecurity and compliance

With PROTOS: Future-proof cloud security for critical infrastructure environments 

With the support of PROTOS, the customer was able to establish a highly secure, regulatory-compliant, and future-proof cloud security architecture. The combination of strategic consulting, technical implementation, and operational SOC services ensures that critical infrastructures are protected and that resilience to cyberattacks has been sustainably increased.

“For us, it was crucial not only to implement a project, but also to set the course for a long-term security and cloud strategy. Today, the customer benefits from an architecture that is scalable both technologically and organizationally, meets regulatory requirements on an ongoing basis, and can grow with future threats. This not only ensures current security, but also creates a sustainable basis on which digital innovation and regulatory security go hand in hand,” says Karsten Quellec, CTO & SOC Manager at PROTOS.

The project exemplifies how PROTOS, as a vendor-independent partner, supports customers in highly regulated industries in implementing complex cybersecurity requirements – from planning and technical implementation to long-term operation.
