Security through transparency - for a universe of glass

More than 130 years after the company was founded, SCHOTT represents a portfolio that covers nearly all spheres of life. The "Hidden Champion" is a global innovation partner for the domestic appliance industry, pharmaceuticals, electronics, optics, life sciences, automotive and aviation. In the 2017/18 financial year, sales of more than 2 billion euros worldwide were booked, of which 86% were from outside of Germany. Its manufacturing and distribution sites in 34 countries employ around 15,500 people. The parent company’s headquarters are in Mainz and it is wholly owned by the Carl Zeiss Foundation.

Such a high-tech company has numerous patents and a tremendous amount of specialised knowledge that must be guarded in all circumstances. Protecting this treasure was also the first step in expanding IT security at SCHOTT. “When I started at SCHOTT, our focus was basically: How do we protect our crown jewels?” explains Dirk Ossenbrueggen, Head of Information Governance and Security at SCHOTT. "The whole big rest went down a bit in IT operations. But then the awareness has grown that there are other things to protect besides the crown jewels and that you need to spend some money to do so. Above all, we had too little transparency at that time. We didn't have a deeper insight into our network, didn't know what we were up against, or what the security level was at all. To solve this problem, I was searching for tools that would give me a quick overview of the security level of our IT.“

After Dirk Ossenbrueggen had initially come across another tool, further research led him to AMPEG’s Security Lighthouse. After comparing both tools with SCHOTT’s specific requirements, the decision was made to use Security Lighthouse. Dirk Ossenbrueggen and his team were guided by the following requirements: "We wanted to know what we're doing in the way of update management, How up-to-date are our Patches? In addition, there was also the question of endpoint protection, i.e. antivirus protection. Which systems are covered and how current are the signatures? The third area was hard drive encryption. We felt that AMPEG could give us the necessary insights into each of these issues with Security Lighthouse. As well as the collectors for the target systems already mentioned, we also had an eye on those for the Active Directory, and that was also the initial setup we started with.“

The group of people actively using Security Lighthouse at SCHOTT has meanwhile expanded considerably: "Until recently, the tool from AMPEG was used exclusively by our five-member security team," said Ossenbrueggen. "We had collected the monitoring data and then instructed the respective IT managers accordingly. In the meantime, we have moved on to the fact that the IT managers in the locations themselves are actively working with the tool. The Security Lighthouse serves exactly that purpose. On the one hand, employees are trained in the use of the system, and on the other hand, the system is so comfortably constructed and user-friendly per se, that the employees can handle it on their own. It's also a bit motivational when people realise, ‘hey look, I can actively help increase IT security and thus improve the situation’. In addition, we hope to arouse an element of competitive ambition in terms of IT security, accordingly to the motto: Why is the other location green and mine not?“

Security Lighthouse is designed for maximum transparency. At SCHOTT, it maps the security status throughout the global office network, down to the individual locations via the Security Information Map. The system uses a traffic light circuit with the usual red, amber and green colours. Even the smallest deficiencies and weak points are systematically revealed and visualised by the monitoring system. The IT department lays the cards out on the table for the management of the company. For Dirk Ossenbrueggen as Head of Information Governance and Security, this "ruthless" transparency is absolutely desired and part of the company's growth culture. What's more: it is the core element of the system for him. "If I don’t have that transparency and do not want it either, then I have a mentality to want to sweep everything under the carpet. And when things do come up, I would have to ask myself why I didn't know about it. My way is the way of transparency. The system shows me the areas needing improvement and I can work on the concrete plans. Even if resolving an issue takes some time - it is crucial that we are aware of the issue. This is a thousand times better than being surprised by something and being told by other people: ‘watch out, you don’t have your business under control’. So it's better to be proactive and use the transparency of the system constructively. Anything else would be a pseudo-solution in my eyes."

Following the collectors installed during the start-up phase, additional collectors were commissioned in the further course of the cooperation, including a CMDB collector (Configuration Management Database) to collect information about all systems known in the service management. At SCHOTT, the experience in the global office network leads to the consideration of extending the monitoring with Security Lighthouse to the company`s Operational Technology (OT).

"At the moment we only have Security Lighthouse in the office IT. However, we already see a part of the manufacturing IT, namely where, for example, an endpoint protection solution is in place that is in fact behind the firewall, but is just on the phone with the head office. And then we also see systems that are not actually in the office network, but instead behind them," explains Dirk Ossenbrueggen. "Our thinking is to include the production potentially more in-depth in the monitoring. But we have to see how practicable it is in this sector. It will not be possibly to want to prescribe the same rules to the systems in production as those in the office network. Because when I say to production, ‘you have to patch your machines every four weeks’, of course that means machine downtime, which is by nature simply not feasible. One solution for the Security Lighthouse could be that you can differentiate between the assets, whether it is IT or OT. Then I would have two categories that could be treated differently. It could go in such a direction in the future.“

At this point it remains be added that AMPEG is now developing and providing special collectors for the OT sector. In this respect, the vision for the future outlined here by SCHOTT, of integrating the OT sector into monitoring in addition to IT, could well become a reality.