Threat Detection and Response

What do you do when the Cyber Police call?

Martin Rothaler
Director Information Technology, LAUDA

It was the kind of call no one wants to receive. In April 2020, BSI (the German Federal Office for Information Security or Bundesamt für Sicherheit in der Informationstechnik) called to inquire whether I was aware that our IT environment was under attack.


As the director of IT at LAUDA, I am responsible for building and managing a holistic IT solution that enables today’s complex global landscape. My team manages the complexity of managing multiple geographies, environments, and industrial control systems operations.

LAUDA’s IT environment features a centralized datacenter, with consistent services distributed to our subsidiaries worldwide using Citrix. We had already converted the IT structure with a global active directory giving all locations with production facilities access to the main location through VPN. Our LAUDA team used centralized email systems, CRM, and ERP. With stack consolidation well underway, my team next turned our attention to migrating two ERP systems and an IoT project to the cloud. This migration involves many connections – each presenting an opportunity for leakage – so strong, sophisticated security was important.

When the BSI called, I instantly understood the severity of the situation. A few years earlier, a friend in the industry had fallen victim to an encryption attack that affected everything, including all backup that relied on NAS drives and cloud. This incident convinced me I needed to be prepared. I had already selected and appointed an incident response team – the QGroup.

I quickly reached out to QGroup who brought in Fidelis Cybersecurity to help stop the attack BSI found and to mitigate damage. (I was fortunate that we had security insurance to cover the cost.) One of the more significant issues that we needed to resolve was that we had not been alerted to the intrusion by the security systems we already had in place. Unrecognized command and control traffic was not recognized or picked up.

The Fidelis solution was up-and-running very quickly. The team was about to build an advanced cyber terrain map within hours and used its phenomenal depth of visibility to eliminate blind spots, identify traffic anomalies, and automatically respond to advanced threats. Remarkably, we caught the intrusion in the early stages so it only impacted one client and two servers. That made it was easy to isolate and destroy the impacted systems. In its investigations, Fidelis also discovered remains of previously undiscovered attacks on several machines. Luckily, those attacks had died from starvation; the command servers had vanished. The Fidelis team found and removed all remaining traces of those attacks.

Because of the way we handled this incident and the malware attacks plaguing many companies in the area, German State Criminal Police Office (or Kriminalpolizei) interviewed our team. We discussed the value of enterprise-wide visibility in better managing the attack. Knowing we weren’t the only organization under attack helped justify our investment into sophisticated security despite tight budgets.

I know it’s unlikely for any organization to ever be 100% secure, but QGroup and Fidelis give me confidence that our security is at the highest possible level.

LAUDA’s IoT solutions are complex and feature sensitive data – some of the systems are in healthcare. Similarly, hybrid cloud environments add incredible complexity to the environment. Given the hard lessons learned, traffic monitoring and endpoint protection are essential.

LAUDA has outsourced most of its security operations to QGroup who continue to rely on Fidelis Cybersecurity. Fidelis has cleaned up our entire IT environment. Now, there are very few reported issues because their systems automatically discover, classify and detect behavior anomalies.

We, at LAUDA, believe the holistic visibility and control Fidelis provides across our environment is helping mitigate risk and protect from today’s sophisticated attackers.

In December 2020, a neighbor company suffered an attack. Months later, the organization is still not fully recovered. LAUDA considers this further justification our continued investment in security solutions with QGroup and Fidelis.

Browse our blog