Security Operation Center

The bouncers

Fifty experts guard customers’ corporate networks around the clock. Finding out what connects Roger Federer to cybercrime and who protects companies in Switzerland from hacker attacks – a visit to the Swisscom Security Operations Center in Zurich.

Text: Flavian Cajacob, Images: Michele Limina, published in the NZZ supplement 9 November 2017,  updated on January 20, 2021

Three doors open in succession for Markus Kaegi, but the fourth one rejects his badge. “Not even I can get in here”, says the Security Services Product Manager at Swisscom. “That’s security level 4. Access is only for staff of the Security Operation Center.” There are fifty of them in total, all of them absolute masters of their craft. Their boss is Nemanja Mitic,

A smart young man with a beard, who opens the security entrance from inside and descends, so to speak, to security level 3. “Anyone who wants to work for my team goes through rigorous testing – on their technical skills, their personality, and of course their record of conduct.” This means that anyone who fails the federal government’s security clearance test will not get a job at Swisscom’s Security Operation Center (SOC) in Binz, near Zurich.

Too much to take on

For many Swiss companies, internet crime is already a reality. It not only affects large corporations, but more and more small and medium-sized businesses. According to a new study by KPMG, nine out of ten Swiss companies have been the victims of cyber attacks in recent months. That’s a 34 percent increase over the previous year. Another survey, this time by EY, also discovered that only two fifths of the companies asked in Switzerland were at all able to identify complex cyber attacks.

These figures are striking, but not surprising. This is because it is increasingly complex and resource-intensive for companies to monitor and protect their own networks. “Costs, capacities and expertise – it can all quickly get too much for a company to take on”, says Kaegi soberly. So is a lack of resources a reason to hold back when it comes to one’s own security? That would be  a very bad idea.

Fighting it off – and keeping quiet

There are many different cyber risks (see info box). Nemanja Mitic presses a button to remove the screen that hides staff in the SOC from the sight of those in the adjacent conference room. He says: “We work here around the clock, seven days a week. Believe me, it never gets boring!” His colleague Markus Kaegi presents some more figures. They show that every month, Swisscom security experts block on average 2250 phishing attacks and identify 1300 malware attacks.

Successful defences like this are not greatly talked about. “We Swiss prefer to keep it to ourselves if something unpleasant like a cyber attack happens. It’s in our DNA”, explains Markus Kaegi. On the one hand, this is completely understandable, but it’s also shooting yourself in the foot. “In the fight against cybercrime, of all things, a bit of transparency would help everyone.” Attacks on company networks could be warded off more quickly and comprehensively, and the analysed data could provide information on other planned attacks.

The whole thing has nothing to do with teenage hackers any more, who are still surprisingly admired by the public. “We’re dealing with professionally organised structures. Cybercrime has now taken on industrial dimensions”, emphasises Kaegi. Swisscom combats malicious network activity with a comprehensive range of Managed Security Services (MSS-i). These can be compiled in modules as required. Customers can put a package together to ensure that their IT infrastructure and digital business processes are protected.

Suddenly things are stirring at the Security Operation Center in Binz. It would be exaggerating to call it hectic. A customer’s file pops up on one of the large screens which show events such as cyber attacks currently taking place. This means that the intelligent monitoring platform has registered an incident and has made an initial, unsuccessful attempt to stop it – now the automatic defence system classifies the attack as threatening. The security analysts step into action, two men and a woman put their heads together and decide what to do next. “It’s always an interaction between human and machine”, explains Nemanja Mitic. “Now we’ve got to move fast. While my colleagues are working on a solution, the customer is notified of the incident.” A dashboard shows what is happening in real time.

Federer causes false alarm

It’s not always a criminal act that triggers an alarm. Mitic gives an example from real life: “When Roger Federer plays tennis, people want to watch it from their offices.” So they watch the match online on their company computer. The head of SOC grins. “And then there are networks which interpret heavy utilisation as a deliberate attack on the IT service.”

The hacker attack the experts were working on has now been averted. The customer had been the target of a phishing attack. However, the Swisscom firewall was able to block the malware – thanks to the security agents it was possible to prevent any damage. The customer will now be sent a detailed report, and the analysts can enjoy a cup of tea. Nobody knows when the next emergency will come.

A list of tasks to do appears on the big screen on the wall of the Security Operation Center. On the next screen, the US President is speaking. And on a third screen white lines cross, indicating current cyber attacks around the world. Mitic closes the screen again – that’s the end of the show. “We’re a bit like the bouncers at a popular club”, he explains, and gets ready to leave security level 3 and go back to security level 4. “We won’t let anyone in who might cause problems. And we throw out anyone who starts trouble.”

The most common cyber threats

MELANI, the Swiss Federation’s Reporting and Analysis Centre for Information Assurance, identifies numerous cyber threats which companies are exposed to:

(Cyber) espionage

Cybercriminals exploit vulnerabilities in the digital infrastructure – unencrypted internet connections or weak passwords, for example – to steal valuable information and prepare further attacks. Not only government agencies but also private companies can have their expertise stolen and misused.

Data leakage

Confidential data is stolen. Outside attackers then blackmail the company by threatening to publish and propagate the data. It is difficult to tell whether what they claim is true or not, which means many companies pay the ransom just to be on the safe side.


These attacks aim to restrict the availability of an IT service such as a website or an internet shop and try to crash it. This type of attack can also involve blackmail. The main targets are IT services with limited capacity or inadequate monitoring of data traffic.

Social Engineering

Users are deceived with psychological tricks and misled into performing risky IT activities. Social engineering exploits humans as a weak spot in the system. This includes pressurising victims with instructions such as “Log in immediately or your account will be blocked”.


A phishing attack aims to glean a person’s access details by assuming a false identity, for example that of their bank. With the deceptively obtained password, cybercriminals can access the victim’s online banking system.


Many cyber attacks take place using what is known as malware. IT systems are manipulated and data is stolen, changed or even destroyed. For companies affected, this kind of attack can mean the confidentiality, integrity and availability of the data is lost.


Using encryption trojans known as ransomware, the victim’s data is encrypted and thus rendered unusable. The cybercriminals demand money in return for decrypting the data, which is by no means guaranteed.

Hand with smartphone


Would you like to regularly receive interesting articles and whitepapers on current ICT topics?

More on the topic