3/7/2025

Danfoss resolves 80% of identity theft attempts with Microsoft Sentinel

Deep into its digital transformation, Danfoss’s growth contrasted with inefficient manual, on-premises security solutions. It wanted a scalable security solution to defend its global data and SAP landscape while lifting security team effectiveness.

Danfoss adopted Microsoft Sentinel and the Microsoft Sentinel solution for SAP applications. It ingests logs from 20 applications and thousands of devices with the connectors between Microsoft Sentinel, Defender for Cloud, and Defender for Identity.

Danfoss gained the scalable security and global accessibility it needed. Automated tasks get the work done faster, and customers’ data stays more secure with unified visibility and control.

Danfoss

Danfoss has invented and manufactured innovative customer solutions for nearly a century. Being a global leader in energy-efficient solutions, the company delivers products that improve mechanical productivity, reduce emissions, lower energy consumption, and enable electrification for customers across the automotive, industrial, marine, construction, and power-generation industries. Danfoss’s spirit of inventiveness has driven a years-long push toward digital transformation at the growing company. “Digitization is a key enabler for our business,” says Morten Pors Simonsen, Chief Information Security Officer at Danfoss. “Right now, we are simultaneously developing new all-digital services and globally standardizing our platform to improve our security and visibility.” 

The company began searching for new security tools when its existing on-premises security solution began showing signs of poor adaptation to the cloud. Nor did the solution fit Danfoss’s business-critical SAP infrastructure. Eleven separate SAP systems are responsible for the company’s product design, production lines, warehouse management, shipping, and sales processes. “Any substantial downtime across our SAP systems would not only lose us millions of dollars and jeopardize our product pipelines, it would erode the trust we’ve built with our customers,” says Chunqui Chen, Director of the IT Monitoring and Security Operations Center at Danfoss. The company’s longstanding system generated a large number of false alarms, and its poor coverage of the SAP systems required ever-growing amounts of manual security review, so alert fatigue began to set in at the Danfoss Security Operations Center (SOC).

Since the beginning of the security digitization initiative, the company has doubled in size, further heightening the need for a scalable solution that can easily provide standardization across multiple markets and geographic areas. Danfoss has long relied on Microsoft for productivity and cloud infrastructure, so when the company discovered the Microsoft Sentinel solution for SAP applications, it quickly moved to take advantage of the opportunity to use this integrated feature within Microsoft Sentinel and a number of other Microsoft Security solutions. “Our main goal is to secure the confidentiality, integrity, and availability of our business-critical applications,” says Chen. “We’re starting with our SAP systems, and then we’re going to do the same for the rest of our business-critical infrastructure.”  


An out-of-the-box transition to global standardization

Danfoss worked together with the Microsoft Security Experts team to ensure a quick and seamless implementation process. “The Microsoft Security Experts team was very professional and very open to our input,” says Simonsen. “If we ever encountered a problem, they knew just who to put us in contact with, and that kept things running smoothly.” Chen agrees, adding that the presence of existing connectors between Microsoft Sentinel and other Microsoft Security solutions, like Microsoft Defender for Cloud and Defender for Identity, made his job much easier during the adoption process. “Setting up Microsoft Sentinel to ingest logs from 20 applications and thousands of devices was a very simple thing,” says Chen. “In fact, everything from deploying cloud connections and on-premises log injections to making use of existing workbooks and built-in use cases was incredibly straightforward for us, and that simplicity saves both time and money.”  

The Microsoft Sentinel solution for SAP applications was particularly helpful in this regard. “Under our legacy system, our SOC was regularly doing manual log reviews of tens of thousands of lines of text,” says Kevin Cai, IT Specialist in the Security Operations Center at Danfoss. “As our SAP landscape grew, finding potential malicious activity became difficult, which our leadership knew would eventually become an audit and compliance red flag if left unchanged.” Enabling the Microsoft Sentinel solution for SAP applications meant bringing much-needed automation to the company’s SAP-related threat detection, logging, and log review processes, which made its deployment and optimization a top priority early on.  

The Danfoss security team’s next priority then became deploying multilayered protection around its expanding core infrastructure. The correlations that Microsoft Sentinel draws between multiple security logs and datasets help create that security by pinpointing where and when potential threats originate. Through automated alerts and responses, the solution can also mitigate a broad spectrum of attacks as soon as they begin. This helps safeguard not only the company’s workstations but also the operational technology in its manufacturing facilities. “Because we’re a manufacturing company, ensuring we can reliably produce goods and support our supply chain is central to meeting the needs of our customers,” says Simonsen. “The next step will be extending a layer of advanced AI, like Microsoft Security Copilot, around our operational technology to meet the challenge of future attacks.”

Danfoss is an early adopter when it comes to new security technologies, having already begun the process of drafting a number of bespoke promptbooks that will help Security Copilot aid in security investigations and alert activities. “We make use of new innovations to mitigate emergent threats as early as possible,” says Chen. “We strongly rely on Microsoft and its security technology roadmap to help defend our company in that way, as it can develop solutions faster than we could alone.” 


Faster threat responses at scale

By adding Microsoft Sentinel to its security landscape, Danfoss has gained the scalable security and centralized visibility it needs. “With Microsoft Sentinel and the Microsoft Sentinel solution for SAP applications, we’ve centralized our security logs and gained a single pane of glass with which we can monitor our SAP systems,” says Cai. “We can much more easily understand what once felt like complicated log data, and that has helped us mature our overall security stance.” The company also augmented its threat-hunting capabilities by adopting the unified security operations platform offered by Microsoft. It combines security events from the Microsoft Security suite, including Microsoft Sentinel and Microsoft Defender XDR, so that security teams maintain a complete and organized view of incidents. 

A few months ago, the company’s new security solution was tested when phishing attacks that targeted employees suddenly skyrocketed to 10 times their previous rate. “We couldn’t exactly increase our security personnel by a factor of 10 to meet demand,” recalls Chen. “Under our old system, our response times would have become increasingly delayed as we handled so many sudden attacks. With Microsoft Sentinel and Microsoft Defender XDR, we were able to automate our response.” In fact, Danfoss was able to automate responses to attempted phishing attacks and to those attacks which resulted in employee identities being compromised. Soon thereafter, Danfoss was mitigating 80% of phishing and compromised identity incidents automatically. 


The efficiency improvements Danfoss has gained through automation have been a major benefit for security and IT personnel. The looming red flag concerning SAP audits and compliance measures has been removed, and this year, junior personnel at Danfoss have reduced their time spent on false positives and repetitive tasks by between 50% and 60%. Senior employees can now better engage with the more complex or unique threats they’ve been assigned. “My team is adapting very quickly to the new querying capabilities in Microsoft Sentinel,” says Chen. “We’re processing logs a hundred times faster than it would take to read through them.” The whole security team is also spending less time on tasks like maintaining the solution and developing new threat responses, compared to its on-premises predecessor.  

For Simonsen, standardizing data security across Danfoss has been the biggest benefit of Microsoft Sentinel. “In the past, we lacked a single solution capable of delivering visibility, control, and automation all at once,” he concludes. “By standardizing on Microsoft Sentinel, we’ve improved in all those areas. We’re immensely impressed with the stability and flexibility it’s granted us.”  
