Airport operator MAG boosts threat visibility with hybrid SOC
With budget concerns weighing heavy during the pandemic, Manchester Airports Group ditched an impending capex-heavy cyber investment in favour of a hybrid managed/in-house approach. Learn more about its experience.
With planes grounded and its core business disrupted by the pandemic, Manchester Airports Group (MAG) carried on regardless, enacting a brand new cyber security strategy and ditching a long-standing third-party provider in favour of its own in-house security operations centre (SOC) supported by Bridewell Consulting. It says it is reaping the benefits in terms of increased resilience and visibility.
Despite its name, MAG operates two other major UK airports – East Midlands and London Stansted – and collectively handles 60 million passengers a year. As a significant element of the country’s critical national infrastructure (CNI), it requires continuous monitoring of all the various elements of its IT estate.
There are many who say this is the age of SOC-as-a-service, and that has certainly been the direction in which the prevailing winds are blowing – MAG was itself hitched to that particular wagon train, outsourcing its SOC to a third-party security provider. However, by March 2020, it was becoming apparent to Tony Johnson, MAG head of cyber security operations, that things needed to change.
He explains: “They [the incumbent] were doing a good job, there wasn’t a problem with it, but by then we’d been running for a little over three years, so we were coming towards the end of the existing contract, and the technology stack was up for a refresh because, obviously, things move on a long way in three years.
“My boss, our CISO, has always been keen to get to a position where we have capabilities in-house, the key reason being there’s an ability to be far more reactive if you’ve got the people, the skills and the technology.”
Johnson and his team did assess the merits of remaining with their previous supplier, but in the end baulked somewhat in the face of what would be a massive migration to a next-generation technology stack, with all that entails in terms of capital expenditure and disruption, and ultimately, an increase in operational costs.
“We took it as an opportunity to take a step back and ask: what if we spent that money and did it in-house and invested in our own technology stack?” he says.
“We were also sitting and contemplating our options as the new financial year approached, and then the pandemic landed and we thought, let’s take this chance to shake things up a bit.”
The emergence of Covid-19 threw daily life into disarray and forced MAG to shutter much of its operation as airlines dramatically curtailed flights in the face of global travel restrictions. Reflecting on those strange weeks, Johnson says the initial disruption was fairly straightforward to deal with, as MAG has long been a Microsoft Office 365 house, making the switch to remote working a relatively painless experience.
Of course, the organisation experienced the same uptick in malicious activity as every other, particularly in terms of phishing, but nothing severe enough to disrupt the new plan or introduce any insurmountable challenges.
Departure lounge
Even so, the prospect of taking MAG’s SOC in-house was somewhat daunting, so at the beginning of the process, Johnson sought advice from elsewhere in the aviation sector. He ended up speaking to another large UK airport that had recently undergone a similar digital transformation process, building a new outsourced SOC with Bridewell Consulting. The two organisations had worked together to deploy a SOC technology stack incorporating a blend of Microsoft Azure Sentinel and Microsoft Defender XDR, and impressed Johnson with their speediness.
“From my perspective, it was really interesting,” he says. “One of the things that concerned me personally was the speed of deployment – how quickly are we going to be able to get an in-house SOC up and running, how quickly are we going to be able to get this technology stack going?
“The message that we received back from that airport was, you’ll be amazed at what you can achieve in a few months, because it’s in-house resources. It’s just a lot quicker and a lot slicker. That’s the point at which we met Bridewell, although the interesting part of that was, we weren’t necessarily aware it was Bridewell because they were so well integrated with that company’s team.”
Johnson adds: “They showed us what they’d been doing with the Sentinel and Defender stack and it was after that that we started to develop a conversational-level relationship with Bridewell. When the penny dropped and we said we’re going to bring this in-house, it seemed logical to have another conversation with Bridewell as a Microsoft partner, because they knew our sector, and they’d already operated in a large UK airport, so there shouldn’t have been any surprises for them.”
From taxi to take-off
With the UK’s national lockdown in full swing and no airline pilots up and running, Johnson and his team did the next best thing – getting a technical pilot up and running.
“We had some funding from Microsoft to get a pilot up and running again – they were on a big push to get Sentinel out there and in use because it’s relatively new to market and wasn’t necessarily on a lot of organisations’ radars,” says Johnson.
This assessment and pilot phase saw Bridewell take on a lot of legwork, performing gap and design analyses to establish what cyber resources were already available and what else might be needed, considering aspects such as the people, processes and technology that would be needed. With a significant number of MAG’s staff on furlough, this was a particular challenge, but things went smoothly and on schedule and, critically, the SOC was moved in-house with Bridewell offering a hybrid model in order for the pilot to start.
“We got some really solid, fairly simple success criteria nailed down to deployment of Sentinel and Defender, primarily carried out by Bridewell just using the technical hands of the MAG team, and very quickly saw that the deployment was very simple, very straightforward, and proved that there was definitely some value in pushing this to the next level,” says Johnson.
At the end of the eight-week pilot, the team set itself a target of having a “minimum viable SOC” up and running by Christmas Day 2020, a decision driven in part by the fact that the incumbent contract expired at midnight on 23 December. Johnson then drew up a specific list of services that were covered by the previous contract, and set that as the main target to ensure everything was replicated and stood up in advance of a switchover.
“That was always the target – to make sure that by the time we said goodbye to our incumbent, we were going to be in,” says Johnson. “Whatever you do, you cannot afford to make the situation worse. So that was our mantra, right? We were comfortable that we could achieve that, based on what we’d seen in terms of the speed of deployment through the pilot.”
Johnson describes the ensuing job of deploying an in-house SOC across three geographically dispersed airports in under six months as the biggest single project of his career, and one that he would not have been able to accomplish had he not been able to lean on the expertise of a provider that had already been there and bought the t-shirt – Bridewell even embedded a dedicated SOC analyst within MAG’s team to keep things moving along, and also to cut down on the need for Johnson to fork out on more training.
Level flying
The specific target of 70% coverage of MAG’s estate was achieved at the end of this phase, and things then moved forward into the second, final stage of deployment, which was completed in March 2021. For Johnson, the most immediate visible impact was visibility itself.
The previous incumbent’s legacy tools had maxed out at about 5,000 events a second from the 75% of the MAG IT estate that it could see, but by the time the deployment had finished, the SOC team was seeing about 80,000 events a second with 95% of servers and endpoints visible. Johnson describes the benefits as immeasurable.
“Simple things like plugging the Office 365 environment into the SIEM tool gave us an extraordinary level of visibility that we had never expected,” he says. “It was really interesting to see how many people are knocking at that door. I guess that’s one of the things about Office 365 – it’s a very public cloud-hosted service. That’s what makes it so useful for us because it means I can sit with my personal laptop in front of the TV and just quickly log on and check something – but that comes at a price.
“For me, it’s actually drummed home what a good job our incumbent was managing to do with far less.”
New artificial intelligence (AI) and machine learning capabilities have helped smooth the path still further. The old tools were very much based around use-cases, with defined criteria and alerts generated based on those criteria, says Johnson.
“Using AI and machine learning, it’s now that little bit smarter and is looking for connections that aren’t necessarily specifically defined,” he says. “We’ve got a stack of use cases that we’ve set up ourselves for very specific activity we’re looking for. But a lot of what we get alerts on are things that it thinks look suspicious, but there isn’t necessarily anything concrete that’s caused that alert to trigger.”
One particularly impactful change as a result of this has been how MAG is able to deal with phishing attacks. Like most other organisations, it had seen a huge increase in phishing attacks since the start of the pandemic, with malicious actors going to great lengths to get airport staff to click a malicious link.
Before, the solution entailed a lengthy manual process, during which the security team needed to contact other internal technical teams to deal with reports of phishing. The new SOC, on the other hand, can automatically spot such attempts, can verify quickly that nobody has clicked on anything they should not have done, and then purge the threat from any other inboxes where it may be lurking.
Business class upgrade
The culmination of all this is that MAG’s security team is now planning even deeper level changes based on what it can now do. For example, says Johnson: “We’re looking to ingest a lot more threat intel and move to a much more threat intel-led, rather than alert response model, integrating with some threat intel platforms to help tell us where we ought to be focusing our attention. I think that’s going to be a big shift for us.”
The other project now on the table is to extend the security team’s coverage into the air-gapped world of MAG’s operational technology (OT) stack.
“At the moment, the whole point of it being air-gapped is that, you know, it’s less likely to be compromised,” he says. “But obviously, that also means that we struggle to get visibility. We’d like to get more.
“We’re now looking at technologies that are going to allow us to start ingesting data about the activity that’s occurring across things like our baggage systems and our cabin bag X-rays and body scanners – the stuff that isn’t running a simple Linux or Microsoft operating system.”
It is such systems, often running bespoke and in many cases very old operating systems, that are increasingly at risk in a world where threat actors will go to great lengths to gain access to their targets’ networks, as the past couple of years of attacks have shown.
A fault in any of these systems is already enough to cause chaos for airport operations and impact passengers, but a cyber attack could be even more disruptive, so attention must be paid and mitigations put in place. “It’s something that we’ve got, but we could definitely do better with next-generation technologies,” says Johnson.
Future plans aside, Johnson reflects on the experience of moving from a managed service to in-house as a proud achievement, and something that was actually really quite fun. “It was a big project, there were challenges, but it was really enjoyable,” he says. “It was nice to sit back at the end and say, wow, we built a SOC. That’s not bad going, really.”