MAG transforms security operations centre to improve cyber resilience
MAG sees more than 60 million passengers flying through its airports including Manchester, East Midlands and London Stansted each year. And with threats against critical national infrastructure increasing, having best-in class cyber security is paramount.
As the largest UK owned airport operator, MAG requires continual security monitoring of all its technologies, including servers, networks and end-point devices. For several years it had outsourced its security operations centre (SOC), including continual monitoring, to a third-party security provider.
However, in March 2020, with the initial contract coming to an end, it became increasingly apparent that the current security set up was no longer fit for purpose.
The incumbent provider wanted to move MAG to a different technology platform which would require substantial CAPEX upfront and result in an increase in operating costs. MAG needed to find a solution that better met the group’s future needs and could provide a more cost-efficient and effective way of strengthening its security operations and safeguarding the business from increasing cyber threats.
Finding the right partner
Setting up the outsourced SOC had previously been a gruelling project and the thought of taking on another project of this scale was daunting for MAG, especially in terms of the time it would take. The company recognised it needed support and sought advice from peers across the UK aviation sector.
Following conversations, Tony Johnson, head of cyber security operations at MAG, was invited to a conference at a leading UK airport that had undergone a similar transformation and migration. It was here that he learned about the airport’s own journey building a more modern, agile outsourced SOC with Bridewell Consulting as its security partner.
The peer airport had moved away from a fully outsourced SOC and worked with Bridewell to deploy a new SOC technology stack which is a blend of Microsoft Sentinel and Microsoft Defender XDR. Johnson was impressed by how much was done in such a short amount of time, including onboarding new services.
“The team spoke highly of Bridewell,” said Johnson. “Bridewell represented themselves very well when we met them there. We had a really productive conversation and could have easily mistaken them for our peers own in-house security team as they had so much knowledge of the business and its infrastructure.”
Getting the project off the ground
The progress that had been made at the airport and the strong relationship between the airport operator and Bridewell put Johnson’s fears to rest concerning the scale of the MAG project. Using the model Bridewell had developed with the Microsoft Defender XDR and Microsoft Azure Sentinel stacks, Johnson got to work on the business case for the new SOC.
He engaged Microsoft to develop a pilot SOC solution, funded by Microsoft, however, they too stressed the importance of having the right cyber security partner involved. Johnson already had Bridewell in mind.
“We had the technical capabilities to do this on our own, but we wanted to work with a company that had been there and done that. We knew that Bridewell had the relevant experience in aviation as well as ASSURE accreditation so could avoid the pitfalls and complications which can arise in this sector,” said Johnson.
Because of the previous experience outsourcing their SOC, MAG wanted to change its delivery model from a fully outsourced setup to a hybrid approach that would enable more autonomy over its protection. It wanted to keep some capabilities in-house in order to benefit from the understanding of the business and context the in-house team brings, while leveraging Bridewell’s expertise to design, implement and operate its security infrastructure, as well as train internal teams.
A two-tiered solution was agreed, keeping some security operations in-house while Bridewell ran the company’s 24/7 monitoring facilities. This enabled MAG to benefit from a state-of-the-art security without having to build their own entire security operation.
Once Bridewell understood MAG’s business objectives, an assessment phase took place in which Bridewell performed a gap analysis, followed by a design phase where it looked at the resources already available within MAG and highlighted any additional resource, technology and processes required to make the transition a success.
With a significant percentage of MAG’s staff furloughed due to the pandemic, resource was a challenge. However, Bridewell was able to fill any gaps and keep the project running smoothly and, crucially, on-schedule.
A resounding success
The initial pilot period lasted eight weeks and was a resounding success. It was completed ahead of deadline with all success criteria met and delivered in budget with no additional spend beyond what was already committed with the incumbent provider.
“Bridewell really impressed us with how organised they were when it came to getting the pilot SOC underway and they drove the team which was exactly what we needed,” said Johnson. “There was no reason not to take it to the next stage.”
Phase one of the rollout needed to be completed by Christmas Eve which was when the existing contract with incumbent provider ended. The incumbent provider had 70% coverage of MAG’s estate and MAG wanted to achieve the same target by the end of phase one. “Bridewell was completely successful in meeting the target and we had exceeded the 70% coverage,” said Johnson.
Bridewell also provided a dedicated SOC analyst who acted as an honorary team member, sharing the skills and knowledge with MAG’s internal team to give them the best success in running the SOC in-house. This resulted in significant cost savings by removing the need to invest heavily in training with an external provider.
Phase two was completed in March 2021 and Bridewell’s SOC analyst and hybrid team has been in place ever since helping the MAG team move forward and providing expert guidance to instil the in-house team with confidence in running the SOC.
Enhanced visibility and protection
Thanks to MAG’s partnership with Bridewell Consulting and Microsoft, the airport group has seen a major improvement in its security set-up across the organisation. The group now has better application security and visibility, including a greater view of its security infrastructure, enabling the team to respond to threats across the kill chain in minutes.
Prior to working with Bridewell, MAG only had 70% visibility of its estate and could only see 5,000 events per second. Since the transition, MAG now has visibility of 80,000 events per second and over 95% of endpoints and servers are visible to the SOC.
MAG’s team were also flooded with a lot of unnecessary noise from the incumbent provider which would constantly notify them of potential issues detected. It would be down to the MAG team to investigate the issues which often turned out to be normal behaviour and required no action.
“We’re very confident that we’re delivering a better service internally than the incumbent provider ever could. We can see the outcomes. We can see the incidents that are getting raised and that we’re solving,” said Johnson.
MAG has seen the biggest impact in dealing with phishing attacks. Like many organisations, MAG has experienced a significant increase in phishing attacks over the last 12 months with attackers continually trying new approaches to trick employees into opening malicious links.
The previous solution would entail a lengthy manual process that required MAG to contact other internal technical teams to undertake tasks every time a phishing attempt was reported. However, the new SOC automatically spots phishing attempts, checks that nobody in the organisation has clicked the links, and removes threat from inboxes across the organisation.
The organisation had also been considering a SOC assurance audit from a third party to demonstrate the strength of the new solution, but initial conversations with assurance providers revealed this would be costly and time consuming. And with the positive impact of the new Bridewell solution so clear, senior stakeholder within MAG deemed that an assurance audit was not necessary.
About the author
Martin Riley is director of managed security services for Bridewell Consulting.