Manchester Airport Group (MAG) sees more than 60 million passengers flying through its airports, including Manchester, East Midlands and London Stansted, each year. With threats against critical national infrastructure increasing, having best-in-class cyber security is paramount.
Finding the Right Partner
Setting up the outsourced SOC had previously been a gruelling project, and the thought of taking on another project of this scale was daunting for MAG, especially in terms of the time it would take. The company recognised it needed support and sought advice from peers across the UK aviation sector. Following those conversations, Tony Johnson, Head of Cyber Security Operations at MAG, was invited to a conference at a leading UK airport that had undergone a similar transformation and migration. It was here that he learned about the airport’s own journey building a more modern, agile outsourced SOC with Bridewell as its security partner. The peer airport had moved away from a fully outsourced SOC and worked with Bridewell to deploy a new SOC technology stack, a blend of Microsoft Sentinel and Microsoft Defender XDR. Johnson was impressed by how much was done in such a short amount of time, including onboarding new services. “The team spoke highly of Bridewell,” said Johnson. “Bridewell represented themselves very well when we met them there. We had a really productive conversation and could have easily mistaken them for our peer’s own in-house security team, as they had so much knowledge of the business and its infrastructure.”
Getting the Project off the Ground
The progress that had been made at the peer airport and the strong relationship between the airport operator and Bridewell put Johnson’s fears to rest concerning the scale of the MAG project. Using the model Bridewell had developed with the Microsoft Defender XDR and Microsoft Azure Sentinel stacks, Johnson got to work on the business case for the new SOC.
He engaged Microsoft to develop a pilot SOC solution, funded by Microsoft. Microsoft, too, stressed the importance of having the right cyber security partner involved, and Johnson already had Bridewell in mind.
“We had the technical capabilities to do this on our own, but we wanted to work with a company that had been there and done that. We knew that Bridewell had the relevant experience in aviation as well as ASSURE accreditation, so could avoid the pitfalls and complications which can arise in this sector,” said Johnson.
Because of its previous experience outsourcing its SOC, MAG wanted to change its delivery model from a fully outsourced setup to a hybrid approach that would give it more autonomy over its protection. It wanted to keep some capabilities in-house in order to benefit from the understanding of the business and context the in-house team brings, while leveraging Bridewell’s expertise to design, implement and operate its security infrastructure, as well as train internal teams.
A two-tiered solution was agreed, keeping some security operations in-house while Bridewell ran the company’s 24/7 monitoring facilities. This enabled MAG to benefit from state-of-the-art security without having to build its own entire security operation.
Once Bridewell understood MAG’s business objectives, an assessment phase took place in which Bridewell performed a gap analysis, followed by a design phase in which it reviewed the resources already available within MAG and highlighted any additional resource, technology and processes required to make the transition a success. With a significant percentage of MAG’s staff furloughed due to the pandemic, resource was a challenge. However, Bridewell was able to fill any gaps and keep the project running smoothly and, crucially, on schedule.
A Resounding Success
Phase two was completed in March 2021, and Bridewell’s SOC analyst and hybrid team have been in place ever since, helping the MAG team move forward and providing expert guidance to give the in-house team confidence in running the SOC.
Enhanced Visibility and Protection
Thanks to MAG’s partnership with Bridewell and Microsoft, the airport group has seen a major improvement in its security setup across the organisation. The group now has better application security and visibility, including a greater view of its security infrastructure, enabling the team to respond to threats across the kill chain in minutes.
Prior to working with Bridewell, MAG had only 70% visibility of its estate and could see only 5,000 events per second. Since the transition, MAG has visibility of 80,000 events per second, and over 95% of endpoints and servers are visible to the SOC. MAG’s team was also flooded with unnecessary noise from the incumbent provider, which would constantly notify them of potential issues detected. It was then down to the MAG team to investigate the issues, which often turned out to be normal behaviour and required no action.
“We’re very confident that we’re delivering a better service internally than the incumbent provider ever could. We can see the outcomes. We can see the incidents that are getting raised and that we’re solving,” said Johnson.
MAG has seen the biggest impact in dealing with phishing attacks. Like many organisations, MAG has experienced a significant increase in phishing attacks over the last 12 months, with attackers continually trying new approaches to trick employees into opening malicious links. The previous solution entailed a lengthy manual process that required MAG to contact other internal technical teams to undertake tasks every time a phishing attempt was reported. The new SOC, however, automatically spots phishing attempts, checks that nobody in the organisation has clicked the links, and removes the threat from inboxes across the organisation.
The organisation had also been considering a SOC assurance audit from a third party to demonstrate the strength of the new solution, but initial conversations with assurance providers revealed this would be costly and time-consuming. With the positive impact of the new Bridewell solution so clear, senior stakeholders within MAG deemed that an assurance audit was not necessary.