Manchester Airport Group (MAG) sees more than 60 million passengers flying through its airports, including Manchester, East Midlands and London Stansted, each year. With threats against critical national infrastructure increasing, having best-in-class cyber security is paramount.
As the largest UK-owned airport operator, MAG requires continual security monitoring of all its technologies, including servers, networks and endpoint devices. For several years it had outsourced its security operations centre (SOC), including continual monitoring, to a third-party security provider. However, in March 2020, with the initial contract coming to an end, it became increasingly apparent that the current security setup was no longer fit for purpose.
The incumbent provider wanted to move MAG to a different technology platform which would require substantial CAPEX upfront and result in an increase in operating costs. MAG needed to find a solution that better met the group’s future needs and could provide a more cost-efficient and effective way of strengthening its security operations and safeguarding the business from increasing cyber threats.
Increase visibility and enhance cyber security protection
The progress that had been made at the peer airport and the strong relationship between the airport operator and Bridewell put Johnson’s fears to rest concerning the scale of the MAG project. Using the model Bridewell had developed with the Microsoft Defender XDR and Microsoft Azure Sentinel stacks, Johnson got to work on the business case for the new SOC.
He engaged Microsoft to develop a pilot SOC solution, funded by Microsoft. However, Microsoft too stressed the importance of having the right cyber security partner involved. Johnson already had Bridewell in mind.
“We had the technical capabilities to do this on our own, but we wanted to work with a company that had been there and done that. We knew that Bridewell had the relevant experience in aviation as well as ASSURE accreditation so could avoid the pitfalls and complications which can arise in this sector,” said Johnson.
Because of its previous experience of outsourcing its SOC, MAG wanted to change its delivery model from a fully outsourced setup to a hybrid approach that would give it more autonomy over its protection. It wanted to keep some capabilities in-house in order to benefit from the understanding of the business and the context that the in-house team brings, while leveraging Bridewell’s expertise to design, implement and operate its security infrastructure, as well as train internal teams.
A two-tiered solution was agreed, keeping some security operations in-house while Bridewell ran the company’s 24/7 monitoring facilities. This enabled MAG to benefit from state-of-the-art security without having to build its own entire security operation.
Once Bridewell understood MAG’s business objectives, an assessment phase took place in which Bridewell performed a gap analysis, followed by a design phase where it looked at the resources already available within MAG and highlighted any additional resources, technology and processes required to make the transition a success. With a significant percentage of MAG’s staff furloughed due to the pandemic, resource was a challenge. However, Bridewell was able to fill any gaps and keep the project running smoothly and, crucially, on schedule.
The initial pilot period lasted eight weeks and was a resounding success. It was completed ahead of deadline with all success criteria met, and was delivered within budget with no additional spend beyond what was already committed with the incumbent provider.
“Bridewell really impressed us with how organised they were when it came to getting the pilot SOC underway and they drove the team which was exactly what we needed,” said Johnson. “There was no reason not to take it to the next stage.”
Phase one of the rollout needed to be completed by Christmas Eve, which was when the existing contract with the incumbent provider ended. The incumbent provider had 70% coverage of MAG’s estate and MAG wanted to achieve the same target by the end of phase one. “Bridewell was completely successful in meeting the target and we had exceeded the 70% coverage,” said Johnson.
Bridewell also provided a dedicated SOC analyst who acted as an honorary team member, sharing skills and knowledge with MAG’s internal team to give them the best chance of success in running the SOC in-house. This resulted in significant cost savings by removing the need to invest heavily in training with an external provider.
Phase two was completed in March 2021, and Bridewell’s SOC analyst and hybrid team have been in place ever since, helping the MAG team move forward and providing expert guidance to instil the in-house team with confidence in running the SOC.
Thanks to MAG’s partnership with Bridewell and Microsoft, the airport group has seen a major improvement in its security setup across the organisation. The group now has better application security and visibility, including a greater view of its security infrastructure, enabling the team to respond to threats across the kill chain in minutes.
Prior to working with Bridewell, MAG only had 70% visibility of its estate and could only see 5,000 events per second. Since the transition, MAG has visibility of 80,000 events per second, and over 95% of endpoints and servers are visible to the SOC. Under the incumbent provider, MAG’s team had also been flooded with unnecessary noise, as the provider would constantly notify them of potential issues it had detected. It was then down to the MAG team to investigate the issues, which often turned out to be normal behaviour and required no action.
“We’re very confident that we’re delivering a better service internally than the incumbent provider ever could. We can see the outcomes. We can see the incidents that are getting raised and that we’re solving,” said Johnson.
MAG has seen the biggest impact in dealing with phishing attacks. Like many organisations, MAG has experienced a significant increase in phishing attacks over the last 12 months, with attackers continually trying new approaches to trick employees into opening malicious links. The previous solution entailed a lengthy manual process that required MAG to contact other internal technical teams to undertake tasks every time a phishing attempt was reported. However, the new SOC automatically spots phishing attempts, checks that nobody in the organisation has clicked the links, and removes the threat from inboxes across the organisation.
The organisation had also been considering a SOC assurance audit from a third party to demonstrate the strength of the new solution, but initial conversations with assurance providers revealed this would be costly and time-consuming. With the positive impact of the new Bridewell solution so clear, senior stakeholders within MAG deemed that an assurance audit was not necessary.