Use Case: Hong Kong International Airport
Establishing directory infrastructure security while continually enhancing airport operations: How Hong Kong International Airport ensures real-time AD security for a major APJ transportation hub
Owned by the Government of Hong Kong Special Administrative Region, Hong Kong International Airport serves as an important regional cargo center, passenger hub, and crossroads for other Asian destinations. It has been one of the busiest passenger and cargo airports in the world for many years. The organization is a pillar of Hong Kong’s economy and employs more than 78,000 people. Hong Kong International Airport continues to grow passenger and cargo services in anticipation of increasing demand.
- Industry: Aviation
- Location: Hong Kong
- Revenue 2018: 19 billion (FY2018/19)
Multiteam AD Management
As a major global player in the aviation sector, Hong Kong International Airport has continued its expansion amid ever-growing passenger and cargo flow. This significant increase in business has led to more complex IT environments administered by diverse teams across a mix of Information Systems (IS), Internet of Things (IoT), and Operational Technology (OT) Systems.
Continuously Changing AD Environment
Unfortunately, rapid growth and development of different technology resources usually introduces various security risks to Active Directory environments, including misconfigurations and illegitimate access rights. These can endanger an entire airport’s network and system. Through ambitious security programs and tools exclusively focused on AD administration, Hong Kong International Airport has established strong security boundaries for its main Active Directory infrastructures.
This process initially required significant time and manual effort from the infrastructure, operations, and security teams. To adapt these boundaries to the latest AD threats and safely integrate acquired resources into the consolidated perimeter, the organization needed to streamline the onboarding of new entities while maintaining its cyber resilience through a more proactive and automated approach. Further, a more complex environment presents a bigger attack surface and increases the probability that an end user's endpoint is compromised. After an ordinary phishing or ransomware campaign, an attacker on a single endpoint can still enumerate and traverse the entire network using only native Active Directory commands. As the security backbone of the Information System, Active Directory was one of the central components used to monitor and protect these production environments. The challenge for Hong Kong International Airport was finding solutions capable of protecting its worldwide perimeter and consolidating the security of these Active Directory environments.
- Modern, innovative Active Directory security
- Continuous monitoring of AD security risks
- Reduction in incident response time
- 1 Centralized Alsid Console
- 1 Domain, 1 Forest
- Protecting over 4,800 users
Stakeholders at HK Airport:
- 1 Security Manager
- 1 Security Analyst
- 1 Active Directory Specialist
- 1 Active Directory Administrator
Alsid dedicated team:
- 1 Alsid Technical Account Manager
- 1 Advanced AD Security Engineer
- 1 Alsid “Follow-the-sun” support
Integration plan insights:
- A Splunk integration is planned to ensure HK Airport gets the most out of Alsid for AD.
- As HK Airport becomes more familiar with Alsid for AD, automated remediation for low-impact Indicators of Exposure (IoEs) is being considered.
After reviewing the market for advanced AD security solutions, the security team identified Alsid as the most effective method to pre-emptively tackle evolving Active Directory issues at their root cause rather than deal with the aftermath of an attack. A primary focus was identifying the different sets of policies, configurations, and data within the infrastructure to proactively detect inconsistencies and/or malicious behaviors in real time. Addressing these earlier avoids potential escalations that could severely disrupt business.
Alsid’s platform monitors the production infrastructure, giving the client a global view of all security parameters at a glance through a single console that integrates with the SIEM. Delegation rights, password policies, authentication protocols, GPOs, and more are now under real-time security monitoring by the SOC, which mitigates the security risks of an evolving AD perimeter. The Alsid solution was simple to implement: deployment took only one week, after which the client’s team had access to the web-based interface, Indicators of Exposure (IoEs), tailor-made recommendations, and real-time analysis. The SIEM integration enabled security operations to monitor AD security around the clock.
Using Alsid’s consolidated dashboard, the airport’s security teams gained a constant, global view of the security posture of their Active Directory. Real-time security monitoring let the security team verify that remediation measures were correctly implemented and choose the right time to bring newly acquired entities into the global infrastructure.
Adapting to the Latest AD Threats and Best Practices
The organization faced challenges securing its Active Directory with consistent best practices. This is a common pain point for IT teams and is critical for AD security. It stems from two primary factors: a poor understanding of the latest AD-specific attacks and remediation techniques, and a failure to adopt best practices.
AD security is a complex subject and it is difficult to master every detail. Other AD monitoring and auditing solutions exist, but they require continuous technical resources to remain effective against the latest AD attacks. Migrating from legacy systems is especially challenging: legacy AD configurations are mostly insecure and do not conform to best practices, and administering AD with those same practices no longer meets today’s AD security requirements.
Resolving AD Security Management Challenges
Fortunately, the security team at Hong Kong International Airport understood the security gaps and highlighted them to senior management, acknowledging that additional assistance would be needed to keep AD safe amid the ever-changing cyber landscape. With Alsid’s focus on AD security, the adaptive and proactive Indicators of Exposure (IoEs) ensure that staff without deep technical knowledge of AD security can still use the information to identify and detect exposures, and to protect and harden the directory.
Securing Daily AD Changes
Another battle for the airport’s security team was keeping AD safe despite the extreme pace of changes made to it every day by different teams. Static alert parameters often generate a flood of alerts requiring manual follow-up. With Alsid for AD’s always-on monitoring and real-time risk analysis of object-level changes in AD, the organization receives an alert as soon as a security risk appears.
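To make the object-level change analysis described above concrete, and to show the kind of delegation and password-policy checks mentioned in the SIEM integration section, here is an added example that is not code from Alsid or from the airport. It is a small Python detector that reads Windows Security event records (4728/4732/4756 group-membership additions and 4738 user-account changes), raises a finding when a member is added to a privileged group or when a userAccountControl bit that weakens authentication is newly set, and emits findings as JSON lines for a SIEM forwarder. The sample events, the privileged-group watch-list and the severities are constructed assumptions; the event IDs, field names and userAccountControl flag values are the documented Windows ones.

```python
import json

# userAccountControl bits from the AD schema that weaken an account's
# authentication posture when set (values are the documented flag constants).
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000
DONT_REQ_PREAUTH = 0x400000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

RISKY_UAC_BITS = {
    PASSWD_NOTREQD: ("PASSWD_NOTREQD", "high"),                  # empty password allowed
    DONT_REQ_PREAUTH: ("DONT_REQ_PREAUTH", "high"),              # AS-REP roastable
    TRUSTED_FOR_DELEGATION: ("TRUSTED_FOR_DELEGATION", "high"),  # unconstrained delegation
    TRUSTED_TO_AUTH_FOR_DELEGATION: ("TRUSTED_TO_AUTH_FOR_DELEGATION", "high"),
    DONT_EXPIRE_PASSWORD: ("DONT_EXPIRE_PASSWORD", "medium"),    # bypasses password policy
}

# Assumed watch-list; a real deployment would derive it from the domain's
# own tiering model rather than hard-code it.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "DnsAdmins",
}

GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # security-enabled global/local/universal group
USER_ACCOUNT_CHANGED = 4738


def parse_uac(value):
    """Security events log userAccountControl as a hex string ('0x10200');
    a field that is not present is logged as '-'. Return an int or None."""
    if value is None or value == "-":
        return None
    return int(value, 16)


def analyze_event(event):
    """Return the list of findings for one Security event ([] when benign)."""
    findings = []
    eid = event.get("EventID")
    if eid in GROUP_MEMBER_ADDED and event.get("TargetUserName") in PRIVILEGED_GROUPS:
        findings.append({
            "severity": "high",
            "rule": "privileged_group_member_added",
            "event_id": eid,
            "actor": event.get("SubjectUserName"),
            "target": event.get("TargetUserName"),
            "detail": event.get("MemberName"),
        })
    elif eid == USER_ACCOUNT_CHANGED:
        old = parse_uac(event.get("OldUacValue"))
        new = parse_uac(event.get("NewUacValue"))
        if old is not None and new is not None:
            # Alert on the transition (bits newly set), not on the current state,
            # so an already-weak account does not re-alert on every unrelated edit.
            newly_set = new & ~old
            for bit, (name, severity) in RISKY_UAC_BITS.items():
                if newly_set & bit:
                    findings.append({
                        "severity": severity,
                        "rule": "risky_uac_flag_set",
                        "event_id": eid,
                        "actor": event.get("SubjectUserName"),
                        "target": event.get("TargetUserName"),
                        "detail": name,
                    })
    return findings


def analyze_events(events):
    """Run every event through analyze_event and flatten the findings."""
    findings = []
    for event in events:
        findings.extend(analyze_event(event))
    return findings


def to_siem_lines(findings):
    """Serialise findings as one JSON object per line for a SIEM forwarder."""
    return [json.dumps(f, sort_keys=True) for f in findings]


# Constructed sample events: hand-written dicts using the Security log's
# field names, not records captured from any real domain.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "svc_deploy", "TargetUserName": "Domain Admins",
     "MemberName": "CN=j.doe,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4732, "SubjectUserName": "helpdesk1", "TargetUserName": "Printer Users",
     "MemberName": "CN=a.lee,OU=Staff,DC=corp,DC=example"},
    # DONT_EXPIRE_PASSWORD was already set; this change newly sets DONT_REQ_PREAUTH
    {"EventID": 4738, "SubjectUserName": "helpdesk1", "TargetUserName": "svc_backup",
     "OldUacValue": "0x10200", "NewUacValue": "0x410200"},
    # A remediation: clearing the same bit again must not raise an alert
    {"EventID": 4738, "SubjectUserName": "ad.admin", "TargetUserName": "svc_backup",
     "OldUacValue": "0x410200", "NewUacValue": "0x10200"},
    # Account edit that leaves userAccountControl untouched
    {"EventID": 4738, "SubjectUserName": "helpdesk1", "TargetUserName": "k.wong",
     "OldUacValue": "0x200", "NewUacValue": "0x200"},
    {"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "k.wong"},  # logon, ignored
]

if __name__ == "__main__":
    for line in to_siem_lines(analyze_events(SAMPLE_EVENTS)):
        print(line)
```

Run as-is it prints two findings: the addition to Domain Admins and the newly set DONT_REQ_PREAUTH flag on svc_backup. The remediation that clears the flag, the unrelated account edit and the logon event produce nothing, which is the point of diffing old against new userAccountControl values: alerting on transitions rather than on the standing state is what keeps the alert volume from static rules down and the follow-up manual work manageable.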
Incident Response Reduction
Response time to AD security events has been significantly reduced thanks to fewer false positives and seamless integration with SIEM and SOC playbooks. Malicious actors therefore do not get the chance to gain a significant foothold in AD and compromise mission-critical systems and networks.
AD security visibility and confidence increased. The easy, agentless deployment of Alsid has allowed the airport to see the value of Alsid from the first day of deployment.