F1 is all about speed. Your team’s cybersecurity solution needs to accommodate this. We spoke to Mark Hazelton, Chief Security Officer at Oracle Red Bull Racing (ORBR), about the importance of cybersecurity within the team and the role Arctic Wolf plays in this regard.
Hazelton has been involved in the world of motorsports for about 25 years. He has been with the racing team, now called ORBR, since its inception. The 2024 model was given the model number RB20. That means he has been working there for just under 20 years (the RB1 dates back to 2005). There are good reasons for this. He says it's still a very interesting world to work in. At the very least, the laser focus on “just making cars go fast” doesn't make the job boring.
Hazelton observed a significant shift in IT investment priorities about 10 years ago. Previously, the focus was on implementing the best-performing IT infrastructure possible, but 10 years ago it clearly moved to cybersecurity. That hasn't changed since then. It's becoming more and more important.
A (successful) team like Oracle Red Bull Racing is an interesting target. Originally, that was mainly the case for attackers looking to steal intellectual property (IP). At the time, it was primarily about insider threats and the risk of IP leaks. In recent years, that has clearly shifted to ransomware and the threat it poses to entire organizations. He also sees ORBR's risk profile as a company increasing rapidly and the professionalism of attackers becoming increasingly evident. “It's no longer hobbyists who attack organizations,” he says.
Cybersecurity must also continue because the focus remains the same
The above developments in the cybersecurity environment are problematic for all organizations. However, for an organization like ORBR, they might be a little more so. That's because the team's focus hasn't changed, Hazelton said. “We're still trying to focus on making the car go fast.” This makes the internal sell difficult, because he's not providing the people who work there with, say, a much faster computing cluster, but with a more secure digital environment. At least in theory, this conflicts quite a bit with the speed ORBR is aiming for as a whole. Security and speed do not necessarily go hand in hand.
But at ORBR, Hazelton says, security and speed do go hand in hand. This is mainly due to the people who work there. They are usually IT savvy and approach their work with great passion and focus to move forward as quickly as possible. He readily admits this is no easy feat. Think about the logistics surrounding an F1 team. Many things have to be arranged: routes, trucks, transportation, hotels, visas, etc. Properly securing this is not an easy task, especially when there is a natural tendency to always seek the fastest solution.
I don't know what I don't know
Hazelton said ORBR is a relatively mature organization from a cybersecurity perspective. “We understand the risks and threats. We know where the gaps are and what controls are in place,” he points out. ORBR also regularly tests its environments and measures itself against cybersecurity standards and best practices.
The above is definitely a good idea. However, it only covers “what is known”, and that is usually not where the biggest threats occur. It doesn't tell an organization like ORBR everything it wants to know. Hazelton understands that, too. “Even if you think you’re in good shape, you don’t know what you don’t know.”
To learn what it didn't know, ORBR partnered with Arctic Wolf. This gives Arctic Wolf access to the entire network. The cybersecurity company's tools and employees access and analyze all metadata from that network. In this way, ORBR discovers things it didn't know about, such as firewall vulnerabilities it had missed.
Hazelton also says that, thanks to Arctic Wolf, ORBR is able to run more frequent tests to check the security of the environment. “Now, instead of him scanning every exposed interface twice a year, he scans it twice a week,” he says. That's a big difference. The main reason for this is that these tests also produce meaningful results. Arctic Wolf makes very little noise, whereas other solutions ORBR has worked with have been quite noisy. Here he specifically mentions SIEM solutions. These can certainly be interesting after something has happened, but they are not very useful if you want to intervene early.
1 billion items in 10 days: 10-15 alerts per week
Arctic Wolf is not a passive platform. In other words, it doesn't wait for something to pass by. It searches actively. The platform requires agents and sensors that run across the network on endpoints. That's fundamentally problematic for ORBR. “We're always very sensitive about agents on machines,” Hazelton points out. There's a good reason for that. At the end of the day, ORBR is all about speed, including the servers and other equipment the team uses. “We tend to make the machines work very hard,” he summarizes. Anything that causes performance degradation is undesirable.
When ORBR began using Arctic Wolf in its environment, it did not notice any negative effects from the agent. Agents and sensors were quickly incorporated into a variety of environments, including wind tunnels. Immediately, hundreds of thousands of data points were being sent from ORBR to Arctic Wolf for analysis. This quickly gave ORBR insights it didn't have before. “His SOC at Arctic Wolf detected things that we thought we knew but weren't logged as such,” Hazelton points out. More importantly, the number of false positives has been, and still is, virtually zero. This is a very important metric for security tools. You don't want to waste your time on worthless alerts.
So what does that tell you? Not much, but that's good. ORBR says it sends over 1 billion items to Arctic Wolf every 10 days. This results in approximately 10-15 alerts each week. According to Hazelton, most of these are resolved very quickly.
Good compatibility between ORBR and Arctic Wolf
The above definitely sounds good, but does choosing Arctic Wolf ensure Hazelton knows what he didn't know before? “It's in my nature to always be skeptical,” he said, suggesting he was always critical of Arctic Wolf's performance. However, Arctic Wolf's coverage is very good, as shown by the fact that it regularly detects changes at ORBR that were intentionally not announced in advance. “Does Arctic Wolf know everything? Probably not, but they're up there with the best,” Hazelton summarizes.
But the reason ORBR chose Arctic Wolf in the first place wasn't necessarily due to technical considerations. ORBR found Arctic Wolf's approach particularly interesting. The security company was just starting out in Europe at the time, and it was very honest about the solutions and roadmap it provided. This gave ORBR the confidence to commit to a long-term partnership.
Hazelton also needed that confidence. He had been debating for a while whether to do security himself or outsource it through an MDR service. Arctic Wolf offers both. That is, ORBR uses Arctic Wolf's MDR service, but still has access to the data itself. This is important for ORBR, as it also performs its own risk analysis. In addition to MDR, ORBR also uses Arctic Wolf's managed vulnerability services. This allows ORBR to determine where vulnerabilities exist within the organization. Later, incident response (IR) was also added. This, Hazelton says, is how Arctic Wolf continues to add value.
Take responsible risks
As we've said many times before, at the end of the day, ORBR is all about speed. Not just the car, but also what's going on in the background. Sometimes you need to do things very quickly. That also comes with risks from a cybersecurity perspective. “If you think you can win the next race, you may have to take some risks,” Hazelton said. You can only do that if you are confident that the security tools you are using can handle it.
Hazelton also points out that ORBR does require people in Arctic Wolf's SOC to look a little closer at certain things. After all, it's not an everyday environment. ORBR does almost everything in-house, from design and prototyping to manufacturing, testing, and logistics. If you do that, you'll often run into something. However, he has seen that Arctic Wolf can cope with this difficult environment. As a result, ORBR has the confidence to take responsible risks at all stages mentioned above to make the car go faster.
Finally, the presence of Arctic Wolf at ORBR also gives Hazelton peace of mind. Of course, nothing important is happening, so everything seems to be working fine. Of course, it's difficult to determine whether Arctic Wolf offers better protection than others. Still, he's confident enough to say it's not “just luck that it hasn't been hacked in the past few years.” This also seems to indicate that Arctic Wolf has discovered and closed quite a few potential holes and loopholes.
Of course, choosing Arctic Wolf does not guarantee that ORBR will win the race. But to hear Hazelton tell it, Arctic Wolf is a vital link in the whole chain. Arctic Wolf's risk-based approach is well-suited to the fast-paced environment in which ORBR operates, which requires frequent risk-taking. Not only on the track, but also off the track.
Photographer credits:
Will Cornelius / Content Pool