Formula 1 is all about speed. A team’s cybersecurity solution must keep up with this. We spoke to Mark Hazelton, Oracle Red Bull Racing’s Chief Security Officer, about the importance of cybersecurity within the team and the role Arctic Wolf plays in this regard.
Hazelton has been part of the world of motorized sports for about 25 years. He has been involved with the racing team now called Oracle Red Bull Racing since its inception. The 2024 car has been given the type number RB20. So that means he has been working there for just under 20 years (the RB1 dates back to 2005). There is a very good reason for that, by the way. According to him, it is still a very interesting world to work in. At least the laser focus of doing “only the things that make the car go faster” never makes it boring.
Hazelton did see a marked shift about a decade ago in where priorities lie when it comes to IT-related investments. Whereas before it was mostly about having the best performing IT infrastructure possible, a decade ago it clearly shifted to cybersecurity. That hasn’t changed since then. It has only become more important.
A (successful) team like Oracle Red Bull Racing is an interesting target. Initially, it was for attackers looking to steal Intellectual Property (IP). Back then it was mainly about insider threats and the risk of leaking IP. In recent years, that has clearly shifted to ransomware and the threats it poses to the entire organization. Furthermore, he also sees that the risk profile of Oracle Red Bull Racing as a company has risen sharply, and the increasing professionalism of the attackers is increasingly noticeable. “It is no longer a hobbyist attacking an organization,” he states.
Focus hasn’t changed, so cybersecurity must keep up
The above development in the cybersecurity landscape is problematic for all organizations. For an organization like Oracle Red Bull Racing, however, it may be just a little more so. That’s because the team’s focus remains the same, Hazelton says: “We still try to focus on doing the things that make the car go faster.” That makes it a harder sell internally, because he is not offering the people working there a much faster compute cluster, for example, but a more secure digital environment. At least on paper, that clashes quite a bit with the speed Oracle Red Bull Racing as a whole is aiming for. Secure and fast are not always compatible with each other.
At ORBR, however, secure and fast go hand in hand, we hear from Hazelton. This is largely due to the people who work there. They are usually very well versed in IT and work with an enormous passion and focus to move forward as quickly as possible. This is certainly not easy, he immediately admits. Just think of the logistics surrounding an F1 team. So much has to be arranged around routes, trucks, transport, hotels, visas and so on. Securing this properly is no easy task, especially when the natural tendency is to always go for the fastest solution.
Not knowing what you don’t know
Hazelton states that Oracle Red Bull Racing is a relatively mature organization from a cybersecurity standpoint. “We understand the risks and the threats. We know where the gaps are and which controls we have in place,” he indicates. They also test their environment regularly, measuring themselves against standards and best practices in cybersecurity.
The above is undoubtedly a good idea. However, this assumes ‘the known’. And that is precisely not where the biggest threats usually come from. It doesn’t say everything an organization like Oracle Red Bull Racing wants to know. Hazelton understands that, too: “Even if you think you’re in a good state, you don’t know what you don’t know.”
To find out what they didn’t already know, Oracle Red Bull Racing partnered with Arctic Wolf. It gives Arctic Wolf access to the entire network. The cybersecurity company’s tools and people get access to all the metadata from that network and analyze it. This is how Oracle Red Bull Racing find out things they didn’t already know, such as a vulnerability in a firewall that they had missed.
Oracle Red Bull Racing can also run much more frequent tests to check how secure the environment is thanks to Arctic Wolf, we hear from Hazelton. “We now scan all exposed interfaces twice a week instead of twice a year,” he says. That’s a big difference. A major reason for this is also that these tests produce meaningful results. Arctic Wolf creates little to no noise, something that other solutions Oracle Red Bull Racing has worked with did suffer from quite a bit. He specifically mentions SIEM solutions in this case. These can certainly be interesting after something has happened, but are not very useful if you want to intervene earlier.
A billion items in ten days: 10-15 alerts per week
Arctic Wolf is not a passive platform. That is, it doesn’t wait for something to pass by. It actively searches for it. The platform needs agents and sensors running across the network on endpoints. That is fundamentally a problem for Oracle Red Bull Racing. “We’ve always been very sensitive about agents on our machines,” Hazelton points out. There’s good reason for that. After all, Oracle Red Bull Racing is all about speed, including for the servers and other equipment the team uses. “We tend to make our machines work very hard,” he sums up. Anything that causes the performance to drop is undesirable.
When Oracle Red Bull Racing started using Arctic Wolf in their environment, they didn’t notice any adverse effects because of the agents. Agents and sensors were very quickly incorporated into the various environments, including the wind tunnel. Soon, hundreds of thousands of data points were on their way to Arctic Wolf from Oracle Red Bull Racing for analysis. Pretty soon, this gave it insights it didn’t have before. “Arctic Wolf’s SOC picked up things that we thought we knew, but still weren’t logging as such,” Hazelton points out. More importantly, the number of false positives was and is virtually zero. That’s a very important metric for security tools. You don’t want to waste time on alerts that aren’t worth it.
So what does come through? Not a whole lot, and that’s a good thing. Oracle Red Bull Racing sends no fewer than 1 billion items to Arctic Wolf every 10 days. That results in about 10 to 15 alerts every week. Most of these are also very quick to resolve, according to Hazelton.
Good match between Oracle Red Bull Racing and Arctic Wolf
The above definitely sounds good, but does the choice of Arctic Wolf ensure that Hazelton now knows what he didn’t know he didn’t know before. “It’s in my nature to always be suspicious,” he states, indicating that he will always be critical of Arctic Wolf’s performance. However, he also indicates that Arctic Wolf’s coverage is very good and that it regularly detects changes that Oracle Red Bull Racing had deliberately not communicated in advance. “Does Arctic Wolf know everything? Probably not, but they are up there with the best of them,” Hazelton summarizes.
Yet the reason for going for Arctic Wolf in the first place was not necessarily driven by technical considerations. Oracle Red Bull Racing found Arctic Wolf’s approach particularly interesting because the security company was then just starting out in Europe. Arctic Wolf was very honest about the solution it offered and the roadmap. That gave confidence to work on a long-term partnership.
Confidence was something Hazelton also needed, because he had been wavering for some time between doing security himself or outsourcing through an MDR service. Arctic Wolf offers both. That is, Oracle Red Bull Racing use Arctic Wolf’s MDR service, but they still also have access to the data themselves. This is important to Oracle Red Bull Racing because it also likes to do its own risk analysis. In addition to MDR, the team also use the Managed Vulnerability service from Arctic Wolf. This allows you to determine where vulnerabilities are in the organization. Incident Response (IR) has since been added as well. This is how Arctic Wolf continues to add value, as Hazelton calls it.
Taking responsible risks
Ultimately, as stated several times, Oracle Red Bull Racing is all about speed. Not only of the cars, but also of what is happening in the background. Sometimes things simply have to happen very quickly. That comes with risks, also in terms of cybersecurity. “If we think we can win the next race, we may need to take a certain level of risk,” according to Hazelton. They can only do that if they can also be sure that the security tooling they are using can handle it.
Hazelton notes that Oracle Red Bull Racing certainly also challenges the people at Arctic Wolf’s SOC to look at certain things just a little more closely. After all, it’s not an everyday environment. Oracle Red Bull Racing does almost everything itself, from design, through prototyping, manufacturing and testing to logistics. Then you run into things quite often. However, he has seen that Arctic Wolf can handle this challenging environment. That, in turn, gives Oracle Red Bull Racing the confidence to take responsible risks in all of the stages mentioned above to make the car go faster.
Finally, Arctic Wolf’s presence at Oracle Red Bull Racing also gives Hazelton peace of mind. Of course, it helps that nothing of any significance has happened, so it all seems to be functioning well. It is of course difficult to judge whether Arctic Wolf provides better protection than others. Still, he is confident enough to say that doesn’t think it’s “pure luck that we have not been hacked in the last few years.” That also seems to indicate that Arctic Wolf has discovered and plugged quite a few potential holes and loopholes.
Of course, choosing Arctic Wolf does not in itself ensure that Oracle Red Bull Racing wins races. However, Arctic Wolf is an important link in the whole chain, if we hear Hazelton like this. Arctic Wolf’s risk-based approach is an excellent fit for the fast-paced environment Oracle Red Bull Racing operates in, in which it must frequently take risks. Not only on the track, but certainly off it as well.
Also read: ‘Humans are the strongest link in the security chain’
Photographer credit:
Will Cornelius / Content Pool
19 hours ago
