The Red Sox Cloud Security Game


The Boston Red Sox might be near the top of the American League East in the baseball standings right now, but the team is also going for a cybersecurity pennant. With a comprehensive strategy of moving its mission-critical operations to a software-as-a-service (SaaS) model and embracing the Internet of Things (IoT) at Fenway Park, the team is swinging for the fences when it comes to building a max-secure cloud operation.

At first glance, it would look to be a quixotic goal: As an organization, the Red Sox have about 450 full-time employees across its corporate, stadium-based, and fan-facing personnel, with another 1,500 seasonal workers hired annually. Out of those, just one person is dedicated full time to information security, while Randy George, vice president of technology operations and information security for the team, spends roughly a quarter of his time on it. In addition, the IT staff is supported by one or two security interns at any one time.

But while that sounds under-resourced, the club is able to punch above its weight thanks, in part, to cybersecurity resources put into place by the broader Major League Baseball (MLB) organization. The league developed a program in the wake of the 2013-2014 hack of the Houston Astros by a former Saint Louis Cardinals exec, who stole confidential information that included lists of eligible players, trade discussions, player evaluations, and an incomplete 2014 team draft board.

“The MLB now brings broad capabilities to bear in the form of a comprehensive cybersecurity program that’s available to all 30 clubs,” George explains. “The Houston Astros scouting system hack was a real black eye that woke everyone up to the fact that we needed to prioritize cyber funding to protect our businesses properly.”

Among other things, the program allows teams to collectively bargain for the procurement of market-leading tooling that George says the Red Sox “would never be able to afford otherwise.” It also offers a raft of expertise, threat intelligence, and other resources that teams can lean on to augment their internal capabilities.

In general, George says that the Red Sox’s particular security apparatus is a dynamic one. New tools and partners are being swapped in and out to meet changes in the team’s risk profile, and fortunately, he says, the Red Sox leadership is all in for funding whatever the club needs.

“We have a cyber program here that we’re really proud of, but it can always be better because determined attackers will find a way to compromise our environment,” George says. “With all the tools that we have in place and the partnerships we have, we feel really good about our posture today, but it’s constantly evolving, for sure.”

Covering the Bases: A Unique Set of Security Priorities

In order to understand the security investments and priorities of the club, it’s important to understand the type of data and network topology it’s looking to secure — and that’s a little different from the typical midsize enterprise environment. The team essentially has three core concerns: safeguarding its intellectual property (IP), ensuring fan privacy and compliance with various regulations, and protecting its extensive IoT network and, by extension, physical assets and people.

Regarding the first point, George says that protecting sensitive business data and internal baseball systems like those that were hacked at the Astros is Job 1.

“The crown jewels for us are the IP we hold in the form of scouting data, player development data, and team information,” he explains. “We tend to overcommunicate in this business with email, and we’re not unusual in that respect, but securing all of those systems that contain sensitive competitive data is really important.”

But while locking down the information that helps the team gain an edge on the baseball diamond is critical, George notes that the Red Sox have different identities that drive the aforementioned compliance and privacy concerns. For instance, it’s an employer that provides sports-related medical care by physicians on staff, so it’s subject to HIPAA regulations. At the same time, it’s a consumer-facing retail operation, so complying with PCI DSS requirements for payment-card data is constantly top-of-mind. In addition, non-federal data-privacy statutes constitute a patchwork of differing requirements depending on the state — and fans are demanding more control over how the Red Sox house and use their information.

All of that has made it necessary to implement a broad compliance and privacy program for data protection, according to George.

“We are dedicated to making sure everyone is properly handling the sensitive data that they’re custodians of, but we’ve pivoted a little bit and are now building a data privacy program within our club that allows us to get more advanced — for instance, fulfill any customer requests that come down the pike for discovering their customer records or removing them to the degree that customers choose to do that,” he explains.

Physical Security Dimensions at Fenway Park

Meanwhile, the Red Sox organization also has an important and unique physical concern to worry about: securing operations at the iconic Fenway Park in Boston, along with protecting the safety of millions of people who pass through the stadium gates every summer.

Fenway may have been built in 1912 (and the contours of the place look much the same as they did more than 100 years ago), but underneath it all lies a thoroughly modern smart stadium. As has been the trend with building new venues for the FIFA World Cup, fitting out stadia for the Super Bowl and more, smart capabilities have been engineered into updates to Fenway.

“Smart-stadium technology is a big deal,” George explains. “We’re doing the best that we can to deliver a world-class fan experience in an efficient way. So increasingly a lot of our tech that runs in the park is connected to the network now; things like irrigation sensors, surveillance, access control, concession technology. We even have an IoT device that’s connected to the network that cools our baseballs to a certain temperature — like a humidor for baseballs. There are just gadgets popping up all over the place.”

All of that means more efficiency, but the trade-off is that a well-planned hack of the IoT network can lead to physical disruption to the ballpark’s systems and its ability to operate.

George notes that the Red Sox have an ongoing Dark Web- and social media-monitoring program via a partnership that looks for potential physical threats to the venue, employees, players, or fans. But gaining internal IoT visibility requires a different kind of diligence, including keeping an up-to-the-minute inventory of what endpoints or sensors are on the network, who or what system uses them, and how secure they are.

“We’re incessantly vulnerability-scanning and pen-testing our own environment to stay ahead of the bad guys who want to use something as a beachhead to compromise the environment and move laterally,” he says. “So we are just running constant scans to figure out what’s happening … and it’s a grind.”

Developing a Comprehensive Security Playbook in the Cloud

In order to meet its three core security challenges, the Red Sox, with outfield assists from the MLB and various vendor partners, are focused on a set of key initiatives, starting with moving mission-critical systems to the cloud and implementing zero-trust capabilities for identity and access management (IAM) to those systems.

“We’re having to expand the scope of our security program around all of those cloud environments, layering in threat intel for our identity providers, ensuring we have proper data protection in place, and making sure that we’re extending our vulnerability and pen-testing capabilities to those cloud environments,” George says. “But we have a big zero trust push here.”

One of the team’s basic nods to zero trust is requiring multifactor authentication (MFA) for all cloud systems and apps, but, George says, MFA can interfere with productivity. So the team has made a conscious choice to use a variety of MFA approaches, including layering in Okta FastPass, implementing biometrics like the Windows Hello fingerprint sensor, YubiKey hardware tokens, and “every kind of tool we have at our disposal to maintain the security level of our mission critical systems but make it easier for employees to consume cloud services.” George adds that refining the MFA strategy is a key initiative for the year.

With most systems existing in a cloud model, one tool that goes towards zero-trust from “a really cool niche provider” is a security control framework that layers on top of the Red Sox’ existing IAM system. It identifies issues with permissions and can flag whether something potentially happened by accident, or if it’s likely malicious authentication activity threatening applications.

“The identity management platform is really the center of our universe, if you think about how everyone accesses their data and applications in the cloud, but it’s not necessarily designed to report on anomalous security incidents,” George explains. “So having a security layer on top of it has been really great.”

The Red Sox also just brought in a provisioning platform that sits on top of various management platforms, and allows managers around the business to auto-approve access to certain critical SaaS applications based on policies and trust factors — thus driving more productivity.
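As an added illustration of the policy-and-trust-factor approval described above, the following is a constructed example, not the Red Sox’s code or any vendor’s product: it folds the MFA method used, device posture and an anomaly signal from an identity-monitoring layer into a single access decision for a SaaS application request. The strength tiers, thresholds and the `AccessRequest` fields are assumptions made for the example.

```python
"""Illustrative zero-trust access decision (constructed example, not the Red Sox's
or any vendor's code). Combines the MFA method used, device posture and an
anomaly signal from an identity-monitoring layer into a decision for a SaaS
application request: auto-approve, route to a manager, or deny."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    AUTO_APPROVE = "auto-approve"
    MANAGER_REVIEW = "manager-review"
    DENY = "deny"


# Assumed strength tiers: phishing-resistant, device-bound factors (Okta FastPass,
# Windows Hello, YubiKey) outrank push/TOTP, which outrank SMS codes.
MFA_STRENGTH = {
    "okta_fastpass": 3, "windows_hello": 3, "yubikey": 3,
    "push": 2, "totp": 2, "sms": 1, "none": 0,
}


@dataclass
class AccessRequest:
    user: str
    app: str
    app_critical: bool      # mission-critical SaaS app?
    mfa_method: str
    managed_device: bool    # enrolled, compliant endpoint?
    anomaly_score: float    # 0.0-1.0, e.g. from the IAM monitoring layer


def trust_score(req: AccessRequest) -> int:
    """Additive trust: factor strength, plus managed device, minus anomaly."""
    score = MFA_STRENGTH.get(req.mfa_method, 0)
    if req.managed_device:
        score += 1
    if req.anomaly_score >= 0.5:   # anomalous authentication erodes trust
        score -= 2
    return score


def decide(req: AccessRequest) -> Decision:
    """Critical apps need a higher bar to auto-approve; marginal cases go to a manager."""
    if req.mfa_method == "none" or req.anomaly_score >= 0.9:
        return Decision.DENY            # hard stops: no MFA, or strongly anomalous
    score, needed = trust_score(req), (4 if req.app_critical else 2)
    if score >= needed:
        return Decision.AUTO_APPROVE
    return Decision.MANAGER_REVIEW if score >= needed - 2 else Decision.DENY
```

The same request that auto-approves on a managed device with a YubiKey drops to manager review once the monitoring layer reports an anomaly, which is the kind of signal the identity layer alone does not surface.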

And indeed, another key initiative for 2024 is “putting our security program on cruise control where possible and improving level of kind of automation that’s involved with it,” George notes — in other words, artificial intelligence will soon be at bat.

To that end, the team is constructing an AI roadmap for Fenway first and foremost: taking stock of the IoT that exists in the stadium, as well as leveraging AI to identify threats to the venue, identify children while they’re traversing the stadium, and to help improve the fan experience. For instance, most of the inventory visibility, patch assessments, and asset management “grind” that George mentioned could be addressed with automation via AI.

“The trick for us though is how do we develop a policy framework to govern the use of all those AI tools,” George says. “We need to formulate a strategy on the use of AI tooling so that we’re not exposing sensitive data to some public facing GPT engine, or worse.”

To kickstart the initiative, the Red Sox assembled a strategy team that went out to the marketplace and performed an opportunity assessment on the different ways the team could use AI — encompassing employee productivity, venue security, and generating revenue.

Fenway Sports Group: Taking a Broader View

Going forward, the team is hoping to work with the other organizations that reside under the umbrella of its parent organization, the Fenway Sports Group. Fellow FSG denizens include the English Premier League’s Liverpool Football Club (the Reds); the Pittsburgh Penguins hockey franchise; Boston Common Golf; and New England’s regional sports TV network, NESN.

“We’re trying to look things through the Fenway Sports Group prism, which is evolving into a proper operating company,” explains George. “That gives us an opportunity to engineer a central cyber capability that we can leverage across all the different properties, sort of a mini version of what the MLB has done for all the clubs.”

One major driver for the initiative is information sharing; if everyone uses the same tooling, with the same inputs, it allows the different companies to “protect each other, and share information in real time with almost a crowdsourced model,” George says. “Ideally all the different portfolio properties can tap into the same set of capabilities, and we can spread those capabilities out laterally.”

Embracing Managed Partnerships

And finally, the club plans to lean into managed partnerships as it continues to expand its security focus.

For instance, it recently formed a partnership with Centripetal, which offers a threat intelligence appliance that proactively blocks inbound and outbound attacks, augmented with a virtual security operations center (vSOC) and automated threat intelligence.

“With one security person here on staff, having almost a redundant SOC that comes in the form of the incident responders and forensics folks that Centripetal layers on top of its hardware solution that sits in front of my firewall is a really powerful combination,” George says. “I have a second set of active eyeballs that’s looking at my environment, which deals with 200 million incidents per day.”

Jonathan Rogers, Centripetal COO, said that the Red Sox are facing a common challenge when it comes to “tooling up” to stay ahead of the threat landscape.

“Everybody in the industry is facing this choice of are we going to buy an infinite amount of SIEM capacity, all manner of disparate detection tools, stitch them together, hire out an endless staffing of 24-by-seven SOC operations, and try to run this trailing security operation?” he asks rhetorically. “And are we going to do that in the era of IoT, where we really need to have zero trust all the way down to the packet level? I mean, that’s an enormous challenge, even if you had the collective intelligence of the entire security community. Managed partnerships are necessary.”