
XDR That Never Leaves the Terminal

At a glance

CLIENT

A travel retail group

SERVICE

  • Managed Detection & Response, Digital Risk Management, Cloud & Data Security

INDUSTRY

  • Consumer / Travel & Hospitality

The client operates more than 1,000 travel retail stores across airports, rail hubs and tourist locations in over 20 countries. The environment includes 35,000+ endpoints (POS terminals, workstations, handhelds), multiple e-commerce sites, loyalty platforms and several regional data centres and cloud tenants. Before the programme, security was handled by regional IT teams using different tools and rules. On a typical day they saw over 3 million security events, but only a small fraction were reviewed, and mean time to detect (MTTD) for real incidents regularly exceeded 6–8 hours.

LeanCoded was engaged to design and run a global Managed XDR service. In under five months, we consolidated endpoint telemetry, cloud and network logs into a single XDR and SIEM platform, implemented use-case-driven analytics and automated playbooks, and took over 24/7 monitoring. Within the first year, the service covered 96% of endpoints and servers, reduced high-severity incident MTTD by 68% and cut overall security operations costs by approximately 30%, while giving the CISO a single view of risk across all regions.

From Fragmented Security Tools to Managed XDR

Too many tools, not enough signal

The travel retailer had accumulated more than ten different security products across regions: various endpoint agents, email gateways, firewalls, web proxies and cloud-native protections. Each generated its own alerts, dashboards and reports. Regional teams tuned rules locally; global security had no consistent way to correlate events between, say, an airport in Europe and a duty-free store in Asia. Investigations were manual: analysts exported logs into spreadsheets, chased IP addresses, and opened tickets by hand. False positives were common, and genuinely dangerous activity could stay unnoticed until a payment provider or airport partner reported suspicious behaviour.

Instead of building a full in-house SOC, the client chose to partner with LeanCoded as a cyber security service provider. The goal was to standardise telemetry, introduce a global rule set and run detection and response as a managed cyber security capability with clear SLAs, freeing regional IT teams to focus on availability and projects rather than constant alert triage.

Building a cloud-based XDR backbone

LeanCoded started with a compressed eight-week onboarding phase. We performed targeted cloud security assessments of the client’s main Azure and Microsoft 365 tenants, catalogued all log sources and defined a minimum set of feeds needed for global visibility: identity (Azure AD), endpoints, email, web, VPN and core retail applications. Using this inventory, we designed a single XDR architecture and migrated existing endpoint protections into one consolidated platform, rolling out standard sensor configurations across 30,000+ devices.

We then connected the XDR engine to a cloud SIEM, normalised events into a common schema and implemented an initial catalogue of 60+ detection rules focused on account compromise, lateral movement, POS malware, suspicious travel-related behaviour (for example, logins from unusual airport locations) and risky cloud app usage. At the same time, we built SOAR playbooks to automate routine responses such as host isolation, user lockouts and ticket creation, laying the foundation for a scalable managed detection and response service.
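The normalisation and rule-catalogue step described above, as an added illustration rather than LeanCoded's or the client's code: two constructed raw login feeds (a hypothetical identity-provider JSON record and a hypothetical VPN syslog line) are mapped into one common event schema, a per-user baseline of sites is built from a historical window, and a rule of the "login from an unusual airport location" kind fires only on successful logins from a site the user has never been seen at. All field names, site codes and user names are assumptions made for the example.

```python
# Added example (not the page's own code): common-schema normalisation plus an
# "unusual location" login rule. Record layouts and sample data are constructed.
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class LoginEvent:
    user: str    # normalised identity (lower-cased UPN)
    site: str    # airport / hub code the login originated from
    result: str  # "success" or "failure"
    source: str  # which raw feed produced the event


def normalise_idp(rec):
    # Hypothetical identity-provider record: {"upn": ..., "location": ..., "status": "0"|"1"}
    return LoginEvent(user=rec["upn"].lower(), site=rec["location"],
                      result="success" if rec["status"] == "0" else "failure",
                      source="idp")


def normalise_vpn(line):
    # Hypothetical VPN syslog line: "vpn-gw site=LHR user=a.smith@example.com auth=OK"
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return LoginEvent(user=fields["user"].lower(), site=fields["site"],
                      result="success" if fields["auth"] == "OK" else "failure",
                      source="vpn")


def build_baseline(events):
    """Per-user set of sites seen in successful logins during the baseline window."""
    seen = defaultdict(set)
    for e in events:
        if e.result == "success":
            seen[e.user].add(e.site)
    return seen


def unusual_location_logins(baseline, events):
    """Rule: successful login from a site the user has never used before."""
    return [e for e in events
            if e.result == "success" and e.site not in baseline.get(e.user, set())]


# Constructed baseline-window data from both feeds.
BASELINE_RAW_IDP = [
    {"upn": "A.Smith@example.com", "location": "LHR", "status": "0"},
    {"upn": "b.jones@example.com", "location": "CDG", "status": "0"},
]
BASELINE_RAW_VPN = [
    "vpn-gw site=LHR user=a.smith@example.com auth=OK",
    "vpn-gw site=FRA user=b.jones@example.com auth=OK",
]

# Constructed events for the detection window.
NEW_RAW_IDP = [
    {"upn": "a.smith@example.com", "location": "LHR", "status": "0"},  # known site
    {"upn": "a.smith@example.com", "location": "SIN", "status": "0"},  # never seen: alert
    {"upn": "c.lee@example.com", "location": "SIN", "status": "1"},    # failure: ignored by this rule
]
NEW_RAW_VPN = [
    "vpn-gw site=CDG user=b.jones@example.com auth=OK",    # known site
    "vpn-gw site=SIN user=b.jones@example.com auth=FAIL",  # failure: ignored by this rule
]


def run_example():
    """Normalise both feeds, build the baseline and return the rule's findings."""
    baseline_events = ([normalise_idp(r) for r in BASELINE_RAW_IDP]
                       + [normalise_vpn(l) for l in BASELINE_RAW_VPN])
    new_events = ([normalise_idp(r) for r in NEW_RAW_IDP]
                  + [normalise_vpn(l) for l in NEW_RAW_VPN])
    return unusual_location_logins(build_baseline(baseline_events), new_events)


if __name__ == "__main__":
    for alert in run_example():
        print(f"unusual location login: {alert.user} from {alert.site} via {alert.source}")
```

Because both feeds end up as the same `LoginEvent`, the rule reads identically whether the signal came from the identity provider or the VPN gateway, which is the point of the common schema. A never-seen-site rule on its own will also fire for legitimate staff travel; in a production catalogue it is usually combined with timing and distance checks and tuned against the seasonal baselines described later on this page.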

Fitting XDR into a High-Volume Retail Operation

Travel retail has strong seasonality and traffic spikes, from holiday peaks to major sporting events. XDR and SOC processes had to keep up without generating noise every time passenger volumes changed. LeanCoded worked with the client’s operations and risk teams to map typical patterns: check-in peaks, overnight restocking, settlement windows, store opening and closing schedules across time zones. These patterns were encoded as baselines in the detection logic to distinguish normal fluctuations from real anomalies.
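To make the baseline idea concrete, here is an added example (not LeanCoded's detection logic) of encoding operational patterns as per-slot baselines. Historical hourly counts of one event type at one store are grouped by a constructed (day kind, hour) slot such as "holiday, 08:00" or "weekday, 03:00"; each slot gets its own robust threshold (median plus a multiple of the median absolute deviation, with a floor for quiet slots). A holiday-sized peak is then normal during a holiday check-in hour but anomalous on an ordinary weekday, and a small overnight spike is caught even though it is tiny in absolute terms. A naive single global threshold is computed alongside for comparison. All counts and slot names are constructed.

```python
# Added example (not the page's own code): seasonality-aware baselines for
# detection thresholds. Slot names, history and observations are constructed.
import statistics

# Historical hourly counts of one event type at one store, keyed by
# (day_kind, hour). Five past observations per slot; constructed values.
HISTORY = {
    ("weekday", 8): [120, 130, 125, 118, 135],   # morning check-in peak
    ("weekday", 3): [2, 0, 1, 3, 1],             # overnight restocking window
    ("holiday", 8): [400, 420, 390, 410, 430],   # holiday-period peak
}


def build_baseline(history, k=3.0, floor=5):
    """Per-slot threshold = median + max(k * MAD, floor).

    MAD (median absolute deviation) is robust to the odd outlier in the
    history; the floor stops near-zero slots from alerting on a count of 2.
    """
    base = {}
    for slot, counts in history.items():
        med = statistics.median(counts)
        mad = statistics.median(abs(c - med) for c in counts)
        base[slot] = med + max(k * mad, floor)
    return base


def naive_threshold(history, k=3.0, floor=5):
    """One threshold over all history, ignoring the slot: for comparison only."""
    counts = [c for slot_counts in history.values() for c in slot_counts]
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts)
    return med + max(k * mad, floor)


def evaluate(baseline, observations):
    """observations: (day_kind, hour, count). Returns (slot, count, reason) findings.

    Slots with no baseline are surfaced rather than silently skipped, so a new
    operating pattern (a store opening a new shift, say) is noticed.
    """
    findings = []
    for day_kind, hour, count in observations:
        slot = (day_kind, hour)
        if slot not in baseline:
            findings.append((slot, count, "no_baseline"))
        elif count > baseline[slot]:
            findings.append((slot, count, "above_baseline"))
    return findings


# Constructed observations for the current period.
OBSERVED = [
    ("holiday", 8, 425),   # holiday peak within holiday baseline: quiet
    ("weekday", 8, 425),   # holiday-sized volume on a normal weekday: alert
    ("weekday", 3, 40),    # small in absolute terms, huge for overnight: alert
    ("weekday", 8, 138),   # busy but within weekday peak baseline: quiet
    ("weekday", 14, 50),   # slot never baselined: surfaced as no_baseline
]


def run_example():
    return evaluate(build_baseline(HISTORY), OBSERVED)


if __name__ == "__main__":
    print("global threshold (naive):", naive_threshold(HISTORY))
    for slot, count, reason in run_example():
        print(f"{slot}: count={count} -> {reason}")
```

With this history the naive global threshold lands at 497, so a single rule would miss both the weekday 425 and the overnight 40, while the per-slot baselines flag exactly those two and stay quiet for the genuine holiday peak. In practice the slot key would also carry the store or terminal, and the history window would roll forward so the baseline follows schedule changes.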

We also had to respect tight change windows at airports and rail hubs. XDR sensor rollouts were scheduled per terminal and per region, with pre-approved change bundles and rollback plans. Where network connectivity was limited or intermittent, such as in remote terminals, we used local buffering and minimal sensor footprints to avoid impacting point-of-sale performance. Over time, telemetry from all these locations fed into security analytics and data analytics consulting services used to refine rules, slash false positives and identify new high-value use cases.

What Changed for the Security and Operations Teams

Before, each region fought its own fires, working through queues of uncorrelated alerts and relying on informal processes. After the XDR rollout, the client has a single global picture of threats, standard processes and a partner providing 24/7 coverage.


  • Faster detection and triage
    Mean time to detect high-severity incidents dropped by 68% (from 6–8 hours to under 2 hours on average), and mean time to first response fell below 30 minutes.
  • Fewer blind spots
    Coverage increased to 96% of known endpoints and servers, up from roughly 75% before the project, with automatic alerts when new unmanaged devices appear.
  • Lower cost per monitored asset
    Consolidating tools and centralising operations reduced the combined cost of licences, infrastructure and staffing for security monitoring by around 30%, even as coverage and rule depth increased.
  • Less noise, more real incidents
    Fine-tuning rules and automating low-value alerts cut daily alert volumes by more than 40%, allowing analysts to focus on investigations that actually affect customer data and payment security.

How LeanCoded Delivers Managed XDR for Travel Retail

LeanCoded runs the XDR programme as a managed cyber security service, similar to a specialised managed cybersecurity service provider but tightly integrated with the client’s global and regional teams. We provide 24/7 monitoring, triage and containment, while the client retains control over risk appetite, major remediation decisions and regulatory reporting.

Our approach combines security engineering, operations and continuous improvement. Initial onboarding is driven by focussed cloud security assessments and connectivity reviews; ongoing service relies on incident metrics, threat intelligence and joint review sessions to evolve rules and playbooks. Where needed, we complement XDR with adjacent data security service capabilities, such as monitoring for suspicious data movements between airports, cloud platforms and payment providers. The result is a managed cyber security service that scales with the client’s store footprint and traffic patterns, without forcing them to build a large SOC team from scratch.

Tech Stack

  • Cloud-native XDR platform with endpoint sensors across workstations, POS and servers
  • Cloud SIEM for centralised log collection and correlation
  • SOAR engine for automated incident response and ticketing
  • Email security, web gateway and VPN telemetry integrated as data sources
  • Identity protection for on-prem and cloud directories
  • Threat intelligence feeds tailored to retail, travel and payment threats
  • Dashboards and reporting for security KPIs, SLA tracking and board-level summaries