Infrastructure & Security
The two-year engagement transformed the global security operations and endpoint infrastructure for Kobalt Music Group, shifting the music technology company's posture from reactive firefighting to mature, automated, and governed security delivery.
The Challenge
As the Security Engineer engaged by Kobalt Music Group, Brian started with no security monitoring capability at all. The rapidly scaling global business had acquired music rights, expanded offices, and onboarded new platforms without deploying corresponding security infrastructure. Unmanaged endpoints, no detection layer, and no log pipeline left a growing attack surface exposed.
- No centralised detection or visibility existed; a threat could move across the estate unobserved.
- The endpoint environment was fragmented and manually managed, with inconsistent configurations, no standard build, and no application control.
- No structured event data fed into any logging or SIEM platform, leaving security operations blind.
- The same local administrator password was in use on every endpoint, so a credential or hash harvested from one machine opened all the others: a persistent, unresolved lateral movement risk.
- Third-party penetration test findings existed only as documented reports rather than as a systematically tracked remediation pipeline.
- The business had no tested incident response capability, a gap exposed when the Petya ransomware outbreak struck mid-engagement.
The Approach
The operational strategy broke the engagement down into four concurrent, mutually reinforcing workstreams: detection and monitoring, endpoint engineering, identity hardening, and operational resilience.
Workstream 1 — Detection & Monitoring Stack
A security monitoring capability was built from the ground up. A full Secureworks managed detection stack was rolled out across all global offices, using iSensor network intrusion appliances tuned methodically to cut false-positive chatter and sharpen signal quality. Carbon Black Defense brought endpoint detection and response to a previously unmonitored estate. Cisco Umbrella added a DNS-layer control, blocking resolution of known-malicious domains so that command-and-control callbacks and payload downloads fail before a connection is ever made. To replace point-in-time assessments, Qualys delivered continuous vulnerability scanning.
To feed structured event data into centralised logging, Snare log collectors were deployed across the estate. They normalised and forwarded critical security events into a purpose-built Splunk SIEM, establishing a single source of truth for security operations.
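The value of that pipeline is the correlation it allows once Windows Security events from every host land in one place. The script below is an added example, not code from Kobalt or from Brian's engagement: it parses Snare-for-Windows tab-delimited event lines and flags the pattern a shared local administrator password enables, one local account authenticating over the network (logon type 3) to several hosts in a short window. The field positions follow Snare's documented layout and are an assumption to confirm against the deployed agent version; all sample lines are constructed, and the function and parameter names are the example's own.

```powershell
# Added example (not Kobalt's or Brian's code): correlation over Snare-for-Windows event lines.
# Snare emits one tab-delimited line per event; the field positions below follow Snare's
# documented layout (an assumption to confirm against the deployed agent). Samples are constructed.

function ConvertFrom-SnareLine {
    param([Parameter(Mandatory)][string]$Line)
    $f = $Line -split "`t"
    if ($f.Count -lt 15 -or $f[1] -ne 'MSWinEventLog') { return $null }
    # Snare timestamps look like 'Tue Jun 27 10:02:11 2017'; single-digit days are space-padded
    $when = [datetime]::ParseExact(($f[5].Trim() -replace '\s+', ' '),
                                   'ddd MMM d HH:mm:ss yyyy', [cultureinfo]::InvariantCulture)
    [pscustomobject]@{
        Agent    = $f[0]                  # host running the Snare agent
        Time     = $when
        EventID  = [int]$f[6]
        Computer = $f[11].Split('.')[0]   # ComputerName, with any DNS suffix stripped
        Expanded = $f[14]                 # ExpandedString: the rendered event message
    }
}

function Get-NewLogonFields {
    # A 4624 message carries two 'Account Name:' blocks (Subject, then New Logon);
    # the last match is the account that actually logged on.
    param([Parameter(Mandatory)][string]$Text)
    $names   = [regex]::Matches($Text, 'Account Name:\s*(\S+)')
    $domains = [regex]::Matches($Text, 'Account Domain:\s*(\S+)')
    $type    = [regex]::Match($Text, 'Logon Type:\s*(\d+)')
    $src     = [regex]::Match($Text, 'Source Network Address:\s*(\S+)')
    if ($names.Count -eq 0 -or $domains.Count -eq 0 -or -not $type.Success) { return $null }
    [pscustomobject]@{
        Account   = $names[$names.Count - 1].Groups[1].Value
        Domain    = $domains[$domains.Count - 1].Groups[1].Value
        LogonType = [int]$type.Groups[1].Value
        Source    = if ($src.Success) { $src.Groups[1].Value } else { '-' }
    }
}

function Find-SharedLocalAdminLogons {
    # Flags a LOCAL account (Account Domain equals the target computer name) authenticating
    # over the network (logon type 3) to $MinHosts or more distinct hosts within $WindowMinutes.
    param([string[]]$Lines, [int]$MinHosts = 3, [int]$WindowMinutes = 30)
    $hits = foreach ($line in $Lines) {
        $ev = ConvertFrom-SnareLine $line
        if (-not $ev -or $ev.EventID -ne 4624) { continue }
        $lf = Get-NewLogonFields $ev.Expanded
        if ($lf -and $lf.LogonType -eq 3 -and $lf.Domain -ieq $ev.Computer) {
            [pscustomobject]@{ Time = $ev.Time; Account = $lf.Account; Computer = $ev.Computer; Source = $lf.Source }
        }
    }
    $hits | Group-Object Account | ForEach-Object {
        $g     = @($_.Group | Sort-Object Time)
        $hosts = @($g.Computer | Sort-Object -Unique)
        $span  = ($g[-1].Time - $g[0].Time).TotalMinutes
        if ($hosts.Count -ge $MinHosts -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Account = $_.Name
                Hosts   = $hosts -join ','
                Sources = (@($g.Source | Sort-Object -Unique) -join ',')
                Minutes = [math]::Round($span, 1)
            }
        }
    }
}

# --- constructed sample data (not real Kobalt telemetry) ---------------------------------
function New-SampleLine {
    param($Computer, $Time, $Account, $Domain, $Type, $Source)
    $msg = "An account was successfully logged on. Subject: Account Name: - Account Domain: - " +
           "Logon Type: $Type New Logon: Account Name: $Account Account Domain: $Domain " +
           "Source Network Address: $Source"
    @($Computer.ToLower(), 'MSWinEventLog', '1', 'Security', '100', $Time, '4624',
      'Microsoft-Windows-Security-Auditing', 'N/A', 'N/A', 'Success Audit', $Computer,
      'Logon', '', $msg, '0') -join "`t"
}

$Sample = @(
    # one local 'Administrator' reaching four workstations from a single source in six minutes
    New-SampleLine 'WKS-LON-01' 'Tue Jun 27 10:02:11 2017' 'Administrator' 'WKS-LON-01' 3 '10.20.5.44'
    New-SampleLine 'WKS-LON-02' 'Tue Jun 27 10:03:40 2017' 'Administrator' 'WKS-LON-02' 3 '10.20.5.44'
    New-SampleLine 'WKS-LON-07' 'Tue Jun 27 10:05:02 2017' 'Administrator' 'WKS-LON-07' 3 '10.20.5.44'
    New-SampleLine 'WKS-NYC-03' 'Tue Jun 27 10:08:19 2017' 'Administrator' 'WKS-NYC-03' 3 '10.20.5.44'
    # benign: a domain account over the network, and an interactive (type 2) local logon
    New-SampleLine 'WKS-LON-02' 'Tue Jun 27 10:04:00 2017' 'jsmith'        'CORP'       3 '10.20.5.19'
    New-SampleLine 'WKS-LON-05' 'Wed Jun  7 09:00:00 2017' 'Administrator' 'WKS-LON-05' 2 '-'
)

Find-SharedLocalAdminLogons -Lines $Sample | Format-Table -AutoSize
```

Only the fan-out by the local Administrator account is reported; the domain logon and the interactive local logon are ignored. In Splunk the same logic is a `stats dc(ComputerName) min(_time) max(_time) by Account` over `EventCode=4624 Logon_Type=3` where the account domain equals the host, but having it in script form is useful for triage exports and for testing the correlation against known-good samples before it goes into the SIEM. Once LAPS is in place, this pattern should disappear from the estate, which makes it a good control-effectiveness check as well as a detection.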
Workstream 2 — Endpoint Engineering & Hardening
A modern, automated deployment pipeline built on Microsoft Deployment Toolkit (MDT) and PDQ Deploy addressed endpoint fragmentation. Repeatable automation replaced inconsistent manual procedures, cutting build times and enforcing an identical configuration across every managed device.
Three long-standing exposures were closed in this workstream. First, AppLocker whitelisting restricted execution to approved software, so unapproved executables, including droppers landed by phishing, are blocked rather than run; this closed a gap that had existed since the estate's inception. Second, BitLocker full-disk encryption protected data at rest, with recovery keys escrowed to Active Directory so a locked or lost device does not mean lost data. Finally, the Local Administrator Password Solution (LAPS) eliminated the shared local administrator password. By setting a unique, automatically rotated password on each machine and storing it in Active Directory, LAPS severed one of the most reliable lateral movement paths in a Windows estate: a local administrator hash or password harvested from one host no longer works on any other. Additionally, a governed WSUS patch infrastructure brought Windows updates under coordinated control.
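Rolling these controls out is one thing; proving they reached every workstation is the evidence the handover table needs. The script below is an added example, not Kobalt's or Brian's code: it reads Active Directory for the traces the 2017-era (ms-Mcs-* schema) LAPS and BitLocker AD escrow leave on each computer object, and separately reports AppLocker enforcement mode on an endpoint. It assumes a domain-joined admin host with the ActiveDirectory RSAT module; `$SearchBase` is a placeholder OU and the function names are the example's own.

```powershell
# Added example (not Kobalt's or Brian's code): measuring LAPS, BitLocker escrow and AppLocker
# coverage. Run from a domain-joined admin host with RSAT; $SearchBase is a placeholder to adjust.
#Requires -Modules ActiveDirectory

function Get-EndpointControlCoverage {
    param(
        [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example',  # assumption: your workstation OU
        [int]$StaleDays = 30                                          # skip machines not seen recently
    )
    $nowUtc = (Get-Date).ToUniversalTime()
    $stale  = (Get-Date).AddDays(-$StaleDays)

    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate, OperatingSystem

    foreach ($c in $computers) {
        if ($c.LastLogonDate -and $c.LastLogonDate -lt $stale) { continue }

        # Legacy LAPS writes the next rotation time as a FILETIME; empty means the client-side
        # extension has never applied on this machine (the shared password is probably still there).
        $raw    = $c.'ms-Mcs-AdmPwdExpirationTime'
        $expiry = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }

        # BitLocker AD escrow stores each recovery password as an msFVE-RecoveryInformation
        # child object directly under the computer object.
        $keys = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                    -Filter 'objectClass -eq "msFVE-RecoveryInformation"')

        [pscustomobject]@{
            Computer      = $c.Name
            OS            = $c.OperatingSystem
            LapsManaged   = [bool]$expiry
            LapsOverdue   = ($expiry -and $expiry -lt $nowUtc)   # set but past due: rotation not happening
            BitLockerKeys = $keys.Count
            LastLogon     = $c.LastLogonDate
        }
    }
}

function Test-AppLockerEnforced {
    # Runs ON an endpoint (directly or via Invoke-Command). 'AuditOnly' is the common
    # half-finished state that logs but still allows unapproved executables to run.
    $policy = Get-AppLockerPolicy -Effective
    foreach ($rc in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection = $rc.RuleCollectionType
            Mode       = $rc.EnforcementMode
            Enforced   = ($rc.EnforcementMode -eq 'Enabled')
        }
    }
}

$coverage = @(Get-EndpointControlCoverage)
$coverage | Sort-Object LapsManaged, BitLockerKeys | Format-Table -AutoSize

$gaps = @($coverage | Where-Object { -not $_.LapsManaged -or $_.LapsOverdue -or $_.BitLockerKeys -eq 0 })
'{0} of {1} active workstations lack LAPS, have an overdue rotation, or have no escrowed BitLocker key' -f $gaps.Count, $coverage.Count

Test-AppLockerEnforced | Format-Table -AutoSize
```

Two caveats a practitioner would check. The presence of an msFVE-RecoveryInformation object proves a key was escrowed at some point, not that it matches the protector currently on the volume; the object's name contains the recovery password ID, which can be compared with the KeyProtector IDs from Get-BitLockerVolume on the host. And the modern Windows LAPS (2023) uses the msLAPS-PasswordExpirationTime attribute instead of ms-Mcs-AdmPwdExpirationTime, so the property name must change for estates that have migrated.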
Workstream 3 — Identity, JML & Administrative Automation
A custom Google Apps Script integration automated the Joiners, Movers, and Leavers (JML) lifecycle end to end. The automation removed manual handoff errors, eliminated the lag in disabling leavers' accounts, and cut administrative overhead while applying policy consistently at scale.
Workstream 4 — Incident Response & Resilience
The Petya ransomware outbreak tested the work in progress under live conditions. The response contained the outbreak, identified affected systems, and applied immediate hardening. The still-new detection and endpoint control layers provided the visibility needed to scope the threat accurately and halt lateral spread before the business suffered catastrophic disruption.
Throughout the engagement, a live remediation programme drove third-party penetration test findings out of passive reports and into closed, verified status, with a tracked owner and deadline for each gap.
Programme Metrics
| Capability / Control | State at Engagement Start | State at Handover |
|---|---|---|
| Centralised security monitoring (SIEM) | None | Splunk deployed & operational |
| Managed detection coverage | None | Secureworks stack (all global offices) |
| Endpoint detection (EDR) | None | Carbon Black Defense (full estate) |
| DNS-layer security | None | Cisco Umbrella deployed |
| Endpoint build process | Manual, inconsistent | Automated pipeline (MDT + PDQ Deploy) |
| Shared local admin credentials | Present across estate | Eliminated via LAPS |
| Application execution control | None | AppLocker whitelisting enforced |
| Incident response - tested capability | Untested | Proven under live Petya conditions |
The Results
- The security monitoring capability went from zero to a fully operational global function, with detection, logging, endpoint control, and vulnerability management across the entire estate.
- LAPS enforcement eliminated the shared local administrator risk, closing one of the most exploited lateral movement paths in enterprise Windows environments.
- The automated MDT/PDQ Deploy pipeline made the build process auditable and embedded the security baseline into every new deployment.
- A live remediation lifecycle moved third-party penetration test findings out of untracked documents and into a closed, evidenced resolution state.
- Scripted JML automation removed human error from handoffs and the deprovisioning lag that otherwise leaves former employees' accounts active in corporate systems.
Business & Security Impact
- Containing the Petya outbreak live demonstrated the immediate return on the new detection stack. Halting the spread early avoided the kind of outage that industry averages for ransomware incidents put at 11–27 days of downtime and total costs above $5.1 million for unprotected businesses.
- Security built in a lab remains theoretical; the architecture designed during this engagement was validated under a live attack. The infrastructure held through the outbreak, demonstrating that Brian's controls scale to protect a high-growth corporate environment without blocking the business.
This battle-tested outcome underscores Brian's core capability: architecting and operating resilient, high-visibility security frameworks that hold under enterprise-level pressure.