
Enterprise Cybersecurity Transformation for Cornerstone Consulting Organization
Deploying a Full-Spectrum Security Operations Program Across a Distributed Consulting Workforce Serving the Defense Industrial Base
Cornerstone Consulting Organization deploys hundreds of experienced advisers directly into manufacturing facilities, embedding within client operations to increase throughput, reduce waste, and improve profitability. Through affiliate companies Premier Staffing Solution (PSS) and Just-In-Time Staffing (JITS), CCO also places skilled trades professionals, engineers, and technicians into client facilities. Technology Transfer Services (TTS) provides rapid upskilling programs on production floors.
Founded and led by combat veterans, CCO has delivered billions in documented savings for Fortune 500 companies across automotive, aerospace, energy, defense, and heavy equipment manufacturing. The company operates from Toledo, Ohio, with consultants deployed to client sites across the United States and Europe, accessing proprietary production data, engineering specifications, and (for defense clients) controlled unclassified information.
The Challenge
The Problem
CCO's growth to $75 million in annual revenue had outpaced its security infrastructure. Standard business controls (commercial antivirus, basic email filtering, perimeter firewalls at headquarters) were designed for a traditional office, not a distributed workforce operating inside other organizations' networks while handling their most sensitive operational data.
Five risk areas demanded attention. First, distributed workforce exposure: consultants connecting from client facilities, hotels, airports, and home offices created attack surface that perimeter security could not reach. Second, email vulnerability: engagement proposals, FIT Operations reports, and sensitive production data flowed through email daily with only basic spam filtering. Third, zero threat visibility: no SIEM, no centralized logging, no way to answer 'is anyone attacking us right now?' Fourth, endpoint gaps: signature-based antivirus with no EDR capability and no centralized alerting. Fifth, a DNS blind spot: consultants on networks CCO does not control had no protection against DNS-based threats, tunneling, or command-and-control channels.
The defense industrial base dimension elevated the stakes. CCO consultants inside defense contractor facilities handle information relevant to national security. A compromised CCO system could become a supply chain attack vector into a defense manufacturer's network.
Our Approach
Four phases over 20 weeks, followed by ongoing 24/7 monitoring.
Flynaut deployed a layered, integrated OneProtect cybersecurity program covering every domain of CCO's attack surface: EDR, MDR, SIEM, email security, DNS protection, identity and Zero Trust, threat intelligence, and vulnerability management.
EDR & Endpoint Hardening
4 weeks. CrowdStrike Falcon replaced legacy antivirus across all 340 CCO-managed endpoints. Falcon provides behavioral monitoring that detects fileless malware, living-off-the-land attacks, credential dumping, and lateral movement in real time. USB device control blocks unauthorized removable media. Full endpoint telemetry feeds our OneProtect SOC.
Endpoint protection alone is necessary but insufficient. The real value emerges when endpoint telemetry is correlated with email, DNS, identity, and SIEM data in real time.
SIEM, Email & DNS Security
6 weeks. Microsoft Sentinel was deployed as the centralized SIEM, ingesting logs from 11 sources. Proofpoint Email Protection with TAP provides attachment sandboxing, URL rewriting, and BEC detection. DMARC was deployed at reject enforcement. Cisco Umbrella provides DNS-layer protection that travels with every consultant regardless of network.
Monthly average: 4,700 email threats blocked and 12,400 malicious DNS queries blocked — primarily from consultant devices on client and hotel networks.
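"DMARC at reject enforcement" is a specific, checkable state of a domain's published policy, and it is easy to believe a domain is enforcing when it is still at p=none or pct=50. The following is an added example, not code from Flynaut, CCO, or any of the vendors named above: it parses a DMARC TXT record and reports whether the domain is actually at full reject enforcement (p=reject, sp=reject, pct=100) and whether aggregate reporting is configured. The domain names and records are constructed for the example, and the resolver is a stand-in table rather than a live DNS query.

```python
# Added example (not Flynaut's or CCO's code): parse a DMARC TXT record and
# report whether the domain is at full reject enforcement.
# All domain names and records below are constructed for the example.

SAMPLE_RECORDS = {
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example-partial.test",
    "example-reject.test": ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                            "rua=mailto:dmarc@example-reject.test; "
                            "ruf=mailto:forensics@example-reject.test"),
}


def lookup_dmarc_txt(domain):
    """Stand-in resolver: returns the TXT record published at _dmarc.<domain>
    from the constructed table, or None. A real deployment would query DNS here."""
    return SAMPLE_RECORDS.get(domain)


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def assess_dmarc(txt):
    """Evaluate the record against the 'reject enforcement' bar."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    pct = int(tags.get("pct", "100"))                     # pct defaults to 100
    findings = []
    if policy != "reject":
        findings.append(f"organizational domain policy is p={policy}, not reject")
    if subdomain_policy != "reject":
        findings.append(f"subdomain policy is sp={subdomain_policy}, not reject")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not being collected")
    return {
        "policy": policy,
        "subdomain_policy": subdomain_policy,
        "pct": pct,
        "at_reject_enforcement": policy == "reject"
                                 and subdomain_policy == "reject"
                                 and pct == 100,
        "findings": findings,
    }


def check_domain(domain, resolver=lookup_dmarc_txt):
    """Resolve and assess one domain; a missing record is itself a finding."""
    txt = resolver(domain)
    if txt is None:
        return {"domain": domain, "at_reject_enforcement": False,
                "findings": ["no DMARC record published"]}
    result = assess_dmarc(txt)
    result["domain"] = domain
    return result


if __name__ == "__main__":
    for d in list(SAMPLE_RECORDS) + ["example-missing.test"]:
        r = check_domain(d)
        state = "ENFORCING" if r["at_reject_enforcement"] else "NOT ENFORCING"
        print(f"{d}: {state} {r['findings']}")
```

The subdomain policy check matters because `sp` defaults to `p`: a domain at `p=reject` without `sp=` is still fully enforcing, while a domain at `p=quarantine` leaves its subdomains at quarantine too. Swapping `lookup_dmarc_txt` for a function that queries the `_dmarc.<domain>` TXT record turns this into a periodic check that the reject policy has not silently regressed.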
Identity, Zero Trust & Managed Security
6 weeks. Microsoft Entra ID Protection evaluates every sign-in against risk signals. Conditional access enforces Zero Trust: access requires a compliant device, MFA, and an acceptable risk score. Privileged accounts use FIDO2 hardware keys. The OneProtect SOC provides 24/7/365 monitoring with cross-layer correlation.
Cross-layer correlation catches what single-layer monitoring misses: a medium-severity identity alert + medium-severity endpoint alert + medium-severity data access alert together tell the story of an active compromise.
Threat Intelligence & Vulnerability Management
4 weeks. Multi-source intelligence comes from CrowdStrike, Proofpoint, Cisco Talos, and defense-specific feeds from CISA, DCSA, and DIBNet. Tenable.io provides monthly authenticated scans with real-world exploitability prioritization. Remediation SLAs: critical within 72 hours, high within 14 days. Quarterly penetration tests and annual red team exercises round out the program.
Custom detection signatures are developed when campaigns targeting manufacturing consulting firms are observed, and are pushed to CCO's security stack within hours.
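A remediation SLA is only meaningful if someone computes the deadline for every open finding and flags the ones that have slipped. The following is an added example, not Flynaut's, CCO's, or Tenable's code: it takes a list of scan findings, applies the SLAs stated above (critical within 72 hours, high within 14 days), and returns which open findings are overdue, which are still within SLA and by how many hours, and whether the count of open criticals is under the cap of five that the results table reports. The finding IDs, hostnames, timestamps and record layout are constructed for the example and do not reflect Tenable.io's export format.

```python
# Added example (not Flynaut's, CCO's, or Tenable's code): check open scan
# findings against the remediation SLAs named in the program description.
# Finding IDs, hostnames and timestamps below are constructed.
from datetime import datetime, timedelta

SLA = {"critical": timedelta(hours=72), "high": timedelta(days=14)}   # from the page
CRITICAL_CAP = 5   # results table: fewer than 5 open criticals at any time

SAMPLE_FINDINGS = [
    {"id": "F-1001", "host": "cco-lt-0142", "severity": "critical",
     "first_seen": "2024-03-01T08:00:00Z", "status": "open"},
    {"id": "F-1002", "host": "cco-lt-0142", "severity": "high",
     "first_seen": "2024-03-01T08:00:00Z", "status": "open"},
    {"id": "F-1003", "host": "cco-srv-03", "severity": "critical",
     "first_seen": "2024-03-09T15:00:00Z", "status": "open"},
    {"id": "F-1004", "host": "cco-srv-03", "severity": "high",
     "first_seen": "2024-02-01T08:00:00Z", "status": "fixed"},
    {"id": "F-1005", "host": "cco-lt-0077", "severity": "medium",
     "first_seen": "2024-02-20T08:00:00Z", "status": "open"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def sla_report(findings, now):
    """Classify open findings as overdue / within SLA / not covered by an SLA."""
    now = parse_ts(now)
    overdue, within_sla, untracked = [], [], []
    for f in findings:
        if f["status"] != "open":
            continue                      # fixed or risk-accepted findings are out of scope
        sla = SLA.get(f["severity"])
        if sla is None:
            untracked.append(f["id"])     # medium/low have no SLA on this page
            continue
        deadline = parse_ts(f["first_seen"]) + sla
        entry = {
            "id": f["id"],
            "host": f["host"],
            "severity": f["severity"],
            "deadline": deadline.strftime("%Y-%m-%dT%H:%M:%SZ"),
            # negative when the deadline has passed
            "hours_remaining": round((deadline - now).total_seconds() / 3600, 1),
        }
        (overdue if now > deadline else within_sla).append(entry)
    open_criticals = sum(1 for f in findings
                         if f["status"] == "open" and f["severity"] == "critical")
    return {
        "overdue": overdue,
        "within_sla": within_sla,
        "untracked": untracked,
        "open_criticals": open_criticals,
        "critical_cap_ok": open_criticals < CRITICAL_CAP,
    }


if __name__ == "__main__":
    report = sla_report(SAMPLE_FINDINGS, "2024-03-10T12:00:00Z")
    for e in report["overdue"]:
        print(f"OVERDUE  {e['id']} {e['severity']:8} {e['host']} by {-e['hours_remaining']}h")
    for e in report["within_sla"]:
        print(f"ON TRACK {e['id']} {e['severity']:8} {e['host']} {e['hours_remaining']}h left")
    print("open criticals:", report["open_criticals"], "cap ok:", report["critical_cap_ok"])
```

Running this after each monthly scan, with `now` set to the scan time, gives a deterministic answer to "are we meeting the SLA" that does not depend on reading a dashboard. The `hours_remaining` field is the number to alert on before a finding becomes overdue rather than after.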
The Results
Performance That Speaks
Metric                           Before                        After
Security Breaches                Unquantified (no detection)   Zero (18 months)
Threat Detection Coverage        <15% (AV only)                96% (multi-layer)
Mean Time to Detect              Unknown                       4.2 minutes
Mean Time to Respond             Hours to days                 8 minutes
Phishing Click Rate              28%                           3.8%
Email Threats Blocked (monthly)  ~200                          4,700
DNS-Layer Blocks (monthly)       None                          12,400
Endpoint Visibility              0% centralized                100% real-time
MFA Coverage                     0%                            100%
Critical Vulns Open              Unknown                       <5 at any time
Incidents (18 months)            N/A                           847 alerts, 23 confirmed, all contained
The most significant confirmed incidents included a targeted spear-phishing campaign impersonating a defense prime contractor, a credential stuffing attack using third-party breach data, a fileless malware loader via a compromised client network, and a DNS tunneling attempt from a compromised IoT device. Every incident was contained without data loss or client notification.
Reflections
What This Project Taught Us
Securing a consulting firm is fundamentally different from securing a company whose employees sit in a single office. CCO's consultants are nomadic by design. The security architecture must travel with the person, not depend on the perimeter. DNS-layer security, endpoint EDR, and identity-based Zero Trust are the three non-negotiable foundations for any distributed workforce.
The cross-layer correlation capability proved its value repeatedly. The most dangerous incidents were ones where no single layer would have generated a high-confidence alert alone. A medium-severity identity alert, a medium-severity endpoint alert, and a medium-severity data access alert are three dismissible events in isolation. Together, they tell the story of an active compromise.
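The correlation idea described here, and in the Identity, Zero Trust & Managed Security phase above, is concrete enough to show as detection logic. The following is an added example and not Flynaut's OneProtect code or a Sentinel rule: it takes a stream of alerts from separate layers (identity, endpoint, data, DNS), keeps only those of medium severity or worse, and escalates when one user accumulates alerts from three distinct layers inside a short window. The window of 30 minutes and the three-layer threshold are assumptions chosen for the example, and the user names, timestamps and alert details are constructed. The code is general enough that the threshold and window can be tuned, as the second check in the usage shows.

```python
# Added example (not Flynaut's OneProtect code or a Microsoft Sentinel rule):
# escalate when one user accumulates medium-severity alerts from several
# security layers inside a short window. Alerts below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
WINDOW = timedelta(minutes=30)   # assumed correlation window
MIN_LAYERS = 3                   # assumed: three distinct layers trigger escalation

SAMPLE_ALERTS = [
    {"ts": "2024-03-11T09:02:10Z", "layer": "identity", "severity": "medium",
     "user": "jdoe", "detail": "sign-in from unfamiliar location, risk: medium"},
    {"ts": "2024-03-11T09:06:45Z", "layer": "endpoint", "severity": "medium",
     "user": "jdoe", "detail": "script interpreter spawned by an office application"},
    {"ts": "2024-03-11T09:15:30Z", "layer": "data", "severity": "medium",
     "user": "jdoe", "detail": "unusual volume of document downloads"},
    {"ts": "2024-03-11T11:40:00Z", "layer": "identity", "severity": "medium",
     "user": "asmith", "detail": "repeated MFA prompts declined"},
    {"ts": "2024-03-11T14:00:00Z", "layer": "endpoint", "severity": "medium",
     "user": "asmith", "detail": "USB mass storage device blocked"},
    {"ts": "2024-03-11T14:10:00Z", "layer": "dns", "severity": "medium",
     "user": "asmith", "detail": "query to newly registered domain blocked"},
    {"ts": "2024-03-11T08:00:00Z", "layer": "dns", "severity": "low",
     "user": "bkim", "detail": "first-seen domain"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts, window=WINDOW, min_layers=MIN_LAYERS, min_severity="medium"):
    """Return one incident per user-window in which alerts of at least
    min_severity arrived from at least min_layers distinct layers."""
    threshold = SEVERITY[min_severity]
    by_user = defaultdict(list)
    for a in alerts:
        if SEVERITY[a["severity"]] >= threshold:
            by_user[a["user"]].append(a)

    incidents = []
    for user, items in by_user.items():
        items.sort(key=lambda a: parse_ts(a["ts"]))
        i = 0
        while i < len(items):
            start = parse_ts(items[i]["ts"])
            # items are sorted, so the alerts inside the window form a prefix
            cluster = [a for a in items[i:] if parse_ts(a["ts"]) - start <= window]
            layers = {a["layer"] for a in cluster}
            if len(layers) >= min_layers:
                incidents.append({
                    "user": user,
                    "start": items[i]["ts"],
                    "end": cluster[-1]["ts"],
                    "layers": sorted(layers),
                    "score": sum(SEVERITY[a["severity"]] for a in cluster),
                    "verdict": "escalate: multi-layer pattern consistent with active compromise",
                    "alerts": cluster,
                })
                i += len(cluster)   # do not re-report the same alerts
            else:
                i += 1
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc['user']}: {inc['start']} .. {inc['end']} "
              f"layers={inc['layers']} score={inc['score']}")
        print("  ", inc["verdict"])
```

In the constructed stream, jdoe's three medium alerts are each dismissible on their own but land within 13 minutes across three layers, so they escalate; asmith's alerts never reach three layers inside one window, so they stay as individual alerts unless the threshold is lowered. In practice the per-user key would be joined with the device, since a compromised endpoint used by several people is a different story from a compromised account.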
CCO's veteran leadership brought a mission-oriented mindset that transformed this from a compliance exercise into an organizational commitment. When Bill Currence and Scott Wawrzyniak talk about cybersecurity, they talk about duty: to the defense manufacturers whose operations depend on CCO's integrity, to the veterans on their team, and to the national industrial base they strengthen every day.
