Going above and beyond when an organisation is held to ransom
Early one morning a ransomware payload had been deployed in an organisation’s system – something they hadn’t expected and didn’t know how to handle. They asked us for urgent help to:
• Ensure full containment of the ransomware infection
• Identify the root cause of the infection, if possible
• Identify any evidence of data exfiltration
• Secure and monitor the infrastructure that had not been affected.
We immediately got to work setting up our Tactical Managed Detection & Response (Tactical MDR) service which provides rapid emergency monitoring and holistic protection via the Microsoft Security ecosystem. The Tactical MDR service was up and running within 4 hours to help contain the situation via Microsoft Defender and provide widespread visibility to the IR team to enable them to swiftly investigate whilst keeping the organisation safe from further attack activity.
But what was the extent of the breach, what damage had already been done and why had it happened?
Realising their worst fears
Our highly experienced incident responders, who have hundreds of hours and hundreds of cases behind them, began their investigation. Over the next few days, they discovered that the victim’s servers had been breached and encrypted, affecting their on-premises and cloud systems – including their back-up servers. The attacker had also exfiltrated data.
Furthermore, the attack had disrupted a large portion of the network services and interrupted business operations to a high degree. Fortunately, we identified no evidence to suggest that the threat actor was able to extend their access to any Software-as-a-Service (SaaS) solutions.
“We worked with their teams to understand the extent of the breach, which was severe,” explains James Allman-Talbot, Quorum Cyber’s Head of Incident Response and Threat Intelligence. “The access the attacker had was extremely extensive and they had free rein over the environment. They had been able to gain the highest possible privileges within the network estate, allowing them unrestricted access to everything contained within the on-premises and virtual Azure network.”
Bringing in extra support
The customer contacted Microsoft’s recovery team, which successfully rebuilt the IT environment from scratch. As a Microsoft Solutions Partner for Security, we regularly work with them on security incidents. We explained the current state of the environment to Microsoft and gave our recommendations from what we’d seen the attacker doing.
Our role in such scenarios isn’t limited to technical detective work and advice. We liaise with professional external organisations too. Because incidents of this nature can be very stressful, we also help our customer’s team to de-stress, regroup and re-energise, and we provide much-needed peace of mind during what’s often their worst-ever week at work.
We contacted law enforcement to report the crime and advised our customer to get in touch with their insurers and any stakeholders, guiding them on what information to share, and when. And we contacted the Information Commissioner’s Office (ICO), a public sector body that’s the UK’s authority for data protection and information rights. Making sure everyone has the precise information they need in the aftermath of a cyber-attack is crucial and shouldn’t be underestimated.
Attacked at the worst possible time
Attacks like this one go to show that breaches can happen when an organisation least expects them, and they can result in attackers getting inside IT systems for a long period of time before being detected. In this specific case, the organisation discovered the attack just two weeks before they were due to go live with Quorum Cyber’s Managed Detection & Response (MDR) service.
Comprehensive security solutions, such as the Microsoft XDR ecosystem, provide holistic protection, detection and response across endpoints, data, email, cloud, identity and more. Configured carefully to the company’s environment by Quorum Cyber’s XDR engineers, this provided incredibly strong protection during the company’s worst moments.
Act quickly but take the right steps
When anyone believes they’ve been the subject of a cyber-attack, it’s important to act fast. The specific actions they take are also very important, though not always obvious or intuitive, as our guide to the ten dos and ten don’ts when responding to a cyber-attack outlines. This can be the difference between making a full recovery and making the situation worse for the organisation impacted.
If you believe you’re experiencing a cyber incident right now, please call our Incident Response team on 0333 444 0041 and we’ll help you right away.
The calm after the storm
Since the incident, the customer has upgraded from our MDR service to our Managed Extended Detection & Response (M-XDR) service, signed up for an Incident Response Retainer (IRR) and we’ve conducted extensive advisory services through the Security Director-as-a-Service (SDaaS).
Bird & Bird migrates to the cloud to secure its clients’ data
Leading international law firm adds 24-hour monitoring, detection and response capabilities
Founded in 1846, Bird & Bird is an international law firm with over 1,400 lawyers in more than 30 offices across Europe, the Middle East, Asia-Pacific and North America. The company’s vision is to be “the number one law firm in the world for organisations being changed by technology and a digital world”.
With thousands of clients in a wide spectrum of industries, they decided to transition their systems, applications and vast stores of client data into the cloud to gain all the advantages of speed, agility, responsiveness, automation and security that the powerful cloud computing ecosystem would give them.
In all, their relatively small in-house security team protects 3,400 users in 32 offices around the globe, and secures 700 servers in three data centres as well as a hybrid onsite/Azure cloud environment.
Ready to transition to the cloud
Once their team had designed a strategy to move to the cloud and completed all the necessary preparations, including buying the Microsoft E5 licence, installing encryption key management solutions to manage keys in Azure, Office 365 and other legal technology products, they could step forward. On reviewing which security tools they needed, Microsoft Sentinel made perfect sense as the cloud-native Software-as-a-Service (SaaS) Security Information and Event Management (SIEM) system.
However, Bird & Bird’s technology leadership wanted the security team to stay lean, mean and efficient. Their main aim was to achieve effective security in the cloud, not build a much larger team of professionals to keep up with the ever-evolving cyber security landscape. They needed a first-class security partner to enable them to take the leap while keeping their clients’ information and their own business’s data secure around the clock. So they began a process to find and assess potential security partners.
They put their challenge to Microsoft, who suggested talking to Quorum Cyber. After initial discussions, the two companies ran a one-month trial which was extended into a longer-term contract for the Microsoft Sentinel Managed Detection & Response (MDR) service. With this service, Quorum Cyber’s Security Operations Centre (SOC) team, which is based entirely in the UK, monitors, detects and responds to alerts and potential incidents 24 hours a day, every day of the year.
The team’s biggest challenge was moving to the cloud securely and maintaining that security at the highest level regardless of the evolving threat landscape. Law firms’ reputations depend on them securing their clients’ data. One breach could potentially undo decades of work building up their strong reputation worldwide.
A million times more detail
“Before we had monitoring, logging and encryption capabilities there was no way we could move client data to the cloud,” says Martyn Styles, Head of Information Security at Bird & Bird. “It would not be right and our clients wouldn’t allow it.
“In my opinion, security and data protection in the cloud is a lot more capable than most on-site systems. I didn’t have much security telemetry from our co-location data centres prior to moving to cloud. Now we’re in the cloud I can tell exactly who’s accessing what, where they are accessing it from and which devices they are using. The logging, alerting and reporting I get from the cloud is a million times more detailed than on-site solutions and we’re quite confident that we can tell when someone who is not authorised to access our data is trying to access it. We get an instant notification, Quorum Cyber do too, so together we can investigate it.”
Martyn adds that busy lawyers, who are often on the move and who may be checking information while travelling or when on holiday anywhere in the world, could try to access data at any time of the day or night through the company’s systems. Any effective security solution must allow the right people to have access to the data they need, at the right time. His team can check that access is valid and permitted by an authorised user, and not a threat actor trying to break in.
Around-the-clock monitoring and defence
“We feel that Quorum Cyber provides us with a cost-effective 24x7x365 security operations centre, whilst providing our global technology networks and cloud services environment with rapid security incident response,” says Martyn.
By on-boarding Bird & Bird into the SOC, they were placed under the supervision of a qualified team of cyber security analysts who provide security maturity assessments, vulnerability management and threat monitoring to constantly check for weaknesses across the large hybrid IT estate.
“We were very impressed by both the speed and attention to detail when we were onboarded onto the SOC,” says Martyn. “Log message configurations have been continually tuned to optimise security alert monitoring and reporting as we have upgraded existing applications and onboarded new log sources over time.”
Cybercriminals are notorious for continually adapting their tactics, techniques and procedures (TTPs) to probe organisations for weakness. So while the SOC team uses automation to help cope with the large volume of signals, human creativity and imagination is required to defend the law firm against threat actors who are trying to infiltrate them.
Teamwork, trust and transparency
Trust and transparency are crucial. Everybody in the partnership needs to trust all components of the technology, and they need to trust that everybody else in the team is using the technology to strengthen cyber resilience and reduce risk.
So, to see any incidents that the SOC team is dealing with in real time and to check the status of the security across their estate, Martyn’s team has 24×7 access to the customer portal, Clarity. Not only can they see all the key information related to their service in one place, but the tool also gives suggestions about how security could be improved. “Clarity is very easy to use, and I often export data from it when I’m preparing monthly service reports for the team,” says Dan Fleming, Information Security Specialist at Bird & Bird.
The plethora of tools involved in defending an organisation’s assets can get pretty complicated. But the business relationship needn’t be. To keep the relationship simple and efficient, Bird & Bird has a single Service Delivery Manager (SDM) who holds regular meetings with the law firm’s security team.
“It feels very much like Quorum Cyber, who we work very closely with every day, is an extension to our team. Our other partners work closely with them too – it’s a symbiotic relationship.”
Cybercriminals rely on the element of surprise and often try to breach organisations in places they would least expect. To thoroughly check that the SOC is picking up every alert worth investigating, in every nook and cranny of their IT ecosystem, Martyn’s team also run their own security tests – without notifying the SOC team when and where they are doing it.
“These simulations test the detection technology and keep everyone on their toes,” says Martyn. “It rings alarm bells that the SOC team then reports back to us. I’d be concerned if they missed anything but so far, I’m happy that they have passed all our tests. They are often ‘belt & braces’ to our own security. Alert fatigue can mean people miss something, but we’re confident that nothing’s been missed.”
Lean and mean cyber security
Before embarking on the long-term partnership, Bird & Bird couldn’t move their clients’ sensitive and confidential data to the cloud to secure it to today’s gold standard. In the past year the partnership has significantly strengthened the overall security of the law firm and given them the confidence and peace of mind that all their clients’ data is safe from the frequent attempts they see by threat actors to break in.
Data security is one of the pillars of safeguarding Bird & Bird’s reputation as a trustworthy and reliable company to look after clients’ data, wherever their 1,400 lawyers are working and travelling around the world.
“The MDR service allows our team to remain lean and mean and we intend to stay that way,” concludes Martyn. “To run this service ourselves, we would need to employ a number of SOC engineers and threat analysts and it’s not our strategy or intention to build a larger in-house team. The SOC team allows me to sleep at night, knowing that we’re protected around the clock. We don’t work 24 hours a day, but hackers do.”
Frasers Group finds the perfect partner to guide them to self-dependence
International retail giant builds cyber security team
Selling a range of iconic and famous brands in nearly 1,000 branches throughout the UK and from stores in more than 20 countries across Europe, Asia and North America, and via their digital platforms, Frasers Group is a retail success story.
In early 2022, the group, which has huge ambitions to continue its expansion in both its home market and internationally, lacked a security team or a Security Operations Centre (SOC) to protect its assets. It’s always been a Microsoft house and, with E5 licences, it benefitted from the company’s modern security tools including Microsoft Sentinel, but didn’t have the personnel to make the most of them. However, its culture of managing everything in-house as much as possible meant it planned to create its own security team in the not-too-distant future.
In the meantime, the digital landscape was fast becoming more inhospitable and unpredictable, and there were increasingly frequent reports of retailers and other companies being breached and infiltrated by financially motivated threat actors. The risks of doing nothing were too great for a sector-leading, 24-hour business at the forefront of digital retail. Frasers Group’s leadership team knew it needed a security partner to protect it while it worked on building its own team from the ground up. They sought Microsoft’s advice and decided to talk to their shortlist of recommended professional service providers.
A security partner to hit the ground running
Cyber security firms have different approaches when it comes to defending their customers. Having all their own Microsoft tools already in place, Frasers Group were focused on finding a knowledgeable, qualified partner that could defend them through their own tenancy; they didn’t want to use unnecessary external tools or be surprised by hidden services or costs.
The Microsoft Sentinel Managed Detection & Response service, which is managed by the 50-strong SOC team based entirely in the UK, proved to meet the retailer’s needs perfectly.
“Quorum Cyber ticked all the boxes,” says Matthew Burrows, Head of Cyber Defence at Frasers Group. As a Microsoft Solutions Partner for Security, the company has over 1,000 years of combined security and Microsoft experience, so they were equipped to defend the retail giant from day one. In addition, both companies were comfortable working in a collaborative, hybrid environment – they knew that first and foremost teamwork is essential when keeping cybercriminals out.
Furthermore, sharing know-how and information is part of Quorum Cyber’s culture – exactly the type of partner that the retail group needed on their journey to full cyber security independence.
“The engagement allowed me to step back and build our team in the background,” explains Matthew. “It allowed me to evaluate how big our team should be, which certifications they required, how to best triage alerts and what our service level agreements (SLAs) need to contain. Quorum Cyber set the benchmark for us.”
During the 18-month partnership, Matthew and his growing team were keen to learn as much as possible. “Everyone has been really open and honest, and communication has always been great.”
Smooth hand-over maintains strong security
Frasers Group had always planned to bring their cyber security in-house. And with a seasoned guide to light the way, they successfully built a professional team in a relatively short space of time to defend their IT estate, their data and their business. A smooth transition with a trusted partner that took the time to understand their precise needs and challenges guaranteed they could meet their objectives early.
In less than two years, with Quorum Cyber’s support and guidance, Frasers Group has built an independent cyber security team from scratch to protect its entire business and give it the confidence to launch new services and expand into new regions.
Devon County Council embeds cyber security into its culture
Serving a county of 1.2 million people in south-west England, for years Devon County Council has been well aware of the growing importance of cyber security to keep its operations running smoothly. The most prudent approach was to move from an on-premises solution to the cloud.
Against a backdrop of more frequent and more damaging security incidents, particularly in the public sector among regional governments, the council proactively took steps to secure their organisation and the people, communities and businesses they serve. They realised it was probably only a matter of time before they’d be targeted by a cybercriminal group intent on encrypting or stealing their data, or both.
More intelligence and greater knowledge of their assets
So, a few years ago they installed Microsoft Defender tools to gain more intelligence about their IT estate and acquire the knowledge they needed to respond to security alerts. However, while all this information was clearly invaluable, it also presented a challenge.
“The ICT strategy at Devon County Council had determined that an enterprise licensing arrangement with Microsoft was the right approach for the authority, with the benefits of Defender’s extensive security tooling being an attractive element of the package,” says Robyn Dennis, Strategic Cyber Security Manager in the Digital & Technology Service at Devon County Council. “With over 5,000 internal staff we knew we needed comprehensive protection in place across the whole organisation.
“However, we also knew we didn’t have the capabilities, knowledge or capacity in-house to handle what we were seeing. We reached out to a couple of suppliers we’d previously worked with to run a Proof-of-Concept (POC) on Microsoft Sentinel to understand it better and consider what the architecture of a Security Operations Centre (SOC) would look like in the long run, and we discovered that a hybrid approach to the SOC would suit us best.”
Previously, the local authority had some out-of-hours security coverage but lacked 24×7 monitoring of their estate, which they knew was the minimum level of security to give them peace of mind every day.
Setting out on the next stage of their journey, they searched for the right partner to protect their organisation, which was when Microsoft suggested they talk to Quorum Cyber.
“We liked their ethos of helping good people win and with their Microsoft-first approach they seemed the right fit,” says Robyn, who has worked tirelessly to raise cyber security awareness in the council’s hierarchy and to convince the senior management and governing board that it should be part of their culture.
Swift onboarding to add a safety net
Onboarding to the Microsoft Sentinel Managed Detection & Response (MDR) service, run by the experienced SOC team, was swiftly achieved before the Christmas 2022 change freeze to give Robyn’s team a safety net and peace of mind during the festive season, which some threat actors see as an opportunity to target organisations whose teams are on annual leave.
“The 24×7 monitoring capability is a real plus point and gives me more assurance that we have the right capabilities in place to manage risks as best we can,” she says. “It frees a lot of our team up to take on other activities.”
In a relatively short time of working alongside Quorum Cyber, she’s happy with the continual improvement, the iterative reviews to assess the council’s security maturity, the guidance to navigate any incidents, and the ease of engaging with the SOC.
“The service gives us a lot more confidence and assurance that our systems are working and that any alerts will be picked up at an early stage,” says Robyn. “It gives us the confidence that we can deliver services to citizens. Our Sentinel and our analytics are being managed by experts in their field. We know that without this service, we’d struggle to recruit the same level of skilled professionals.”
Trust has grown so much that the partnership is now looking to set up delegation of authority so that the SOC team can fine-tune configurations without requesting permission from Robyn’s team on a case-by-case basis, which speeds up improvements to security.
Growing a cyber security culture
“Cyber security is now one of our highest corporate risks and high on the board’s list of priorities. I’m doing a piece of work so that our senior leadership team (SLT) always understands the cyber risks we face. I always tell the SLT about the positive news and the partnership definitely helps me with this. We need to keep progressing and it’s important that we don’t take any steps backwards. I’ve also spent some time telling our cabinet members and our scrutiny board to help them understand our current cyber security posture – what’s good and what’s bad. We’ve been on a journey of internal awareness of why cyber security is important. Years ago there was a perception that it could have been a blocker to operational activities, but we now see it as an enabler in the long term.”
The purpose-built customer dashboard is another plus point for Robyn. “Clarity is brilliant, the detail that goes into the tickets is really useful. I regularly take reports and the dashboard images to our Senior Information Risk Officer (SIRO). The dashboard images give us useful information and we see threat intelligence reports give us advanced warning of zero-days. Knowing that there’s someone in the background threat hunting in our environment gives us extra assurance.”
Supporting Joyn Insurance in their early growth
Helping a start-up rapidly and securely ramp up its insurance business
Founded in mid-2020 during the height of the coronavirus pandemic, Joyn Insurance provides commercial insurance for small- and medium-sized companies in the US. Since its creation, the company has quickly expanded its coverage for the real estate, manufacturing, professional services, wholesale, retail and contractor industries in most of the states in the US.
Deep Microsoft expertise
“We knew from the very beginning that cyber security was going to be very important to us,” explains Joyn’s Co-founder and Chief Technology Officer Ed McGough. “We were specifically looking for an organisation that had deep knowledge and experience of the Microsoft toolset. We made the decision very early on that we were going with Microsoft tools 100%.”
Ed’s team met with three or four cyber security providers, all of which had different approaches. “Everybody we spoke to in Quorum Cyber was very knowledgeable,” says Ed. “What also appealed to us was that every tool we owned stayed within our environment, everything remained within our technology stack. We didn’t need to buy licences for other tools.”
“Furthermore, we felt that the company had exactly the right level of expertise that we required,” says Caroline Ettinger, Joyn’s Head of Business Insights and Tech Operations.
Complying with cyber security regulations from state to state
As Ed explains, meeting regulatory requirements is crucial: “Insurance is very heavily regulated in the US and companies need to meet state-specific cyber regulations in order to operate. We initially made sure that we met the requirements of the New York regulators, as they were one of the first to provide a mandate and remain one of the most stringent.”
Every year Joyn has to attest to the New York Department of Financial Services (NYDFS) that it fully complies with their regulations – and these become tighter as a company grows. Fortunately, if they can comply with New York State’s regulations then they are likely to meet the requirements of other states too.
While setting up the business with a small team they also realised that they needed assistance with all the detailed cyber security policies and procedures. “We asked Quorum Cyber for help and they conducted excellent work,” says Ed. “What we have from a policies and procedures perspective is better than I’ve seen at larger, older organisations.”
Monitoring and detection around the clock
Within a year of being established, Joyn agreed a three-year contract for the Managed Detection & Response (MDR) service, run by the Security Operations Centre (SOC) team and signed up for penetration testing.
“We knew we needed a 24×7 monitoring service and we didn’t have the size of team in-house to do this ourselves,” says Ed. “Despite the SOC being entirely based in the UK, this hasn’t affected the quality of the service. In fact, this has actually been an advantage because problems often happen at night.”
As Joyn operates across all US time zones and has team members and suppliers working from Europe and the Middle East, the location of the security team is irrelevant – time zones don’t matter in cyber security.
One call away from advice and guidance
“Whenever we’ve asked for advice on anything about cyber security, the team has always helped – and they haven’t used this as an opportunity to try to sell us any extra services, which is refreshing,” says Ed. “Cyber security is still one of my biggest worries. The amount of cybercriminal activity never ceases to amaze me and that does keep me awake at night. I don’t need to think about the monitoring of our IT as having the SOC team managing everything all the time really helps.”
While technology and data are two keys to Joyn’s impressive growth, the company prides itself on its people and its values as the pillars of its culture. Two of their values are transparency and trust, which Quorum Cyber has also built its business on since being established in Edinburgh, UK in 2016.
“The relationship with Quorum Cyber really feels like a partnership. We have a good relationship with the team. Everyone we’ve met has been delightful – they’ve made the team a real pleasure to work with.”
Teamwork solidifies South Ayrshire Council’s cyber defences
Scottish local authority continues its journey to reducing risk
With a population of around 112,000 people, South Ayrshire is one of 32 council areas in Scotland. South Ayrshire Council ensures that services run smoothly throughout the region, keeping the business community working, the economy flowing and making people’s everyday lives easier. It’s also a major employer, with more than 5,000 staff. So it’s no surprise that the local authority makes cyber security a top priority. Reducing the risk of services being disrupted or confidential data being stolen or leaked externally is essential – just as in any other public sector body.
Providing value for money for taxpayers is obviously crucial too. So the Council chooses to work with a cyber security partner for the expertise and resources it doesn’t have in-house.
The relationship began four years ago when Quorum Cyber helped with consultancy work that proved central to transitioning the Council’s connection to the Public Service Network (PSN) away from the use of a segregated enclave toward an organisational security posture that met PSN security compliance requirements.
South Ayrshire Council recognised that a strong partnership with cyber security experts was necessary to make such a transformational change in the cyber security posture.
“We needed a partner to help plan what that should look like and to help with advice and decision making that our operational teams needed to move forward with the cyber resilience programme,” explains Anne Yeo, Senior ICT Security Analyst at South Ayrshire Council.
“It turned into a partnership that offered much more. As we began to implement security solutions we discovered that zero-trust networking would strengthen the security profile and improve our entire corporate network. Quorum Cyber was able to validate some of the plans that our zero-trust partner had set up. Quorum Cyber took on much more of an auditing role in that partnership, as well as providing core functionality for some of the cyber security we needed. Both of those things were instrumental to getting us to where we are now.”
Working together
This early work laid a solid foundation for the Council to prepare to take on a round-the-clock monitoring and detection service.
“We found that Quorum Cyber’s Managed SOC solution was in line with the partnership view compared to other cyber security providers,” says Anne. The Council benefits by working together with Quorum Cyber to improve things and by taking a team approach, rather than having an external company coming in, delivering a fixed service and then walking away.
The Council is now protected with 24/7 security via Quorum Cyber’s Microsoft Sentinel Managed Detection & Response service, which is run by its experienced Security Operations Centre (SOC) team in the UK. “This service has changed the way we think about security here,” says Anne. “Twenty-four hour monitoring provides a reassurance that is hugely popular and very much worth the investment.”
In parallel, the Council’s ICT Security Team has made real improvements in cyber security awareness across the Council’s service teams during the past four years. Like in any organisation, employees form the frontline of defence against cyber threats, so the staff’s knowledge and understanding of how to identify and react is really important.
Quorum Cyber has recently provided other services, including Incident Response playbooks, to help thoroughly prepare in the event of a security incident.
Extending the cyber security team
“We’ve really felt that Quorum Cyber is part of the cyber team and the wider team,” explains Anne. “They’re happy to quickly advise on small matters or simple questions as well as get involved in the larger, more complicated projects. And we’ve found the personal relationships most valuable.”
Quorum Cyber continues to work closely with the local authority to ensure that they widen their focus and mature their cyber security posture in line with an ever-changing threat landscape.
Capricorn Energy tightens security with Microsoft-first partner
Headquartered in Edinburgh, UK, Capricorn Energy is one of Europe’s leading independent upstream energy companies with a history stretching back to 1980. The international business has an outstanding track record of discovering and extracting oil and gas from locations in Europe, the Americas, Asia and Africa.
During more than five years of collaboration, Capricorn Energy and Quorum Cyber have grown together, steadily strengthening the energy company’s cyber security within budget and reducing their risk exposure while they’ve operated in challenging offshore environments around the globe.
In 2020, the company was ready to entrust Quorum Cyber’s Security Operations Centre (SOC) team with providing its Microsoft Sentinel Managed Detection & Response (MDR) service for three years.
Microsoft security top of the wish-list
One attraction for Capricorn Energy was to partner with a company based in the same city for relatively easy access to Quorum Cyber’s growing team of experts. Another big plus was to work with a Microsoft-only cyber security specialist that continually invested in its employees’ training and development alongside its day-to-day focus on safeguarding the energy firm’s complex and ever-evolving IT system.
“Being a Microsoft-first cyber security company is really important for us and one of the key things that mattered when we searched for a partner,” explains Nick Mier, Group Head of Information Technology and Cyber Security for Capricorn Energy. “We are very much Microsoft-first when it comes to security and that’s one of the key things that Quorum Cyber has. It’s essential to us that they manage their security via Microsoft Sentinel.”
In addition to the MDR service, which the SOC team runs 24/7, 365 days a year, Quorum Cyber provides vulnerability management and phishing simulation services and Security Director as-a-Service.
Education is key
While Quorum Cyber’s team members have deep experience in Microsoft Security technologies, at its heart cyber security is really about risk management and, therefore, very much about people. That’s why educating customers’ employees is so important and why this has been a key focus during the relationship.
“Our team members are now very cyber aware,” adds Nick. “Improved education in cyber awareness has definitely come through the partnership, although there’s always more to do.”
As part of their contract, Capricorn Energy receives regular service reviews, useful and timely threat intelligence reports, vulnerability management meetings, and practical advice to improve the quality of their signals and data.
Achieving cyber maturity
“While we’ve been maturing as a company, our relationship has matured along the way, so that’s definitely been beneficial,” says David Malone, Capricorn Energy’s IT Service Delivery Manager. “Over the last 18 months we’ve had a seismic shift in terms of the maturity of the relationship and that’s good for both parties.”
Despite the steady improvement in their security posture, the company is determined not to let their guard down in an increasingly unpredictable digital environment. “Going forward, our goals are to achieve a higher score in the US National Institute of Standards and Technology (NIST) cyber security framework by the end of 2024 and to focus on automation,” Nick says. “While partnering with Quorum Cyber we’ve doubled our score in the past three years. We also aim to tighten up on data security and insider risk.”
MCi Protects its Customers Worldwide with Enterprise-Grade Cyber Security
Serving state, local governments, and global Fortune 100 companies in the energy, mining, manufacturing, and chemicals industries, Management Controls, Inc. (MCi) needed to transform its cyber security to the world-class level expected by its long list of prestigious customers. As a software technology and services leader, MCi provides critical Software-as-a-Service (SaaS) solutions and its unique TRACK® platform for tracking and managing contract labor, equipment rental, and material spending. MCi counts many of the world’s largest companies as loyal customers, some of whom it has served for over twenty-five years.
Privately owned, the Houston-headquartered business has ambitions to grow in the U.S. healthcare, automotive, aerospace, chemical and upstream energy sectors and extend its footprint across North America, Europe, Asia, Australasia, and Africa. Safeguarding its customers’ data is essential to achieving its international expansion plans.
Customers demand world-class security
“Our customers are increasingly asking us detailed questions about our security, including disaster recovery and how we’ll respond to severe incidents. We must confidently reassure them that we have enterprise-grade protection in place,” explains Daniel Iturbe, Vice President of Infrastructure, Security & Compliance at MCi.
“To achieve this, we have implemented rigorous security protocols and business continuity and recovery plans that ensure the safety and confidentiality of our customers’ data. Our team of experts is continuously monitoring and updating these measures to stay ahead of potential threats.
“We understand that our customers trust us with their sensitive information, and we take that responsibility very seriously. Rest assured, our commitment to providing top-notch security measures is unwavering, and we are always ready to respond swiftly and effectively in any security incident.”
After completing a comprehensive program of preparation internally, MCi was ready to find a cyber security partner to provide a Security Operations Centre (SOC) that would match their business needs and meet the high standards of cyber security demanded by their customers worldwide.
MCi searched for Quorum Cyber online, and a local Microsoft representative assured them they were worth talking to. Founded in 1989, MCi is predominantly in the cloud, and its cloud hosting is 100% provided by Azure. Hence, being a Microsoft-only house and a Microsoft Solutions Partner for Security, Quorum Cyber seemed like a good candidate. However, there were many other companies to assess as well.
Five essential criteria for a long-term partner
MCi took a diligent approach in selecting a long-term cyber security partner. They conducted an exhaustive Request for Proposal (RFP) discovery and execution phase over five months. During this time, they carefully evaluated over ten cyber security companies and thoroughly assessed their service offerings. Price was not the only determining factor, and the companies were assessed based on several essential criteria:
- Vendor qualifications: Experience, expertise, and financial stability.
- Technology and tools: A vital component of the evaluation matrix was selecting a SOC company focused solely on the Microsoft Azure security stack and Azure toolsets.
- Service Level Agreements (SLAs): Response times, escalation procedures, and reporting capabilities needed to comply with MCi contractual and compliance requirements.
- Flexibility and customization: The ability to tailor and customize services to support MCi’s annual reports and audits for its customers.
- Security and compliance: The requirement for the SOC to hold Microsoft and industry-accepted certifications and accreditations.
- Cost and value: The SOC’s pricing structure, schedule, add-on services, and overall value were collectively categorized and analyzed independently.
- Reputation and references: The SOC’s reputation in the industry and references from current and past customers were scored using an internal MCi review process.
After evaluating all proposals, MCi trusted Quorum Cyber as their long-term cyber security partner. This decision was made after considering the added complexity of working with multiple vendors and the fact that Quorum Cyber met all their requirements, including their need for an experienced and reputable Microsoft partner with a complete set of security competencies, certifications, advanced SIEM services, and strong customer support.
A true partner that lives and breathes cyber security
“I strongly believed that we needed a partner dedicated solely to the Microsoft ecosystem, who deeply understood cyber security and could fully support our Security Operation Center’s needs. We wanted a partner who would invest the time to comprehend our cloud infrastructure, unique business model, and even our customers and be part of our growth journey and continued success,” said Daniel.
Moreover, MCi needed an expert in Microsoft Sentinel, Azure, and cloud computing that could proactively detect and defend against zero-day attacks and that possessed strong automation skills to improve efficiency and reduce the risk associated with cyber incidents. The ideal partner would also have experience working within a single, integrated security ecosystem.
Having been onboarded onto the SOC in early 2022, MCi is confident that Quorum Cyber, whose SOC team runs the Microsoft Sentinel Managed Detection & Response (MDR) service, has already helped to improve its cyber security posture and security scores significantly.
“I am thoroughly impressed by the exceptional customer service provided by Quorum Cyber. Their attention to detail, quick response time, and efficient triaging of information by their SOC is outstanding,” said Daniel.
“The single-pane-of-glass view offered by their customer portal, Clarity, has been an invaluable asset to my team. This enables us to access all the necessary information from one dashboard easily.
“Quorum Cyber’s technical expertise and account management skills are second to none, and their professionalism is truly commendable. They maintain continuous communication with their customers and offer top-notch customer support, a rare quality in today’s business world.
“Overall, Quorum Cyber is a fantastic extension of our organization and a true partner. Their unwavering commitment to excellence is reflected in every aspect of their services, making them a top-class provider in the cyber security industry.”
Peace of mind around the clock
“We couldn’t get the security and visibility of the SOC by recruiting more people to cover the same things in-house,” concludes Daniel. “In a nutshell, MCi has been able to catapult our cyber security posture to an enterprise-grade level, thanks to the mutual partnership in working towards the same goals.”
Partnership approach key to success at Renfrewshire Council
For Renfrewshire Council, situated in central, west Scotland, cyber security is about people and partnerships first and foremost. Technology simply provides the tools for people to collaborate to protect its assets and data, and minimise risk. How partners work together on all levels is crucial to strengthening the cyber security posture for the Council which, like all public sector bodies, needs to continuously defend itself against today’s threats and any that are just over the horizon.
Renfrewshire Council’s cyber security partnership with Quorum Cyber has gone from strength to strength since it began in 2019. Then, all Local Authorities in the UK needed to complete an annual Public Services Network (PSN) compliance health check, which consisted of vulnerability management and penetration testing among other assessments. The Council originally sought professional support to pass its PSN health check; Quorum Cyber has since successfully tendered for more one-off engagements, including advisory services.
Growing and learning together
Collaboration on projects has worked well, with both sides contributing and learning from each other along the journey. It culminated in Renfrewshire Council partnering with Quorum Cyber when the Council tendered for a Security Operations Centre (SOC) team to monitor and protect its IT estate and multi-cloud environment around the clock. Quorum Cyber implemented the Microsoft Sentinel Managed Detection and Response (MDR) service in September 2022. The SOC team runs the MDR service 24 hours a day, 365 days a year to provide comprehensive protection and peace of mind.
From day one of the relationship, the Council was clear that it wasn’t interested in a simple transactional service; it wanted to extend its security team to exchange ideas and knowledge, develop its own services and grow together with a partner it could trust and call upon at any time should a cyber security incident occur. They were attracted by Quorum Cyber’s fresh, honest approach to cyber security.
“Price is never the driving factor when it comes to security partners,” says Carol Peters, Cyber Security Architect at Renfrewshire Council. “It was important for us to join up with a company that was going to be a true partner and we wanted an interactive one that could react fast when necessary.
“That partnership was essential for us and we’ve always had a very good relationship with Quorum Cyber. They are willing to help us deal with any incidents quickly, even if they are out of scope of the contract, or out of hours.”
Serving around 180,000 citizens in west, central Scotland, Renfrewshire Council needs to keep its physical and digital operations running for schools, medical centres, transport, businesses and the whole community, without interruption.
Cyber security is a business issue
The Council shares Quorum Cyber’s belief that cyber security isn’t really a technology issue, but a business issue where risk needs to be managed holistically. In the event of a sudden, damaging cyber-attack, systems and tools could be taken out of action at very short notice, or no notice – it’s then an urgent problem for the business.
“It’s important that cyber security is seen to be a business enabler and my cyber security strategy is aligned to the Council’s,” says Carol. “Quorum Cyber knows our architecture, they know us and our approach to cyber security.”
Protecting the whole community
As in any organisation, while building a strong cyber security posture is important, people are often the greatest asset, but only if they understand cybercrime. Employees need to be trained in how to spot phishing emails, maintain good cyber hygiene and stay safe online. One click on a malicious email could open the door to a breach which, in turn, could result in a ransomware attack later on.
This is why the Council is serious about cyber security education and training. The Council partnered with Get Safe Online, the UK’s leading internet safety organisation, and in 2019 it launched Ren Safe Online to teach citizens and employees about threats on the internet. The Council was also the first in Scotland to launch the Get Safe Online Ambassador training programme, training volunteers about online safety and how to recognise when someone is at risk of harm due to online threats such as scams or bullying. Ultimately, the Council’s long-term partnership with Quorum Cyber is a joint operation about protecting families, children and essential community services, and people’s data, identities and finances.
Big Bus Tours finds the perfect cyber security partner
As the largest operator of open-top sightseeing bus tours in the world, Big Bus Tours helps over 5 million people explore some of the most famous cities on Earth every year. Tourists can hop on and hop off to visit the main highlights in cities across Europe, North America, the Middle East and Asia-Pacific.
Although it was successfully growing its business across four continents, the company acknowledged that it needed to overhaul its out-of-date and inadequate cyber security to protect its assets and its customer data. So when it was forced to freeze its services during the coronavirus pandemic, the IT team took the opportunity to simplify the whole security infrastructure, consolidating to a Microsoft security stack by June 2022.
Searching for the perfect partner
Part-way through the transformation programme they set out to find a qualified cyber security partner to protect their private equity-owned international business from the growing threats posed by cybercriminals to every organisation in any industry. They were specifically looking for a Security Operations Centre (SOC) to monitor and respond to any suspicious incidents across their IT estate around the clock.
Initially expecting this to be a fairly straightforward and easy exercise, they soon discovered they had to search high and low for a trusted Microsoft-first cyber security expert that could offer a simple, transparent service relevant to their needs. With a relatively small IT and security team, the company wanted to know exactly what security benefits and value they would receive for their investment.
However, despite a number of companies being willing to work with them, it eventually took eight months for Big Bus Tours to identify the ideal UK-based partner that could deliver a service tailored to their needs and offer a fair price and sensible payment model to match. Quorum Cyber’s services and strong partnership approach were instantly very appealing.
Professional services with a simple, transparent pricing model
“It was the perfect fit,” says Dave Knowles, Chief Technology Officer for Big Bus Tours. “We found other companies to be very complicated to deal with – they just wouldn’t give us straight answers to our questions. Companies were trying to sell us things we didn’t need. It was a painful, frustrating experience and wasted a lot of our time.”
Before approaching Quorum Cyber, the tourism company’s cyber security set-up consisted of many different products and platforms from multiple vendors, making it laborious and time-consuming for the team to manage. Having started the transformation programme to consolidate their estate and move to a Microsoft-first environment, they needed a security partner who could support them on their journey and bring the right expertise to complement their own.
“One of the largest challenges we have is communicating with our diverse international team members – who aren’t all tech-savvy – to ensure they have adequate cyber security awareness training and don’t fall for the carefully crafted phishing emails we see,” explains Dave.
Feeling more confident after just the first conversation, Big Bus Tours signed up for the Microsoft Sentinel Managed Detection & Response (MDR) service. It’s run by Quorum Cyber’s SOC team who apply a combination of human ingenuity, knowledge and creativity backed by automated software to monitor an organisation’s entire IT estate.
Protection, confidence and peace of mind
“We feel that Quorum Cyber truly understands the ongoing threat landscape and protects our Chairman, C-suite and wider team from potentially dangerous phishing emails and other threats,” Dave continues. “Their team is very knowledgeable with their delivery, so we feel really confident in our security maturity and that we’re being looked after. I sleep much sounder knowing we have the Quorum Cyber team looking after us.”
Big Bus Tours’ short- to mid-term security goal is to maintain, or improve upon, the previous security score they were awarded in the parent company's security assessment. This is set against a more unstable geopolitical climate during the past 12 months, when cyber incidents have increased in frequency and complexity.
The company is looking forward to building on what the partnership has achieved so far. “The next step is for Quorum Cyber to help us be more proactive in our security operations and assist us in making the progress we’ve made just business as usual.”
Microsoft Solutions
- Microsoft Sentinel
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Office 365
- Microsoft Defender for Cloud Apps













