An American Financial Services Company achieves actionability across vulnerabilities and assets with JupiterOne

Challenges

  • Vulnerability management requires multiple siloed scanning tools and databases
  • Inability to correlate assets with vulnerability findings

Results

  • Vulnerabilities and assets are ingested, aggregated, and normalized in a single platform
  • Complete visibility and centralized repository of vulnerabilities and assets
  • Vulnerability management team can achieve more with fewer resources
  • Improved internet-facing security and risk posture
  • Company-wide self-servicing for asset discovery and management

Vulnerability Management at an American Financial Services Company

The Head of Vulnerability leads the company’s asset and attack surface management program. Their team is actively responsible for securing all cloud resources, physical devices, and SaaS applications that process sensitive financial and customer data across the financial services company.

The company’s vulnerability management group needs to ensure that they are discovering, triaging, fixing, and continuously monitoring for any critical vulnerabilities and misconfigurations associated with the organization’s most critical assets.

CHALLENGE

Vulnerability Management Needs More Than Siloed Scanners and Databases

The American financial services company’s vulnerability team had been searching for a better solution to help the team level up its vulnerability management and asset management programs. Visibility into important security metrics is top of mind for the vulnerability management group, as it determines how quickly the team can discover new vulnerabilities in order to triage, fix, and close them out in an efficient and timely manner. The work they do to protect the organization is highly visible. For example, the vulnerability team's security metrics (e.g. mean time to discover, triage, and fix vulnerabilities) are shared across the organization, as they are a critical priority for the American financial services company’s security strategy and program.

“There’s a huge problem in the industry of different products building their own databases of vulnerabilities. We have many vulnerability scanning products that show us threats and risks. But each is selling their own individual vulnerability databases with their own associations. The problem we face is that all of these databases don’t agree with each other. Even when someone has an asset management database, there’s a huge challenge in getting vulnerabilities into that database and connecting them to assets in a meaningful way,” said the Head of Vulnerability at the American financial services company.

The American financial services company’s vulnerability team needed a better way to do vulnerability management in order to continue to keep their platform and users secure. The first order of business for the team was to shift the way the organization viewed vulnerability management. By shifting the focus away from constant patching and toward continuous risk management, the team could start focusing on why the assets themselves have vulnerabilities attached to them and begin filtering problems by risk level.

"We believe Vulnerability Management is more about Asset Management, Attack Surface Management, and Risk Management than pure patching. Our team’s goal is to understand our current security posture as close to real-time as possible, and to properly prioritize action for deviations from ideal state."


Head of Vulnerability at American Financial Services Company

SOLUTION

American Financial Services Company Achieves Collaborative Vulnerability Management and Asset Management That Actually Works

Prior to JupiterOne, the American financial services company followed the typical approach to asset management: going through all their different database sources and tools, manually translating all the asset metadata, pulling the data into an Excel spreadsheet, and manually mapping assets and vulnerabilities.

“This is a very human-intensive process and it’s not automated. It’s not like real asset management,” said the Head of Vulnerability team.

Although the vulnerability management team had set up automated workflows for their scanning tools to bring awareness of their vulnerabilities, the ongoing challenge was that their vulnerabilities data and processes weren’t correlated with their asset management solution. This kept the team in the dark about additional vulnerabilities, their connections, and how they could inadvertently exploit each other.

In their search for a better way to discover, automate, and manage vulnerabilities across their entire asset ecosystem, the vulnerability team evaluated several solutions. As a fintech company, the American financial services company has stringent compliance requirements to meet. The team built a vulnerability management program that clearly defined everything for compliance requirements, and that could also continue to effectively protect sensitive customer and financial data.

With JupiterOne, the American financial services company now ingests, aggregates, and normalizes all critical vulnerability and asset data through their homegrown tools and commercial security solutions. With a centralized repository of their entire vulnerability database and asset ecosystem, the Vulnerability team can now effectively achieve a risk-based approach to managing the American financial services company’s asset ecosystem.

The vulnerability team uses JupiterOne’s Queries as a foundation for their program to create an echelon of risk scoring to continuously monitor and alert on both managed and non-managed assets that are critical to their business. If any managed critical asset with a vulnerability exceeds their set risk threshold, the team is alerted immediately, and a ticket is assigned to the appropriate team, where immediate action can be taken to fix the vulnerability.

“What we’ve built starts with asset management from JupiterOne at the center. It serves as a single system of record for all asset types across the company — EC2 databases, IP addresses, applications, code, repositories, DNS, endpoints … everything,” said the Head of Vulnerability. “We went with JupiterOne for this because it is based on a graph database, and has lots of features around asking questions. Once you ask the questions you can do really powerful stuff with the results.”

Key Integrations

AWS
Jira
GitHub
Okta
HackerOne
Snyk
VMware
Google
Slack
Orca

RESULT

A Better Questions-Based Approach to Security, Continuous Monitoring, and Reporting with JupiterOne

For years, the Head of Vulnerability has been a known advocate for asset management in the security industry. Prior to joining the American financial services company, he championed the idea of a questions-based approach. These were called “attack surface questions.”

“My approach for vulnerability and asset management is fairly straightforward — regardless of the tech I use, these are the questions I care about and I want to know the answers at this cadence,” said the Head of Vulnerability.

“When I was shown JupiterOne, that’s exactly what I got. JupiterOne’s Queries are the centerpiece to everything that we do and always give us actionability. JupiterOne’s Query Language allows me to query any asset across any dataset and I can save it as a question and an alert. It turns out, JupiterOne was exactly the model I had advocated for and was the product that should’ve always existed.”

With JupiterOne, the team can turn highly specific questions into full queries that continuously run and automatically trigger an action when a match is found, such as sending a notification via Slack or email, creating a Jira ticket, or running other custom actions. This, in addition to having a centralized location for all querying (eliminating the need to query individual tools), tremendously accelerates the American financial services company’s vulnerability management workflows. Among the benefits of using JupiterOne, the ability to optimize and scale resources has been key for the American financial services company. “A JupiterOne query takes a few seconds and if we did it the manual way, it would take several minutes to get the answers to the same question.” Before JupiterOne, the team estimates that it would have taken 20 times longer to achieve what they can accomplish in the JupiterOne platform with a single query.

"My approach for vulnerability and asset management is fairly straightforward — regardless of the tech I use, these are the questions I care about and I want to know the answers at this cadence. When I was shown JupiterOne, that’s exactly what I got. JupiterOne’s Questions is the centerpiece to everything that we do and always gives us actionability."


Head of Vulnerability at American Financial Services Company

The team also leverages JupiterOne data and metrics as part of their primary security reporting process when sharing results and metrics up to the company’s executives, board members, and all employees at the American financial services company. When the American financial services company’s SLA success rate suffered from inefficient discovery, assessment, triage, and remediation, JupiterOne’s continuous search for vulnerabilities and acceleration of these activities took their team from spending up to two days on discovery alone to close to five minutes in total. Not only did their ability to meet SLAs improve for each part of the process, JupiterOne’s up-to-date metrics dashboards also made it easy to compare success rate across teams and provided critical, contextual knowledge that illuminated hidden information behind each SLA’s performance.

The majority of the American financial services company’s security team is now using JupiterOne. The vulnerability management team continues to ingest new integrations and data into the JupiterOne platform to support their growing attack surface and evolving needs. Even colleagues in engineering and across other parts of the company are now using JupiterOne’s Queries to discover and monitor assets related to their own teams.

“The great thing is that they’re all self-serving on the JupiterOne platform,” added the Head of Vulnerability.

SUMMARY

  • Vulnerabilities and assets are ingested, aggregated, and normalized in a single platform
  • Complete visibility and centralized repository of vulnerabilities and assets
  • Vulnerability management team can achieve more with fewer resources
  • Improved internet-facing security and risk posture
  • Company-wide self-servicing for asset discovery and management
Reduced time spent on correlating vulnerabilities to a single asset by 20x

About

Industries

FinTech
Trading Platform
Stock Exchanges
Cryptocurrency

Employees

1,000-5,000

Headquarters

United States