Blend is a cloud-first company that facilitates lending. They work to bring simplicity and transparency to financial services in an effort to make the world’s financial resources more accessible. Blend processes mortgages and other housing-related transactions for over 300 banks, credit unions, and other financial technology companies. Blend is the point-of-sale (POS) system that handles mortgage workflows, and thousands of users interact with its products on a daily basis, making cloud security of the utmost importance.
Blend constantly looks for ways to create value for its customers. In March of 2021 they acquired Title365, a top provider of title insurance and settlement services, to expand their service offering. According to the press release, “Together, Blend's technology platform and Title365's operational expertise in title, escrow, and settlement will help financial institutions more efficiently and effectively engage with consumers across a fully integrated home buying journey.”
Mergers and acquisitions (M&A) are always complicated. From a technology perspective, however, they are especially complex. How do you combine IT infrastructures and processes? How do you know which systems and servers to keep? Most importantly, how do you combine two enterprise IT organizations without disrupting business operations?
Paul Guthrie, Information Security Officer at Blend, needed to understand what cloud assets existed in the Title365 universe, and what Blend would be keeping in the acquisition. Paul and his team used JupiterOne to discover, map, and categorize all of the technology they would be acquiring.
Blend started with asset discovery, using JupiterOne to get a complete cyber asset inventory from all of the Title365 cloud service provider (CSP) accounts, Identity and Access Management (IAM) systems, Git repositories, and more. This included assets like datastores, IP addresses, endpoints, IAM permissions, users, access keys, devices, configurations, and code repositories. The newfound visibility gave them a firm understanding of the scope of the assets they needed to ingest.
Once all assets were identified, teams from both companies collaborated in real time to tag and identify which cyber assets would be transferred to Blend, and which needed to stay with Title365’s parent company. Without JupiterOne, this would have been an entirely manual process. The security, infrastructure, and information technology teams from both Blend and Title365 worked in parallel to complete the process in a few weeks.
Once the acquisition was complete, a new challenge arose: maintaining continuous compliance for all new cloud assets. Blend needed to enforce policies and best practices for cloud deployments across the recently expanded team, a practice often referred to as Cloud Security Posture Management (CSPM). Paul wanted to ensure that any newly created cyber assets were identified, understood, and met comprehensive security standards.
Paul found that without automation, disseminating cloud security standards to the co-located teams and enforcing them was nearly impossible. His security team set out to develop standards - including hardening, infrastructure requirements, and best practices - with the goal of shifting security further left, continuing to optimize workflows, and reducing bottlenecks in cloud asset management across teams. These standards were then turned into templates and distributed to various parts of the organization, ensuring continuous compliance of all cyber assets.
“There are firms that specialize in cloud security posture management (CSPM), but we’re more interested in driving continuous compliance through integrating an asset management platform like JupiterOne with our SOAR than actually using CSPM, because we can respond better to out-of-compliance assets by treating them like an incident, and performing automated responses when applicable.”
Incident response involves a lot of manual time and effort pulling information from disparate systems and trying to find connections and make sense of the data. By integrating their SIEM and Vulnerability Management tools into JupiterOne, Blend is able to rapidly respond to cyber incidents and calculate a blast radius for potential breaches.
The security team at Blend can ask questions through the JupiterOne console and discover where their vulnerabilities lie. They needed to understand things like:
In a recent example, Paul described the process his team used to identify a new zero-day vulnerability. They identified all the assets that were using Java, and then used JupiterOne to dig deeper into those cyber assets. The team was able to visualize the relationships and connections between assets and, with the new context provided by JupiterOne, quickly realized where issues existed. The security team remediated the vulnerability by the next morning, securing their environment from a potential attack.
“JupiterOne gives us a better and more complete identification of ‘like assets’, and empowers us to calculate an incident response plan for containment, eradication and recovery.”
Beyond streamlining M&A and enforcing CSPM, the Red Team at Blend also leverages JupiterOne as the foundation for their activities.
Cyber Red Teams are considered “offensive security” and according to NIST are “authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture.” To maximize efficiency, Red Teams need to have a complete and accurate inventory of all potential entry points to an enterprise.
Rather than depending on existing documentation or “what engineers have told them,” Red Team members at Blend were able to run a simple query, returning a list of all the externally facing IPs and endpoints detected by JupiterOne. They used this to establish the baseline of assets, ensuring Blend has 100% coverage on the entire public-facing enterprise. With this accurate picture of their asset universe, the Red Team was able to establish a test plan and start executing.
According to Paul, Blend “has other ways of getting the information, they’re just not as convenient. My team is finding they go into JupiterOne a lot, different people for different reasons, because it’s the most convenient way to get all the information together. We have a number of projects upcoming in 2022 that have JupiterOne as a core component as we mature our security program in the coming year.”