An American Financial Services Company achieves actionability across vulnerabilities and assets with JupiterOne

Challenges

  • Vulnerability management requires multiple siloed scanning tools and databases
  • Inability to correlate assets with vulnerability findings

Results

  • Vulnerabilities and assets are ingested, aggregated, and normalized in a single platform
  • Complete visibility and centralized repository of vulnerabilities and assets
  • Vulnerability management team can achieve more with fewer resources
  • Improved internet-facing security and risk posture
  • Company-wide self-servicing for asset discovery and management

Vulnerability Management at an American Financial Services Company

The Head of Vulnerability leads the company’s asset and attack surface management program. Their team is actively responsible for securing all cloud resources, physical devices, and SaaS applications that process sensitive financial and customer data across the financial services company.

The company’s vulnerability management group needs to ensure that they are discovering, triaging, fixing, and continuously monitoring for any critical vulnerabilities and misconfigurations associated with the organization’s most critical assets.

CHALLENGE

Vulnerability Management Needs More Than Siloed Scanners and Databases

The American financial services company’s vulnerability team had been searching for a better solution to help the team level up its vulnerability management and asset management programs. Visibility  into important security metrics are top of mind for the vulnerability  management group, as it determines how quickly the team can discover  new vulnerabilities in order to triage, fix, and close them out in an efficient  and timely manner. The work they do to protect the organization is highly  visible. For example, the vulnerability team and their security metrics (e.g. mean  time to discover, triage, and fix vulnerabilities, etc.) are shared across the  organization, as they are a critical priority for the American financial services company’s security strategy  and program.  

“There’s a huge problem in the industry of different products building their own databases of vulnerabilities. We have many vulnerability scanning  products that show us threats and risks. But each is selling their own individual vulnerability databases with their own associations. The problem we face is that all of these databases don’t agree with each other. Even when someone has an asset management database, there’s a huge challenge in getting vulnerabilities into that database and connecting them to assets  in a meaningful way,” said the Head of Vulnerability at the American financial services company.

The American financial services company’s vulnerability team needed a better way to do vulnerability management  in order to continue to keep their platform and users secure. The first order of business for the team was to shift the way the organization viewed vulnerability management. By shifting the focus away from constant patching and toward continuous risk management, the team could start focusing on why the assets themselves have vulnerabilities attached to them and begin filtering problems by risk level.

"We believe Vulnerability Management is more about Asset Management, Attack Surface Management, and Risk Management than pure patching. Our team’s goal is to understand our current security posture as close to real-time as possible, and to properly prioritize action for deviations from ideal state."


Head of Vulnerability at American Financial Services Company

SOLUTION

American Financial Services Company Achieves Collaborative Vulnerability Management and Asset Management That Actually Works

Prior to JupiterOne, the American financial services company followed the typical approach to asset management  — going through all their different database sources and tools,  manually translating all the asset metadata, pulling the data  into an Excel spreadsheet, and manually mapping assets  and vulnerabilities.  

“This is a very human-intensive process and it’s not automated.  It’s not like real asset management,” said the Head of Vulnerability team.  

Although the vulnerability management team had set up  automated workflows for their scanning tools to bring  awareness of their vulnerabilities, the ongoing challenge was  that their vulnerabilities data and processes weren’t correlated  with their asset management solution. This kept the team in  the dark about additional vulnerabilities, their connections, and how they could inadvertently exploit each other.

In their search for a better way to discover, automate, and  manage vulnerabilities across their entire asset ecosystem, the  vulnerability team evaluated several solutions. As a fintech  company, the American financial services company has stringent compliance requirements  to meet. The team built a vulnerability management program that clearly defined everything for compliance requirements, and that could also continue to effectively protect sensitive customer and financial data.

With JupiterOne, the American financial services company now ingests, aggregates, and normalizes all critical  vulnerability and asset data through their homegrown tools and commercial security solutions. With a centralized repository of their entire vulnerability database and asset ecosystem, the Vulnerability  team can now effectively achieve a risk-based approach to  managing the American financial services company’s asset ecosystem.

The vulnerability team uses JupiterOne’s Queries as a  foundation for their program to create an echelon of risk  scoring to continuously monitor and alert on both managed  and non-managed assets that are critical to their business. If  any managed critical asset with a vulnerability exceeds their set risk threshold, the team is alerted immediately, and a ticket is assigned to the appropriate team, where immediate action  can be taken to fix the vulnerability.  

“What we’ve built starts with asset management from  JupiterOne at the center. It serves as a single system of record  for all asset types across the company — EC2 databases, IP  addresses, applications, code, repositories, DNS, endpoints  … everything,” said the Head of Vulnerability. “We went with JupiterOne for this  because it is based on a graph database, and has lots of features  around asking questions. Once you ask the questions you can  do really powerful stuff with the results.”

Key Integrations

AWS
Jira
GitHub
Okta
HackerOne
Snyk
VMware
Google
Slack
Orca

RESULT

A Better Questions-Based Approach to Security, Continuous Monitoring, and Reporting with JupiterOne

For years, the Head of Vulnerability has been a known  advocate for asset management in  the security industry. Prior to joining the American financial services company, he championed the idea of  a questions-based approach. These were called “attack surface questions.”

“My approach for vulnerability and asset  management is fairly straightforward —  regardless of the tech I use, these are  the questions I care about and I want  to know the answers at this cadence,”  said the Head of Vulnerability.

“When I was shown JupiterOne,  that’s exactly what I got. JupiterOne’s Queries are the centerpiece to  everything that we do and always gives  us actionability. JupiterOne’s Query Language allows me to query any asset  across any dataset and I can save it as  a question and an alert. It turns out,  JupiterOne was exactly the model I had  advocated for and was the product that  should’ve always existed.”

Using JupiterOne, the team can transform highly specific questions into continuous, automated queries that actively monitor the environment and trigger actions when conditions are met. For example, they can automatically query and map all S3 buckets across their AWS environment, identifying critical attributes such as encryption status, access policies, and public exposure. This enables the team to quickly detect and address any misconfigured or non-compliant S3 buckets that pose security risks, such as those lacking encryption or being publicly accessible.

By integrating this process with the AWS CIS Foundations Benchmark, specifically the controls that mandate S3 bucket encryption and restricted access, the team ensures that its storage environment aligns with the framework's recommendations. This proactive approach not only reduces the risk of data breaches but also simplifies audits, as the organization can demonstrate compliance with industry standards and regulatory requirements.

By centralizing queries in one platform, JupiterOne eliminates the need to query individual tools, significantly streamlining the vulnerability management workflows of American financial services company. Through integrations with AWS Analyzer and Inspector, JupiterOne consolidates vulnerability findings into a unified view, greatly enhancing the team's ability to manage and mitigate risks. This aggregated data provides a comprehensive overview of asset vulnerabilities, simplifying the identification and prioritization of remediation efforts. The holistic approach aligns seamlessly with the PCI DSS v3.2 framework, which emphasizes the importance of continuous vulnerability management and secure system configuration. By bringing these findings together in a single platform, the team can address vulnerabilities more swiftly and efficiently, supporting PCI DSS compliance while reinforcing the organization’s overall security posture.

"My approach for vulnerability and asset management is fairly straightforward — regardless of the tech I use, these are the questions I care about and I want to know the answers at this cadence. When I was shown JupiterOne, that’s exactly what I got. JupiterOne’s Questions is the centerpiece to everything that we do and always gives us actionability."


Head of Vulnerability at American Financial Services Company

Among the benefits of using JupiterOne, the ability to optimize and scale resources has been key for American financial services company. “A JupiterOne query takes a few seconds and if we did it the manual way, it would take several minutes to get the answers to the same question.” Before JupiterOne, the team estimates that it would have taken 20 times longer to achieve what they can accomplish in the JupiterOne platform with a single query.

The team also leverages JupiterOne data and metrics as part of their primary security reporting process when  sharing results and metrics up to the  company’s executives, board members,  and all employees at the American financial services company. When  the American financial services company’s SLA success rate suffered  from inefficient discovery, assessment,  triage, and remediation, JupiterOne’s  continuous search for vulnerabilities and  acceleration of these activities took their  team from spending up to two days on  discovery alone to close to five minutes  in total. Not only did their ability to  meet SLAs improve for each part of the  process, JupiterOne’s up-to-date metrics  dashboards made it easy to compare “success rate across teams and provided  critical, contextual knowledge that  illuminated hidden information behind  each SLA’s performance.

The majority of the American financial services company’s  security team is now using JupiterOne.  The vulnerability management team  continues to ingest new integrations  and data into the JupiterOne platform  to support their growing attack surface  and evolving needs. Even colleagues in  engineering and across other parts of  the company are now using JupiterOne’s  Queries to discover and monitor  assets related to their own teams.  

“The great thing is that they’re all self serving on the JupiterOne platform,”  added the Head of Vulnerability.

SUMMARY

  • Vulnerabilities and assets are ingested, aggregated, and normalized in a single platform
  • Complete visibility and centralized repository of vulnerabilities and assets
  • Vulnerability management team can achieve more with fewer resources
  • Improved internet-facing security and risk posture
  • Company-wide self-servicing for asset discovery and management
American Financial Services Company achieves actionability across vulnerabilities and assets with JupiterOne
Reduced time spent on correlating vulnerabilities to a single asset by 20x
American Financial Services Company achieves actionability across vulnerabilities and assets with JupiterOne
Download PDF

About

Industries

FinTech
Trading Platform
Stock Exchanges
Cryptocurrency

Employees

1,000-5,000

Headquarters

United States
An American Financial Services Company achieves actionability across vulnerabilities and assets with JupiterOne
Download PDF

Keep Reading

Case Study
Okta Customer Identity Cloud transforms security into a business enabler

Learn how Okta has turned security into a business enabler by bringing secure-by-design products to market quickly.

Case Study
Mercury Financial tackles complexity with a single source of truth

Mercury Financial established complete cyber asset visibility across 130 integrations within one week.

Case Study
Indeed securely transitions to AWS with JupiterOne

With JupiterOne, Indeed gained a holistic view of all its asset relationships and attack surface alongside a broad cloud migration.