Databricks Case Study: Greater Asset Visibility with JupiterOne

How Databricks automated asset discovery and ownership accountability to increase visibility and simplify vulnerability management.

As the leader in Unified Data Analytics, Databricks helps organizations make all their data ready for analytics, empower data science and data-driven decisions across the organization, and rapidly adopt machine learning to outpace the competition. By providing data teams with the ability to process massive amounts of data in the Cloud and power AI with that data, Databricks helps organizations innovate faster and tackle challenges like treating chronic disease through faster drug discovery, improving energy efficiency, and protecting financial markets.

Databricks' Story

The first requirement for any tool that Adam Youngberg, Kishore Fernando and the security engineering team at Databricks add is that it must enable the company to continue to achieve the highest level of security.

Security has always been at the core of Databricks’ mission. So when Adam and Kishore were brought on board at Databricks by Caleb Sima, VP, Security, they were tasked with finding or building a solution that enabled greater visibility and discoverability across their cloud assets, as well as the owners of those assets. “Centralization and Visibility can enable greater security and speedier remediation,” noted Adam.

Most asset management and configuration monitoring tools fell short on visibility, openness and flexibility. Not only that, most seemed to lean towards legacy, on-prem businesses, with cloud as an afterthought. They wanted something cloud-first.

“What we see in JupiterOne is something better than what we would have built ourselves, without actually having to build it. Being cloud-native, it really resonated that JupiterOne is cloud-first.”

Getting Up and Running

Traditionally, asset management and configuration monitoring tools can be time intensive and taxing to deploy, especially if they are a virtual appliance. Being 100% SaaS, JupiterOne prioritizes deployment speed and the time to first value for already busy security teams. Getting your resources ingested and mapped takes only minutes, whether your environment is complex or relatively simple.

“One thing we were pleasantly surprised by at the outset was how painless the integration process was,” Adam noted. “Within an hour and a half on that first day, we had ingested and confirmed that the data coming into JupiterOne from our AWS resources looked right. All of the managed integrations are painless.”

JupiterOne for S3 Bucket Security

One of the early objectives for Databricks was ensuring Amazon S3 bucket security. “When you think about security and vulnerability, you have to know about your assets. Leveraging Amazon GuardDuty for alerts is helpful, but it’s a reactive approach with limited input.”

For example, Adam could dive in to see which buckets appear exposed because they are publicly accessible. But there are situations where a bucket is not itself publicly accessible yet could still be exposed: if a bucket is only reachable via CloudFront, but the CloudFront distribution is public, then the objects in that bucket should also be considered public and exposed.

“We needed to be able to quickly and reliably know what S3 buckets existed, who owned them and whether they were publicly accessible themselves or via another service. Not only that, we wanted to move from being reactive to proactive in our vulnerability management. The only way to do that was to look at the relationships between the resources in our AWS environment.”

To move towards a proactive posture, Adam needed deeper details, such as the state of each cloud asset and the relationships between multiple services. This helps the team determine whether an asset's state is conducive to problems, making it easy to confirm the alerts they receive.
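The transitive exposure check described above, as an added illustration that is not JupiterOne's code or Databricks' data: a small constructed asset graph (buckets, CloudFront distributions, owners) in which one bucket is public on its own, one is private but served by a public distribution, and two are not reachable from anything public. The naive check looks only at the bucket's own flag; the relationship-aware check walks the graph from every public-facing entity and records the path that explains the exposure, then looks up the owner so the finding can be routed. Node and relationship names (`SERVES`, `ROUTES_TO`, `OWNS`) are assumptions chosen for the example.

```python
from collections import deque

# Constructed asset graph (illustration only, not real inventory data).
# Nodes: asset id -> properties. Edges: (source, relationship, target).
NODES = {
    "cdn-public": {"type": "aws_cloudfront_distribution", "public": True},
    "cdn-private": {"type": "aws_cloudfront_distribution", "public": False},
    "bucket-open": {"type": "aws_s3_bucket", "public": True},
    "bucket-behind-cdn": {"type": "aws_s3_bucket", "public": False},
    "bucket-behind-private-cdn": {"type": "aws_s3_bucket", "public": False},
    "bucket-internal": {"type": "aws_s3_bucket", "public": False},
    "alice": {"type": "Person", "email": "alice@example.com"},
    "bob": {"type": "Person", "email": "bob@example.com"},
}
EDGES = [
    ("cdn-public", "SERVES", "bucket-behind-cdn"),
    ("cdn-private", "SERVES", "bucket-behind-private-cdn"),
    ("alice", "OWNS", "bucket-behind-cdn"),
    ("bob", "OWNS", "bucket-open"),
]


def naive_public_buckets(nodes):
    """The reactive view: only buckets whose own ACL/policy flag says public."""
    return sorted(n for n, p in nodes.items()
                  if p["type"] == "aws_s3_bucket" and p.get("public"))


def exposure_paths(nodes, edges, asset_type="aws_s3_bucket",
                   via=("SERVES", "ROUTES_TO")):
    """Return {asset_id: path} for every asset of `asset_type` that is public
    itself or reachable from a public-facing entity over `via` relationships.
    The path records *why* the asset counts as exposed (e.g. which CDN)."""
    forward = {}
    for src, rel, dst in edges:
        if rel in via:
            forward.setdefault(src, []).append(dst)
    entry_points = [n for n, p in nodes.items() if p.get("public")]
    exposed = {}
    # Assets that are public in their own right need no path beyond themselves.
    for n in entry_points:
        if nodes[n]["type"] == asset_type:
            exposed[n] = [n]
    # Breadth-first walk from every public-facing entity; handles chains of
    # any length, not just the single CloudFront -> bucket hop.
    queue = deque((n, [n]) for n in entry_points)
    seen = set(entry_points)
    while queue:
        cur, path = queue.popleft()
        for nxt in forward.get(cur, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            if nodes[nxt]["type"] == asset_type:
                exposed.setdefault(nxt, new_path)
            queue.append((nxt, new_path))
    return exposed


def owners(nodes, edges, asset_id):
    """Emails (or ids) of entities with an OWNS relationship to the asset."""
    return sorted(nodes[src].get("email", src) for src, rel, dst in edges
                  if rel == "OWNS" and dst == asset_id)


if __name__ == "__main__":
    print("naive:", naive_public_buckets(NODES))
    for bucket, path in exposure_paths(NODES, EDGES).items():
        print(f"exposed {bucket} via {' -> '.join(path)}; "
              f"owners={owners(NODES, EDGES, bucket) or ['<unowned>']}")
```

On this data the naive check reports only `bucket-open`, while the relationship-aware check additionally flags `bucket-behind-cdn` with the path through `cdn-public` and resolves its owner, which is exactly the gap the paragraph describes. An unowned result is itself worth alerting on, since a finding with no accountable owner cannot be remediated quickly.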

“JupiterOne has become critical for S3 bucket security because it provides a really good line of sight into assets to get ahead of vulnerability management.”

Incident Response

Because of the ephemeral nature of many of the cloud assets used in Databricks products, it is important to be able to respond to reported vulnerabilities with data. Adam and the team use JupiterOne as a critical tool during their incident response and triage process; it is often the starting place for triage and for follow-up answers.

“If someone reports that an IP address owned by Databricks has security concerns, we are able to establish a timeline for when we actually owned the IP address, and whether the identified problems are actually ours. In many cases, the problem is for an address that was ours, but now belongs to someone else, and the security issue is not ours.” In cases where the vulnerability does belong to one of their assets, querying the graph makes it easy to assess what needs to be changed and who is responsible to change it. “This insight boosts confidence in our incident response process,” said Adam.

Beyond S3 Bucket Security

Adam uses the relationship queries in JupiterOne to review access controls for both their cloud and non-cloud digital assets.

“With most tools, it is pretty easy to see who has admin access. But when there are a lot of accounts the process is tedious.”

With JupiterOne, Adam and Kishore can review admin policy details across all tools and resources in a single UI. They can also run a query that displays accounts with root access that can in turn assume admin privileges on other accounts, for greater access visibility and security.

“For both of these cases, we have configured a JupiterOne query to gain visibility. That query is saved as a rule and we are quickly alerted when changes occur.”

Every JupiterOne query that we add answers a critical question for us and becomes its own use case.

Building on JupiterOne’s Openness with AWS

JupiterOne was designed to be open. Security engineering teams don’t need to wait for integrations to be added if they want more information centralized. They can leverage JupiterOne’s API to ingest the data. Not only that, JupiterOne’s graph data model will automatically map relationships on known entities.

Adam and Databricks built a Slack integration using JupiterOne’s API, an AWS Lambda function and Amazon CloudWatch for scheduling. The integration runs every 30 minutes and notifies the security team when changes to admin users are made, which should be a rare occurrence, and when the organization ownership changes. This integration helps ensure that those with high access aren’t making unexpected changes through the wrong channels.
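The two checks discussed above, the "who can reach admin, directly or by assuming a role" query and the scheduled "alert when the admin set or organization owner changes" job, as one added example. This is illustrative code, not Databricks' integration or JupiterOne's API: the two snapshots are constructed IAM-style data standing in for what consecutive scheduled runs would fetch, the policy names are assumptions, and posting to Slack and the Lambda/CloudWatch wiring are left out so the logic can run offline.

```python
# Constructed snapshots of identity data as two consecutive scheduled runs
# would see them (illustration only). Each snapshot lists users with their
# directly attached policies, roles with their policies, which roles each
# user may assume, and who owns the organization.
PREV_RUN = {
    "users": {"alice": ["AdministratorAccess"], "bob": ["ReadOnlyAccess"], "carol": []},
    "roles": {"BreakGlassAdmin": ["AdministratorAccess"], "Auditor": ["SecurityAudit"]},
    "assume": {"bob": ["Auditor"], "carol": ["BreakGlassAdmin"]},
    "org_owner": "alice",
}
THIS_RUN = {
    "users": {"alice": ["AdministratorAccess"], "bob": ["ReadOnlyAccess"],
              "carol": [], "dave": []},
    "roles": {"BreakGlassAdmin": ["AdministratorAccess"], "Auditor": ["SecurityAudit"]},
    "assume": {"bob": ["Auditor", "BreakGlassAdmin"], "carol": []},
    "org_owner": "dave",
}

# Policies treated as "admin" for this example (assumed set).
ADMIN_POLICIES = {"AdministratorAccess"}


def effective_admins(snapshot):
    """Map user -> how admin is obtained: 'direct' for an attached admin
    policy, or 'via:<role>' when the user can assume an admin role. This is
    the single view that replaces checking each account by hand."""
    admins = {}
    for user, policies in snapshot["users"].items():
        if ADMIN_POLICIES & set(policies):
            admins[user] = "direct"
            continue
        for role in snapshot["assume"].get(user, []):
            if ADMIN_POLICIES & set(snapshot["roles"].get(role, [])):
                admins[user] = f"via:{role}"
                break
    return admins


def detect_changes(previous, current):
    """Compare two runs and return alert lines for admin membership changes
    and organization ownership changes. An empty list means nothing to post,
    which should be the normal outcome of a 30-minute schedule."""
    before, after = effective_admins(previous), effective_admins(current)
    alerts = []
    for user in sorted(set(after) - set(before)):
        alerts.append(f"ADMIN_ADDED {user} ({after[user]})")
    for user in sorted(set(before) - set(after)):
        alerts.append(f"ADMIN_REMOVED {user} (was {before[user]})")
    for user in sorted(set(before) & set(after)):
        if before[user] != after[user]:
            alerts.append(f"ADMIN_PATH_CHANGED {user} {before[user]} -> {after[user]}")
    if previous["org_owner"] != current["org_owner"]:
        alerts.append(f"ORG_OWNER_CHANGED {previous['org_owner']} -> {current['org_owner']}")
    return alerts


if __name__ == "__main__":
    print("effective admins now:", effective_admins(THIS_RUN))
    for line in detect_changes(PREV_RUN, THIS_RUN):
        print("ALERT", line)  # a real job would post each line to Slack
```

Tracking the path to admin (direct versus via a specific role) and not just membership means a user who keeps admin but gains it through a new route still produces an alert; the constructed data shows `bob` acquiring admin through `BreakGlassAdmin`, `carol` losing it, and the organization owner changing in the same run.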

“The nice thing when creating our integration was that JupiterOne’s mapping was smart enough to determine that the email addresses added in our Slack integration matched those added by existing integrations, and mapped relationships properly and automatically, without any additional configuration from me.”

Because of the graph model, the Databricks security team was able to further validate that those with Slack admin access had also completed relevant KnowBe4 awareness training.

Always Speedy Support

Databricks uses the JupiterOne community Slack channel to collaborate directly with the JupiterOne engineering team.

“Whether I want help configuring a JupiterOne query, have an idea for simplifying a process in JupiterOne or come across an issue, the team at JupiterOne always responds and delivers quickly. Almost routinely, there are items in the release notes that come from requests we had put in – often within the same release, sometimes even the same day! It’s obvious how much impact customers have on the product.”

Final Thoughts

Leveraging JupiterOne, Adam, Kishore and the Security Engineering team at Databricks have been able to simplify and speed up vulnerability management and incident response while, most importantly, increasing their security.
