About the customer
BHG Financial, LLC is a leading provider of lending, and risk and regulatory management services. The company also provides private equity and venture capital valuation processes.
The BHG engineering team develops dozens of applications in a fast-moving, cloud-based CI/CD pipeline process. They have mostly standardized on Azure, but have a few projects on-premises for which they use an internal code repository. They use Azure DevOps, Pipelines, and ACR for their code repository and to build, test, and deploy their software, as well as Terraform to define their infrastructure.
Efforts to secure development
The company’s security program includes monitoring its software development lifecycle (SDLC). They have mostly standardized on Azure, but have a few projects on-premises for which they use an internal code repository. They use Azure DevOps, Pipelines, and ACR for their code repository and to build, test, and deploy their software, as well as automation tools to define their infrastructure.
As their cloud development efforts grew, the team began to experience an unsustainable increase in alert noise and an inability to address risk in a unified, efficient way. Specifically:
1. Pipeline visualization
The company generated many thousands of alerts based on vulnerabilities and misconfigurations in their software pipelines. Many of these were duplicates, often from detecting the same issue in multiple stages of development, such as QA, staging, and production. This meant that just a handful of root causes could mushroom into hundreds of alerts.
2. Risk unification
The team struggled to get a unified view of their risk. With multiple tools, each detecting issues in a slightly different way and with no way to connect those detections to the resources in the pipeline, it was impossible to gather, analyze, and prioritize the alerts and make them actionable for developers without significant manual effort.
3. Cloud governance
The team found that not all of their code repositories were being monitored as part of their SCA program, which meant they weren’t getting the entire benefit of a “shift left” security stance. Beyond pipeline coverage, the team also wanted to shore up secrets in code to prevent inadvertent data exposures.
The solution: Dazz
To address these issues, the company invested in the Dazz Remediation Cloud. With a simple API-based integration, the team connected Dazz to the company’s cloud repositories and detection tools to map its code-to-cloud development pipelines. In a single pane of glass, Dazz showed them all of their cloud development resources and how they were integrated, uncovered unmonitored pipelines, and sussed out secrets in code.
The Dazz Smart Root Cause Engine reduced the alert noise to a fraction of root causes, including mapping 34% of all cloud misconfigurations to just 20 root causes, and tracing 45 misconfiguration alerts in Azure Cloud Defender back to a single Terraform module.
The team took advantage of the ability to map user access and permissions between their directory service and Dazz, as well as to automatically find code owners and connect them to the projects they work on. By establishing these relationships in Dazz, the team is now able to facilitate efficient remediation of root causes, leading to a sustainable, developer-driven cloud security process.
- Discover - Understand the deployment process from code to cloud, unify cloud risk from all tools, and identify architecture gaps.
- Reduce - Clean up the noise: deduplicate and prioritize CVEs and misconfigurations based on their unique root causes, and automatically find their owners.
- Fix - Concise, contextual, and actionable process for remediation, from detection to deployment.
The company’s security team is using Dazz as its central point of truth for its own work and for reporting across security architecture and business units. Next steps will be to use Dazz workflows to enable self-service remediation.