About the company
The company is a Japanese-based, global biopharmaceutical company focused on drug research and therapy development in oncology, gastroenterology, rare diseases, and neuroscience, in addition to investments in plasma-derived therapies and vaccines.
Massive digital transformation
The company has gone through a massive digital transformation including building software in the cloud to support business activities from business intelligence to data science to patient engagement. They’ve modernized dozens of legacy applications, and their fast-moving development pipeline has allowed them to build hundreds of new applications.
The company has largely standardized on Amazon Web Services (AWS), and defines its infrastructure in HashiCorp Terraform, uses GitHub as its code repository, and runs its deployment process in GitHub Actions.
Cloud security process
As a leading pharmaceutical company, it has a lot to protect in the cloud such as: patient data, intellectual property, in-process R&D project information, corporate strategic plans, non-public financial results, and more.
For cloud security, the company started using cloud security posture management (CSPM), static application security testing (SAST), software composition analysis (SCA), secrets scanners, and vulnerability scanners across development, pre-production, and post-production. They consolidated tools, standardizing on GitHub Advanced Security (including Dependabot) and Wiz.
With all of that development, vulnerabilities grew and so did their alert backlog. Prior to streamlining their process and consolidating tools, the team’s backlog grew to an untenable 6.1 million alerts in just 18 months. The security team needed to reduce noise and prioritize the issues. Specific challenges included:
1. Pipeline visibility
The security team was unable to see what software projects were in place and what the architecture looked like. They couldn’t control process hygiene, such as contractor access to GitHub using non-company emails or rogue pipelines outside the security monitoring process.
2. Alert explosion
Alerts exploded, topping out at 6.1 million at the high point. Many of these alerts were duplicates from across tools, and often alerts would recur because developers weren’t able to fix issues at the source.
3. Issue ownership
As alerts arose, the security team struggled to track down code owners quickly. They kept massive spreadsheets and attended countless calls to find the right people and share information.
4. Slow remediation
As a result of these challenges, the company’s remediation was slow and cumbersome. Its MTTR for “critical” issues was 30 days.
The solution: Dazz
To address the massive backlog and make its cloud security process sustainable, the security team purchased the Dazz Remediation Cloud.
The team connected Dazz to GitHub and its security tools with a simple API integration, which enabled them to discover and map all of the organization’s code-to-production development pipelines. In a single pane of glass, Dazz showed which tools were in use, automatically deduplicated alerts by more than 1,000:1, and identified the code owner of each unique issue based on an analysis of the code repository and its change history.
Dazz also auto-generated developer-friendly fixes right in the developer’s workspace. Code owners could fix issues in a fraction of the time, cutting mean time to remediation (MTTR) by 77% and closing the risk window from 30 to 7 days.
- Discover - Understand the deployment process from code to cloud, unify cloud risk from all tools, and identify architecture gaps.
- Reduce - Clean up the noise: deduplicate and prioritize CVEs and misconfigurations based on their unique root causes, and automatically find their owners.
- Fix - Concise, contextual, and actionable process for remediation, from detection to deployment.
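The two mechanisms the case study credits with shrinking the backlog, collapsing alerts from several tools onto their shared root cause and attributing each unique issue to an owner from the repository's change history, can be illustrated in a few dozen lines. The script below is an added example written for this page; it is not Dazz's code and makes no claim about how Dazz implements either step. The alerts, the git-history tuples, the repository names and the e-mail addresses are all constructed sample data, and the "root cause" key (repository, file path, finding id) is an assumption chosen for the example.

```python
"""Added example (not Dazz's code): collapse multi-tool alerts onto their root
cause and attribute each unique issue to a code owner using change history.
All data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    tool: str
    repo: str
    path: str
    finding: str   # CVE id or scanner rule id
    severity: str


# Constructed alerts: three tools, overlapping findings, one finding re-reported
# on every scan because the underlying dependency was never updated.
SAMPLE_ALERTS = [
    Alert("dependabot", "org/patient-portal", "package-lock.json", "CVE-0000-00001", "critical"),
    Alert("wiz", "org/patient-portal", "package-lock.json", "CVE-0000-00001", "critical"),
    Alert("wiz", "org/patient-portal", "package-lock.json", "CVE-0000-00001", "critical"),
    Alert("codeql", "org/patient-portal", "src/api/upload.py", "py/path-injection", "high"),
    Alert("wiz", "org/etl-jobs", "terraform/s3.tf", "aws-s3-public-read", "high"),
    Alert("wiz", "org/etl-jobs", "terraform/s3.tf", "aws-s3-no-encryption", "medium"),
]

# Constructed git-log style history: (repo, path, author e-mail), one row per commit.
SAMPLE_HISTORY = [
    ("org/patient-portal", "package-lock.json", "contractor@example.org"),
    ("org/patient-portal", "package-lock.json", "alice@example.com"),
    ("org/patient-portal", "package-lock.json", "alice@example.com"),
    ("org/patient-portal", "src/api/upload.py", "bob@example.com"),
    ("org/etl-jobs", "terraform/s3.tf", "carol@example.com"),
]

COMPANY_DOMAIN = "example.com"          # assumption: internal staff use this domain
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def root_cause_key(alert):
    """Alerts that point at the same finding in the same file share one root cause."""
    return (alert.repo, alert.path, alert.finding)


def deduplicate(alerts):
    """Group alerts by root cause, keeping the worst severity and the set of reporting tools."""
    groups = {}
    for a in alerts:
        g = groups.setdefault(root_cause_key(a), {"severity": a.severity, "tools": set(), "count": 0})
        g["tools"].add(a.tool)
        g["count"] += 1
        if SEVERITY_RANK[a.severity] < SEVERITY_RANK[g["severity"]]:
            g["severity"] = a.severity
    return groups


def attribute(history, repo, path, company_domain=COMPANY_DOMAIN):
    """Most frequent company-domain committer of the file becomes the owner;
    non-company committers are surfaced as a process-hygiene signal."""
    counts = defaultdict(int)
    for h_repo, h_path, email in history:
        if (h_repo, h_path) == (repo, path):
            counts[email] += 1
    internal = {e: n for e, n in counts.items() if e.endswith("@" + company_domain)}
    external = sorted(e for e in counts if e not in internal)
    owner = max(internal, key=internal.get) if internal else "UNASSIGNED"
    return {"owner": owner, "external_authors": external}


def triage(alerts, history):
    """Return one ticket-sized issue per root cause, worst severity first."""
    issues = []
    for (repo, path, finding), g in deduplicate(alerts).items():
        issue = {"repo": repo, "path": path, "finding": finding,
                 "severity": g["severity"], "tools": sorted(g["tools"]),
                 "raw_alerts": g["count"]}
        issue.update(attribute(history, repo, path))
        issues.append(issue)
    issues.sort(key=lambda i: (SEVERITY_RANK[i["severity"]], i["repo"], i["path"]))
    return issues


def dedup_ratio(alerts, issues):
    """Raw alerts per unique issue, the figure the case study quotes as 1,000:1."""
    return len(alerts) / len(issues)


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS, SAMPLE_HISTORY)
    print(f"{len(SAMPLE_ALERTS)} alerts -> {len(result)} issues "
          f"({dedup_ratio(SAMPLE_ALERTS, result):.1f}:1)")
    for issue in result:
        print(issue)
```

On the constructed data six alerts collapse to four issues, the critical CVE is attributed to the internal committer who touched the lock file most often, and the contractor address committing under a non-company domain is reported alongside it, which is the kind of hygiene gap the "Pipeline visibility" challenge describes. In a real deployment the alert list would come from the scanners' APIs and the history from `git log --format=%ae -- <path>`, and the root-cause key would usually need to account for a dependency being vulnerable in many lock files at once.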
Next up on the company’s agenda is to roll out Dazz to the remaining 300 engineers, and enable them to streamline their entire workflow in the Dazz Remediation Cloud.