How ASOS used agentless scanning to tackle Log4j in hours

When Log4j hit, Wiz's agentless solution helped the ASOS security team identify where they had Log4j instances across their environment and quickly remediate any issues.

ASOS

Industry

Retail

Region

Global

Cloud Platforms

Azure
Ready to start?
Request a demo

Challenge

  • As they reached the latter stages of their journey towards being cloud native, ASOS needed a security partner that could scale and be as cloud native as they were.

  • When Log4j hit, ASOS needed a clean way to immediately identify where instances of Log4j where located.

  • ASOS needed the visibility, context, and automation necessary to prioritize and remediate Log4j.

Solution

  • Wiz’s agentless solution let ASOS get full coverage of their environment and identify all their instances of Log4j in hours.

  • Wiz gave ASOS the foundation needed to automate their compliance monitoring and security hardening efforts as they continue their journey towards being fully cloud native.

  • ASOS found a security partner that works at the scale they needed to create a source of truth for cloud security.

ASOS’ security journey as a cloud-first retailer

ASOS is a destination for fashion-loving 20-somethings around the world, headquartered in the UK. As a digital-first business, they invest heavily in the cloud, and are in the latter stages of becoming fully cloud native. They are primarily Azure users, and like many organizations, their security team supports a much larger engineering organization. To keep up with the speed of the engineering teams and the focus on the cloud, the security team only considers cloud-native solutions that can scale to the needs of their business.

As a team tasked with supporting a rapidly growing cloud estate, ASOS’ security team strives to find solutions that allow them to scale and get richer information about their cloud environments and any potential risks. They started their cloud security journey with native cloud security tooling, but as they matured, they wanted a more comprehensive picture of the potential cloud threats.

Log4j response and remediation strategy

The power of a comprehensive picture of ASOS’ environment and its potential threats was made abundantly clear when Log4j hit. Their immediate need was to understand exactly where in their environment they had Log4j. With Wiz’s support, the team developed full coverage of their environment and visibility into where they had instances of Log4j within hours. Wiz’s agentless scanning and deep insights into workloads helped ASOS quickly and accurately identify where they had Log4j across VM images, serverless, PaaS, and IaaS.

The lack of agents in Wiz was massively important to us. As our  infrastructure is constantly evolving, Wiz’ agentless solution helped us get 100% coverage quickly and at scale.

Brad Abel
Enterprise and Principal Security Architect, ASOS

ASOS also leveraged Wiz’s capabilities to support insight into third party libraries. This provided further visibility into their stack so they could understand the role each third party solution played in their environment, allowing them to prioritize the potential risk each one represented, and track which third party solutions were on top of addressing Log4j for themselves.

Context is crucial for being able to prioritize risk, and something that a lot of security tooling struggles with. A vendor’s perspective of what’s critical isn’t necessarily the same as ours. Wiz gives us the contextual view of potential risks in our environment so we can gain a better understanding of and prioritize them based on our knowledge of what’s critical.

Brad Abel
Enterprise and Principal Security Architect, ASOS

Once they had identified their instances of Log4j, the next step was prioritizing and remediating any issues. ASOS required a contextual view of each Log4j instance in the environment, so they could understand where each instance sat and how it related to the rest of the environment. Wiz supports ASOS in identifying this information and building recommendations for their remediation plan. As a result, they were able to quickly and efficiently take care of Log4j in their environment and report to their leadership team.

Log4j really proved the value of Wiz for us. Once we implemented Wiz, we quickly had a full plan for remediation that we could take to senior leadership.

Brad Abel
Enterprise and Principal Security Architect, ASOS

Achieving value beyond Log4j

ASOS continuously finds new ways to leverage Wiz. Wiz helps provide ASOS with an end-to-end picture of its cloud estate, while also empowering the team to dive into the details for specific potential risks. This creates a strong base for prioritizing and remediating vulnerabilities. To continue expanding that value, ASOS is creating plans for automating their security hardening process with Wiz. They are creating a continuous flow between Security Operations for monitoring issues and Security Assurance for identifying and packaging repeated patterns that they can shift left to the engineering team to fix in the development pipeline. Wiz provides the ability to identify these patterns, create these policies, and automate the implementation of them across the entire pipeline.

Wiz is an easy to use, easy to set up, incredibly powerful solution that is becoming one of the main toolsets in our belt. The volume and information we get from Wiz helps steer our focus moving forward.

Brad Abel
Enterprise and Principal Security Architect, ASOS

With its value proven through Log4j, Wiz has become a go-to platform for ASOS. From automation to compliance monitoring, ASOS is turning to Wiz for support more and more often. For a security team with stringent requirements for scale and cloud-native approaches for any tooling they use, ASOS has found a true partner in Wiz to build a source of truth for their cloud security.

Getting started is easy

Complete security for AWS, Azure, GCP, OCI, Alibaba Cloud, Kubernetes, and Openshift. Start securing your cloud with a 5 minute agentless install. Meet your new partner in cloud security.