Bridgewater’s offerings rely on multiple cloud services and vendors that each have their own architectures and approaches, which makes managing the security, governance, and inventory of its entire environment challenging.
Previously, Bridgewater compiled inventory and security reports manually, but as the company acquired more cloud resources, the task took its toll on the team.
Bridgewater needed a solution that would help deliver visibility into its entire hybrid and multi-cloud environment to maintain the level of security it requires.
Wiz helps Bridgewater to contextualize data points around cloud resources and controls to understand how they interact with each other, painting a clearer picture of its entire hybrid and multi-cloud environment.
Wiz Security Graph frees up Bridgewater’s critical infrastructure and security teams from the manual work of compiling security reports, enabling them to concentrate on more strategic and impactful work instead.
Wiz provides broad visibility, allowing rapid response to and prioritization of vulnerabilities (e.g., Log4Shell).
Innovating while maintaining mission critical security
Driven by a desire to understand the fundamental and timeless linkages that drive how the world’s markets and economies work, Bridgewater Associates is a premier asset management firm managing about $150 billion for institutional investors worldwide. The company uses technology to systematically generate, validate and execute on its views on the markets. As the company innovates, its technical infrastructure increases in complexity, which then requires advancements in its mission critical security program to match it.
“As global macro investors, we must translate insights into investing strategies,” says Igor Tsyganskiy, President & CTO at Bridgewater Associates. “On any given day, we can execute billions of dollars in trades across hundreds of markets worldwide, so technology and security are critically important to us.”
Improving efficiency in a multi-cloud infrastructure
Having worked with both AWS and Azure for many years, today Bridgewater’s mission-critical systems are all in the cloud. The company needed to transform to keep up with a quickly evolving digital landscape where the cloud is changing in a way that could lead to exposures if those changes are not accounted for.
“Security is the prime principle of how we build software, but dealing with cybersecurity is like skiing on broken ice over a river; the river is flowing, the ice is moving, and you have to skate. You don’t know what your next move will be. You only know that there will be one, otherwise you’ll fall in the water.”
Igor Tsyganskiy, President & CTO, Bridgewater Associates
Traditionally, managing all these resources required significant manual effort. Each service has different configurations, and each small change can introduce new vulnerabilities. Keeping up was taking its toll on Bridgewater’s critical infrastructure and security teams, who spent hours collating inventory and security reports manually. Their goal was to create an in-house security graph in order to track the assets they wanted to protect, as well as the relationships between these assets and role types. But this time-consuming effort still couldn’t keep up with the constantly changing nature of the cloud or provide the full picture Bridgewater needed to maintain the level of security it requires.
Selecting the right tools to match speed with security
When looking for solutions, Bridgewater wasn’t interested in bespoke security products that could tackle only one aspect of the problem. The company had 3 additional criteria when evaluating a security tool:
How complete the tool is, in terms of accounting for cloud resources, data, data plane, identity, control plane, and the relationships between them
Ease of deployment, with no need for agents or a lengthy development cycle with ongoing upgrades
Impressed by Wiz’s ability to deploy in hours, even for the most technical of architectures, the team selected Wiz as its trusted security partner. In fact, “Wiz came on top of all those criteria during our evaluation,” says Rob Bruce, Head of Critical Infrastructure at Bridgewater. “We deployed Wiz via control plane actions to 200 accounts very easily and within hours, we had the full power of Wiz explaining to us what was going on in our environment. Nothing has ever matched that in terms of quick, painless deployment and no-maintenance after the fact.”
“From the point of engagement to the point of ROI, it was easy to choose Wiz. We hadn’t even paid and already got results. Nowhere else was this process so fast.”
Igor Tsyganskiy, President & CTO, Bridgewater Associates
Bringing visibility to a complex environment with ease
Bridgewater quickly saw the value of Wiz during Log4Shell, when the company used Wiz to rapidly see, prioritize, and address at-risk instances of Log4j that it hadn’t known were there. “When Log4Shell started breaking out, we wanted to know the extent of our exposure. Within days, Wiz found it was 100 times more than we initially thought,” Tsyganskiy recalls.
This was possible because Wiz scans every layer of Bridgewater’s cloud environments to provide complete visibility into every technology running in its cloud, without blind spots. Wiz’s container registry scanning proved important for Bridgewater, considering the complex technology infrastructure it is protecting: cloud resources sit on both AWS and Azure, and containers run on AKS and EKS, managed with Kubernetes.
“The Log4J situation highlighted how remarkable Wiz is: there are plenty of tools out there that can tell you where Log4J is, but nobody else was able to tell you what mattered and what didn’t in that scenario.”
Rob Bruce, Head of Critical Infrastructure, Bridgewater Associates
Additionally, Bridgewater uses the Wiz Security Graph to contextualize data points around cloud resources and controls. “Wiz is the only company we’ve found that is taking this approach of pulling in all relevant data points from the inventory to build a security graph with analytics built on it,” says Bruce. The result is a security graph that shows Bridgewater the interconnections between technologies running in its multi-cloud environment, all from a single console.
“Team members who used to collate security reports manually are now freed from the task to focus on more impactful and valuable work,” adds Tsyganskiy.
Improving security across the organization
Bridgewater is distributing security across the organization by creating custom frameworks such as CIS benchmarks for development teams. “Wiz allows us to quickly push out relevant work to those who can act on it,” says Bruce. “We rolled out our custom frameworks within a few weeks and immediately started to see traction against our issues.”
Developers were quick to embrace Wiz, with nearly every mission-critical development team across the firm adopting Wiz within 30 days, and teams immediately gained more autonomy in resolving issues. Bridgewater also integrated Wiz with Jira to automate its ticketing system; developers then work through these tickets during their sprints to remediate risks efficiently and within their existing workflows.
Since the adoption of Wiz, development teams are now able to continuously maintain and improve the security of their products because team members now see things they couldn’t see before: new exposure paths, toxic combinations, how all cloud services and containers are configured, and how any changes can impact the overall system.
Continuing to secure a growing environment
Next, Bridgewater aims to optimize its use of Wiz Inventory management. “There’s huge potential for where we can go with inventory management using Wiz. We’ll better understand where our machines are, whether they’re meeting our BCP standards, and if they’re in line with our best practices,” Bruce explains.
In Bridgewater’s quest for unified security across all their cloud environments, they are excited to extend Wiz into their hybrid and on-premises VMware environments. Wiz brings visibility and risk reduction to their hybrid cloud in one single platform, and the team is looking forward to rolling it out further. As Tsyganskiy explains, “There is no private cloud or public cloud, there is just cloud. We are in AWS and Azure and we have some VMware racks that will always be there. If our VMware environment is not secure, our public clouds are not secure, and vice versa.”
“With Wiz, our cloud security team gains a unified view of our security posture and knows what we need to cover across our entire interconnected environment.”
Igor Tsyganskiy, President & CTO, Bridgewater Associates
Additionally, the company is looking at Wiz Cloud Detection and Response (CDR) to better manage cloud events, with context, as they unfold. “Wiz CDR enables us to not only see where there’s a threat, but also to understand how worried we should be about it – this feature is all about effective prioritization.”
Beyond cybersecurity, the company is engaged in next-generation research that calls for scalability. “Our research reconciles what’s happening in microenvironments, such as a company, with what’s happening globally,” explains Tsyganskiy. “The goal is to enable our investors to understand what’s happening on a level we’ve never seen before to enhance their productivity.” Powering this project could expand Bridgewater’s environment many times over. With Wiz in its arsenal, Bridgewater is confident that it can face any future changes.
“Our ambitions are leading us toward a completely new landscape for cybersecurity. It’s hard to say where the journey will take us, but I know it will be hard, challenging, interesting, and exciting,” Tsyganskiy concludes.