Challenge
esure operates in a highly regulated industry where the protection of customer information is paramount.
esure lacked comprehensive visibility of its complex, multi-cloud environment.
An accelerated deployment cycle was making it harder for esure’s team to maintain security oversight.
Solution
esure can easily measure against compliance standards thanks to built-in Wiz frameworks and reporting.
The esure security team has consistent visibility across their multi-cloud environment, with a clear picture of risks across all clouds.
esure can prioritize risk using Wiz, enabling rapid remediation and allowing developers to focus on the most critical risks.
Switching to cloud and maintaining security
An innovator in the UK insurance market, esure pioneered the purchase of car and home insurance online. Security has been at the forefront of a digital transformation that has allowed esure to continue to disrupt the market and offer new products on a customer-focused platform. The company’s strategy is to be secure by design and embed security at every stage of development.
By decommissioning legacy technology and moving to the cloud, esure opened new opportunities, but also faced fresh risks. The company’s security team had limited visibility into their multi-cloud and complex environment and lacked clear risk prioritization. esure’s existing solution also produced constant alerts and false positives, making it difficult to identify which was most pressing. This meant that time was wasted triaging alerts that were not actual risks.
The biggest change from an on-premise environment to a cloud environment is just the sheer amount of attack vector that you need to secure.
Kenichi Shibata, DevSecOps engineer, esure
For Kenichi Shibata, DevSecOps engineer at esure, the big issue is how to prioritize hundreds of thousands of vulnerabilities, and then build reporting on top of it, so that the exec can see the level of risk. “In a sea of vulnerabilities, which ones do we look at?” says Shibata.
The deployment life cycle at esure has also gone from once every month to once every week, and is moving towards a single day, creating an even bigger security maintenance challenge. The team needed to ensure that this rapid deployment was supported, without compromising security. By building automation between the planning and deployment stages esure was able to identify security risks early on.
With a large and complex environment and ongoing maturation in the cloud, this was becoming an increasingly important priority. Wiz was identified as the best fit for esure due to its focus on risk prioritization and the centralized features of its CNAPP platform that expand beyond traditional CSPM tooling, including DSPM, CIEM, attack path analysis and secret scanning in GitHub repos.
Increased visibility enables faster remediation
esure uses its own consolidated key risk indicator dashboard in Grafana, to vizualise any risk across its cloud estate and provide an executive-level view of severity. Wiz made it easy to merge with the existing processes and workflows that esure’s developers were using, with no need to adapt to brand new tools.
By pushing Wiz data into the Grafana dashboard, esure has been able to establish a “security single pane of glass” that includes a range of data points, making it easier for developers to triage and executives to prioritize remediation.
We needed to have a tool in place to give us visibility and measure risk across all our cloud environments, and also translate that risk into a priority. We found that with Wiz.
Richard Frost, CISO, esure
This has already helped with internal reporting, with the Wiz Security Graph making queries easy to share with company executives. When deeper information is needed, esure’s security team gives developers self-service access to Wiz to get full context on attack paths and remediation.
“After implementing Wiz, we were able to give broader reach across all our teams, and we’ve increased our visibility across our cloud platforms,” says Richard Frost, CISO at esure. “That’s allowed us to reduce the time to remediate some of the risks we've identified.”
Thanks to this increased visibility, esure now proactively removes critical risks in their environment and can take steps to reduce its cloud attack surface. As a result, the teams are much more confident that the right things are getting fixed at the right time. And now that they’re no longer sifting through thousands of alerts, productivity has also increased.
Compliance is easy to track and maintain across environments
In a highly regulated industry such as insurance, maintaining compliance is critical. Before implementing Wiz, esure found compliance frameworks challenging in the cloud, because much of its compliance reporting was manual.
esure now uses Wiz’s built-in compliance frameworks and CIS benchmarks to assess compliance across its entire environment and easily report on their compliance posture to audit teams. With continuous assessment and automated reporting generated by Wiz, the company can quickly see how it stacks up against compliance frameworks for each of its different accounts and subscriptions.
Before we had Wiz, it was a difficult and manual process to report against compliance frameworks in the cloud. Having a tool like Wiz allows esure to very quickly see how we compare against a compliance framework for each of our different accounts and subscriptions.
Richard Frost, CISO, esure
Compliance reporting is now standardied with quarterly reports generated and downloaded through Wiz’s portal.
esure is also using Wiz’s data posture security management (DSPM) to get a complete view of sensitive information across all of its cloud platforms. The company also values Wiz’s ability to get a full view into all of esure’s cloud resources. “For example,” says Frost, “do we have CrowdStrike on all our non-ephemeral instances? What's our end of life software looking like? And setting up alerts. All these other features around the edge are really useful.”
Wiz gives security teams the confidence to look ahead
The range of functionality that Wiz provides for esure in a single platform has alleviated the pressures of ongoing procurement and focused attention solely on vulnerabilities. This is vital for the team at a time of increased cyberattacks, including threats from ransomware gangs.
esure’s team is now freed up to dig deeper into the tactics of such gangs, understanding how they can manage to breach secure environments and what controls might be implemented to prevent attacks. “We’re more future focused, rather than reactive to issues,” says Shibata. “We’re anticipating breaches, rather than just reacting to them. It gives us a lot of confidence.”
Working with Wiz, as a team, is very collaborative. To be able to get up and running within a couple of weeks was amazing.
Richard Frost, CISO, esure
So far, Wiz’s solution has been used by esure’s security operations and architecture teams, with a “capture the flag” exercise run by Wiz to support cross-team working and boost the adoption of Wiz technology across the company. The next stage is to onboard esure’s security operations center (SOC) teams, with wraparound engagement on security leaving the business free to grow and develop new products.
“The next step in our security journey is to just get better and better and better and continually improve,” says Frost. “Wiz is fundamental to that journey across our cloud.”
Want to learn how your cloud security program can achieve the same results as esure? Take a closer look at Wiz's cloud security solutions for financial services.
