Challenge
Digital analytics solution provider FullStory wanted to broaden its cloud security visibility to identify and mitigate hard-to-predict vulnerabilities.
FullStory’s security team sought to nurture company-wide collaboration, embedding its security ethos across the organization, for the benefit of all.
FullStory required a solution capable of identifying critical risks and generating prioritized alerts that did not swamp the engineering function.
Solution
FullStory correlates cloud security issues across its cloud environment, and enables runtime context by deploying the Wiz Runtime Sensor in its Kubernetes clusters.
With insights generated by Wiz, the security team can better explain to engineering colleagues why risks need to be mitigated, further strengthening partnership and collaboration.
FullStory uses Wiz to differentiate between critical risks and hypotheticals, false positives and low/medium risks, to optimize security resource allocation.
Revealing the triggers that influence consumers’ buying behavior
Founded in Atlanta in 2014, FullStory is a market leader in digital analytics software for digital companies. Its platform offers businesses a full picture of how consumers use their website, mobile app, or software platform, so they can improve CX and boost customer conversion rates.
With its Session Replay technology, FullStory lets digital companies vendors see when a customer abandons his or her shopping cart and why, giving vendors an opportunity to address UX issues. FullStory uses autocapture technology to help reveal these insights, extracting the relevant sections of HTML needed to recreate customer interactions.
To make this possible, the FullStory team uses Google Kubernetes Engine for container deployments, Google Compute Engine to host virtual machines, and BigQuery for data storage.
Mark Stanislav, FullStory’s VP of Security Engineering, Governance, Risk and Compliance, says concentrating on a single cloud provider is a strategic choice: “FullStory is steeped in Google Cloud and always has been. Great security ultimately comes back to minimizing complexity. The less complexity, the easier it is to achieve your objectives.”
Enabling the engineering function through strengthened collaboration
Enhancing the relationship between FullStory’s software engineering and security teams was a major priority for Stanislav when he was promoted to VP of Security Engineering in September 2022. Without any security-team influence, the firm’s engineering function had already created robust processes around product software design, document creation, and peer review. The engineering team had its own approval processes, which included an analysis of cloud security risk blockers for each product.
Stanislav says his goal is to nurture this environment and further enable FullStory’s engineers, rather than block them with security hurdles. “There’s this rigorous and mature engineering culture at FullStory,” he explains. “We hire extremely talented and thoughtful engineers, so we want to keep them moving safely, rather than putting security barriers in front of them,” he explains.
According to Stanislav, every FullStory software deployment follows a similar pattern. This templated approach ensures maximum consistency around new code creation and deployment. But despite FullStory’s security-conscious engineering team and a streamlined Google Cloud environment with standardized deployments, Stanislav and his team still needed a fast and effective way to identify and mitigate unforeseen threats to the company’s cloud environment.
A lot of security teams get very good at securing the things they know about. So, the real risk lies in the things they don’t know about, or the technology they didn’t know was deployed. We needed a solution that could focus on our cloud security gaps, the outlier risks and the unknowns.
Mark Stanislav, VP of Security Engineering, Governance, Risk and Compliance, FullStory
The challenge of deploying a granular cloud security solution, however, is that security teams can be deluged with notifications (including hypotheticals and false positives), and this noise can mask critical vulnerabilities.
Stanislav’s team needed a solution that not only prioritized critical risks but also provided rich context, so they could explain the urgency to mitigate specific vulnerabilities to the engineering team. This level of shared insight would further strengthen collaboration within FullStory.
Leveraging a “shockingly fast” solution, built from the ground up
FullStory adopted the Wiz platform on the strength of at least two USPs. The first was the speed at which users can interact with the platform. “Even when you’re focusing on very complex, nuanced queries, Wiz’s responses are shockingly fast,” says Stanislav. “You can build just about any sort of request and Wiz will reply almost immediately. Other CSPMs can take minutes to generate one response, which can be very frustrating.”
FullStory was initially cautious about rolling out Wiz's Runtime Sensor, taking a “land and expand” approach, enabling them to fully assess the impact of the solution. They proved the sensor did not degrade performance and found tremendous value in the new use cases the sensor unlocks. Now, the Runtime Sensor is deployed across their GKE managed clusters. This enables real-time monitoring, real-time detection, and Runtime context. Stanislav views the additional sensor features as a natural extension to the core agentless product. The addition of run-time context, seeing the vulnerability running, shows the solution is correctly prioritizing risk mitigation, adding another layer of confidence for Stanislav’s team.
The risk with other high-automation technologies is that they issue so many alerts that users tune out. Wiz, however, classifies risk in a highly actionable way. We don’t get 200 alerts a day, so when we do get a critical alert, we know we need to fix it immediately.
Mark Stanislav, VP of Security Engineering, Governance, Risk and Compliance, FullStory
For example, this granular visibility can enable Stanislav’s team to swiftly identify an exposed service port – an issue that could otherwise take months or years to identify. They can also immediately isolate new code vulnerabilities ahead of a product launch, reducing cloud security risk to virtually zero.
One of the other key selling points for FullStory is that the Wiz platform has been developed independently, with no clunky third-party technology bolted on. “With many cyber security solutions, you can tell that they’ve been cobbled together following a merger or acquisition,” says Stanislav. “It’s obvious these platforms don’t have the same underlying code base or the same APIs. Wiz is different because it has been built from the ground up, with intentional uniformity. The resulting superior quality is obvious.”
Making security a shared responsibility
Stanislav and his team have been able to further enhance internal collaboration by giving engineering teams access to Wiz. This allows them to understand and easily prioritize risks faster, and at a more granular level, by interrogating the platform’s security graph and running accurate security reports.
The security team is supporting more stakeholders and growing its sphere of influence across the company by leveraging the data Wiz provides to empower everyone to play a role in safeguarding FullStory from security threats.
Mark Stanislav, VP of Security Engineering, Governance, Risk and Compliance, FullStory
Extending visibility to the engineering team is a key part of the collaborative process for Stanislav. He says that “it’s not good enough to tell an engineer to fix a security vulnerability, they want to know why. They want to be partners. That means the security team also needs to have an idea of what a solution might look like.”
Stanislav and his team are now exploring exciting new opportunities to partner with internal stakeholders from a wider range of business functions, sharing Wiz vulnerability alerts and spreading their unique cloud security message as they go.
