Challenge
MercuryGate wanted to create an in-house, shared responsibility model where all stakeholders were responsible for the security of their cloud resources to reduce costs and decrease the time it took to identify and remediate issues.
To support a massive cloud migration, M&A, and future growth, MercuryGate needed a cloud security platform that could help protect a large environment at scale.
The company saw news of a growing number of cyber security attacks across the software industry and wanted to future-proof itself with a solution that would keep pace with potential threats.
Solution
MercuryGate consolidated its cloud security monitoring with Wiz. Up to 75% of its users are non-security personnel, so security is a shared responsibility across the organization.
The organization uses Wiz to reduce the time it takes to scan its entire cloud environment for risks and can review additional assets, such as environments introduced through M&A activity, in 15 minutes rather than 8 months.
By shifting left, MercuryGate is able to use Wiz to scan for new threats and identify issues before they deploy code to production, staying ahead of potential risks.
50% decrease
of critical risks in the first 60 days
8 months to 15 days
Reduction in time to scan the environment of an acquired business
75%
Wiz users that are non-security personnel
A race to safely accelerate growth
MercuryGate is a global smart transportation platform with more than two decades of experience helping customers with logistics from the first mile to the last. Today, their services include everything from claims management and compliance to ocean visibility tools. To continue innovating offerings on its platform, MercuryGate decided to migrate its on-premise infrastructure to the cloud. During the early stages of this journey, the organization relied on legacy security solutions and third-party security teams, but as its footprint grew, it needed to bring security in-house to improve visibility and remediation speed.
In its larger transition phase, MercuryGate also needed cloud security tooling that would help it effectively secure a massive cloud environment. “We have a really large cloud footprint, especially for a company of our size,” says Chad Hicks, CISO at MercuryGate. “That comes with some unique struggles when we think about protecting thousands of EC2 instances, containerized workloads, and native databases.”
Security is a shared responsibility, and having the right tools in your tool belt ensures we can democratize security to protect our system. Our legacy solutions left our team at a security standstill, and it was extremely frustrating to lose credibility with our senior leaders because we didn't have a tool that helped us clearly identify or share security issues, so we knew we needed to shift our tools and our mindset.
Taryn Lloyd, Cloud Engineer, MercuryGate
To ensure sustainable growth, the team wanted to build a security program that focused on internal collaboration. Since mergers and acquisitions are a large part of the company’s growth strategy, MercuryGate needed to evaluate the security posture of new acquisitions while educating and collaborating with new team members on security measures. “I think about security like an F1 race. Racing teams spend a lot of time putting up guardrails and safety measures to ensure drivers can go into corners as fast as possible,” Hicks said. “In security, we aim to do the same thing. All of our teams come together to make sure DevOps can move as fast as possible while staying safe.”
Using shared visibility to create an organization-wide security team
To protect its cloud infrastructure and shift its team’s mentality around cloud security from protecting an on-premise solution to the cloud, MercuryGate began its search for a new cloud security solution. During the evaluation process, the company prioritized fast deployment. When it came to Wiz, the team was happy to find that they could stand up the platform in minutes to begin scanning right away. “It took 15 minutes to deploy Wiz,” said Taryn Lloyd, Cloud Engineer at MercuryGate. “There was almost no time between implementing Wiz and being able to accurately represent our security vulnerabilities.” The security team worked closely with DevOps to create a mutual ownership of security from the moment they chose the new solution.
With Wiz, MercuryGate is able to closely connect these teams to more efficiently find vulnerabilities and accelerate how quickly they can act on findings. “Other security tools spit out thousands of findings and you can lose track of what’s important,” Hicks said. “The context Wiz provides allows us to work on high-impact fixes quickly.” Having a shared space where teams can collaborate also means that they no longer have to work using spreadsheets to track data or run reports in real time.
Sharing data also extends to MercuryGate’s other senior leaders. “We have to put together security metrics presentations every quarter and as we work through those, it's really difficult to go into platform after platform to aggregate data,” Hicks added. “Wiz aggregates it all in a single pane of glass and makes it easy to share.”
When there’s a new vulnerability, I can easily find the affected systems and CVEs listed right on the Wiz dashboard. I can see where each system lies within our infrastructure and turn that into a ticket for our offshore resources to work on.
Taryn Lloyd, Cloud Engineer, MercuryGate
The team has extended this collaborative space to include users throughout the organization—75% of Wiz users at MercuryGate are not on the security team. By opening Wiz up to additional teams, such as operations and development, everyone involved in the security process can generate their own reports, identify issues related to their own projects, and remediate them without the security team having to assign a task. “Wiz has allowed me to grow our operations team and help train them on how aggressively we approach patching,” said Lloyd. “I can also show our senior leaders that many of our high risks are at zero because of the work that we're doing.”
Gaining complete visibility across a complex cloud environment to cut risk by 50% in 60 days
Democratizing access to information in Wiz has helped MercuryGate’s teams keep the company more secure with fewer resources. Tasks that once required two dedicated cloud engineers can now be easily shared with offshore teams to resolve issues, freeing in-house teams to focus on developing new features. It’s also helped them scan for and remove unused resources to save tens of thousands of dollars after just a few months using the platform. Collectively, this has resulted in cutting risks by 50% within 60 days of implementing Wiz.
From a compliance perspective, the organization has been able to consolidate asset management into Wiz for easier monitoring. “Being able to see our SOC2 compliance directly in Wiz is much more accurate than the spreadsheets we dealt with in the past,” said Hicks. “Now, we can do a quick search, get lists from our system that may not be protected by the MDR agent, and work quickly to deploy. The accuracy empowers us to tell auditors that we're doing everything we need to and reducing risk.”
When you're looking at mergers and acquisitions, if you're doing something that's not cloud native and without Wiz, it could take six to eight months to get things deployed which we can now do in 15 minutes.
Chad Hicks, CISO, MercuryGate
With its single pane of glass, new acquisitions have also become easy to introduce to MercuryGate’s cloud environment. Whenever a cloud-native company is acquired, MercuryGate can deploy Wiz to gain visibility into its environment within 15 minutes. “We do a lot of due diligence on the front end, but many organizations hold information and their security strategy close to the chest,” Hicks said. “One of the first things we do post-acquisition is deploy Wiz and build a roadmap for the next 30 to 60 days of security work.”
Getting ahead of potential threats
MercuryGate is now using Wiz’s IaC scanning to identify threats before they make it to production environments. This, together with cross-company visibility, is helping MercuryGate developers to incorporate security earlier into the creation of new features.
The company is committed to using these resources to keep ahead of evolving and future threats. “As we look over the horizon of cloud security, we must follow threat actors. Right now, there's a big focus on IAM compromise,” said Hicks. “We're spending time on that and Wiz will be key in finding threat actors’ next move so we can be sure to detect any issues or misconfigurations in our environment.”
