Revolut wanted a solution that provides fewer, smarter alerts to highlight real issues that require careful attention.
Revolut needed to create a collaborative, flexible partnership between security and engineering teams.
With high volumes of new features constantly in production, smarter automated visibility was needed to institute better baseline policies.
Revolut used Wiz to prioritize the most critical threats and provide actionable context that allowed security and developers to better focus their time.
Revolut instituted a new cross-functional committee to routinely discuss new security issues, supported by Wiz dashboards and reports.
Revolut instituted custom controls that align with security policies and integrated Wiz with Jira, creating automated tickets to remediate identified vulnerabilities faster.
Revolut helps over 30 million customers in 40 countries spend, save, and invest to build a better financial future. It enables people to manage all of their financial activities from a single platform - from currency exchange to fund transfers and investments.
Accelerated growth has seen the Revolut team expand from hundreds to thousands of staff in eight years, with close to 1,000 engineers working across multiple projects and feature updates at once.
“When you essentially become an enterprise, there are new kinds of processes you need to establish,” says Uros Solar, Head of Security Operations and IT Security at Revolut. “It brings a lot of change, especially in a rapidly growing environment where there’s lots of new features constantly being added.”
Since its foundation, Revolut has operated as a deeply cloud-native operation in Google Cloud, with a small number of on-prem systems maintained to meet certain regulatory requirements. But with a focus on building a serverless and containerized operation, the company stands prepared to take advantage of new opportunities as customer needs change.
Under its traditional scanning systems, the Revolut security team found there was simply too much noise being generated. High volumes of alerts and tickets caused too much manual work as well as unnecessary friction between security and engineering teams.
“It is important for security to be a business-enabler and not adversely limit progress, but balance risk and benefits appropriately,” says Solar. “It’s best to tell end users what is actually happening and what the real risks are and then see how we can mitigate them in a real-world environment.”
This drive to build better communication was behind Revolut’s search for a solution that gave both visibility and context into its environment. A more targeted approach would help Revolut build a foundation for iterative conversations between engineering and security teams to address vulnerabilities and risks.
Security is like an immune system of the organization. It needs to evolve with the primary function of the organism. If it doesn’t, it will soon become obsolete to its own purpose.
Uros Solar, Head of Security Operations and IT Security, Revolut
Moving to Wiz, Solar admits he “instantly fell in love with how issues are presented.” Revolut found Wiz delivered immediate value. “The ease of integration was quite high,” says Solar. “I was not expecting there to be a lot of value from the product as soon as we integrated. That was a pleasant surprise.”
Going beyond simple alerts, Revolut appreciated how Wiz didn’t just flag issues, but also offered recommendations on how any given issue could be resolved.
“Wiz grants us the ability to display issues in an engaging and quite interesting way to the wider organization,” says Solar. “Wiz really seems to understand a company like ours, and gives a lot of oversight immediately, guiding someone to go deeper into an issue to really understand what, where, when and how it can be exploited.”
Revolut is now using Wiz to proactively identify potential vulnerabilities and misconfigurations, to monitor compliance across PCI and SOC2, and to detect critical exploits such as malware. The security team has also instituted custom controls that align with security policies, sending automated alerts directly to the engineers to mitigate the risk.
While Revolut found success integrating Wiz into its processes, the security team also made strides in improving the overall security culture of the organization.
“We don’t want to make every decision within security,” says Solar. “Security touches everything, but we would never be the subject matter experts on everything. We need to hear other views and take other inputs as well to consider whether any given potential problem should be treated as a real issue or not.”
It’s always about listening to the rhythm of the organization, being flexible, knowing what’s going on, and how to facilitate and enable it. We need to know a lot about a lot of things. Otherwise, we can’t secure it.
Uros Solar, Head of Security Operations and IT Security, Revolut
To do this, Revolut hosts regular catch-ups between key stakeholders and security teams. “We don’t want to create tickets for people without them being a part of the conversation - including them in the vulnerability management process from the start before the issues even generate a ticket,” says Solar.
For instance, Wiz was able to link service accounts with the underlying data access they enabled, ensuring that relevant issues were associated appropriately to reveal exactly what systems and data sets were at risk.
“Understanding when a particular service account is able to see assets across different projects or environments helps pinpoint whether an account might have more permissions than you would expect it to have and how that relates to active deployments and assets,” says Solar. Highlighting these issues in one place gave Revolut teams immediate understanding of how to reduce permissions to the bare necessary functions.
With Wiz automatically providing such insights, Solar sees a significant reduction in the time and effort security researchers spend manually chasing details from engineers about what any given account is used for, so the team can move to the mitigation phase without delay.
Placing issues into context shows how they can chain together to create a big issue, but it was always a problem when they were identified independently. Having Wiz automatically know how issues relate to underlying assets is extremely powerful.
Uros Solar, Head of Security Operations and IT Security, Revolut
For Revolut, the clarity and focus delivered by Wiz has supported the team’s effort to build trust between security and engineering teams. Having created new cross-functional committees that meet to discuss progress on security and compliance controls, Revolut sees it is achieving its goal of making security a supportive enabler of great customer services. In addition, Solar is able to use the dashboard to show senior engineering leadership the extent to which vulnerabilities are being rectified. “It’s important to present what you’re working on in the best light,” says Solar. “Wiz helps us do that.”
As it deepens its use of Wiz across the company, Revolut expects to continue its push to include staff in the security decision process. “We want to take input because a lot of times the user will understand the context more than we will,” says Solar. “Most investigation work is asking staff what they think about events. We want to minimize the need to ask questions ourselves and mostly just listen for the answers as they come through a better process. It’s essentially always about context.”
Want to learn how your cloud security program can achieve the same results as Revolut? Take a closer look at Wiz's cloud security solutions for financial services.