The situation
- Our vulnerability risk management program was not built for the scale of the business
- We lacked asset and vulnerability risk visibility
- We were struggling to prioritize vulnerabilities based on risk to the business
- Manual, time-consuming remediation tasks
- Lack of trust and collaboration with engineering teams
About Wealthsimple
Wealthsimple is a digital financial advisor and investment platform headquartered in Toronto with more than two million clients worldwide and $11 billion in assets under management. Wealthsimple's rapid growth necessitated a more robust and efficient approach to vulnerability risk management.
Wealthsimple operates in a cloud-centric environment, relying on Amazon Web Services and some Google Cloud Platform services. The company employs multiple vulnerability scanners, including AWS Inspector, Prisma Cloud and Dependabot, as well as SonarQube, SentinelOne and a number of open source scanners. In addition, the teams use Jira and Slack for cross-team collaboration. They required a vulnerability risk management solution that integrated seamlessly with this security tech stack.
The challenge
Initially, we lacked a cohesive vulnerability management program, even though we already had plenty of robust security mechanisms in place. This is not a problem unique to our organization.
There were no clearly defined processes to identify, prioritize and remediate vulnerabilities. Vulnerabilities were often getting lost, overlooked, or lacking information to remediate effectively.
There were also communication gaps and trust problems between security and engineering teams due to poor ticketing and handoffs. Even when critical vulnerabilities were identified, engineering teams were not efficiently resolving vulnerability risks.
And the fact is – if the remediation isn’t happening, then even the best identification and prioritization processes are limited in their impact.
There are a number of reasons why remediation often doesn’t happen as we would expect:
We sought a solution to improve vulnerability management efficiency by integrating it with our existing security tools.
In addition, we needed to improve trust between teams. We wanted to make sure that the engineering teams didn't perceive our team as one that sends irrelevant tickets their way.
In many cases, they required more context into a vulnerability’s potential impact on the business, as well as how it might be exploited. Getting them onboard with the true risk posed by vulnerabilities was key if we were going to have success in working together to remediate them.
Finally, we didn't want to depend too heavily on external risk criticality scores to drive prioritization for our unique business. We heard from other organizations that had tried to solve the vulnerability risk management and mitigation challenge with solutions that used external or fixed risk ratings for prioritization. When their security teams disagreed with the risk score, they simply stopped using the tool, leading to inefficiencies and a poor security posture. We knew we needed to be able to define our own criteria for prioritization.
The process
In our search for an effective vulnerability management solution, we considered various options while prioritizing ease of integration and the ability to customize vulnerability risk scores. Vulcan Cyber® stood out for its capability to offer a holistic overview of our asset and vulnerability risk, along with providing a sophisticated system for scoring and prioritizing these vulnerabilities according to our risk tolerance and unique business characteristics. Our team successfully integrated Vulcan Cyber with our existing suite of security tools, with the Vulcan Cyber team providing quality support throughout the setup process.
To streamline our workflow, we used the Vulcan Cyber tagging feature to assign a specific owner to each ticket, ensuring that every issue had a designated point of contact. We complemented this by assigning a liaison to each ticket, giving our engineers a consistent reference throughout the remediation process. We also committed to integrating Vulcan Cyber with any new tools we adopt in the future, so that we keep a unified operational view of all assets and vulnerabilities as our technology stack grows.
Our vulnerability management process was significantly enhanced by these measures. We could now seamlessly prioritize and delegate tasks to our engineering teams, leveraging both task automation via the Vulcan Cyber platform and manual oversight to tackle the most critical vulnerabilities. These tasks were organized on a dedicated vulnerability management board in Jira, where we could add further vulnerability remediation details as needed. Subsequently, tasks were cloned and allocated to the appropriate engineering teams within Jira, based on the tags previously set in the Vulcan Cyber platform, ensuring an efficient and organized response to security threats.
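The following Python is an added illustration, not code from Vulcan Cyber or Wealthsimple, of the two ideas in this section: a risk score driven by our own business criteria rather than the external severity alone (the context we ask for later, namely whether a fix exists and whether the asset is critical), and tag-based routing of the resulting tickets to the owning team's Jira project, with unowned findings falling to a security triage queue. The tag schema, criticality weights, project keys, threshold and the sample findings are all constructed for the example.

```python
"""Business-risk prioritization and tag-driven ticket routing (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    finding_id: str
    vuln: str               # constructed placeholder name, not a real CVE id
    cvss: float             # external score: one input, not the decision
    asset: str
    asset_criticality: str  # "crown_jewel", "internal" or "sandbox" (assumed schema)
    internet_facing: bool
    fix_available: bool
    exploit_known: bool
    tags: Dict[str, str]    # e.g. {"owner": "platform"}; hypothetical tag schema


# Weights reflect how much a given asset class matters to the business (assumed).
CRITICALITY_WEIGHT = {"crown_jewel": 1.0, "internal": 0.6, "sandbox": 0.2}
TRIAGE_PROJECT = "SECTRIAGE"  # hypothetical Jira project for findings with no owner


def business_risk_score(f: Finding) -> float:
    """Rescale the external severity by business context; returns 0..100."""
    if f.asset_criticality not in CRITICALITY_WEIGHT:
        raise ValueError(f"unknown criticality {f.asset_criticality!r}")
    score = f.cvss * 10.0 * CRITICALITY_WEIGHT[f.asset_criticality]
    if f.internet_facing:   # reachable by attackers without a foothold
        score *= 1.25
    if f.exploit_known:     # public exploit or active exploitation
        score *= 1.2
    return round(min(score, 100.0), 1)


def route_to_project(f: Finding, owner_to_project: Dict[str, str]) -> str:
    """Map the owner tag set during triage to that team's Jira project key."""
    return owner_to_project.get(f.tags.get("owner", ""), TRIAGE_PROJECT)


def remediation_guidance(f: Finding) -> str:
    """Tell the engineer what to do, not just that something is wrong."""
    if f.fix_available:
        return f"Patch available for {f.vuln}: upgrade the affected package or image."
    return (f"No vendor fix for {f.vuln} yet: apply a compensating control "
            f"and keep the ticket open until a fix ships.")


def build_tickets(findings: List[Finding], owner_to_project: Dict[str, str],
                  threshold: float = 60.0) -> List[dict]:
    """Return ticket payloads for findings at or above threshold, highest risk first."""
    tickets = []
    for f in findings:
        score = business_risk_score(f)
        if score < threshold:
            continue
        tickets.append({
            "finding_id": f.finding_id,
            "project": route_to_project(f, owner_to_project),
            "score": score,
            "summary": f"[{score}] {f.vuln} on {f.asset}",
            "context": (f"asset={f.asset} criticality={f.asset_criticality} "
                        f"internet_facing={f.internet_facing} "
                        f"exploit_known={f.exploit_known} cvss={f.cvss}"),
            "guidance": remediation_guidance(f),
        })
    tickets.sort(key=lambda t: t["score"], reverse=True)
    return tickets


# Constructed sample findings: note the CVSS 9.8 on a sandbox host scores far
# below a CVSS 7.2 on an internet-facing crown-jewel system.
SAMPLE_FINDINGS = [
    Finding("F-1", "pkg-a-rce", 9.8, "api-gateway", "crown_jewel", True, True, True, {"owner": "platform"}),
    Finding("F-2", "pkg-a-rce", 9.8, "ci-sandbox-runner", "sandbox", False, True, False, {"owner": "devex"}),
    Finding("F-3", "lib-b-authz-bypass", 7.2, "trading-engine", "crown_jewel", True, False, False, {"owner": "trading"}),
    Finding("F-4", "tool-c-xss", 5.0, "internal-wiki", "internal", False, True, False, {}),
]
OWNER_TO_PROJECT = {"platform": "PLAT", "devex": "DEVX", "trading": "TRD"}  # assumed keys

if __name__ == "__main__":
    for t in build_tickets(SAMPLE_FINDINGS, OWNER_TO_PROJECT):
        print(t["project"], t["summary"], "|", t["guidance"])
```

The point of the weighting is the one made above: the same CVSS 9.8 finding lands in very different places depending on where it sits, and a finding with no vendor fix still gets a ticket, but one that asks for a compensating control rather than a patch that does not exist.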
The solution
We needed a comprehensive solution that provided context-rich recommendations for vulnerability fixes and risk-based prioritization that was relevant to our business. We also needed a platform that was user friendly, with customizable risk scoring and robust integrations.
Vulcan Cyber met all these criteria, streamlining vulnerability identification and prioritization, and providing clear guidance on mitigating critical risk. This, in turn, has fostered greater trust and collaboration between our security and engineering teams, leading to significant improvements in resolving vulnerabilities.
Vulcan Cyber gives our engineering team the context they need to make decisions:
- Consolidated understanding of all asset and vulnerability risk
- Risk-based prioritization of vulnerabilities
- Automated remediation tasks
- Metrics to gauge ongoing vulnerability management effectiveness
Vulcan Cyber integrates seamlessly with workflow tools like Slack, which has reduced remediation time for critical vulnerabilities, and it streamlines vulnerability management workflows through integrations with popular security tools:
- Vulnerability scanners to import vulnerability data
- SIEM tools to automatically import security alerts
- Incident response tools for automated remediation
Vulcan Cyber has been able to meet both our current and future needs as our vulnerability management maturity grows.
Vulcan Cyber immediately began providing the context we needed to optimize vulnerability response. In a single view, it gives us all the data we need: whether a vulnerability is high risk, whether a fix is available, and whether the affected asset is critical.
With limited resources and a mounting list of vulnerabilities, this functionality was vital. Without the context-based prioritization from Vulcan Cyber, we risked losing the trust of our engineers and hampering collaboration between our teams, by sending them false-positive vulnerabilities, or issues that simply didn’t have much impact on our operations.
And Vulcan Cyber also offers plenty of room for future expansion. Our ultimate goal is to make vulnerability management a self-service program, so that the engineers don’t need me. Vulcan Cyber provides those playbooks and even the analytics that can provide dashboards for the teams so they understand how they’re doing.
The results
The most significant outcome for us in implementing Vulcan Cyber is that we now have a vulnerability program in place that meshes with our pre-existing workflows. Prior to Vulcan Cyber, inaccurate prioritization and a lack of context meant that few Jira tickets were resolved.
With Vulcan Cyber in place, vulnerability tickets have become simple for our engineering teams to accept. Because the tickets now provide context, our engineering teams' effectiveness at resolving vulnerabilities has risen sharply, and our mean time to remediate (MTTR), an important security metric, has fallen.
Here are some of the more dramatic results we’ve seen:
- More effective ticketing and remediation
- Greater trust relationship with engineering: “No nonsense tickets”
- Reduced mean time to remediate (MTTR)
- Improved overall security posture and procedures
- Extremely high engineering satisfaction with workflows
Going forward with Vulcan Cyber
We’ve been very pleased with our decision. Vulcan Cyber has helped us significantly improve our vulnerability management program and reduce the risk of cyberattacks. Plus, we can count on using Vulcan Cyber into the future, with capabilities that will aid us in maturing our vulnerability management programs through automated playbooks and integration for even greater resilience.
Want to see the platform for yourself? Book a demo today.