Challenges
The Schibsted central security team wanted to establish close-knit collaboration with developers but didn’t want to impose a new solution that might hinder their productivity.
With more than 60 brands under its umbrella, Schibsted looked for a CSPM that would help establish security consistency while enabling each brand and its developers to maintain autonomy.
Schibsted wanted to switch from a reactive to a proactive security approach, but somewhat lacked the visibility needed into its cloud and configurations.
Solutions
The Schibsted central security team and hundreds of developers across each of the group’s brands enjoy using a single security solution that fits into their existing workflows.
Developers have insights that are relevant to them and can address fixes autonomously, while the Schibsted central security team can stay on top of what’s happening across the group’s entire cloud estate.
Schibsted now has complete visibility across cloud environments, quickly addressing any new issues, and has created an effective vulnerability program leveraging agentless scanning.
Decreased the number of critical risks
from 150 to zero
Empowers a security team of 15
to support 1,200 engineers across 60 brands
Frees up 20 people from responding to emergency threats
with support from the Wiz Research team and Threat Center
Making it easy to keep security front of mind
Since 1839, when it started as a publishing house in Norway, Schibsted has continually transformed its business by creating and acquiring new companies. More recently, the group entered a new era by splitting into two companies: a Nordic media house delivering journalism through brands such as VG, Aftonbladet, Aftenposten, and Svenska Dagbladet, and an online marketplace connecting millions of users each month through platforms like Finn, Blocket, Tori, and Oikotie.
“We’re continuously reinventing ourselves,” says Ståle Pettersen, Head of Product and Application Security at Schibsted, “but success means having security in mind each time we’re doing anything—from developing new features to thinking up new business ideas.” That’s why Pettersen’s team, the central security team at Schibsted Marketplaces, aims to support all developers across its brands with the best security tooling in the market. While Schibsted designed some of this tooling in-house, it also brought Wiz into its security ecosystem due to its usability and flexibility to fit into its teams’ existing workflows.
If we provide solutions that aren’t user-friendly for developers and product owners, they’ll ignore them. Then what’s the point? Usability is a key priority in our security strategy, and Wiz certainly ticks that box.
Ståle Pettersen, Head of Product and Application Security, Schibsted
With Schibsted’s brands functioning autonomously with their own developers, security stacks, and programming languages, Pettersen’s team aims to support their freedom while aligning them with Schibsted’s security strategy. The company promotes a casual, united team spirit to do this while empowering developers by making security self service, rather than blocking them with complicated processes. “Developers don’t need to fill in a form or follow a formal protocol to chat with the central security team; If they need any security support, they just ask us to lend a hand over Slack,” says Faisal Soomro, Cloud Security Engineer at Schibsted.
Additionally, Schibsted holds monthly security forums where all brands gather to outline security plans and discuss issues, an occasion developers take to consult the Schibsted central security team on architecture and infrastructure security. “We’re a security team of 15 people, and we have around 1,200 developers across Schibsted. We must let them drive security in their own areas, support them as best as we can, and share solutions we all enjoy using,” explains Pettersen.
Proactively uncovering cloud vulnerabilities and enforcing correct configurations
Schibsted was already at the forefront of cloud computing when Pettersen joined the company in 2016, using Amazon Web Services (AWS) to run 99% of its workloads. To secure its investment in the cloud, the company began by using cloud-native security solutions to flag misconfigurations and other point solutions to identify specific issues. All findings were aggregated into security reports, from which developers could address the issues relevant to them. “We didn’t have much visibility at that point,” says Pettersen. “We spent one year trying to get audit access and visibility into our AWS accounts, and understanding what was in each account required a lot of manual querying.”
Finding and understanding risks was a manual and person- or project-based endeavor happening across each brand under the Schibsted umbrella, while the central security team had limited visibility across the entire environment. Schibsted wanted to address this challenge while using the momentum to move from a reactive security approach to a proactive one. For that, it needed better visibility into its cloud and configurations.
So in 2019, Schibsted traced a new cloud security plan to be rolled out between 2020 and 2023. Schibsted aimed to refine its central security strategy and establish consistency without building out a huge central cloud security team while remaining cloud agnostic. That’s when seeking external security support became an important part of its cloud security strategy. Schibsted had 34 criteria when evaluating security vendors, and conducted an extensive Proof of Concept (POC) that entailed several test cases around Cloud Security Posture Management (CSPM) before making a decision. “Whatever incidents we had seen by that time in Schibsted’s history, and whatever new incidents we could think of, we put to the test to evaluate each vendors’ proof of value. Ultimately, we wanted a solution that would deliver while being the least intrusive for our developers. That’s how we chose Wiz CSPM,” says Soomro.
Wiz is built for cloud security, whereas other solutions have cloud security as a business case or added feature. This becomes clear when exploring the Wiz Security Graph. I can make a quick query to figure out all that’s going on across my entire cloud, something that wasn’t easily available through other vendors.
Faisal Soomro, Cloud Security Engineer, Schibsted
Optimizing security with full cloud visibility and close-knit collaboration
Within less than two months, Schibsted deployed Wiz to its cloud and collaborated with the Wiz team to develop scripts that addressed the nuances within its unique infrastructure, including mapping out its AWS accounts and creating bespoke automations for its in-house solutions. Since then, the Schibsted central security team can onboard new users to Wiz according to their roles in each of the 60 brands in just a few clicks.
Schibsted now has 120 developers and operations engineers logging into Wiz each month. Beyond that, another 800 developers access Wiz data from Schibsted’s internal dashboards, using Wiz Integrations, which collects vulnerabilities from all the scanners across the group. With the information consolidated in one place, the relevant teams can act on it.
The company has hundreds of sensors deployed and uses Wiz CDR to look at their output and gain the insights and context necessary to investigate suspicious activity. Schibsted has found early success with threat detections related to logins on backup accounts. This is an activity that should not readily occur so the team responds quickly to these alerts. They previously had a runtime solution in place, so when it came time to evaluate the Wiz sensor they developed 12-15 distinct use cases and were satisfied with the way the sensor performed and the results it provided. Schibsted also ingests AWS GuardDuty findings and other audit log events into Wiz to enrich its Wiz Security Graph and perform forensics at scale.
Soon after deploying Wiz, a Bug Bounty Program revealed a potential backdoor that could be exploited in a code library used by Schibsted, similar to Log4J. Schibsted used the Wiz agentless Software Bill of Materials (SBOM) feature to see clearly across its inventory, determine if it was vulnerable to remote code execution, and address the vulnerability before it became a problem. More recently, when XZ backdoor became a celebrity vulnerability, Schibsted again used Wiz to pinpoint where it was located within its estate.
We became aware of the XZ backdoor vulnerability early on but by then I had so much trust in Wiz that instead of having 20 people working on it, Wiz quickly came up with queries and research to address the vulnerability. Once again, Wiz delivered.
Ståle Pettersen, Head of Product and Application Security, Schibsted
Meanwhile, using a combination of Wiz’s prebuilt queries and custom queries, Schibsted uses the Wiz Security Graph for achieving full visibility into its AWS inventory. Next, the team wants to better understand its growing GCP estate. “Currently, we don’t have control over who owns what in our GCP infrastructure, where we have 2,000 projects,” explains Pettersen. “One approach is to map out what users own what projects within GCP, something we can easily figure out using the Wiz Security Graph.”
Schibsted is also mapping scripts using Wiz Integrations to create alerts for unplanned activities across its cloud environment. For example, if a new cloud subscription appears and isn’t mapped to the right team, the central security team is alerted, finds the relevant owners using the Wiz Security Graph inventory visualization, and fixes the issue immediately. This process change means the team won’t have to chase developers within the relevant team to address the problem. And when users leave or join the organization, automated scripts can create or delete their Wiz access, helping to further optimize the process.
Moving forward with zero critical issues
Over the four years during which Schibsted has been acting on its Cyber security program, initiatives such as extensive developer training have set the stage for its wide Wiz adoption and other security successes. Notably, Schibsted eliminated 93 critical vulnerabilities in its first 3 months and reached zero Critical Issues in 2024. With Wiz, the Schibsted security team knows its developers are focusing on the most pressing vulnerabilities.
Next, Schibsted will be experimenting with Wiz CLI and evaluating the Wiz Security Scorecard to keep extending its (already extensive) internal security awareness and help teams prioritize their security work. Beyond that, as Schibsted continues to transform and expand through mergers and acquisitions, its central security team will keep on providing a unified security suite for new companies joining the group, “of which Wiz is now an important part,” Pettersen concludes.
