ChallengeAfter bringing together two companies, Vistra’s security team sought to improve visibility into the reimagined Vistra’s multi-cloud/multi-architecture environment.
Security also wanted to improve governance over—and the risk posture of—its expanded cloud environment.
With multiple point solutions in place, the security team sought to uplevel and consolidate its toolkit.
SolutionVistra can see how all resources are connected, using Wiz to enable cross-functional teams to collaborate on integrating and securing new business units' cloud environments post-merger.
Vistra now identifies high-priority risks and the risk posture of key assets using Wiz to prioritize remediation issues, strengthen governance.
Vistra reduced the need for multiple point security solutions with Wiz’s support for hybrid environments and agentless processes, streamlining security processes and reducing overall spending.
Complete visibility
across the multi-cloud environment
Proactively reduces risks
and ensures compliance across all businesses and new products
Deployed a full-featured cloud security platform
reducing the need for multiple point solutions
Improving governance over a growing multi-cloud environment Vistra is a leading provider of essential business services, such as human resources, tax, legal entity management, and regulatory compliance, that help companies and private capital funds grow across their entire business and investment lifecycle. Created by the combination of Tricor Group and Vistra, the reimagined Vistra has experienced fast-paced business growth and oversees a large multi-cloud/multi-architecture environment.
As a result, the security team and other key stakeholders needed holistic visibility into their global cloud footprint, with the ability to apply and enforce governance consistently and at speed.
We want to consolidate what we have and bring the best tools, practices, and integrations together for our security team. For example, if we detect a risk or an incident in one platform, we should be able to respond in another. Everything should work together in a seamless and frictionless way.
Him Tang, Cyber Security Manager, Vistra
Shifting left to develop products that are secure by design Vistra wanted to accomplish both short- and long-term goals with security. Over the near term, the company saw an opportunity to rationalise security tools. By consolidating on best-of-breed solutions, the security team would gain holistic visibility, ensure governance consistency with one set of policies, and be able to identify risks and prioritize remediations.
“Originally, we were using cloud-native CDR capabilities within different platforms, but this was creating multiple policies, rules, and monitoring mechanisms across our environment at a time when we wanted to centralize and consolidate functionality,” says Him Tang, Cyber Security Manager at Vistra.
Streamlining collaboration to enable continuous improvement Vistra reviewed multiple vendors, choosing Wiz because of its breadth of services, usability, and cost. By deploying Wiz, Vistra gained the holistic visibility and governance across cloud infrastructure that the security team sought. The team rapidly adopted Wiz CNAPP functionalities, including Wiz DSPM, and IaC Scanning to detect security risks early on.
To identify critical attack paths, the security team uses Wiz to scan every resource and technology in their cloud environment across virtual machines, containers, and serverless functions. All Vistra teams now access Wiz to gain the same view of cloud resources, with risks, context, and correlations built in, while IT and security streamline cloud inventory management processes.
The security team uses this information and automated workflows to prioritize and remediate risks, such as PII or PCI exposures. Similarly, developers gain actionable insights on high-priority risks to address during the product development cycle without noise or the need to create context and correlations manually.
“Before, we could set policies within our AWS and Azure accounts but couldn’t see the inconsistencies and other risks. With Wiz, we have the visibility and insights to review configurations and policies proactively across all our tenants, enabling Vistra to create a culture of continuous improvement,” says Tang.
As Vistra continues its journey to shift left, creating a true DevSecOps capability by empowering developers with the insights they need to identify and address risks throughout the product development lifecycle rather than bolting on fixes afterwards.
“DevSecOps is still maturing for our company. As a result, we’re scanning new applications to ensure development teams address critical risks before launching new products,” says Tang.
As we move to an Infrastructure as Code model, Wiz is helping us shift left and scan code to identify and remediate risks earlier in the product development lifecycle. Boosting these capabilities helps us assure business owners that applications are secure by design.
Him Tang, Cyber Security Manager, Vistra
Development, Infrastructure and security teams use Wiz Projects and role-based access controls to enable collaboration for internal and external contributors in Wiz. The joint team uses a cloud landing zone and Wiz compliance check to onboard new business units quickly and securely. With this functionality, Vistra automatically evaluates and maintains regulatory compliance with a risk posture score, built-in frameworks, and reporting.
By empowering cross-functional teams with greater visibility, risk identification, and remediation capabilities, Vistra has greatly improved its cloud security posture, while improving operational efficiency.
Wiz provides a single pane of glass for cloud security at Vistra. We’ve gained the visibility, collaboration tools, and reporting capabilities we need to speed up the integration of our two companies and enable secure product development.
Him Tang, Cyber Security Manager, Vistra
Rapidly evolving security capabilities to support future growth Vistra has set the security foundation to enable continued rapid growth using Wiz. Cross-functional teams can rapidly and securely onboard new systems, design secure products, and streamline collaboration. Teams have complete visibility of their multi-cloud infrastructure, with contextualised risks and correlations, enabling them to set security strategies, evolve risk management capabilities, and proactively address vulnerabilities.
Next, Vistra plans to deploy Wiz CDR to elevate its threat detection, investigation, and response capabilities. Wiz CDR combines its agentless, graph-based approach with cloud activity logs, enabling teams to identify threats proactively, simulate attacker views, limit their damage, and perform forensics at scale during an unfolding threat.