Challenge During its shift from a single cloud to a multi-cloud environment, Schrödinger needed a CSPM that would consolidate security monitoring and provide visibility across its environments.
The company’s small security team wanted to optimize its resources to best support the organization as it scales.
Schrödinger sought to improve communication between its development and security teams to better protect its environment from key vulnerabilities.
SolutionSchrödinger was able to centralize visibility across its environment and improve coverage as its environment grows in complexity.
By giving its security team simpler and faster access to information, the company can more easily catch risks and vulnerabilities that might otherwise slip through the cracks.
With a single platform supporting security posture management, development and security teams can more easily agree on risk prioritization and remediation.
Saves >$613k per year
on cloud costs by identifying and removing unused resources
Eliminated all
critical vulnerabilities
Improves cross-team collaboration
by enabling 12+ engineers to access Wiz.
Building internal connections to accelerate drug discoveryDrug discovery and materials design leader, Schrödinger, and its physics-powered computational platform supports organizations around the world seeking to streamline drug discovery and material development. To power all of this, the organization requires a cloud environment that can keep pace with development—and a security solution that can protect it.
The company’s existing security management tools felt disjointed, making it difficult to see across its multiple cloud environments. This disconnect also made it challenging for developers and security engineers to collaborate. “Our cloud providers have some built-in security functionality, but each of them offered different features,” said Ryan Murphy, Senior Security Engineer at Schrödinger.
My vision is to empower our engineers to own their security management and make remediation more self-service. We chose Wiz because we saw an opportunity to support our small security team and developers with one solution.
Ryan Murphy, Senior Security Engineer, Schrödinger
A key criteria Schrödinger searched for in an all-inclusive security solution was that it was agentless, so it could easily deploy and ensure it caught issues that may have otherwise fallen through the cracks with manual work. “Wiz was the most comprehensive solution we found that supported our multi-cloud CSPM needs,” said Murphy.
Rethinking security programs to protect a multi-cloud organizationWith Wiz deployed, the team’s first priority was improving visibility, so it could quickly assess its overall cloud security posture. “From an organizational level, we were able to gain visibility across our entire environment,” added Murphy. “We plugged Wiz in and immediately discovered exposures that we were able to address. That was a massive value add from the moment we got started.” By improving visibility with a consolidated security monitoring solution, Schrödinger has also improved its trust in its security status and confidence in what work is needed to protect the organization.
We need to trust our CSPM solution not only with our security, but also with helping us foster better relationships with our engineers. With Wiz as the centerpiece of our cloud security management, we can be accurate and up to date.
Ryan Murphy, Senior Security Engineer, Schrödinger
The team promptly used that newfound trust in its data to improve communications between its developers and the security team with a measured, risk-based approach to remediation. “We would file JIRA tickets and discuss remediation with our dev teams, but it was all manual work, and we wanted to build more trust through transparency,” Murphy shared. “With Wiz, we can show developers an issue, walk through exactly why it’s an issue, and they can trust our shared solution instead of just taking our word for it.” This collaborative approach has led to more than a dozen developers regularly using Wiz to explore and address potential risks.
Reaching zero criticals through data-driven decision makingBy consolidating contextualized information about threats, Schrödinger’s security team can more easily prioritize critical Issues and effectively communicate with its engineers. “With our previous solution, communication was really our primary security challenge,” said Murphy. “With Wiz, we have more context and information up front, so when we reach out to engineers, we can point directly to an issue, explain why it's important, and use this hands-on process to help them prioritize remediation.” This has led to being able to provide best practices for secure coding and developer education, including threat modeling exercises, to build a more proactive security ecosystem.
They’ve also connected Wiz to JIRA to divide critical Issues among relevant teams and track remediation progress. With this integration, teams can better focus resources on higher-impact triage and avoid working on false positives. “We have planning meetings where we can upgrade or downgrade what people should work on and distribute tasks evenly across teams,” said Murphy. “Those teams know their products better than we do, and working together through Wiz and JIRA, we can more easily determine a path forward as a team. By tracking that progress, we can also more easily show our upper management the number of critical Issues going down, and identify more metrics to gauge our effectiveness.”
Because of these process improvements , Schrödinger has reached zero critical vulnerabilities across its cloud environment. “Today our security team has more information and insight into our cloud environment at an organizational level,” Murphy shared. “We can work with our developers to make more informed decisions about our security posture to guide the rest of the organization.”
Designing a collaborative approach to cloud security The company now leverages features such as Wiz CLI to monitor vulnerabilities in code and attack surface management to gain a new perspective of its potential vulnerabilities. With this information available directly to the team’s engineers, they’re able to uncover new ways to self-service, manage, and remediate their own issues before they’re ever deployed. Giving engineers access to Wiz is helping the team catch issues sooner and gradually shift left. “We’re seeing engineers take the initiative to explore Wiz for themselves. Engaging with Wiz then turns into self-servicing their issues more frequently because they can review and validate issues themselves,” Murphy said.
This gradual evolution of Schrödinger’s cloud security approach also extends beyond traditional security frameworks. “One of our engineers asked me about how many virtual machines we’re currently running in Google Cloud, and I was able to find that for him using Wiz in less than two minutes,” he added.
Every single person we’ve worked with at Wiz has been helpful, personable, and responsive. Wiz’s team has been invaluable in our success, and the support has been excellent.
Ryan Murphy, Senior Security Engineer, Schrödinger
The company’s ongoing effort to build this shared security language in Wiz is helping it reach its larger cloud management goals, including reducing cloud spend. “Our organization has been in the cloud for years, so when we introduced Wiz, we were able to locate a lot of leftover legacy infrastructure,” said Murphy. “Wiz helps us identify those resources, so we can remove them and save on cloud costs.”
As Schrödinger continues to optimize these processes, it can regularly revisit its current resource usage, evaluate it, and address issues. This has saved the organization more than $613k annually in cloud computing costs alone.
Designing a future-facing, compliant Schrödinger With its security foundation laid, Schrödinger is using Wiz as it works toward SOC2 and ISO 27001 compliance to reach customers with stringent security standards. As part of this effort, the organization is exploring using the Wiz sensor to implement real-time monitoring and threat detection. “We know the sensor will help us catch potential incidents ahead of time,” said Murphy.
This ongoing commitment to proactively address risks also involves further democratizing access to Wiz and making security a company-wide, collaborative effort. “We’re excited because the more proactive we can be as an organization, the better and more securely we can grow,” he concluded.