Wiz Helps Blackstone Build a Secure Environment on AWS

Executive Summary

Blackstone is one of the world’s largest alternative asset managers and invests capital on behalf of pension funds, large institutions, and individuals. Blackstone chose Wiz on Amazon Web Services (AWS) to provide advanced, agentless security scanning across its complex, hybrid network. Wiz provides a single view of complex infrastructure, providing security teams with the visibility they need to improve their cloud security posture.

Security Upgrade for Blackstone’s Global Business

Global investment business Blackstone is all-in on AWS. As it continued to develop its cloud capabilities it needed a solution that would provide a deeper understanding of its security posture, which is a top priority for the firm.

Blackstone was seeking a truly cloud-native solution to replace multiple systems that were operating in isolation. The company turned to AWS Partner Wiz. Running on AWS, Wiz provides a single view of Blackstone’s security, vulnerability, identity, and access management needs to satisfy General Data Protection Regulation requirements and other data privacy regulations.

Blackstone’s highly technical team was looking for cutting-edge technology to support its advanced use cases and Wiz fitted the bill.

"Wiz includes all the main capabilities in one platform. It’s accessible through a single-pane-of-glass view and shows us exactly what’s going on across our environment."

- Adam Fletcher, Chief Security Officer, Blackstone

Supporting Blackstone’s 5 Pillars of Security

The nature of Blackstone’s business requires the highest levels of security. But the company also needs the freedom to rapidly innovate to provide the best and fastest systems to run its investment business. It needed security tools that could make sense of complex, hybrid network environments and do more than just identify potential issues or misconfigurations.

The team at Blackstone identified 5 key capabilities, or pillars, it wanted its security platform to provide: cloud security posture management, breach path detection, vulnerability scanning, secrets management, and container security posture management. 

After researching the market, the team understood that addressing these needs via separate products would not provide the granular view it needed and would add unacceptable management overheads to its work.

An Agentless Solution Offering a Single-Pane-of-Glass View

Blackstone’s existing security infrastructure already satisfied its 5 security pillars. But integrating the various products it was using and ensuring they worked properly together was difficult for the team—that’s where Wiz helped. “Wiz includes all the main capabilities in one platform. It’s accessible through a single-pane-of-glass view and shows us exactly what’s going on across our environment,” says Adam Fletcher, chief security officer at Blackstone. “But it’s not just a point solution. We appreciated that Wiz’s product was able to consolidate the 5 key capabilities that we felt were important to securing our cloud environment using one single platform.”

Another key differentiator for Wiz on AWS was that it is agentless, which suits the changeable and ephemeral nature of Blackstone’s cloud-centric systems. Because cloud environments rapidly and automatically add and remove resources—like containers or additional serverless compute power—security teams cannot keep up if they rely on software agents that must be installed and configured on individual machines.

It is difficult for security staff to have visibility into every resource in the cloud—never mind getting additional agents in place and running in a timely manner. Agents also consume compute resources and need to be maintained and managed like any other software.

Agentless systems are built for the cloud. They run scans using AWS APIs to understand how workloads are operating and do so without impacting on cloud resources.

Wiz also gave Blackstone a deep understanding of its complex and changing network environments. “Wiz doesn’t just scan for vulnerabilities or misconfiguration,” says Fletcher. “Its graph database looks at multiple layers of the cloud environment to spot potential breach paths or other risks. It provides a simple, single interface that we can easily interrogate.”

Today, Blackstone can run customizable queries on Wiz to visualize and secure its entire cloud environment.

Proving its Worth Countering Log4j

Log4j was a widespread vulnerability in an open-source logging tool buried in many corporate systems. It emerged as a serious risk in late 2021 and security teams had to scramble to check exactly how and where it resided on their systems before they could start to remediate the risk.
Wiz was the main tool Blackstone used to address the risks associated with Log4j. “Wiz scans agentlessly using AWS, which gave us unparalleled visibility for Log4j,” says Raaz Herzberg, head of product at Wiz. “We used AWS APIs to take snapshots of every machine and every container node, analyze the data, and report back. There is no agent to install with issues of coverage or time lost to configuring. Getting that visibility across AWS is the first huge challenge that Wiz solves. But even when I know where the problems are, how do I prioritize between the hundreds of instances I have?”
Herzberg explains that Wiz analyzes the context and prioritizes the public facing and highly privileged machines that need fixing first. “We give you discovery, prioritization, and can even assign issues to the relevant teams to fix,” she adds.

“We used AWS APIs to take snapshots of every machine and every container node, analyze the data, and report back. There is no agent to install with issues of coverage or time lost to configuring.”

Raaz Herzberg, Head of Product, Wiz

Advanced Use Cases Using Wiz and AWS

Despite its advanced analytical capabilities, Wiz works through a single-pane interface to ease the burden on security teams—information is displayed graphically and in one place. This interface shows the current AWS runtime-based configuration and vulnerabilities that Wiz is able to detect. The flexible and robust graph APIs and custom controls mean that Blackstone can understand and spot unexpected changes in its AWS environment.

Blackstone wanted to be able to secure it's infrastructure by understanding not just what’s accessible from the internet from AWS but also what is accessible from their own networks. It worked with Wiz to extend the existing network exposure analysis tools to include analysis of what traffic was flowing through the transit gateways.

The two companies worked together as a team. “Our relationship with Wiz has been an incredible partnership. Everyone on my team really appreciates the listening that Wiz does. They’re great at seeking feedback and then delivering that back to us as a feature or capability. It’s been a game changer and is making our business better and helping us make faster, better decisions,” says Fletcher.

"The clarity and visibility that Wiz provides helps give Blackstone the assurance it needs to continue to innovate at speed with more advanced security capabilities."


About Blackstone

Blackstone is one of the world's largest alternative asset managers and invest capital on behalf of pension funds, large institutions, and individuals. 

About AWS Partner Wiz

Wiz performs a deep assessment of entire cloud and then correlates a vast number of security signals to trace the real infiltration vectors that attackers can use to break in. Wiz also gives you the tools to bring your DevOps and development teams into the process to fix these risks, creating a culture of security in your cloud operations that results in a stronger, more secure cloud.

Published January 2023