Transcription
CASE STUDY FIVERRFiverr Replaces Multiple Tools withOrca Security to Gain Immediate andComplete Visibility into AWS Assets“Within minutes, we gained full“Orca has taken our cloudvisibility into our AWS account.environment visibility from zero toBefore Orca, I had zero visibility.100%. When I discuss with my teamNow, I see everything I need to see.what to address first, now I speakPlus, we now have a single tool thatfrom a far more credible position.”does it all.”DougGraham ShaharMaorCSOCPOChief&InformationSecurity OfficerFiverrI N D US T RYCHAMPIONC LO U D E N V I R O N M E N TInternetShahar Maor: CISOAWSCloud SecurityChallenges No way to understand the full context of whatwas happening across AWS AWS and open source tools were timeconsuming and ineffective Flooded with thousands of alerts that nobodyhas time to reviewCloud SecurityResults Deep cloud inspection identifies malware,misconfigurations, “secrets”, weak passwords,and PII Saves hours of work per week, less reliant onDevOps, and no overlooked assets Alerts now prioritized based on environmentalcontext, pushed to Slack, and resolved1
CASE STUDY FIVERRRapid Global ExpansionCalls for AWS CloudSecurity at ScaleFounded in 2010 and headquartered in Tel Aviv Fiverr(NYSE: FVRR) is a vast online global marketplace forfreelance services. Its platform enables freelancersto offer services to customers worldwide whilehelping businesses find services they need simplyby browsing a catalog or conducting a search.Fiverr’s platform has served over 5.5 millionan issue. It’s a misconception to think that if youhave a cloud-native infrastructure that you see itmore clearly. There are a lot of complexities whensecuring cloud environments.”Maor had concerns about platform users havingweak passwords, and the potential for malware to berun on AWS servers. “When I first mapped the risksagainst our high-value assets, it was evident wehad blind spots. Plus, I was spending way too muchmanual time monitoring assets—especially the AWSS3 buckets—to make sure nothing was exposed. Itwas very tedious.”businesses and facilitated over 50 milliontransactions. With so many people accessing theplatform, maintaining a secure AWS infrastructure iscrucial.Fiverr’s CISO ShaharMaor Knew that SecuringCloud Environments is aComplex AffairThe Ideal Solution Neededto Provide Deep VisibilityAcross All AWS AssetsWith specific requirements in mind, Maor set outto find an AWS cloud security solution. We neededa solution that could provide complete visibility“I was the first full-time security professional Fiverrhired,” reveals CISO Shahar Maor. “Although securitywas already deeply embedded in Fiverr’s culture.”Maor’s initial analysis of the AWS infrastructurepointed to potential attacks from external vectors,hackers, malicious bots, and viruses. But he knewthat in a cloud environment, there’s more thanmeets the eye.“Often, organizations assume that if they“Often, organizations assume thatif they protect the perimeter, that’ssufficient, and the cloud infrastructureis often overlooked.”Shahar MaorChief Information Security OfficerFiverrprotect the perimeter, that’s sufficient, and thecloud infrastructure is often overlooked,” Maorsaid. “You might not think about the fact that amisconfiguration on the platform itself could be2
CASE STUDY FIVERRinto our AWS environment while also scanningfor malware, identifying misconfigurations, andprotecting PII.”The optimal cloud security tool would be acomprehensive solution for identified risks, as wellas provide actionable insights and value acrossNative Tooling, LegacyScanners, and Agentbased Approaches Weren’tGoing to Cut ItIT, DevOps, and engineering. Additional goals andMaor understood that Fiverr’s cloud environmentrequirements for an AWS security solution included:had unique requirements that many available cloudsecurity tools couldn’t meet. “Native tools such No agents to manageas Amazon Inspector or GuardDuty provide basic Complete visibility; no overlooked assetsfunctionality, but they don’t correlate logic with Search for and protect PIIincidents or understand the full context of what’s Perform health checks on servershappening. You still have to analyze logs and invest Identify weak passwordsmore time to make sense of the data. They’re better Find misconfigurationsthan nothing, as are open-source tools, but there’s Look for “secrets” left in existing code Monitor exposed assets, such as S3 buckets Simplify regulatory compliance, particularlyfor PCIno workflow for delivering findings to your teams totake action.”Maor added that scanners and agent-based toolsare very limited. “Some commercial tools scan aserver for vulnerabilities, but that’s it. In short, thesetools create more work, and they require domainexpertise and additional tools to work effectively.”Single Tool Does It All“We needed a solution that couldprovide complete visibility intoour AWS environment while alsoscanning for malware, identifyingmisconfigurations, and protecting PII.”Shahar MaorChief Information Security OfficerFiverrMaor sees Orca Security as a one-stop-shopfor reducing risks hiding inside Fiverr’s AWSinfrastructure. “Orca provides a holistic solutionfor mitigating risk in Fiverr’s datacenter. The uniquemethod Orca uses to scan AWS proved to be themost suitable for us, and it won over our DevOpsteam. Plus, we now have a single tool that doesit all.”3
CASE STUDY FIVERROrca SideScanning Eliminates Need forAgents, Has No Impacton Performance“Orca sends meaningful, actionable alerts in real-Running security agents on individual virtualSimplifying RegulatoryCompliancemachines requires ongoing management andadministration. Instead of that approach, Orca runsas a SaaS service with read-only access to thetime to bring our attention to a threat, instead ofcreating tons of logs and thousands of alerts thatnobody reads or has time to review. We get Slackalerts on every critical finding. If Orca uncovers anew vulnerability, we know about it immediately.”customer’s AWS, Azure, and/or GCP workloads’ run-Additionally, Orca Security simplifies regulatorytime block storage. It reconstructs bits and bytescompliance. “PCI requires us to scan ourfrom the snapshot to build out a virtual, read-onlyenvironment—and because it’s serverless, thatview of the operating systems, applications, andpresents unique challenges. Orca’s solution lets usdata—then scans them for vulnerabilities and risks.scan both EKS and ECS containers, providing goodcoverage for PCI.”“Orca is extremely lightweight and has no impacton the network whatsoever,” says Maor. “You getvisibility without any interference with the instanceitself. Orca simply creates a copy, reads it, analyzesfindings, then presents them in a dashboard for usto review.”Meaningful, High-ValueAlerts without the NoiseOrca Security’s patented SideScanning technology automatically discovers every asset ina customer’s environment. This provides securityteams with immediate visibility into compromisedresources, vulnerabilities, malware, and“Orca Security sends meaningful,actionable alerts in real-time to bringour attention to a threat. If Orcauncovers a new vulnerability, we knowabout it immediately.”Shahar MaorChief Information Security OfficerFiverrmisconfigurations. By combining such informationwith environmental metadata, Orca sends alertswithin context to enable effective prioritization.4
CASE STUDY FIVERRComplete Visibility,Minimal EffortSaving Hours per Week,No Need to Rely on DevOpsSoon after implementation, Orca surfacedMaor now spends half the time he used to onvulnerabilities that Maor’s team was able to address.“Orca Security delivers valuable insights and theability to extend Fiverr’s security posture. BeforeOrca, I had zero visibility. Now, I see everything Ineed to see.”For Maor, that was validation that Orca Securityis all he needs. “I still have both Orca and a CASBimplemented, but on my next renewal, I’ll beremoving the CASB because it’s not providing anyinsights,” he said. “I’ll be relying solely on Orca formonitoring the AWS production environment, endto-end.”cloud security work. “Orca has eliminated hoursof work every week with regard to cloud securitymaintenance and administration work. Plus, I don’thave to rely on DevOps for support.”As an added bonus, Maor is able to rely on OrcaSecurity’s team for recommendations and expertise.“The Orca team brings an extensive backgroundand practical knowledge in security, together withamazing agility and flexibility. We’re already seeingtons of value from Orca, and we’re excited to growwith it as our main AWS security platform.”About Orca SecurityUtilizing its unique patent-pending SideScanning technology, Orca Security provides cloud-wide,workload-deep securityand compliance for AWS, Azure, and GCP. After an instantaneous, read-only and impact-free integration to the cloud provider,it detects vulnerabilities, malware, misconfigurations, lateral movement risk, authentication risk, and insecure high-risk data—then prioritizes risk based on the underlying issue, its accessibility, and blast radius - without deploying agents.Connect your first cloud account in minutesand see for yourself: Visit orca.security Copyright Orca Security 2021. All trademarks, service marks, and trade names referenced in this material are the property of their respective owners.
Fiverr’s platform has served over 5.5 million businesses and facilitated over 50 million transactions. With so many people accessing the platform, maintaining a secure AWS infrastructure is crucial. Fiverr’s CISO Shahar Maor Knew that Securing Cloud Environments is a Complex Affair “I was the firs
