Sysdig

Santander Group’s Ben Visa Vale Protects 800K Cardholders

70%
LESS TIME SPENT ON VULNERABILITY MANAGEMENT
65%
COST REDUCTION ON SECURITY TESTING
98%
FEWER VULNERABILITIES IN THE PRODUCTION ENVIRONMENT

Business Need

  • Eliminate vulnerabilities in the development pipeline without impeding workflows
  • Ensure PCI-DSS compliance
  • Securely scale financial services
  • Streamline development to ship new software faster
  • Enable more effective use of security budget
“I have worked in security for more than 20 years, and used multiple tools in that time. I’m incredibly impressed with what Sysdig can do – and with how it’s enabled us to more effectively manage vulnerabilities without compromising application security.”
Anderson Agapito CISO, Infrastructure and Security at Ben Visa Vale

Company Overview

Founded in 2018, Ben Visa Vale issues prepaid Visa credit cards to over 3,500 companies, with more than 800,000 cardholders between them. Based in Brazil, the company is part of the Santander Group – one of the world’s largest multinational financial institutions. Today, Ben Visa Vale facilitates roughly $36 million in transactions annually.

With 1 million benefits cards in a closed payment loop, Ben Visa Vale currently holds 3.5% of the benefits credit card market in Brazil.

Industry: Finance

Infrastructure: Amazon Web Services (AWS)

Orchestration: Amazon Elastic Kubernetes Service (EKS), SUSE Rancher

Solution: Sysdig Secure

Challenges

Flying Blind into Kubernetes

Ben Visa Vale was created to transform benefits management, offering intuitive applications and services catering to both large organizations and individual users. With a commitment to continuous improvement, they sought ways to streamline their development process.

It was this mindset that motivated the company to transition their applications from a third-party provider to a Kubernetes environment. This migration significantly reduced customer login times from 12 seconds to three, and markedly decreased the company’s time to market.

There was just one problem – security.

“Our initial migration to Kubernetes put us in a bit of a tough spot,” said Anderson Agapito, CISO, Infrastructure and Security at Ben Visa Vale. “Our vulnerability management processes were inefficient, and we lacked visibility into our containers. At the time, we were relying on SonarQube and post pipeline ethical hacking tests for security – an approach we recognized would not effectively safeguard against vulnerabilities in a Kubernetes environment.”

This significantly impacted the company’s development timelines. Vulnerabilities would frequently be discovered very late in production, leaving them with two choices: launching vulnerable applications or stalling launches indefinitely.

“Given our operations in financial services, it’s extremely important that we’re able to observe what happens in our environment,” Agapito said. “We’re bound by various compliance regulations and also face security expectations from the Santander Group.”

Meeting those expectations was made all the more challenging by time constraints, as the company’s IT team, comprised of only two cloud engineers, two DevOps engineers, and Agapito himself, had limited capacity.

This team was required to check in frequently with Ben Visa Vale’s parent company on both security posture and practices. In addition, they ran ethical hacking tests on their infrastructure every year and tested whenever they launched a new application. These tests incurred significant costs, amounting to over $20,000 each – another driver in the company’s search.

Had Ben Visa Vale not been actively seeking a Kubernetes security solution, an announcement from Brazil’s Central Bank in early 2019 would have compelled them to do so. With plans to modernize the country’s financial system through the Open Finance implementation, Ben Visa Vale’s payment cards, previously operating within a closed-loop environment, faced impending changes.

The shift to an open-loop environment necessitated that Ben Visa Vale’s products comply with the Payment Card Industry-Data Security Standard (PCI-DSS).

“We initiated discussions with our Santander Group colleagues here in Brazil,” Agapito said. “We wanted to see if they had a solution for ensuring security and observability within Kubernetes. Unfortunately, the solution they were testing at the time didn’t align with our requirements and involved a rather complex installation process.”

The company needed something flexible, scalable, and lightweight – a solution that was easy for their small team to use and manage, while also incorporating a framework for PCI-DSS compliance.

With that in mind, they initiated an online search that eventually led them to Falco, and subsequently to Sysdig.

“By understanding what vulnerabilities are most critical in our environment, we’ve been able to spend 70% less time on vulnerability management without sacrificing application security.”
Anderson Agapito CISO, Infrastructure and Security at Ben Visa Vale

Secure Code and Agile Development: The Best of Both Worlds

Improved Time to Market, Reduced Vulnerabilities

“After discovering Sysdig, we ran an initial scan as a proof of concept,” Agapito said. “That scan revealed vulnerabilities in 98% of our applications. We immediately began planning to make a business case for deployment.”

Vulnerability management aside, Agapito and his team were able to demonstrate Sysdig’s capacity to reduce time to market for the company’s software. Not only would they be able to meet their launch deadlines, but they could do so while also securing their clusters.

“Time to market is always a major concern,” Agapito said. “When you discover a large vulnerability close to launch, it costs a great deal of time and money to fix. Preventing such occurrences represents a huge potential return on investment.”

Streamlined Security

Sysdig’s ease of use was also a major selling point. Ben Visa Vale sought a security solution with minimal management overhead that would allow them to streamline their pipeline’s security process with minimal time investment.

“Configurability is really easy for us,” Agapito said. “For instance, we just configured our PCI framework, and all it took was a few clicks to get all the rules up and running. Sysdig also provides comprehensive visibility into DevOps and enables automatic blocking of high or critical severity vulnerabilities from advancing to our production environment.”

Building a Better Pipeline

Since implementing Sysdig into its continuous integration/continuous delivery (CI/CD) pipeline, Ben Visa Vale has noticed an immediate difference in terms of efficiency. Their security team no longer has to engage in a back-and-forth with developers to explain vulnerabilities or remediation requests. Instead, Sysdig automatically creates and assigns Jira tickets when it detects vulnerabilities.

“In terms of an increase in productivity, Sysdig has proven to be of immense value,” Agapito said. “I estimate a reduction in time to remediation by at least 60 to 70%.”

Consequently, this increase in productivity has not only streamlined launching applications on schedule but has also reduced the cost of ethical hacking tests for the company.

“Prior to Sysdig, we spent close to $20,000 per test,” Agapito said. “Now, we spend roughly $7,000 on the same process.”

Seeing the Full Picture

Apart from vulnerability management, Agapito uses Sydig as a monitor for Ben Visa Vale’s cluster, cross-referencing its output with data like AWS cloud logs. In the future, they also plan to integrate Sysdig with Wazoo, their security information and event management (SIEM) solution.

“It’s highly valuable for us to have a comprehensive view of our security environment,” he said.

Championing a New Approach to Security

“We were the first company in the Santander Group to use Sysdig, and among the first in Latin America,” Agapito said. “It gives us a complete view of Kubernetes that no other tool offers. Our next step is leveraging Sysdig for posture management.”

Meanwhile, Agapito has been hard at work spreading the word about the solution. “Since partnering with Sysdig, I’ve presented to several other companies advocating why they’re a good choice,” he said.

“I’ve found it’s often quicker to talk to Sysdig about issues than it is to address them internally, which significantly increases efficiency,” Agapito said. “Overall, my experience has been exceptional, and I can’t recommend them highly enough.”

To learn more about Ben Visa Vale, visit www.benvisavale.com.br.

“Through our partnership with Sysdig, we demonstrated to our CTO and CEO that achieving a rapid time to market is possible while also identifying and resolving vulnerabilities well before an application’s launch window.”
Anderson Agapito CISO, Infrastructure and Security at Ben Visa Vale

About Sysdig

In the cloud, every second counts. Attacks move at warp speed, and security teams must protect the business without slowing it down. Sysdig stops cloud attacks in real time, instantly detecting changes in risk with runtime insights and open source Falco. We correlate signals across cloud workloads, identities, and services to uncover hidden attack paths and prioritize real risk. From prevention to defense, Sysdig helps enterprises focus on what matters: innovation.

Sysdig. Secure Every Second.

To learn more about Sysdig, visit sysdig.com

Request a Demo

Take the Next Step!

See how you can secure every second in the cloud.