Case Study

CoStar Group

InsightCloudSec Enables Continuous Multi-Cloud Security and Compliance for CoStar During Mergers and Acquisitions

CoStar Group is the leading provider of commercial real estate information, analytics, and online marketplaces. They conduct expansive, ongoing research to produce and maintain the largest and most comprehensive database of commercial real estate information. Their suite of online services, which includes Apartments.com, LoopNet, Lands of America, BizBuySell, and many more, enables clients to analyze, interpret, and gain unmatched insight into property values, market conditions, and current availabilities.

To expand their reach, CoStar supplements its core products with complementary services and capabilities through mergers and acquisitions (M&A). As of October 1, 2019, CoStar has spent approximately $2 billion acquiring a total of 27 organizations, each with a unique cloud presence and varying levels of cloud competency. They have an estimated revenue of $1.2 billion. CoStar’s challenge is ensuring the security and compliance of its constantly growing and evolving cloud footprint, which spans across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

When growing through M&A, CoStar must be able to do three things:

  1. Understand the cyber risk of the acquisition target by:
    1. gaining visibility into the cloud and container environments; 
    2. determining if these cloud and container environments meet CoStar’s security and compliance requirements; and
    3. establishing the cyber risk associated with these environments and building a plan to minimize this risk
  2. Integrate the newly acquired resources, including continuous monitoring and remediation of security and governance, risk, and compliance standards
  3. Maintain the ability of these acquired entities to accelerate innovation through the use of cloud services to continue to grow CoStar as an industry leader without the loss of control

In 2018, CoStar selected the InsightCloudSec platform to establish and maintain comprehensive security for their multi-cloud environment. CoStar’s primary objective in the cloud is to achieve a rigorous standard of security while accelerating innovation and growth. InsightCloudSec provides CoStar with control over their cloud resources in a way that supports their business model and culture.

The Process 

Understand the Cyber Risk 

When acquiring a new company through M&A, CoStar uses InsightCloudSec as part of its onboarding. This onboarding process integrates key infrastructure and cloud service provider security tools, InsightCloudSec, and other third-party tools. This onboarding is done in-house using a custom script. Within about 10 minutes, the script is complete and the new cloud environments are visible in InsightCloudSec.

Using InsightCloudSec’s Badges and non-invasive Insights as part of their onboarding process, CoStar has immediate visibility of how a new cloud environment scores against their security baseline.

At this point, if any of the new environments do not meet CoStar’s security or compliance requirements, InsightCloudSec will automate remediation. For example, InsightCloudSec can send an alert in response to these violations notifying specified personnel through email, Slack, and InsightCloudSec’s user interface. Detection and automated remediation can begin in as little as 30 seconds, allowing CoStar to understand the risk created by security, compliance, and governance gaps; alert the right people in real time; and harness the power of meaningful automated remediation.

Integrate and Automate

After using InsightCloudSec to align the new cloud environments with CoStar’s cloud security requirements and validating proper configuration, CoStar integrates cloud account authentication and authorization into its Active Directory. At this point, InsightCloudSec’s Badging function aligns the new accounts to CoStar’s organizational structure.

Badges allow enterprises like CoStar to customize the organization of their cloud accounts within InsightCloudSec. Badges are key-value pairs, similar to AWS tags or GCP labels, that are stored in InsightCloudSec. Badges are applied at the cloud account/subscription/project level, depending on the cloud service provider. 

CoStar uses InsightCloudSec Insights and Bots to identify and automate many standard actions that would otherwise require manual remediation. An Insight is essentially a question about the data (e.g., “is the database encrypted?”). A Bot is a workflow that can be automatically triggered if and when a finding is detected by an Insight. This workflow executes a user-defined set of actions. These actions include notifications, ticketing, logging, orchestration of third-party systems, and reconfiguration of cloud services. CoStar uses Badges to scope their Insights and Bots, for example by applying a different set of Insights and Bots to development versus production environments or to different business units. With Insights, Bots, and Badges, CoStar can:

  1. organize their cloud controls in a logical way that aligns to their current business needs while providing flexibility for the future, 
  2. identify standard levels of acceptable risk based on specific resources and settings, and 
  3. create workflows to remediate situations that fall outside the scope of acceptable risk.

 

Synergistic Symbiosis

Once the new environments are fully integrated, InsightCloudSec continues to play a vital role by providing critical data, continuous monitoring, and automated remediation while integrating with many of CoStar’s tools. Through InsightCloudSec, CoStar has a holistic, enterprise-level view of their clouds and is able to maintain their secure baseline across AWS, Azure, and GCP. With InsightCloudSec’s automated remediation capabilities, CoStar and its subsidiaries can focus confidently on developing and delivering the best possible products to their customers using the full power of cloud technology. By keeping pace through agile development and minimizing friction from security, CoStar allows its acquisitions to thrive. In this relationship, security and development are not opposing forces. In fact, they work together.

The Results

InsightCloudSec has enabled CoStar to create a standardized security baseline across products, business units, and cloud service providers. Without InsightCloudSec, CoStar would have to manually aggregate resources and resolve security issues between AWS, Azure, and GCP. Based on the comprehensive snapshot that InsightCloudSec provides, CoStar defines how they are going to address and minimize vulnerabilities, prioritized by risk, using both automated and manual interventions.

InsightCloudSec automatically alerts the CoStar security team of misconfigurations, and in some circumstances, corrects issues automatically. Without InsightCloudSec’s automation, CoStar’s pace would slow and its vulnerability to risk would rise. Relying on human detection, notification, and intervention for misconfigurations alone would require additional employees, thereby increasing overhead costs and reducing profit. Relying on human intervention would also clash with their developer-centric culture (there is one information security engineer for every twelve developers).

Through continued collaboration, InsightCloudSec has delivered several features that extend beyond CoStar’s primary goal of achieving rigorous security while driving innovation and growth. InsightCloudSec has become a cornerstone of CoStar’s cloud strategy, which, in turn, supplements their ability to synergize with agile, innovative companies that complement the brand. By investing in InsightCloudSec, CoStar has been able to accelerate their M&A process, reduce the cyber risk associated with it, and adapt to future challenges of cloud security in their evolving organization. CoStar’s ability to leverage InsightCloudSec ensures their success because they have the right pieces in place to support their security posture, regardless of CSP, before, during, and after a deal is complete.
