How Do You Handle Security at a Multinational Company with Record-Breaking Growth? — vpTech Knows!

Published in VeepeeTech · 5 min read · Aug 22, 2022

Security challenges at large companies require an extra level of organization, testing and responsibility. The Head of IT Security at vpTech has shared how the team’s coordination and practices allow it to handle these challenges on a daily basis.

Cybersecurity at Veepee has experienced a huge boost in recent years, together with the unstoppable growth of the company. How can you predict and play out different security weaknesses and threats when your company is present in 10 countries, and the global traffic is estimated at 4.5 million unique visitors per day?

vpTech implements IT security strategies at Veepee. The tech community takes into account the challenges resulting from the company’s presence in different countries, the multicultural aspect that comes with it, as well as Veepee’s strong and steady growth. The cybersecurity approach of vpTech is purely pragmatic — it is based on emerging and existing threats which could be dangerous for the company, its partners and members.

At the same time, this straightforward approach is only possible with a shared vision of business challenges, well-established collaboration, processes and communication within the IT Security teams.

Antonin Garcia, Head of IT Security, has shared the procedures and innovations introduced in recent years which have made it possible to reinforce Veepee’s cybersecurity. Even though certain parts had to be fully rebuilt, restarting from scratch made it possible to build the foundation for the security provided by vpTech today. It is focused on approaching security operations from the following angles: attack, defense and governance.

We protect via attacks from our Offensive Security specialists (OffSec)

The OffSec team runs a lot of penetration testing, red team exercises and bug bounty programs — intense and interesting offensive techniques which allow the security team to identify vulnerabilities and fix them quickly.

Red teaming is when the team emulates a cyberattack that targets valuable assets or data by ‘hacking’ systems, processes and humans. An example of a red team exercise could be conducting social engineering attacks to gain access to a sensitive database. It is like a full-blown cyberattack, and it’s crucial to run this kind of testing.

Bug bounty is another practice dear to vpTech, where external ethical hackers are encouraged to come and test the security of Veepee. It gives incredible visibility on blind spots.

Forewarned is forearmed, and with practice via the OffSec approach the defense is tested and reinforced.

We defend through our Security Operations Center

The main idea of the SOC is to have dedicated analysts who are continuously watching and looking for illegitimate and suspicious behaviors. The team responds to any kind of security incident which could impact the staff (phishing, scam, etc.), assets (malware, new vulnerability exposed, etc.) and data at Veepee. Having this operational center allows Veepee to be responsive and prepared when there is a need to defend our lines.

We coordinate with the Information Security strategy (InfoSec)

InfoSec completes vpTech’s security strategy with governance, risks and compliance by continuously supporting corporate and technical teams. They are looking for the best approach to enhance security maturity.

Yes, we think we have to constantly improve everything! Our security specialists have access to a multitude of resources and practices which allow them to act together, find possible threats and reinforce existing practices. Permanent improvement is a must when you establish security strategies in a rapidly growing company.

How does this organizational structure define the work of engineers at vpTech?

To guarantee the cybersecurity of Veepee, we must first provide our team with the necessary resources, practices and services. The combination of the three angles of security allows us to have a versatile yet solid security practice.

On top of that, the IT Security team also embraces open source, SecOps and Infrastructure as Code technologies to support the tooling of the team. Today, the team maintains over a hundred servers to support daily security activities. We can find the event history of the past year, coordinate automated attacks and responses, centralize and standardize security findings, share Indicators of Compromise, etc. The team has access to all these events, where they can contribute, communicate, and then respond promptly to any security threat.

It has been a lot of work to build effective tooling that matches our needs from scratch. Today it’s running like a charm on the private cloud of Veepee, aka Veepee Cloud!

The described approach gives a lot of subjects and ideas for the security engineers to work with. We also encourage our engineers to step out of the security context and get their hands on operational build and run, such as server maintenance and applications development.

Why would we do it? Don’t engineers already have enough on their hands?

At vpTech, Antonin Garcia didn’t want to put the security teams in the position of a forever grumpy inspector, always on the hunt for the errors other teams make. Participating in production allows them to step aside and put things into perspective. When they make their own production, they have a different view on their security guidelines and supporting approaches.

“It allows our engineers to think like hackers but in a good way. We all need to be white hats!”

How do we think IT Security could be a game changer for the entire practice?

The IT Security team started to share indicators of compromise with other large retail players. This opens up perspectives to build security on a whole different level by sharing, consuming and taking a look at what is happening outside Veepee. This exchange also enables the company to work with security professionals who want to contribute to the common effort to fight against cybercriminal activities.

When you are handling volumes of data like Veepee’s, you are inevitably a permanent target for potential cyber attacks. vpTech has established a solid, yet always evolving system for guaranteeing security. The team has access to all the possible resources, both external and internal, to eliminate existing threats and build up new levels of security against any potential dangers.

Do you feel like you could put on the ‘white hat’ at vpTech? Don’t hesitate to check out our job offers — there could be a challenge with your name on it!


VeepeeTech is one of the biggest tech communities in the retail industry in Europe. If you feel ready to compete with most of the best IT talent, join us.