How cybersecurity helps uphold trust for a leading cryptocurrency platform
Coinbase + IBM
Display of home screen on the Coinbase app, with owner's assets in different cryptocurrencies
Maintaining trust in a bleeding-edge space

“We have a very large number of assets under custody, and the single most important thing that we have to do is keep our customers’ assets secure,” says Jeff Lunglhofer, Chief Information Security Officer (CISO) at Coinbase, one of the world’s leading  cryptocurrency platforms.                 

Coinbase is building the most trusted crypto products and services—and supporting other builders—to make it easy and safe for people around the world to benefit from this new economy. But as crypto’s value has boomed, so has the frequency of cyberattacks on crypto wallets and platforms.

So how does Coinbase maintain customers’ trust?

“To be the most trusted name in crypto means we have to provide the most secure platform,” says Pete Smith, Coinbase’s Head of Security Operations, who leads the company’s 24x7 global security monitoring team. “That means defending against the best and latest threats out there. And to understand what we have to defend, we have to know what’s tempting to attackers.”

Coinbase’s business creates a unique attack surface. It’s one of the largest players in a relatively new, rapidly evolving space. It supports fast development of new services and features, and it has an active merger and acquisition (M&A) strategy. While the company has over a decade of experience navigating risk and volatility, the Security team at Coinbase constantly invests in new technologies to keep customers secure.

“We’re at the bleeding edge of a bleeding edge space,” says Lunglhofer. “We were born in the cloud and we’ve been raised in the cloud. We have a lot of cloud capabilities and significant SaaS-based exposure. We don’t have large data centers. It’s a very uniquely different risk model than a traditional financial institution.”

Protecting this environment requires sophisticated attack surface management (ASM) and advanced red teaming capabilities.

ASM with deep human expertise, augmented by automation

Coinbase conducted a detailed analysis of various ASM offerings and chose to use the IBM Security® Randori® Recon solution, including its IBM® X-Force® Attack Targeted service, which, as Lunglhofer says, “came out on top from a value perspective and from a pure capability perspective.”

Coinbase has now used Randori for several years and, as the company has rapidly evolved, it’s worked closely with the Randori team to continually test and strengthen its everchanging attack surface. Randori combines ASM automation software with X-Force Red, a human team of cybersecurity experts and ethical red team hackers. While the automation drives surface testing at scale, the people collaborate directly with Coinbase to address issues requiring deeper insight and nuance.

“I’ve always been incredibly impressed by the Randori team members that I’ve spoken with,” says Lunglhofer. “They spend a lot of time listening to our concerns, then they take that information and synthesize it into a really meaningful attack plan that shows us where we can tighten things. It really is next level, the deep understanding and spending hours on the phone talking through our business and getting very focused on the targeting. That’s a huge differentiator, that level of investment.”

Over time, Coinbase has adjusted how it uses Randori in order to maximize its effectiveness. In the first year or so, Coinbase had the Randori team operating almost independently, as a “very-red red team,” as Lunglhofer puts it, stealthily hunting across Coinbase’s network for any potential risks. There were some very valuable finds, but by and large, thanks to the skills of the Coinbase security team, the network was tight. It was difficult for the red team to find areas needing improvement.

Seeing potential for steadier value, Lunglhofer and team replaced cloak-and-dagger red teaming with more collaborative purple teaming, having the Randori red team work directly with Coinbase security “blue” teams in attack planning sessions. Now, Coinbase teammates with deep knowledge of the network guide the red team to the areas they most want to test. The result, Lunglhofer says, is “more impactful tests that more accurately simulate an adversary. It’s a much more consistent positive impact.”

I’ve always been incredibly impressed by the Randori team members that I’ve spoken with … It really is next level, the deep understanding and spending hours on the phone talking through our business and getting very focused on the targeting. That’s a huge differentiator, that level of investment. Jeff Lunglhofer Chief Information Security Officer Coinbase
USD 312B quarterly volume traded USD 330B assets on platform
Diversifying ASM’s value: two use cases

Smith and colleague Paul Hodapp, Coinbase’s Director of Security Technical Program Management, relate two specific and varied examples of how they’ve put Randori to use:

Strengthening security in the existing network
When the Randori team recently noted a visibility gap in one environment, related to a particular beaconing protocol, Smith brought key personnel from the affected environment together with his Security Ops team and Randori personnel. “Everybody’s in the room together,” says Smith. “It gets our infrastructure people thinking about how to resolve this from a holistic level, our security people thinking about the types of detections they need to write. We coalesced all that into a package of solutions within a couple of days and closed the issue.”

Mergers and acquisitions (M&A) onboarding
In periods of rapid acquisition, Hodapp explains that his team used Randori to support a methodical, disciplined approach to aligning acquisitions to Coinbase’s high security standards. Upon finalizing an M&A agreement, Coinbase has the acquired company provide extensive information about its security domains. Then Coinbase will apply Randori to the environment as an objective check, and potentially to uncover forgotten or unknown elements (shadow IT). “It gives us more visibility and an independent data source,” says Hodapp. “We could pretty quickly look at the Randori platform and see if it’s all been cleaned up or that there’s still more to go. It’s peace of mind that there isn’t some piece of the attack surface we don’t know about and risks we don’t understand.”

We look for partners who help constantly up-level our team. That requires an equally sophisticated actor, and we’ve found that with Randori. It helps keep us sharp. Pete Smith Head of Security Operations Coinbase
Securing trust

For the Coinbase team, all the above comes back to trust. The company has built a sophisticated security program as a key component to earning and maintaining the trust of its customers, whether they’re advanced crypto users or beginners. But no connected technology or network is airtight. “So we look for partners who help constantly up-level our team,” says Smith. “That requires an equally sophisticated actor, and we’ve found that with Randori. It helps keep us sharp.”  

Coinbase logo
About Coinbase

Coinbase (link resides outside of ibm.com) is on a mission to increase economic freedom for more than 1 billion people by ensuring that they can participate fairly in the economy through cryptocurrency. It aims to update the century-old financial system by providing a trusted platform that makes it easy for people and institutions to engage with crypto assets, including trading, staking, safekeeping, spending, and fast, free global transfers. Coinbase also provides critical infrastructure for onchain activity and supports builders who share its vision that onchain is the new online. And together with the crypto community, Coinbase advocates for responsible rules to make the benefits of crypto available around the world.

Optimize Your Security Strategy with IBM Security Randori

Free trial: explore sample data for Attack Surface Management discovery, prioritization and robust risk management. Or schedule a personalized demonstration for visibility into your organization's attack surface.

Start your free trial Request a demo
Predict, prevent and respond to threats faster with IBM X-Force

IBM X-Force can help you build and manage an integrated security program to protect your organization from global threats. With a deep understanding of how threat actors think, strategize and strike, our team knows how to prevent, detect, respond to, and recover from incidents so that you can focus on business priorities. X-Force offensive and defensive services are underpinned by threat research, intelligence and remediation services.

Get a 1×1 X-Force Briefing View more case studies
Legal

© Copyright IBM Corporation 2024. IBM Corporation, IBM Security, New Orchard Road, Armonk, NY 10504

Produced in United States of America, April 2024.

IBM, the IBM logo, ibm.com, IBM Security, and Randori are trademarks or registered trademarks of International Business Machines Corporation, in the United States and/or other countries. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on ibm.com/legal/copyright-trademark.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

All client examples cited or described are presented as illustrations of the manner in which some clients have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions. Generally expected results cannot be provided as each client's results will depend entirely on the client's systems and services ordered.

All client examples cited or described are presented as illustrations of the manner in which some clients have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions. Generally expected results cannot be provided as each client’s results will depend entirely on the client’s systems and services ordered. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access.  IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.