The need for security operations in the cloud is clear. Compared to traditional environments, cloud environments generate vast amounts of data that is more accessible than ever before. With simple APIs and centrally managed configuration, security operations (SecOps) teams working in the cloud can have access to an audit trail covering their entire environment in minutes. In theory, this visibility should give SecOps teams an unparalleled ability to detect, investigate, and respond to threats in real time.
But as any team operating in the cloud knows, this just isn't the reality today. Huge volumes of data bury meaningful signals in noise. Modern attackers move seamlessly through the different layers of the cloud: exploiting vulnerabilities at runtime, gaining access to an identity, and moving laterally to disappear within the control plane. Traditional SecOps tooling, like SIEM and EDR, was never designed to handle either this volume or this complexity of security data. Agent-based approaches can't provide a complete view when organizations share control of operating systems with vendors, and pulling threads to investigate across identity, data, network, compute, and control plane is just not feasible when the only option is manually querying raw data.
Our core belief at Wiz is that the key to effective cloud security is context. With Wiz Cloud, we provided cloud security teams with critical risk context to identify, prioritize, and remediate their most important risks fast. Now, Wiz Defend brings that same approach to security operations – giving SecOps teams the context they need to detect, investigate, and respond to real-time threats in cloud environments fast.
Cloud SecOps in Practice: Fusing Context Across Domains
Effective cloud security operations require deep visibility across all the layers of the cloud, and the ability to automatically correlate data across those different sources.
Without all this data in a single place, even seemingly easy tasks can become difficult to impossible in the cloud. Take malware scanning as an example: teams frequently run specialized compute instances, like third-party firewalls, appliances, or databases, that limit the installation of security agents. Understanding whether malware is present on these vendor-provided but restricted instances becomes extremely challenging. Agentless scanning and cloud visibility, which cloud security teams have used to get insight into risk, become critical for security operations teams as well.
Case Study: PAN-OS Remote Code Execution Campaign
The exploitation in the wild of the recently disclosed vulnerabilities in Palo Alto's PAN-OS provides a good example of how cloud-native SecOps should work in practice. PAN-OS is the software powering Palo Alto's next-gen firewall and is extremely common in today's enterprise environments.
The exploit, which was first disclosed on November 8th and confirmed to be exploited in the wild as a 0-day several days later, chains together two vulnerabilities: the first, CVE-2024-0012, enables malicious actors to bypass authentication to the PAN-OS management interface if it is publicly exposed. The second, CVE-2024-9474, allows for privilege escalation and ultimately remote code execution. With RCE achieved, threat actors deploy malware and establish a foothold from which to move laterally to other workloads in the environment.
Based on Wiz data, 24% of enterprise cloud environments contained virtual PAN-OS devices vulnerable to these CVEs at the time these vulnerabilities were disclosed. Surprisingly, 7% of such environments exposed the PAN-OS management interface to the Internet and were therefore vulnerable to unauthenticated remote code execution.
Of note with these vulnerabilities is the extreme speed with which the widespread second wave of the exploitation campaign began. Following the initial disclosure of a suspected 0-day on November 8th, CVEs had been assigned and a formal advisory released by November 18th. The very next day, a proof-of-concept exploit was published and threat actors immediately added it to their arsenal.
Since then, Wiz Research has observed ongoing exploitation in the wild, and one in three environments that were exposing vulnerable appliances to the internet had been infected with malware within 24 hours of the publication of the proof-of-concept exploit. Unfortunately, in cloud environments, this pace is par for the course: attackers move extremely quickly to capitalize on newly emerging tactics.
Understanding if Exploitation has Occurred Requires a New Approach
The power of Wiz Cloud is to identify vulnerable appliances immediately, with a prioritized list of where to fix. But the challenge for security operations teams is different: the question is not "where am I exposed?" but "have I been breached?" Given the speed with which attacks progress in the cloud, answering that question immediately becomes paramount.
But when using out-of-the-box machines provided by third parties, a common practice in the cloud, deploying agents is often not practical or even possible. This makes detection with traditional tooling extremely difficult. Instead, the only way to understand whether your organization has been breached is to gather context: threat hunting not just via signatures, but via correlation:
First, SecOps teams need to understand where their vulnerable appliances are, using an up-to-date inventory of their environment.
Second, they need to understand and validate whether those vulnerable appliances are exposed and exploitable.
Third, they need to leverage an agentless approach to collect data from these exposed, vulnerable instances and analyze it in real time for evidence of exploitation attempts or successful compromise.
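The three steps above, folded into one triage routine, as an added example that is not Wiz code and not part of the original post. Every input is constructed: the appliance product name, the per-train fixed versions, the trusted management CIDRs and the indicator paths are placeholders chosen for illustration, not real PAN-OS versions or published indicators. The idea is that each check alone is weak (a vulnerable build behind a locked-down security group is a patching ticket, not an incident) and only the combination of vulnerable, exposed, and evidence on the snapshotted disk raises an instance to "breached":

```python
"""
Added example, not Wiz code: the three-step hunt (inventory -> exposure ->
disk evidence) run over constructed data. Product names, fixed versions,
CIDRs and indicator paths are placeholders, not real PAN-OS facts.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Instance:
    instance_id: str
    product: str
    version: str            # vendor version string, e.g. "10.2.7-h3"
    mgmt_port: int          # port the management interface listens on
    ingress: tuple          # (cidr, port) pairs allowed by the security group
    disk_files: frozenset   # paths found on an offline snapshot of the disk


# Hypothetical fixed build per release train (placeholder values).
FIXED_BY_TRAIN = {"10.2": "10.2.9-h1", "11.1": "11.1.3"}
# Hypothetical trusted management networks; anything else counts as exposed.
TRUSTED_MGMT = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
# Hypothetical file-system indicators of compromise (placeholder paths).
IOC_PATHS = frozenset({"/var/tmp/.cache/update.sh", "/tmp/x86.elf"})

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(v):
    """'10.2.7-h3' -> (10, 2, 7, 3); a version without a hotfix gets 0."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_vulnerable(inst):
    """Step 1: the appliance runs a build below the fix for its own train."""
    if inst.product != "vfirewall":
        return False
    train = ".".join(inst.version.split(".")[:2])
    fixed = FIXED_BY_TRAIN.get(train)
    if fixed is None:
        return True  # unknown or unsupported train: treat as unfixed
    return parse_version(inst.version) < parse_version(fixed)


def is_mgmt_exposed(inst):
    """Step 2: the management port is reachable from outside trusted ranges."""
    for cidr, port in inst.ingress:
        if port != inst.mgmt_port:
            continue
        net = ip_network(cidr)
        if not any(net.subnet_of(trusted) for trusted in TRUSTED_MGMT):
            return True
    return False


def disk_evidence(inst):
    """Step 3: indicator hits on the agentlessly snapshotted disk."""
    return sorted(inst.disk_files & IOC_PATHS)


def triage(inventory):
    """Combine the three checks into one prioritised status per instance."""
    results = {}
    for inst in inventory:
        if not is_vulnerable(inst):
            status = "not vulnerable"
        elif not is_mgmt_exposed(inst):
            status = "vulnerable, management not exposed"
        elif disk_evidence(inst):
            status = "EXPOSED AND EVIDENCE OF COMPROMISE"
        else:
            status = "exposed, no evidence yet"
        results[inst.instance_id] = status
    return results


# Constructed inventory; in practice this comes from the CSP inventory API.
INVENTORY = [
    Instance("i-0a1", "vfirewall", "10.2.7-h3", 443,
             (("0.0.0.0/0", 443), ("10.0.0.0/8", 22)),
             frozenset({"/etc/hosts", "/var/tmp/.cache/update.sh"})),
    Instance("i-0b2", "vfirewall", "10.2.9-h1", 443,
             (("0.0.0.0/0", 443),), frozenset({"/etc/hosts"})),
    Instance("i-0c3", "vfirewall", "11.1.2", 443,
             (("10.20.0.0/16", 443),), frozenset({"/etc/hosts"})),
    Instance("i-0d4", "vfirewall", "11.1.2", 4443,
             (("198.51.100.0/24", 4443),), frozenset({"/etc/hosts"})),
    Instance("i-0e5", "database", "1.0.0", 5432,
             (("0.0.0.0/0", 5432),), frozenset()),
]

if __name__ == "__main__":
    for instance_id, status in triage(INVENTORY).items():
        print(f"{instance_id}: {status}")
```

Only `i-0a1` ends up in the top bucket; `i-0d4` is the one to watch (exposed, unpatched, clean so far) and `i-0c3` is a routine patching item. Note that exposure is judged against an allowlist of trusted CIDRs rather than "is this a private address", because a rule open to a partner's public range is still a narrower exposure than 0.0.0.0/0.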
Detection of a threat from this exploit is only possible with all this context. And that’s only step one: once you detect a threat, what do you do next? How do you contain the threat and ensure that the attacker’s foothold is eradicated?
Wiz Defend: Bringing Cloud Context to SecOps
With Wiz, all this context is already available. With the Wiz Dynamic Scanner, exposed and exploitable instances are proactively identified. From there, Wiz agentlessly analyzes the disks attached to the vulnerable instances, identifying traces of malware or evidence of exploitation to determine whether the appliance has been compromised.
This context is surfaced in real time for security operations teams and correlated with additional activity happening in the cloud environment. Imagine an attacker compromised a vulnerable Palo Alto appliance running on an AWS EC2 instance. If the EC2 instance was running with a privileged role in the environment, the attacker could leverage those privileges to pivot to the cloud control plane. From there, the attacker could move laterally and compromise additional cloud services, such as S3 buckets, for exfiltration. Similarly, if the EC2 instance had network access to other sensitive machines within the local VPC (which is to be expected, considering the function of a firewall), the attacker could also move laterally through the network layer to achieve their goals.
Wiz Defend provides visibility over this entire attack chain, with out-of-the-box detections to identify each individual attacker tactic here: the initial machine compromise, the lateral movement, and the exfiltration. But the real magic is in the context: because these detections all tie back to the vulnerable instance, Wiz Defend automatically correlates them into a single threat. Security operations teams get an automated threat timeline and graph showing each step of the process, with actionable recommendations for containment at each phase.
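The correlation described in the two paragraphs above, as an added example that is not Wiz code and not part of the original post. It stitches already-parsed events from three layers (a workload sensor alert, CSP audit-log records, and VPC flow records) into one threat keyed on the compromised instance. The pivot from workload to control plane is the role session: in AWS CloudTrail, calls made with EC2 instance-profile credentials appear under a principal of the form `assumed-role/<RoleName>/<instance-id>`, so the instance id in the session name ties control-plane activity back to the box. The account id, ARNs, IPs, bucket names, timestamps and per-event MITRE ATT&CK tactic labels are all constructed, and the assumption that an instance's known egress IPs are already recorded in asset context is an assumption of the example:

```python
"""
Added example, not Wiz code: correlate sensor, CloudTrail and VPC flow events
into a single threat rooted at the compromised instance. All identifiers,
addresses and timestamps below are constructed.
"""

# Constructed asset context, as a risk graph would already hold it.
ASSETS = {
    "i-0a1": {
        "role_arn": "arn:aws:iam::123456789012:role/FirewallRole",
        # Private IP plus the NAT egress IP the instance uses for API calls
        # (assumed to be known from inventory; constructed values).
        "known_ips": {"10.20.1.5", "192.0.2.10"},
    },
}

ROLE_SESSION = "arn:aws:sts::123456789012:assumed-role/FirewallRole/i-0a1"

# Constructed, already-parsed events; tactic labels are illustrative.
EVENTS = [
    {"ts": "2024-11-20T09:00:00Z", "source": "cloudtrail", "event": "GetObject",
     "principal": "arn:aws:iam::123456789012:user/alice", "src_ip": "192.0.2.44",
     "resource": "arn:aws:s3:::customer-exports/2024/q3.csv", "tactic": "Collection"},
    {"ts": "2024-11-20T10:01:00Z", "source": "sensor", "instance_id": "i-0a1",
     "detail": "unexpected child process of the management web service",
     "tactic": "Execution"},
    {"ts": "2024-11-20T10:03:10Z", "source": "cloudtrail", "event": "ListBuckets",
     "principal": ROLE_SESSION, "src_ip": "192.0.2.10", "tactic": "Discovery"},
    {"ts": "2024-11-20T10:04:30Z", "source": "flow", "src_ip": "10.20.1.5",
     "dst_ip": "10.20.2.9", "dst_port": 22, "tactic": "Lateral Movement"},
    {"ts": "2024-11-20T10:06:00Z", "source": "cloudtrail", "event": "GetObject",
     "principal": ROLE_SESSION, "src_ip": "192.0.2.10",
     "resource": "arn:aws:s3:::customer-exports/2024/q3.csv", "tactic": "Exfiltration"},
    {"ts": "2024-11-20T10:09:00Z", "source": "cloudtrail", "event": "GetObject",
     "principal": ROLE_SESSION, "src_ip": "198.51.100.77",
     "resource": "arn:aws:s3:::customer-exports/2024/q4.csv", "tactic": "Exfiltration"},
    {"ts": "2024-11-20T10:10:00Z", "source": "flow", "src_ip": "10.20.3.3",
     "dst_ip": "10.20.2.9", "dst_port": 443, "tactic": "Lateral Movement"},
]


def session_suffix(instance_id, role_arn):
    """Instance-profile credentials show up in CloudTrail as
    assumed-role/<RoleName>/<instance-id>; that suffix is the pivot key."""
    role_name = role_arn.rsplit("/", 1)[1]
    return f":assumed-role/{role_name}/{instance_id}"


def correlate(instance_id, events=EVENTS, assets=ASSETS):
    """Pull every event attributable to the instance across all three
    layers and return them as a time-ordered list, with flags added where
    the control-plane activity does not fit the instance itself."""
    asset = assets[instance_id]
    suffix = session_suffix(instance_id, asset["role_arn"])
    timeline = []
    for e in events:
        if e["source"] == "sensor" and e.get("instance_id") == instance_id:
            timeline.append(dict(e, flags=[]))
        elif e["source"] == "cloudtrail" and e["principal"].endswith(suffix):
            flags = []
            # The instance's own API calls come from its known IPs; the same
            # session used from anywhere else means the credentials were stolen.
            if e["src_ip"] not in asset["known_ips"]:
                flags.append("credentials used off-host")
            timeline.append(dict(e, flags=flags))
        elif e["source"] == "flow" and e.get("src_ip") in asset["known_ips"]:
            timeline.append(dict(e, flags=[]))
    timeline.sort(key=lambda e: e["ts"])  # ISO-8601 UTC strings sort lexically
    return timeline


def build_threat(instance_id, events=EVENTS, assets=ASSETS):
    """Fold the timeline into one threat: ordered tactics plus graph edges
    from the instance to the role, the touched resources and the hosts."""
    timeline = correlate(instance_id, events, assets)
    role = assets[instance_id]["role_arn"]
    tactics, edges = [], set()
    for e in timeline:
        if e["tactic"] not in tactics:
            tactics.append(e["tactic"])
        if e["source"] == "cloudtrail":
            edges.add((instance_id, role))
            if "resource" in e:
                edges.add((role, e["resource"]))
        elif e["source"] == "flow":
            edges.add((instance_id, e["dst_ip"]))
    return {"root": instance_id, "tactics": tactics,
            "timeline": timeline, "edges": sorted(edges)}


if __name__ == "__main__":
    threat = build_threat("i-0a1")
    print("tactics:", " -> ".join(threat["tactics"]))
    for e in threat["timeline"]:
        print(e["ts"], e["source"], e["tactic"], e.get("flags"))
```

Alice's earlier download of the same file and the unrelated flow from `10.20.3.3` are left out of the threat, while the last `GetObject` is kept and flagged: same role session, but from an address the instance never uses, which is the tell for credentials lifted off the appliance. A containment recommendation at that step is to revoke the role's active sessions rather than only isolating the instance.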
A New Operating Model for Cloud Security Operations
Wiz Defend delivers this new experience by fusing together risk context from the Wiz Security Graph, runtime data from the eBPF-based Wiz sensor, and IaaS and SaaS activity context from CSP audit logs. With this rich context, Wiz Defend provides the most complete view of cloud threats available today.
With Wiz Defend, SecOps teams get four key benefits:
Comprehensive breach readiness analysis: Wiz Defend continuously assesses an organization’s telemetry coverage and ingestion, mapping coverage to the MITRE ATT&CK matrix so teams can rest easy that they have the data they need to detect and respond to cloud threats.
High-fidelity, cross-layer threat detection: Wiz Defend fuses data from across identity, data, network, compute, and control plane to detect high-fidelity threats in real time. With thousands of detection rules curated by Wiz Research, behavioral analytics to tune alerting and reduce noise, and the industry-leading cloud context of the Wiz Security Graph, SecOps teams get the broadest coverage of emerging cloud-native attacks with the least amount of noise.
Intuitive, context-led investigation and response: Wiz Defend automates the construction of threat graphs and timelines for every alert it generates, enriching the investigation experience with the deep context of the Wiz Security Graph and reducing mean time to respond.
Native response, containment, and forensics: SecOps teams get opinionated guidance about next steps to contain each threat – whether at the control plane or workload level. And AskAI further streamlines investigation with rich threat stories and answers to a responder’s immediate questions.
These capabilities dramatically drive down the time it takes to detect and respond to cloud threats. But the biggest benefit is that Wiz enables a new cloud operating model that brings together CloudSec, SecOps, and Dev teams, all speaking the common language of the Wiz Security Graph. This is critical: effective cloud security requires a shift not just in the data that SecOps teams have available, but also in how teams work together, breaking down silos and enabling a flywheel that continuously improves security.
Detecting and Responding to Cloud Threats Faster
With Wiz Defend, SecOps teams can finally realize the promise of security operations in the cloud era. To learn more, read the latest Wiz Defend docs and release notes (requires login) or ask us to see it in action.