Introducing Wiz Defend: Redefining a new standard for cloud detection and response

Accelerate your cloud SecOps transformation.

7 minute read

Today marks the general availability of Wiz Defend, the industry’s first threat detection and response solution truly reimagined for the cloud. 
 
Our mission has always been clear: to protect everything you build and run in the cloud. Doing so requires operationalizing a cloud operating model with three key pillars: 

  1. Preventive security that establishes strong baselines as code is written, typically owned by Application Security teams. 

  2. Proactive security that fixes critical risks before they can be exploited, typically owned by Cloud Security teams. 

  3. Blocking security that identifies and responds to emerging threats fast before they become breaches, typically owned by Security Operations teams. 

That is why we are bringing Security Operations into the Wiz security platform to achieve defense-in-depth across cloud, AI, and development infrastructure. Wiz Defend unifies runtime signals from the Wiz Sensor, real-time analysis of cloud and SaaS telemetry, our proprietary threat intelligence, and the deep code-to-cloud context of the Wiz Security Graph to provide Security Analysts, Detection Engineers, Incident Responders, and Threat Hunters with precise detection and complete analysis of threats. Our approach, a truly cloud-native approach to SecOps, reduces manual workload and removes noise, enabling rapid response by breaking down organizational siloes and enabling swift collaboration across security and development teams through automations and root-cause analysis in code. 

The result? Better runtime protection for the cloud threat landscape: 

  • 5x improved visibility and coverage of cloud workloads 

  • 10x faster time to detect and respond to threats, with many customers reporting MTTRs under an hour 

  • <24hr immediate visibility to 0-day threats 

  • 10x lower effort to investigate and remediate issues 

The value of Wiz Defend cannot be overstated.  The rich context and automated data enrichment, correlation, and prioritization of threats has streamlined our workflows and significantly reduced our manual workload, allowing us to focus on critical threats and get one step closer to operating at machine speed.

Quincy Castro, CISO, Redis

Bring together security operations, cloud security, and application owners

The cloud attack surface and threat landscape have changed. With the rise of cloud-native development and an evolving wave of new attacker tactics, techniques, and procedures (TTPs), cloud attacks have become increasingly complex. Today’s attackers might not even bother with malware – with a single vulnerable workload and a single compromised credential, they can disappear into the control plane and pivot through the identity, data, network, compute, SaaS, and PaaS layers of modern environments.  

This new model requires teams to centralize context from multiple layers to investigate and resolve threats but many security teams still rely on security tooling built for endpoints and workloads. For too long, SecOps teams have been burdened by siloed alerts, manual investigations, and a constant struggle to prioritize threats, leaving organizations with slow response times, increased analyst workload, and critical gaps in coverage in the cloud. 

Plus, in modern cloud environments, getting to the root cause of a threat requires bringing developers and SecOps teams together to share context. But today’s operating model for detection and response makes this collaboration far too difficult — both in terms of operations and mutual visibility into potential and emerging threats. Developers often have critical context in incident response to remediate rapidly and drive learnings, so why is visibility and context into their application and infrastructure security not shared? Siloed context, teams, and processes hinders, not helps, effective cloud defense. 

Wiz Defend represents a fundamental shift in how organizations approach cloud security operations. It brings together context from across cloud, workload, Kubernetes layers, and developer activity for complete runtime protection and rapid investigation & response. It brings SecOps , Cloud Security, and developers together in the same platform, with the single source of truth, allowing developers to gain full visibility end-to-end of their assets from code to runtime and SecOps teams to be able to detect high-fidelity threats, investigate using root-cause analysis, and containment and response in real-time via automations, root-cause analysis and fixes in code. 

I'm skeptical of generic anomaly detection because it typically lacks important context...Wiz solved this well. I could open an issue and quickly see which user accessed which bucket, what files they interacted with, and determine if that activity matched their job responsibilities.

Chris Long, Sr Director of Security & Threat Research, Material Security

Wiz Defend: a unified approach to Cloud Security Operations 

Wiz Defend uniquely combines code to cloud context, CSP telemetry, the latest threat intelligence, and runtime signals from a lightweight ePBF sensor for complete runtime protection and complete coverage of cloud environments. 

  • Precise threat detections with behavioral analytics: Wiz Defend eliminates noise using a powerful combination of behavioral analytics, thousands of built-in detections for cloud-specific TTPs, real-time threat intelligence, behavioral analysis, and code to cloud context for a clear and prioritized view of active threats. This reduces analyst workload, drives down MTTD, and ensures you are the first to know of a potential breach.

  • Accelerated cross-layer investigations with the Wiz Investigation graph and Incident Timeline: Significantly accelerate MTTI and reduce manual workload with instant, context-rich visualizations of threats. Wiz Defend automatically correlates related detections and visualizes the threat and potential blast radius in the Investigation graph. This capability enables SOC and IR analysts to quickly understand not only what happened, but why it matters: surfacing critical context like whether a threat could lead to crown-jewel data stores or a high-value admin role. 

  • Pre-built containment playbooks and remediation back to source code: Reduce MTTR by up to 10x and boost collaboration for faster, more effective response. Wiz Defend offers collaboration and easy context-sharing between SecOps, Cloud Security, and Development within a single platform. One-click containment actions ensure you can instantly isolate affected workloads, and context from development pipelines enables tracing of incidents back to source applications, infrastructure and development owners. One-click Fix PRs empower developers to remediate root cause vulnerabilities and proactively improve cyber resilience.   

  • Elevated threat hunting and forensics: Wiz Defend elevates your threat-hunting capabilities with a queryable graph and pre-built investigation dashboards to accelerate context gathering. When you need to dig deeper, you can easily query raw data from both the cloud environment and our runtime sensor in an intuitive interface to answer complex questions about the cloud environment. All raw CSP, IdP, VCS, SaaS, and runtime telemetry is parsed and enriched in a single place, allowing you to perform powerful, complex, and precise queries across the different layers of your environment. 

  • End-to-end runtime protection: Wiz Defend provides end-to-end runtime protection, providing visibility early on the development lifecycle so you can minimize your cloud attack surface and allow developers to detect and fix any instances of infrastructure drift in your production environments. Continuous protection extends from code through runtime with the Runtime Sensor enabling teams to block cloud attacks and gain real-time, in-depth context for containers, VMs, and serverless. 

Real world example: SeleniumGreed 

How does this work in practice? Let’s revisit a real-life cloud-native attack, SeleniumGreed:

Imagine an attacker targeting a Selenium service running in an AWS Kubernetes environment. The attacker would exploit the Selenium service to open a reverse shell and establish a foothold on the compromised host.  

The Runtime Sensor deployed on the node detects the reverse shell immediately and raises an alert to the security operations team. Running in blocking mode, the sensor would even kill the malicious process immediately and stop the attack. But if blocking was not enabled for reverse shell and the attack continued, Wiz would detect each subsequent phase of the attack as well.  

As the attack continues, Wiz would detect this threat at every phase of the attack lifecycle, enabling teams to contain the threat actor at each stage. If the attacker continues on, they will locate and exfiltrates AWS credentials from the host to move laterally to the control plane, finally successfully exfiltrating data from a sensitive AWS S3 bucket.  Most solutions would have gaps in identity and data risk visibility or requiring pivoting between multiple platforms to get this data. But in Wiz, these steps and context are clearly laid out in the Security Graph and Incident Timeline in addition to being narrated in a simple, AI-assisted storyline for analysts less experienced in container threats. 

As the attacker shifts to the control plane, Wiz correlates the keys used in the exfiltration attempt to the compute node targeted in the original attack and presents Incident Responders and SOC teams with multiple, actionable recommendations for containment: kill the malicious process, rotate the compromised credentials, block S3 bucket public access, or remediate the misconfigured Selenium service. 

In addition to the above, Wiz can help SecOps teams collaborate with development and proactively improve cyber resilience by remediating the vulnerabilities on the selenium-grid container that was compromised. Wiz can trace the issue in the live container back to the original Docker file used to build the container images, then provide developers with the guidance and a one-click pull request to easily remediate the vulnerability, retest, and redeploy. 

Instead of requiring tedious manual querying in a SIEM and endless click-ops in the EDR, Wiz provides a seamless experience across the entire cloud environment. SecOps teams detect the threat in real-time and get the context they need to investigate and respond immediately – all in a single platform. 

The future of cloud detection and response is here 

Truly effective threat detection and response in the cloud requires a new operating model—one that promotes collaboration, builds shared context, and democratizes security across SecOps, Cloud Security, and Development teams. 
 
This model unlocks a security flywheel where Cloud Security and Developers proactively reduce the attack surface, SecOps monitors for residual risk and responds to threats, and Developers fix the root cause in applications, infrastructure, and configurations to enhance cloud resilience. No more silos, just holistic security that moves at the speed of the cloud.  

Wiz Defend, with its real-time threat detection and response, empowers this flywheel. It reduces noise, focusing analysts on the most critical threats, accelerates incident response times, improves coverage and incident readiness in the cloud over time. 

Join us in shaping the future of cloud security. We invite you to experience Wiz Defend, now generally available. You can join our upcoming webinar to see how Wiz Defend can transform your security operations for the cloud! 

Wiz customers can get started in the Wiz Defend docs and release notes. 

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management