
Discovering Misconfigurations with Wiz’s custom Host Configuration Rules

As organizations increasingly adopt cloud technologies, the number of applications, services, and workloads grows ever-greater.

Wiz Experts Team

This growth in cloud workloads is compounded by a proliferation of services, applications, and operating systems, which increases the complexity of the technology landscape. Layered over that is the global reach of cloud services, which complicates the compliance position: different jurisdictions mandate their own frameworks, and industry regulations make additional demands. Tracking configuration and compliance in such complex environments, while keeping workload security consistent, can be challenging.

Traditional compliance and configuration management tools often rely on agents and privileged service users resulting in gaps in observability. A compliance and configuration management solution that does not provide total coverage really is not a solution at all. There has to be a better way. 

Discovering the misconfigurations and identifying the drifts  

Revealing misconfiguration and detecting drift are crucial steps in ensuring application security and stability. Misconfigurations can leave systems vulnerable to attack and service disruption, while drift results in configuration deviating from its intended state, leading to errors and outages. 

Wiz provides a comprehensive set of rules designed to cover commonly required configurations while providing visibility and auditability. These rules can be used straight out of the box, or as a foundation for users to build custom rules that are executed against workloads by agentless scans.

Use of custom rules makes running manual commands to determine the configuration state of a workload a thing of the past, without an agent or a sidecar in sight. As new workloads are added, Wiz evaluates configuration state against custom rules to detect misconfiguration. Configuration change is tracked over time, and any drift is identified immediately. Any malicious activity is detected and logged, and alerts are triggered, which provides operations teams the intel they need to take effective action. 

Large scale application infrastructures equate to larger probabilities for misconfigurations 

Modern application infrastructure means a greater likelihood of misconfiguration. Organizations use ever-increasing numbers of technologies in a variety of compliance frameworks, with specialist operations teams to run it all. The result of all this is a complicated technology landscape where simple tasks take significant resources, costing the organization money as well as limiting flexibility and agility which, in turn, compromise competitive advantage. 

Efforts to deploy configuration management and compliance solutions in large scale environments are often themselves beset by the difficulties complexity brings. Deploying agents to large numbers of workloads means scripting installation and configuration across multiple operating systems, as well as updating virtual machine images to include new agents. Then those agents need to manage themselves to stay current with patches and updates. 

Detecting host and application misconfigurations 

Detecting and addressing misconfiguration at the host and application level is essential to achieving compliance and reducing cloud security risk. Traditional tools offer agent-based and host-specific coverage, leaving operations teams analyzing huge numbers of alerts and relying on third-party solutions to provide context.

Cloud Security Posture Management (CSPM) solutions have made compliance more achievable at a high level, but consistent configuration analysis has remained a difficult thing to achieve. Agent-driven solutions have been found by Wiz research to only provide endpoint protection to 20% of the virtual machines in an organization, making any such solution inefficient even if we assumed it detected all misconfiguration events. This mismatch between cloud and host level detection is a recipe for problems. 

Creating a custom host configuration rule 

Creating a custom host configuration rule in Wiz using the rules editor is a simple three-stage process: 

  • Select your target: Multiple operating systems and applications can be selected as target platforms, and any workload matching the target criteria of a rule will have its configuration updated in accordance with the rule. Functionality to permit all technologies on a virtual machine to be configured by a single rule is in the release schedule too. 

  • Define your rule: Whether built-in or custom, the next step is to define the rule configuration you want to deploy to your targets. Wiz defines rules in Direct OVAL, a simplified version of the OVAL schema; a rule consists of a schema test of a condition, which is evaluated against the target to establish whether the expected outcome holds.

  • Add rule metadata: Use unique rule names and optional descriptions to make your rules easily identifiable. It is also possible to add a severity label to a rule, giving it a rating from low to critical in line with the policies of the organization. Link the rule with built-in or custom compliance frameworks to assist in audit and to provide configuration and compliance context.

Once executed, the rule generates findings for each non-compliant workload. The configuration tab in the results for each host displays all system configuration issues in one place. 
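As an added illustration (not Wiz's Direct OVAL syntax or product code), the following hypothetical Python model mirrors the three-stage structure described above: a target, an OVAL-style test of a condition with an expected outcome, and rule metadata, evaluated against constructed host data to produce findings for non-compliant workloads. The rule, hosts, file paths and framework name are all constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Hypothetical, added example: a miniature OVAL-style host configuration rule.
# This is not Wiz's Direct OVAL; it only models the structure the text describes.

@dataclass
class HostRule:
    name: str                      # unique rule name (metadata)
    targets: set                   # OS / technology names the rule applies to (target)
    path: str                      # config file the test reads
    pattern: str                   # regex with one capture group, like an OVAL subexpression
    expected: str                  # value the captured group must equal to be compliant
    severity: str = "medium"       # low / medium / high / critical (metadata)
    frameworks: list = field(default_factory=list)  # linked compliance frameworks (metadata)

def evaluate(rule, host):
    """Return a finding dict for a non-compliant host, None if compliant or out of scope."""
    if host["os"] not in rule.targets:
        return None                # target criteria not matched: rule is not evaluated
    content = host["files"].get(rule.path, "")   # a missing file simply yields no match
    match = re.search(rule.pattern, content, re.MULTILINE)
    actual = match.group(1) if match else None
    if actual == rule.expected:
        return None                # expected outcome achieved: compliant
    return {"host": host["name"], "rule": rule.name, "severity": rule.severity,
            "frameworks": rule.frameworks, "expected": rule.expected, "actual": actual}

def assess(rules, hosts):
    """Run every rule against every host; the findings are what a dashboard would surface."""
    return [f for r in rules for h in hosts if (f := evaluate(r, h)) is not None]

# Constructed sample data: one rule and three hosts, the second deliberately non-compliant.
SSH_RULE = HostRule(
    name="sshd-no-root-login", targets={"ubuntu", "rhel"},
    path="/etc/ssh/sshd_config", pattern=r"^\s*PermitRootLogin\s+(\S+)",
    expected="no", severity="high", frameworks=["sample-framework"])
HOSTS = [
    {"name": "web-1", "os": "ubuntu", "files": {"/etc/ssh/sshd_config": "Port 22\nPermitRootLogin no\n"}},
    {"name": "db-1", "os": "rhel", "files": {"/etc/ssh/sshd_config": "PermitRootLogin yes\n"}},
    {"name": "win-1", "os": "windows", "files": {}},   # out of scope for this rule
]

if __name__ == "__main__":
    for finding in assess([SSH_RULE], HOSTS):
        print(finding)
```

A host whose config file is absent is also reported as non-compliant (with `actual` set to `None`), so a rule never silently passes on a workload it cannot read.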

Agentless host configuration solution 

The agentless approach that Wiz adopts for cloud configuration has been extended to the host, with host-level operating system and application configuration issues now visible and resolvable from a single pane of glass. Save time, money, and management overhead by using an agentless configuration management and compliance solution that automatically scales with your technology infrastructure. 

Configuration assessments at the host level provide context that empowers organizations to prioritize their resources and remediation activities based on compliance posture, as well as evaluating that posture on a holistic basis armed with comprehensive information. 

Automatically determine if the application or OS is misconfigured 

Once Wiz has been deployed and a set of rules has been created, using built-in rules and custom capabilities to deliver a solution to meet your configuration and compliance needs, the organization will benefit from full coverage across the technology estate. 

New workloads are automatically assessed against the rulebase. If the expected outcome is achieved, the target is compliant with the rule. If it is not, the target is non-compliant and an alert will be generated automatically. Operations teams will be provided with comprehensive information to permit the misconfiguration to be addressed, and runbooks can be used to automate the return of a workload to an established configuration or compliance baseline. 

Findings for infrastructure and application teams to remediate the misconfiguration 

Wiz permits multiple tests to be executed against hosts, as well as multiple tests within a rule. The design of the solution means the rule is defined once, but can be deployed against any workload without the need to recreate it. 

Once a host fails a check against a rule, an alert is logged in the dashboard. These alerts put a spotlight on misconfiguration, without any need to connect to individual workloads to identify it. The alert shows the host affected, the policy breached, the severity attached to that failing as well as the category – much of which is informed by metadata added during rule creation. The severity provides a red / amber / green rating, giving the application team an at-a-glance ability to prioritize remediation effort and return workloads to a solid compliance baseline efficiently and effectively.

Contact Wiz for a demo, and see how quickly visibility of your technology environments can be achieved.
