Wiz

CTO Point of View: Why Wiz is launching a Runtime Sensor

Today we are excited to announce the Wiz Runtime Sensor. The sensor collects signals in real-time from the workload runtime to simplify threat detection and response in the cloud as part of our Cloud Detection and Response (CDR) capabilities.

3 minutes read
Ami Luttwak

Three years ago, we set out to help security and dev teams transform their cloud security operating model by simplifying prevention. Since then, we have helped teams gain immediate visibility to everything they build and run in the cloud, improve their security posture, and dramatically reduce risk. This approach has enabled them to build faster and more securely than ever before.

The number one priority in cloud is risk reduction

In the cloud, attacks happen in minutes. Attackers can start exfiltrating your critical data almost immediately after they discover an exposed database. If you wait for an alert on data exfiltration, it is already too late. This makes prevention and security posture management priority number one. Prevention requires an always-on, full-coverage, scan-everything strategy – and this can only be achieved with agentless technologies that make coverage the default rather than opt-in.

Wiz has introduced an agentless, API-centered approach to seamlessly scan any workload and give full visibility of cloud environments across VMs, containers, serverless and PaaS. Our unique Security Graph provides deep cloud context, and enables organizations to triage and correlate critical attack paths, producing high-fidelity results that any security or development team can interpret and act upon immediately.

We are excited to see how this approach has already become the industry standard for reducing risk in the cloud.

Bringing Wiz to Cloud Detection and Response

After establishing posture as their cornerstone, organizations can build securely by design in the cloud. Then organizations can turn to residual risk: cloud detection and response controls.

Detecting cloud attacks requires deep context that spans both cloud and workload. Last year we released our CDR module, which focuses on analyzing cloud and Kubernetes events, enriching them with the Security Graph context for deep prioritization and blast radius analysis. With the Wiz Runtime Sensor signal, we can now complete the additional workload runtime context of network, process, and memory for complete end-to-end visibility of cloud attacks.

Revolutionizing threat detection in the cloud

Threat detection in the cloud today faces a similar set of challenges as those that Wiz set out to solve in the posture space: the complexity of cloud environments presents a new challenge for security teams. Traditional detection tools were created for on-prem and adopt a workload-only focus that produces siloed, contextless alerts. On top of that, SOC teams struggle to complete the picture due to lack of cloud context and visibility requiring constant dev team involvement.

The Wiz Runtime Sensor – born for cloud

Wiz CDR takes a cloud-first approach to detection and response. By starting from a deep analysis of cloud context using the Wiz Security Graph, then analyzing cloud and Kubernetes events, and only then incorporating runtime signals, we have created a lightweight runtime component truly meant for cloud.

  • Lightweight – Most signals, including vulnerabilities, host configurations and more, are still collected from our agentless API-based scan. We only use the Runtime Sensor to collect true runtime signals such as runtime network use, processes, and memory use. This allows the Runtime Sensor to remain a lightweight eBPF agent.

  • Breaking the silos – The Wiz Runtime Sensor generates workload signals that are well-integrated with the surrounding cloud and Kubernetes activity, as well as the Wiz Security Graph context to uncover attacker movement across layers and within the cloud environment, enabling immediate assessment of incident blast radius and impact. For example, a suspicious process on a highly privileged machine that can access buckets with sensitive data can be immediately prioritized.

  • Designed for cloud-native workloads – the Wiz Runtime Sensor was specifically designed to protect cloud-native, highly ephemeral workloads, which sets it apart from traditional solutions that are focused on server or endpoint host-centric protection. When malicious activity occurs on short-lived containers or other ephemeral resources, the Wiz Runtime Sensor detects it and associates the detection and response to the specific workload (e.g., a Kubernetes Deployment), enabling accurate surface and scope for responding to the threat.

Wiz CDR can also consume signals from existing EDR and runtime solutions, enabling organizations to choose their own stack and extend it with cloud context.

With the added Wiz Runtime Sensor signal, and the capability to consume signals from existing EDR and runtime solutions, Wiz now covers the full deployment pipeline from code to runtime, across all cloud layers from workload to infrastructure, enabling us to bring true cloud context to threat detection.

If you want to learn more about the Wiz Runtime Sensor, read the Sensor launch blog.

Tags
#Product#News

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo