Wiz enhances dynamic scanner to analyze and validate external exposure

Wiz extends its cloud analysis with an external scanner, giving customers an attacker's view of their externally exposed resources to reduce noise.


To reduce the attack surface and protect their crown jewels, organizations need to understand and visualize their cloud network: which resources are effectively exposed to the internet, how they are exposed, and what an attacker can see. Attackers often use publicly exposed resources as an easy point of network intrusion to sabotage operations and perform lateral movement to reach the crown jewels of your environment. Wiz research estimates that 55% of organizations have at least one database currently exposed to the internet that uses weak passwords or even no authentication, making them an easy target for attackers looking to access sensitive data. According to recent data published by the Cloud Security Alliance, accidental data exposure is one of the top 11 threats to cloud computing.

Relying on legacy CSPM solutions alone is not enough as they only look at cloud configuration without understanding the full network topology. They can answer binary questions such as whether a VM has a public IP or not, but do not provide the full context needed to understand whether exposure is legitimate or not. Adding a network or an agent-based scanner will not solve the problem either as it just adds another solution that generates lots of noisy, inaccurate alerts that are both false positives and negatives. 

Sorting through the noise to actually reduce the attack surface is a major challenge. To do so, cloud defenders need to know what is really exposed, whether it is virtual machines, containers, or serverless functions in the context of their cloud environment. Currently, they often must look at different sources of information, manually test ports and protocols and then take the necessary actions. This is very time-consuming and extends the mean-time-to-detect (MTTD) issues considerably. 

Through its cloud-native network analysis engine, Wiz can already identify every exposed object in your cloud environment by analyzing every network rule in network management services such as load balancers, firewalls, gateways, VPCs, subnets, and more.

We are excited to announce enhancements to our network analysis engine with the integration of our dynamic scanner to validate ports and protocols of exposed resources to give customers: 

  • Full visibility on resources that are effectively exposed 

  • A comprehensive view from an attacker perspective including screenshots  

Wiz calculates effective external exposure in a cloud environment – in this example, a Jenkins server.

Discover, analyze, and validate your externally exposed resources  

With the Wiz Security Graph and network analysis engine, it is very easy to discover and visualize potential resource exposure. Wiz analyzes all the layers of the cloud and Kubernetes to build a network topology. However, these are potential exposures, and customers want full validation of those without relying on another solution like external attack surface management that doesn't understand the full context of their cloud infrastructure. 

To help you prioritize the risks and give you an attacker’s view on your environment, we have introduced the dynamic scanner. It will try to connect from the outside to resources to validate potential exposure and determine IP addresses and ports - just like a hacker would.  

Customers can now see through the UI if ports are exposed and what the status is and can prioritize their actions.
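The validation step described above, as an added example (not Wiz's implementation): each potential exposure from a configuration-derived inventory gets one TCP connect attempt, and validated exposures are ranked first. The `Exposure` class, the function names and the inventory entries are constructed for illustration; a meaningful result assumes the check runs from a vantage point outside the cloud network, against endpoints you own.

```python
import socket
from dataclasses import dataclass

@dataclass
class Exposure:
    resource: str               # constructed resource name
    host: str
    port: int
    status: str = "potential"   # known from configuration analysis only

def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """One TCP connect attempt: 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"         # host answered, nothing is listening
    except OSError:
        return "filtered"       # timeout or unreachable: dropped on the path

def validate(inventory: list[Exposure], timeout: float = 2.0) -> list[Exposure]:
    """Probe each potential exposure and return validated ones first."""
    for item in inventory:
        result = probe(item.host, item.port, timeout)
        item.status = "validated" if result == "open" else f"not reachable ({result})"
    return sorted(inventory, key=lambda e: e.status != "validated")

if __name__ == "__main__":
    # Constructed demo: a local listener stands in for an exposed service.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()               # nothing listens on this port any more
    inventory = [
        Exposure("build-server (constructed)", "127.0.0.1", closed_port),
        Exposure("log-dashboard (constructed)", "127.0.0.1", open_port),
    ]
    for e in validate(inventory, timeout=1.0):
        print(f"{e.resource:30} {e.host}:{e.port:<6} {e.status}")
    listener.close()
```

A "not reachable" result only describes the vantage point the check ran from; the configuration finding behind it still deserves review.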

As shown below, you can detect and validate that a Jenkins server is publicly exposed and that its port is open and validated.

Another common mistake that can happen is to inadvertently publicly expose an ELK server as you can see in the screenshot below. 

Understand risks through an attacker's eyes 

To give even more context, the dynamic scanner takes a screenshot of the exposed endpoint and displays it in the Wiz application, so you see what an attacker would see after scanning your environment. This way, you can immediately see what information is revealed to an attacker to give cloud defenders the appropriate context they need to act quickly. 

Continuing with our previous example, you can now easily confirm through the Wiz UI that Jenkins is exposed to the outside, with a screenshot of what the attacker will see. This is probably a high risk: if someone manages to hack it, they will have access to your supply chain and will be able to find secrets and move laterally.

Another example that you will probably have to prioritize is evidence that an ELK (Elasticsearch, Logstash, Kibana) stack is publicly exposed, such as a Kibana dashboard that contains sensitive information.

The dynamic scanner provides the most complete and fastest network analysis available today 

The Wiz network analysis engine already identifies the effective exposure paths for your cloud resources, providing an important layer of context for identifying and prioritizing critical risks in your environment. The dynamic scanner now enhances this context by taking an outside-in approach and showing you what hackers see when they attempt to access your environment. With this additional level of validation, grounding our analysis by cross-referencing multiple sources of data and even including screenshots of what hackers actually see, security teams can more effectively prioritize and remediate security issues.  

The dynamic scanner is one aspect of our vision to bring the richness of context to cloud defenders as part of Wiz Cloud Detection and Response (CDR). CDR further enriches the context provided by the Wiz Security Graph by incorporating cloud event analysis, so cloud defenders can determine if resources with critical risks have been targeted by attackers. Now cloud defenders have the combined prevention and detection context needed to identify threats as they unfold and prioritize remediation based on effective risk. You can learn more about this feature in the Wiz docs (login required). If you prefer a live demo, we would love to connect with you. 
