Ta-da! Wiz launches Runtime Sensor to provide real-time detection and response

Agentless visibility and risk assessment paired with Wiz Runtime Sensor real-time detection for the best of both worlds

Today, we’re very excited to announce the launch of the Wiz Runtime Sensor into public preview, enabling organizations to detect threats affecting their cloud workloads and contextualize detection and response.

Cloud-native applications introduced unique attack vectors that challenge existing threat detection tools, which were not built for the cloud. Today, cloud defenders are required to close these gaps with significant manual investigation. For instance, traditional detection tools focus on workload activity but are detached from the cloud context, which makes it difficult for cloud defenders to understand the potential impact of a threat: which resources could be accessed? Which access keys could have been compromised? Another common gap arises because an attacker’s movement in the cloud spans different layers, such as the cloud infrastructure control plane, the Kubernetes control plane, and individual workloads. Activity in these layers is typically examined separately, making it difficult to piece together the complete puzzle and identify end-to-end coordinated attacks.

With this announcement of the Wiz Runtime Sensor, organizations can better detect threats affecting their cloud workloads and contextualize detection and response – while easily understanding the full picture of an unfolding attack and the potential impact so appropriate action can be taken immediately.

The new Wiz Runtime Sensor adds native detection and response capabilities, so organizations can protect their cloud workloads in real-time. It is a lightweight eBPF-based agent that can be deployed within Kubernetes clusters to provide real-time visibility and monitoring of running processes, network connections, file activity, system calls, and more to detect malicious behavior affecting the workload. When combined with the agentless, API-based visibility and cloud risk assessment of the Wiz Security Graph, organizations gain the best of both worlds: 

  • Real-time monitoring and detection of threats and malicious behavior: Wiz detects known and unknown threats including cryptocurrency miners, remote shells, ransomware, rootkits and techniques commonly associated with cloud and Kubernetes actors such as container escape, remote code execution, lateral movement, persistence, and more.

  • Full end-to-end visibility into attacks for faster, more efficient response: Wiz extends its Cloud Detection & Response (CDR) module by correlating threats across workload runtime signals, cloud activity, and audit logs in a unified, contextual view. This uncovers attacker movement within a cloud environment so cloud defenders can rapidly respond to limit the impact of a potential incident and use cloud context to prioritize threats.

  • Built-in detections for cloud-native attacks: The Wiz Threat Research team constantly adds coverage for the latest cloud and Kubernetes attacks seen in the wild. The Wiz detection engine is updated with rulesets that provide transparent and consistent detections, including complex detections that require correlation across signals.

  • Further use of runtime signal for better risk prioritization: Enriches Wiz’s agentless vulnerability assessment using runtime workload signals to identify vulnerabilities affecting active packages that are being used by the workload, so security teams can focus remediation efforts.

Take, for example, the recent attack in which an attacker suspected to be related to TeamTNT gained initial access to a container, assumed the identity of the container, and moved laterally within the environment to ultimately steal proprietary data. This increasingly common attack pattern traverses different layers of the cloud, starting at the container and ending with the data stored in the cloud.

Cloud attack paths frequently follow the pattern of initial cloud access to lateral movement to an organization's crown jewels, often across different layers of the cloud

Traditional, siloed approaches would provide a series of disconnected, low-fidelity alerts about this attack that are difficult to tie together. The attacker’s activity would typically appear as potentially suspicious IMDS and network connections inside the container itself, and separately some suspicious enumeration actions at the cloud-level. When multiple events like this occur at the same time within an environment, this combination may not be flagged as a critical detection and can be extremely challenging to identify through manual investigation alone. This increases the risk of overlooking the attack in a timely manner.

Organizations need a holistic approach that automatically correlates workload activity, cloud activity, and infrastructure context to understand the full picture of an attack and the potential blast radius. Wiz correlates real-time workload activity with cloud activity and overlays that on top of the agentless visibility and attack path analysis of the Wiz Security Graph to provide end-to-end visibility for faster response. In the above example associated with TeamTNT, this would allow a cloud defender to rapidly determine that the suspicious network connections are an indicator of an attacker’s remote access and that the cloud identity activities are an indicator that the attacker has successfully moved laterally in the environment. By understanding that this identity has access to sensitive PII data, security teams can work more efficiently to stop this unfolding incident before it reaches their crown jewels.
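The correlation described above can be illustrated with a small detector. The following is an added example written for this page; it is not Wiz's detection engine or any part of the Wiz Runtime Sensor. It takes two constructed event streams, runtime events from a container (an IMDS credential read and an outbound connection) and cloud audit events (API calls made with the role that the container's node holds), and links them by role identity and time window. Seen alone, each stream yields only a low- or medium-severity signal; seen together they produce one critical finding that names both the workload and the cloud identity involved. The event field names, the role names, the account ID, the IP addresses and the 30-minute window are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Enumeration calls that commonly follow credential theft (constructed, illustrative list).
ENUM_APIS = {"GetCallerIdentity", "ListBuckets", "ListSecrets", "DescribeInstances"}
# Source IPs that cloud API calls from workloads are expected to come from (e.g. NAT egress).
KNOWN_EGRESS_IPS = {"198.51.100.7"}          # constructed TEST-NET address
WINDOW = timedelta(minutes=30)                # assumed correlation window

# Constructed runtime-sensor events (field names are assumptions for this example).
RUNTIME_EVENTS = [
    {"ts": "2023-06-01T10:00:00", "type": "imds_credential_read", "pod": "web-7d9f", "node_role": "worker-node"},
    {"ts": "2023-06-01T10:01:30", "type": "outbound_connection", "pod": "web-7d9f", "dst_ip": "203.0.113.10", "dst_port": 4444},
    {"ts": "2023-06-01T11:00:00", "type": "imds_credential_read", "pod": "batch-1", "node_role": "batch-node"},
]

# Constructed cloud audit events in a CloudTrail-like shape (account ID is the AWS doc example value).
CLOUD_EVENTS = [
    {"ts": "2023-06-01T09:00:00", "event": "ListBuckets", "principal": "arn:aws:sts::123456789012:assumed-role/worker-node/i-0abc", "source_ip": "203.0.113.10"},
    {"ts": "2023-06-01T10:05:00", "event": "GetCallerIdentity", "principal": "arn:aws:sts::123456789012:assumed-role/worker-node/i-0abc", "source_ip": "203.0.113.10"},
    {"ts": "2023-06-01T10:06:00", "event": "ListBuckets", "principal": "arn:aws:sts::123456789012:assumed-role/worker-node/i-0abc", "source_ip": "203.0.113.10"},
    {"ts": "2023-06-01T10:07:00", "event": "ListSecrets", "principal": "arn:aws:sts::123456789012:assumed-role/worker-node/i-0abc", "source_ip": "203.0.113.10"},
    {"ts": "2023-06-01T11:02:00", "event": "DescribeInstances", "principal": "arn:aws:sts::123456789012:assumed-role/batch-node/i-0def", "source_ip": "198.51.100.7"},
]


@dataclass
class Finding:
    pod: str
    role: str
    severity: str
    runtime_evidence: list = field(default_factory=list)
    cloud_evidence: list = field(default_factory=list)


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def role_from_principal(arn: str):
    """Extract the role name from an STS assumed-role ARN; None for other principal types."""
    parts = arn.split(":assumed-role/")
    if len(parts) != 2:
        return None
    return parts[1].split("/")[0]


def correlate(runtime_events, cloud_events):
    """Join IMDS credential reads in a pod with later API enumeration by the same role.

    Severity: critical when the pod also opened an outbound connection AND the role
    enumerated the account from an unexpected source IP within the window; medium when
    only one of those is present; low when the credential read stands alone.
    """
    findings = []
    for ev in runtime_events:
        if ev["type"] != "imds_credential_read":
            continue
        t0 = parse_ts(ev["ts"])
        # Runtime side: outbound connections from the same pod within the window.
        conns = [
            c for c in runtime_events
            if c["type"] == "outbound_connection" and c["pod"] == ev["pod"]
            and abs(parse_ts(c["ts"]) - t0) <= WINDOW
        ]
        # Cloud side: enumeration calls by the node's role, after the read, from an unknown IP.
        enum = [
            c for c in cloud_events
            if role_from_principal(c["principal"]) == ev["node_role"]
            and c["event"] in ENUM_APIS
            and c["source_ip"] not in KNOWN_EGRESS_IPS
            and timedelta(0) <= parse_ts(c["ts"]) - t0 <= WINDOW
        ]
        if conns and enum:
            severity = "critical"
        elif conns or enum:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(ev["pod"], ev["node_role"], severity, conns, enum))
    return findings


if __name__ == "__main__":
    for f in correlate(RUNTIME_EVENTS, CLOUD_EVENTS):
        print(f"{f.severity:8} pod={f.pod} role={f.role} "
              f"runtime_events={len(f.runtime_evidence)} cloud_events={len(f.cloud_evidence)}")
```

In the sample data, `web-7d9f` reads IMDS credentials, connects out to an unfamiliar address, and its node role then enumerates the account from that same external address, which yields one critical finding. `batch-1` reads IMDS credentials too (normal SDK behaviour) and its role's single API call comes from the known egress IP, so it stays low. The `09:00` `ListBuckets` call falls before the credential read and is ignored. A real pipeline would also carry the identity's permissions and reachable data (the "blast radius" the text describes) into the finding; that part is left out here.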

Existing Wiz customers will recognize that this post-breach attack path analysis is the same attack path analysis they already use for proactive reduction of their attack surface before exposure. This unified approach enables organizations to create a defense-in-depth strategy that covers both prevention and real-time detection and response as a last line of protection. Now, organizations no longer need to choose between siloed technologies. They can radically simplify the complexity of cloud security with the best visibility, risk assessment, and real-time threat detection and response in a single platform. Two such forward-thinking organizations are DoubleVerify and Dexcom:

We at DoubleVerify promised the board world class CSPM and real-time threat detections. Between what Wiz already brought to the table with agentless visibility, risk assessment and the new Runtime Sensor, Wiz exceeds that promise and delivers additional forensics features as well. After months of robust review, it is by far the best offering on the market and enables us to drive our hybrid and multi-cloud security strategy from a single platform.

Joel Bork, CISO, DoubleVerify

Wiz enables us to combine the reactive and proactive aspects of cloud security in a single source of truth. We rely on the visibility that Wiz provides to surface the unknowns and provide actionable signals from noise, allowing us to prioritize our efforts. With the Wiz Sensor, we are adding active, real-time telemetry that gives my team intelligent insight to drive better actions. By leveraging Wiz, we can support and accelerate our cloud transformation without doubling the security team because my team is more efficient and able to focus on strategic work. Wiz simplifies our security challenges and will allow us to more than double our cloud environment over the coming years without scaling complexity.

Joel Cardella, Director, Cybersecurity Engineering, Dexcom 

Wiz is extending its cloud security platform to give organizations complete end-to-end visibility to rapidly determine whether suspicious activity is malicious with full context to determine the blast radius of a potential incident. This enables organizations to minimize disruptions to their business, while removing noise, and avoiding tool sprawl. At Wiz, we believe that sharing signals is critical to improving the overall security and ROI of our customers’ investments, which is why we’re committed to building an open security platform. For customers that wish to leverage their current threat detection tools within Wiz CDR, Wiz ingests alerts from our partners like Amazon GuardDuty and soon, EDR solutions like SentinelOne, so organizations can get the full picture across the entire technology stack that makes sense for their business.

Curious to know more about why Wiz is launching a Runtime Sensor now? Check out our co-founder and CTO Ami Luttwak’s post.

To learn more about how you can protect your workloads from build-time to run-time, contact us to see a demo.
