*Analysis summary of the source article: Wiz for DSPM: Additional enhancements to help you correlate suspicious events related to unprotected data in near real-time.*
# Best Practices: Cloud Data Security Posture Management (DSPM) and Integrated Cloud Security
## Overview
These practices focus on rapidly detecting, monitoring, and responding to data exposure risks within cloud environments, integrating Data Security Posture Management (DSPM) capabilities directly with Cloud Native Application Protection Platforms (CNAPP) to minimize the time between risk occurrence and remediation. The primary goal is to prevent data breaches through near real-time threat detection and attack path visualization.
## Key Recommendations
### Immediate Actions
1. **Enable Out-of-the-Box Controls:** Immediately activate and leverage all newly released, built-in security controls related to suspicious cloud events targeting unprotected data. (Note: These reportedly require no initial configuration.)
2. **Prioritize Unprotected Data Exposure:** Utilize dynamic monitoring tools to identify and prioritize cloud resources containing sensitive data that are currently exposed or improperly protected.
3. **Investigate Anomalous Traffic:** Immediately investigate any alert flagging a resource holding sensitive data that shows traffic originating from an IP address that is not expected for that resource or is otherwise suspicious.
### Short-term Improvements (1-3 months)
1. **Address Brute Force Attacks:** For any data resources flagged as targets of SSH brute force attacks, verify the legitimacy of the activity and immediately implement remediation measures (e.g., encryption, strengthened access controls).
2. **Visualize Critical Attack Paths:** Regularly use security graph visualizations (such as the Wiz Security Graph) to map the attack paths that lead directly to critical sensitive data stores (e.g., employee directories, PII in finance applications).
3. **Remediate Access Controls:** For identified unauthorized access vectors, promptly apply necessary access control measures, ensuring enforcement of least privilege where data is concerned.
### Long-term Strategy (3+ months)
1. **Integrate Data Security with CNAPP:** Strategically integrate DSPM capabilities directly into the existing CNAPP framework to correlate infrastructure risks with data risks holistically.
2. **Establish Near Real-Time Monitoring Thresholds:** Define and tune monitoring thresholds so that suspicious activity against unprotected data is detected in near real-time, reducing Mean Time To Respond (MTTR).
3. **Mandate Data Protection Standards:** Implement organizational standards requiring encryption at rest and in transit for all identified sensitive data stores as a baseline requirement, alongside rigorous access control policies.
## Implementation Guidance
### For Small Organizations
- Focus on rapidly deploying a comprehensive cloud visibility solution that bundles DSPM and CNAPP capabilities to gain immediate, out-of-the-box coverage without needing large internal configuration teams.
- Rely heavily on built-in controls provided by security tools to provide immediate visibility into attack paths and toxic data combinations.
### For Medium Organizations
- Dedicate resources to review and remediate the top 10 most critical attack paths visualized leading to sensitive data within the next 30 days.
- Establish standard operating procedures (SOPs) for incident response specifically tailored to data exposure alerts identified by the DSPM solution.
### For Large Enterprises
- Automate the application of remediation actions (e.g., automatically isolating resources exhibiting repeated unauthorized access attempts, subject to pre-approved policies).
- Integrate DSPM findings directly into existing GRC (Governance, Risk, and Compliance) frameworks to demonstrate continuous compliance regarding data protection.
- Conduct regular "red team" exercises specifically focused on exploiting weaknesses in visualized attack paths leading to high-value data assets.
## Configuration Examples
*No specific, generic configuration examples were provided; recommendations focus on using vendor-provided, built-in controls.*
**If an unauthorized IP address is identified accessing sensitive data:**
1. **Action:** Block the identified IP address at the network perimeter, firewall, or security-group level for the affected resource.
2. **Remediation:** Apply encryption (if not already present) and review Security Group/IAM policies to restrict access further.
**If an SSH brute force attack targets a sensitive data host:**
1. **Action:** Immediately lock down the affected VM to a maintenance state pending investigation.
2. **Remediation:** Ensure strong authentication secrets (strong passwords/keys) are enforced, and enable Multi-Factor Authentication (MFA) where applicable for administrative access.
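The two playbooks above, together with the "Investigate Anomalous Traffic" and "Address Brute Force Attacks" recommendations, assume that the triggering alerts are produced somewhere. The following is an added example, not code from the original page or from Wiz, of the detection logic behind both alert types run over constructed log lines: a sliding-window count of sshd password failures per source IP (threshold and window are the tunable values the Long-term Strategy section refers to), and a check for sensitive-data access from outside an approved network list. Hostnames, IP addresses, resource names and the approved CIDR are assumptions. The response plan it emits mirrors the two remediation playbooks.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log lines for a host that stores sensitive data (hypothetical names/IPs).
SSHD_LOG = """\
2024-05-01T10:00:01 db-host-1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T10:00:03 db-host-1 sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-05-01T10:00:04 db-host-1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
2024-05-01T10:00:06 db-host-1 sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
2024-05-01T10:00:07 db-host-1 sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-05-01T10:00:09 db-host-1 sshd[1206]: Accepted publickey for deploy from 10.0.4.12 port 40110 ssh2
2024-05-01T10:15:00 db-host-1 sshd[1300]: Failed password for alice from 10.0.4.20 port 40200 ssh2
2024-05-01T10:30:00 db-host-1 sshd[1301]: Failed password for alice from 10.0.4.20 port 40201 ssh2
"""

# Constructed data-store access records (hypothetical resources and client IPs).
DATA_ACCESS_LOG = [
    {"ts": "2024-05-01T10:05:00", "resource": "s3://hr-employee-directory",
     "classification": "PII", "client_ip": "10.0.4.12"},
    {"ts": "2024-05-01T10:06:00", "resource": "s3://hr-employee-directory",
     "classification": "PII", "client_ip": "198.51.100.23"},
    {"ts": "2024-05-01T10:07:00", "resource": "s3://public-website-assets",
     "classification": "public", "client_ip": "198.51.100.23"},
]

# Assumed corporate address space from which sensitive-data access is expected.
APPROVED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE_CLASSES = {"PII", "PCI", "PHI", "secrets"}

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_sshd_failures(log_text):
    """Extract (timestamp, host, source_ip) for every failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["ip"]))
    return events


def detect_ssh_brute_force(events, threshold=5, window_seconds=60):
    """Flag a (host, source_ip) pair with >= threshold failures inside any window."""
    by_source = defaultdict(list)
    for ts, host, ip in events:
        by_source[(host, ip)].append(ts)
    findings = []
    for (host, ip), times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                findings.append({"type": "ssh_brute_force", "host": host, "source_ip": ip,
                                 "failures": end - start + 1,
                                 "first_seen": times[start].isoformat(),
                                 "last_seen": t.isoformat()})
                break  # one finding per source is enough to trigger response
    return findings


def detect_unexpected_data_access(records, approved_networks):
    """Flag sensitive-data access from a client IP outside the approved networks."""
    findings = []
    for rec in records:
        if rec["classification"] not in SENSITIVE_CLASSES:
            continue
        ip = ipaddress.ip_address(rec["client_ip"])
        if not any(ip in net for net in approved_networks):
            findings.append({"type": "unexpected_data_access", "resource": rec["resource"],
                             "client_ip": rec["client_ip"], "ts": rec["ts"]})
    return findings


def build_response_plan(findings):
    """Map each finding to the remediation playbook described in the text."""
    plan = []
    for f in findings:
        if f["type"] == "ssh_brute_force":
            plan.append(f"isolate {f['host']} into a maintenance state and block "
                        f"{f['source_ip']} in its security group pending investigation")
        elif f["type"] == "unexpected_data_access":
            plan.append(f"block {f['client_ip']} at the security group for {f['resource']}, "
                        f"confirm encryption at rest, and review its IAM/bucket policy")
    return plan


if __name__ == "__main__":
    found = (detect_ssh_brute_force(parse_sshd_failures(SSHD_LOG))
             + detect_unexpected_data_access(DATA_ACCESS_LOG, APPROVED_NETWORKS))
    for step in build_response_plan(found):
        print(step)
```

With the default threshold of 5 failures in 60 seconds, the two spaced-out failures for `alice` from an internal address are not flagged, while the burst from 203.0.113.7 is; lowering the threshold or widening the window (for example, 2 failures in an hour) would flag both, which is the kind of tuning trade-off the monitoring-threshold recommendation asks teams to make deliberately.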
## Compliance Alignment
*The concept of rapid data risk detection supports broader compliance mandates requiring timely breach notification and robust data governance.*
- **NIST CSF:** Aligns with **Identify** (understanding data assets) and **Detect** (monitoring for anomalous activity that could lead to a breach).
- **ISO 27001 (A.9/A.14):** Directly supports requirements for access control verification and secure system acquisition/development, focusing on protecting data as the asset.
- **CIS Benchmarks (Cloud Specific):** Supports controls related to configuration management and monitoring for unauthorized access to critical services hosting sensitive data.
## Common Pitfalls to Avoid
- **Ignoring Out-of-the-Box Alerts:** Assuming built-in controls are too generic or noisy, thus failing to address the initial high-fidelity alerts provided.
- **Treating Data Security in Isolation:** Failing to integrate data security findings (DSPM) with infrastructure and identity findings (CNAPP), leading to incomplete attack path analysis.
- **Delaying Remediation:** Allowing alerts about unauthorized IP traffic or brute force attacks to languish, which lengthens the exposure window (noting that unsecured databases can be breached in as little as 8 hours).
## Resources
- Access organization-specific DSPM datasheets (if available) for detailed feature listings.
- Utilize vendor documentation (e.g., Wiz docs) for deep dives into specific security controls and graph visualization features once access is granted.
- Schedule live demonstrations to better understand how to map internal critical data assets to security graph visualizations.