Stop chasing CVEs with new UVM and Sensor Workload Scanner capabilities. Remove silos to effectively prioritize and reduce exposures across cloud, code, and on-prem.
Analysis Summary
This article focuses on the concept of **Exposure Management** and the introduction of new capabilities within the **Wiz** platform, rather than on a specific piece of malware or a threat actor's attack tool. The summary below translates the security capabilities and processes discussed into the requested format, treating "Wiz for Exposure Management" as the primary "Tool" being described.
# Tool/Technique: Wiz for Exposure Management (and related platform components)
## Overview
Wiz for Exposure Management is a security solution designed to unify visibility, context, and remediation across cloud, on-premises, and application environments. It evolves traditional vulnerability management by integrating asset, exposure, and threat data to prioritize risks based on actual attack paths leading to critical assets.
## Technical Details
- Type: Tool/Platform Feature (Exposure Management Solution)
- Platform: Cloud, On-premises (Hybrid environments), Application Infrastructure (Containers, Databases, APIs).
- Capabilities: Unified vulnerability management (UVM), asset discovery, attack path analysis, vulnerability deduplication, AI-generated remediation guidance, code-to-cloud context integration, and workflow automation.
- First Seen: The article announces new capabilities built on existing and acquired technologies (such as the Dazz acquisition, which underpins UVM).
## MITRE ATT&CK Mapping
Since this is a defensive security product description, the mappings relate to the defensive capabilities it enables, primarily focusing on **Detection** and **Investigation** tactics.
- [TA0001 - Initial Access] (Mitigated by identifying and fixing exposed entry points)
- [TA0003 - Persistence] (Mitigated by hygiene enforcement)
- [TA0006 - Credential Access]
- [TA0007 - Discovery]
- [TA0009 - Collection]
- [TA0011 - Command and Control]
- [TA0012 - Exfiltration]
- [TA0018 - Impact]
Because the text describes a security platform, the specific techniques it helps detect or mitigate are more relevant:
- [TA0014 - Defense Evasion] (Detection helps prevent evasion techniques)
- [TA0001 - Initial Access]
- [T1190 - Exploit Public-Facing Application] (By prioritizing fixes for public exposures)
- [TA0013 - Credential Access]
- [T1552 - Unsecured Credentials] (By surfacing exposed secrets in code/configuration)
- [T0852 - Detection] (Platform provides broad detection coverage)
- [T1571 - Non-Standard Port] (Implied visibility during scanning)
## Functionality
### Core Capabilities
- **Unified Vulnerability Management (UVM):** Centralizing findings from various tools (SAST, DAST, traditional scanners, pen tests) into a single platform.
- **Asset Inventory and Enrichment:** Gaining a complete inventory of assets and enriching them with project, environment, and ownership context (including CMDB integration).
- **Contextual Prioritization:** Correlating findings in the Wiz Security Graph to deduplicate alerts and validate real exposure (e.g., checking whether a vulnerable package is actually loaded into memory, as reported by the Runtime Sensor).
- **Attack Path Analysis:** Focusing remediation efforts on vulnerabilities that form critical attack paths leading to crown jewels.
### Advanced Features
- **Code-to-Cloud Context:** Bridging the gap between code artifacts (SAST/SCA findings) and cloud runtime reality.
- **Automated Remediation Workflows:** Automatically assigning findings to resource owners (Security, Dev, Infra) and kicking off workflows.
- **AI-Generated Remediation Guidance:** Providing actionable guidance, including root cause fixes in code, IDE integration (via Wiz MCP Server), and infrastructure-as-code fixes (Terraform generation or CLI implementation).
- **Sensor Workload Scanner:** Extending Wiz’s native scanning capabilities to hybrid and on-premises infrastructure.
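As an added illustration of the contextual prioritization and attack-path analysis described above (this is not Wiz code; the asset inventory, findings, reachability edges and scoring weights are constructed assumptions), a small Python model that deduplicates multi-scanner findings, checks the runtime-loaded state and ranks each finding by whether its asset can reach a crown jewel:

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    internet_facing: bool = False
    crown_jewel: bool = False
    reaches: tuple = ()              # assumed lateral-movement edges (security-graph style)
    loaded: frozenset = frozenset()  # packages a runtime sensor saw loaded in memory
# Constructed inventory: a public web tier that can reach an internal database.
ASSETS = {a.name: a for a in [
    Asset("web-01", internet_facing=True, reaches=("db-01",), loaded=frozenset({"openssl"})),
    Asset("db-01", crown_jewel=True, loaded=frozenset({"libxml2"})),
    Asset("batch-07"),
]}
# Constructed findings from two scanner sources; the CVE ids are placeholders.
FINDINGS = [
    {"source": "sca", "asset": "web-01", "cve": "CVE-0000-0001", "package": "openssl", "cvss": 7.5},
    {"source": "agentless", "asset": "web-01", "cve": "CVE-0000-0001", "package": "openssl", "cvss": 7.8},
    {"source": "agentless", "asset": "web-01", "cve": "CVE-0000-0002", "package": "zlib", "cvss": 9.8},
    {"source": "agentless", "asset": "batch-07", "cve": "CVE-0000-0003", "package": "curl", "cvss": 9.8},
]

def dedupe(findings):
    """Merge duplicate findings keyed on (asset, cve); keep the highest CVSS and every source."""
    merged = {}
    for f in findings:
        cur = merged.setdefault((f["asset"], f["cve"]), {**f, "sources": set()})
        cur["sources"].add(f["source"])
        cur["cvss"] = max(cur["cvss"], f["cvss"])
    return list(merged.values())

def reaches_crown_jewel(assets, start, seen=frozenset()):
    """Depth-first walk of the reachability edges: is a crown jewel on a path from `start`?"""
    if start in seen:
        return False
    a = assets[start]
    return a.crown_jewel or any(reaches_crown_jewel(assets, n, seen | {start}) for n in a.reaches)

def prioritize(findings, assets):
    """Score deduplicated findings with runtime and graph context; highest score first."""
    scored = []
    for f in dedupe(findings):
        a, score = assets[f["asset"]], f["cvss"]
        score += 3 if f["package"] in a.loaded else 0             # vulnerable code actually runs
        score += 3 if a.internet_facing else 0                    # exposed entry point
        score += 4 if reaches_crown_jewel(assets, a.name) else 0  # on a path to a crown jewel
        scored.append({**f, "score": score})
    return sorted(scored, key=lambda f: -f["score"])
```

With the constructed data, the lower-CVSS openssl finding on the exposed web tier outranks the CVSS 9.8 finding on the isolated batch host, which is the point of context-driven prioritization.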
## Indicators of Compromise
As this is a description of a defensive security tool, traditional malicious IoCs are not provided. Instead, the product focuses on detecting and managing exposure indicators:
- File Hashes: N/A (Focuses on scanning existing files/images)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on managing exposure, not C2 communication)
- Behavioral Indicators: The product validates runtime state (e.g., whether a vulnerable component is loaded into memory) to prioritize risk.
## Associated Threat Actors
This tool/feature is associated with the ecosystem of defensive security users (CISOs, Security Teams, DevOps) and is used to defend against a broad range of threat actors utilizing vulnerabilities across hybrid IT environments.
## Detection Methods
The platform itself is a detection and prioritization mechanism:
- Signature-based detection: Leverages signatures embedded in third-party scanners ingested via the ecosystem.
- Behavioral detection: Utilizes the Wiz Security Graph and runtime sensors to detect active exploitation paths and in-memory threats.
- YARA rules: Not explicitly mentioned, but native scanning capabilities imply deep file analysis possibly leveraging signature logic.
## Mitigation Strategies
- **Shift Left:** Fixing issues at the source using code context and IDE integration.
- **Prioritization:** Focusing on high-ROI actions and exposures that form critical attack paths.
- **Hygiene Enforcement:** Using Posture Issues to bundle multiple related CVEs (like OS patches) into single, high-impact remediation tasks.
- **Workflow Integration:** Democratizing security by assigning findings directly to the appropriate owners in their native tools/workflows.
## Related Tools/Techniques
- **Unified Vulnerability Management (UVM):** The technological category the product falls under.
- **Wiz Code and Wiz Security Graph:** Core components providing context and correlation.
- **SAST/SCA/DAST:** Traditional tools whose data is aggregated by Wiz UVM.
- **Wiz Sensor Workload Scanner:** Component enabling on-premises scanning parity.