Discover how Wiz's innovative hybrid approach revolutionizes runtime security for the modern cloud era.
Analysis Summary
# Tool/Technique: Wiz Runtime Security Approach (Agentless/Hybrid Sensor)
## Overview
Wiz uses a hybrid approach: primarily agentless for broad visibility, supplemented by a lightweight, purpose-built eBPF-based sensor (the Wiz Sensor) that provides continuous monitoring, real-time threat detection, and protection for dynamic cloud workloads (containers, serverless functions, VMs) in production environments.
## Technical Details
- Type: Security Solution/Framework (Focusing on Runtime Protection capabilities)
- Platform: Cloud Environments (Containers, Serverless Functions, Virtual Machines)
- Capabilities: Real-time threat detection, automated response, file integrity monitoring (FIM), image drift detection, runtime behavioral baselining, forensic data collection, kernel-safe protection architecture.
- First Seen: Not explicitly stated, but context suggests adoption alongside cloud-native environment growth.
## MITRE ATT&CK Mapping
Since Wiz is a security solution providing detection and prevention capabilities, the mappings below reflect the *activities* it is designed to detect or mitigate, rather than a specific threat actor's TTPs.
- **Defense Evasion**
  - T1036 - Masquerading
  - T1070 - Indicator Removal on Host
    - T1070.004 - File Deletion
- **Execution**
  - T1059 - Command and Scripting Interpreter
- **Persistence**
  - T1543 - Create or Modify System Process
- **Lateral Movement**
  - T1090 - Proxy
- **Impact**
  - T1486 - Data Encrypted for Impact (potentially related to ransomware behavior detection)
## Functionality
### Core Capabilities
- **Agentless Security:** Provides full-stack visibility by scanning cloud environments without deploying agents universally.
- **Real-Time Threat Detection:** Identifies and can block sophisticated cloud threats as they occur, including monitoring for suspicious processes and malicious IOCs.
- **Runtime Behavioral Baselining:** Establishes norms for workload activity to reduce detection noise and identify anomalies.
- **Unified Contextual Insights:** Correlates runtime events with control plane, data, identity, network, and PaaS events for richer investigation.
### Advanced Features
- **eBPF-based Sensor:** Lightweight, kernel-safe sensor that minimizes performance impact while offering deep runtime protection.
- **Automated Response:** Ability to block threats immediately at the sensor level or respond via the control plane.
- **File Integrity Monitoring (FIM) & Image Drift Detection:** Continuously monitors containers for unauthorized changes to the OS or files within the golden image.
- **Log Tampering Prevention:** Monitoring to prevent adversaries from covering their tracks.
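The file integrity monitoring and image drift detection described above come down to one mechanism: record a manifest of the golden image (path, content hash, permission bits) and compare it against what is actually on disk at runtime. The following is an added example written for this page, not Wiz code; the directory layout, file contents and the `demo()` scenario are constructed in a temporary directory so it runs offline.

```python
"""Minimal file-integrity / image-drift check (added example, not Wiz code)."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass
class DriftReport:
    """Files that differ between the golden-image baseline and the live filesystem."""
    added: list = field(default_factory=list)     # present at runtime, absent from image
    removed: list = field(default_factory=list)   # in the image, deleted at runtime
    modified: list = field(default_factory=list)  # content or mode bits changed

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def _digest(path: str) -> str:
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Walk root and record (sha256, mode bits) for every regular file.

    Keys are paths relative to root with '/' separators so manifests taken on
    different hosts compare cleanly. Symlinks and special files are skipped.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (_digest(full), stat.S_IMODE(st.st_mode))
    return manifest


def diff_manifests(baseline: dict, current: dict) -> DriftReport:
    """Classify every path seen in either manifest as added, removed or modified."""
    report = DriftReport()
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report.added.append(rel)
        elif rel not in current:
            report.removed.append(rel)
        elif baseline[rel] != current[rel]:
            report.modified.append(rel)
    return report


def demo() -> DriftReport:
    """Constructed scenario: build a tiny 'golden image', then let it drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "usr", "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "usr", "bin", "app"), "wb") as f:
            f.write(b"\x7fELF placeholder binary")
        baseline = build_manifest(root)  # what the image scan recorded

        # Runtime drift: config edited, shipped binary removed, new file dropped.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("svc:x:1001:1001::/tmp:/bin/sh\n")
        os.remove(os.path.join(root, "usr", "bin", "app"))
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp", "dropper"), "wb") as f:
            f.write(b"not in the golden image")

        current = build_manifest(root)   # what the sensor sees now
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    r = demo()
    print("added:", r.added, "removed:", r.removed, "modified:", r.modified)
```

A real sensor would take the baseline from the image registry at deploy time and run the comparison continuously rather than on demand, but the output is the same triple of added, removed and modified paths that an investigator wants to see.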
## Indicators of Compromise
As Wiz is a detection/prevention platform, it focuses on identifying malicious **Indicators of Compromise (IOCs)** rather than generating them. However, the behaviors it monitors are indicative of compromise:
- File Hashes: Detection of known malicious hashes (Malicious IOCs).
- File Names: Detection of known malware file names.
- Registry Keys: Not explicitly detailed; OS-level monitoring of accessed keys is implied.
- Network Indicators: Detection of suspicious outbound network scanning or connections to known bad C2 infrastructure.
- Behavioral Indicators: File integrity changes, image drift, log tampering, execution of malicious processes, and deviations from runtime behavioral baselines.
## Associated Threat Actors
No threat actors are explicitly named in connection with this solution. However, the techniques it protects against are commonly employed by threat actors targeting cloud environments.
## Detection Methods
- **Signature-based detection:** Detection of malicious IOCs (hashes, network indicators).
- **Behavioral detection:** Leveraging runtime behavioral baselines, monitoring for suspicious activity (network scanning, process creation, file modification).
- **YARA rules if available:** Implied capability for custom threat detection rules tailored to specific threats.
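The signature-based and behavioral detection methods above, together with the runtime behavioral baselining from Core Capabilities, can be shown side by side on a stream of process-execution events: a learning window builds a per-workload set of expected executables, and each live event is then checked first against a hash IOC list and then against that baseline. This is an added example for this page, not Wiz code or Wiz's event format; the JSON event lines, workload names and the IOC hash are constructed.

```python
"""Baseline-plus-IOC classification of exec events (added example, not Wiz code)."""
import json
from collections import defaultdict

# Constructed learning-window events: what the workloads normally run.
LEARNING_EVENTS = """\
{"workload": "web:1.0", "exe": "/usr/sbin/nginx", "sha256": "aaaa"}
{"workload": "web:1.0", "exe": "/bin/sh", "sha256": "bbbb"}
{"workload": "web:1.0", "exe": "/usr/sbin/nginx", "sha256": "aaaa"}
{"workload": "worker:2.1", "exe": "/usr/bin/python3", "sha256": "cccc"}
"""

# Constructed live events to classify.
LIVE_EVENTS = """\
{"workload": "web:1.0", "exe": "/usr/sbin/nginx", "sha256": "aaaa"}
{"workload": "web:1.0", "exe": "/usr/bin/curl", "sha256": "dddd"}
{"workload": "worker:2.1", "exe": "/tmp/.x", "sha256": "c0ffee0000000000000000000000000000000000000000000000000000000000"}
{"workload": "batch:0.9", "exe": "/usr/bin/python3", "sha256": "cccc"}
"""

# Constructed placeholder hash, not a real indicator.
KNOWN_BAD_HASHES = {"c0ffee0000000000000000000000000000000000000000000000000000000000"}


def parse_events(text: str) -> list:
    """Parse JSON-lines event text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events: list) -> dict:
    """Per-workload set of executables observed during the learning window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["workload"]].add(ev["exe"])
    return dict(baseline)


def classify(event: dict, baseline: dict, bad_hashes: set):
    """Return a verdict string for an event, or None if it looks normal.

    Signature checks run first: a known-bad hash is conclusive regardless of
    baseline. Behavioral checks follow: an executable never seen for this
    workload, or a workload with no baseline at all.
    """
    if event["sha256"] in bad_hashes:
        return "ioc_hash"
    expected = baseline.get(event["workload"])
    if expected is None:
        return "unknown_workload"
    if event["exe"] not in expected:
        return "baseline_deviation"
    return None


def evaluate(events: list, baseline: dict, bad_hashes: set) -> list:
    """Return (verdict, event) pairs for every event that is not normal."""
    alerts = []
    for ev in events:
        verdict = classify(ev, baseline, bad_hashes)
        if verdict is not None:
            alerts.append((verdict, ev))
    return alerts


def demo() -> list:
    """Run the constructed live events against the constructed baseline."""
    baseline = build_baseline(parse_events(LEARNING_EVENTS))
    return evaluate(parse_events(LIVE_EVENTS), baseline, KNOWN_BAD_HASHES)


if __name__ == "__main__":
    for verdict, ev in demo():
        print(f"{verdict:20s} {ev['workload']:12s} {ev['exe']}")
```

The ordering in `classify` matters for noise: a hash hit is reported as such even when the executable happens to be in the baseline, while a brand-new workload is reported once as unknown rather than producing a deviation alert per process.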
## Mitigation Strategies
- **Prevention:** Real-time blocking of sophisticated cloud threats by the Wiz Sensor.
- **Hardening Recommendations:** Prioritizing and reducing risk by validating vulnerabilities at runtime.
- **Operational Improvement:** Reducing incident investigation time via forensic data collection.
- **Containment:** Improved containment and response actions available at the workload or control plane level.
## Related Tools/Techniques
- **Legacy Endpoint Agents:** Highlighted as struggling or ill-suited for cloud environments due to resource constraints and complexity.
- **Cloud Native Security Solutions:** The overall category to which Wiz belongs, utilizing cloud-native mechanisms like eBPF.