Prevent misconfigurations in your environment from being exploited with Wiz’s real-time CSPM.
Analysis Summary
This article covers an enhancement to the Wiz Cloud Security Posture Management (CSPM) solution: real-time scanning that prevents and remediates cloud misconfigurations immediately upon detection. It is not about a specific malware family or threat actor technique, but rather a security control aimed at preventing common human-error-based risks in the cloud.
# Tool/Technique: Wiz CSPM (Real-time Scanning)
## Overview
Wiz CSPM (Cloud Security Posture Management) is a security offering designed to automatically detect misconfigurations in cloud environments. The key update discussed is the extension of this capability to **real-time scanning**, enabling immediate detection and remediation of security risks, such as publicly exposed storage buckets, as soon as they are introduced or altered.
## Technical Details
- Type: Security Tool/Control Feature (CSPM)
- Platform: Cloud Environments (Virtual machines, containers, serverless, AI resources)
- Capabilities: Agentless scanning, configuration checks (over 2,300 built-in rules), attack path correlation, real-time visibility, and automated remediation triggering.
- First Seen: Announced with the launch of the real-time scanning feature (the source gives no date).
## MITRE ATT&CK Mapping
Because this is a defensive tool focused on preventing initial access and configuration flaws, the mapping below covers the tactics that misconfigurations typically enable rather than any adversary tooling.
- **TA0003 - Persistence** (Indirectly, by preventing an attacker from establishing persistence via misconfiguration)
- **T1592 - Gather Victim Identity Information** (Preventing unintentional public exposure of data/resources)
- **T1592.004 - Cloud Service Configuration** (Focuses on securing cloud settings)
*Note: While traditional malware TTPs are not the focus, misconfigurations are frequently the enabler for adversary techniques under the Initial Access and Persistence tactics.*
## Functionality
### Core Capabilities
- **Agentless Scanning:** Scans every resource in the environment using the Wiz Security Graph.
- **Configuration Checks:** Utilizes over 2,300 built-in rules to ensure adherence to security best practices.
- **Attack Path Correlation:** Connects misconfigurations with other identified cloud risks to prioritize critical exposure paths.
### Advanced Features
- **Real-time CSPM Scanning:** Detects configuration changes (e.g., a storage bucket becoming public) immediately as the triggering cloud event occurs.
- **Real-time Remediation:** Lets customers trigger automated remediation flows the moment a finding is raised (e.g., automatically restricting public access).
- **Governance:** Provides instant visibility into new resources to enforce policies immediately upon provisioning.
## Indicators of Compromise
This section is not applicable as Wiz CSPM is a defensive tool that identifies *potential* weaknesses rather than detecting active malicious artifacts.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Detection of configuration change events (e.g., permission modification on a cloud resource).
## Associated Threat Actors
N/A (Associated with security defenders and organizations seeking to improve cloud posture, such as Pfizer).
## Detection Methods
This is a **detection and prevention solution**, not an indicator source.
- Signature-based detection: Configuration checks based on defined security rules.
- Behavioral detection: Monitoring cloud control plane APIs for configuration changes that violate policy.
- YARA rules: N/A
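As an added illustration of the event-driven check described above (not code from the page or from Wiz), the following Python evaluates constructed, simplified CloudTrail-style S3 control-plane events and flags the ones that make a bucket public. The event shapes, the account id and function names such as `evaluate_event` are assumptions made for this example; policies with a single non-list `Statement` are not handled.

```python
import json

PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

# Constructed sample events approximating the shape of AWS CloudTrail records
# for S3 control-plane calls (simplified for illustration; not captured logs).
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"bucketName": "reports-prod", "bucketPolicy": json.dumps({"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-prod/*"}]})}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"},
     "requestParameters": {"bucketName": "build-cache", "AccessControlPolicy": {"AccessControlList": {"Grant": [
         {"Permission": "READ", "Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}}}},
]

def policy_is_public(policy):
    # An Allow statement for everyone, with no Condition narrowing it, is public.
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and not stmt.get("Condition") and (
                principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")):
            return True
    return False

def acl_is_public(acp):
    # Any grant to the AllUsers or AuthenticatedUsers group opens the bucket.
    grants = acp.get("AccessControlList", {}).get("Grant", [])
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS for g in grants)

def evaluate_event(event):
    # Decide per event, so the finding is raised as the change lands, not at the next sweep.
    if event.get("eventSource") != "s3.amazonaws.com":
        return None
    name, params = event.get("eventName"), event.get("requestParameters", {})
    reason = None
    if name == "PutBucketPolicy":
        policy = params.get("bucketPolicy", "{}")
        if policy_is_public(json.loads(policy) if isinstance(policy, str) else policy):
            reason = "bucket policy allows Principal '*' without a Condition"
    elif name == "PutBucketAcl" and acl_is_public(params.get("AccessControlPolicy", {})):
        reason = "ACL grants a global group access"
    return {"bucket": params.get("bucketName"), "event": name, "reason": reason,
            "actor": event.get("userIdentity", {}).get("arn")} if reason else None

def scan(events):
    # Run the check over an event stream; findings feed the automated remediation flow.
    return [f for f in map(evaluate_event, events) if f is not None]
```

In practice the same logic would be attached to the cloud provider's event stream so that each finding, with its actor and reason, can be routed straight to a remediation action.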
## Mitigation Strategies
The primary mitigation is the deployment and effective use of the real-time CSPM feature to eliminate systemic weaknesses arising from human error.
- **Prevention:** Remediating misconfigurations immediately upon introduction (proactive removal).
- **Hardening Recommendations:** Utilizing continuous monitoring to ensure configuration drift is corrected instantly.
- **Process Improvement:** Fostering cross-team trust by providing accurate, up-to-date remediation status feedback to development teams.
## Related Tools/Techniques
- Legacy CSPM tools (which only provide point-in-time visibility).
- Cloud Security Posture Management (CSPM) solutions.