Full Report
A hands-on walkthrough of how to use Wiz to find sensitive data and uncover who can access it.
Analysis Summary
# Tool/Technique: Wiz Data Security (Visibility Layer)
## Overview
This summary details the capabilities of the Wiz platform, specifically focusing on the visibility layer of its Cloud Data Security features. The primary purpose is to help organizations discover where sensitive data resides in their cloud environments, how that data is exposed, and which identities have access to it, using an agentless scanning approach.
## Technical Details
- Type: Tool (Cloud Security Posture Management/Data Security Platform)
- Platform: Cloud environments (various supported data services)
- Capabilities: Agentless scanning, sensitive data detection, data classification, visualization (Treemap), identity-to-data access mapping, queryable security graph.
- First Seen: Information not explicitly provided in the text, but relates to the "Wiz Data Foundations" series announcement.
## MITRE ATT&CK Mapping
This tool is designed for *defense* and *detection*, so it primarily maps to defensive tactics rather than offensive TTPs. However, visualizing relationships and access privileges aligns with understanding the pathways attackers might exploit.
- **TA0006 - Credential Access** (Relevant to identifying who *could* gain access)
  - T1078 - Valid Accounts
- **TA0007 - Discovery** (Relevant to mapping accessible resources)
  - T1580 - Cloud Accounts
## Functionality
### Core Capabilities
- **Data Discovery and Classification:** Agentless scanning of supported data services to detect and classify sensitive data out-of-the-box.
- **Visualization:** The **Data Stores Treemap** provides a visual breakdown of sensitive data distribution grouped by resource type, environment, and sensitivity level.
- **Access Auditing (Data-Centric):** Starting from a specific data store, users can view all identities with access, including the path (direct or inherited) and the access level.
- **Access Auditing (Identity-Centric):** The **Identity Entitlements** view allows filtering identities (human/machine), sorting by access level (read/write/admin), and seeing how access was granted.
- **Identity Profiling:** Viewing a specific identity's profile lists all accessible resources, including those containing sensitive data.
### Advanced Features
- **Security Graph:** Supports path-based querying across complex relationships involving data, identity, exposure, and risk (e.g., transitive access mapping, where access is reached through an assumed role rather than a direct grant).
- **Custom Querying:** Ability to write inline custom questions directly on identity profile pages (e.g., checking for write access to unencrypted databases by a specific role).
- **Context Correlation:** Surfacing **Issues** which correlate multiple risks (e.g., sensitive data + public exposure + no encryption).
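To make the graph concepts above concrete (the data-centric and identity-centric access views from Core Capabilities, transitive access through roles, and the correlation of several findings into one Issue), the following is an added, self-contained Python model. It is not Wiz code and does not use the Wiz API; the node/edge schema, the `ASSUMES`/`HAS_POLICY`/`GRANTS` relation names, and the sample inventory are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample inventory (hypothetical, not real cloud data).
# Nodes are principals, policies and data stores; edges are the relationships
# a security graph would store between them.
NODES = {
    "user:alice":      {"kind": "identity", "human": True, "mfa": False},
    "role:analyst":    {"kind": "role"},
    "policy:ReadData": {"kind": "policy", "access": "read"},
    "policy:RWData":   {"kind": "policy", "access": "write"},
    "bucket:customer-exports": {"kind": "datastore", "sensitive": True,
                                "public": True, "encrypted": False},
    "db:orders":       {"kind": "datastore", "sensitive": True,
                        "public": False, "encrypted": True},
    "bucket:logs":     {"kind": "datastore", "sensitive": False,
                        "public": True, "encrypted": False},
}

EDGES = [
    ("user:alice", "ASSUMES", "role:analyst"),          # inherited path via a role
    ("role:analyst", "HAS_POLICY", "policy:ReadData"),
    ("policy:ReadData", "GRANTS", "bucket:customer-exports"),
    ("policy:ReadData", "GRANTS", "db:orders"),
    ("user:alice", "HAS_POLICY", "policy:RWData"),      # direct grant on the user
    ("policy:RWData", "GRANTS", "db:orders"),
    ("policy:RWData", "GRANTS", "bucket:logs"),
]

ACCESS_RANK = {"read": 1, "write": 2, "admin": 3}


def build_adjacency(edges):
    """Forward and reverse adjacency lists so the graph can be walked either way."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, rel, dst in edges:
        fwd[src].append((rel, dst))
        rev[dst].append((rel, src))
    return fwd, rev


def access_paths(identity, nodes=NODES, edges=EDGES):
    """Identity-centric view: every data store reachable from `identity`,
    with each full path, the access level the granting policy confers,
    and whether the grant is direct or inherited through a role."""
    fwd, _ = build_adjacency(edges)
    results = defaultdict(list)
    queue = deque([[identity]])
    while queue:
        path = queue.popleft()
        for _rel, nxt in fwd[path[-1]]:
            if nxt in path:  # guard against cycles in role assumption
                continue
            new_path = path + [nxt]
            if nodes[nxt]["kind"] == "datastore":
                policy = next(n for n in reversed(new_path) if nodes[n]["kind"] == "policy")
                how = "inherited" if any(nodes[n]["kind"] == "role" for n in new_path) else "direct"
                results[nxt].append({"path": new_path,
                                     "access": nodes[policy]["access"],
                                     "how": how})
            else:
                queue.append(new_path)
    return dict(results)


def identities_with_access(datastore, nodes=NODES, edges=EDGES):
    """Data-centric view: which identities reach `datastore`, walking the
    graph backwards, keeping the highest access level found per identity."""
    _, rev = build_adjacency(edges)
    found = {}
    queue = deque([[datastore]])
    while queue:
        path = queue.popleft()
        for _rel, prev in rev[path[-1]]:
            if prev in path:
                continue
            new_path = path + [prev]
            if nodes[prev]["kind"] == "identity":
                policy = next(n for n in new_path if nodes[n]["kind"] == "policy")
                level = nodes[policy]["access"]
                if prev not in found or ACCESS_RANK[level] > ACCESS_RANK[found[prev]]:
                    found[prev] = level
            else:
                queue.append(new_path)
    return found


def find_issues(nodes=NODES, edges=EDGES):
    """Correlate single findings into Issues: a sensitive store that is both
    public and unencrypted, and write access to sensitive data by an identity
    without MFA. Each Issue is (rule-name, subject)."""
    issues = []
    for name, attrs in nodes.items():
        if attrs["kind"] != "datastore":
            continue
        if attrs["sensitive"] and attrs["public"] and not attrs["encrypted"]:
            issues.append(("exposed-unencrypted-sensitive-store", name))
        if attrs["sensitive"]:
            for ident, level in identities_with_access(name, nodes, edges).items():
                if ACCESS_RANK[level] >= ACCESS_RANK["write"] and not nodes[ident]["mfa"]:
                    issues.append(("write-to-sensitive-without-mfa", f"{ident} -> {name}"))
    return issues


if __name__ == "__main__":
    for store, grants in access_paths("user:alice").items():
        for g in grants:
            print(store, g["access"], g["how"], " -> ".join(g["path"]))
    print(identities_with_access("db:orders"))
    print(find_issues())
```

In the sample, `user:alice` reaches `db:orders` twice: read access inherited through `role:analyst`, and write access through a policy attached directly to the user. The data-centric view collapses that to the highest level (write), and because the identity has no MFA, the correlation step raises an Issue for it alongside the public, unencrypted `bucket:customer-exports`.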
## Indicators of Compromise
The output of this system consists of **security findings and insights** within the Wiz platform, not traditional malware IOCs.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (The tool analyzes existing, potentially compromised, infrastructure)
- Behavioral Indicators: Correlated behaviors leading to "Issues," such as:
  - Identity having write access to sensitive storage without MFA.
  - Data stores exhibiting public exposure coupled with lack of encryption.
## Associated Threat Actors
This tool is used by **Defenders** (Security Teams, Cloud Security Engineers) to monitor and secure assets against threat actors, rather than being used *by* threat actors.
## Detection Methods
The platform itself is a detection and visibility mechanism:
- Signature-based detection: Prebuilt sensitive data detection logic.
- Behavioral detection: Analyzing access patterns and contextual correlation of risks across the cloud environment.
- YARA rules if available: Not specified; the focus is on cloud metadata/configuration analysis.
## Mitigation Strategies
The platform facilitates mitigation by providing visibility into risks:
- Prioritizing remediation based on correlated risk scores (Issues).
- Identifying and reducing overly permissive access paths identified via the Identity Entitlements view or Security Graph.
- Hardening access controls around critical data layers based on Treemap analysis.
## Related Tools/Techniques
- **Wiz Agentless Approach:** Mentioned as the underlying method for scanning.
- **Wiz 5R Framework:** Referenced as the response methodology intended to follow the visibility phase.
- Security Graph exploration (similar concepts found in graph databases used for security analysis).