Wiz Landmines Flashcards

1
Q

Attack Paths/Crown Jewel Risk

A

We have heard from customers that Wiz does not prioritize the risk associated with assets that matter to their crown jewels.
Do you find it important to prioritize risks surrounding crown jewels?

Attack path analysis links alerts into every attack path an attacker could use, allowing you to focus remediation on your most critical assets.

2
Q

Attack Path Real-world example

A

Customers who store data in S3 buckets or RDS databases are interested in knowing how an attacker might gain access to that data. Orca can identify those paths, reduce permissions, and identify improperly exposed PII that could lead to a data breach.

3
Q

PII and Data Discovery

A

We have heard from customers that Wiz doesn’t scan for PII and that they usually have to look for another solution. Orca does scan for exposed data and helps you identify where it is and how an attacker would gain access to it.

Data breaches are one of the main objectives for attackers. They can hold your company and reputation for ransom. Identifying PII and sensitive data in the cloud is very important.

Orca scans for PII right out of the box, with no configuration or other solutions required. By identifying exposed SSNs, credit card numbers, PII, health records and more, we stop data breaches.

4
Q

PII Real World Example 1

A

A public AWS S3 bucket was configured for website use and no sensitive data existed in it. Over time, someone exported data to the S3 bucket, or data was saved there that contains emails, SSNs, or credit card information. Orca would detect this and show you that you now have sensitive data in a public bucket when that was never the intention.

5
Q

PII Real World Example 2

A

An external web server has vulnerabilities but also holds uploads from customers. Those uploads contain PII, and since the machine is vulnerable and external-facing, that sensitive data is now easier for an attacker to potentially exfiltrate.

6
Q

Malicious Events

A

Currently, Wiz can only perform signature-based detection. Don’t let Wiz’s marketing confuse you. On its own, signature-based detection (hash lookups) is a very poor approach. It should always be augmented by heuristic scanning.

Only looking for known bad signatures means new malware goes unnoticed.

Orca uses deep scans to identify whether any events are aimed at assets and vulnerabilities, and can display events triggered by malicious IP addresses, which Wiz cannot.

7
Q

Malicious Events Real-World Example 1

A

An event shows brute force attempts against an exposed asset with RDP. Customers might ignore these if they have assets facing the internet. Orca adds context: it will inform you that the event happened against a vulnerable or exposed machine, allowing you to decide whether you want to fix the vulnerabilities or close the port facing the internet.

8
Q

Malicious Events Real-World Example 2

A

API access from malicious or suspicious IP addresses can indicate that an attacker is trying to list objects, write to them, or perform other actions, which can mean the attacker already has a foothold and is attempting to steal data.

9
Q

Malicious Events Real-World Example 3

A

Orca identifies suspicious activities such as network scanning with nmap, modifying permissions on scripts, and other actions an attacker would typically perform.

10
Q

Compliance

A

Having a detailed understanding of which controls are failing and which assets need to be addressed is imperative to remediating those issues using compliance best practices.

Orca provides detailed compliance checks that you can expand and drill down into to the individual controls, so you can see pass/fail status along with related alerts, not just a pass/fail summary.

11
Q

Compliance Real World Example

A

Control 1.5 requires MFA to be enabled for the root user in every AWS account; any account without it fails the control. If you fail control 1.5, you need to know which root accounts in which AWS accounts you have to go fix. This is explained in detail in the Orca platform.

12
Q

Malware

A

New malware is created constantly, and relying on signatures alone doesn’t work. This is why AV engines don’t just look at signatures, which is all Wiz uses to detect malware.
How would Wiz identify unknown malware if it only checks for known malicious signatures?

Orca provides advanced malware detection via a sophisticated ML engine and deep analysis capabilities that include both signature-based and heuristic detection.

13
Q

Malware Real World Example

A

An attacker can take code from different known malware families and package it into their own, producing a brand new malware file that is unknown and for which no signature exists. This would be missed by Wiz, since it only checks for known bad signatures. It would go undetected, and the customer would not know about malware in their environment that an agent (if one is even present) might also have missed.

14
Q

Trigger Based Scanning

A

New VMs and containers are set up and deployed daily. The quicker you can respond to an exposed asset that has vulnerabilities and related risks, the quicker you can reduce the risk to your organization.
Wiz doesn’t scan assets as they are created and started, but only once a day. Is it important for you to identify vulnerable assets as they are deployed instead of relying on just a daily scan?

Orca does daily scans but also has event-based triggers for some assets, scanning them as they are created, started or stopped.

15
Q

Trigger-based Scanning Real World Example

A

A developer or IT staff member creates a new VM from a vulnerable image. The customer would want to know, as quickly as possible once that machine starts running, whether it is vulnerable or misconfigured, so they can take it offline or remediate it.

16
Q

Installed Package Inventory

A

How would you identify systems with vulnerable software when the vulnerability data needed to detect them has not yet been released?
Orca is able to identify this with our application catalog, and many customers used it during Log4j, since there was a delay in the release of the data needed to detect affected systems. Wiz only provides a small list of applications and does not have this capability. Do you need to look up software in your environment frequently, perhaps for a use case like the one we just mentioned?

As a security operations requirement, you should be able to query your software inventory without limitations. A lack of knowledge about what you have limits your ability to respond to specific security issues.

Orca Security has more robust and complete support for installed package data than Wiz. At Orca Security, you can quickly and easily find a package with any name, without opening a ‘feature request’ to have that name supported.

17
Q

Installed Package Inventory Real World Example

A

A package may not have a patch but may have a mitigation. To apply the mitigation, you need to know the exact location of every instance of the package in your cloud estate. Log4j is a great example: even though it had a patch, it also had a mitigation, and in many cases the mitigation is both easier and faster to apply.

18
Q

Login Data or Security Logs

A

Did Wiz tell you that they do not capture or store security logs and login data, in order to save costs?
Companies need access to this data for compliance reasons; they are required to provide it during audits. Furthermore, security logs and login data can be extremely valuable to a customer who needs to investigate a breach.

Orca captures security logs and login data to allow a quick assessment of the workload situation. Wiz saves that cost by not storing the information.

19
Q

Login data or Security Logs

A

Every day, computer networks across the globe are generating records of the events that occur. Some are routine. Others are indicators of a decline in network health or attempted security breaches.

Log files contain a wealth of information that can reduce an organization’s exposure to intruders, malware, damage, loss and legal liabilities. Log data needs to be collected, stored, analyzed and monitored to meet and report on regulatory compliance standards like Sarbanes-Oxley, Basel II, HIPAA, GLB, FISMA, PCI DSS and NISPOM. This is a daunting task, since log files come from many different sources, in different formats, and in massive volumes, and many organizations don’t have a proper log management strategy in place to monitor and secure their network.

20
Q

Scanning all Assets

A

We have heard from customers that run auto-scaling groups that they had challenges scanning all their assets with Wiz. I believe Wiz scans only a sample of them, and some customers report missing findings because of it. Do you run any auto-scaling groups or other dynamic resources where this lack of visibility would be a concern?
Wiz scans only a sample of its customers’ assets by default (only 1 VM per auto-scaling group). This is done to reduce costs on their end, but it leaves gaps for customers running auto-scaling groups, which a large number of customers do.

When Orca searches for specific events against these assets, they are scanned throughout the day and not just once a day.

21
Q

Scanning all Assets Real World Example

A

If you are running 100 virtual machines as part of an auto-scaling group, Wiz would scan 1. The other 99 VMs can have completely different running configurations: although they are all built from the same image, runtime activity causes configuration drift that could be missed.

Example: an administrator logs into a non-scanned asset and types in a password, adds a secret, or the machine becomes susceptible to a newly disclosed vulnerability. Wiz would show only the 1 VM it scanned, which it might report as having no risk, while the other 99 have many risks.

22
Q

Wiz Differentiators

A

Attack Path Analysis
PII and Data Discovery
Malicious Event Detection
Compliance
Malware
Trigger Based Scanning, All Assets
Queries - Software and Package Inventory
Login data and Security Logs for Audits