Wiz Landmines Flashcards
Attack Paths/Crown Jewel Risk
We have heard from customers that Wiz does not prioritize the risk associated with assets that matter to their crown jewels.
Do you find it important to prioritize risks surrounding crown jewels?
Attack Path analysis links alerts into the full set of attack paths an attacker could use, allowing you to focus remediation on your most critical assets.
Attack Path Real-world example
Customers who store data in S3 buckets or RDS databases are interested in knowing how an attacker might gain access to their data. Orca can identify those paths, reduce permissions, and identify improperly exposed PII that could lead to data breaches.
PII and Data Discovery
We have heard from customers that Wiz doesn’t scan for PII and they usually have to look for another solution. Orca does scan for exposed data and helps you identify where it is and how an attacker would get access.
Data breaches are one of the main objectives for attackers. They can hold your company and reputation for ransom. Identifying PII and sensitive data in the cloud is very important.
Orca scans for PII right out of the box, with no configuration or other solutions required. By identifying exposed SSNs, credit card numbers, PII, health records and more, we stop data breaches.
PII Real World Example 1
A public AWS S3 bucket was configured for website use and contained no sensitive data. Over time, someone exported data to the bucket, or data was saved there that contains emails, SSNs, or credit card information. Orca would detect this and show you that you now have sensitive data on a public bucket when that was not the intention.
PII Real World Example 2
An external web server has vulnerabilities but also accepts uploads from customers. Those uploads contain PII, and because the machine is vulnerable and external-facing, that sensitive data is now easier for an attacker to potentially exfiltrate.
Malicious Events
Currently, Wiz can only perform signature-based detection. Don’t let Wiz’s marketing confuse you. On its own, signature-based (hash lookups) detection is a very poor approach. It should always be augmented by heuristic scanning.
Looking only for known-bad signatures means you are not aware of new malware.
Orca uses deep scans to identify whether any events are aimed at assets and vulnerabilities, and can display events triggered by malicious IP addresses, which Wiz cannot.
Malicious Events Real-World Example 1
An event shows brute-force attempts against an exposed asset with RDP open. Customers might ignore these when they have assets facing the internet. Orca adds context for you: it informs you that the event happened against a vulnerable or exposed machine, allowing you to decide whether to fix the vulnerabilities or close the internet-facing port.
Malicious Events Real-World Example 2
API access from malicious or suspicious IP addresses can indicate that an attacker is trying to list objects, write to them, or perform other actions, which suggests the attacker already has a foothold and is attempting to steal data.
Malicious Events Real-World Example 3
Orca identifies suspicious activities such as network scanning with nmap, modifying permissions on scripts, and other actions an attacker would perform.
Compliance
Having a detailed understanding of which controls are failing and what assets need to be addressed is imperative to remediating those issues using best practices around compliance.
Orca provides detailed compliance checks that you can expand and drill down to the individual controls, so you can see each control's pass/fail status along with its related alerts, not just an overall pass/fail.
Compliance Real World Example
If you fail control 1.5 (MFA enabled for the root user), you need to know which root accounts in which AWS accounts to go fix. Control 1.5 requires MFA to be enabled for the root user; any AWS account without it fails the control. To resolve it, you need to know exactly which root accounts in which AWS accounts need fixing. This is explained in detail in the Orca platform.
Malware
New malware is created constantly, and relying on signatures alone doesn't work. This is why AV engines don't just look at signatures, which is how Wiz detects malware.
How would Wiz identify unknown malware if they are only checking for known malicious signatures?
Orca provides advanced malware detection via a sophisticated ML engine and deep analysis capabilities that include both signature-based and heuristic detection.
Malware Real World Example
An attacker can take code from different known malware families and package it into their own brand-new malware file, which is unknown and for which no signature exists. This would be missed by Wiz, since it only checks for known-bad signatures. It would go undetected, and the customer would not know about malware in their environment that an agent might also have missed, if an agent was present at all.
Trigger Based Scanning
New VMs and containers are set up and deployed daily. The quicker you can respond to an exposed asset that has vulnerabilities and related risks, the quicker you can reduce the risk to your organization.
Wiz doesn't scan assets as they are created and started, but only once a day. Is it important for you to identify vulnerable assets as they are deployed instead of relying on just a daily scan?
Orca does daily scans but also has event-based triggers for some assets to scan them as they are created, started or stopped.
Trigger-based Scanning Real World Example
A developer or IT staff member creates a new VM from a vulnerable image. The customer would want to know, as soon as that machine starts running, whether it is vulnerable or misconfigured, so they can take it offline or remediate as quickly as possible.