It’s time to fill those cloud security gaps
Here’s how Wiz can help
Sponsored Feature When software vulnerabilities and zero days moved up the enterprise worry list 15 years ago, nobody imagined the world would one day end up with a threat as perplexing as Log4Shell – a vulnerability in the Apache Log4j open source logging framework that's used in software on all major operating systems spanning everything from cloud services to PC games.
In what might be called the happier days of the past, flaws were something that affected single applications and individual software vendors. You could see where the problem was because it was inside one company's code. Fixing these flaws wasn't always simple – patches weren't always quickly available for zero days – but at least the hierarchy of responsibility was clear.
Log4Shell, or CVE-2021-44228 to give it its precise name, was very different. The December 2021 RCE mega-flaw became the latest example of a new and increasingly common type of super-vulnerability that challenged these simple prescriptions. This was the kind of zero day that would provide a remote attacker complete control over a vulnerable server (CVSS score 10.0), but that was only the beginning of the anxiety.
Less soluble was its ubiquity – Log4j is one of the most popular tools used by developers to collect information across networks, websites and applications. Everyone had used it, and it was inside countless applications built around Apache frameworks, including services as embedded in everyday life as Apple's iCloud. Super-flaws, then, were partly a product of the way the world has tilted towards sprawling software systems built from multiple parts, some more carefully tended than others: the Lego on which today's cloud platforms rest.
According to analysis by cloud security startup Wiz and EY (Ernst & Young), 93 percent of cloud environments were vulnerable to the Log4Shell vulnerability. The good news was that within 10 days of the flaw being made public, 45 percent of vulnerable cloud environments (excluding on-premises servers) had been patched. And yet the task of patching this type of flaw can be complex in cloud environments. Even finding the flaw is a major task, while the affected library can be deployed either as a package or already integrated into an application.
If earlier flaws threatened the integrity of individual applications, in the cloud era a similar issue can undermine entire services and the platforms on which they depend. Fixes would be slow, expensive, and might not happen at all. In some organizations, Log4j 2 could be buried in hundreds of individual instances, a mammoth clean-up job for something this important.
Growing at pace, Wiz was created in 2020 to solve this and the many other multi-fanged problems that are starting to weigh on hybrid clouds. The company's founders realized that securing these platforms was inherently difficult even when security teams weren't rushing to fix specific flaws such as Log4Shell. There is a huge amount to go wrong:
- Security holes opened by misconfiguration.
- The hidden exposures that arise with Infrastructure as code (IaC).
- Securing container pipelines and deployment, including on-premises container environments such as Red Hat's OpenShift.
- Implementing a cloud native application protection platform (CNAPP) to unify management.
- Enforcing cloud infrastructure entitlement management (CIEM).
- Identifying data repositories that contain sensitive information which might accidentally be exposed.
It's a challenge that existing tools struggle with, argues Wiz product vice president Yinon Costica, who points out that these have been adapted ad-hoc from an established computing model not built with cloud security in mind.
"Existing tools take from months to years to deploy traditional agent tooling and still result in blind spots and a lack of visibility into the environment," he says. "These look at layers such as containers or a single risk factor such as vulnerability management or CIEM which generate a lot of noisy alerts requiring manual effort to correlate risk. But real attack paths are much more sophisticated and involve exploiting many risk factors in combination."
Platform-specific tools are point solutions that don't work well in today's hybrid clouds or integrate on-premises with cloud monitoring. Tackling security alerts is particularly challenging in cloud environments which feature multiple stakeholders and technology layers, and fixing the issue tends to end up creating additional problems.
Wiz was founded specifically to solve these cloud security issues. It integrates a suite of capabilities into a new type of platform that supports the whole cloud stack, including OSes and code libraries connected to AWS, Azure, and GCP, as well as Kubernetes and OpenShift. Unlike rival tools, there's nothing to deploy – no agents to install or manage – all customers need to do is connect their cloud environment.
Visibility is the key
The platform first scans for misconfigurations, weaknesses, and possible malicious compromises, a role carried out using API calls without the need for traditional agents, one of the platform's distinctive features. The advantage of the agentless approach is that it sidesteps systems that can't run agents, that don't exist for long enough to have them installed, or on which running them would consume precious resources.
"By taking a 100 percent API-based approach to cloud scanning, Wiz is able to rapidly reduce the time it takes to deploy from months to years with traditional agent-based approaches down to minutes to days," says Costica.
Moreover, relying on the patchy coverage provided by agents may result in a security picture that is incomplete and misleading. "Through snapshots, Wiz can ingest all relevant security metadata, which is then run through a risk analysis engine across different layers and modelled in a graph database to correlate everything together."
This is the Wiz Security Graph, a contextual, visual representation that builds a single prioritized view of the risks in an environment, including vulnerability management and IaC scanning, Kubernetes security, cloud workload protection state, and CIEM. The Graph accommodates custom controls and policies and can be used to answer a range of deeper queries.
"By modelling the cloud environment and risk factors on a graph, Wiz delivers context and an easily explorable view of the cloud for users. Beyond visualizations and queries, the Security Graph enables Wiz to interrogate the underlying cloud environment," he adds.
Through the insight provided by the Security Graph, customers can see the vulnerabilities, misconfigurations, and attack paths in their entire infrastructure, in many cases the first time they've had such a comprehensive view.
But simply addressing the problem of the security team isn't enough to make cloud security work. Developing cloud native applications in an agile manner involves teams that build loosely coupled applications independently of each other across the enterprise. That means security must be integrated within a development process that allows teams to iterate applications in a decentralized way.
"Wiz enables development teams to take action independently of security with direct visibility, risk prioritization, and context into the environments they own so they can ship faster, more securely," says Costica.
"Role based access control ensures developers only see the resources and risks they own. Teams use Wiz to implement a golden VM image pipeline, hardening their images before distribution and ensuring all teams create instances from hardened VM images."
Discovering blind spots
Costica offers the example of a Jenkins container exposed to the Internet in which exploitable VM vulnerabilities give attackers a backdoor into the production environment. Any one of these issues is potentially dangerous but the combination of oversights turns this into a disaster-in-the-making. Wiz was designed to spot precisely this type of complex security problem before the damage is done.
Says Costica, "The most critical risks that could lead to breaches are often a combination of several different risk factors. Real attack paths are much more sophisticated than a single misconfiguration or vulnerability and often involve exploiting many risk factors in combination."
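The Jenkins example above is a "toxic combination": internet exposure, an exploitable vulnerability and a credential path to production, none of which is critical on its own. The following added illustration (not Wiz's code; the inventory, edges and CVE placeholders are constructed) shows how a graph walk over scanner metadata surfaces only assets where those factors line up, so a lone exposed-but-patched host is not reported.

```python
from collections import deque

# Constructed toy inventory: each asset carries the risk factors a scanner
# might attach to it. Edges are reachability (network or credential).
ASSETS = {
    "jenkins-ci": {"internet_exposed": True,
                   "critical_vulns": ["CVE-XXXX-PLACEHOLDER-1"]},
    "build-vm":   {"internet_exposed": False,
                   "critical_vulns": ["CVE-XXXX-PLACEHOLDER-2"]},
    "prod-db":    {"internet_exposed": False, "critical_vulns": [],
                   "sensitive_data": True},
    "bastion":    {"internet_exposed": True, "critical_vulns": []},
}
EDGES = {
    "jenkins-ci": ["build-vm"],  # CI credentials reach the build VM
    "build-vm":   ["prod-db"],   # deploy role reaches the database
    "bastion":    ["build-vm"],  # exposed, but no exploitable entry point
}


def attack_paths(assets, edges):
    """Return every path from an internet-exposed, exploitable asset to an
    asset holding sensitive data. An entry point needs both factors; a node
    that is merely exposed, or merely vulnerable, never starts a path."""
    paths = []
    for start, meta in assets.items():
        if not (meta["internet_exposed"] and meta["critical_vulns"]):
            continue
        queue = deque([[start]])
        while queue:                       # breadth-first over reachability
            path = queue.popleft()
            node = path[-1]
            if assets[node].get("sensitive_data"):
                paths.append(path)
                continue
            for nxt in edges.get(node, []):
                if nxt not in path:        # avoid cycles
                    queue.append(path + [nxt])
    return paths


def path_score(assets, path):
    """Rank paths by how many risk factors they chain together, so the
    ones combining the most issues are fixed first."""
    score = 0
    for node in path:
        meta = assets[node]
        score += int(meta["internet_exposed"]) + len(meta["critical_vulns"])
        score += int(bool(meta.get("sensitive_data")))
    return score


if __name__ == "__main__":
    for p in sorted(attack_paths(ASSETS, EDGES),
                    key=lambda p: -path_score(ASSETS, p)):
        print(path_score(ASSETS, p), " -> ".join(p))
```

Any real graph adds edge types (IAM roles, network rules, mounted secrets) and many more factor kinds, but the correlation step stays the same: report the chain, not the isolated finding.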
Another issue is the way many cloud vulnerabilities fall between the reporting gaps. In the software sphere, vulnerabilities are made public and tracked using CVEs, a system that has proved less suited to the cloud security context, Wiz argues. In many cases, whether an issue warrants a CVE is decided by the cloud service provider, which turns on its head the CVE model in which the customer manages fixes at their own discretion. Lacking CVEs for many issues, customers find it harder to work out which fixes are the most urgent. In many cases, when they are told, the news arrives by email, an unreliable method of communication.
Wiz's answer is The Open Cloud Vulnerability and Security Issue Database, an open initiative announced in 2022 that has set itself the task of becoming a public repository for cloud flaws and service provider issues. As the site states:
"Our goal in this project is to pave the way for a centralized cloud vulnerability database, by cataloging CSP security mistakes and listing the exact steps CSP customers can take to detect or prevent these issues in their own environments."
What counts is that the customer understands their exposure to critical issues as rapidly as possible. Although an extreme example, Log4Shell was a case in point, says Costica.
"Less than 24 hours after the discovery of Log4Shell, customers could use Wiz to detect if they were utilizing vulnerable Log4j libraries across all clouds and workloads in their environment and follow the product's remediation guidance to reduce the risk."
The reality is that this type of flaw quickly turns into trench warfare and won't recede any more than other infamous flaws such as 2014's Heartbleed have. Years later, many servers remain vulnerable to this issue, he points out. Log4Shell will continue to be an issue because many organizations lack the time or will to fix it or, worse, can't see their vulnerability in the first place. And when they fix Log4Shell, that doesn't address the wider issue that another big flaw will strike at some point.
"Customers need to see the scale of the problem as quickly as possible. That requires the right software for the job."
Sponsored by Wiz.