Today, we are excited to announce new remediation and response capabilities to help cloud security teams streamline real-time enforcement of security best practices while also helping incident responders with the ability to contain incidents and reduce the blast radius quickly. The new capability enables customers to:  

• Investigate misconfigurations that Wiz detected and enable one-click remediation  

• Implement automation rules to auto-remediate misconfigurations that deviate from an organization's security policies 

• Use real-time response in conjunction with Wiz’s real-time cspm detection  

• Respond to and contain unfolding incidents to reduce the potential blast radius  

• Customize infrastructure to add new remediation functions tailored to the organization's unique needs   

These new automation capabilities can be used in multiple ways. Teams can leverage them when deviations from established security best practices are detected, ensuring that configurations adhere to stringent security standards.  When cloud security incidents are identified, these automation capabilities can help drive rapid response to mitigate threats and minimize potential damage. 

The new 'Remediation and Response' feature has been a strong addition to our security operations strategy. As a security engineer, I appreciate its ease of use and flexibility. This feature allows us to effortlessly enforce cloud configuration best practices across our organization at scale. It's streamlined our processes and enhanced MongoDB's strong security posture by giving us the full flexibility to support our organization's unique needs. With Wiz, we can maintain strict compliance with industry standards with minimal effort.

John Misczak, Senior InfoSec Engineer at MongoDB

The role of effective remediation in cloud security  

Cloud Security operations, focused on cloud posture management, threat detection, and response workflows, are often arduous and require significant human capital. The sheer volume of security events often overwhelms the limited workforce, preventing effective scaling. The combination of inefficient processes and stringent security engineering requirements complicates the development of effective, scalable solutions for cloud security teams.

We needed an approach that would free security teams from monotonous tasks, allowing them to focus on projects that add value to the company and better utilize their skills. Effective remediation is a critical building block that enables the scalability and democratization of cloud security. This can be achieved using a combination of human-in-the-loop approaches (that provide one-click fixes for security issues) with flexible automation rules that allow organizations to enforce their security policies and reduce security team overhead. 

Four remediation and response use-cases unlocked  

1: Detect and Prevent misconfigurations in real time, and track completion  

Misconfigurations in cloud infrastructure can potentially lead to unwanted exposure of crown jewels in the environment. Attackers can exploit such misconfigurations as an initial access point into the environment, so fixing them can drastically reduce an attack surface and reduce the exposure window. Any detected misconfiguration that is mapped to a response action can be quickly resolved by leveraging a one-click (human-in-the –loop) workflow resolution using the Fix button.    

Some popular configuration best practices that can be leveraged using remediation and response include: 

• ensuring cloud networking is not open to the internet 

• identifying stale IAM access keys and deactivating them 

• adding data protection to storage buckets 

• preventing databases from being public facing 

• enforcing strong account password policies  

Once a fix is triggered, the progress, completion, and past activities can be tracked directly from the Wiz findings page.    

2: Respond to Threat Detection Issues 

To respond to and mitigate a cloud security threat, often the initial step is to quickly isolate the affected systems to prevent the spread of the threat and assess the scope and impact of the incident. Wiz gives you the detection of the potential incident – including full evidence and context. The Remediation and Response features can trigger real-time response actions that reduce and contain the likely blast radius. Common actions to mitigate the impact of a threat include:  

• suspending or terminating the virtual machine 

• isolating it from network connectivity 

• detaching roles from the compute instance 

• deleting the Lambda function or setting its concurrency to zero 

• stopping the ECS Task or Service 

3: Create Custom Response Functions 

Remediation and response also provides the option to add custom response functions. Custom functions can be handy when teams require dedicated customizations to reflect their internal security and business processes and workflows. Utilizing provided standard code templates, customers can use Wiz to remediate cloud security findings with standard cloud provider libraries.

After custom response functions have been created, Wiz makes it easy to review and manage them in the new Response Actions Catalog. View all available response functions and their mapping to cloud misconfigurations. View available actions and review a response action to see its details — such as source code, risks, and all instances of it — across your remediation and response deployments and projects. Disable an action for the entire organization, (or for specific subscriptions), to prevent it from being triggered manually, or automatically or mark a response action instance as disruptive.   

4: Build custom automation rules for real-time automated remediation   

Author automation rules that reflect an organization's custom cloud security workflow. Define and filter trigger actions and specify the remediation actions that can be applied to the response flow in real time. Scope the workflow for the entire organization or limit the scope to only specific projects. Additionally, understand the immediate impact of trigger actions to the cloud environment and configuration findings.   

Automation is at the core of our cloud security strategies at TransUnion.  It enables us to continuously scale our controls and effectively accelerate our response to identified security risk. Our team previously leveraged an open-source solution to implement auto-remediation of select security violations in our enterprise cloud environment. While we were able to achieve some desired functionality, it came with limited agility and introduced a heavy operational tax due to the substantial number of resources that were required to be maintained in the cloud provider. We recently moved our cloud security posture management capabilities to Wiz and have started to operationalize hard enforcement actions there utilizing their Response framework. Even though Wiz's Response Action and Automation Rule functionality is relatively new to their platform, it shows a lot of promise and provides us a better long-term scalable solution that will simplify our operational duties.  My team has been actively developing and testing custom auto-remediation rules for non-compliant cloud resource configurations and the Wiz team has been highly collaborative throughout our efforts.  Whether it be a discovered gap or identified whitespace, Wiz has quickly developed and released new capabilities that help ensure we remain successful with this initiative.  We are happy with where we are currently and really excited for where we will be in 6 months as we continue to create and mature our automated controls and capabilities in Wiz.

Austin Cheung, Lead Security Engineer, TransUnion

Getting started with these new capabilities is easy. Wiz advanced customers can leverage these capabilities in AWS environments today. To learn more about using these capabilities, explore the Wiz docs (login required). Have questions, comments, or feedback? Do reach out to Wiz. We love hearing from you.