A few months ago, we announced Wiz Remediation and Response. Today, we are thrilled to extend enhanced remediation and response capability to support Azure and GCP cloud environments. As a result, Cloud security teams on all major public cloud environments can enforce security best practices in real-time and empower incident responders to quickly contain and minimize the impact of security incidents.  

As a quick recap, Wiz remediation and response enables the following capability:  

1. Investigate misconfigurations that Wiz detected and enable one-click remediation.  

2. Implement automation rules to auto-remediate misconfigurations that deviate from an organization's security policies.  

3. Use real-time response in conjunction with Wiz’s real-time cspm detection.  

4. Respond to and contain unfolding incidents to reduce the potential blast radius.  

5. Customize infrastructure to add new remediation functions tailored to the organization's unique needs. 

Cloud security remediation and response are critical for minimizing the impact of security threats in cloud environments. Swift and effective responses help prevent incidents from escalating, reducing potential damage and operational downtime. By implementing robust remediation processes, organizations can proactively address misconfigurations, ensuring a strong security posture that keeps pace with evolving threats. 

Remediation and Response for cloud security teams  

Cloud security teams prioritize remediation to proactively manage risks, minimize the impact of threats, and ensure a resilient security posture. Rapid remediation addresses misconfigurations before attackers can exploit them, reducing the overall attack surface. Effective remediation and response are also essential for meeting compliance standards, protecting sensitive data, and maintaining customer trust, ultimately contributing to a more secure and reliable cloud environment. Common cloud misconfigurations for cloud security teams include: 

Ensure cloud networking is not open to the internet: Remediation and Response provides dozens of out of the box response actions, including actions to prevent access to cloud-based services from any address on the internet (0.0.0.0/0). For example, ports 80 and 443 may be open to the entire internet deliberately as part of a web application to end users, but other services as part of that stack such as SQL based services, and Linux VMs should only be accessible to specific internal addresses. 

Publicly Exposed Storage Buckets: Leaving storage resources like Azure Blob or Google Cloud Storage publicly accessible risks exposing sensitive data, leading to potential compliance and security issues. 

Add data protection to storage buckets: A common tactic of attackers is to target an organization's data, deleting/encrypting it and then exfiltrating it for ransom. Wiz can identify storage buckets that do not have native protections enabled and harden their security posture so that features such as object versioning and MFA delete are enforced, providing an extra layer of protection in the event of a cyber security data breach. 

Enforce strong account password policies: By default, cloud account password policies may be less stringent than an organization's agreed standard baseline. Using Wiz, you can scan all connected cloud subscriptions for weak password requirements and set a much more robust baseline with example requirements for such items as minimum password length, uppercase/lowercase character requirements, password expiry and more. 

Remediation and response for Incident Response teams  

Response capabilities in the cloud are essential for the incident response team because they enable quick containment and resolution of threats, reducing the risk of data breaches and minimizing operational disruption. These capabilities allow responders to act in real-time, limiting the spread of incidents and protecting sensitive resources from further exposure. Some common potential actions that teams can take in-response to incident include  

Suspend or terminate virtual machine: Suspending or permanently terminating a virtual machine can halt any malicious activity originating from it. This action is crucial to prevent further compromise of your data and systems, allowing time for thorough investigation and remediation. This containment step is essential to control the damage while you analyze and address the security breach. 

Isolating a virtual machine from its network connectivity: Isolating a virtual machine from the network stops it from communicating with other systems, mitigating the risk of spreading the attack. 

Detach role from the compute instance: Removing the role from a compute instance revokes its permissions, thereby limiting its access to other resources. This action helps prevent unauthorized activities and data breaches by ensuring the compromised instance no longer has the credentials to perform potentially harmful operations. 

Getting started with these new capabilities is easy. Wiz advanced customers can leverage these capabilities today. To learn more about using these capabilities, explore the Wiz docs (login required). Have questions, comments, or feedback? Do reach out to Wiz. We love hearing from you.