A Deep Dive Into CNAPP and Wiz.io Toxic Pair Feature

Before we can dig into the Wiz.io Toxic Pair capabilities, I need to provide some background information on CNAPP.

You can connect with me on LinkedIn at https://www.dhirubhai.net/in/timlaytoncyber/ or on my blog at https://timlayton.cloud/

Introduction to CNAPP

  • A Cloud-Native Application Protection Platform (CNAPP) is a unified security solution specifically designed for cloud environments.
  • It combines various cloud security technologies, including CSPM, CWPP, CIEM, IaC scanning, and more.
  • CNAPP addresses the need to secure cloud-native applications comprehensively, considering both infrastructure and application layers.

Before we dive into the CNAPP details, I will make sure to summarize CSPM, CWPP, CIEM, and IaC because it is critical to understand this information before moving forward.

Summary of CSPM, CWPP, CIEM, and IaC

CSPM (Cloud Security Posture Management):

  • Purpose: CSPM tools are designed to identify and remediate risks across cloud infrastructures automatically. They help manage the security posture of cloud environments, ensuring configurations align with best practices and compliance requirements.
  • Key Features:
      • Continuous Monitoring: Scans and monitors cloud environments for misconfigurations and compliance violations.
      • Compliance Reporting: Assists in adhering to regulatory standards like GDPR, HIPAA, and more.
      • Risk Assessment: Identifies and prioritizes security risks based on their potential impact.
      • Remediation: Offers guidance or automated actions to rectify detected security issues.
  • Use Cases: Ideal for organizations using cloud services to ensure secure and compliant cloud configurations, especially beneficial in multi-cloud environments.

CWPP (Cloud Workload Protection Platform):

  • Purpose: CWPP solutions focus on securing workloads (like virtual machines, containers, and serverless functions) in cloud and hybrid environments. They offer protection against threats, vulnerabilities, and exploits specific to cloud workloads.
  • Key Features:
      • Runtime Protection: Monitors workloads for malicious activities in real time.
      • Vulnerability Management: Identifies and helps remediate vulnerabilities within workloads.
      • Compliance Assurance: Ensures workloads comply with security policies and standards.
      • Network Security: Offers network-level controls and monitoring for cloud workloads.
  • Use Cases: Useful for organizations with diverse cloud workloads needing protection from threats and vulnerabilities while ensuring compliance.

CIEM (Cloud Infrastructure Entitlement Management):

  • Purpose: CIEM solutions manage and control identity and access entitlements in cloud environments. They address the complexities of cloud access controls, reducing the risks of excessive permissions and identity sprawl.
  • Key Features:
      • Permission Analysis: Evaluates permissions and roles to identify excessive or unused entitlements.
      • Role Optimization: Helps in right-sizing roles and permissions based on actual usage.
      • Anomaly Detection: Identifies unusual access patterns or potential privilege escalations.
      • Governance: Enforces policies around identity and access management.
  • Use Cases: Critical for organizations seeking to manage and secure identity and access in cloud environments, mitigating risks associated with over-privileged accounts.
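Permission analysis and role optimization in practice, as an added example (this is not Wiz code or Wiz output): the script expands the wildcard grants in an IAM policy against a small action catalog, subtracts explicit denies, compares the result with CloudTrail-style usage events, and proposes a least-privilege statement. The policy, the events and the action catalog are constructed sample data; a real tool would load the full IAM action list and a window of actual CloudTrail history, and would also reason about the Resource element, which is ignored here.

```python
"""Right-size an IAM role by comparing granted actions with observed usage.

Added illustration of CIEM permission analysis. Policy, events and the
service action catalog below are constructed sample data, not real accounts.
"""
import fnmatch

# Constructed: a subset of the IAM action namespace, enough to expand the
# wildcards in SAMPLE_POLICY. A real tool loads the complete list per service.
SERVICE_ACTIONS = {
    "s3": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:PutBucketPolicy"],
    "ec2": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"],
    "iam": ["iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy"],
}

# Constructed sample policy: a typical over-broad grant with one explicit deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

# Constructed CloudTrail-style events (only the two fields this script needs).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

# Assumption: unused grants in this set matter most, because they enable
# privilege escalation or data exposure rather than just extra read access.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy",
    "s3:PutBucketPolicy", "ec2:RunInstances", "ec2:TerminateInstances",
}


def expand_allowed_actions(policy, catalog=SERVICE_ACTIONS):
    """Expand Allow statements into concrete actions, then subtract explicit Denies.

    Wildcards are matched case-sensitively with fnmatch, which is how IAM
    action patterns such as 's3:*' or 'ec2:Describe*' behave.
    """
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        target = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in patterns:
            service = pattern.split(":", 1)[0]
            services = catalog if service == "*" else {service: catalog.get(service, [])}
            for actions in services.values():
                target.update(a for a in actions if fnmatch.fnmatchcase(a, pattern))
    return allowed - denied


def used_actions(events):
    """Map CloudTrail events to 'service:EventName'.

    Assumption: event names match IAM action names, which holds for the
    sample; a production tool needs a mapping table for the exceptions.
    """
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def rightsize(policy, events, catalog=SERVICE_ACTIONS):
    """Return (unused_actions, high_risk_unused, least_privilege_statement)."""
    granted = expand_allowed_actions(policy, catalog)
    used = used_actions(events)
    unused = granted - used
    high_risk = unused & ESCALATION_ACTIONS
    # Proposed replacement statement: keep only what the role actually used.
    statement = {"Effect": "Allow", "Action": sorted(granted & used), "Resource": "*"}
    return unused, high_risk, statement


if __name__ == "__main__":
    unused, high_risk, proposal = rightsize(SAMPLE_POLICY, SAMPLE_EVENTS)
    print("unused:", sorted(unused))
    print("review first:", sorted(high_risk))
    print("proposed statement:", proposal)
```

Run as-is, the sample role turns out to use three of its six effective actions, and two of the unused three (iam:PassRole and s3:PutBucketPolicy) are the kind a CIEM would rank first because they enable escalation rather than merely extra reads. The Resource scope is left at "*" in the proposal only because the sample ignores it; in practice the proposal should also narrow resources.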

IaC (Infrastructure as Code):

  • Purpose: IaC is a method of managing and provisioning infrastructure through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. It's a key practice in DevOps.
  • Key Features:
      • Automation: Automates the deployment and management of infrastructure, ensuring consistency and speed.
      • Version Control: Infrastructure changes are versioned and tracked like software code, enhancing collaboration and rollback capabilities.
      • Scalability: Facilitates rapid scaling of infrastructure resources.
      • Infrastructure Documentation: The code serves as documentation for the infrastructure.
  • Use Cases: Essential for organizations adopting DevOps practices, seeking to automate and streamline their infrastructure deployment and management processes.

Understanding these concepts is crucial for effectively managing cloud security and infrastructure as organizations increasingly adopt cloud-native technologies and methodologies. Now we can look at how CNAPP relates to each of them.

CNAPP's Relationship with CSPM, CWPP, CIEM, and IaC

Cloud-Native Application Protection Platform (CNAPP) is an evolutionary step in cloud security, integrating and enhancing the functionalities of Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), and Cloud Infrastructure Entitlement Management (CIEM), and adding security scanning of Infrastructure as Code (IaC) before it is deployed.

Here’s how CNAPP relates to each of these components and why it represents an improvement:

CNAPP Improvements Over CSPM, CWPP, CIEM, and IaC

CSPM Integration:

  • CNAPP includes the capabilities of CSPM, which focuses on identifying and remediating misconfigurations and compliance issues in cloud environments.
  • Improvement: CNAPP detects misconfigurations and correlates these findings with other security data to provide a more holistic view of the cloud security posture.

CWPP Functionality:

  • CWPP provides security for cloud workloads, including virtual machines, containers, and serverless functions. CNAPP encompasses these features, offering protection against threats and vulnerabilities in cloud workloads.
  • Improvement: CNAPP extends CWPP capabilities by integrating them into a broader security context, thus enhancing threat detection and response across the entire cloud environment.

CIEM Features:

  • CIEM manages identity and access in the cloud. CNAPP integrates CIEM to handle the complexity of access controls and entitlements in cloud environments.
  • Improvement: In CNAPP, CIEM is combined with other security dimensions, allowing for more nuanced access and identity management, considering the interdependencies with workload security and compliance.

Incorporation of IaC:

  • IaC practices are critical in cloud environments for automating and managing infrastructure. CNAPP often includes IaC scanning and compliance, ensuring the infrastructure code adheres to security best practices.
  • Improvement: CNAPP's integration of IaC scanning enables proactive security measures, identifying potential risks in infrastructure deployment scripts before execution.
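What "identifying risks in deployment scripts before execution" looks like in code, as an added example that is not a Wiz feature or any vendor's rule set: a small scanner over the JSON that `terraform show -json` produces for a saved plan, run as a pipeline gate before `terraform apply`. The plan document below is constructed sample data in the real plan-JSON layout (planned_values.root_module.resources, with provider attributes under values); the three checks and the severities are assumptions about what a team might choose to block.

```python
"""Gate a Terraform plan on risky settings before apply.

Added example of IaC scanning. SAMPLE_PLAN_JSON is constructed sample data
shaped like `terraform show -json plan.out` output; checks are illustrative.
"""
import json

SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.web", "type": "aws_security_group", "name": "web",
         "values": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         ]}},
        {"address": "aws_s3_bucket_public_access_block.data",
         "type": "aws_s3_bucket_public_access_block", "name": "data",
         "values": {"block_public_acls": True, "block_public_policy": False,
                    "ignore_public_acls": True, "restrict_public_buckets": False}},
        {"address": "aws_iam_policy.app", "type": "aws_iam_policy", "name": "app",
         "values": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    ]}},
})

ADMIN_PORTS = {22, 3389}  # assumption: SSH and RDP must never be world-reachable
PUBLIC_ACCESS_FLAGS = ("block_public_acls", "block_public_policy",
                       "ignore_public_acls", "restrict_public_buckets")


def _resources(plan):
    """Yield every planned resource, descending into child modules."""
    stack = [plan["planned_values"]["root_module"]]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def check_security_group(res):
    """Flag ingress rules that open admin ports (or every port) to the internet."""
    findings = []
    for rule in res["values"].get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        all_ports = rule.get("protocol") == "-1" or (lo == 0 and hi == 0)
        if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append((res["address"], "HIGH",
                             f"ports {lo}-{hi} ({rule.get('protocol')}) open to the internet"))
    return findings


def check_public_access_block(res):
    """Flag S3 public access blocks that leave any of the four flags off."""
    missing = [k for k in PUBLIC_ACCESS_FLAGS if not res["values"].get(k)]
    if not missing:
        return []
    return [(res["address"], "MEDIUM",
             "public access block not fully enabled: " + ", ".join(missing))]


def check_iam_policy(res):
    """Flag customer-managed policies that grant Allow */* (full admin)."""
    findings = []
    doc = json.loads(res["values"]["policy"])
    stmts = doc["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for s in stmts:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = s.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if s.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            findings.append((res["address"], "CRITICAL", "Allow */* grants full administrative access"))
    return findings


CHECKS = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket_public_access_block": check_public_access_block,
    "aws_iam_policy": check_iam_policy,
}


def scan_plan(plan_json):
    """Return (address, severity, message) tuples for every failed check."""
    findings = []
    for res in _resources(json.loads(plan_json)):
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(res))
    return findings


def gate(findings, fail_on=("CRITICAL", "HIGH")):
    """True if the plan may proceed to apply, False if it should be blocked."""
    return not any(sev in fail_on for _, sev, _ in findings)


if __name__ == "__main__":
    results = scan_plan(SAMPLE_PLAN_JSON)
    for address, severity, message in results:
        print(f"{severity:8} {address}: {message}")
    print("apply allowed:", gate(results))
```

In a pipeline this would read `terraform show -json plan.out` from stdin and exit non-zero when `gate` returns False, which is the "before execution" property the text describes: the world-open SSH rule and the Allow */* policy are caught while they are still text in a pull request rather than resources in an account.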

CNAPP Value Proposition

Cloud-Native Application Protection Platforms (CNAPPs) are critical for cloud computing due to several key reasons:

Comprehensive Security Coverage: CNAPPs provide an all-encompassing approach to cloud security. They integrate various functionalities like Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), and Cloud Infrastructure Entitlement Management (CIEM) into a single platform. This comprehensive approach is crucial for addressing the multi-faceted security challenges in cloud environments.

Adaptability to Cloud Dynamics: Cloud environments are dynamic, scalable, and distributed by nature. CNAPPs are designed specifically for these environments, providing the flexibility and scalability to secure cloud-native applications effectively.

Automated Threat Detection and Response: CNAPPs automate detection and prioritization, correlating signals across the environment (with machine learning in some products) so that findings surface in near real time. This matters in cloud environments where the speed and volume of change outpace manual review.

Enhanced Visibility and Control: CNAPPs offer deep visibility into cloud environments, spanning infrastructure, applications, and data. This visibility is crucial for detecting misconfigurations, vulnerabilities, and unauthorized activities that could lead to security breaches.

Proactive Risk Management: By continuously monitoring and assessing cloud environments, CNAPPs help organizations manage risk proactively, surfacing exposures and configuration drift so they can be addressed before they are exploited or escalate into incidents.

Compliance and Governance: With the increasing number of data security and privacy regulations, CNAPPs aid in ensuring compliance. They provide monitoring, reporting, and auditing tools to meet various regulatory requirements.

Facilitation of DevSecOps: CNAPPs integrate security into the DevOps process (DevSecOps), promoting a culture where security is a shared responsibility and an integral part of the development lifecycle. This integration is crucial for securing cloud-native applications from the outset because the traditional roles of network engineers, security engineers, IT administrators, and programmers have been mushed together in the cloud and are now the responsibility of the DevOps engineer. While this helps create efficiency, it also introduces new risks.

Reduction of Complexity and Cost: By consolidating multiple security tools and processes into one platform, CNAPPs reduce the complexity and operational costs of managing separate security solutions.

CNAPPs like Wiz.io are critical for cloud computing as they offer a unified, scalable, and automated approach to securing cloud-native applications, infrastructure, and data. They address the unique challenges of cloud environments, making them indispensable for organizations looking to leverage the cloud securely and efficiently.

Why CNAPPs are Crucial

  • Traditional security methods fall short in cloud environments characterized by their dynamic, ephemeral, and scalable nature.
  • CNAPP exists due to the shift to cloud-native environments and their unique security challenges, including complex attack vectors, rapid scalability, and DevOps taking on the roles of network engineer, IT administrator, cybersecurity engineer, and programmer.
  • Because the DevOps engineer now carries all of those roles, misconfigurations are introduced in code rather than at a console. CNAPP's IaC scanning catches those risks in the deployment code before it executes, which is where this consolidation of roles is best managed.

Security Challenges Addressed by CNAPP

  • Cloud complexity and dynamic nature create new attack paths and require a different threat detection and response approach.
  • Traditional agent-based tools lead to visibility gaps wherever an agent was never installed; CNAPP's agentless approach (scanning workloads through cloud APIs and disk snapshots) covers new workloads automatically as they appear, closing those gaps. The trade-off is that snapshot scanning does not observe in-memory or transient runtime activity between scans, so it complements runtime telemetry rather than replacing it where that matters.
  • Standalone tools create siloed operations; CNAPP offers a unified platform, reducing operational overhead and improving risk prioritization.

Wiz.io Approach and Features

Wiz.io is a Cloud-Native Application Protection Platform (CNAPP) that offers a comprehensive security solution for cloud environments. There are many other CNAPP vendors in the space competing with Wiz.io.

Wiz.io integrates a variety of security tools and capabilities to provide visibility and protection for cloud-native applications across the full stack and throughout their lifecycle.

Wiz.io's platform is designed to identify and remediate security risks in near real time, offering features such as automated threat detection, vulnerability management, compliance monitoring, and identity and access management.

Its agentless approach ensures extensive coverage and rapid deployment, making it an effective tool for organizations looking to secure their cloud infrastructure against a wide array of security threats.

  • Wiz.io utilizes a graph-based model for risk analysis, emphasizing the significance of context in understanding complex cloud environments. I think of this as the visualization of toxic pairs with the additional benefits of risk ratings that allow swift prioritization of active threats.
  • Wiz.io provides complete visibility across all cloud services and resources, including VMs, serverless functions, and containers. This is especially important with the dynamic nature of serverless functions.
  • Wiz.io’s agentless architecture ensures comprehensive coverage without the performance impact associated with agents.

Other CNAPPs provide the toxic pair functionality in their own way, and I cannot possibly cover all vendors. I find the Wiz.io user interface to be exceptional and intuitive. It is simple and clean, it enables quick detection of important issues that need investigation and attention, and the onboarding of subscriptions through a simple connector process is about as easy as it can get.

Toxic Pairs Detection

  • Wiz.io identifies 'toxic pairs' (Wiz's own term is toxic combinations): findings that are individually moderate, such as a network exposure, an exploitable vulnerability, an over-privileged identity, or access to sensitive data, but that together form an exploitable path and therefore a significant risk.
  • This feature aids in preemptively recognizing and addressing potential breach paths, enhancing overall cloud security posture.

The screenshot from the Wiz.io platform below indicates a compound security risk detected within a cloud environment. In the sections below, I will summarize how this can help cybersecurity and DevSecOps professionals.

Summary:

  • Issue: The primary concern highlighted is a publicly exposed virtual machine (VM) or serverless function with a high/critical severity network vulnerability and access to sensitive data.
  • Severity: The issue is marked as critical, suggesting immediate attention and remediation is required.
  • Vulnerability Details: The issue details include a Common Vulnerability Scoring System (CVSS) score, indicating that the vulnerability is known and likely has a publicly disclosed Common Vulnerabilities and Exposures (CVE) identifier. The vulnerability reference is linked, providing a quick path for investigation.
  • Risk Context: The description notes that an attacker could exploit this vulnerability to execute code or manipulate the publicly exposed resource due to its high privileges, potentially leading to data breaches.
  • Environment: The subscription is marked as AWS, implying that the resources are hosted on Amazon Web Services.
  • Attack Path Visualization: The visualization graphically represents the attack path, showing how various AWS services, including EC2 instances and S3 buckets, are interconnected and could be involved in potential exploit scenarios.
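The logic behind that visualization, as an added example (not Wiz's graph engine, query language or data): the three factors in the issue title (public exposure, a high-severity network vulnerability, reachable sensitive data) are found by walking a resource graph from the internet node through compute and identity to data. The graph schema, the edge names, the CVSS threshold and the sample resources are all constructed for illustration; the vulnerability identifiers are placeholders, not real CVEs.

```python
"""Find 'toxic pairs' in a cloud resource graph: internet exposure, an
exploitable vulnerability and reachable sensitive data on a single path.

Added example. Schema, edge types and inventory below are constructed;
vulnerability ids are placeholders, not CVE numbers.
"""
from collections import deque

# Constructed inventory. Edge types used:
#   internet -> compute : ALLOWS_INBOUND (security group / function URL open to 0.0.0.0/0)
#   compute  -> role    : ASSUMES        (instance profile or execution role)
#   role     -> data    : CAN_READ       (s3:GetObject or equivalent granted)
GRAPH = {
    "nodes": {
        "internet": {"type": "internet"},
        "ec2/web-01": {"type": "ec2", "vulns": [{"id": "vuln-a", "cvss": 9.8, "network": True}]},
        "ec2/batch-02": {"type": "ec2", "vulns": [{"id": "vuln-b", "cvss": 9.1, "network": True}]},
        "lambda/ingest": {"type": "lambda", "vulns": [{"id": "vuln-c", "cvss": 5.3, "network": True}]},
        "role/web": {"type": "iam_role"},
        "role/batch": {"type": "iam_role"},
        "role/ingest": {"type": "iam_role"},
        "s3/customer-pii": {"type": "s3", "classification": "PII"},
        "s3/static-assets": {"type": "s3", "classification": "public"},
    },
    "edges": [
        ("internet", "ec2/web-01", "ALLOWS_INBOUND"),
        ("internet", "lambda/ingest", "ALLOWS_INBOUND"),
        ("ec2/web-01", "role/web", "ASSUMES"),
        ("ec2/batch-02", "role/batch", "ASSUMES"),   # exposed to nothing: not a toxic pair
        ("lambda/ingest", "role/ingest", "ASSUMES"),
        ("role/web", "s3/customer-pii", "CAN_READ"),
        ("role/batch", "s3/customer-pii", "CAN_READ"),
        ("role/ingest", "s3/static-assets", "CAN_READ"),
    ],
}

SENSITIVE = {"PII", "PHI", "PCI", "secrets"}
CRITICAL_CVSS = 9.0  # assumption: 9.0+ is critical; lower it to 7.0 to include 'high'


def adjacency(graph):
    adj = {}
    for src, dst, kind in graph["edges"]:
        adj.setdefault(src, []).append((dst, kind))
    return adj


def worst_network_vuln(node):
    """Highest-CVSS vulnerability that is reachable over the network, or None."""
    vulns = [v for v in node.get("vulns", []) if v.get("network")]
    return max(vulns, key=lambda v: v["cvss"], default=None)


def find_toxic_pairs(graph, min_cvss=CRITICAL_CVSS):
    """Return one finding per (exposed, vulnerable compute -> sensitive data) path."""
    adj, nodes, results = adjacency(graph), graph["nodes"], []
    for compute, kind in adj.get("internet", []):
        if kind != "ALLOWS_INBOUND":
            continue
        vuln = worst_network_vuln(nodes[compute])
        if vuln is None or vuln["cvss"] < min_cvss:
            continue  # exposed but not exploitable: exposure alone is not a toxic pair
        # Breadth-first walk from the compromised compute to any sensitive store.
        queue, seen = deque([(compute, [compute])]), {compute}
        while queue:
            cur, path = queue.popleft()
            for nxt, _ in adj.get(cur, []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                if nodes[nxt].get("classification") in SENSITIVE:
                    results.append({"severity": "CRITICAL", "entry": compute, "vuln": vuln["id"],
                                    "cvss": vuln["cvss"], "data": nxt,
                                    "path": ["internet"] + path + [nxt]})
                else:
                    queue.append((nxt, path + [nxt]))
    return sorted(results, key=lambda r: -r["cvss"])


def break_points(graph, finding):
    """Edges whose removal alone dismantles the path (plus patching the entry)."""
    kinds = {(s, d): k for s, d, k in graph["edges"]}
    path = finding["path"]
    options = [f"remove {kinds[(s, d)]} {s} -> {d}" for s, d in zip(path, path[1:])]
    return options + [f"patch {finding['vuln']} on {finding['entry']}"]


if __name__ == "__main__":
    for f in find_toxic_pairs(GRAPH):
        print(f["severity"], " -> ".join(f["path"]), f"({f['vuln']}, CVSS {f['cvss']})")
        for option in break_points(GRAPH, f):
            print("   fix:", option)
```

Two things the walk makes concrete that the list above only states: the batch instance carries a critical vulnerability and can read the same PII bucket, but is not reachable from the internet, so it produces no critical issue, and the exposed Lambda has a path only to public assets, so it produces none either. And `break_points` shows why the "Strategic Remediation" bullet lists three different fixes: closing the exposure, patching the entry point, or revoking the read grant each removes the toxic pair on its own, so the team can pick the cheapest one first.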

Analysis for Cybersecurity Professionals

  • Identification of Immediate Risks: The visualization helps identify the immediate risks and how they are connected within the cloud architecture. The cybersecurity professional can see the potential path an attacker might take, saving a lot of time during the investigation process.
  • Prioritization of Threats: Since the issue is marked critical and is tied to a publicly documented vulnerability on an internet-exposed resource, it should be prioritized above vulnerabilities that lack either the exposure or the data access. This helps in allocating resources effectively.
  • Attack Vector Understanding: The visualized attack path provides a clear picture of how an attacker could leverage the exposed VM/serverless function to move laterally or escalate privileges within the cloud environment.
  • Strategic Remediation: Based on the information, a cybersecurity professional can strategize a remediation plan that may involve patching the vulnerability, changing configurations to limit public exposure, and modifying permissions to reduce access to sensitive data.
  • Collaboration and Documentation: The ability to comment, create a ticket, and give feedback directly from the platform shows that the tool is designed for collaboration among security teams and for maintaining a record of security issues and their resolution.
  • Ongoing Monitoring: The status "In Progress" indicates that the issue is currently being addressed, and the cybersecurity professional would ensure that continuous monitoring is in place for any changes in the risk posture.

How DevSecOps Would Use This Information:

Immediate Action: Initiate a response to the critical issue, likely involving both infrastructure and security teams to address the vulnerability and secure the sensitive data.

Risk Assessment: Evaluate the broader security implications for the cloud environment, considering the interconnected nature of cloud services.

Policy Review: Analyze whether existing security policies need to be updated to prevent similar occurrences, potentially involving a review of IaC configurations for automated deployments.

Incident Response Coordination: Use the platform's capabilities to coordinate an incident response, ensuring that all relevant parties are informed and involved in the remediation process.

Compliance Implications: Consider the compliance implications of the exposure, especially if the sensitive data pertains to regulated information.

Overall, the information serves as a detailed and actionable alert for cybersecurity professionals, providing critical information for immediate and strategic actions to secure the cloud environment against identified risks.

Benefits for Cybersecurity Teams

  • CNAPP, particularly with Wiz.io’s capabilities, allows cybersecurity professionals to address cloud-native security challenges more effectively and proactively versus using a post-incident detection approach.
  • It offers a holistic view of the cloud environment, enabling better prioritization and response to real and active threats.
  • The integration of CNAPP into CI/CD pipelines facilitates a shift-left approach, identifying and addressing security issues early in the development cycle.

Conclusion

  • For cybersecurity professionals, CNAPP, and specifically Wiz.io’s approach to toxic pairs detection, represents a significant evolution in cloud security.
  • It provides a more nuanced and effective way to manage cloud security risks, aligning with cloud-native environments' dynamic and complex nature.
