Exploring the Wiz Cloud Security Platform
Key Takeaways
The video explores the Wiz Cloud Security Platform, which is presented as providing 100% visibility and big-picture coverage of an entire business environment, and demonstrates its features and tools for cloud security, vulnerability management, and AI security.
Full Transcript
Cloud security isn't just the cheesy saying of "oh, it's someone else's computer." Even with hosting providers like AWS, GCP, Azure and more, it's still your operational infrastructure and your attack surface. But between all the different kinds of cloud technologies, even mixing in container security, Kubernetes and AI, there is a lot to juggle. Obviously it's a whole another world compared to traditional endpoint security. So look, let me tell you about some sweet tooling that you can use to not just gain visibility over all your cloud assets but even detect and prevent against threats, all with the context of your entire environment. And let me be straight up: this is a fully featured and dedicated video for our sponsor Wiz. But hey, we use Wiz, like, at my day job. We love it. Everyone I know that uses Wiz absolutely loves it. And by the way, they're kind of the fastest growing software company, like, literally ever, and even Google wanted to buy them for like $23 billion. That's the biggest one of cash they've ever put on the table. So seriously, Wiz is a big deal and they're freakin fantastic.

They do also have a ton of sweet free educational resources, like a CTF or Capture the Flag war game equivalent. I've showcased their EKS Cluster Games a bit before, but a really cool new one they have is Prompt Airlines. That's online at promptairlines.com and it's all about AI security and those prompt engineering tricks. Super cool stuff.

But anyway, let me show you a bit of their platform. Wiz connects to your environment and then scans everything without an agent, so you get that 100% visibility and the big picture coverage of your entire business, and then it calculates all the potential risk factors across your org. Think like network exposure, vulnerabilities, identity threats, misconfigurations, everything. They do all this with that holistic approach and context to track down what they call toxic combinations that a threat actor or any attacking adversary could leverage. Those are, at the end of the day, the most critical risks that you want to solve within your environment to improve your security posture.

But let's check out the dashboard. We can dive into one of those critical risks and a toxic combination as an example of what might threaten your business. Here's a simple one, right? Let's start small. Let's say there was a publicly exposed virtual machine or serverless function that has a super high severity vulnerability affecting it. There's a known public exploit out and about already in the wild, and worst of all, this cloud asset actually has access to sensitive data within your org. But look at the coolest part here: check out that attack path visualization. Wiz will give you basically a whole flowchart as to how this goes down. You can see all of the involved resources, what the potential damage and impact might be, and it'll even cover some of the remediation. We'll touch on that in a sec, but I do want to show you the security graph here. Say you've got an AWS EC2 instance that you can see is absolutely publicly exposed, and if you want you can totally click into this. This is all interactive here. With that you can see the exact path and route to the internet, like you've got your load balancer, all the network interfaces, you know. But if you click into any of the endpoints you can get the external perspective, like what does this attack surface look like from the outside? And there's no secrets here, right? Oh, just a classic HTTP 200 status OK and a typical nginx server just doing its thing. But I do love that it captures a screenshot and it really renders what it looks like in a web browser. Even something as simple as that can really help you uncover stuff that you just don't want to be publicly exposed.

What about that vulnerability though? We can drill down into it and see that it is CVE-2020-9283. Now I know that for some team members, I'm thinking like upper management or whatever, they don't particularly care about what that CVE identifier is or all the tech details, but maybe you or us techs at the end of the day want to get that detail. All in all, we know that it's bad and we want to get that vulnerability fixed. You've got all the technical insight outlined here, and you can even see just how readily available an exploit is. Like in this case, it's just flat out on Exploit-DB. But keep in mind the context here. Wiz is going to give you all that visibility, so you know that this threat will offer access to an IAM role. There's a whole identity aspect here, and following through the green colors here you can see that IAM role has access to other S3 buckets, maybe like internal storage, right? And that has some sensitive stuff: PII, emails, data that you just don't want to have compromised. From cradle to grave though, what we're looking at is the big picture for what could totally be a data breach. That could be something in the news or headlines for your business. And I know when we say "oh, it's in the cloud, it's someone else's computer," the onus and ownership of security is still on you. So it's a matter of having that visibility to even first identify and then correlate what leads to what in your environment. That is a toxic combination, and with Wiz you got all the actionable details to tell you this is a critical risk. If you wanted to interrogate a little bit more though, you can get the full details of that cloud asset. You can see that it might be running Docker containers, maybe some Kubernetes in the mix, and even other vulnerabilities that Wiz discovered.

So what do we do? How do we fix this up? Well, you've got this remediation tab right over here that gives you the play-by-play instructions as to what to change. Now obviously this varies, right, from one issue to another, and some of the bullet points might have to be a little bit more generic or strategic than tactical, but at the bottom here you can just as easily generate remediation steps for whatever solution you might be working with. You've got the classic command line, you've got the AWS console, Terraform and more. If you've connected Wiz to your GitHub source code repository and CI/CD pipeline, Wiz can even trace the vulnerability through the pipeline back to the code and person that committed it, all using the graph, and even give you a single-click pull request to fix it. And if you want an easy button, you can click that Ask AI magic and have that clean all things up for you with a little bit more brass tacks details.

And speaking of AI, I know it's a hot topic, but it's obviously very real and here to stay. So when we dig into AI security, Wiz has a ton of functionality to protect you there too. But it's the real stuff. It's not like fluff or just throwing buzzwords around. They're literally tracking what AI services you in your organization might be using, even if you don't even realize, like services that are just offered by the cloud providers themselves, or in apps that you might use, or even your own models that you might use in your infrastructure. Obviously a lot of folks rush to adopt AI crazy fast, and security hasn't really been on the forefront of their minds in that process. So again, first pillar of our process here: Wiz and their agentless scanning is going to build out that inventory of what AI components are in your environment. You can see here some of the platform as a service tricks, that PaaS acronym, things like AWS Bedrock, SageMaker, Azure OpenAI and all those. Super handy here though to see at a glance how many resources utilize this or how many instances of this you have in your environment across different projects. For each and every component you've got the visibility of your hosted AI models, like Hugging Face here, LangChain and all the other software tidbits you have that are related to AI. But the biggest thing here are these exposed secrets or sensitive API keys. Obviously that's Bad News Bears. And look, I'm sorry, I'd love to ask, I'd love to get your opinion, right? How many orgs do you think even have an inventory, like a list of things like this? Not even in the direction of AI, but just an asset and application inventory. Do you have an accurate, up-to-date and ultimately documented asset inventory, especially for cloud infrastructure? Anyway, I don't mean to fall down the rabbit hole here, I'm sorry, but I do think that is one of the most awesome parts of Wiz, and that's like part number one.

Wiz is doing the same toxic combination analysis even for AI, and a ton of their researchers are digging into these threats and seeing what other risks exist. They have one use case here that I'd love to show off, because this is an attack technique that targets exposed buckets that have AI training data, but it's world-writable. So think like anyone on the internet can totally poison your training data, ultimately meaning new bad results and outputs to anyone that uses the AI. That obviously opens the door for further damage. Think like adding in links for either compromised websites, further malware, phishing and social engineering. That laundry list just goes on and on. But take a look here. Wiz is tracking an exposed resource on the Google Cloud Platform that has those weak access controls, and anyone can manipulate or tamper with the data that is used to train, in this case, GCP Vertex AI. If you click into the IAM bindings here, you can see everyone in the world has data read and write access. There's nothing stopping a bad actor from just clobbering your training data and getting some malicious inputs into your AI solution. That's kind of wild. Wiz is still doing what they do best here though. They've got the remediation steps you can generate as always, and the big picture view with context of how this holistically impacts your environment.

I hope you got a chance to see though, we're talking about all the big players here. Like, Wiz is streamlined to play nice with GCP, AWS, Azure. It's working everywhere. I know though, so far we've kind of been in like aisle one for the NIST Cybersecurity Framework and the Cyber Defense Matrix and all. We've been chatting a lot about identifying buing your attack surface and knowing your environment with that asset inventory and holistic approach, but there is more to dig into here. Wiz can do so much more for that active prevention or detection of threats. So honestly, I got together with some of their folks and I tried to pick their brain about, hey, what are the new innovations and new capabilities that they're bringing to the table? I got to chat with Alma Raziel and Greg Zemlin, some of the product managers at Wiz, and I do want to let them chime in a bit.

And, uh, I know you went through a whole lot of inventory to start, like, hey, getting the telemetry, kind of having the insight as to what is actually in your environment, especially in the case of AI as well. Um, how has that changed over time? Because if I may, I know you all have seen incredible growth, um, but has there been sort of a path and a trajectory of, okay, getting the inventory and then moving to defense? Is there a little bit of prevention, or, uh, how is the security approach kind of changed throughout you all building and building and building and making this awesome thing?

That's actually a great question. So I think where we started, and where is kind of, uh, the core functionality of Wiz, is with actually creating the inventory for the environment, gaining the visibility, and then spotting the most critical risks that we see in the environment and telling you to fix them. So actually, uh, we also have a club, uh, for customers that reach zero critical issues. Like, this is what we, uh, say is the goal when you connect Wiz for, uh, your environment: you want to reach zero critical issues in order to reduce your attack surface in the environment. And then once we, uh, achieve that, then there are two more directions that we're going to, uh, this last year, that can, uh, kind of expand security both left and right. So if we're talking about shifting security left, we're talking about, uh, connecting also into, uh, the SDLC systems, being able to, uh, scan the code that is finally being deployed to the cloud environment, and this helps us achieve a few different goals. So first of all, it makes the remediation for what, uh, we see regarding risk in the cloud environment a lot easier, because we can track everything back to the source code and actually tell you where, uh, for example, the container image that has the vulnerability is, uh, actually, uh, stored and where you can just fix it in the code, so it will affect all of the machines, not only, uh, a single machine that you will patch. So that is one thing. It can also, uh, help preventing from the risk ever reaching the environment, because if you scan the code before you actually deploy it, you can, uh, know what the effect of this code will be on the environment and prevent any risk from happening in the first place. And then lastly, we can also secure the SDLC system, uh, itself for any misconfigurations that might be there as well. So that is, uh, kind of the left side. And then if we go to, uh, to the right side, then of course we have, uh, real-time, uh, threat detection and response. So very exciting times for detection and response now at Wiz, as we are, uh, working, uh, after the Gem Security acquisition, uh, a few months ago. We're working towards, uh, a lot of new exciting features in detection and response, and of course we already have the runtime sensor that's doing real-time threat detection. So, uh, tune in to, uh, to hear more in the near future about that.

One thing to elaborate a little bit there is, like, really taking it from that approach that Alma just described, and really, like, a natural evolution through the product. It allowed us to build everything right. It is, like, truly one unified product here. And so, um, I didn't show you, but those vulnerabilities that we were looking at in that first toxic combination, like, all the developer information there, the repo information, who did the commit, like, what layer, uh, actually in the code the vulnerability's in. Um, and it's the same approach that we're taking with Gem. So we did acquire them, um, but the good news is, like, they're a new company. They were just like in build, build, build phase of their product and saw some tremendous success. Um, but instead of bringing that product on and trying to do some front-end magic, we went back from the ground up and we're rebuilding all of Gem's technology on, uh, Wiz infrastructure just to ensure that we keep that consistency across the product.

Fun fact: we are actually part of that zero critical club. They sent us some sweet swag for maintaining an average of zero high and critical findings. I think it's pretty sweet, not going to lie. But all righty, I don't mean to keep rambling here, but honestly, seriously, I'm a huge fanboy of Wiz. I think they have a beautiful, like, usable product that is practically magic for cloud security, and I do want to echo the sentiments that Greg and Alma shared with me. Like, really, you got to play with the thing. Super encouraging folks to interact with the platform, see the interface and watch it in action. If you are a little bit keen on learning more about Wiz, check them out with the link below in the video description, jh.live/wiz. Thank you so much for watching. Please do all those YouTube algorithm things like comment, subscribe, and with that I'll see you in the next video.
Original Description
https://jh.live/wiz-2024 || Get the big picture of your security posture across your entire cloud environment with Wiz and their Cloud Native Application Protection Platform: https://jh.live/wiz-2024
Play Prompt Airlines for free: https://promptairlines.com/