A single cloud security incident can stop an enterprise in its tracks, sometimes resulting in irreparable damage to its operation, reputation, and customer loyalty. One key strategy for preventing such incidents is combining complementary cybersecurity tools to defeat threats at scale.
A coherent Cyber Security Incident Response Planning (CSIRP) approach requires enterprises to select and integrate the right tools before a security incident occurs. Torq’s next-generation orchestration and automation capabilities combined with Wiz Cloud Detection & Response empowers forward-thinking security teams to analyze cloud events and alerts from services like Amazon GuardDuty alongside the rich context provided by the Wiz Security Graph.
“The combination of Torq’s no-code security automation approach that delivers immediately actionable response and Wiz’s comprehensive contextual and accurate malicious activity identification means we can focus on high-level threats without being overwhelmed by cloud alerts. Torq and Wiz work seamlessly together to give us a major real-time advantage in mitigating the ever-evolving cloud-based threat landscape.” - CISO of a major gaming company
Customers are already seeing that combining Torq and Wiz means the whole is far greater than the sum of the parts.
Achieve a Coherent CSIRP with Wiz and Torq
In its Computer Security Incident Handling Guide (Special Publication 800-61), NIST advises organizations to strengthen their capabilities in four broad areas:
- Detection and Analysis
- Containment / Eradication / Recovery
- Post-Incident Lessons Learned and Documentation
To better understand these areas, let’s apply them to a hypothetical brute force attack.
To be prepared for a brute force attack, you should:
1. Set up the infrastructure to identify potential attacks
Amazon GuardDuty can continuously monitor network and endpoint activity in production cloud environments to detect brute force attacks (amongst many others). Furthermore, Amazon CloudWatch Events or Amazon EventBridge should be configured to monitor events on new or updated GuardDuty findings. These events will later be consumed by an automation and orchestration system to enrich, analyze, and remediate the issues.
2. Analyze the assets’ context
Understanding the topology of your cloud environment, maintaining up-to-date connection states, and knowing which assets have access to sensitive data are critical to prioritizing response efforts to an attempted brute force attack. The Wiz Security Graph discovers and correlates these signals, providing incident responders with important context. For example, Wiz will alert on an SSH brute force attack when attempted on a publicly exposed asset that allows password authentication and has high permissions to the organization’s cloud environment.
3. Orchestrate analysis and resolution
Notifications of new potential threats must be handled and interpreted consistently and programmatically (i.e., with minimal involvement of human analysts) in order to operate at scale. Torq allows enterprises to automate the data and response flows generated by the Wiz Security Graph, making it possible to route remediations either directly to DevOps or to the security team for a quick triage first. The owners of the at-risk assets receive all the relevant contextual information around the alert so they can resolve the issue quickly and shorten the MTTR significantly. Torq’s no-code automation platform lets you build these workflows from scratch, leverage hundreds of security process templates, and adjust them to the needs of every environment.
Here’s how Torq combines with Wiz to create autonomous responses to security events:
The detection stage begins with Wiz delivering an alert based on an Amazon GuardDuty event together with the context of the cloud environment. The alert immediately drives the execution of an automated response workflow in Torq.
In the analysis stage, contextual data about the asset’s external exposure is retrieved from the Wiz Cloud Security Graph as part of the alert. If there is also internal exposure, further analysis is conducted to understand the possible connections between the attacked asset and the crown jewels that might be reachable from it.
In the containment stage, particular sources of the attack can be blocked by modifying the Security Groups and Access Control Lists, as well as by prompting an additional wider response to the potential threat. Further eradication of an issue can be achieved by orchestrating changes in the configuration of the cloud assets to improve their security posture and by enforcing multi-factor authentication and strong passwords.
Torq enables enterprises to respond by both triggering containment flows and alerting the relevant teams in the organization on the event, preventing them from wasting crucial time.
The incident audit trail is created to chronicle lessons learned so that related threats can be mitigated better in the future. Security teams can use the audit trail together with the visibility they get from the Wiz Security Graph to identify potential weak points and work to mitigate them in advance.
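The three preparation steps above (GuardDuty finding, asset context, orchestrated response) and the detection / analysis / containment / audit stages just described are the same flow seen from two angles. The following Python is an added example of that flow written as a small triage handler; it is not Torq or Wiz code. The input is a constructed EventBridge event in the shape AWS uses for GuardDuty findings, the asset context is a hand-built dictionary standing in for the graph-derived context the post describes (exposure, password authentication, permissions, reachable sensitive assets), and every action name (`block_source_ip`, `disable_ssh_password_auth`, `review_network_path`) is a hypothetical label for a step a workflow would carry out, not an API of either product.

```python
"""Triage and containment planning for a GuardDuty SSH brute force finding.

Added example, not Torq or Wiz code. The event follows the EventBridge
envelope for GuardDuty findings; the asset context and action names are
constructed stand-ins for what an automation workflow would consume and emit.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: an EventBridge event carrying a GuardDuty finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "resource": {"instanceDetails": {"instanceId": "i-0example1234567890"}},
        "service": {"action": {"networkConnectionAction": {
            "connectionDirection": "INBOUND",
            "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
        }}},
    },
}

# Constructed asset context, standing in for graph-derived context
# (exposure, authentication settings, permissions, reachable data).
ASSET_CONTEXT = {
    "i-0example1234567890": {
        "publicly_exposed": True,
        "password_auth_enabled": True,
        "high_privilege_role": True,
        "reachable_crown_jewels": ["prod-customer-db"],
        "owner": "team-payments@example.com",
    }
}


@dataclass
class ResponsePlan:
    finding_type: str
    instance_id: str
    source_ip: str
    priority: str
    actions: list = field(default_factory=list)   # (hypothetical action, target)
    notify: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def extract_finding(event):
    """Detection stage: pull the needed fields out of the EventBridge envelope."""
    if event.get("source") != "aws.guardduty":
        raise ValueError("not a GuardDuty event")
    d = event["detail"]
    conn = d["service"]["action"]["networkConnectionAction"]
    return {
        "type": d["type"],
        "instance_id": d["resource"]["instanceDetails"]["instanceId"],
        "source_ip": conn["remoteIpDetails"]["ipAddressV4"],
        "inbound": conn["connectionDirection"] == "INBOUND",
    }


def prioritize(ctx):
    """Analysis stage: rank by exposure, weak authentication and blast radius."""
    score = sum([
        2 if ctx["publicly_exposed"] else 0,
        1 if ctx["password_auth_enabled"] else 0,
        1 if ctx["high_privilege_role"] else 0,
        1 if ctx["reachable_crown_jewels"] else 0,
    ])
    if score >= 4:
        return "critical"
    if score >= 2:
        return "high"
    return "medium"


def build_plan(event, context_db=ASSET_CONTEXT, now=None):
    """Detection -> analysis -> containment/eradication -> audit trail."""
    f = extract_finding(event)
    ctx = context_db.get(f["instance_id"])
    if ctx is None:
        raise LookupError(f"no context for {f['instance_id']}")
    plan = ResponsePlan(f["type"], f["instance_id"], f["source_ip"], prioritize(ctx))
    ts = (now or datetime.now(timezone.utc)).isoformat()
    plan.audit.append(f"{ts} finding {f['type']} on {f['instance_id']} from {f['source_ip']}")
    # Containment: block the attacking source at the network boundary (SG / NACL).
    if f["inbound"]:
        plan.actions.append(("block_source_ip", f["source_ip"]))
    # Eradication: remove the weak authentication path on the asset.
    if ctx["password_auth_enabled"]:
        plan.actions.append(("disable_ssh_password_auth", f["instance_id"]))
    # Wider response when the asset can reach sensitive data.
    for target in ctx["reachable_crown_jewels"]:
        plan.actions.append(("review_network_path", f"{f['instance_id']}->{target}"))
    plan.notify.append(ctx["owner"])
    if plan.priority == "critical":
        plan.notify.append("security-oncall")
    plan.audit.append(f"{ts} priority={plan.priority} actions={len(plan.actions)}")
    return plan


if __name__ == "__main__":
    p = build_plan(SAMPLE_EVENT)
    print(p.priority, p.actions, p.notify, sep="\n")
```

The scoring in `prioritize` encodes the post’s own example: a publicly exposed asset that allows password authentication and holds high permissions lands at the top, while the same finding against an internal-only, key-only host is ranked lower rather than suppressed. The audit list is built on every run, including low-priority ones, because the post-incident stage needs the record regardless of whether containment fired.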
To learn more, see how you can reduce alert fatigue and focus on the most critical security gaps with Wiz, and get started with Torq’s no-code security automation platform to handle these and similar threats at scale.