Identify and prioritize security risks with Wiz Security Graph and Google Cloud

Last reviewed 2024-11-21 UTC

By Mason Yan - Partner Solution Engineer, Wiz; Jimit Modi - ISV Partner Engineer,Google

Wiz helps organizations secure their cloud environments. This document describeshow to identify and prioritize security risks in your cloud workloads with WizSecurity Graph and Google Cloud. Security Command Center Premium, Google's built-in CNAPP for Google Cloud, and Wiz's Cloud add-on capability are bettertogether, giving you contextual visibility across your cloud organizationwith the ability to prioritize risk mitigation.

For more information about Wiz, see theWiz website and theGoogle Cloud case study.

Architecture

The following diagram shows how Wiz connects to your Google Cloudinfrastructure and how Wiz is integrated with built-in Google Cloudtools.

Wiz connects to Google Cloud infrastructure and is integrated with builtin Google Cloud tools.

Wiz Cloud Security Platform is a software-as-a-service (SaaS)solution. This architecture diagram demonstrates the following workflow:

  1. Wiz API scanning collects Google Cloud services and theirconfiguration metadata to build a complete inventory.
  2. Wiz Workload scanning collects the metadata of operating systems,apps, packages, secrets, and container files to create a list ofvulnerabilities and misconfigurations.
  3. Wiz Data scanning scansCloud Storage,non-OS volumes, tables inCloud SQL,and collects metadata from sensitive data objects.
  4. Wiz usesIdentity and Access Management (IAM)Recommender to find excessive and unused permissions to create Wiz findings.
  5. Wiz ingestsAdmin Activity audit logs andSecurity Command Center findings to add threat events to create Wiz findings.

Wiz uses the information that it gathers to create a node-and-edge graph ofyour assets and their interconnections. This graph, called theWiz SecurityGraph, lets Wiz identify the most toxic risk combinations. Thesecombinations are then flagged as Wiz Issues, which trigger alerts and automatedworkflows for remediation.

Connect the Wiz tenant to your Google Cloud infrastructure

Before you connect Wiz to your Google Cloud infrastructure, ensure thatyou've met the following prerequisites. To deploy on the organization level, theperson who performs the connection must have sufficient permissions, either as aGoogle Cloud owner or as a user with the following organization-levelroles:

  • roles/iam.serviceAccountAdmin
  • roles/iam.organizationRoleAdmin
  • roles/iam.securityAdmin
Note: Wiz strongly recommends that you connect on the organization level. Doingso lets all Google Cloud projects, both existing and future, be detected andscanned automatically.

To deploy on the project level, the person who performs the connection must havethe rights of a Google Cloud projectroles/owner role (or better).

Other prerequisites include the following:

Create a Google Cloud connector

Wiz provides auto-generated scripts that you can run to create a service accountand all the roles that you need to use Wiz with Google Cloud.The following screenshot shows a Wiz service account created by the scripts:

Wiz service account generated through a script.

Use Cloud APIs to scan your organization

This section explains the interactions between Wiz and Google Cloudcomponents to help you understand the necessity of permissions and roles to begranted.

UseIAM to grant Wiz with read-only roles to scan your Google Cloud organizationusingCloud APIs.

Wiz requires read-only roles to callCloud APIs.Wiz collects the metadata and configuration information from all the Googleservices in your Google Cloud organization, including firewall rules andaccess controls. Wiz then builds an inventory of all Google Cloudservices.

For more information, seeSupported Cloud Services Google Cloud.

Use Wiz Workload scanning

To create and delete a snapshot, Wiz requiresproper IAM roles.After the API scan is complete, Wiz automaticallycreates a Workload scanner in the sameregion where the Compute Engine instance resides.

The Wiz Workload scanner creates a snapshot of the boot volume of eachCompute Engine instance. It does so by mounting a read-only volume thatis backed by the snapshot. After the scan is complete, Wiz deletes the snapshot.Workload scanning detects several coding languages or frameworks like Go,Python, or React. It also detects operating systems or applications on a VM,container, or serverless function–for example, Linux, NGINX, Docker, or Ansible.Workload scanning collects metadata on packages, misconfigurations, and secrets,including SSH keys, cloud keys, and container files from the boot volumes.

The following screenshot of the Wiz UI shows the results of a Wiz Workload scan:

Items that are scanned in a Wiz snapshot.

Use Wiz Data scanning

Data scanning is an extension ofWiz Workload scanning.If you enable data discovery, the scanner performs a sampling scan of the files.Files are scanned in the following locations:

Wiz searches files for the following sensitive data:

  • Payment card industry data
  • Personally identifiable information (PII)
  • Protected health information (PHI)

When a match is detected with high confidence, metadata about these objects isadded to the Security Graph as a Data Finding. After an object is added to theSecurity Graph, queries and Controls are used for risk analysis.

AControl consists of a pre-defined Security Graph query and a Severity level. If a Control's query returns any results, an Issue isgenerated for every result.

Note: As with all other Wiz assessments, Wiz doesn't store the data. Wiz onlystores the metadata results. Wiz highlights only a partially redacted sample ofthe detected Data Finding so that you can identify, verify, and remediate theData Finding. Wiz requires additional permissions to scan your private bucketsand platform-as-a-service (PaaS) databases like Cloud SQL for protecteddata and secrets.

Ingest Event Threat Detection from Security Command Center

Wiz integrates Google Cloud's Event Threat Detection with Security Command Centerto add correlation and context to Security Command Center events and highlight thecritical risks on the security graph. For example, Wiz Security Graph visualizesan exposed Compute Engine instance with a critical vulnerability and alateral movement finding on which Event Threat Detection has also detected potentiallysuspicious events. This integration requires Security Command Center Premium,because this is the tier that detects threats. The Google Cloud SecurityReviewer role that is attached to the Wiz service account grants the permissionsto list the Security Command Center findings.

The following diagram illustrates the attack path analysis of a hypotheticalcritical issue in Security Graph:

The attack path analysis of a hypotheticalcritical issue in Security Graph.

The diagram shows how Wiz ingests threat events from Event Threat Detectionand adds them to Security Graph. There is an SSH Brute Force finding associatedwith a hypothetical Compute Engine instance. The hypotheticalCompute Engine instance has Common Vulnerabilities and Exposures (CVE)and is exposed to the internet. The Compute Engine instance also has anaccess key that leads to data access.

The combination of multiple risks represents a high probability for a maliciousactor to access this instance and exfiltrate any data it contains. The SSH BruteForce alert on this hypothetical Compute Engine instance needs immediateattention.

Connect Cloud Audit Logs to Wiz Cloud Detection and Response

Wiz Cloud Detection and Response (CDR) detects, investigates, and responds tocloud threats. Wiz CDR ingests cloud events fromCloud Audit Logs andGoogle Workspace audit logs.These logs are streamed to a Pub/Sub topic that you create.

Here are the deployment steps:

  1. Create a Pub/Sub topic and subscription in aGoogle Cloud project.
  2. Stream admin activity and data access audit logs to the created topic.
  3. Stream audit logs from Google Cloud to Wiz.
  4. Connect Wiz to the Pub/Sub topic.

The following diagram shows that Wiz connects to Pub/Sub to readlogs that are published by the connected projects or organization:

Wiz connects to Pub/Sub to read log file data.

For more information about configuration details, see theWiz documentation.

Deploy the Wiz Runtime Sensor to a GKE cluster

The following diagram shows how the Wiz Runtime Sensor in the Google Cloudenvironment connects to the Wiz container registry and the Wiz cloud backend:

The Wiz Runtime Sensor in the Google Cloud environment connects to theWiz container registry and the Wiz cloud backend.

In the diagram, the Wiz Runtime Sensor is an eBPF-based executable designed tooffer real-time visibility into your Google Cloud and Kubernetes workloads.TheContainer Security section provides additional detail.

Prerequisites

To deploy the Wiz Runtime Sensor to a GKE cluster, you must meetthe following prerequisites:

  • Google Cloud is connected to Wiz.
  • GKE is running version 1.20.9-gke.1000 and later.
  • The GKE cluster allows outbound HTTPS connectivity.For more information see,Outbound Communication.

Deployment

Here are the steps to use a Helm chart to deploy Wiz Runtime Sensor daemon setto a GKE cluster:

  1. Create a Service Account for the Runtime Sensor in Wiz.
  2. Obtain the Runtime Sensor Helm chart.
  3. Obtain the Runtime Sensor image pull key from Wiz.
  4. Install the Runtime Sensor on a GKE cluster.
  5. Perform a confidence check.

For more information about deployment details, seeInstall Runtime Sensor.

Security

As a customer, you own your Wiz tenant. Wiz doesn't have access to your tenant.To list your cloud resources and interrogate the control plane for theirconfiguration, the cloud scanner connects using read-only permissions. Theread-only permissions grant access to yourcloud APIs (like AWS, Azure, Google Cloud, OCI, Kubernetes, and others).

By default, the read-only permissions that you created for the Wiz scanner grantaccess to all the Google Cloud services that you use. The goal is completevisibility into your environment. To exclude some of the services, you canmodify your Wiz role-creation scripts.

VPC Service Controls

If your organization uses VPC Service Controls to restrict Google servicesin projects that you want Wiz to scan, you need to add an access rule foreach perimeter. Users that have either theroles/accesscontextmanager.policyAdmin role or theroles/accesscontextmanager.policyEditor role can perform this operation.

Because Wiz initiates requests from outside of the VPC Service Controlsperimeters, you might need to add Wiz to your ingress rules. When you use anAccess Level while setting up your Ingress Policy, you might see theFROMattributes of the API client. If your access level selection restricts sourceIP addresses, you can add IP addresses for Wiz data centers.

Ingress policy

  1. In the Google Cloud console, navigate toSecurity > VPC Service Controls.Each perimeter protects one or more projects.

  2. For each perimeter that restricts Google services in projects where youwant Wiz to scan, clickEdit > Ingress Policy.

    Edit Access Level options.

    As shown in the preceding screenshot, leave the Source, Project, andServices fields with their Default values.

  3. Select the Wiz Service Account (default name:wiz-service-account),then clickAdd Rule.

  4. ClickSave.

  5. Navigate toAccess Level Manager and addWiz Data Center Scan IPaddresses to the Access Level.Edit Access Level options.Edit Access Level options.

    As shown in the preceding screenshots, you create an access level with acustom name, and then you add the IP addresses of the data center where yourWiz tenant is located.

  6. In theConditions section:

    1. Add each Wiz data center IP address as an IP address subnetworkin this format:3.132.145.19/24.
    2. SetWhen condition is met, return toTRUE.

  7. ClickSave to update the perimeter settings. Deployment can take upto 20 minutes.

  8. Repeat the previous three steps for every access level used by aperimeter that affects a project that you want Wiz to scan.

Use Wiz Outpost to keep data in your project

As shown in the following screenshot, Wiz Outpost is an alternative deploymentmodel to the standard SaaS deployment mode that's described in this document. Itlets you perform all Workload scanning in your own environment, using your owninfrastructure.

The following screenshot shows how to connect Outpost in the Wiz portal.

Wiz Outpost options selection screen.

As shown in the preceding screenshot, you must provide the Google Cloudorganization ID you want to scan using this connector. Youmust also provide the project ID of the project where the Wiz outpost wasdeployed.

The following sample command creates a Wiz service account with a read-onlyrole to all the cloud services and a role to create snapshots and deletesnapshots.

For more information about the deployment details, see the Wiz documentation onGoogle Cloud connector.

After determining the correct deployment information for your use case, useCloud Shell to run the following command:

curl -fsSL https://SERVER_URL/deployment-v2/gcp/cli/wiz-gcp.sh | bash /dev/stdin managed-standard organization-deployment  --organization-id=ORGANIZATION_ID  --wiz-managed-id=WIZ_MANAGED_ID

Replace the following:

  • SERVER_URL: The server URL that appears in theWiz console.
  • ORGANIZATION_ID: The Google Cloudorganization ID.
  • WIZ_MANAGED_ID: The account ID for the Wizmanaged service account in Google Cloud.

Using the Wiz Outpost deployment model, all Workload scanner functionality ispulled out of the Wiz backend and recreated in your own environment. Thisprocess is shown in theArchitecture section diagram. The Wiz workload scan of the GKE cluster inWizproject should be deployed to a project in theCustomer Organization.

Snapshots in the Outpost deployment model are still created, scanned, anddeleted in the same manner, but all analysis occurs in your environment. Onlythe metadata results are sent to the Wiz backend. Examples of metadata resultsinclude the following:

  • Installed packages
  • Exposed secrets
  • Malware detection

Use case: Agentless scanning provides full stack multi-cloud visibility in minutes

Wiz scans the entire cloud stack in read-only mode, including all VMs,containers, serverless apps, data repositories, and PaaS services that use theCloud APIs. For example, customers use Wiz to search for resourcesthat are associated with Log4j vulnerabilities.

The Wiz cloud risk engine compiles multiple layers of configuration, network andidentity data, and cloud events from Cloud Audit Logs to surface effectiveexternal exposure, unintentionally excessive permissions, exposed secrets, andlateral movement paths.

As shown in the following diagram, Wiz Security Graph shows the cloud resourcesthat are associated with Log4j vulnerabilities:

Entire Wiz scan of an example cloud stack.

Compliance

Wiz automatically assesses your compliance posture against more than 100industry compliance frameworks or your custom frameworks. That assessment helpseliminate the manual effort and complexity of achieving compliance in dynamicand multi-cloud environments. The following screenshot shows a complianceheatmap, which lets you survey your Google Cloud environment across allcompliance frameworks–including CIS and NIST–at a high level and quicklydetermine where your security teams should focus.

A compliance heatmap of an example Google Cloud environment across all compliance frameworks.

Container security

Wiz assesses and correlates container security risk across container images,identities, the Kubernetes network, and the cloud environment. Wiz also enablescomprehensive, end-to-end Kubernetes security posture management and compliance.Wiz Guardrails enable organizations to enact a single policy framework thatspans the development lifecycle (CI/CD pipeline) to runtime. Wiz Runtime Sensoris a lightweight eBPF-based agent that can be deployed within Kubernetesclusters as a daemon set to provide real-time visibility and monitoring ofrunning processes, network connections, file activity, system calls–and more–todetect malicious behavior affecting the workload.

The following diagram shows the Wiz Guardrails that are in place. Theseguardrails span the development cycle to runtime.

Diagram of the Wiz Guardrails in place that span the development cycle to runtime.

Deploy Wiz

Connectors let Wiz access your cloud environment to assume roles, createsnapshots, share snapshots with Wiz for analysis, and delete snapshots. You'llneed to create a Cloud Connector for your Google Cloud organization orproject. As mentioned previously, Wiz supports both shell script and Terraform.

The following is a sample scriptfor Cloud Shell that connects Wiz to an organization. It alsoincludes an ID test for standard deployment:

curl -fsSL https://SERVER_URL/deployment-v2/gcp/cli/wiz-gcp.sh | bash /dev/stdin managed-standard organization-deployment  --organization-id=test  --wiz-managed-id=WIZ_MANAGED_ID

Replace the following:

  • SERVER_URL: The server URL that appears in theWiz console.
  • WIZ_MANAGED_ID: The account ID for the Wiz managedservice account in Google Cloud.

The following is a sample Terraform script that connects Wiz to an organization.It also includes an ID test for standard deployment:

module "wiz" { source = "https://SERVER_URL/deployment-v2/gcp/wiz-gcp-org-terraform-module.zip" org_id = "test" wiz_managed_identity_external_id =WIZ_MANAGED_ID data_scanning = false }

For more information, see the Wiz documentation onHow to connect to Google Cloud.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-11-21 UTC.