Cloud security has evolved beyond a specialized domain to encompass virtually all aspects of modern cybersecurity. During Wizdom in London some time ago, we sat down with Amitai Cohen, responsible for threat research and intelligence at Wiz. We talked about threat intelligence, security hygiene, misconfigurations, and the importance of runtime security.
Speaking at Wiz’s Wizdom event in London, Cohen explained that the integration of cloud services into organizational infrastructure has made cloud security inseparable from general security practices. Whether attackers gain access through cloud vulnerabilities or use cloud resources as their target, the cloud plays a central role in today’s threat landscape.
The persistent problem of misconfigurations
Despite years of awareness, cloud misconfigurations remain one of the most significant security challenges. Cohen identifies several key areas where organizations continue to struggle, particularly around legacy support and default configurations.
One example is Amazon’s Instance Metadata Service (IMDS). IMDSv1 remains widely used, even though IMDSv2 offers significantly better security. “Slowly, slowly, customers are switching to IMDSv2, but it’s not the default,” Cohen explains. “That is the story with a lot of misconfigurations where in order to support legacy, in order to support all sorts of different scenarios, vendors choose to allow these things to be deployed insecurely.”
While issues like public S3 buckets have become easier to identify and fix, they remain prevalent. Cohen notes that the focus has shifted to application misconfigurations at both the SaaS and self-hosted levels. This is particularly evident in emerging technologies.
The power of secure defaults
Research from Wiz reveals that defaults carry tremendous influence over security outcomes. “When we check what is actually being configured, 80% keep the default configuration and only 20% customize it,” Cohen says. This makes it all the more important for vendors to set secure defaults. The challenge, as always, is to balance security with compatibility and ease of use. This is especially important when supporting legacy systems or diverse use cases.
Cohen is a strong advocate of opinionated security approaches, citing examples like Microsoft’s TPM requirement for Windows 11 and GitHub’s evolving security posture around GitHub Actions. “I personally love opinionation,” he states. “I think that’s very important for companies to make sure that their customers are secure.”
Supply chain security across ecosystems
Different package registries have adopted varying security postures, with direct consequences for their ecosystems. Cohen observes that the npm registry experienced a disproportionate number of supply chain attacks over the past year. This happened largely because it chose a less secure posture that placed more responsibility on consumers.
The issue extends to both sides of the supply chain: developers creating and uploading packages need to use attestation and multi-factor authentication. Meanwhile, consumers downloading packages need visibility into what they’re deploying.
“We as Wiz feel that we’re in a position to mediate between the open source vendors and their consumers in order to at least help them gain visibility into cases where they’re deploying this open source software insecurely,” Cohen says.
AI security: new surfaces and old vulnerabilities
The rapid adoption of AI tooling has created significant security challenges, particularly around deployment practices. Many AI tools designed for laboratory environments are being deployed in production without proper security considerations.
“A lot of this tooling that’s coming out like Llama and Langflow and all of these things, they’re built for the lab and if you read the docs, there’s a big, big call out at the start: Don’t expose this to the Internet, don’t use this in production environment,” Cohen says. However, he also sees that people do it anyway. The problem is exacerbated by the expanding range of people deploying AI tools. This includes data scientists, HR departments, and others without traditional development backgrounds. The phenomenon of “vibe coding” means people with limited technical expertise are deploying complex systems.
However, Cohen notes that many AI vulnerabilities are traditional in nature. “What we noticed is that a lot of the vulnerabilities we were finding were just traditional vulnerabilities. There was nothing unique to AI in that sense. It was just the same old identity things, network things”, he states.
AI-powered attacks and runtime detection
Wiz’s threat research team is developing frameworks to understand how AI is changing the attack surface. The key question is whether AI simply allows attackers to operate at greater scale or whether it creates fundamentally new attack vectors. According to Cohen, the latter is very much happening. He gives an example of this too. Recent npm registry attacks had S1ngularity malware abuse AI CLIs on developer laptops. “That’s basically a brand new attack surface. It didn’t exist a year ago,” he says.
Of course, this development has implications for detection strategies. Traditional approaches of analyzing malware to determine its behavior become less effective when malicious instructions are embedded in natural language prompts. “It shifts the detection to just as it happens instead of analyzing the malware and figuring out what it does,” Cohen explains. In other words, runtime detection becomes even more critical.
It is clear that the security industry faces many challenges, both old and new. However, Cohen also sees opportunities in the rapid pace of AI development. “The fact that it’s fast means that we do have the opportunity now, because everybody’s talking about these things, to educate and do the research and help people figure out how to do this correctly, shine a light on the problems as soon as they emerge.” It’s going to be interesting to see how companies like Wiz are going to use AI and take the fight to the attackers.
Also read: Wiz builds ‘horizontal security model’ based on Security Graph