AWS Partner Network (APN) Blog

Wix Combines Amazon GuardDuty and Orca Security to Provide Enterprise-Grade Security for Over 230 Million Users

By Ty Murphy, Director, Product Marketing – Orca Security
By Josh Dean, Sr. Partner Solutions Architect – AWS

Orca Security

Wix is a global leader in providing a comprehensive, cloud-based platform for web development. The company’s massive infrastructure is incredibly complex, but while its hundreds of cloud accounts are decentralized with many internal owners, security is centralized for visibility across its entire platform.

The security team at Wix needed to reduce and prioritize the number of alerts and get a deeper dive into their cloud infrastructure stack. They sought to understand issues and vulnerabilities that could possibly be exploited and gain more context pertaining to incidents.

Wix added the Orca Cloud Security Platform to complement Amazon GuardDuty. The integration allowed the security team to fully comprehend the extent of alerts detected by Amazon GuardDuty, and automatically correlate which alerts deserved to be prioritized first based on Orca’s additional context and comprehensive understanding of Wix’s Amazon Web Services (AWS) environments.

In this post, we will review the security challenges and benefits of the combined solutions that enabled Wix to continue to securely position themselves as a digital presence leader.

Orca Security is an AWS Security Competency Partner that provides cloud-wide, workload-deep, context-aware security and compliance for AWS without the gaps in coverage, alert fatigue, and operational costs of agent-based solutions.

Wix is a Platform to Create, Manage, and Grow a Digital Presence

Using a range of Wix tools and templates, anyone can create a beautiful, professional, and functional web presence to manage and grow their business. What began as a website builder in 2006 is now a complete platform providing users with enterprise-grade performance, security, and reliable infrastructure.

Offering a wide range of commerce and business solutions, as well as advanced SEO and marketing tools, Wix enables users to have full ownership of their brand, their data, and their relationships with their customers.

Wix’s infrastructure information security team has vast responsibilities for securing the environment and preventing attacks and breaches—not only for Wix but for its global customer base. The security architecture team oversees cloud security for all Wix environments, including tools pertaining to configuration and vulnerability management. A DevOps team is responsible for internally-developed security tools along with their integrations and automation. A third team provides incident response across the Wix platform.

Senior Cybersecurity Architect Opher Hofshi leads AWS cloud security efforts for Wix. “Securing our environment is a huge challenge, given its constant state of flux,” says Hofshi. “We operate a multi-cloud, hybrid environment that auto scales dramatically. It can vary in size by 10-20% each day, depending on when customer markets begin their heavy use. A single cloud account can use 300,000 containers every day, and we have more than 80 accounts to oversee.”

Enterprise-Grade Security That Scales to Protect Users

“Wix takes security very seriously,” says Shaul Eldar, who leads the infrastructure information security team at Wix. “It can be complicated when you have so many technologies to manage, so we need to be flexible with our cloud security monitoring infrastructure. A lot of integrations and automation are relevant for part of the solutions but not for others.”

Hofshi explains the unique way Wix uses its security toolset: “We try to centralize security across all cloud accounts. An in-house tool aggregates all data from our infrastructure components and security tools, including those native to AWS. We usually cherry-pick specific areas, alerts, and findings we like from each tool, then send it to our aggregation tool to create our own alerts based on that information.”

The company was already using Amazon GuardDuty to aggregate some security findings. GuardDuty is a threat detection service that continuously monitors AWS accounts for malicious activity, delivering detailed findings for visibility and remediation.

Wix wanted to add to its security mix to address other issues, mostly at its infrastructure API level. “It could be basic like a publicly accessible bucket; something we can identify very easily. But when we go deeper into our cloud infrastructure things are less intuitive, like a function that exposes environmental variable secrets,” says Eldar.

“This you can’t know off-hand based on basic API ports. Our infrastructure is massive; we need to know what packages we have, whether there are vulnerabilities, and if specific service vulnerabilities can be exploited,” Eldar adds. “We had a good understanding of our infrastructure from the perimeter side, but needed to dive deeper inside the stack to understand other issues.”

Escalating the Severity of Alerts Based on Orca’s Intelligence

Orca Security uses an out-of-band approach to reach cloud workloads through its virtualization layer. The platform provides full-stack security visibility of cloud environments for 100% of an organization’s assets, with no troublesome agent or network scanner required.

Orca provides visibility into vulnerabilities, misconfigurations, weak and leaked passwords, lateral movement risk, breaches, and more.


Figure 1 – Orca consumes an Amazon GuardDuty-detected brute force attempt.

In this scenario, Amazon GuardDuty detected brute force attempts to access an Amazon Elastic Compute Cloud (Amazon EC2) instance. Furthermore, the Orca platform recognized this was indeed an internet-facing asset that could pose additional lateral movement risk.

Orca received the initial Secure Shell (SSH) alert from GuardDuty, and added additional context and enrichment that increased the prioritization of this alert, moving the finding from a behavior anomaly to an increased level of detected risk.

Combining GuardDuty malicious and threat behavior alerts with Orca’s posture analysis provides shared customers with more intelligence for better prioritization and efficient risk classification. By correlating GuardDuty’s alert with Orca’s context-rich platform, customers are able to correlate the Remote Desktop Protocol (RDP) brute force attempts to the state of the asset/machine, confirming if the brute force attempt worked and if the asset became compromised.

Orca can provide a series of additional risks associated with this asset, such as sensitive data, service vulnerabilities, and unsupported host operating systems that could also prove hazardous to this asset. Furthering the customer visibility, Orca illustrates the potential attack chains and displays login history and other important data regarding all of the risks associated with this EC2 instance.

Wix Uses Orca Security to Elevate GuardDuty Value

Adding Orca Security to its security stack has improved Wix’s overall experience. Orca ingests GuardDuty alerts and adds comprehensive contextual information to assist with triage. Orca evaluates the alerts to prioritize those that should be responded to first, based on selected compliance frameworks, attack path analysis, and sensitive data.

“Orca Security gives us insight no other tool can provide—for example, insecure private keys on compute,” says Shaul. “Knowing that some assets could allow lateral movement to hundreds of others is a game-changer. If an attacker lands there, it’s pretty much game over. Having these alerts and insights in near real-time before an attacker could leverage it is highly beneficial for Wix and important for our users.”

Derived from its patented SideScanning and unified data model, Orca provides investigative content and rules for sorting alerts. It also provides deep context for its findings. Combined with GuardDuty’s in-depth findings, it’s this context that creates a more powerful security solution for Wix.

“What Orca does is take the potential and the actual, and combines them together,” says Hofshi. “So I can tell my team, ‘Look, it’s not just that the asset is public, but it’s also currently being brute forced and trying to be breached by an external entity.’ It’s not just about the discovery of the event, but having the full scope of data; like what is the risk, what is the context.”

GuardDuty Detects Security Events While Orca Provides Context

“Amazon GuardDuty is great at detecting security events in real time, at which point Orca Security can put each incident in context, telling us the risk in terms of exploitability and business impact,” Hofshi illustrates. “For example, if GuardDuty detected an exfiltration of instance role credentials, Orca enables our security team to understand not only what credentials had been leaked, but also the potential lateral movement risk a compromised key might have.

“This helps us to fully understand the policy, which permissions it grants, and how that leaked key could be used to allow access to other parts of our cloud infrastructure, including our crown jewel data. This kind of attack path analysis done by Orca Security is a game-changer,” adds Hofshi.

Eldar adds, “Orca automates this for us, reducing our incident response resources required to manually correlate each event. Orca helps educate our junior or less technical security engineers by correlating the context associated with a GuardDuty alert, saving them lots of pain and time-to-remediation. The Orca Security and GuardDuty combination help us solve our most difficult cloud security challenges at scale—testing and understanding what happened, and the risk associated with every critical GuardDuty alert.”

Hofshi continues, “At our scale, with hundreds of thousands of containers and virtual machines, every bit of accuracy and ancillary context can narrow down alerts and tell us which are critical to focus on. Orca Security does this really well.”

Amazon GuardDuty + Orca Security: Better Together for Wix

Customers of this joint solution get improved alert intelligence, better risk prioritization, and more efficient risk remediation through the following features:

  • Better visualization: See how any alert may play a role in a larger attack path that could compromise sensitive data.
  • More context: Understand why an alert matters by way of a summary digest along with recommended remediations.
  • Accurate classification: Group GuardDuty and other AWS alerts together based on compliance, severity, asset, or risk type.

Hofshi proclaimed that the integration of Amazon GuardDuty and Orca Security “delivers a lot of value,” adding that “GuardDuty helps us discover what is actually happening, while Orca can correlate those discovered incidents into what the potential risk is based on our environment. It helps us understand the full scope of the attack or potential attack, and see the full story and impact on our business.”


Both Amazon GuardDuty and Orca Security offer free 30-day trials, giving customers a risk-free opportunity to test drive the integration for themselves.

With this integration, customers benefit from improved operational efficiencies and reduced alert fatigue. With GuardDuty and Orca Security, organizations are able to prioritize detected alerts based on the severity of a security issue, its accessibility, and business impact. This helps security teams focus on remediating the critical risks that matter most to the organization.


Orca Security – AWS Partner Spotlight

Orca Security is an AWS Security Competency Partner that provides cloud-wide, workload-deep, context-aware security and compliance for AWS without the gaps in coverage, alert fatigue, and operational costs of agent-based solutions.

Contact Orca Security | Partner Overview | AWS Marketplace