Google Cloud introduces Community Security Analytics
Google Cloud recently released Community Security Analytics (CSA), a set of open source queries and rules for security analysis designed to help detect common cloud-based threats.
Aimed at detection engineers, threat hunters, and data governance analysts, CSA provides predefined queries and rules for analyzing Google Cloud logs, including Cloud Audit Logs, VPC Flow Logs and DNS logs, using cloud-native and third-party tools.
According to the cloud provider, the new version simplifies the adoption of a continuous detection and continuous response (CD/CR) workflow for security operations teams. Roy Arsan, Solutions Architect, and Iman Ghanizada, Head of Security Solutions, explain:
CSA queries are mapped to the MITRE ATT&CK Tactics, Techniques and Procedures (TTP) framework to help you assess their applicability in your environment and include them in your threat model coverage. These queries can be run using cloud-native or third-party analytics tools. The initial release of CSA offers detections in the form of YARA-L rules for Chronicle and SQL queries for BigQuery, with other formats to follow based on community feedback.
The rules are currently divided into six categories, covering more than 40 use cases that reflect the most critical questions organizations need to ask their logs: connection and access patterns, IAM, cloud provisioning activity, usage of cloud workload, data usage and network activity.
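To show what one of these self-managed, ATT&CK-tagged detections looks like in practice, here is an added example that is not CSA's own code: a Python equivalent of a BigQuery-style query over Cloud Audit Log entries that flags a principal receiving PERMISSION_DENIED (status code 7) on several distinct API methods within one time window. The log entries are constructed, the ATT&CK tactic label is illustrative, and the threshold is the tuning knob the authors warn about.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed Cloud Audit Log entries (JSON lines) for this example; not real data.
# Only the fields the detection reads are kept. status.code 7 is PERMISSION_DENIED.
SAMPLE_LOG_LINES = """\
{"timestamp":"2022-04-01T10:00:05Z","protoPayload":{"methodName":"storage.buckets.list","authenticationInfo":{"principalEmail":"svc-a@example.iam.gserviceaccount.com"},"status":{"code":7}}}
{"timestamp":"2022-04-01T10:01:10Z","protoPayload":{"methodName":"compute.instances.list","authenticationInfo":{"principalEmail":"svc-a@example.iam.gserviceaccount.com"},"status":{"code":7}}}
{"timestamp":"2022-04-01T10:02:30Z","protoPayload":{"methodName":"iam.serviceAccounts.list","authenticationInfo":{"principalEmail":"svc-a@example.iam.gserviceaccount.com"},"status":{"code":7}}}
{"timestamp":"2022-04-01T10:03:00Z","protoPayload":{"methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"svc-a@example.iam.gserviceaccount.com"}}}
{"timestamp":"2022-04-01T10:04:00Z","protoPayload":{"methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"alice@example.com"},"status":{"code":7}}}
{"timestamp":"2022-04-01T10:55:00Z","protoPayload":{"methodName":"compute.instances.get","authenticationInfo":{"principalEmail":"alice@example.com"},"status":{"code":7}}}
"""

PERMISSION_DENIED = 7
WINDOW_MINUTES = 10
TECHNIQUE = "TA0007 Discovery"  # illustrative ATT&CK mapping chosen for this example


def parse_entries(lines):
    """Parse JSON-lines audit log text into dicts, skipping blank lines."""
    return [json.loads(l) for l in lines.splitlines() if l.strip()]


def window_start(ts):
    """Truncate an RFC 3339 timestamp to its WINDOW_MINUTES bucket (like TIMESTAMP_TRUNC)."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return t.replace(minute=t.minute - t.minute % WINDOW_MINUTES, second=0, microsecond=0)


def detect_denied_bursts(entries, threshold=3):
    """Flag principals denied on >= threshold distinct methods inside one window.
    Successful calls (no status.code) are ignored; threshold is the tuning parameter."""
    buckets = defaultdict(set)
    for e in entries:
        p = e.get("protoPayload", {})
        if p.get("status", {}).get("code") != PERMISSION_DENIED:
            continue
        key = (p["authenticationInfo"]["principalEmail"], window_start(e["timestamp"]))
        buckets[key].add(p["methodName"])
    findings = []
    for (principal, start), methods in sorted(buckets.items()):
        if len(methods) >= threshold:
            findings.append({"principal": principal, "window_start": start.isoformat(),
                             "denied_methods": sorted(methods), "technique": TECHNIQUE})
    return findings


if __name__ == "__main__":
    for finding in detect_denied_bursts(parse_entries(SAMPLE_LOG_LINES)):
        print(json.dumps(finding))
```

Lowering the threshold to 1 turns every isolated denial into a finding, which is the alert-noise trade-off each organization has to settle for itself.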
To provide coverage against the most common threats in the cloud, CSA is an open source project (Apache-2.0 license) that aims to make security analytics a shared community effort rather than something each organization develops independently. Arsan and Ghanizada point out some of the limitations:
It is important to note that the detection queries provided by CSA will be self-managed and you may need to tune them to minimize alert noise (…) CSA is not meant to be a complete, managed set of threat detections, but a community-contributed collection of sample analytics to provide examples of essential detective controls, based on cloud-based techniques (…) and has no cost estimates or performance guarantees.
Gunnar Peterson, CISO at Forter, comments:
In “What Next”, I suggest going beyond login failure and taking a step-by-step analysis of widely used identity protocols. Brute force is a good place to start, but also redirection, impersonation, tampering, etc.
The project is a collaboration between Google, MITRE Engenuity’s Center for Threat-Informed Defense and Google customers. The cloud provider recently published an article that covers new resources and initiatives for autonomous security operations.