Google Cloud recently released Community Security Analytics (CSA), a set of open-sourced queries and rules for security analytics designed to help detect common cloud-based threats.
Written to help detection engineers, threat hunters and data governance analysts, CSA are pre-built queries and rules to analyze Google Cloud logs, including Cloud Audit logs, VPC Flow log and DNS logs, using cloud-native and third-party tools.
According to the cloud provider, the new release simplifies the adoption of a continuous detection and continuous response (CD/CR) workflow for security operations teams. Roy Arsan, solutions architect, and Iman Ghanizada, security solutions manager, explain:
CSA queries are mapped to the MITRE ATT&CK framework of tactics, techniques and procedures (TTPs) to help you evaluate their applicability in your environment and include them in your threat model coverage. These queries can be run using either cloud-native or third-party analytics tools. The initial CSA release offers detections in the form of YARA-L rules for Chronicle, and SQL queries for BigQuery, with more formats to follow based on community feedback.
The rules are currently distributed in six categories, covering over 40 use cases that reflect the most critical questions organizations should ask to their logs: login and access patterns, IAM, cloud provisioning activity, cloud workload usage, data usage and network activity.
To provide coverage against most common threats in the cloud, CSA is an open source (Apache-2.0 license) project that wants to make security analytics crowdsourced and no longer developed independently by each organization. Arsan and Ghanizada highlight some of the limitations:
It’s important to note that the detection queries provided by CSA will be self-managed and you may need to tune to minimize alert noise (..) CSA is not meant to be a comprehensive, managed set of threat detections, but a collection of community-contributed sample analytics to give examples of essential detective controls, based on cloud techniques. (…) and do not have cost estimations or performance guarantees.
Gunnar Peterson, CISO at Forter, comments:
On “What Next”, suggest going beyond login failure and into a step by step analysis of widely used identity protocols. Brute force is a good place to start, but also redirection, impersonation, tampering, and so on.
The project is a collaboration between Google, MITRE Engenuity’s Center for Threat-Informed Defense and Google customers. The cloud provider recently published an article that covers the new resources and initiatives for autonomic security operations.