Google Cloud recently introduced Community Security Analytics (CSA), a set of open-sourced queries and rules for self-service security analytics geared toward helping security teams detect common cloud-based threats.
The company believes that developing a community around standardizing and sharing cloud security analytics promises to help improve detective capabilities — giving threat researchers, threat hunters, security analysts, and data governance teams a place to collaborate, while also leveraging Google’s cloud-native threat prevention and detection capabilities.
Security operations teams can use CSA to get started with analyzing their Google Cloud logs to audit recent behavior and help detect threats to common workloads. Google has partnered with the MITRE Engenuity’s Center for Threat-Informed Defense, CYDERES, and a variety of contributing customers to develop a sample set of analytics and kick-start the community's development. Leveraging the collective knowledge of the community, other organizations can use these queries and customize them to their own requirements.
Can Google's Community Security Analytics tip favor to security teams?
The release of Google's CSA demonstrates Google's community leadership and vision, said Sandy Dunn, CISO at BreachQuest. Dunn said software development teams have embraced DevOps continuous integration/continuous development (CI/CD), but continuous detection and response has been either a mashup of home-grown solutions or required additional investment from the cloud provider. Aligning with MITRE ATT&CK qualifies the information and helps teams map to the missing or weak controls.
“Development and cybersecurity teams finally have both the data and the MITRE ATT&CK ‘Rosetta Stone,’” Dunn said. “MITRE ATT&CK provides the information on known exploited vulnerabilities, mapped to NIST 800-53v5 which identifies the missing controls, and now Google's CSA identifies new threats or gaps.”
Ratan Tipirneni, president and CEO of Tigera, said the security industry has been losing the battle to hackers because there’s a fundamental incongruity: hackers only need to find one gap in the tens of thousands of permutations to find their way into a system, and then they have an efficient mechanism to share this knowledge with other hackers.
“One powerful strategy to counter this is to unlock the power of the community by crowdsourcing intelligence about vulnerabilities and creating a powerful distribution mechanism to get this knowledge into the hands of everyone else in the community,” Tipirneni said. “Over the past few decades we have successfully applied this model of unlocking the intelligence of the community — Google’s page rank algorithm itself is a great example of this. Google’s CSA has the potential to change the odds of success in our battle against the bad guys.”
John Bambenek, principal threat hunter at Netenrich, said with the move to cloud infrastructure, many traditional forms of cybersecurity protection were left behind.
“This release by Google is an attempt to address the gap in detecting attacks on resources in their cloud infrastructure,” Bambenek said. “Open-source collaboration like this can help organizations bootstrap their protection.”