How Risk Engine detects toxic combinations

Note: at the time of this post, the Toxic Combinations feature is in Preview.

A toxic combination is a group of security issues that, when they occur together in a particular pattern, create a path that a determined attacker could use to reach and compromise one or more of your high-value resources.

A security issue is anything that contributes to the exposure of your cloud resources, such as a particular configuration of resources, a misconfiguration, or a software vulnerability.

The Risk Engine of Security Command Center Enterprise detects toxic combinations during the attack path simulations it runs. For each toxic combination that Risk Engine detects, it issues a finding. Each finding includes an attack exposure score that measures the risk of the toxic combination to the high-value resources in your cloud environment. Risk Engine also generates a visualization of the attack path that the toxic combination creates to the high-value resources.

The score on a toxic combination finding is computed like the attack exposure scores on other types of findings, but it applies to the whole attack path rather than to an individual software vulnerability or misconfiguration.

Generally, a toxic combination represents a greater risk to your cloud deployment than an individual security issue. However, compare the score of a toxic combination finding to the scores of other toxic combination and posture findings to determine which you should act on first.

If the score of a finding for an individual security issue is significantly higher than the score of a toxic combination finding, work the higher-scoring finding first.

Security Command Center Enterprise opens a case in the Security Operations console for each toxic combination finding that Risk Engine issues. You can query or filter toxic combination cases by the TOXIC_COMBINATION tag that is applied to them.
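The prioritization rule above (a toxic combination normally outranks an individual finding, unless the individual finding's attack exposure score is significantly higher) and the filtering of toxic combination findings can be scripted against finding records pulled from the Security Command Center API, where these findings carry the finding class TOXIC_COMBINATION (the counterpart of the case tag in the Security Operations console). The following Python is an added example, not code from the original post or from Google. The sample records are constructed to resemble the SCC Finding resource (name, category, findingClass, resourceName, attackExposure.score); their names, categories and scores are illustrative. The page does not say how much higher a score must be to count as "significantly higher", so the SIGNIFICANT_RATIO constant is an assumption you should tune.

```python
"""Rank Security Command Center findings for triage by attack exposure score.

Added example (not from the original post or from Google). Implements the
rule: a toxic combination normally outranks an individual finding, unless
the individual finding's score is significantly higher. The page does not
quantify "significantly"; SIGNIFICANT_RATIO below is an assumed tunable.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: an individual finding must score at least this many times a
# toxic combination's score to be worked before it. Tune for your environment.
SIGNIFICANT_RATIO = 1.5

TOXIC_COMBINATION = "TOXIC_COMBINATION"  # SCC findingClass issued by Risk Engine


@dataclass(frozen=True)
class Finding:
    name: str
    category: str
    finding_class: str
    resource: str
    score: float  # attackExposure.score; 0.0 when no attack path was found


def parse_findings(records: Iterable[Dict]) -> List[Finding]:
    """Build Finding objects from dicts shaped like the SCC Finding resource.

    Only the fields needed for triage are read. A finding without an
    attackExposure block has no path to a high-value resource and scores 0.0.
    """
    findings = []
    for rec in records:
        exposure = rec.get("attackExposure") or {}
        findings.append(Finding(
            name=rec["name"],
            category=rec.get("category", ""),
            finding_class=rec.get("findingClass", "FINDING_CLASS_UNSPECIFIED"),
            resource=rec.get("resourceName", ""),
            score=float(exposure.get("score", 0.0)),
        ))
    return findings


def toxic_combinations(findings: Iterable[Finding]) -> List[Finding]:
    """Keep only toxic combination findings (API counterpart of the case tag)."""
    return [f for f in findings if f.finding_class == TOXIC_COMBINATION]


def effective_score(f: Finding, ratio: float = SIGNIFICANT_RATIO) -> float:
    """Score used for ordering.

    Toxic combinations keep their raw score. An individual finding is divided
    by `ratio`, so it overtakes a toxic combination only when its raw score is
    at least `ratio` times the toxic combination's score.
    """
    return f.score if f.finding_class == TOXIC_COMBINATION else f.score / ratio


def prioritize(findings: Iterable[Finding], ratio: float = SIGNIFICANT_RATIO) -> List[Finding]:
    """Return findings in the order they should be worked, highest priority first."""
    return sorted(findings, key=lambda f: (effective_score(f, ratio), f.score), reverse=True)


# Constructed sample records modelled on the SCC Finding resource. Names,
# categories, resources and scores are illustrative, not real findings.
SAMPLE_RECORDS = [
    {"name": "organizations/1/sources/2/findings/tc-1",
     "category": "EXAMPLE_TOXIC_COMBINATION",
     "findingClass": "TOXIC_COMBINATION",
     "resourceName": "//compute.googleapis.com/projects/p/zones/z/instances/vm-1",
     "attackExposure": {"score": 7.5}},
    {"name": "organizations/1/sources/2/findings/misconfig-1",
     "category": "PUBLIC_BUCKET_ACL",
     "findingClass": "MISCONFIGURATION",
     "resourceName": "//storage.googleapis.com/buckets/b-1",
     "attackExposure": {"score": 9.0}},
    {"name": "organizations/1/sources/2/findings/vuln-1",
     "category": "OS_VULNERABILITY",
     "findingClass": "VULNERABILITY",
     "resourceName": "//compute.googleapis.com/projects/p/zones/z/instances/vm-2",
     "attackExposure": {"score": 12.0}},
    {"name": "organizations/1/sources/2/findings/tc-2",
     "category": "EXAMPLE_TOXIC_COMBINATION",
     "findingClass": "TOXIC_COMBINATION",
     "resourceName": "//container.googleapis.com/projects/p/clusters/c-1",
     "attackExposure": {"score": 3.0}},
    {"name": "organizations/1/sources/2/findings/misconfig-2",
     "category": "OPEN_SSH_PORT",
     "findingClass": "MISCONFIGURATION",
     "resourceName": "//compute.googleapis.com/projects/p/global/firewalls/fw-1"},
]


def ranked_names(records: Iterable[Dict] = SAMPLE_RECORDS,
                 ratio: float = SIGNIFICANT_RATIO) -> List[str]:
    """Short finding IDs in triage order, for quick inspection."""
    return [f.name.rsplit("/", 1)[-1] for f in prioritize(parse_findings(records), ratio)]


if __name__ == "__main__":
    for f in prioritize(parse_findings(SAMPLE_RECORDS)):
        print(f"{effective_score(f):5.2f}  raw={f.score:5.2f}  "
              f"{f.finding_class:18} {f.name.rsplit('/', 1)[-1]}")
```

With the assumed ratio of 1.5, vuln-1 (score 12.0) is worked before the toxic combination tc-1 (score 7.5) because 12.0 is at least 1.5 times 7.5, while misconfig-1 (score 9.0) is not and drops below tc-1; raising the ratio to 2.0 puts tc-1 first. Findings with no attackExposure block, meaning Risk Engine found no path from them to a high-value resource, sort last regardless of class.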


The case is the primary way to investigate and track the remediation of a toxic combination. In the case view, you can find the following information:

  • A description of the toxic combination

  • Information about the affected resource
  • Information about the steps you can take to remediate the toxic combination
  • Information about any related findings from other Security Command Center detection services, including links to their associated cases
  • Any applicable playbooks
  • Any associated tickets

How Risk Engine detects toxic combinations

Risk Engine runs attack path simulations on all of your cloud resources approximately every six hours.

During the simulations, Risk Engine identifies potential attack paths to the high-value resources in your cloud environment and calculates attack exposure scores for findings and high-value resources. If Risk Engine detects a toxic combination during the simulations, it issues a finding.

For more information about attack path simulations, see Attack path simulations.

Toxic Combinations Overview:

https://cloud.google.com/security-command-center/docs/toxic-combinations-overview
