Full Report
Fully understand the impact and architecture behind any threat to streamline and speed effective response with a first-of-its-kind integration combining the Wiz Security Graph’s deep cloud and multi-cloud risk context with Google Cloud’s Security Command Center’s advanced threat detection.
Analysis Summary
The provided article focuses on a **product integration and resulting capability enhancement** rather than detailing a specific piece of malware, a known attack tool, or granular threat actor TTPs. The core subject is the integration between the **Wiz Security Graph/Cloud Detection and Response (CDR)** platform and **Google Cloud Security Command Center (SCC)**.
Therefore, the summary will focus on the capabilities delivered by this integration, framed as a "security technology" or "detection capability."
# Tool/Technique: Wiz CDR Integration with Google Cloud SCC
## Overview
This describes the integration between the Wiz Cloud Detection and Response (CDR) platform, utilizing its Security Graph, and Google Cloud's Security Command Center (SCC). The purpose is to merge threat detection data from SCC with existing cloud risk context (vulnerabilities, misconfigurations, network exposure) provided by Wiz to enhance threat investigation, context prioritization, and incident response efficiency for cloud workloads.
## Technical Details
- **Type:** Security Capability / Platform Integration
- **Platform:** Primarily Google Cloud workloads, enhanced by Wiz's multi-cloud context capabilities.
- **Capabilities:** Correlates threat events (e.g., brute force alerts from SCC) with existing cloud risks (e.g., critical vulnerabilities, public exposure, lateral movement paths) to provide high-fidelity, contextualized threat prioritization.
- **First Seen:** Not specified in the text (the announcement is recent relative to the article publication).
## MITRE ATT&CK Mapping
Since this is an advancement in detection and response technology, it relates primarily to defensive capabilities, which map only broadly to the **Detection** tactic; mappings for the *detection* process itself are therefore generalized:
- **TA0014 - Operational Command and Control** (Indirectly, by improving C2 detection context)
- **TA0005 - Defense Evasion** (Indirectly, by improving speed of response against evasive threats)
- **TA0040 - Impact** (Specifically by reducing MTTR and blast radius)
*Note: Direct mapping to T-numbers representing offensive techniques is not applicable as this is a defensive enhancement.*
## Functionality
### Core Capabilities
- **Efficient Threat Investigation:** Provides a unified data layer and visibility across cloud risks, events, and threats for Google Cloud and multi-cloud environments, allowing rapid understanding of a threat's impact and blast radius.
- **Focused Threat Response:** Correlates detected threats with underlying cloud risk factors (misconfigurations, vulnerabilities, network exposure, secrets, permissions) to create a single, prioritized queue of issues for remediation.
- **Contextual Prioritization:** Uses the Security Graph to illustrate complex risk scenarios, such as a brute force attack targeting a publicly exposed VM with a critical vulnerability that has a lateral path to an administrative role.
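The correlation described above, as an added illustration that is not Wiz or Google Cloud code: an SCC-style brute-force finding is joined to a small constructed asset graph (public exposure, highest CVSS, permission edges), a breadth-first search checks for a lateral path to an admin role, and the findings are emitted as one prioritized queue. The graph shape, field names and additive scoring weights are assumptions made for the example.

```python
from collections import deque

# Constructed sample data (not from Wiz or Google Cloud APIs): a tiny
# asset graph in the spirit of a security graph, plus two SCC-style
# detection findings. Edges model "can act as / can assume".
ASSETS = {
    "vm-web-1": {"exposed": True, "max_cvss": 9.8, "edges": ["sa-web"]},
    "vm-batch-2": {"exposed": False, "max_cvss": 5.3, "edges": []},
    "sa-web": {"exposed": False, "max_cvss": 0.0, "edges": ["role-project-admin"]},
    "role-project-admin": {"admin": True, "exposed": False, "max_cvss": 0.0, "edges": []},
}
FINDINGS = [
    {"id": "f-1", "category": "Brute Force: SSH", "resource": "vm-web-1", "severity": "MEDIUM"},
    {"id": "f-2", "category": "Brute Force: SSH", "resource": "vm-batch-2", "severity": "MEDIUM"},
]
SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def lateral_path_to_admin(graph, start):
    """Breadth-first search over the graph; return the path to an admin role or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        node = graph[path[-1]]
        if node.get("admin"):
            return path
        for nxt in node["edges"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def contextualize(finding, graph):
    """Attach the asset's risk context to a detection and score it.
    The additive weights are an illustrative assumption, not a vendor formula."""
    asset = graph[finding["resource"]]
    path = lateral_path_to_admin(graph, finding["resource"])
    score = SEVERITY[finding["severity"]]
    score += 2 if asset["exposed"] else 0          # reachable from the internet
    score += 2 if asset["max_cvss"] >= 9.0 else 0  # critical vulnerability present
    score += 3 if path else 0                       # lateral path to an admin role
    return {**finding, "exposed": asset["exposed"], "max_cvss": asset["max_cvss"],
            "admin_path": path, "priority": score}

def prioritized_queue(findings, graph):
    """One queue of contextualized findings, highest priority first."""
    return sorted((contextualize(f, graph) for f in findings),
                  key=lambda f: f["priority"], reverse=True)

if __name__ == "__main__":
    for item in prioritized_queue(FINDINGS, ASSETS):
        print(item["priority"], item["id"], item["resource"], item["admin_path"])
```

Two identical brute-force alerts end up far apart in the queue: the one on the exposed, critically vulnerable VM with a path to a project-admin role ranks first, which is the kind of separation the text attributes to graph context.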
### Advanced Features
- **Automated Incident Response:** Supports automation of cloud-native response actions using Google Cloud playbooks to investigate and isolate affected resources at scale.
- **10x Improvement in Analysis Time:** Claims significant efficiency gains by reducing the manual analysis time spent by SOC/IR teams on alerts.
## Indicators of Compromise
This section generally does not apply, as the subject is a security integration rather than malware or an intrusion set. The text references only the example events surfaced by the correlation:
- **File Hashes:** N/A
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:** None given. The example scenario describes an affected VM that was **publicly exposed to the internet**.
- **Behavioral Indicators:** Detection of **brute force attacks** (via SCC), identification of **lateral movement path** findings.
## Associated Threat Actors
N/A. This describes a synergy between Google Cloud and Wiz to defend against various threat actors.
## Detection Methods
The integration enhances existing detection engines:
- **Signature-based detection:** Leverages existing SCC detections (e.g., for brute force).
- **Behavioral detection:** The Wiz CDR capability adds behavioral context by analyzing asset state and lateral movement potential against detected events.
- **YARA rules:** N/A
## Mitigation Strategies
The platform aims to improve existing mitigation/response actions:
- **Prevention measures:** Faster remediation based on prioritized risk context reduces the window of opportunity for attackers. Automated response using Google Cloud playbooks aids in isolation.
- **Hardening recommendations:** Integration helps security teams quickly identify and prioritize hardening steps (patching vulnerabilities, closing network exposure, limiting permissions) that have the maximum impact on reducing the threat's blast radius.
## Related Tools/Techniques
- Google Cloud Security Command Center (SCC)
- Cloud Detection and Response (CDR)