3 steps to detect and remediate security anomalies with Cloud Anomaly Detection


Editor's Note: This is the third blog in our six-part series on how to use Cloud Security Command Center. There are links to the first two blogs in the series at the end of this post. 

When a threat is detected, every second counts. But sometimes it can be difficult to know whether a threat is present or how to respond. Cloud Anomaly Detection is a built-in Cloud Security Command Center (Cloud SCC) feature that uses behavioral signals to detect security abnormalities, such as leaked credentials or unusual activity, in your GCP projects and virtual machines. In this blog, and the accompanying video, we’ll look at how to enable Cloud Anomaly Detection and quickly respond to threats.

1. Enable Cloud Anomaly Detection from Cloud Security Command Center
Cloud Anomaly Detection is not turned on by default. You need to go to Security Sources from the Cloud SCC dashboard and activate it. Keep in mind that to enable a security source you need the Organization Administrator Cloud IAM role. Once it's turned on, findings are automatically surfaced and displayed in the Cloud Anomaly Detection card on the Cloud Security Command Center dashboard.

[Screenshot: Enable Cloud Anomaly Detection]

2. View findings in Cloud Security Command Center

Cloud Anomaly Detection can surface a variety of anomalous findings, including:

  • Leaked service account credentials: GCP service account credentials that are accidentally leaked online or compromised.
  • Resource used for outbound intrusion: One of the resources or GCP services in your organization is being used for intrusion activities, such as an attempt to break into or compromise a target system. These include SSH brute-force attacks, port scans, and FTP brute-force attacks.
  • Potential compromised machine: A potential compromise of a resource in your organization.
  • Resource used for crypto mining: Behavioral signals around a VM in your organization indicate that it might have been compromised and could be getting used for crypto mining.
  • Unusual Activity/Connection: Unusual activity from a resource in your organization.
  • Resource used for phishing: One of the resources or GCP services in your organization is being used for phishing.

3. Remediate findings from Cloud Security Command Center
After Cloud Anomaly Detection generates a finding, you can click on the finding for more information about what happened and use that information to fix the security issue.

[Screenshot: Remediate findings]
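The three steps above (enable the source, view the findings, remediate) can be backed by a small triage script once findings are exported from Cloud SCC, for example with `gcloud scc findings list ... --format=json`. The example below is added here and is not Google's code or part of the original post. It assumes findings arrive as JSON objects shaped like the Security Command Center v1 Finding resource (`name`, `category`, `resourceName`, `state`, `eventTime`); the category strings, the priority/response playbook and the sample findings are all constructed for the example and follow the finding types named in the post, so the real category values emitted by Cloud Anomaly Detection may differ.

```python
"""Triage Cloud Anomaly Detection findings exported from Cloud SCC.

Added example, not Google's code. Assumes findings were exported as JSON in the
shape of the Security Command Center v1 Finding resource. The category strings,
playbook and sample findings are constructed for this example.
"""
from collections import Counter
from datetime import datetime

# Constructed playbook: category -> (priority, first response). Lower priority
# number is more urgent. Labels follow the finding types listed in the post;
# the strings Cloud Anomaly Detection actually emits may differ (assumption).
PLAYBOOK = {
    "leaked_service_account_credentials": (
        1, "Disable and rotate the service account key; review recent key usage in Cloud Audit Logs"),
    "potential_compromised_machine": (
        1, "Isolate the VM from the network; snapshot its disks for forensics"),
    "resource_used_for_outbound_intrusion": (
        2, "Block egress with a firewall rule; identify the process generating the traffic"),
    "resource_used_for_crypto_mining": (
        2, "Stop the VM; check startup scripts and instance metadata for unauthorized changes"),
    "resource_used_for_phishing": (
        2, "Take the resource offline; remove hosted content and revoke public access"),
    "unusual_activity": (
        3, "Review Cloud Audit Logs for the principal and resource; confirm with the owner"),
}

# Constructed sample findings (organization, source and project ids are placeholders).
SAMPLE_FINDINGS = [
    {"name": "organizations/123/sources/456/findings/f1",
     "category": "resource_used_for_crypto_mining",
     "resourceName": "//compute.googleapis.com/projects/demo/zones/us-central1-a/instances/web-1",
     "state": "ACTIVE", "eventTime": "2019-05-01T10:00:00Z"},
    {"name": "organizations/123/sources/456/findings/f2",
     "category": "leaked_service_account_credentials",
     "resourceName": "//iam.googleapis.com/projects/demo/serviceAccounts/ci-bot@demo.iam.gserviceaccount.com",
     "state": "ACTIVE", "eventTime": "2019-05-01T12:30:00Z"},
    {"name": "organizations/123/sources/456/findings/f3",
     "category": "unusual_activity",
     "resourceName": "//compute.googleapis.com/projects/demo/zones/us-central1-a/instances/db-1",
     "state": "INACTIVE", "eventTime": "2019-04-30T08:00:00Z"},
    {"name": "organizations/123/sources/456/findings/f4",
     "category": "resource_used_for_outbound_intrusion",
     "resourceName": "//compute.googleapis.com/projects/demo/zones/us-central1-a/instances/batch-7",
     "state": "ACTIVE", "eventTime": "2019-05-01T09:00:00Z"},
    {"name": "organizations/123/sources/456/findings/f5",
     "category": "some_new_category",
     "resourceName": "//compute.googleapis.com/projects/demo/zones/us-central1-a/instances/test-2",
     "state": "ACTIVE", "eventTime": "2019-05-01T08:00:00Z"},
]


def _event_time(finding):
    """Parse the RFC 3339 eventTime ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(finding["eventTime"].replace("Z", "+00:00"))


def triage(findings):
    """Return ACTIVE findings as work items, most urgent first, oldest first within a priority.

    Findings whose category is not in the playbook are kept (priority 4) rather than
    dropped, so an unknown category never silently disappears from the queue.
    """
    rows = []
    for finding in findings:
        if finding.get("state") != "ACTIVE":
            continue  # already resolved or muted; not part of the work queue
        priority, action = PLAYBOOK.get(finding["category"], (4, "Unknown category: review manually"))
        rows.append({
            "finding": finding["name"],
            "resource": finding["resourceName"],
            "category": finding["category"],
            "priority": priority,
            "action": action,
            "event_time": _event_time(finding),
        })
    rows.sort(key=lambda r: (r["priority"], r["event_time"]))
    return rows


def summarize(findings):
    """Count ACTIVE findings per category, for the dashboard-style overview."""
    return Counter(f["category"] for f in findings if f.get("state") == "ACTIVE")


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(f"P{row['priority']} {row['category']:<40} {row['resource']}\n    -> {row['action']}")
    print(dict(summarize(SAMPLE_FINDINGS)))
```

Feed it the exported findings in place of `SAMPLE_FINDINGS` and the queue comes out ordered the way a responder would work it: the leaked credential first, then the active VM findings in event order, with inactive findings dropped and unknown categories kept at the back for manual review.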

To learn more about Cloud Anomaly Detection, including how to turn it on and how it can help your organization, check out the video below.