Security Operations on Google Cloud Platform

Cybersecurity attacks continue to make headlines in the news.  Our personal and business information is spread across many different cloud platforms.  Protecting this information from ransomware, brute force, injection, and man-in-the-middle attacks through proactive hunting, recognition, and resolution is paramount.

With Google’s announcement of the Siemplify acquisition, Google has strengthened its position in the area of cloud security operations.

What is a SIEM and SOAR? 

Before talking specifically about Google’s cloud security capabilities, it is important to understand the role of SIEM and SOAR within Security Operations.  A security information and event management (SIEM) system is a solution within a security operations center that gathers logs and events from the various appliances and software in an information technology infrastructure.  The SIEM then reviews these logs and events for potential threats by searching for behavior that departs from best practices or appears anomalous or atypical.  Without a SIEM, security operations personnel would need to review each of these log and event files manually.  Since companies generate thousands of log and event files, that approach invites mistakes as fatigue sets in while scrolling through them.  A SIEM picks out the logs and events that could be a threat, and security personnel can then investigate those potential threats.  This decreases the time to recognize a threat or vulnerability and allows the security operations team to be more efficient and effective in their investigations.

A security orchestration, automation and response (SOAR) solution complements a SIEM.  SOAR solutions add automation to the response to events that the SIEM has identified as potential threats by initiating a workflow.  An example would be an activity log showing that a device has been accessed from a location that has been flagged as a threat: the SOAR can initiate a workflow to take that device offline and send an alert to the security operations response team to investigate.

Working together, these two solutions extend a company’s ability to detect and respond to potential threats more rapidly and with less human intervention. Let’s take a deeper look at the solutions that make up Google Cloud Security Operations.
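To make the SIEM/SOAR hand-off described above concrete, here is an added example (not code from the post, Chronicle or Siemplify) of a minimal detection that feeds a playbook: the log format, the flagged-location watchlist and the action names are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample access-log lines (not real data): timestamp, device,
# user, source country and outcome, in a simple key=value format.
SAMPLE_LOGS = """\
2024-01-05T08:01:12Z device=laptop-17 user=alice src_country=US result=success
2024-01-05T08:03:40Z device=laptop-17 user=alice src_country=XX result=success
2024-01-05T08:04:02Z device=srv-db-02 user=svc_backup src_country=YY result=failure
2024-01-05T08:05:55Z device=laptop-09 user=bob src_country=GB result=success
2024-01-05T08:06:10Z device=laptop-17 user=alice src_country=XX result=success
"""

# Hypothetical watchlist of flagged source locations (placeholder codes).
FLAGGED_LOCATIONS = {"XX", "YY"}

@dataclass(frozen=True)
class Event:
    ts: str
    device: str
    user: str
    src_country: str
    result: str

def parse_logs(text: str) -> list[Event]:
    """SIEM ingest: turn raw key=value lines into structured events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(ts, kv["device"], kv["user"], kv["src_country"], kv["result"]))
    return events

def detect(events: list[Event]) -> list[Event]:
    """SIEM detection: a successful access from a flagged location is a potential threat."""
    return [e for e in events if e.src_country in FLAGGED_LOCATIONS and e.result == "success"]

def playbook(alerts: list[Event]) -> list[dict]:
    """SOAR playbook: isolate each affected device once, then notify the SOC per alert."""
    actions, isolated = [], set()
    for e in alerts:
        if e.device not in isolated:          # avoid issuing duplicate isolation actions
            isolated.add(e.device)
            actions.append({"action": "isolate_device", "device": e.device})
        actions.append({"action": "notify_soc", "device": e.device,
                        "summary": f"{e.user} accessed {e.device} from flagged location {e.src_country} at {e.ts}"})
    return actions
```

Running `playbook(detect(parse_logs(SAMPLE_LOGS)))` yields one isolation action for laptop-17 and two SOC notifications; the failed attempt from srv-db-02 is left for other detections rather than triggering isolation.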

Google Cloud Security Operations

As mentioned in the previous section, security operations are generally made up of SIEM and SOAR solutions that collect, detect, investigate, and respond to vulnerabilities and threats within cloud and hybrid infrastructure.  For a SIEM and SOAR to be successful, activity, event, and audit logs need to be brought into these solutions.  Google captures this information through its Stackdriver solution. Log information and telemetry data from Google Cloud Platform’s network, compute, and data solutions are collected and stored in Google Cloud Storage.  How that information is used to detect, investigate, and respond to potential threats is an important piece of cloud security operations.

Google integrates the power of BigQuery with its Chronicle security platform to continuously analyze these logs to detect and investigate possible vulnerabilities and threats.

In addition to the Security Operations capabilities of Chronicle, Google Cloud Platform also provides other services to secure, protect, and monitor data.  These include:

  • Data Loss Prevention
  • Identity-Aware Proxy
  • Cloud Armor
  • Cloud Security Scanner

Security Command Center provides a security dashboard for viewing compute, networking, and data assets, with monitoring and alerts for potential vulnerabilities and anomalous behavior, so that a company can remediate its controls before these vulnerabilities are exploited.

These security solutions, along with Siemplify on Chronicle, provide an in-depth portfolio for managing cloud platform security and cloud security operations.  Let’s discuss Siemplify and its integration with Chronicle.

Siemplify integrated with Chronicle

Siemplify is a cloud-based SOAR solution that can simplify the management of security operations for an organization.  As stated above, SIEM solutions like Chronicle ingest and analyze log data for anomalous or suspicious events and activity in order to identify and alert on potential threats.  Without a SOAR solution integrated with the SIEM, security operations personnel would need to respond by hand to events that could easily be remediated with automation.  Siemplify can automate these tasks and workflows so that security operations personnel can focus on more complex investigation and response.  Below are the ways that Siemplify does this.

  • Security operations management from a single platform.  Siemplify can manage the case creation as well as the investigation through remediation within the cloud-native dashboard.  This dashboard provides the security operations team with insights into log data, status of active investigations, and management of automation playbooks for remediation of incidents.
  • Automation playbooks provide an ability to build repeatable processes to orchestrate tasks with the tools provided.  These tools automate these workflows with a simple drag and drop setup to decrease response times and allow personnel to focus on more complex tasks.
  • Understand performance of the Security Operations Center (SOC).  Siemplify provides data-driven information on performance SLAs, mean time to respond (MTTR), and analysis of the events that are creating false positives, allowing the SOC to adjust and improve its performance.

Siemplify combines intuitive event analysis with increased SOC productivity.  Combined with Chronicle’s integration with BigQuery analytics, this strengthens security operations within the tools available on Google Cloud Platform.

How Cloudreach, an Atos company, can help

Cloudreach has been named the Google Cloud Security Partner of the Year for the past three years and can help you with your security operations needs.  Our Google Cloud Engineers can discuss your cloud security approach and how you are structuring your security posture management and security operations.