Today’s Cloud IT Security experts are overwhelmed in their fast-paced departments. They are the protectors against malicious activity from persistent threats and incorrectly configured cloud resources. Most have relied on stand-alone security information event management (SIEM) systems to aggregate log data from many sources for event correlation, detection, and incident response. However, these legacy SIEM solutions are unable to scale to accommodate increasing data volumes and the growing number of cloud data sources. In turn, the process of identifying, investigating and tracking these incidents have failed to keep up with the complexities of cloud computing. Companies have been experiencing a growing visibility gap and insufficient repeatable automation that prevent IT Security from achieving their goals in threat detection, response, and vulnerability management.
Enter Google’s Security Command Center (SCC), a one-stop shop for security and risk management platform for GCP with out-of-the-box detection and response capabilities for greater visibility. SCC allows you to gain centralized visibility of cloud assets, identify security configurations and detect threats using streamlined log aggregation running in GCP at scale. I must say, it is an amazing tool for stopping bad actors before attacks escalate into breaches.
A comprehensive approach to solving this problem is to automate processes and workflows from (identification) SCC into Gitlab (Tracking). In between these two endpoints are automated and human workflows that speed up the linking of the processes involved. By applying filters (Critical-High-Medium-Low) for active vulnerabilities in SCC the GCP Messaging service Pub/Sub can ingest these filter events at accelerated speeds and publish them in near real-time when alerts are generated. Server-less compute services such as Cloud Functions will quickly and logically process the input from Pub/Sub topics. The Cloud Function will also communicate rapidly with the GITLabs API and perform the following processes:
At this stage the human workflow GITLab Maintainers adhere to standard SLA Policies describing timeframes for resolving vulnerabilities. These Maintainers also analyze and decide whether the vulnerability is legitimate or not. More Importantly, Vulnerability Exceptions come into play and are an integral part of the workflow as they require a written approval from IT Security. At this stage additional mitigating risk controls can be discussed to compensate for a possible rejection of the Vulnerability Exception. Through the back and forth communications between the business unit and IT Security, a time frame and compromise will be agreed upon so that vulnerability fixes will be efficiently implemented.
A third and final workflow is executed via SCC Mute Rules which allows the IT Security staff to decide on either applying bulk or individual mute rules based on severity, validity and additional criteria being met. This essentially disables the noise within the SCC console on similar SCC findings. Finally, with the speedy click of a mouse button, IT Security can transform 100s or 1000s of reviewed SCC findings into resolved issues thereby responsibly enhancing the security posture of a company’s Google Cloud Platform.
LucidPoint Cloud Engineer