Azure – General availability: MySQL extension for Azure Data Studio
Connect to, query, and develop for MySQL hosted on-premises or in the cloud with the MySQL extension for Azure Data Studio.
Read More for the details.
VGads V620 series virtual machines (VMs), now in public preview in the East US 2, West Europe, and West US 3 regions, enable service providers to build differentiated cloud gaming experiences.
Read More for the details.
Public preview of Azure Virtual Desktop Insights powered by Azure Monitor Agent in Azure Virtual Desktop.
Read More for the details.
Improve the performance of your database with query performance insight for Azure Database for PostgreSQL – Flexible Server.
Read More for the details.
We are thrilled to announce the public preview of Azure Cosmos DB and Azure SQL resolvers for GraphQL in Azure API Management.
Read More for the details.
We are excited to announce that Azure VMware Solution has gone live in North Switzerland and is now available to customers.
Read More for the details.
Review upcoming service and feature retirements and their impact on your workloads using the new Service Retirement workbook template which is available in Azure Advisor.
Read More for the details.
Customers can now apply two independent layers of server-side encryption to objects in Amazon S3. Dual-layer server-side encryption with keys stored in AWS Key Management Service (DSSE-KMS) is designed to meet National Security Agency CNSSP 15 for FIPS compliance and Data-at-Rest Capability Package (DAR CP) Version 5.0 guidance for two layers of CNSA encryption. Amazon S3 is the only cloud object storage service where customers can apply two layers of encryption at the object level and control the data keys used for both layers. S3 features such as DSSE-KMS are vetted and accepted for use on top-secret workloads, which benefits all customers globally.
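The announcement above describes the two-layer option without showing how a team would require it or verify it on existing objects. The following is an added example, not code from AWS: it builds a bucket policy that denies uploads not requesting DSSE-KMS, prepares the `put_object` arguments that do request it, and audits object metadata for the number of encryption layers. Assumptions (labelled in the code): the `ServerSideEncryption` value for DSSE-KMS is `aws:kms:dsse` and the bucket-policy condition key is `s3:x-amz-server-side-encryption`; the object metadata is a constructed stand-in for `head_object` responses, and the bucket name and KMS key ARN are placeholders.

```python
"""Require and verify dual-layer server-side encryption (DSSE-KMS) on S3 objects.

Added example, not from the announcement. Assumptions: the S3 ServerSideEncryption
value for DSSE-KMS is 'aws:kms:dsse' and the bucket-policy condition key is
's3:x-amz-server-side-encryption'. SAMPLE_OBJECTS is constructed metadata standing
in for head_object responses; bucket name and key ARN are placeholders.
"""
import json

DSSE_KMS = "aws:kms:dsse"   # two layers, both keyed from AWS KMS
SSE_KMS = "aws:kms"         # one layer with a customer KMS key
SSE_S3 = "AES256"           # one layer with S3-managed keys


def deny_non_dsse_policy(bucket_name):
    """Bucket policy that rejects PutObject unless the request asks for DSSE-KMS."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RequireDualLayerKmsEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": DSSE_KMS}
            },
        }],
    }


def put_object_args(bucket_name, key, body, kms_key_arn):
    """Keyword arguments for boto3 s3.put_object that request DSSE-KMS."""
    return {"Bucket": bucket_name, "Key": key, "Body": body,
            "ServerSideEncryption": DSSE_KMS, "SSEKMSKeyId": kms_key_arn}


def encryption_layers(head_object_response):
    """Number of server-side encryption layers, judged from object metadata."""
    sse = head_object_response.get("ServerSideEncryption")
    if sse == DSSE_KMS:
        return 2
    if sse in (SSE_KMS, SSE_S3):
        return 1
    return 0


def audit(objects, required_layers=2):
    """Keys of objects that fall short of the required number of layers."""
    return [key for key, meta in objects.items()
            if encryption_layers(meta) < required_layers]


# Constructed metadata for three objects (stand-ins for head_object responses).
SAMPLE_OBJECTS = {
    "reports/q1.csv": {"ServerSideEncryption": DSSE_KMS,
                       "SSEKMSKeyId": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"},
    "reports/q2.csv": {"ServerSideEncryption": SSE_KMS,
                       "SSEKMSKeyId": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"},
    "tmp/scratch.bin": {},  # constructed: no ServerSideEncryption field at all
}

if __name__ == "__main__":
    print(json.dumps(deny_non_dsse_policy("example-bucket"), indent=2))
    print("below two layers:", audit(SAMPLE_OBJECTS))
```

The deny statement enforces the setting at upload time; the audit covers objects written before the policy existed, which is where a compliance gap usually hides.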
Read More for the details.
Amazon Detective has expanded finding groups to include Amazon Inspector network reachability and software vulnerability findings alongside Amazon GuardDuty findings. The combined threats and vulnerabilities help security analysts prioritize where they should focus their time by answering questions like “was this EC2 instance compromised because of a software vulnerability?” or “did this GuardDuty finding occur because of unintended network exposure?”
Read More for the details.
Today, AWS announces the AWS Global Security Initiative, which gives Global System Integrator (GSI) partners the opportunity to jointly develop innovative and transformational security and compliance services with AWS, delivering on the promise of actionable security data by leveraging the power of generative AI. The initiative focuses on security services and managed services for multi-cloud enterprises seeking cyber-resilient environments to reduce risk and meet regulatory obligations.
Read More for the details.
Amazon Inspector now offers the ability to export consolidated software bills of materials (SBOMs) for all Amazon Inspector monitored resources across your organization in industry-standard formats, including CycloneDX and SPDX. With this new capability, you can use automated and centrally managed SBOMs to gain visibility into key information about your software supply chain, including the software packages used in each resource and their associated vulnerabilities. After Amazon Inspector exports the SBOMs to an Amazon S3 bucket, you can download the SBOM artifacts and use Amazon Athena or Amazon QuickSight to analyze and visualize software supply chain trends. The capability is available with a few clicks in the Amazon Inspector console or through the Amazon Inspector APIs. SBOM exports are offered at no additional cost.
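Once an SBOM is in the bucket, the useful question is which components carry which vulnerabilities. The following is an added example, not Amazon Inspector's code or output: it parses a CycloneDX JSON document, joins each vulnerability to the components it affects through the `affects[].ref` links, and lists components at or above a chosen severity. The SBOM embedded below is constructed for the example (component names, versions and the vulnerability id are placeholders, not a real Inspector export); the field names follow the CycloneDX JSON schema.

```python
"""Summarize a CycloneDX JSON SBOM: which components carry which vulnerabilities.

Added example. SAMPLE_SBOM is a constructed, minimal CycloneDX-style document,
not an Amazon Inspector export; the vulnerability id is a placeholder.
"""
import json
from collections import defaultdict

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.25.0",
         "name": "requests", "version": "2.25.0",
         "purl": "pkg:pypi/requests@2.25.0"},
        {"type": "library", "bom-ref": "pkg:pypi/urllib3@1.26.5",
         "name": "urllib3", "version": "1.26.5",
         "purl": "pkg:pypi/urllib3@1.26.5"},
    ],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1",  # placeholder id, not a real CVE
         "ratings": [{"severity": "high", "score": 7.5}],
         "affects": [{"ref": "pkg:pypi/urllib3@1.26.5"}]},
    ],
})

# CycloneDX severity vocabulary, ranked so the worst rating can be chosen.
SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1,
                  "info": 0, "none": 0, "unknown": 0}


def load_cyclonedx(text):
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def vulnerabilities_by_component(bom):
    """Map bom-ref -> [(vulnerability id, worst severity)] via affects[].ref."""
    out = defaultdict(list)
    for vuln in bom.get("vulnerabilities", []):
        worst = max((r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])),
                    key=lambda s: SEVERITY_ORDER.get(s, 0), default="unknown")
        for affected in vuln.get("affects", []):
            out[affected["ref"]].append((vuln["id"], worst))
    return out


def summarize(text, min_severity="medium"):
    """Components with at least one finding at or above min_severity, worst first."""
    bom = load_cyclonedx(text)
    by_ref = vulnerabilities_by_component(bom)
    threshold = SEVERITY_ORDER[min_severity]
    rows = []
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl")
        hits = [(vid, sev) for vid, sev in by_ref.get(ref, [])
                if SEVERITY_ORDER.get(sev, 0) >= threshold]
        if hits:
            rows.append({"name": comp["name"], "version": comp.get("version"),
                         "purl": comp.get("purl"),
                         "worst": max(SEVERITY_ORDER.get(sev, 0) for _, sev in hits),
                         "vulns": [vid for vid, _ in hits]})
    rows.sort(key=lambda r: r["worst"], reverse=True)
    return rows


def component_count(text):
    return len(load_cyclonedx(text).get("components", []))


if __name__ == "__main__":
    for row in summarize(SAMPLE_SBOM):
        print(row)
```

Joining on `bom-ref` rather than on name and version is deliberate: the same package can appear several times in one SBOM (different layers, different paths), and the reference is the only stable key.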
Read More for the details.
Amazon Inspector now supports code scanning of Lambda functions, expanding the existing capability to scan Lambda functions and associated layers for software vulnerabilities in application package dependencies. With this expanded capability, Amazon Inspector now also scans your custom proprietary application code within a Lambda function for code security vulnerabilities such as injection flaws, data leaks, weak cryptography, or missing encryption based on AWS security best practices. Upon detecting code vulnerabilities within the Lambda function or layer, Amazon Inspector generates actionable security findings that provide several details, such as security detector name, impacted code snippets, and remediation suggestions to address vulnerabilities. All findings are aggregated in the Amazon Inspector console and seamlessly routed to AWS Security Hub, and pushed to Amazon EventBridge to automate workflows.
Read More for the details.
Today, AWS is announcing the general availability of Amazon Verified Permissions, a service for fine-grained authorization and permissions management for applications that you build. Verified Permissions uses Cedar, an open-source language for access control, which lets you define permissions as easy-to-understand policies. Use Verified Permissions to support role- and attribute-based access control in your applications.
Read More for the details.
With EC2 Instance Connect Endpoint (EIC Endpoint), customers now have SSH and RDP connectivity to their EC2 instances without using public IP addresses. In the past, customers assigned public IPs to their EC2 instances for remote connectivity. With EIC Endpoints, customers can connect remotely to instances in private subnets, eliminating the need for public IPv4 addresses.
Read More for the details.
Azure Front Door supports using a managed identity to access Key Vault without the need to generate, store, and rotate secrets, providing a secure service-to-service authentication method.
Read More for the details.
Google Cloud provides multiple layers of security to help customers stay ahead of evolving threats and keep their cloud workloads safe. Today at our annual Security Summit, we are excited to announce the general availability of Secure Web Proxy, a new cloud-first network security offering that provides web egress traffic inspection, protection, and control. Secure Web Proxy (Cloud SWP) can help networking and security teams implement Zero Trust networking principles, discover malicious activity, and support forensic investigations.
You configure workloads to use Secure Web Proxy as a gateway. Web requests can originate from virtual machine (VM) instances, containers, serverless environments, and workloads outside of Google Cloud connected by Cloud VPN or Cloud Interconnect. Policies and rules in Cloud SWP will be applied to traffic sent from these workloads to the internet.
Cloud SWP helps organizations enforce granular access policies, limiting egress web traffic based on source, identity, destination, or request type. With Cloud SWP you can create policies with Google Cloud Identity and Access Management (IAM) context, using service accounts and secure tags to block egress. For example, you can set a policy that limits a service account to sending traffic to a specific outbound destination.
Secure Web Proxy offers a scalable TLS inspection service that lets you intercept TLS traffic, inspect the encrypted request, and enforce your policies. Cloud SWP integrates with Cloud Logging to record metrics and transaction logs for requests handled by the proxy.
Many organizations employ a proxy like Cloud SWP to programmatically restrict workload access to only trusted external web services.
You can also use Cloud SWP to monitor outbound access. The proxy identifies traffic that doesn’t conform to policy and logs it to Cloud Logging. This allows you to monitor internet usage and to discover and disrupt threats on your network by spotting command and control traffic or anomalous data transfers. Logs can also be used in forensics to investigate security events and incidents involving egress web traffic.
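The two preceding passages describe per-identity egress policies and the monitoring that the proxy's transaction logs make possible. The following is an added example, not Google's code and not the Cloud SWP log format: it runs three defender-side checks over proxy log records, counting policy denials per service account, finding allowed requests whose destination is outside the identity's intended allowlist (the enforced policy is looser than the intended one), and totalling bytes sent per identity and host to surface unusually large transfers. The log lines use a simplified, constructed schema (`ts`, `sa`, `host`, `action`, `bytes_sent`) and the allowlist is hypothetical; adapting it to the real Cloud Logging record shape is left to the reader.

```python
"""Triage egress-proxy transaction logs: denials, off-policy destinations, volume.

Added example. SAMPLE_LOGS is constructed with a simplified schema and does not
reproduce the real Cloud SWP log format; ALLOWED_HOSTS is a hypothetical
per-identity allowlist standing in for the intended egress policy.
"""
import json
from collections import Counter, defaultdict

# Constructed proxy transaction logs, one JSON object per line.
SAMPLE_LOGS = """\
{"ts": "2023-06-13T10:00:01Z", "sa": "app@example-project.iam.gserviceaccount.com", "host": "pypi.org", "action": "ALLOW", "bytes_sent": 512}
{"ts": "2023-06-13T10:00:05Z", "sa": "app@example-project.iam.gserviceaccount.com", "host": "updates.example.com", "action": "ALLOW", "bytes_sent": 1024}
{"ts": "2023-06-13T10:01:10Z", "sa": "app@example-project.iam.gserviceaccount.com", "host": "paste.example.net", "action": "DENY", "bytes_sent": 0}
{"ts": "2023-06-13T10:01:12Z", "sa": "app@example-project.iam.gserviceaccount.com", "host": "paste.example.net", "action": "DENY", "bytes_sent": 0}
{"ts": "2023-06-13T10:02:00Z", "sa": "batch@example-project.iam.gserviceaccount.com", "host": "storage.example.org", "action": "ALLOW", "bytes_sent": 52428800}
{"ts": "2023-06-13T10:03:00Z", "sa": "batch@example-project.iam.gserviceaccount.com", "host": "storage.example.org", "action": "ALLOW", "bytes_sent": 41943040}
"""

# Hypothetical intended policy: each service account may reach only these hosts.
ALLOWED_HOSTS = {
    "app@example-project.iam.gserviceaccount.com": {"pypi.org"},
    "batch@example-project.iam.gserviceaccount.com": {"storage.example.org"},
}


def parse_logs(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def denied_by_identity(records):
    """DENY decisions per service account; repeated denials point at a
    misconfigured workload or at something looking for a way out."""
    return Counter(r["sa"] for r in records if r["action"] == "DENY")


def off_policy_allowed(records, allowlist):
    """Allowed requests to hosts outside the identity's intended allowlist,
    i.e. places where the enforced rules are looser than the intended policy."""
    return [(r["sa"], r["host"]) for r in records
            if r["action"] == "ALLOW"
            and r["host"] not in allowlist.get(r["sa"], set())]


def egress_volume(records, threshold_bytes):
    """Bytes sent per (identity, host); pairs above the threshold are
    candidates for a data-transfer review."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ALLOW":
            totals[(r["sa"], r["host"])] += r["bytes_sent"]
    return {pair: sent for pair, sent in totals.items() if sent > threshold_bytes}


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("denials per identity:", dict(denied_by_identity(recs)))
    print("allowed but off-policy:", off_policy_allowed(recs, ALLOWED_HOSTS))
    print("high-volume pairs:", egress_volume(recs, 64 * 1024 * 1024))
```

The second check is the one teams most often skip: comparing what the proxy actually allowed against the policy the team believes it wrote is how rule drift gets caught before an incident does.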
Secure Web Proxy is another example of how Google Cloud continues to deliver built-in, cloud-first security capabilities that offer operational efficiencies for our customers.
Cloud SWP is easy to deploy and manage because it is a managed service. Unlike frequently deployed proxy solutions, it does not require users to configure virtual machines (VMs) to run and scale the proxy. Security patching is handled automatically. As your business and outbound traffic grows, Cloud SWP takes care of growing your proxy infrastructure for you.
Secure Web Proxy can also help make cloud migrations more seamless. If you are using an on-premises proxy, you can easily port the existing proxy’s policies to Cloud SWP when you migrate the app, maintaining the same egress protection in the cloud as you had on-premises.
Preview customers validated the operational and security value of implementing Cloud SWP:
“Google’s Secure Web Proxy is a powerful tool that can help businesses of all sizes protect their cloud workloads from online threats. By using the granular policy controls and TLS inspection, we are ensuring that our cloud applications only access approved external destinations. Additionally we are able to comply with data security regulations,” said David Saleh, director, Cloud Architecture and Application Security, ATB Financial.
“Secure Web Proxy has helped us to improve our security in Google Cloud. We are now able to filter outbound HTTP and HTTPS traffic from our applications. In addition, having a native solution will allow us to replace the VM-based solution we currently have, providing us with cost savings and continuing to deliver on our strategy of replacing products with cloud native services,” said Roberto Vega, cloud analyst, Carrefour.
You can get started with Cloud SWP by visiting our documentation page to learn more about Cloud SWP prerequisite requirements and configuration options. If you want to quickly evaluate Cloud SWP for your cloud environment, use the SWP evaluation guide for step-by-step instructions. Be sure to check out all our sessions at this year’s Google Cloud Security Summit.
Read More for the details.
Organizations large and small are realizing that digital transformation requires a ground-up approach to modernize security. However, that digital transformation is being threatened by increasingly disruptive cyber risks and threats. At our annual Google Cloud Security Summit today, we’re sharing the latest insights into how the threat landscape is evolving and how innovations across our portfolio, including generative AI-driven capabilities, can help organizations around the world address their most pressing security challenges.
We’ve recently announced the Google Cloud Security AI Workbench, an industry-first extensible platform powered by a specialized security large language model (LLM), Sec-PaLM 2, as well as a partnership with Accenture to use Security AI Workbench to enhance their solutions. Today, we’re announcing that Broadcom, CrowdStrike, Egnyte, Exabeam, F5, Fortinet, Netskope, Securiti, SentinelOne, Sysdig, Tenable and Thales have committed to work with Google Cloud to bring AI-based security enhancements to their respective products.
Google is constantly evolving to stay ahead of threats. We’ve been working to integrate AI into our cybersecurity products and innovations since 2011 to help defend ourselves and our users, and just published our Security AI Framework outlining our principles and guidance on how to secure AI systems. Google Cloud Security AI Workbench is fine-tuned for security use cases and powers new offerings across our product portfolio that can help organizations better prevent threats, eliminate toil, and empower our collective talent to improve our security.
While we can supercharge our own products with AI and gain scale because they are cloud-based, we can also truly empower the industry by opening our platform to security partners who share our vision for how generative AI capabilities can meaningfully address the fundamental problems we all face. Security AI Workbench allows for partner plug-in integrations to bring in additional threat intelligence, workflow, and other critical security functionality to customers, and we’ve seen an outpouring of interest from our partner ecosystem in taking advantage of platform AI capabilities since our announcement.
Generative AI has the potential to reduce the toil of repetitive tasks that plague security teams, like aggregating and enriching data from a multitude of sources to gain a more complete understanding of risks and where to focus.
Glen Pendley, chief technology officer at Tenable, said, “Tenable is excited to continue partnering with Google Cloud to combine our deep and extensive expertise in vulnerabilities and misconfigurations across the entire attack surface, with Google’s Security AI workbench, the first large language model built by security experts for security customers. This initiative will change the way that our joint customers protect their organizations and get ahead of security risk and exposure.”
AI can also help address the chronic shortage of security talent by helping non-experts to secure assets without highly specialized domain knowledge or deep tools expertise.
Alex Au Yeung, chief product officer, Symantec Enterprise Division, Broadcom, said, “Broadcom is working with Google Cloud to provide our customers with faster and more effective protections against an expanding threat landscape. Our continued collaboration will combine security AI innovations from Symantec and Google as we work to take advantage of generative AI capabilities in Google Cloud’s Security AI Workbench.”
You can learn more about our announced security partners’ AI efforts below.
We’re also continuing to deliver new built-in products and features that can help make you safer in our trusted cloud and products that bring our leading security capabilities to on-premises environments and other clouds. Today at the Google Cloud Security Summit, we’re announcing the following updates:
Chronicle TDIR for Google Cloud: Threat detection, investigation, and response (TDIR) in the cloud requires different approaches, tools, and processes compared to an on-premises environment. Unfortunately, many organizations resort to a lift-and-shift approach rooted in their legacy security operations, which results in intensive efforts that often fail to deliver expected outcomes. Our cloud-based Chronicle Security Operations platform helps enable security teams to detect, investigate, and respond to cyber threats with the speed, scale, and intelligence of Google.
We’re deepening the integration across our portfolio by introducing Chronicle TDIR for Google Cloud. Defenders can now get one-click ingestion of relevant cloud telemetry in Chronicle, and can detect cloud threats based on what Google knows, without the need for expert rule engineering. Chronicle will also correlate your cloud telemetry with intelligence that Chronicle sees so defenders can conduct more effective investigations, and significantly reduce response time through customizable playbooks.
Security Command Center attack path simulation: Security Command Center Premium, our built-in security and risk management solution for Google Cloud, is adding attack path simulation. Attack path simulation gives defenders insight into their most valuable and most vulnerable resources by mimicking how a real-world attacker could exploit security gaps to access high-value assets. Security teams will be able to better pinpoint where and how they may be attacked so they can put in place the right preventative security controls.
Unlike other attack path tools that analyze static, point-in-time snapshots of an organization’s cloud footprint, Security Command Center dynamically assesses Google Cloud resources and the current state of defenses to reduce coverage gaps and help prioritize security remediation efforts. Forthcoming enhancements will use Security AI Workbench to translate complex attack graphs to human-readable explanations of attack exposure, including impacted assets and recommended mitigations.
We also recently introduced our Cryptomining Protection Program offering up to $1 million of financial protection to Security Command Center Premium customers to help cover the compute expenses associated with undetected cryptomining attacks.
Secure Web Proxy: This new cloud-based service can help monitor and secure egress web traffic. It enables organizations to better enforce granular access policies, limiting egress based on source identity, destination, or request types. It also allows organizations to monitor access to untrusted web services and investigate security events and incidents involving egress web traffic to the Internet. Unlike existing solutions, Secure Web Proxy doesn’t have virtual machines (VMs) to set up and configure, doesn’t require software updates to maintain security, and offers elastic scaling.
reCAPTCHA Enterprise Fraud Prevention: To better secure financial transactions on applications and websites by preventing fraud with holistic bot management, account takeover, and online fraud detection, reCAPTCHA Enterprise now has a dedicated fraud prevention solution. reCAPTCHA Enterprise Fraud Prevention can help protect payment transactions by identifying targeted manual attacks and large-scale fraud attempts. It automatically trains fraud models based on behavior and transaction data to identify events that are likely fraudulent and could cause a dispute or chargeback if accepted.
Apigee Advanced API abuse detection: Apigee’s Advanced API Security gains new capabilities that can detect security threats and API misconfigurations. Currently in public preview, the new API abuse detection dashboards use ML models which have been trained on a large corpus of API traffic, honed over years of learning, and used to protect Google’s public-facing services. Using these dashboards, customers can now uncover critical API abuse incidents, including business logic attacks, scraping, and anomalies, without alert fatigue or overheads.
Passkeys support for Google Cloud and Google Workspace accounts: Passkeys are a simpler and more secure alternative to passwords that allow users to sign in with a fingerprint, face recognition, or other screen-lock mechanism across apps on phones, laptops, or desktops. In an open beta, more than 9 million organizations can allow their users to sign in to Google Workspace and Google Cloud accounts using passkeys instead of passwords.
We are proud to announce that in addition to Broadcom and Tenable, 10 more partners have agreed to bring AI-based security enhancements to their respective products.
CrowdStrike: “Security leaders are uniting to deliver the most innovative AI intelligence for cyberdefense,” said Daniel Bernard, chief business officer at CrowdStrike. “CrowdStrike is proud to partner with Google Cloud on this important AI initiative to deliver cybersecurity’s platform of choice that stops breaches.”
Egnyte: “The acceleration of generative AI in recent weeks has allowed Egnyte to bring customers new solutions to better manage and secure their content. We are excited to combine Google Cloud’s AI capabilities with Egnyte’s content to provide customers with self-service tools to classify documents, synthesize security datasets and extract answers from complex documents in a privacy-first manner,” said Amrit Jassal, co-founder and chief technology officer at Egnyte.
Exabeam: “We’re excited to be partnered with Google Cloud in today’s AI-driven revolution,” said Adam Geller, chief product officer, Exabeam. “Combining Google’s leading AI capabilities with Exabeam’s own machine learning and AI-based initiatives will benefit our New-Scale SIEM customers by making security more efficient and effective for everyone responsible for protecting their organizations.”
F5: “F5 takes advantage of Google Cloud’s AI capabilities to drive our Distributed Cloud Bot Defense service. F5’s SOC and Data Science teams add our own unique data insights to deliver class-leading functionality which enables our customers to defend against the Internet’s most sophisticated automated threats. Our teams are evaluating how Google’s new Vertex AI and the tools in Generative AI Studio will improve customer experience and make service delivery teams more efficient,” said Brian A. McHenry, vice president, Web Application and API Security at F5.
Fortinet: “At Fortinet, we understand the positive impact AI has on cybersecurity and threat prevention, which is why we built AI-powered security into our industry-leading solutions—including our offerings for Google Cloud-based environments. We’re excited to explore ways we can leverage the Google Cloud AI platform to support our joint customers,” said John Maddison, EVP of Products and CMO at Fortinet.
Netskope: “Enterprise teams can encourage the responsible use of generative AI applications if they have the right controls in place,” said John Martin, chief product officer, Netskope. “Netskope today offers the most comprehensive data protection capabilities for safely enabling the use of generative AI. We are proud to continue to work with Google Cloud AI to drive the right outcomes for AI’s role in security and networking.”
Securiti: “AI has been foundational to Securiti.ai’s Data Controls Cloud, a solution that enables organizations to leverage the incredible power of their data by providing automated and unified data controls. Google’s leading capabilities in AI, along with its Security AI Workbench, would enable further advances in the data controls for security, privacy, governance and compliance,” said Rehan Jalil, CEO, Securiti.
SentinelOne: “We are very pleased to join forces with Google to once again transform enterprise security,” said Gregor Stewart, vice president of AI at SentinelOne. “By deeply integrating generative AI technology into our platform, we will enable customers to more effectively protect their operations today and lay the foundation to defeat coming threats.”
Sysdig: “We see the tremendous potential that AI can make in up-leveling developer and security teams. We applaud Google Cloud’s AI leadership, and like Google, we believe that AI can help up-level developer and security teams. In the event of an attack, AI can help everyone better communicate and leap-frog threat actors who are also racing to use AI for their own ill-gotten gains. We’re excited to leverage Google Cloud’s AI capabilities with our unique runtime insights,” said Loris Degioanni, CTO and founder of Sysdig.
Thales: “Managing risk has grown in complexity as more organizations store their sensitive information in the cloud — often without encryption or full visibility into where that data lives. Through this collaboration, Google’s leading AI capabilities will further enhance the performance of Thales CipherTrust Intelligent Protection, which aims to solve these challenges through the discovery and classification of sensitive information,” said Todd Moore, vice president of Encryption Products at Thales. “Together, these technologies will allow for powerful, AI-backed features that automate fundamental tasks for customers and ultimately ensure their sensitive data in the cloud remains within established and secure premises.”
You can learn more about our announcements by attending the Google Cloud Security Summit, which runs today and on-demand afterwards. We look forward to helping make your organization, employees, and customers safer with Google, in the industry’s most trusted cloud or wherever your critical assets reside.
Read More for the details.
As cloud adoption continues to grow, so too does the number of cloud-born security threats. However, cloud environments can present significant opportunities to improve security with the right tools and processes in place.
When it comes to effective threat detection, investigation and response (TDIR) in the cloud, modern solutions must ensure that the entire security operations workflow — from data analysis through detection to response — is working in tandem to deliver the insights, context, and processes cyber defenders need to respond to threats with speed and precision.
At Google Cloud, we believe that modern security operations should rely less on customer engineering and more on packaged outcomes delivered by solution providers. With this in mind, we are excited to announce today at our annual Security Summit that Chronicle Security Operations now provides turnkey TDIR for Google Cloud. By integrating with our cloud-focused Security Command Center Premium (SCC) and Google Cloud telemetry, Chronicle can collect and analyze data from Google Cloud, detect and investigate threats, and automate responses to mitigate risks.
In our recent State of Cloud Threat Detection and Response Survey, 71% of respondents said that “entire classes of threats are eliminated by migrating to the cloud,” and 82% stated that “the cloud affords the ability to process more data, including on-prem data, which can improve detection across the board.”
To take advantage of all that the cloud can do for security, organizations should do more than “lift and shift” their existing security tools and processes to the cloud. The cloud presents a different attack surface, often spanning several cloud services and data repositories, each with its own attack tactics, potential misconfigurations, and context.
This update to Chronicle helps enable teams to:
Detect with confidence. Out-of-the-box detection rule sets developed by Google threat researchers surface cloud attack vectors and provide high fidelity, contextualized alerts that quickly give insight into potential threats in your Google Cloud environment.
Investigate with full context. Visualize threat storylines, complete with cloud-specific context that is correlated with additional data and context from across your environment for fast and efficient investigations.
Respond with speed and precision. Streamline workflows and automate response actions with prebuilt playbooks and best practices designed specifically for Google Cloud. Chronicle SOAR’s case management and team collaboration help ensure fast and timely response.
Simplify data ingestion. Chronicle automatically ingests, normalizes and contextualizes cloud telemetry from a variety of Google Cloud services (such as Cloud Asset Inventory, Google Kubernetes Engine, Google Compute Engine, cloud audit logs, and Cloud DLP), reducing the need for complex and time-consuming engineering.
Let’s take a closer look at how our end-to-end cloud TDIR workflow manages a potential Google Cloud attack.
Setting up cloud TDIR in Chronicle only takes a few clicks. Security Command Center’s built-in threat detection identifies attacks against Google Cloud resources. These findings, as well as audit, NAT, DNS, and firewall logs, are ingested into Chronicle to provide additional insight and context into Google Cloud threats.
Chronicle now provides detection rules for Google Cloud threats. These rules correlate SCC findings with Chronicle’s advanced detection engine to reveal the broad scope of malicious activity, giving you visibility and more contextual information into what’s going on in your environment. In our example, Chronicle alerts on suspicious activity that can indicate an attempt to exfiltrate data from BigQuery.
The new Chronicle Alert Graph surfaces key details of the primary alerts you’re investigating in seconds. By combining cloud alerts and telemetry and correlating them with vital context from other sources (such as user data, endpoint data, and threat intelligence), you can explore a visual representation of an alert’s relationship to other alerts and entities, dig into the potential attack paths, get quick summaries of implicated security artifacts, and pivot into your Google Cloud Console to take a deeper look at potentially impacted resources.
In our example, we can see a BigQuery exfiltration event tied to a customer and to a particular service account in a Google Cloud organization. The alert context below tells us more about what was impacted: cloud credentials in the form of encryption keys and email addresses were associated with the event.
Chronicle case management automatically groups any related alerts into threat-centric cases, uniting the information that matters and making it simple for you to see and understand the scope of the event.
In our example, Chronicle groups these alerts together based on common source address and username, and the case wall provides the summary of the alerts and actions that are taking place across the entire case.
Chronicle playbooks, designed specifically for Google Cloud, automate your desired response processes. In our example, when the alert was generated a playbook automatically ran through predefined steps that gathered data and enrichment, then took automated remediation steps to stop this service account and instance from continuing.
Ready to detect with confidence, investigate with broad context, respond with speed and precision, and simplify data ingestion? Chronicle Security Operations is your go-to for turnkey, end-to-end threat detection, investigation, and response on Google Cloud.
Tune in to our Security Summit session to learn more and see a demo of the new Google Cloud TDIR capabilities.
Read More for the details.
To help secure increasingly complex and dynamic cloud environments, many security teams are turning to attack path analysis tools. These tools can enable them to better prioritize security findings and discover pathways that adversaries can exploit to access and compromise cloud assets such as virtual machines, databases, and storage buckets.
Other attack path tools rely on static, point-in-time snapshots of an organization’s cloud footprint, which often contain sensitive data about their environment, how it is configured, and where the most sensitive data resides.
At Google Cloud, we are taking a different approach. We are excited to announce today at the Google Cloud Security Summit that we are adding attack path simulation to Security Command Center, our built-in security and risk management solution for Google Cloud. This new risk management capability automatically analyzes a customer’s Google Cloud environment to pinpoint where and, importantly, how vulnerable resources may be attacked, so security teams can stay one step ahead of adversaries.
We expect attack path simulation capabilities to be available in Security Command Center Premium later this summer.
Unlike some third-party security products, Security Command Center continuously scans an organization’s cloud environment gathering near real-time data about cloud resources and security vulnerabilities. Our attack path simulation engine uses this information to automatically generate and render high-risk attack paths, without the hands-on toil of having to repeatedly run manual queries.
Other attack path analysis tools involve significant operational toil. The static, point-in-time snapshots that these tools generate have to be sent to an external provider, which can add risk. Then security teams have to follow up with complex queries before they can identify likely attack paths.
Google Cloud’s advanced attack simulation engine leverages our first-party, agentless visibility of Google Cloud assets, the relationships between assets, and the current state of defenses. Attack path simulation is fully automated with no need to manually run queries. Simulations run in the Google Cloud environment, and do not send snapshots outside your environment, avoiding exposure of sensitive information.
Effective attack path analysis should mimic how a real-world attacker can reach and compromise high-value resources. This is why Security Command Center simulates how attackers try many different ways to infiltrate a cloud environment. SCC then generates attack path graphs to give defenders insight into how adversaries could exploit a single security weakness or various combinations of security vulnerabilities to access valuable assets. SCC also provides detailed information on how to remediate issues and shore up defenses based on its findings.
We are delivering combined attack path simulation and analysis as a managed service. There are no agents to install or manage. Results automatically reflect changes in your organization’s Google Cloud environment. Because our attack path simulations are conducted on models of an organization’s cloud resources, there is no performance or operational impact to the live production environment.
Security Command Center automatically computes an attack exposure score for misconfigurations and vulnerabilities that expose valuable resources to attackers. The score is a measure of cyber risk: it takes into account how exposed high-value resources are, and the paths of least resistance an attacker could take to reach them.
Security teams can use these scores to prioritize remediation efforts and improve their overall risk posture.
Dozens of customers have already used our attack path capabilities in private preview to improve their security posture and reduce their operational risk.
Security Command Center alerted one customer to a finding with a high attack exposure score. The finding was related to a service account whose keys were not being rotated. After reviewing the attack paths related to this finding, the cloud security manager discovered that even though the service account was named “test,” it provided access to storage buckets outside of the test environment.
If an attacker had been able to steal the credentials for this test account, they could easily have accessed production data. The security manager removed administrator privileges from the account. The attack path simulation enhanced their understanding of the severity of the finding, and helped convince them to make it a high-priority fix.
Another customer using attack path simulation needed to assess which security findings created the greatest risk. Two findings related to the same service account with high exposure scores rose to the top of the list. The attack paths revealed that the service account had access to more than 500 storage buckets. If an attacker were to gain access to this account they would be able to read, write, or delete data across any of those buckets, many of which contained sensitive business data and confidential customer information.
Using Security Command Center’s attack path results, the security team remediated the risk by limiting permissions to the storage buckets needed for that specific role.
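The following is an added example, not Google Cloud's code and not a description of how Security Command Center computes its scores internally. It models, in a toy form, the two ideas the text relies on: an attack exposure score that discounts each reachable high-value resource by the cost of the cheapest path to it (the "path of least resistance"), and the remediation in the two customer stories above, where scoping an over-privileged service account's bucket bindings collapses the score. Every resource name, IAM binding, hop cost and the scoring formula are constructed assumptions for illustration.

```python
"""Added example (not Google Cloud's code): a toy attack-path model that shows
what an attack exposure score measures and why scoping a service account's
bucket access collapses the score.

Everything below is constructed: resource names, IAM bindings, hop costs and
the scoring formula are assumptions for illustration, not SCC's internals.
"""
import heapq
from collections import defaultdict
from math import inf

# How much reaching each resource hurts (0 = not a high-value resource).
RESOURCE_VALUE = {
    "bucket-test-logs": 0,
    "bucket-prod-customers": 10,
    "bucket-prod-billing": 8,
    "bq-analytics": 6,
}

# Constructed IAM-style bindings: (principal, role, resource). The "test"
# service account has storage.admin on production buckets, as in the story.
IAM_BINDINGS = [
    ("sa-test", "roles/storage.admin", "bucket-test-logs"),
    ("sa-test", "roles/storage.admin", "bucket-prod-customers"),
    ("sa-test", "roles/storage.admin", "bucket-prod-billing"),
    ("sa-etl", "roles/storage.objectViewer", "bucket-prod-billing"),
    ("sa-etl", "roles/bigquery.dataEditor", "bq-analytics"),
]

# Constructed network/trust edges: (src, dst, cost). Cost models the
# resistance an attacker meets on that hop; lower is easier.
TOPOLOGY_EDGES = [
    ("internet", "vm-web", 1.0),   # assumed public-facing VM
    ("vm-web", "sa-test", 1.0),    # VM runs as sa-test: token from metadata server
    ("vm-web", "sa-etl", 3.0),     # assumed to need a further pivot
]

# Effort to abuse a role once the principal is controlled (assumed values).
ROLE_COST = {
    "roles/storage.admin": 0.5,
    "roles/storage.objectViewer": 1.0,
    "roles/bigquery.dataEditor": 1.0,
}


def build_graph(bindings, topology):
    """Directed weighted graph: edge u->v means 'control of u reaches v'."""
    graph = defaultdict(dict)
    for src, dst, cost in topology:
        graph[src][dst] = min(cost, graph[src].get(dst, inf))
    for principal, role, resource in bindings:
        cost = ROLE_COST.get(role, 2.0)
        graph[principal][resource] = min(cost, graph[principal].get(resource, inf))
    return graph


def least_resistance_paths(graph, start):
    """Dijkstra: cheapest attack path from `start` to every reachable node."""
    dist, prev, queue = {start: 0.0}, {}, [(0.0, start)]
    while queue:
        d, node = heapq.heappop(queue)
        if d > dist[node]:
            continue
        for nxt, weight in graph.get(node, {}).items():
            cand = d + weight
            if cand < dist.get(nxt, inf):
                dist[nxt], prev[nxt] = cand, node
                heapq.heappush(queue, (cand, nxt))
    return dist, prev


def path_to(prev, start, target):
    """Render the cheapest path found by least_resistance_paths()."""
    path, node = [target], target
    while node != start:
        node = prev[node]
        path.append(node)
    return path[::-1]


def attack_exposure_score(graph, entry, values=RESOURCE_VALUE):
    """Score a finding whose exploitation hands the attacker `entry`.

    Each high-value resource reachable from `entry` contributes its value,
    discounted by the cost of the cheapest path to it. Returns the score and
    the rendered path to each exposed resource.
    """
    dist, prev = least_resistance_paths(graph, entry)
    score, exposed = 0.0, {}
    for resource, value in values.items():
        if value > 0 and resource in dist:
            score += value / (1.0 + dist[resource])
            exposed[resource] = path_to(prev, entry, resource)
    return round(score, 2), exposed


def scope_bindings(bindings, principal, allowed_resources):
    """Remediation: keep the principal's bindings only on allowed resources."""
    return [b for b in bindings if b[0] != principal or b[2] in allowed_resources]


def scenario():
    """Finding 'service account key not rotated' on sa-test: attacker holds the key."""
    before = attack_exposure_score(build_graph(IAM_BINDINGS, TOPOLOGY_EDGES), "sa-test")
    fixed = scope_bindings(IAM_BINDINGS, "sa-test", {"bucket-test-logs"})
    after = attack_exposure_score(build_graph(fixed, TOPOLOGY_EDGES), "sa-test")
    return {"before": before, "after": after}


if __name__ == "__main__":
    for label, (score, exposed) in scenario().items():
        print(f"{label}: score={score}")
        for resource, path in exposed.items():
            print(f"  {resource}: {' -> '.join(path)}")
```

Run as-is, the "before" score for the unrotated key on sa-test is 12.0 because storage.admin on two production buckets is one cheap hop away; after the bindings are scoped to the test bucket the same finding scores 0.0, which is the prioritization signal the text describes. Starting the search from "internet" instead shows the longer, costlier path through the VM and the ETL account, and therefore a lower contribution from the same buckets.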
Attack path simulation capabilities are planned for availability later this summer. We expect forthcoming enhancements to use Security AI Workbench to translate complex attack graphs into human-readable explanations of attack exposure, including impacted assets and recommended mitigations.
You can learn more about Nordnet Bank’s experience using attack path simulation at our Security Summit session. To get started with Security Command Center today, please go to the Google Cloud console.
Read More for the details.
We are excited to announce the addition of 10 new AWS Security Hub detective controls to the AWS Control Tower controls library. These new controls target services such as Amazon API Gateway, AWS CodeBuild, Amazon Elastic Compute Cloud, Elastic Load Balancing, Amazon Redshift, Amazon SageMaker, and AWS WAF. They help you meet control objectives such as establishing logging and monitoring, limiting network access, and encrypting data at rest, enhancing your governance posture.
Read More for the details.