Welcome to the first Cloud CISO Perspectives for November 2023. Google Cloud has announced multiple collaborations with sector-specific information sharing and analysis centers over the past 18 months, and in my column today I’ll be discussing why these ISACs are valuable partners for Google Cloud and our industry.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Sharing cyber-intelligence to strengthen defenses, one ISAC at a time
Earlier this month, Google Cloud announced that we had joined Bio-ISAC as an industry member, helping to connect organizations to better secure the biological resource-driven economy with Google Cloud’s own cybersecurity resources and expertise.
Phil Venables, CISO/VP, Google Cloud
Information sharing is a vital tool in cybersecurity defense, and it’s come an incredibly long way over the past several decades. Processes that used to be manual and ad-hoc are now automated and scalable. Knowledge shared by word-of-mouth has become industrialized, with security intelligence feeds from dozens of organizations (including Google Cloud) used to enhance cyber-defenses and stop threat actors before they succeed.
Automated threat intelligence is important, but it’s not the only tool that organizations need to augment their defenses. Applying AI and end-to-end automation to support our ability to act on threat intelligence is crucial to accelerate our response time, as is merging threat intelligence with organizational risk context.
Even with all the automation, our interpersonal and cross-organizational communications are also hugely important. Some of that communications work involves framing security strategies properly so that business executives and boards of directors are more participatory and can help ensure that security operations are better understood, funded, and optimized.
From the threat actor perspective, defenders who can effectively share threat intelligence raise the cost of a successful attack, which eats into their bottom line. The key word is “effective,” because there are so many threat intelligence signals today that it can be hard to tell what’s mission critical and what can be dealt with on a less harried timeline.
ISACs can help cut through the noise to give their member organizations clear signals. Their highly-trusted, peer-to-peer networks are very effective at sharing threat intelligence — including attackers’ goals, objectives, tools, tactics, and procedures with immediate relevance to their community — and responding to that shared intelligence faster and faster.
The continuous sharing over time that ISACs enable can help us spot trends and new techniques that adversaries use, and can lead to improve sector-wide resiliency. Our support of ISACs also aligns with Google Cloud’s shared fate approach: It is our responsibility as the cloud provider to be active partners as our customers deploy securely on our platform. These ISAC partnerships are a continuation of Google’s August 2021 commitment to invest at least $10 billion over five years to advance cybersecurity.
Along with the data-sharing that ISACs foster, they also encourage more collaboration between member organizations on how to respond. Many intelligence-informed drills can drive systemic improvements. ISAC participation also includes sharing information about emerging areas that need to be addressed more systematically such as post-quantum cryptographic standards adoption.
More recently, Google Cloud’s partnership with Health-ISAC has led to the development of an open-sourced integration that connects the Health-ISAC Indicator Threat Sharing (HITS) feed directly with our Chronicle Security Operations platform. HITS allows Health-ISAC members to easily connect and quickly share cyber threat intelligence through machine-to-machine automation, can help Health-ISAC members discover threats more rapidly, and can also assist in evicting malicious actors from their infrastructure.
We regularly share information gathered by Google threat intelligence services, including those developed and curated by Mandiant, directly with ISAC members, at no additional cost. We’re also working on bringing insight from other Google Cloud services, including VirusTotal, to ISAC operations.
ISACs crowd-sourced approach means that any member organization that detects a threat can share that threat indicator automatically with others, which informs other members to investigate and update their defenses as needed. It speaks to the ultimate impact that ISACs can have: As the cybersecurity world moves towards more automation, ISACs create a potential for even more impactful inter-organizational communications; sharing knowledge and guidance between organizations can only help improve our collective ability to defend against the latest cybersecurity threats.
We’re partners, and we’re also helping build close relationships with these organizations, bringing teams together to protect communities globally.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
Beyond GovClouds: Building a secure, AI-enabled government: To thrive in this AI-driven era, the public sector needs a modern cloud partner offering unmatched scale, features, and timely innovation that GovClouds cannot deliver — but Google Cloud can. Read more.U.S. government workers want more choice in tech, worry about cyber attacks: To do their jobs better and more securely, government workers and private sector employees are overwhelmingly united in wanting more choice in the tech they use, according to a new Google Cloud survey. Learn more.Google researchers discover ‘Reptar,’ a new CPU vulnerability: We detail the findings of Reptar, a new vulnerability that impacts several Intel desktop, mobile, and server CPUs — and how we patched it with Intel. Read more.DHS Sec. Mayorkas talks cybersecurity with Kevin Mandia: DHS Sec. Alejandro Mayorkas shares his thoughts on cybersecurity trends and defender partnerships with Mandiant CEO Kevin Mandia. Read more.Google Cloud’s approach to trust and transparency in AI: Gen AI has emerged as a disruptive technology with tremendous potential. We believe that the only way to be truly bold in the long term is to be responsible from the start. Read more.Singapore and Google partner to protect citizens from scams: The Singapore government has partnered with Google Cloud Security’s Web Risk to protect its citizens from online scams and enhance the security of web users. Read more.Google Cloud sponsors CyberGreen Institute to aid cyber public health research: Cyber Public Health embraces lessons from the development of public health and applies them to cybersecurity. To help advance this goal, Google is becoming an official sponsor of the CyberGreen Institute. Read more.Protecting your remote workforce with context-aware data loss rules and URL filtering: We’ve added two secure enterprise browsing capabilities in Google Chrome to help implement strong, low-overhead data controls in tools already in end-users hands. Read more.GKE Enterprise, the next evolution of container platforms, is now GA: GKE Enterprise is now generally available to help organizations increase development and deployment velocity, securely run their most important business-critical workloads, and reduce total cost of ownership. Read more.Gain access visibility and control with Access Transparency and Access Approval: Google Cloud’s Access Transparency and Access Approval can help you achieve your security, compliance, and regulatory goals. Read more.Introducing ransomware and threat detection for Backup and DR in Security Command Center: Powerful new rules in Security Command Center Premium can help customers quickly identify and remediate threats to backup and recovery infrastructure. Here’s how.
News from Mandiant
How Sandworm disrupted power in Ukraine, just before the missiles began to fall: New Mandiant investigation reveals the details of an ICS/OT attack that relied significantly on living-off-the-land techniques. Read more.The CTI process hyperloop: A practical implementation: Cyber threat intelligence can be very valuable to organizations, when they know how to best use it. Here’s how to implement the CTI Process Lifecycle on both tactical and strategic levels. Read more.Flare-On 10 challenge solutions: To celebrate 10 years of Mandiant Flare-On contests, our goal this year was to make the most difficult Flare-On challenge ever. Here’s the solutions for this year’s puzzles. Read more.Investigation of session hijacking via Citrix NetScaler ADC and Gateway vulnerability: We discuss artifacts that can be used to identify exploitation activity and highlight some of the post-exploitation techniques we observed during Citrix NetScaler incident response investigations. Read more.
Now hear this: Google Cloud Security and Mandiant podcasts
How to decode SaaS security: When people talk about cloud security, they often forget software-as-a-service. From how to secure SaaS to debating CVEs for SaaS, hosts Anton Chuvakin and Tim Peacock get SaaS-y with Adrian Sanabria, director of Valence Threat Labs at Valence Security. Listen here.What security experts can expect in 2024: Casting predictions in an industry that can shift as quickly as security may strike some as foolhardy, but Kelli Vanderlee, senior manager for threat analysis, Mandiant at Google Cloud, explains to Anton and Tim the value of our annual Security Forecast report, from cloud trends to election security. Listen here.The VC take on AI security: Is the key to the future of AI hidden in previous platform shifts? Wei Lien Dang, general partner at Unusual Ventures, chats with Anton and Tim about the security problems that AI companies are telling him about, and how the AI boom compares to previous sea change in the tech industry. Listen here.Share and share alike: One of the hottest discussions in cloud security is about how cloud service providers and their customers should share responsibility… and their fate… and maybe their faith, too. Jay Thoden van Velzen, strategic advisor to the CSO, SAP, joins Anton and Tim to discuss his recent blog and how organizations, like toddlers and some adults, need to learn how to share better. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.
Read More for the details.