GCP – Secure backups with end-to-end workflows for threat detection and remediation
Data backups are a lifeline and the ultimate safeguard when your organization is faced with unexpected disruption.
Last year, we introduced backup vault, a powerful storage feature available as part of the Google Cloud Backup and Disaster Recovery (DR) service. Backup vault secures backups against tampering and unauthorized deletion, and integrates with Security Command Center for real-time alerts on high-risk actions.
To further support your security needs, we’re deepening the integration between Google Backup and DR and Security Command Center Enterprise. This integration adds new detections — including the ability to detect threats to backup vault — and end-to-end workflows to help customers protect backup data.
Backups and real-time threat detection
Among the most pressing threats to organizations today are ransomware attacks. We have seen threat actors intentionally delete data to raise the likelihood of seeing their ransom demands met and encrypt unprotected backups to hold them hostage. Accidentally deleting critical data can also cause serious harm, even if unintended.
Whether malicious or unintended, the consequences of threats to data security can be severe and result in significant data loss and operational disruptions. Security Command Center provides security and risk management across your Google Cloud footprint. It ingests and analyzes security telemetry to detect threats in near real-time. Activity that raises suspicion of an adversary or insider attempting to tamper with, modify, or delete your backups will be immediately flagged and brought to your attention.
Security Command Center: Accelerating incident response
Security Command Center surfaces threats using findings, which are notifications that a specific behavior was observed in your environment. These provide contextual information on the threat event, including which resource was affected, the time of the occurrence, and the nature of the threat.
To further investigate, Security Command Center findings are linked to Cloud Logging, enabling a deep dive into the forensic details. Here, you can analyze the event to pinpoint the user or service account responsible and take action to remediate.
Streamlining response with Google Security Operations
Along with new Security Command Center detections for backup vault, we are also introducing prebuilt Backup and DR detections in Google Security Operations.
Organizations using Security Command Center Enterprise now have access to curated detections designed for backup-related threats in the Google Security Operations console. With these detections, you’re equipped to respond effectively from day one without the need to craft custom rules.
Google Security Operations intelligently aggregates related alerts into comprehensive cases, providing a consolidated view of the incident. It can automatically enrich each case with relevant contextual details to help you understand scope and potential impact.
For example, a user who takes a high-risk action, such as deleting several backups in quick succession, would be flagged by Security Command Center, surfaced as an alert in Google Security Operations, and aggregated in a case for triage by your SOC team.
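One way to express the "several backups deleted in quick succession" detection described above, with the matching events aggregated per principal into a case-style record, as an added example that is not Security Command Center's or Google Security Operations' own detection logic. The records mimic the Cloud Audit Log field layout; WINDOW, THRESHOLD, the method names and the resource paths are assumptions.

```python
"""Sliding-window detector for "several backups deleted in quick succession" (added example,
not Google Cloud code). Entries are constructed; methodName and resourceName values are placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed: deletions this close count as "quick succession"
THRESHOLD = 3                   # assumed: this many deletions inside one window opens a case

def _ts(entry):
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))

def _entry(actor, method, resource, ts):  # builds a constructed audit-log-shaped record
    return {"timestamp": ts, "protoPayload": {"methodName": method, "resourceName": resource,
                                              "authenticationInfo": {"principalEmail": actor}}}

def is_backup_deletion(entry):
    # Placeholder matching rule: a *Delete method acting on a resource under .../backups/.
    p = entry["protoPayload"]
    return p["methodName"].endswith("Delete") and "/backups/" in p["resourceName"]

def detect_rapid_deletions(entries, window=WINDOW, threshold=THRESHOLD):
    """One case per principal whose deletions reach `threshold` inside any `window`; the case
    aggregates the whole burst (actor, count, affected resources, first and last timestamp)."""
    by_actor = defaultdict(list)
    for e in entries:
        if is_backup_deletion(e):
            by_actor[e["protoPayload"]["authenticationInfo"]["principalEmail"]].append(e)
    cases = []
    for actor, events in by_actor.items():
        events.sort(key=_ts)
        start = 0
        for end in range(len(events)):
            while _ts(events[end]) - _ts(events[start]) > window:
                start += 1  # slide the window past deletions that are now too old
            if end - start + 1 >= threshold:
                stop = end + 1
                while stop < len(events) and _ts(events[stop]) - _ts(events[stop - 1]) <= window:
                    stop += 1  # absorb later deletions that continue the same burst
                burst = events[start:stop]
                cases.append({"actor": actor, "count": len(burst), "first": burst[0]["timestamp"],
                              "last": burst[-1]["timestamp"],
                              "resources": [b["protoPayload"]["resourceName"] for b in burst]})
                break
    return cases

SAMPLE_LOG = [  # constructed entries, not real log output; "vault-x" paths are placeholders
    _entry("alice@example.com", "BackupDelete", "vault-x/backups/db-01", "2025-04-09T10:00:00Z"),
    _entry("bob@example.com", "BackupDelete", "vault-x/backups/db-02", "2025-04-09T10:01:00Z"),
    _entry("alice@example.com", "BackupGet", "vault-x/backups/db-03", "2025-04-09T10:02:00Z"),
    _entry("alice@example.com", "BackupDelete", "vault-x/backups/db-03", "2025-04-09T10:03:00Z"),
    _entry("alice@example.com", "BackupDelete", "vault-x/backups/db-04", "2025-04-09T10:05:00Z"),
    _entry("alice@example.com", "BackupDelete", "vault-x/backups/db-05", "2025-04-09T11:30:00Z"),
]
```

Running `detect_rapid_deletions(SAMPLE_LOG)` yields a single case for alice covering the three deletions between 10:00 and 10:05; bob's single deletion and alice's later isolated deletion stay below the threshold.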
Gemini for Google Security Operations
Adding another layer of capability is Gemini in Google Security Operations, which can summarize findings, recommend remediation steps, and help you craft custom detections.
- Summarizing findings: When a backup deletion alert arrives, ask Gemini to “Summarize the findings related to the recent backup deletion attempt,” to receive a clear, concise summary of the event, including details about the affected resources.
- Recommending remediation steps: When you ask Gemini for guidance, such as, “What steps should I take to restore the deleted backup?” Gemini will provide tailored recommendations, drawing from security best practices and product specifics.
- Proactive threat hunting: You can engage Gemini in proactive investigations. For example, you might ask, “Show me users who have deleted backups recently.” Gemini will quickly review events and alerts on your behalf.
Protecting your backups with confidence
The powerful synergy between Backup and DR and Security Command Center Enterprise, amplified by Gemini, provides a robust framework for threat detection and response.
By using these advanced Google Cloud tools, your security team can swiftly identify suspicious activities, gain a comprehensive understanding of incident scope, and take action to safeguard backups.
Learn more about how Google Cloud can help you protect your data with Security Command Center for Backup and DR, and attend the breakout Next session.