What is Google Security Operations?
Google Security Operations is a cloud service, built as a specialised layer on top of core Google infrastructure, designed for enterprises to privately retain, analyse, and search the massive amounts of security and network telemetry they generate. Google Security Operations normalises, indexes, correlates, and analyses the data to provide instant analysis and context on risky activity.
What data can Google Security Operations ingest?
Google Security Operations can ingest numerous security telemetry types through a variety of methods including:
Forwarder – a lightweight software component, deployed in the customer’s network, that supports Syslog, packet capture, and existing log management / SIEM data repositories.
Ingestion APIs – APIs that enable logs to be sent directly to the Google Security Operations platform, eliminating the need for additional hardware or software in customer environments.
Third-party integrations – Integration with third-party cloud APIs to facilitate ingestion of logs, including sources like Office 365 and Azure AD.
Google Security Operations has forwarders for both Linux and Windows; details can be found here:
- https://cloud.google.com/chronicle/docs/install/forwarder-linux#system_requirements
An architectural overview of the data ingestion flow to Google Security Operations can be found here:
- https://cloud.google.com/chronicle/docs/data-ingestion-flow
How does Google Security Operations deliver results?
The analytical capabilities of Google Security Operations are delivered to security professionals as a simple, browser-based application. Many of these capabilities are also accessible programmatically via APIs. At its core, the purpose of Google Security Operations is to ingest all security telemetry, allowing analysts to quickly gain visibility of potential threats. This allows an analyst to quickly determine what a threat is, what it is doing, whether it matters, and how best to respond.
How long does it take to implement Google Security Operations?
From the initial design workshop and set-up to successfully ingesting logs takes approximately 2 weeks. Cyberseer then ensures logs are being parsed correctly, finalises any rule customisations and configures the required alerting. Therefore, Google Security Operations would be at initial operating capability in approximately 4 weeks.
The architecture for the solution involves Google Cloud Platform and the Security Operations SaaS for log storage, dashboarding, alerting and searching. A log collector/forwarder will be configured for on-premises data sources, which will be forwarded to the Google Security Operations SaaS tenant. Other log sources which are in the cloud will have collectors configured or cloud-to-cloud connectors, depending on the technology.
What is Cyberseer’s Managed Service for Google Security Operations?
Cyberseer has integrated ASPECT with Google Security Operations to provide customers with high-fidelity alert monitoring and prioritisation. ASPECT, Cyberseer’s fully automated, anonymised 24×7 alert enrichment and escalation platform, processes the output generated by all of Cyberseer’s selected detection technologies and enforces a standardised, efficient workflow, each time and every time, to identify and deliver priority alerts to our skilled, experienced analysts.
Cyberseer ASPECT pulls alerts raised from within Google Security Operations and enriches the data. Potential priority alerts are raised to tier 3 analysts, who then triage the alerts. Incidents are raised, and incidents where mitigation steps have been predefined and pre-agreed are actioned by Cyberseer. Cyberseer’s automation allows our analysts to spend their time understanding our customers’ environments, defining use cases with relevant data sources, and carrying out proactive threat hunting.
Does the Cyberseer SOC service include any threat intelligence or threat feeds?
Yes, Google Security Operations utilises threat feeds from VirusTotal, Uppercase, ET, Avast and DHS. Other third-party threat feeds can also be incorporated into the Google Security Operations platform if you have them. Cyberseer offers an additional service with our partner Digital Shadows to provide additional detection use cases, including brand reputation, data leakage, spoofing, and credential leakage that can be integrated into the Google Security Operations and the MDR service.
How does Cyberseer ensure its service remains fit for purpose and evolves in line with changing attacker TTPs?
Cyberseer works closely with the customer to understand the wider digital strategy to assess and quantify further risk and build visibility using the MITRE ATT&CK framework and the associated TTPs. We continually provide TTP insights in this framework as your environment develops.
How does Cyberseer reduce the number of false positives raised to the customer?
Human expertise. Our team of highly skilled, experienced tier 3 analysts owns this process. They focus on tuning rules to reduce the number of false positives they receive from the deployed detection technology. From their experience and exposure to a diverse customer base, they can quickly reduce the false positives you receive from the service.
Cyberseer’s automation platform ASPECT provides enrichment of alerts and supports our analysts in making quick decisions. Continuous improvement of your data sources against TTPs is tracked in the weekly meeting minutes to support higher alert efficacy.
Cyberseer actively looks for the TTPs that attackers use. This enables us to detect attacks, including zero-day behaviour. If we deem that a search can be automated by creating rules that yield low false positives, those rules are implemented in the customer’s systems so that the system can alert quickly when that technique occurs in the future.
Is Google Security Operations easy to scale?
The licence for Google Security Operations is based on the number of users. New technologies can easily be ingested into the service without the requirement for additional storage costs. This allows you to scale out as you grow without worrying about logging costs. Cyberseer can work with you to incorporate these technologies or advise on complementary technologies and, if appropriate, add these to the service. It is worth noting that whilst Google Security Operations commercially offers a solution to ingest everything, not all data is made equal. The Cyberseer SOC will consult with you on use cases against TTPs and advise on the most valuable additional data sources. Importantly, we want to partner with you and keep an ongoing understanding of your strategy over the service term.
How does Google Security Operations baseline ‘normal’ system behaviour and access across our estate? How long does the tuning take?
Google Security Operations normalises the data rather than baselining system behaviour. We then apply rules and threat hunting to this normalised data. Google Security Operations uses a feature called prevalence, which highlights activity not usually seen, for example, how many times this IP address has been seen in your network. This process starts as soon as logs are correctly ingested. From our experience, we start seeing value from this feature set two weeks after the initial operating capability is signed off.
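To make the "normalise, then measure prevalence" idea concrete, here is an added, self-contained Python illustration. It is not Google Security Operations code and does not use its schema or APIs: two constructed log formats (a firewall-style line and a proxy-style line) are parsed into one flat record, and then each source IP's prevalence is computed as the number of events and distinct days on which it appears, so that rarely seen values stand out. The field names, regexes and sample lines are assumptions made for the example; unparseable lines are counted rather than silently dropped, because a parser gap would otherwise look like an absence of activity.

```python
"""Toy normalisation + prevalence check (constructed example, not vendor code)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in two made-up formats, plus one unparseable line.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01Z FW allow src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-03-01T08:05:12Z FW allow src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-03-02T09:10:00Z FW allow src=10.0.0.7 dst=203.0.113.10 dport=443",
    '2024-03-02T09:11:30Z PROXY user="alice" client=10.0.0.5 url="https://example.com/"',
    '2024-03-03T22:47:09Z PROXY user="bob" client=10.0.0.99 url="https://example.net/x"',
    "this line matches neither format and should be counted as a parse failure",
]

# Assumed formats for the constructed sources (not a real product's syntax).
FW_RE = re.compile(
    r"^(?P<ts>\S+) FW (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) PROXY user="(?P<user>[^"]*)" client=(?P<src>\S+) url="(?P<url>[^"]*)"$'
)


def normalize(line: str) -> Optional[Dict[str, str]]:
    """Map a raw line from either constructed format onto one common schema.

    Returns None when the line matches neither format so the caller can
    count parse failures instead of losing them.
    """
    m = FW_RE.match(line)
    if m:
        return {"ts": m["ts"], "src_ip": m["src"], "event_type": "NETWORK_CONNECTION",
                "user": "", "target": m["dst"] + ":" + m["dport"]}
    m = PROXY_RE.match(line)
    if m:
        return {"ts": m["ts"], "src_ip": m["src"], "event_type": "NETWORK_HTTP",
                "user": m["user"], "target": m["url"]}
    return None


def normalize_all(lines: List[str]) -> Tuple[List[Dict[str, str]], int]:
    """Normalise every line; return (events, number_of_unparsed_lines)."""
    events: List[Dict[str, str]] = []
    failures = 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            failures += 1
        else:
            events.append(ev)
    return events, failures


def prevalence(events: List[Dict[str, str]], field: str = "src_ip") -> Dict[str, Dict[str, int]]:
    """For each value of `field`, count events and the distinct calendar days it was seen."""
    counts: Counter = Counter()
    days = defaultdict(set)
    for ev in events:
        counts[ev[field]] += 1
        days[ev[field]].add(ev["ts"][:10])  # YYYY-MM-DD prefix of the timestamp
    return {v: {"events": counts[v], "days": len(days[v])} for v in counts}


def rare_values(prev: Dict[str, Dict[str, int]], max_events: int = 1) -> List[str]:
    """Values seen at most `max_events` times: the 'not usually seen' set an analyst would review."""
    return sorted(v for v, p in prev.items() if p["events"] <= max_events)


if __name__ == "__main__":
    evs, bad = normalize_all(SAMPLE_LOGS)
    prev = prevalence(evs)
    for ip, p in sorted(prev.items()):
        print(f"{ip}: {p['events']} event(s) over {p['days']} day(s)")
    print("rarely seen:", rare_values(prev), "| unparsed lines:", bad)
```

On the constructed sample, 10.0.0.5 appears three times across two days, while 10.0.0.7 and 10.0.0.99 are each seen once and are reported as rarely seen. The point of the two-stage design is that the prevalence logic only ever looks at the common schema, so adding a third log source means writing one more parser, not another copy of the analytic.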
Can a log repository be provided to support forensic investigations and meet PCI compliance (12 months retention of logs)?
Yes, and yes, Google Security Operations is PCI compliant. 12 months of hot data retention is the minimum available with Google Security Operations.
Can the log repository be accessed for our own investigations?
Yes.
What are the network bandwidth requirements for Google Security Operations?
Google Security Operations does not stipulate a minimum requirement for the forwarder. It depends very much on the events per second and the volume of logs. To reduce bandwidth, the forwarder compresses the data before it leaves the edge of the network.
Where does my data reside?
Data resides in GCP datacenters in the EU. Data will be stored by Google Security Operations for a year. No customer data will be stored by Cyberseer.
Does Google Security Operations work with the XDR approach?
Google Security Operations can work within the new XDR approach. Google Security Operations can take endpoint and log data and provide deep contextualisation and the latest threat intelligence, looking beyond the endpoint. Associating files, links, and other assets with an indicator of compromise can cut down on response time and aid in vulnerability management. Additionally, the ability of Google Security Operations to use the modern YARA-L language, search petabytes in less than a second, visualise data, and map to the MITRE ATT&CK framework makes it a leading cloud security solution.
What benefits does Google Security Operations offer?