Security Command Center Premium for Backup and DR Service

Security Command Center (SCC) is a centralized platform for visibility, monitoring, and alerting across Google Cloud. SCC provides real-time detection and alerting by ingesting logs and events from across Google Cloud to identify security risks.

With the Backup and DR Detector, now available to all Security Command Center Premium customers, security administrators can receive pre-configured alerts on anomalous backup activity. Where backups are a target for ransomware or insider threats, this integration between Backup and DR and SCC immediately surfaces high-risk events to enable investigation and remediation of potential threats.

Alerts to customers come in the form of Findings generated in SCC, which provide detailed information on the risk event, the severity of that event, the affected backup resources, and workflows for investigation and remediation.

Before You Begin

To enable security alerting, activate Security Command Center Premium if it's not already enabled.

  1. Navigate to Security Command Center in the Google Cloud console.
  2. Select Premium tier. This is required to enable Event Threat Detection.
  3. Select Services. BackupDR is pre-selected by default.
  4. Grant roles.

It's a good idea to review Using Event Threat Detection and the Event Threat Detection rules in Overview of Event Threat Detection.

Generating a Finding

High-risk actions taken by a user in Backup and DR Service may generate a finding. These actions include:

  • Expire a backup image
  • Expire all images
  • Remove a backup plan
  • Delete a backup template
  • Delete a backup policy
  • Delete a profile
  • Remove a backup/recovery appliance
  • Delete a host
  • Delete a storage pool
  • Reduce backup expiration
  • Reduce backup frequency

There is a full list of findings for all products in the Security Command Center documentation.

When a user performs one of these actions in Backup and DR Service, Event Threat Detection analyzes the event to determine whether it represents a security risk.

Understanding Findings

When Security Command Center deems an action a security risk, it generates a finding. A security administrator can then take a closer look at the resources affected and take recommended next steps. For high-severity findings, further investigation and remediation may be required. Findings include details on the resources affected, when the security event occurred, and what actions to take to remediate a threat.

Learn more about Findings query results.

Backup resources

Findings include information on affected backup resources.

  • Template Name: A template consists of backup policies.
  • Policy Name: A policy defines when a backup is run, the frequency, and the retention.
  • Application Name: An application is a VM, database, or file system known to the Backup and DR Service management console.
  • Host Name: A host is a VM that hosts a database or file system that is to be protected.
  • Storage Pool Name: A storage pool is a Cloud Storage bucket where an OnVault backup is stored.
  • Policy Option Name: Policy options are additional configurations users can apply to a given policy.
  • Profile Name: A profile defines where a backup is to be stored.
  • Backup Type: Backups are of three types: Snapshots, Remote Snapshots, and OnVault.
  • Backup Time and Date: The time and date when the affected backup was taken.

Investigation and Remediation

When you get a finding, see Investigating and responding to threats. You can see example JSON in Using Event Threat Detection.

Security Command Center offers additional built-in investigation tooling for customers. Links to Cloud Logging, MITRE indicators, and affected resources enable rapid remediation.

  • Native Cloud Logging integration lets you click through to a detailed Cloud Logging query.

  • Cloud Monitoring integration enables creation of additional alerts on similar events.

  • MITRE classifications indicate the type of attack that a finding represents.
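
One way to prioritize a batch of Backup and DR findings during investigation, as an added example that is not part of the Security Command Center or Backup and DR documentation. The record fields, the short action keys (standing in for the high-risk actions listed under Generating a Finding), the weakening/destructive split, and the thresholds are all assumptions of this sketch, not the SCC finding schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical short keys for the page's high-risk actions; the split into
# "weakening" and "destructive" is this example's assumption, not SCC's.
WEAKENING = {"reduce_expiration", "reduce_frequency"}
DESTRUCTIVE = {"expire_image", "expire_all_images", "remove_backup_plan",
               "delete_template", "delete_policy", "delete_profile",
               "remove_appliance", "delete_host", "delete_storage_pool"}

def triage(findings, window=timedelta(hours=24), burst=3):
    """Return {principal: reason} for principals whose findings should be escalated."""
    by_principal = defaultdict(list)
    for f in findings:
        by_principal[f["principal"]].append((datetime.fromisoformat(f["time"]), f["action"]))
    escalate = {}
    for principal, events in by_principal.items():
        events.sort()
        for i, (t0, a0) in enumerate(events):
            in_window = [a for t, a in events[i:] if t - t0 <= window]
            destructive = [a for a in in_window if a in DESTRUCTIVE]
            # Retention or frequency cut followed by removal of backups.
            if a0 in WEAKENING and destructive:
                escalate[principal] = "weakened policy then destroyed backups"
                break
            # Several distinct destructive actions close together.
            if len(set(destructive)) >= burst:
                escalate[principal] = "burst of destructive actions"
                break
    return escalate

# Constructed sample findings (not real SCC output; times are UTC).
SAMPLE = [
    {"principal": "alice@example.com", "action": "reduce_expiration", "time": "2024-05-01T09:00:00"},
    {"principal": "alice@example.com", "action": "expire_all_images", "time": "2024-05-01T09:20:00"},
    {"principal": "bob@example.com", "action": "expire_image", "time": "2024-05-01T10:00:00"},
    {"principal": "carol@example.com", "action": "delete_policy", "time": "2024-05-02T01:00:00"},
    {"principal": "carol@example.com", "action": "delete_template", "time": "2024-05-02T01:05:00"},
    {"principal": "carol@example.com", "action": "delete_profile", "time": "2024-05-02T01:09:00"},
    {"principal": "dave@example.com", "action": "reduce_frequency", "time": "2024-05-01T08:00:00"},
    {"principal": "dave@example.com", "action": "expire_image", "time": "2024-05-04T08:00:00"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A single routine expiration (bob) and a retention change followed days later by an expiration (dave) stay at normal review priority; widening `window` pulls the second case in.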