Security Command Center and Google SecOps for Backup and DR Service

This guide describes the integration between Security Command Center, Google Security Operations (Google SecOps), and Backup and DR Service. The integration surfaces alerts in Security Command Center and Google SecOps for high-risk actions that occur within Backup and DR Service.

With Security Command Center and Google SecOps for Backup and DR Service you can:

  • Receive instant alerts on high-risk actions, such as removing protection from a workload
  • Investigate threats and identify affected backup resources
  • Aggregate backup threats in cases for quick and systematic remediation

Security Command Center ingests logs and events from across Google Cloud to identify potential security risks. Google SecOps, included as part of Security Command Center Enterprise, is a SIEM (security information and event management) and SOAR (security orchestration, automation, and response) tool that intelligently aggregates and correlates threats across multiple sources. Google SecOps also enables case management and remediation for threats.

Before You Begin

Activate Security Command Center Premium if it is not already enabled. This can be done using the Google Cloud console. For Security Command Center Enterprise, contact your Google Cloud account team.

Generating a Finding

High risk actions taken by a user in Backup and DR Service are monitored using Event Threat Detection (part of Security Command Center Premium and Security Command Center Enterprise). These actions are monitored in real-time, correlated with other risk events across Google Cloud, and surfaced as findings (Security Command Center), alerts (Google SecOps) and auto-curated cases (Google SecOps).

These actions include:

  • Deleting a backup
  • Deleting a Backup Plan
  • Removing backup protection from a workload
  • Removing backup infrastructure that may impact recovery

A full list of detections is available in the Security Command Center documentation.

Real-time findings in Security Command Center

When an action is deemed a security risk by Security Command Center, a finding is generated. A security administrator can then take a closer look at the resources affected and take recommended next steps. Findings include details on the resources affected, when the security event occurred, and what actions to take to remediate a threat.

Security Command Center offers built-in investigation tooling for customers. Links to Cloud Logging, MITRE indicators, and affected resources enable rapid remediation.

  • Cloud Logging integration lets you click through to a detailed Cloud Logging query.
  • Cloud Monitoring integration enables creation of additional alerts on similar events.
  • MITRE classifications indicate the type of attack a finding represents, as shown in this example.

Case management and remediation in Google SecOps

Google SecOps features curated detections which surface high-risk events as Alerts. Among these curated detections are potential threats to backups and backup resources. Curated detections require no additional configuration. Alerts are also aggregated into cases for triage and remediation.

Threat detection for Backup and DR Service is available to all Security Command Center Premium and Security Command Center Enterprise customers. Google SecOps for Backup and DR Service is available exclusively to Security Command Center Enterprise customers.