Google Cloud Platform Security Monitoring
24x7 detection and response for GCP workloads using built-in GCP APIs and services
Managed detection and response for GCP
(Even for lumberjacks, wrestling with GCP logs can get tricky)
If your developers are coding, then your cloud is growing. And chances are they didn’t convene a blue ribbon committee to review their security strategy. Expel can help you get visibility into risks that are unique to Google Cloud Platform (GCP) and chase them down without annoying your DevOps team.
for your GCP environment
Our GCP detection strategy uses native GCP services:
- Analyzes Event Threat Detection (ETD) alerts
- Adds custom detections for high-risk activities
- Tunes detections to match your apps and workloads
What we do
24x7 GCP monitoring
Our analysts chase down your GCP alerts so you can focus on building new features, products and services.
Investigations in GCP
We’ll connect the dots from suspicious GCP alerts back to their root cause and tell you what they mean.
Fixes “written in GCP”
Whenever possible, our analysts will recommend configuration changes to address activities we tell you about.
What we look for
(updated as GCP makes up for lost time)
Google adds shiny new services almost as fast as they rename the ones they already have. As GCP rolls out these new services, we’ll help you keep up. That includes evaluating and updating our detection and response strategy where it makes sense. Here are a few examples of what we’ll look for:
How we use native GCP services
(Hint: it takes more than Admin Activity Audit Logs)
Expel uses API integrations to connect directly to your GCP platform. We support authentication via Cloud IAM. To collect data, Expel communicates directly with APIs for services like Event Threat Detection (ETD) and Admin Activity Audit Logs.
How Expel uses GCP services for detection, investigation and response
|GCP service||Examples of how we use them||Detect||Investigate|
|Event Threat Detection (ETD)||Add-on service (cha ching!) monitoring anomalous flow log activity|
|Cloud SQL||Keeps an eye out for suspicious deletion of logs or someone exporting sensitive data|
|Cloud IAM||Monitors who’s accessing your environment and what resources they may have access to|
|Key Management Service (KMS)||Monitors who’s touching your encrypted data|
|Cloud Functions||Checks workloads that don’t need authentication to access (like those with public access)|
|Cloud Storage||Monitors when content goes public (especially to an anonymous user or non-corp GCP user)|
|Cloud Compute Engine||Monitors for external access to images and/or snapshots 📸|
|Cloud VPC||Looks for firewall rules created outside the norm|
|BigQuery||Catches public access granted to a BigQuery dataset|
Running a Google Cloud Platform (GCP) workload or thinking about integrating it into your security portfolio? Expel can help!
Andrew Pritchett and Peter Silberman walk through GCP Service Accounts best practices.
Switching to a multi-cloud solution? Easy! Just kidding. Expel’s senior detection & response engineer shares some things you need to think about when going multi-cloud – and how to stay sane.