# Continuous Monitoring and Threat Detection in GCP

iValue Group blog, published 9 June 2024, last updated 25 April 2025. Source: https://ivaluegroup.com/en-in/resources/blogs/continuous-monitoring-and-threat-detection-in-gcp/

## Why Continuous Monitoring Matters in the Cloud

Continuous monitoring is one of the main tenets of every sound organizational cybersecurity strategy. You can buy a shelf of new security tools, but they are of little use if nobody is constantly keeping tabs on what they report.

And if you are not keeping tabs on them, you run the risk of being breached and finding out only once the damage is done. This carries even more weight in cloud environments, where many teams are still adapting to a relatively new technology. [45% of all breaches are cloud-based](https://www.ibm.com/reports/data-breach), and executives rank security ([85%](https://info.flexera.com/CM-REPORT-State-of-the-Cloud)) as the biggest challenge in cloud adoption.

AWS, Azure and [Google Cloud Platform](https://ivaluegroup.com/en-in/resources/blogs/decoding-google-cloud-platform-gcp/) (GCP) together hold about [65%](https://www.crn.com/news/cloud/aws-microsoft-google-s-cloud-market-share-q1-2023) of the cloud infrastructure market, but going with the big names does not guarantee big security. 27% of organizations have experienced a public cloud security incident, and much of that comes down to not knowing about the security resources each platform already provides.

This blog covers the continuous monitoring and threat detection methods you can adopt in GCP using its native tools. Constantly keeping tabs does not mean reading raw logs all day; with 80% of organizations reporting that they have no dedicated cloud security team, that approach is not feasible.

As it turns out, GCP has a lot of tools that do the heavy lifting for you, given the right configuration and alerting. Used effectively, they form a robust mechanism for detecting and responding to potential security incidents. We'll start by going through the monitoring and detection tools GCP has at its disposal, and then set out what we consider to be cloud security monitoring best practices.

Let's begin by stating that the bedrock of every successful cloud threat detection strategy is *logs*. Lots and lots of logs: from your VMs, your network traffic, your storage systems, your application services. Only by collecting and scrutinizing all of them can you begin to identify anomalous activity or patterns.

Here are the resources at your disposal to help you with that:

### Cloud Monitoring

Cloud Monitoring collects metrics, events and metadata from across the platform and turns them into dashboards, alerts and uptime checks, so you can confirm that systems are running reliably. You can create custom alerting policies that fire whenever an event matches a condition you define, and route the notification to people or to third-party services through notification channels (email, SMS, Pub/Sub, webhooks, PagerDuty, Slack and others).

### Cloud Identity

Cloud Identity is GCP's Identity as a Service (IDaaS) platform; it manages and authenticates the users of all your GCP environments. Cloud Identity provisions Google identities (users and groups); access to GCP resources is then granted to those identities through IAM.

Here are the logs you should be keeping tabs on in this platform:

- **Admin Audit Logs** track actions performed in the Google Admin console, such as an admin adding a user or changing a setting.
- **Login Audit Logs** track sign-ins, including failed logins and suspicious logins from unfamiliar IP addresses.
- **Group Audit Logs** track changes to group settings and memberships in Google Groups.
- **OAuth Token Audit Logs** track third-party application authorizations and data access requests.
- **SAML Audit Logs** track successful and failed logins to SAML applications.

By default these logs stay in the Admin console's own audit reports. Turn on the Admin console's Google Cloud sharing option and they are also written to Cloud Logging at the organization level (as Google Workspace audit logs), where they can be queried, routed and alerted on alongside your GCP audit logs.

### Cloud Logging: The Importance of Logs in Cloud Security

Cloud Logging receives, indexes and stores log entries: agent logs (from the logging agent on VMs or from Google Kubernetes Engine), Access Transparency logs (actions taken by Google staff when accessing your data) and, most pertinently, Cloud Audit Logs.

Cloud Audit Logs are the ones that matter most, because they record the who, where and when of every API call, giving you the same visibility into admin activity and data access in GCP that you would expect on-premises. One caveat on the "always-on audit trail" idea: Admin Activity and System Event audit logs are always written and cannot be disabled or excluded, so an attacker cannot switch them off. Data Access audit logs, on the other hand, are disabled by default for every service except BigQuery and have to be enabled per service, and Policy Denied logs are on by default but can be excluded from ingestion. Anyone who can edit the project's IAM policy can turn Data Access logging back off, so that configuration change (and the deletion of any log sink) is itself something to alert on.

Cloud Audit Logs fall into the following four categories:

| Type of Audit Log | Instances | IAM role needed to view |
| --- | --- | --- |
| Admin Activity | API calls or other admin actions that modify configuration or resource metadata (creating VM instances, changing IAM permissions) | Logging/Logs Viewer or Project/Viewer |
| System Event | Actions by Google Cloud systems, not by users, that modify the configuration of resources (Compute Engine live-migrating an instance to another host) | Logging/Logs Viewer or Project/Viewer |
| Data Access | User-driven API calls that create, modify or read user-provided resource data (admin reads, data reads and data writes) | Logging/Private Logs Viewer or Project/Owner |
| Policy Denied | A Google Cloud service denying access to a user or service account because of a security policy violation | Logging/Logs Viewer or Project/Viewer |

### Access Logs

These are logs generated by a variety of services, such as:

- **VPC Flow Logs** capture information about traffic to and from VPC network interfaces. They are sampled (the sampling rate is configurable per subnet), so they are a record of flows, not of every packet.
- **Cloud Load Balancing Logs** capture details of each request or connection made to a load balancer.
- **Cloud CDN Logs** are the request logs of the external HTTP(S) load balancer that a Cloud CDN backend is attached to, including whether each request was served from cache.

### GCP Security Command Center (SCC)

Finally, we've saved (arguably) the best for last. SCC is a risk dashboard and analytics system for spotting, understanding and remediating security and data risks across your whole GCP estate. It displays the security findings and risks associated with each asset, and the findings can come from built-in services, third-party partners or custom sources.

Here are SCC's distinct features:

| Feature | Description |
| --- | --- |
| Asset discovery & inventory | Discover and view assets in near real time across App Engine, BigQuery, Cloud SQL, Cloud Storage, Compute Engine, Cloud IAM, GKE and more; review historical discovery scans to identify new, modified or deleted assets |
| Threat prevention | **Security Health Analytics**: managed vulnerability scanning that automatically detects high-severity vulnerabilities and misconfigurations in Google Cloud assets. **Web Security Scanner** (Premium): scans that identify common web application vulnerabilities in apps running on App Engine, Compute Engine and GKE |
| Threat detection | All Premium-tier: **Event Threat Detection**, which analyzes the Cloud Logging streams described above to detect threats such as malware, cryptomining and brute-force SSH; **Container Threat Detection**; **VM Threat Detection**; **Sensitive Action Detection** |

So there we have it: all the parts of GCP that can help you continuously monitor your assets. Here are the four steps to bring these continuous monitoring tools into one coherent strategy:

### Step 1: Gather All the Logs

Cloud Logging is on in every GCP project by default; make sure it stays that way (the Logging API enabled, no exclusion filters silently dropping entries, Data Access audit logs enabled for the services that hold sensitive data) so that logs from every environment are collected. Among the many logs you should be collecting: agent logs, application event logs, audit and Access Transparency logs, access logs and Kubernetes logs.

Oh, and get all the logs you can from Cloud Monitoring, Cloud Identity and SCC too; SCC findings can be exported continuously to a Pub/Sub topic.

### Step 2: Queueing Up for Cloud Resilience

The integrity, completeness and availability of the collected logs are crucial for forensic and auditing purposes. The challenge is that Cloud Logging keeps entries only for a limited time: the `_Default` log bucket retains them for 30 days unless you change it, and the `_Required` bucket retains Admin Activity, System Event and Access Transparency logs for 400 days, which cannot be changed. Therefore, create a Cloud Logging sink that routes the entries you care about to a Pub/Sub topic, and let Pub/Sub receive and buffer them. This improves your cloud resilience, since the queue absorbs the failure of any downstream component instead of losing entries. The sink writes under its own service identity (the `writerIdentity` shown by `gcloud logging sinks describe`); grant it `roles/pubsub.publisher` on the topic, or nothing will be delivered.

### Step 3: Secure Storage with DLP and IAM

A Logstash agent (using its Google Pub/Sub input plugin) can pull the entries from a subscription on that topic and store them in a Cloud Storage bucket, where they are treated as immutable files; a second sink straight to Cloud Storage works as well. Configure the bucket's retention policy and then lock it (Bucket Lock) so that nobody, including project owners, can delete or overwrite objects during the retention period. Locking is irreversible: once locked, the retention period can only be increased, and the bucket itself cannot be deleted until every object has aged out.

In addition, scan these files with DLP (now called Sensitive Data Protection) to detect sensitive data that has leaked into the logs and signs of attempted data exfiltration, and apply tight IAM so that only the SOC and forensic roles can read the bucket.

### Step 4: Stay Alert with Cloud Monitoring and SIEM

Cloud Monitoring forms the crux of this: use it to create and manage your alerting policies, including log-based alerts on Cloud Logging filters (an IAM policy change, a deleted sink, a change to audit configuration), so that you are informed immediately when something potentially fishy is going on. Additionally, another Logstash agent can pull the same entries from Pub/Sub into an Elasticsearch instance used by your SOC team for monitoring and hunting.

So there you have it! With a little familiarization with the tools GCP has at its disposal, you can build a continuous monitoring and threat detection ecosystem that lets you be at ease about your cloud data.

We'd be happy to help you out with this, so [contact us](https://ivaluegroup.com/en-in/limitless-possibilities-with-google-cloud-platform/) to start the conversation.
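Added example for the Cloud Audit Logs section and for Step 4 above; this is illustrative code written for this page, not code from the post or from Google. It takes a batch of Cloud Audit Log entries as Cloud Logging exports them (one JSON `LogEntry` per line), tells the four audit log types apart by the `logName` suffix, and applies the detection rules a SOC would run in the Step 4 SIEM: a grant of a highly privileged role, a grant to a principal outside the organization's domains, a public (`allUsers`/`allAuthenticatedUsers`) binding, deletion or rewriting of the export sink, removal of a Data Access audit config, and a burst of Policy Denied entries from one principal. The sample entries, the project `my-project`, the domains, the principals, the role list and the burst threshold are all constructed for the example.

```python
"""Triage of Cloud Audit Log entries exported from Cloud Logging (added example).

Each input line is one LogEntry as Cloud Logging emits it.  The audit log type
comes from the logName suffix; the rules look at protoPayload.  Sample entries,
project name, domains, principals and threshold are constructed, not real.
"""
import json
from collections import Counter
from urllib.parse import unquote

# logName suffix -> audit log type (the four categories in the table above).
LOG_TYPES = {
    "cloudaudit.googleapis.com/activity": "Admin Activity",
    "cloudaudit.googleapis.com/system_event": "System Event",
    "cloudaudit.googleapis.com/data_access": "Data Access",
    "cloudaudit.googleapis.com/policy": "Policy Denied",
}
HIGH_PRIV_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Assumption: the organization's own identities live in these domains.
TRUSTED_DOMAINS = {"example.com", "my-project.iam.gserviceaccount.com"}
SINK_TAMPER_METHODS = {"google.logging.v2.ConfigServiceV2.DeleteSink",
                       "google.logging.v2.ConfigServiceV2.UpdateSink"}
DENIED_THRESHOLD = 3   # Policy Denied entries from one principal per batch


def audit_type(entry):
    """Return the audit log category of a LogEntry, or 'Other'."""
    name = unquote(entry.get("logName", ""))          # %2F -> /
    for suffix, label in LOG_TYPES.items():
        if name.endswith("/logs/" + suffix):
            return label
    return "Other"


def _member_domain(member):
    """Domain of an IAM member such as user:alice@example.com."""
    if member.startswith("domain:"):
        return member.split(":", 1)[1]
    return member.rsplit("@", 1)[1] if "@" in member else ""


def triage(entries):
    """Return (rule, principal, resource) findings for a batch of entries."""
    findings, denied = [], Counter()
    for e in entries:
        payload = e.get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        resource = payload.get("resourceName", "?")
        if audit_type(e) == "Policy Denied":
            denied[principal] += 1
            continue
        # Deleting or rewriting the export sink cuts off the SIEM feed.
        if payload.get("methodName") in SINK_TAMPER_METHODS:
            findings.append(("audit_logging_tamper", principal, resource))
        delta = payload.get("serviceData", {}).get("policyDelta", {})
        for b in delta.get("bindingDeltas", []):
            if b.get("action") != "ADD":
                continue
            member = b.get("member", "")
            if member in PUBLIC_MEMBERS:
                findings.append(("public_exposure", principal, resource))
                continue
            if b.get("role") in HIGH_PRIV_ROLES:
                findings.append(("high_priv_grant", principal, resource))
            if _member_domain(member) not in TRUSTED_DOMAINS:
                findings.append(("external_principal", principal, resource))
        # Data Access audit logs are switched off through the IAM policy's
        # audit config; removing one is how an attacker goes dark.
        for a in delta.get("auditConfigDeltas", []):
            if a.get("action") == "REMOVE":
                findings.append(("audit_logging_tamper", principal, resource))
    for principal, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append(("policy_denied_burst", principal, f"{n} denials"))
    return findings


# Constructed sample batch: one entry per line, in Cloud Logging's JSON shape.
SAMPLE_LOG = """
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/my-project","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/owner","member":"user:mallory@attacker.test"}]}}}}
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.setIamPermissions","authenticationInfo":{"principalEmail":"bob@example.com"},"resourceName":"projects/_/buckets/customer-exports","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectViewer","member":"allUsers"}]}}}}
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"serviceName":"logging.googleapis.com","methodName":"google.logging.v2.ConfigServiceV2.DeleteSink","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/my-project/sinks/soc-pubsub-sink"}}
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/my-project","serviceData":{"policyDelta":{"auditConfigDeltas":[{"action":"REMOVE","service":"storage.googleapis.com","logType":"DATA_READ"}]}}}}
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"etl@my-project.iam.gserviceaccount.com"},"resourceName":"projects/_/buckets/customer-exports/objects/2024-06.csv"}}
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Fsystem_event","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"compute.instances.migrateOnHostMaintenance","authenticationInfo":{"principalEmail":"system@google.com"},"resourceName":"projects/my-project/zones/us-central1-a/instances/web-1"}}
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Fpolicy","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.list","authenticationInfo":{"principalEmail":"mallory@attacker.test"},"resourceName":"projects/_/buckets/customer-exports"}}
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Fpolicy","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.list","authenticationInfo":{"principalEmail":"mallory@attacker.test"},"resourceName":"projects/_/buckets/customer-exports"}}
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Fpolicy","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.list","authenticationInfo":{"principalEmail":"mallory@attacker.test"},"resourceName":"projects/_/buckets/customer-exports"}}
""".strip().splitlines()
SAMPLE_ENTRIES = [json.loads(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    for rule, principal, resource in triage(SAMPLE_ENTRIES):
        print(f"{rule:22} {principal:40} {resource}")
```

The two `audit_logging_tamper` hits are the ones worth paging on: a deleted sink and a removed `DATA_READ` audit config both leave the Admin Activity trail intact while quietly removing the Data Access and export coverage the rest of the pipeline depends on. The `external_principal` rule is only as good as `TRUSTED_DOMAINS`; in practice seed it from the organization's Cloud Identity domains and its service account project domains.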
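Added example for Steps 2 and 3 above, again illustrative code for this page rather than anything from the post or from Google: a completeness check to run over an archived batch before relying on it for forensics. Pub/Sub delivers each message at least once, so an archive written by Logstash can contain duplicate copies of an entry, and a deleted sink, an exclusion filter or a stalled subscription shows up only as silence. The check deduplicates on `(logName, insertId)`, which together identify a Cloud Logging entry, flags one-hour windows in which no Admin Activity entry arrived (those logs cannot be disabled, so a busy project going quiet points at the export path rather than the project), and lists entries whose `receiveTimestamp` lags their `timestamp` by more than a tolerance. The sample lines, the time range, the project name and the 30-minute tolerance are constructed.

```python
"""Completeness check for an archived batch of Cloud Logging entries (added example).

The archive holds one JSON LogEntry per line, as the sink delivers them to
Pub/Sub.  Sample lines, range and tolerance below are constructed.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

ACTIVITY_SUFFIX = "cloudaudit.googleapis.com%2Factivity"
MAX_LAG = timedelta(minutes=30)   # assumption: tolerated receive-after-write delay


def parse_ts(ts):
    """RFC 3339 timestamps as Cloud Logging writes them (trailing Z)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def dedupe(entries):
    """Drop redelivered copies; (logName, insertId) identifies a LogEntry."""
    seen, unique = set(), []
    for e in entries:
        key = (e["logName"], e["insertId"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def silent_windows(entries, start, end, window=timedelta(hours=1)):
    """Window start times in [start, end) that hold no Admin Activity entry.

    Admin Activity logs cannot be turned off in GCP, so an empty window in a
    project that is otherwise active means the export path lost data.
    """
    counts = Counter()
    for e in entries:
        if e["logName"].endswith(ACTIVITY_SUFFIX):
            counts[(parse_ts(e["timestamp"]) - start) // window] += 1
    return [start + i * window for i in range((end - start) // window)
            if counts[i] == 0]


def late_entries(entries, max_lag=MAX_LAG):
    """insertIds of entries Cloud Logging received long after they were written."""
    return [e["insertId"] for e in entries
            if parse_ts(e["receiveTimestamp"]) - parse_ts(e["timestamp"]) > max_lag]


def completeness_report(lines, start, end):
    """Summarize a batch: counts, silent windows and late arrivals."""
    entries = [json.loads(line) for line in lines if line.strip()]
    unique = dedupe(entries)
    return {
        "received": len(entries),
        "unique": len(unique),
        "silent_windows": silent_windows(unique, start, end),
        "late": late_entries(unique),
    }


# Constructed sample: six lines, one redelivered duplicate, no Admin Activity
# between 02:00 and 03:00, and one entry that arrived 45 minutes late.
SAMPLE_LINES = """
{"insertId":"a1","logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2024-06-09T00:10:00Z","receiveTimestamp":"2024-06-09T00:10:01Z"}
{"insertId":"a1","logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2024-06-09T00:10:00Z","receiveTimestamp":"2024-06-09T00:10:01Z"}
{"insertId":"a2","logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2024-06-09T01:20:00Z","receiveTimestamp":"2024-06-09T01:20:02Z"}
{"insertId":"d1","logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access","timestamp":"2024-06-09T02:15:00Z","receiveTimestamp":"2024-06-09T02:15:01Z"}
{"insertId":"a3","logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2024-06-09T03:05:00Z","receiveTimestamp":"2024-06-09T03:50:00Z"}
{"insertId":"a4","logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2024-06-09T03:40:00Z","receiveTimestamp":"2024-06-09T03:40:01Z"}
""".strip().splitlines()

START = datetime(2024, 6, 9, 0, tzinfo=timezone.utc)
END = datetime(2024, 6, 9, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(json.dumps(completeness_report(SAMPLE_LINES, START, END),
                     default=str, indent=2))
```

Run this over each day's archive object before it is cited in an investigation, and treat a non-empty `silent_windows` list as an incident in its own right: with a locked retention policy the missing hour can never be backfilled into that object, so the gap has to be explained from Cloud Logging's own `_Required` bucket while it is still within its 400 days.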