Source: Detect and respond to high-risk threats in your logs with Google Cloud from Google Cloud
Editor’s Note: This the fourth blog and video in our six-part series on how to use Cloud Security Command Center. There are links to the three previous blogs and videos at the end of this post.
Data breaches aren’t only getting more frequent, they’re getting more expensive. With regulatory and compliance fines, and business resources being allocated to remediation, the costs from a data breach can quickly add up. In fact, the average total cost of a data breach in the U.S. has risen to $3.92 million, 1.5% more expensive than in 2018, and 12% more expensive than five years ago, according to IBM.
Today, we’re going to look at how Event Threat Detection can notify you of high-risk and costly threats in your logs and help you respond. Here’s a video—that’s also embedded at the end of this post—that will help you learn more about how it works.
Enabling Event Threat Detection
Once you’re onboard, Event Threat Detection will appear as a card on the Cloud Security Command Center (Cloud SCC) dashboard.
Event Threat Detection works by consuming Cloud Audit, VPC flow, Cloud DNS, and Syslog via fluentd logs and analyzing them with our threat detection logic and Google’s threat intelligence. When it detects a threat, Event Threat Detection writes findings (results) to Cloud SCC and to a logging project. For this blog and video, we’ll focus on the ETD findings available in Cloud SCC.
Detecting threats with Event Threat Detection
Here are the threats ETD can detect in your logs, and how they work:
Responding to threats with Event Threat Detection
When a threat is detected, you can see when it happened—either in the last 24 hours or last 7 days—and how many times it was detected, via the count.
When you click on a finding, you can see what the event was, when it occurred, and what source the data came from. This information saves time and lets you focus on remediation.
To further investigate a threat detected by Event Threat Detection, you can send your logs to a SIEM. Because Event Threat Detection has already processed your logs, you can send only high value incidents to your SIEM, saving time and money.
You can use a Splunk connector to export these logs. Splunk automatically sorts your key issues—you can see events and categories—so you can investigate further and follow the prescribed steps.
To learn more about how Event Threat Detection can help you can detect threats in your logs, watch our video.