How-to guides

5 GCP security tools you should know about

In this blog post, we’ll explore five GCP security tools you should know about.

Roy Horev | March 30, 2024

Whether your organization was born in the cloud or is aiming to modernize its IT landscape through cloud adoption, having a well-defined and comprehensive cloud security program is crucial. Managing security in the cloud calls for different strategies than managing security in networks or applications surfaces, and requires a paradigm shift due to the constantly evolving threat landscape. Applying the right risk management practices must therefore be an integral part of your cloud security program decision-making. If you are a GCP customer, GCP security tools are a good starting point for your cloud security journey.

Cloud follows a shared responsibility model in which customers own the security of their workloads while the service provider ensures the security of the cloud platform holistically. This stands true for all three major cloud service providers—AWS, Azure, and GCP. End-to-end security of workloads in the cloud often calls for a combination of native security tools and third-party integrations to implement the right security controls.

GCP, though fairly new to the market compared to its competitors, offers a number of security tools and capabilities to help enable cloud security. In this blog post, we’ll explore five GCP security tools you should know about.

GCP security tool #1: Security Command Center

When it comes to managing cyber risk in the cloud, cloud security posture management (CSPM) solutions play a pivotal role. Security Command Center is GCP’s native CSPM solution, providing a single-pane view of the overall security status of your workloads hosted in GCP. It identifies misconfigurations and security compliance violations that could enable threat actors to exploit them. Security Command Center uses auto discovery for easy onboarding of your cloud resources to the service, with minimal operations overhead.

To ensure cyber hygiene, the entire application stack must be secured. To this end, Security Command Center identifies common application vulnerabilities and attacks such as cross-site scripting (XSS), use of legacy attack-prone binaries, reverse shell, and more. The service also monitors log patterns emitted by cloud resources to help identify potential threats.

While Security Command Center provides centralized visibility and control of your GCP resources, cloud sprawl is pushing more and more organizations to adopt multi-cloud architectures. Multi-cloud deployments therefore require cyber risk-based remediation tools, in addition to your native cloud security tools, that are capable of handling such architectures and that provide a holistic view of security posture across your multi-cloud environments.

GCP security tool #2: Web Security Scanner

Web Security Scanner protects web applications hosted in GCP services (GKE, Compute Engine, and App Engine) from commonly known vulnerabilities like Flash injection, plain-text password transmission, mixed content, and more. It also helps identify weak links in your application lifecycle management, such as exposed Git/SVN repositories. Web Security Scanner can also be used to protect applications with public IPs and URLs that are not behind a firewall.

Web Security Scanner supports a subset of critical web application vulnerabilities listed in the OWASP Top 10, helping to monitor web applications for compliance control violations. The tool also runs automated weekly scans to identify vulnerabilities in exposed public web endpoints. In addition, customers can schedule comprehensive custom scans on demand at the GCP project level. Vulnerabilities flagged by the scanner are published in the Security Command Center through native integration.

But identifying vulnerabilities is only the first step in the risk remediation process—you don’t want your “to-fix” backlog to grow out of proportion. Third-party solutions offering automation and orchestration can help you prioritize and fix the vulnerabilities as well.

GCP security tool #3: Cloud Armor

GCP’s Cloud Armor service provides protection from cloud-based attacks at Layers 3, 4, and 7. Cloud Armor provides protection against organized volumetrics DDoS attacks that could bring down your workloads in the cloud. The service also provides web application firewall (WAF) capabilities for applications deployed behind load balancers, protecting against such common attacks as SQL injection, remote file inclusion, remote code execution, and more. It leverages the same enterprise-level protection used for the Google search engine, YouTube, Gmail, and other popular Google services.

Cloud Armor comes with WAF rules out of the box to detect and protect your workloads from the OWASP Top 10 vulnerabilities. The service also offers the flexibility to create custom rules using parameters like geolocation and L3-L7 configurations to detect attack patterns. It has also enabled Adaptive Protection powered by machine learning to protect from L7 DDOS attacks and other malicious activities. Cloud Armor also allows you to extend Layer 7 protection from DDoS or web attacks to hybrid and multi-cloud architectures.

GCP security tool #4: Chronicle Detect 

Built on Google’s core infrastructure, Chronicle Detect enables SIEM capabilities as part of GCP security tools. The highlight of the service is its rule engine, which is built on the well-known YARA detection language and enables faster search and detection of threats. It also helps detect threat patterns at scale by injecting logs from multiple GCP resources. By applying a common data model across the received telemetry data from users/machines and other sources, the rules engine is able to apply detection rules to a unified data set, which can be in the range of petabytes.

Chronicle leverages threat intelligence information from VirusTotal to automated risk investigation. Built on Google infrastructure, it offers unparalleled speed for security analytics as well as built-in intelligence to eliminate false positives. The service also provides visualization of how your cloud assets are interacting with potentially malicious domains.

While Chronicle can help to identify the risks, a risk-based platform will help you prioritize and focus on filling the gaps in your cloud security.

5. Event Threat Detection

Through monitoring of your cloud logging stream, GCP provides near real-time event threat detection capabilities. While not am official GCP security tool, this helps to protect your cloud assets from threats such as malware, cryptomining, data exfiltration, outgoing DDoS, and brute-force SSH, to name a few. The service is available out of the box through the Premium tier in the Security Command Center.

For GCP, the service can monitor your API call logs and actions such as creating, updating, or reading of cloud assets or updating their metadata. The log data sources include SSH logs, syslog, cloud administrative activity, data access, cloud NAT, firewall rules, VPC flow, and cloud DNS. Its event threat detection capabilities leverage proprietary threat detection and analysis methods, such as advanced profiling, machine learning, windowed profiling, tripwire indicator matching, and then records the findings in the Security Command Center.

Augmentation with third-party integrations

As cyber threats continue to evolve on a daily basis and attackers find more sophisticated methods to exploit cloud and GCP vulnerabilities, organizations need to step up their game. The focus should be on end-to-end risk management, by first detecting the risks, prioritizing them, and enabling faster remediation. A risk-based cyber security solution can augment your native cloud security tools, enabling visibility and risk remediation across multi-cloud environments—one of the greatest challenges enterprises now face.

The Vulcan Cyber® Risk Remediation Platform provides an end-to-end scan-to-fix solution for your cloud workloads. Vulcan’s GCP plugin allows you to inventory your GCP cloud assets and automate the entire risk remediation process. Getting started with the GCP connector is easy. You simply provide the GCP project details and JSON service account key file with the IAM service account to authenticate the project.

The identified vulnerabilities from GCP and other connected cloud environments are consolidated to provide a holistic view of your cloud environment security posture. Vulcan correlates both internal and external business data, threat intelligence, and vendor guidelines to provide an organization-centric prioritization approach. 

Customers can leverage integration with automated ticketing tools like Jira to create and assign remediation tickets. You can also enable automated remediation actions like patch deployment and configuration script execution through integration with tools like Chef, Ansible, and Ivanti. The Vulcan risk-based platform also analyzes and reports the effectiveness of the remediation process to reduce business risk and improve cyber hygiene across all cyber security programs.

Keep up with emerging vulnerabilities across your cloud environment. Get free access to thousands of vulnerabilities and get fix done with Vulcan Remedy Cloud or request access to Vulcan Free.

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy