Implement preemptive cyber defense
This principle in the security pillar of the Google Cloud Well-Architected Framework provides recommendations to build robust cyber-defense programs as part of your overall security strategy.
This principle emphasizes the use of threat intelligence to proactively guide your efforts across the core cyber-defense functions, as defined in The Defender's Advantage: A guide to activating cyber defense.
Principle overview
When you defend your system against cyber attacks, you have a significant, underutilized advantage against attackers. As the founder of Mandiant states, "You should know more about your business, your systems, your topology, your infrastructure than any attacker does. This is an incredible advantage." To help you use this inherent advantage, this document provides recommendations about proactive and strategic cyber-defense practices that are mapped to the Defender's Advantage framework.
Recommendations
To implement preemptive cyber defense for your cloud workloads, consider the recommendations in the following sections:
- Integrate the functions of cyber defense
- Use the Intelligence function in all aspects of cyber defense
- Understand and capitalize on your defender's advantage
- Validate and improve your defenses continuously
- Manage and coordinate cyber-defense efforts
Integrate the functions of cyber defense
This recommendation is relevant to all of the focus areas.
The Defender's Advantage framework identifies six critical functions of cyber defense: Intelligence, Detect, Respond, Validate, Hunt, and Mission Control. Each function focuses on a unique part of the cyber-defense mission, but these functions must be well-coordinated and work together to provide an effective defense. Focus on building a robust and integrated system where each function supports the others. If you need a phased approach for adoption, consider the following suggested order. Depending on your current cloud maturity, resource topology, and specific threat landscape, you might want to prioritize certain functions.
- Intelligence: The Intelligence function guides all the other functions. Understanding the threat landscape—including the most likely attackers, their tactics, techniques, and procedures (TTPs), and the potential impact—is critical to prioritizing actions across the entire program. The Intelligence function is responsible for stakeholder identification, definition of intelligence requirements, data collection, analysis and dissemination, automation, and the creation of a cyber threat profile.
- Detect and Respond: These functions make up the core of active defense, which involves identifying and addressing malicious activity. These functions are necessary to act on the intelligence that's gathered by the Intelligence function. The Detect function requires a methodical approach that aligns detections to attacker TTPs and ensures robust logging. The Respond function must focus on initial triage, data collection, and incident remediation.
- Validate: The Validate function is a continuous process that provides assurance that your security control ecosystem is up-to-date and operating as designed. This function ensures that your organization understands the attack surface, knows where vulnerabilities exist, and measures the effectiveness of controls. Security validation is also an important component of the detection engineering lifecycle and must be used to identify detection gaps and create new detections.
- Hunt: The Hunt function involves proactively searching for active threats within an environment. This function must be implemented when your organization has a baseline level of maturity in the Detect and Respond functions. The Hunt function expands the detection capabilities and helps to identify gaps and weaknesses in controls. The Hunt function must be based on specific threats. This advanced function benefits from a foundation of robust intelligence, detection, and response capabilities.
- Mission Control: The Mission Control function acts as the central hub that connects all of the other functions. This function is responsible for strategy, communication, and decisive action across your cyber-defense program. It ensures that all of the functions are working together and that they're aligned with your organization's business goals. You must focus on establishing a clear understanding of the purpose of the Mission Control function before you use it to connect the other functions.
Use the Intelligence function in all aspects of cyber defense
This recommendation is relevant to all of the focus areas.
This recommendation highlights the Intelligence function as a core part of a strong cyber-defense program. Threat intelligence provides knowledge about threat actors, their TTPs, and indicators of compromise (IOCs). This knowledge should inform and prioritize actions across all cyber-defense functions. An intelligence-driven approach helps you align defenses to meet the threats that are most likely to affect your organization. This approach also helps with efficient allocation and prioritization of resources.
The following Google Cloud products and features help you take advantage of threat intelligence to guide your security operations. Use these features to identify and prioritize potential threats, vulnerabilities, and risks, and then plan and implement appropriate actions.
Google Security Operations (Google SecOps) helps you store and analyze security data centrally. Use Google SecOps to map logs into a common model, enrich the logs, and link the logs to timelines for a comprehensive view of attacks. You can also create detection rules, set up IOC matching, and perform threat-hunting activities. The platform also provides curated detections, which are predefined and managed rules to help identify threats. Google SecOps can also integrate with Mandiant frontline intelligence. Google SecOps combines AI-assisted analysis with threat intelligence from Mandiant and Google VirusTotal. This integration is critical for threat evaluation and for understanding who is targeting your organization and the potential impact.
Security Command Center Enterprise, which is powered by Google AI, enables security professionals to efficiently assess, investigate, and respond to security issues across multiple cloud environments. The security professionals who can benefit from Security Command Center include security operations center (SOC) analysts, vulnerability and posture analysts, and compliance managers. Security Command Center Enterprise enriches security data, assesses risk, and prioritizes vulnerabilities. This solution provides teams with the information that they need to address high-risk vulnerabilities and to remediate active threats.
Chrome Enterprise Premium offers threat and data protection, which helps to protect users from exfiltration risks and prevents malware from getting onto enterprise-managed devices. Chrome Enterprise Premium also provides visibility into unsafe or potentially unsafe activity that can happen within the browser.
Network monitoring, through tools like Network Intelligence Center, provides visibility into network performance. Network monitoring can also help you detect unusual traffic patterns or data transfer volumes that might indicate an attack or a data exfiltration attempt.
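The Intelligence, Detect, and Validate functions described in Integrate the functions of cyber defense, and the IOC matching, detection rules, and threat-hunting capabilities of Google SecOps described in this section, are easier to see in working code. The following Python script is an added example; it is not code from this page, from Google SecOps, or from the Defender's Advantage framework. The threat profile, the IOC feed, the normalized event fields, the addresses (RFC 5737 documentation ranges), and the thresholds are all constructed assumptions. The script matches events against the feed, runs two detections that are aligned to ATT&CK techniques, and then checks which techniques in the threat profile have no detection at all, which is the kind of gap the Validate function is meant to surface.

```python
"""Intelligence-driven detection and validation over constructed log events.

Added example, not code from the Google Cloud page or from Google SecOps.
The event fields, the threat profile and the IOC feed are assumptions built
for this illustration; the technique (feed-driven IOC matching, TTP-aligned
detections, and a coverage check against the threat profile) is the point.
"""
from collections import defaultdict
from dataclasses import dataclass

# Cyber threat profile (constructed): the ATT&CK techniques the Intelligence
# function expects the most likely attackers to use against this environment.
THREAT_PROFILE = ["T1110", "T1078", "T1071.001", "T1048", "T1566"]

# IOC feed (constructed): indicator -> technique it is associated with.
# Addresses come from the documentation ranges (RFC 5737), not real infrastructure.
IOC_FEED = {
    "203.0.113.45": "T1071.001",            # suspected C2 address
    "update-checker.example": "T1071.001",  # suspected C2 domain
}

# Normalized events (constructed; field names are an assumption, loosely
# modelled on a common event model with a timestamp, type, principal and target).
EVENTS = [
    {"ts": 100, "type": "USER_LOGIN", "user": "alice", "src_ip": "198.51.100.7", "result": "FAIL"},
    {"ts": 110, "type": "USER_LOGIN", "user": "alice", "src_ip": "198.51.100.7", "result": "FAIL"},
    {"ts": 120, "type": "USER_LOGIN", "user": "alice", "src_ip": "198.51.100.7", "result": "FAIL"},
    {"ts": 130, "type": "USER_LOGIN", "user": "alice", "src_ip": "198.51.100.7", "result": "SUCCESS"},
    {"ts": 200, "type": "NETWORK_CONNECTION", "user": "alice", "src_ip": "10.0.0.5",
     "dst_ip": "203.0.113.45", "dst_host": "update-checker.example", "bytes_out": 4096},
    {"ts": 300, "type": "NETWORK_CONNECTION", "user": "alice", "src_ip": "10.0.0.5",
     "dst_ip": "192.0.2.80", "dst_host": "files.example.net", "bytes_out": 750_000_000},
    {"ts": 400, "type": "USER_LOGIN", "user": "bob", "src_ip": "10.0.0.9", "result": "SUCCESS"},
]


@dataclass(frozen=True)
class Alert:
    rule_id: str
    ttp: str      # ATT&CK technique the detection is aligned to
    ts: int
    user: str
    detail: str


def rule_ioc_match(events):
    """Intelligence-driven matching: any event that touches an indicator in the feed."""
    alerts = []
    for e in events:
        hits = [(f, e[f]) for f in ("src_ip", "dst_ip", "dst_host") if e.get(f) in IOC_FEED]
        if hits:
            _, first_value = hits[0]
            alerts.append(Alert("ioc_match", IOC_FEED[first_value], e["ts"], e["user"],
                                ", ".join(f"{f}={v}" for f, v in hits)))
    return alerts


def rule_bruteforce_then_success(events, threshold=3, window=60):
    """TTP-aligned detection: a successful login preceded by `threshold` or more
    failures from the same source within `window` seconds (T1110 leading to T1078)."""
    failures = defaultdict(list)  # (user, src_ip) -> timestamps of failed logins
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "USER_LOGIN":
            continue
        key = (e["user"], e["src_ip"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append(Alert("bruteforce_then_success", "T1110", e["ts"], e["user"],
                                f"{len(recent)} failures from {e['src_ip']} before success"))
        failures[key].clear()  # a success resets the counter for this source
    return alerts


def rule_large_egress(events, threshold_bytes=500_000_000):
    """TTP-aligned detection: unusually large transfer to an external destination (T1048)."""
    return [Alert("large_egress", "T1048", e["ts"], e["user"],
                  f"{e['bytes_out']} bytes to {e['dst_host']} ({e['dst_ip']})")
            for e in events
            if e["type"] == "NETWORK_CONNECTION"
            and e["bytes_out"] >= threshold_bytes
            and not e["dst_ip"].startswith("10.")]  # crude "internal" test; an assumption


# Detection registry: each rule and the techniques it claims coverage for.
RULES = [
    (rule_ioc_match, set(IOC_FEED.values())),
    (rule_bruteforce_then_success, {"T1110", "T1078"}),
    (rule_large_egress, {"T1048"}),
]


def run_detections(events):
    """Detect: run every registered rule and return the alerts in time order."""
    alerts = [a for rule, _ in RULES for a in rule(events)]
    return sorted(alerts, key=lambda a: a.ts)


def detection_gaps(profile=THREAT_PROFILE):
    """Validate: techniques in the threat profile that no registered rule covers."""
    covered = set().union(*(ttps for _, ttps in RULES))
    return [ttp for ttp in profile if ttp not in covered]


if __name__ == "__main__":
    for a in run_detections(EVENTS):
        print(f"{a.ts:>4} {a.rule_id:<24} {a.ttp:<10} {a.user:<6} {a.detail}")
    print("detection gaps vs. threat profile:", detection_gaps())
```

Run directly, the script prints three alerts (the brute-force login, the IOC hit, and the large egress) and reports T1566 (phishing) as a gap, because the threat profile lists it but no rule claims coverage. The useful property is that the threat profile drives both prioritization and validation: a technique added to the profile shows up as a gap until a detection claims it, which is how the Intelligence function feeds the detection engineering lifecycle described above.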
Understand and capitalize on your defender's advantage
This recommendation is relevant to all of the focus areas.
As mentioned earlier, you have an advantage over attackers when you have a thorough understanding of your business, systems, topology, and infrastructure. To capitalize on this knowledge advantage, use this data about your environments during cyber-defense planning.
Google Cloud provides the following features to help you proactively gain visibility to identify threats, understand risks, and respond in a timely manner to mitigate potential damage:
Chrome Enterprise Premium helps you enhance security for enterprise devices by protecting users from exfiltration risks. It extends Sensitive Data Protection services into the browser, and it offers protection against malware and phishing to help prevent exposure to unsafe content. In addition, it gives you control over the installation of extensions to help prevent unsafe or unvetted extensions. These capabilities help you establish a secure foundation for your operations.
Security Command Center Enterprise provides a continuous risk engine that offers comprehensive and ongoing risk analysis and management. The risk engine feature enriches security data, assesses risk, and prioritizes vulnerabilities to help fix issues quickly. Security Command Center enables your organization to proactively identify weaknesses and implement mitigations.
Google SecOps centralizes security data and provides enriched logs with timelines. This enables defenders to proactively identify active compromises and adapt defenses based on attackers' behavior.
Network monitoring helps identify irregular network activity that might indicate an attack, and it provides early indicators that you can use to take action. To help proactively protect your data from theft, continuously monitor for data exfiltration using the network monitoring and data-protection tools described in this document.
Validate and improve your defenses continuously
This recommendation is relevant to all of the focus areas.
This recommendation emphasizes the importance of targeted testing and continuous validation of controls to understand strengths and weaknesses across the entire attack surface. This includes validating the effectiveness of controls, operations, and staff through methods like the following:
You must also actively search for threats and use the results to improve detection and visibility. Use the following tools to continuously test and validate your defenses against real-world threats:
Security Command Center Enterprise provides a continuous risk engine to evaluate vulnerabilities and prioritize remediation, which enables ongoing evaluation of your overall security posture. By prioritizing issues, Security Command Center Enterprise helps you to ensure that resources are used effectively.
Google SecOps offers threat-hunting and curated detections that let you proactively identify weaknesses in your controls. This capability enables continuous testing and improvement of your ability to detect threats.
Chrome Enterprise Premium provides threat and data protection features that can help you to address new and evolving threats, and continuously update your defenses against exfiltration risks and malware.
Cloud Next Generation Firewall (Cloud NGFW) provides network monitoring and data-exfiltration monitoring. These capabilities can help you to validate the effectiveness of your current security posture and identify potential weaknesses. Data-exfiltration monitoring helps you to validate the strength of your organization's data protection mechanisms and make proactive adjustments where necessary. When you integrate threat findings from Cloud NGFW with Security Command Center and Google SecOps, you can improve network-based threat detection and response, and automate playbooks. For more information about this integration, see Unifying Your Cloud Defenses: Security Command Center & Cloud NGFW Enterprise.
Manage and coordinate cyber-defense efforts
This recommendation is relevant to all of the focus areas.
As described earlier in Integrate the functions of cyber defense, the Mission Control function interconnects the other functions of the cyber-defense program. This function enables coordination and unified management across the program. It also helps you coordinate with other teams that don't work on cybersecurity. The Mission Control function promotes empowerment and accountability, facilitates agility and expertise, and drives responsibility and transparency.
The following products and features can help you implement the Mission Control function:
- Security Command Center Enterprise acts as a central hub for coordinating and managing your cyber-defense operations. It brings tools, teams, and data together, along with the built-in Google SecOps response capabilities. Security Command Center provides clear visibility into your organization's security state and enables the identification of security misconfigurations across different resources.
- Google SecOps provides a platform for teams to respond to threats by mapping logs and creating timelines. You can also define detection rules and search for threats.
- Google Workspace and Chrome Enterprise Premium help you to manage and control end-user access to sensitive resources. You can define granular access controls based on user identity and the context of a request.
- Network monitoring provides insights into the performance of network resources. You can import network monitoring insights into Security Command Center and Google SecOps for centralized monitoring and correlation against other timeline-based data points. This integration helps you to detect and respond to changes in network usage caused by malicious activity.
- Data-exfiltration monitoring helps to identify possible data loss incidents. With this feature, you can efficiently mobilize an incident response team, assess damages, and limit further data exfiltration. You can also improve current policies and controls to ensure data protection.
Product summary
The following table lists the products and features that are described in this document and maps them to the associated recommendations and security capabilities.
| Google Cloud product | Applicable recommendations |
|---|---|
| Google SecOps | Use the Intelligence function in all aspects of cyber defense: Enables threat hunting and IOC matching, and integrates with Mandiant for comprehensive threat evaluation. Understand and capitalize on your defender's advantage: Provides curated detections and centralizes security data for proactive compromise identification. Validate and improve your defenses continuously: Enables continuous testing and improvement of threat detection capabilities. Manage and coordinate cyber-defense efforts through Mission Control: Provides a platform for threat response, log analysis, and timeline creation. |
| Security Command Center Enterprise | Use the Intelligence function in all aspects of cyber defense: Uses AI to assess risk, prioritize vulnerabilities, and provide actionable insights for remediation. Understand and capitalize on your defender's advantage: Offers comprehensive risk analysis, vulnerability prioritization, and proactive identification of weaknesses. Validate and improve your defenses continuously: Provides ongoing security posture evaluation and resource prioritization. Manage and coordinate cyber-defense efforts through Mission Control: Acts as a central hub for managing and coordinating cyber-defense operations. |
| Chrome Enterprise Premium | Use the Intelligence function in all aspects of cyber defense: Protects users from exfiltration risks, prevents malware, and provides visibility into unsafe browser activity. Understand and capitalize on your defender's advantage: Enhances security for enterprise devices through data protection, malware prevention, and control over extensions. Validate and improve your defenses continuously: Addresses new and evolving threats through continuous updates to defenses against exfiltration risks and malware. Manage and coordinate cyber-defense efforts through Mission Control: Manage and control end-user access to sensitive resources, including granular access controls. |
| Google Workspace | Manage and coordinate cyber-defense efforts through Mission Control: Manage and control end-user access to sensitive resources, including granular access controls. |
| Network Intelligence Center | Use the Intelligence function in all aspects of cyber defense: Provides visibility into network performance and detects unusual traffic patterns or data transfers. |
| Cloud NGFW | Validate and improve your defenses continuously: Optimizes network-based threat detection and response through integration with Security Command Center and Google SecOps. |
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-02-05 UTC.