Cloud CISO Perspectives: Guidance from our latest Threat Horizons report

Welcome to the first Cloud CISO Perspectives for February 2024. Today I’ll be looking at our latest Threat Horizons report, which provides a forward-thinking view of cloud security with intelligence on emerging threats and actionable recommendations from Google's security experts.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

--Phil Venables, VP, TI Security & CISO, Google Cloud

Latest Threat Horizons report: Emerging threats, actionable recommendations

By Phil Venables, VP, TI Security & CISO, Google Cloud

Google Cloud’s new Threat Horizons report for the first half of 2024 concludes that we saw threats increase across information technology environments, including on-premise, mobile, operational technology, and the cloud in 2023. However, while some sectors were more plagued by underlying vulnerabilities, security concerns for cloud providers were more often driven by security hygiene and misconfigurations. We expect those trends to continue in 2024, as the report notes, which means that organizations may also have a better sense of the kinds of threats they face (and how to prepare for them) in the coming year.

At Google Cloud, we take credential abuse seriously, so we offer many security capabilities to support customers and protect their environments, including two-factor authentication, strong password policies, identity and access management (IAM) policies, cloud audit logs, and a centralized view of threats and vulnerabilities in Security Command Center. We also now offer a credential leak monitoring service through Mandiant Digital Threat Monitoring.

The report also confirmed that data theft in general and ransomware specifically remain challenges for cloud customers. In 2023, threat actors targeting cloud environments began prioritizing data exfiltration over data encryption and stolen data advertisements. While this could suggest that they are focused on monetary gain, we noted that they “increasingly seek to profit by selling the data (or access to the data) rather than expecting victims to pay the ransom for decryption keys.”

To better secure cloud instances, we recommend deploying cloud-specific backup strategies that include testing configurations and templates of stored assets; using technologies such as WORM (Write Once Read Many) and the Bucket Lock feature on Google Cloud to provide immutable and policy compliant backup storage, and implementing resilient architecture, such as multi-region cloud use and backup mirroring, to reduce risk of data loss or inaccessibility.

Security logs can often capture and make visible to defenders a level of contextual and historical background data that enables them to better observe threat actors at work. Exporting relevant logs to a centralized, well-governed repository can help monitor threat activity on your network and in your systems.

As more industries and organizations move to the cloud, it will become an ever-more appealing target. The full report provides more details on these topics as well as on nation-state threat activity, ransomware, and the positive impact of security partnerships, which you can read here. You can read previous Threat Horizons reports here.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams:

• Gen AI governance: 10 tips to level up your AI program: To help organizations navigate AI governance challenges, we’ve outlined 10 best practices to streamline and operationalize AI implementation at scale. Read more.
• Scaling security with AI, from detection to solution: In alignment with Google’s Secure AI Framework (SAIF), we’ve been using AI itself to automate and streamline routine and manual security tasks, including fixing security bugs. Last year, we wrote about how LLMs can expand vulnerability testing coverage, and we’re excited to share some updates. Read more.
• U.N. cybercrime treaty could endanger web security: Earlier this month, the United Nations convened member states to continue its years-long negotiations on the U.N. Cybercrime Treaty. Google takes the threat of cybercrime very seriously, and dedicates significant resources to combating it. We urge member states to heed calls from civil society groups to address critical gaps in the treaty and revise the text to protect users and security professionals. Read more.
• Simplify DORA compliance with Google Cloud's updated contracts: Google Cloud is committed to supporting our customers’ compliance with EU DORA. Here’s the latest on our DORA support. Read more.
• A recipe for scaling security: In 2023, Google was able to modernize and improve our code at scale — no small feat given our vast portfolio of services. It’s important for us to share how we did it, what security benefits the changes brought to our users, and importantly, how other interested organizations can adopt the same strategy. Read more.
• Introducing Policy Analyzer: We are pleased to announce the general availability launch of Policy Analyzer for Org Policy and Custom Org Policy, which can help customers identify which resources are governed by which org policy constraints, empowering customers to understand and strengthen their security posture, and satisfy attestation and auditing requirements. Read more.
• Synthesized uses gen AI for compliant BigQuery dataset snapshots: Learn how Synthesized uses generative AI to create privacy-preserving snapshots of BigQuery datasets. Read more.

News from Mandiant

• Latest research on Ivanti Connect Secure VPN zero-day exploitation: We follow our first blog on two zero days impacting VPN provider Ivanti with additional tactics, techniques, and procedures used by UNC5221 and other threat groups against Ivanti customers. We also detail new malware families and variants to previously-identified malware families being used by UNC5221. Read more.
• Uncovering USB malware's hidden depths: Mandiant Managed Defense has been tracking UNC4990, a threat actor who heavily relies on USB devices for initial infection. Since at least 2020, they have primarily targeted users based in Italy and are likely motivated by financial gain. Read more.
• Introducing credential leak monitoring from Mandiant: Mandiant Digital Threat Monitoring now includes the capability to monitor your credential leaks on the deep and dark web, which will automatically alert you if your employees’ accounts have appeared in our compromised credential data. Read more.
• Dynamic capa: Exploring executable run-time behavior with CAPE sandbox: We are excited to announce that capa v7.0 can now identify program capabilities from dynamic analysis reports generated from the CAPE sandbox, an expansion of capa’s original static analysis approach. Read more.

Now hear this: Google Cloud Security and Mandiant podcasts

• Cloud-ghostbusters: Who you gonna call for cloud forensics: How does cybersecurity forensics happen in the cloud? Google security engineer Jason Solomon sits down with our Cloud Security podcast hosts Anton Chuvakin and Tim Peacock to talk about next steps when there’s something strange in your cloud neighborhood. Listen here.
• Learn how Google Workspace security is built for modern threats: Workspace makes the claim that, unlike other productivity suites available today, it’s designed for the modern threat landscape. What gives Google the ability to make this claim? Engineering managers Emre Kanlikilicer and Sophia Gu discuss with Anton and Tim what sets Google Workspace apart, from a security perspective. Listen here.
• Prescriptions for a healthy cybersecurity future: Unfortunately, 2023 was a banner year for healthcare and life sciences cybersecurity incidents. Google Cloud Office of the CISO Director Taylor Lehmann and Security Architect Bill Reid join host Luke McNamara to discuss their takeaways from the last year of threat activity witnessed by enterprises within healthcare and life sciences. Listen here.
• Is the CTI lifecycle due for an update: Mandiant Intelligence Advisor Renze Jongman joins Luke to discuss his blog post on the CTI Process Hyperloop, and how we can do better at applying threat intelligence to the needs of the security organization and larger enterprise. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.