Chronicle CyberShield - Google Cloud’s Approach to Strengthen Nation-wide Cyber Defense
Nikhiel Sawhney
Head of EMEA Security Practice
Philip Maurer
Head of EMEA Customer Engineering Public Sector
One of the primary functions of any government is to protect its citizens, institutions, infrastructure and way of life. With the rise of the global Internet, the world is more connected and traditional borders do not exist, meaning those same citizens, institutions, infrastructure, and way of life are at greater risk of malicious activity online. The threat profile of many governments has evolved and it is more important than ever to protect and defend critical online services.
Of the intrusions investigated by Mandiant in 2022, response efforts for government-related organizations captured 25% of all investigations, compared to 9% in 2021. This primarily reflects the extensive work Mandiant has conducted in support of customers affected by the Russian invasion of Ukraine.
To help governments around the world continue to realize the benefits of digital transformation while mitigating the risk of cyber threats, we’ve developed Chronicle CyberShield to provide government agencies with a solution that integrates threat intelligence, detection, and response. Chronicle CyberShield is unique in that it enables multiple government entities to proactively and rapidly share threat information, accelerate investigations and initiate a united response.
Situational threat awareness at a national level
Governments need to invest in improving their cybersecurity capabilities and cultivate a collaborative culture of enhanced information-sharing and threat awareness at scale. They need to reduce the impact and severity of cyber attacks on critical national infrastructure and develop capabilities to secure the networks that support it. Further, as governments adopt the cloud to accelerate innovation and drive repeatable outcomes, they need to ensure that it’s secure and reliable. Lastly, and most importantly, government entities need to be empowered with advanced skills and capabilities to defend against an ever-evolving threat landscape.
The large attack surface across a government makes visibility and situational awareness of the threat landscape paramount. Even governments with mature cybersecurity postures are at risk from the most advanced persistent threat actors, who constantly evolve their techniques. As a result, rapid aggregation of security events and real-time sharing of actionable cyber threat intelligence across the whole government sector is necessary to prevent widespread cyber incidents.
Chronicle CyberShield
Chronicle CyberShield enables governments to build an enhanced cyber threat intelligence capability; protect web-facing infrastructure from cyber attacks; monitor and detect indicators of compromise, malware, and intrusions; and rapidly respond to cyber attacks to limit widespread impacts. In addition, it enables governments to raise threat and situational awareness, build cybersecurity skills and capabilities, and facilitate knowledge sharing and collaboration to raise the bar for security at a national level.
CyberShield Core Components
Improving situational threat awareness with a modern security operations center
In the digital world, operating a sophisticated and streamlined Security Operations Center (SOC) is at the core of maintaining digital integrity and security. A primary component of Chronicle CyberShield is establishing a modern government SOC, comprising a network of interconnected SOCs that aggregate security threats at scale. This empowers governments to operate a cyber defense center for enhanced detection, protection against major threats, and automated response and incident management across multiple entities.
As part of Chronicle CyberShield, governments can leverage cyber threat intelligence from Google and Mandiant, now part of Google Cloud, to build a scalable and centralized threat intelligence and analysis capability. This is integrated operationally into the government SOC to identify suspicious indicators and enrich the context for known vulnerabilities.
In addition, Chronicle CyberShield allows governments to build a coordinated monitoring capability with Chronicle SIEM to simplify threat detection, investigation, and hunting with the intelligence, speed, and scale of Google. By implementing Chronicle across a network of SOCs, attack patterns and correlated threat activity across multiple entities are available for investigation and analysis. With Chronicle’s cloud-focused scalable architecture and innovative pricing model, governments can analyze large volumes of security telemetry within seconds without sacrificing visibility, performance, or cost.
Once threats are identified in Chronicle SIEM, automated playbooks can be developed in Chronicle SOAR to address root causes and reduce the impact of threats and cyber attacks. Integration with third-party solutions enables Chronicle SOAR to enrich data with threat intelligence and additional context for faster insights. Analysts in the government SOC can then focus on resolving cases and reducing dwell time by uncovering and containing threats more rapidly.
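The cross-entity correlation described above is what distinguishes a network of interconnected SOCs from a single agency's SOC: an indicator that looks like one stray connection at one ministry becomes a coordinated campaign when the same indicator is seen at several. The following is an added illustration of that idea in plain Python; it is not Chronicle SIEM or SOAR code, not YARA-L, and not Google's implementation. The entity names, log formats, IP addresses (all from RFC 5737 documentation ranges) and the threat-intelligence labels are constructed for the example.

```python
"""Illustrative cross-entity indicator correlation (not Chronicle code).

Telemetry from several government entities, each with its own native log
format, is normalized to a minimal common schema and matched against a
shared threat-intelligence set.  Indicators observed at more than one
entity are promoted to a "coordinated campaign" finding with the context a
response playbook would need (which entities, first seen, whether any
entity already blocked it).
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import json

# Constructed sample telemetry: (entity, raw log line).  One entity ships
# JSON lines; the others ship a space-separated firewall format.
RAW_EVENTS = [
    ("ministry-of-finance", '{"ts":"2023-03-01T08:02:11Z","src":"203.0.113.45","dst":"10.1.4.20","action":"allow"}'),
    ("ministry-of-finance", '{"ts":"2023-03-01T08:02:12Z","src":"198.51.100.7","dst":"10.1.4.21","action":"allow"}'),
    ("tax-authority", "2023-03-01T08:05:03Z DENY 203.0.113.45 -> 10.2.0.9"),
    ("tax-authority", "2023-03-01T08:06:44Z ALLOW 192.0.2.10 -> 10.2.0.9"),
    ("customs-agency", "2023-03-01T08:09:30Z ALLOW 203.0.113.45 -> 10.3.7.2"),
    ("customs-agency", "2023-03-01T08:10:00Z ALLOW 192.0.2.10 -> 10.3.7.3"),
]

# Constructed shared threat-intelligence feed: indicator -> label.
THREAT_INTEL = {
    "203.0.113.45": "constructed-example: command-and-control infrastructure",
    "192.0.2.10": "constructed-example: mass scanner",
}


@dataclass(frozen=True)
class Event:
    """Common schema every entity's telemetry is mapped onto."""
    entity: str
    ts: str      # ISO-8601 UTC; same format everywhere so strings sort by time
    src: str
    dst: str
    action: str  # "allow" or "deny"


def normalize(entity, raw):
    """Map an entity's native log line to the common Event schema."""
    if raw.startswith("{"):
        d = json.loads(raw)
        ev = Event(entity, d["ts"], d["src"], d["dst"], d["action"].lower())
    else:
        ts, action, src, _, dst = raw.split()
        ev = Event(entity, ts, src, dst, action.lower())
    # Reject malformed addresses early rather than silently failing to match.
    ipaddress.ip_address(ev.src)
    ipaddress.ip_address(ev.dst)
    return ev


def correlate(events, intel):
    """Group intel hits as {indicator: {entity: [events]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if ev.src in intel:
            hits[ev.src][ev.entity].append(ev)
    return hits


def campaign_findings(hits, intel, min_entities=2):
    """Promote indicators seen at >= min_entities distinct entities.

    The per-entity view would show each hit as an isolated event; only the
    aggregated view reveals that the same infrastructure touched several
    entities within minutes, and that one of them already blocked it.
    """
    findings = []
    for indicator, by_entity in sorted(hits.items()):
        if len(by_entity) < min_entities:
            continue
        events = [e for evs in by_entity.values() for e in evs]
        findings.append({
            "indicator": indicator,
            "label": intel[indicator],
            "entities": sorted(by_entity),
            "first_seen": min(e.ts for e in events),
            "blocked_somewhere": any(e.action == "deny" for e in events),
            # Context a playbook would act on: entities that still allowed it.
            "entities_still_allowing": sorted(
                {e.entity for e in events if e.action == "allow"}),
        })
    return findings


def run(min_entities=2):
    events = [normalize(entity, raw) for entity, raw in RAW_EVENTS]
    return campaign_findings(correlate(events, THREAT_INTEL), THREAT_INTEL, min_entities)


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

In the constructed data, 203.0.113.45 appears at all three entities and was denied only by the tax authority, while 192.0.2.10 appears at two; raising `min_entities` to 3 keeps only the first. The `entities_still_allowing` list is the kind of enrichment a response playbook would consume to propagate a block that one entity already applied.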
When major cyber attacks take place, time is of the essence in understanding the scope and magnitude of the impact. Governments need additional support to augment their in-house capabilities to respond to the full lifecycle of any major security incident. With Chronicle CyberShield, governments can agree on pre-established terms and conditions for incident management and response support from Mandiant, saving precious time when it matters most.
Lastly, staying ahead of attackers requires continuous validation to strengthen detection and response capabilities. Governments need to continuously test security controls by launching real-world attacks against critical assets to identify vulnerabilities and harden systems. Chronicle CyberShield includes continuous red teaming and penetration testing services delivered by Mandiant to test security controls and protect critical assets by identifying and mitigating security gaps and vulnerabilities.
By continuously assessing security controls and capabilities, governments can rapidly identify and respond to threats. This results in heightened situational awareness and prepares teams to mobilize quickly in response to major threats.
Government SOC Components
Protect web applications from cyberattacks
In addition to monitoring and responding to threats, Chronicle CyberShield provides governments with the capability to protect web applications from large-scale cyber attacks. With the Digital Security component of Chronicle CyberShield, governments can integrate with existing solutions and build anti-DDoS, anti-bot, web application firewall (WAF), and API protection to protect against new and existing threats.
Cloud Armor protects applications from DDoS attacks and helps mitigate the OWASP Top 10 risks. Integration with reCAPTCHA Enterprise identifies fraudulent activity, spam, and abuse such as scraping, credential stuffing, automated account creation, and exploitation by automated bots. Lastly, applications and APIs are secured using Apigee API management.
Defend against tomorrow’s attacks today
CyberShield includes consulting services from Google Cloud and Mandiant to further assist governments.
By leveraging Google Cloud’s professional services and Mandiant’s government consulting solutions and expertise, governments can develop core capabilities to improve security governance, upskill talent in government, enhance knowledge sharing and collaboration, and drive effective security operations. Governments can benchmark their capabilities against our National Cybersecurity Capability Framework and establish an Advanced Skills Academy with instructor-led and web-based training on cybersecurity topics including cloud security fundamentals, threat modeling, and secure architecture design. With support from Google Cloud and Mandiant, governments can run cyber attack simulations and tabletop exercises to test existing controls and be well prepared for future cyber attacks.
Chronicle CyberShield Capabilities
In summary, with Chronicle CyberShield governments will be able to enhance situational threat awareness across a network of interconnected SOCs powered by the speed, scale, and performance of the Chronicle security operations suite. In addition, governments get advanced protection for web apps, services, and APIs against DDoS, Layer 7 (application-layer), and bot attacks at Google scale. Lastly, Chronicle CyberShield empowers governments with the resources to improve security governance, build skills, and make strategic decisions to protect the nation.
To learn more about Chronicle CyberShield, please contact our experts.