Endpoint Detection
ADR-0012-ENDPOINT-DETECTION (v8): Endpoint Detection and Threat Response Solution
Context and problem statement
- We want engineers to understand which endpoint detection products are used in the enterprise, which NIST controls they are required to meet (if any), whether any implementation work is required, and the impact to leagues.
- The controls cover runtime and malicious code protection, vulnerability monitoring, product diversity, threat hunting, and more.
- For GKE, Container Threat Detection in Security Command Center (SCC) creates GKE objects in the enabled clusters that monitor container images, manage privileged containers and pods, and evaluate cluster state. No action is required from software engineers for implementation; PE, ITOps, and InfoSec will work together to ensure the proper GKE configuration, routing, firewall, and DNS requirements are met before project enablement is communicated and scheduled.
- For Compute Engine, Virtual Machine Threat Detection in SCC enables a hypervisor agent to scan VM instances for potentially malicious applications. No action is required by software engineers for implementation. PE, ITOps, and Infosec are determining the roles and responsibilities for enablement and auditing.
- Event Threat Detection detects threats from event logging by scanning Cloud Logging.
- Crowdstrike is required software on corporate-owned workstations; no action is required from end users.
Decision drivers
- NIST compliance
- Breadth of coverage
- Scalability
- Ease of deployment
- GCP-native for GCP workloads
Decision outcome
Google Security Command Center for GCP
Event threat detection utilizes Cloud Logging for the following protections:
Container runtime threat detection (GKE) SI-7(17)
- Can be enabled per project or inherited from organization
- Does not require an agent or sidecar for pods
Virtual machine threat detection (Compute Engine) SI-7(17)
- Can be enabled per project or inherited from organization
- Does not require an agent on the VM; the detection runs at the hypervisor level.
Good, no agent installation required.
Good, works with Cloud Asset Inventory CM-8 to ensure complete coverage in the organization
Good, new projects can automatically inherit organization settings
Good, data is easy to export to support audits RA-5(8) in the following formats:
- CSV downloads
- PubSub topic publishing
- BigQuery
Good, also provides dynamic Application Security Testing (DAST) Protection with
Good, also provides misconfiguration detection for GCP services with Security Health Analytics
Good, has native integrations with many GCP products, e.g. Sensitive Data Protection, Cloud Armor, Cloud IDS, Anomaly Detection
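As an added example (not part of this ADR and not DroneUp's or Google's code), the following Python script sketches the detection, exception and notification workflow that the Consequences section leaves in planning: it parses SCC findings in the JSON shape that Pub/Sub notifications carry (`notificationConfigName`, `finding`, `resource`), drops inactive findings, suppresses findings matched by an exception list, routes the rest by finding class and severity, and writes the result as an audit CSV in the spirit of RA-5(8). The finding categories, resource names, project ids and the exception list are constructed sample values, and the routing rules are hypothetical placeholders for whatever the workflow design settles on.

```python
"""Triage Security Command Center findings delivered through Pub/Sub.

Added example for the ADR, not production code. Assumes the documented
notification payload shape; all sample data below is constructed.
"""
import csv
import io
import json


def _sample_message(finding_id, category, finding_class, severity, resource, state="ACTIVE"):
    """Build one constructed Pub/Sub payload in the shape SCC notifications use."""
    return json.dumps({
        "notificationConfigName": "organizations/000000000000/notificationConfigs/example",
        "finding": {
            "name": f"organizations/000000000000/sources/1111/findings/{finding_id}",
            "category": category,
            "findingClass": finding_class,
            "severity": severity,
            "state": state,
            "eventTime": "2024-05-01T12:00:00Z",
            "resourceName": resource,
        },
    })


# Constructed resource names (placeholder projects, not real ones).
GKE_PROD = "//container.googleapis.com/projects/example-prod/zones/us-central1-a/clusters/api/k8s/namespaces/default/pods/web-0"
GKE_SANDBOX = "//container.googleapis.com/projects/example-sandbox/zones/us-central1-a/clusters/dev/k8s/namespaces/default/pods/scratch-0"
VM_PROD = "//compute.googleapis.com/projects/example-prod/zones/us-central1-a/instances/worker-1"
BUCKET = "//storage.googleapis.com/example-prod-assets"

# Constructed sample messages: container threat, sandbox noise, VM threat,
# a misconfiguration from Security Health Analytics, and a resolved finding.
SAMPLE_MESSAGES = [
    _sample_message("f1", "Added Binary Executed", "THREAT", "HIGH", GKE_PROD),
    _sample_message("f2", "Added Binary Executed", "THREAT", "HIGH", GKE_SANDBOX),
    _sample_message("f3", "Malware: Cryptomining YARA Rule", "THREAT", "CRITICAL", VM_PROD),
    _sample_message("f4", "PUBLIC_BUCKET_ACL", "MISCONFIGURATION", "MEDIUM", BUCKET),
    _sample_message("f5", "Added Binary Executed", "THREAT", "HIGH", GKE_PROD, state="INACTIVE"),
]

# Hypothetical exception list: category plus resource prefix pairs that are
# known, accepted noise (here: ad-hoc binaries in a sandbox project).
EXCEPTIONS = [
    {"category": "Added Binary Executed",
     "resource_prefix": "//container.googleapis.com/projects/example-sandbox/"},
]

FIELDS = ["finding", "category", "findingClass", "severity", "resource", "route"]


def parse_notification(data):
    """Decode one Pub/Sub message body and return its finding, validating required fields."""
    finding = json.loads(data)["finding"]
    for key in ("name", "category", "findingClass", "severity", "state", "resourceName"):
        if key not in finding:
            raise ValueError(f"finding missing required field {key!r}")
    return finding


def is_excepted(finding, exceptions):
    """True when the finding matches an entry of the exception list."""
    return any(finding["category"] == e["category"]
               and finding["resourceName"].startswith(e["resource_prefix"])
               for e in exceptions)


def route_finding(finding, exceptions):
    """Hypothetical routing policy: where a finding should be sent."""
    if finding["state"] != "ACTIVE":
        return "skip"                      # resolved findings need no notification
    if is_excepted(finding, exceptions):
        return "suppressed"                # still recorded for the audit trail
    cls, sev = finding["findingClass"], finding["severity"]
    if cls == "THREAT":
        return "incident" if sev in ("CRITICAL", "HIGH") else "security-review"
    if cls in ("MISCONFIGURATION", "VULNERABILITY"):
        return "owner-ticket"
    return "log"


def triage(messages, exceptions=EXCEPTIONS):
    """Return one audit row per active finding, with its assigned route."""
    rows = []
    for data in messages:
        finding = parse_notification(data)
        route = route_finding(finding, exceptions)
        if route == "skip":
            continue
        rows.append({
            "finding": finding["name"],
            "category": finding["category"],
            "findingClass": finding["findingClass"],
            "severity": finding["severity"],
            "resource": finding["resourceName"],
            "route": route,
        })
    return rows


def to_audit_csv(rows):
    """Serialise triage rows as CSV text for an auditor hand-off."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_audit_csv(triage(SAMPLE_MESSAGES)))
```

Suppressed findings are deliberately kept in the audit output rather than dropped, so an auditor can see which exceptions were exercised; only findings SCC has already marked inactive are omitted.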
Crowdstrike for user workstations
Crowdstrike was previously decided as the user workstation endpoint detection solution.
It was compared with Cybereason in 2023 and determined to be the most cost-effective solution covering the most NIST controls.
The following modules are included in the DroneUp package:
Good, Spotlight provides vulnerability management RA-5
Good, Overwatch provides threat hunting RA-10
Good, Prevent provides next-generation anti-virus SI-3
Good, Discover provides asset management CM-8
Good, Fusion provides workflows for automated alerts and remediations CA-7(6)
Good, Intelligence integrates threat intelligence into all modules SI-3
Good, Additional capabilities are available for future growth if needed:
- Identity Protection for protection against identity based attacks
- Device Control for USB protection
- Firewall Management for host based firewall management
- Insight XDR for more comprehensive visibility across technologies
Consequences
Google Security Command Center for GCP
The following items are in progress or needed:
- Service enablement will be planned out and communicated
- Workflows for detections, exceptions, and notifications are in planning
- Roles and responsibilities for notifications and remediations in planning
- Work to enable additional logging for more security coverage in planning
Crowdstrike for user workstations
The following items are in progress or needed:
- Workflows for detections in continuous improvement phase
- Prevention policies in continuous improvement phase
- Establishing plan to guide incident response for detections and alerts
- Reports need to be created for applications and vulnerabilities
Considered options
Crowdstrike for GCP
Good, Provides single pane of glass for endpoint detection
Good, Provides same protections as for workstations
Good, Can automatically discover GCP workload footprints CM-8
Good, provides runtime protection SI-7(17)
Good, multi-cloud offering
Bad, large effort estimated relative to value
- requires agent installation for virtual machines which in turn needs CI/CD initiative
- requires installation for GKE that needs CI/CD initiative
Cybereason for user workstations
Good, provides services for the following NIST controls:
Good, Managed Detection Response (MDR) included
Bad, does not provide services for the following NIST controls, so a separate product would have to be found:
Bad, effort required to build, test, and deploy new agent package
Bad, does not provide Cloud or IOT offerings
Out of scope
The following security items do not apply to endpoint detection:
- Software Composition Analysis (OS and dependencies)
- Static application security testing (SAST)
- Network intrusion detection
Links
[Confluence - Google Security Command Center](confluence-title://IS/Google Security Command Center (SCC))