Google Cloud + CrowdStrike: Transforming Security With Cloud-scale Multi-level Defense

Organizations adopting cloud-native applications face an increasingly diverse and sophisticated threat landscape, in addition to proliferating devices and expanding remote workforces. Meeting these challenges requires deeper integration between cloud services and security solutions, with an equally shared responsibility for securing the cloud estate. In response, DevSecOps teams, which combine IT operations and security functions into one, are on the rise in enterprises that are instrumenting cloud-native security controls and integrating them with existing IT infrastructure.

CrowdStrike is proud to announce several service integrations with Google Cloud that deepen our partnership and deliver defense-in-depth security strategies. Joint customers can now achieve workload protection and visibility at scale and meet compliance requirements across hybrid environments.

The CrowdStrike Falcon® platform will be integrated with Chronicle, Google Cloud’s security analytics platform; Google Cloud’s Security Agent Deployment with Operating System Configuration Management for automating CrowdStrike Falcon® agent deployment; VirusTotal for enriched threat intelligence; and Cloud Security Command Center (SCC) for threat detection aggregation. CrowdStrike will also integrate its Zero Trust Assessment tools with Google Cloud’s BeyondCorp Enterprise and Google Workspace to allow granular access policy creation and enforcement for Zero Trust initiatives. These integrations between the two cloud-scale platforms leverage powerful APIs and share enriched telemetry to help deliver powerful security benefits.

The Powerful Benefits of Google Cloud + CrowdStrike

  • Comprehensive visibility and control: Comprehensive visibility into GCP workload events and compute instance metadata, combined with aggregated data findings, enables detection, response, proactive threat hunting and investigation to ensure that nothing goes unseen in your cloud environments.
  • Accelerated threat investigation and remediation: By correlating security findings from the Falcon platform’s endpoint and workload telemetry with Chronicle and Google Cloud’s SCC, security teams can prioritize violations and investigate alerts, anomalies and threats with improved contextual insights to proactively stop cyber attacks.
  • Proactive defense with enriched threat intelligence: VirusTotal provides access to enriched security data from over 70 security vendors, increasing investigation accuracy and reducing alert fatigue by profiling adversaries and focusing on TTP-based threat hunting — all leading to an improved security posture.

Integrating Chronicle with CrowdStrike

The Chronicle platform allows security teams to cost-effectively store and analyze all of their security data in one place to investigate and detect threats at Google’s speed and scale. Security teams can hunt for threats across live and historical endpoint and workload security telemetry at unprecedented speed, with shared indicators of compromise (IOCs) across Chronicle and the Falcon platform, providing proactive security. They can search across petabytes of data and correlate enriched datasets from the Falcon platform, enabling them to thoroughly investigate sustained, long-term attacks and respond proactively to stop cyberthreats.

The Falcon Event Streams API integration sends detection events to Chronicle via the Partner Ingest API. This integration runs inside the Falcon Integration Gateway, an application that sends detections to various cloud SIEMs and security platforms. These detections can be viewed, queried and analyzed within the Chronicle console. A second data integration between the two platforms uses Falcon Data Replicator (FDR), through which the Falcon platform sends process, user, network and audit telemetry data to Chronicle for advanced analytics. These two integrations in tandem allow analysts to pivot from a detection to its related telemetry.

Figure: Asset View

Figure: Event Search

Integrating VirusTotal with CrowdStrike

VirusTotal is a rich, interlinked and near-real-time crowdsourced malware corpus that is a part of the Google Cloud Security family.

VirusTotal will integrate with the Falcon platform, via the CrowdStrike Store, to provide critical context around any suspicious activity to help accelerate threat detection and response. The data provided includes antivirus detection ratio, threat label and category, submission uniqueness, number of submitters, crowdsourced YARA matches and other valuable details.

Customers can get this actionable data and quickly pivot to find related files and URLs for the set of activities under investigation, uncovering previously unknown threats, speeding incident response workflows and boosting accuracy. Integrating VirusTotal with the Falcon platform allows security teams to track adversaries and implement proactive defenses to eliminate blind spots in your organization so you can get more from your existing investments.

Integrating Cloud Security Command Center with CrowdStrike

Google Cloud’s SCC will aggregate alerts and events from the Falcon platform and other partner data sources to provide contextual insights, allowing for a comprehensive view of security and compliance across the customer’s Google Cloud environment via a single unified management dashboard.

Detection findings generated by the Falcon platform inform Cloud Security Command Center administrators about suspicious files and behaviors in their Google Cloud environment. Cloud administrators will be able to see detections on a range of activities, from the presence of a bad file (an IOC) to a nuanced collection of suspicious behaviors (indicators of attack, or IOAs) occurring on one of the hosts or containers. They can now take action within the family of Google Cloud services to correct policy violations and address security threats.

CrowdStrike Cloud Security Offerings

Built in the cloud for the cloud, the Falcon platform eliminates friction and boosts cloud security efficiency, with zero impact on productivity. In addition to deep integrations, we offer visibility into cloud workload events and instance metadata to provide detection, response and proactive threat hunting and investigation via our market-leading Falcon Cloud Workload Protection solution.

To support DevOps, organizations can identify and correct any mistakes as quickly as possible using CrowdStrike Falcon® Horizon cloud security posture management (CSPM), which provides visibility across multiple environments and reduces alert fatigue for security operations centers.

To learn more about our Google Cloud product offerings and integrations, visit our webpage.
