Data incident response process  |  Documentation  |  Google Cloud (2022)

Introduction

Maintaining a safe and secure environment for customer data is Google Cloud’s highest priority. To protect customer data, Google runs an industry-leading information security operation that combines stringent processes, a world-class team, and multi-layered information security and privacy infrastructure. This paper focuses on Google’s principled approach to managing and responding to data incidents for Google Cloud.

Incident response is a key aspect of Google’s overall security and privacy program. We have a rigorous process for managing data incidents. This process specifies actions, escalations, mitigation, resolution, and notification of any potential incidents impacting the confidentiality, integrity, or availability of customer data.

At Google, a data incident is defined as a breach of Google’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, customer data on systems managed by or otherwise controlled by Google. While Google takes steps to address foreseeable threats to data and systems, data incidents do not include unsuccessful attempts or activities that do not compromise the security of customer data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

How Google helps secure customer data

The security of customer data is of the utmost importance, but security is the outcome of the collaboration between Google and the customer. While Google secures the underlying cloud infrastructure and services, the customer secures their applications, devices, and systems when building on top of Google’s Cloud infrastructure. Google provides customers with guidance and multiple security features to enable Google-grade security practices:

  • Identity and access management

  • Data encryption at rest and in transit by default, i.e., without any additional effort from customers

  • Multi-factor authentication, including phishing-resistant hardware second-factor keys

  • A range of network security options including virtual private cloud (VPC) and shared VPC, built-in DDoS protection for software-as-a-service (SaaS) and platform-as-a-service (PaaS) solutions, and the option to use these for infrastructure-as-a-service (IaaS) solutions as well

  • Detailed audit logging

To learn more about how Google secures the cloud, see Google’s Infrastructure Security Design Overview paper and the associated NEXT '18 security presentation or visit Google Cloud Security Site.

Google provides customers with visibility across the services they use on Google Cloud; customers can use the security center for Google Workspace to prevent, detect, and remediate issues with Gmail, Drive, Devices, OAuth, and User Accounts. Similarly for GCP, customers can use Cloud Security Command Center to gain visibility into their assets, vulnerabilities, risks, and policy across their organization.

On their end, customers must properly configure security features to meet their own needs, install software updates, set up networking security zones and firewalls, and ensure that end users secure their account credentials and are not exposing sensitive data to unauthorized parties.

Figure 1 provides an illustrative example of how the responsibility shifts between the customer and Google based on the extent of managed services leveraged by the customer. As the customer moves from on-premises solutions to IaaS, PaaS, and SaaS cloud computing offerings, Google manages more of the overall cloud service, and the customer has fewer security responsibilities.

For more information on cloud security configurations, customers should reference the applicable product documentation.

Data incident response

Google's incident response program is managed by teams of expert incident responders across many specialized functions to ensure each response is well-tailored to the challenges presented by each incident. Depending on the nature of the incident, the professional response team may include:

  • Cloud incident management
  • Product engineering
  • Site reliability engineering
  • Cloud security and privacy
  • Digital forensics
  • Global investigations
  • Signals detection
  • Security, privacy, and product counsel
  • Trust and safety
  • Counter abuse technology
  • Customer support

Subject matter experts from these teams are engaged in a variety of ways. For example, incident commanders coordinate incident response and, when needed, the digital forensics team detects ongoing attacks and performs forensic investigations. Product engineers work to limit the impact on customers and provide solutions to fix the affected product(s). The legal team works with members of the appropriate security and privacy team to implement Google’s strategy on evidence collection, engage with law enforcement and government regulators, and advise on legal issues and requirements. Support personnel respond to customer inquiries and requests for additional information and assistance.

Team organization

When we declare an incident, we designate an incident commander who coordinates incident response and resolution. The incident commander selects specialists from different teams and forms a response team. A typical response organization appears in Figure 2 below. The incident commander delegates the responsibility for managing different aspects of the incident to these professionals and manages the incident from the moment of declaration to closure. Figure 2 depicts the organization of various roles and their responsibilities during incident response.

Data incident response process

Every data incident is unique, and the goal of the data incident response process is to protect customers’ data, restore normal service as quickly as possible, and meet both regulatory and contractual compliance requirements. Google’s incident response program has the following process:

Identification

Early and accurate identification of incidents is key to strong and effective incident management. The focus of this phase is to monitor security events to detect and report on potential data incidents.

Google’s incident detection team employs advanced detection tools, signals, and alert mechanisms that provide early indication of potential incidents.

Google’s sources of incident detection include:

  • Automated network and system logs analysis — Automated analysis of network traffic and system access helps identify suspicious, abusive, or unauthorized activity and escalates to Google’s security staff

  • Testing — Google’s security team actively scans for security threats using penetration tests, quality assurance (QA) measures, intrusion detection, and software security reviews

  • Internal code reviews — Source code review discovers hidden vulnerabilities and design flaws, and verifies whether key security controls are implemented

  • Product-specific tooling and processes — Automated tooling specific to the team function is employed wherever possible to enhance Google’s ability to detect incidents at the product level

  • Usage anomaly detection — Google employs many layers of machine learning systems to differentiate between safe and anomalous user activity across browsers, devices, application logins, and other usage events

  • Data center and/or workplace services security alerts — Security alerts in data centers scan for incidents that might affect the company’s infrastructure

  • Google employees — A Google employee detects an anomaly and reports it

  • Google’s vulnerability reward program — Potential technical vulnerabilities in Google-owned browser extensions, mobile, and web applications that affect the confidentiality or integrity of user data are sometimes reported by external security researchers

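The exclusion rules in the definition of a data incident given in the Introduction (only events that compromise customer data count; failed logins, pings, port scans and denial of service do not), applied to a handful of parsed events before anything reaches an on-call responder. This is an added example, not Google's detection tooling; the JSON event format and its field names are constructed for illustration.

```python
"""
Event triage against the definition of a data incident used in the process
above: an event is escalated only when it compromises the confidentiality,
integrity or availability of customer data on Google-controlled systems.
Unsuccessful attempts (failed logins, pings, port scans, denial of service)
are recorded but not escalated as data incidents. Added example, not Google's
tooling; the JSON log format and its field names are constructed.
"""
import json
from dataclasses import dataclass

# Effects on customer data that the definition names as a data incident.
INCIDENT_EFFECTS = {"destruction", "loss", "alteration",
                    "unauthorized_disclosure", "unauthorized_access"}

# Activities the definition excludes when they do not compromise customer data.
EXCLUDED_ACTIVITIES = {"failed_login", "ping", "port_scan",
                       "denial_of_service", "network_attack"}


@dataclass
class TriageDecision:
    event_id: str
    escalate: bool
    reason: str


def classify_event(event: dict) -> TriageDecision:
    """Apply the definition to one parsed event, in this order:
    1. customer data on Google-controlled systems must be in scope;
    2. the activity must have succeeded (unsuccessful attempts are excluded);
    3. the effect must be one the definition names (destruction, loss, ...).
    Anything else, including the explicitly excluded activities, is not a
    data incident even though it may still be tracked as a security event."""
    eid = event.get("id", "?")
    activity = event.get("activity", "unknown")
    if not event.get("customer_data", False):
        return TriageDecision(eid, False, "no customer data in scope")
    if event.get("outcome") != "success":
        return TriageDecision(eid, False, f"{activity} attempt did not succeed")
    effect = event.get("effect", "none")
    if effect in INCIDENT_EFFECTS:
        return TriageDecision(eid, True, f"customer data {effect}")
    if activity in EXCLUDED_ACTIVITIES:
        return TriageDecision(eid, False, f"{activity} without data compromise")
    return TriageDecision(eid, False, "no effect on customer data")


def triage_log(lines: list[str]) -> list[TriageDecision]:
    """Parse one JSON event per line and classify each; a malformed line is
    skipped rather than guessed at, so it can never be silently escalated."""
    decisions = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        decisions.append(classify_event(event))
    return decisions


def escalated_ids(lines: list[str]) -> list[str]:
    """IDs of the events an on-call responder should review as potential data incidents."""
    return [d.event_id for d in triage_log(lines) if d.escalate]


# Constructed sample events, one JSON object per line (not real logs).
SAMPLE_LOG = [
    '{"id": "e1", "activity": "failed_login", "outcome": "failure", "customer_data": true, "effect": "none"}',
    '{"id": "e2", "activity": "port_scan", "outcome": "success", "customer_data": false, "effect": "none"}',
    '{"id": "e3", "activity": "denial_of_service", "outcome": "success", "customer_data": true, "effect": "none"}',
    '{"id": "e4", "activity": "bucket_read", "outcome": "success", "customer_data": true, "effect": "unauthorized_access"}',
    '{"id": "e5", "activity": "object_delete", "outcome": "success", "customer_data": true, "effect": "destruction"}',
    'this line is not JSON',
]

if __name__ == "__main__":
    for d in triage_log(SAMPLE_LOG):
        print(f"{d.event_id}: {'ESCALATE' if d.escalate else 'record only'} ({d.reason})")
```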
Coordination

When an incident is reported, the on-call responder reviews and evaluates the nature of the incident report to determine if it represents a potential data incident and initiates Google’s Incident Response Process.

Once confirmed, the incident is handed over to an incident commander who assesses the nature of the incident and implements a coordinated approach to the response. At this stage, the response includes completing the triage assessment of the incident, adjusting its severity if required, and activating the required incident response team with appropriate operational/technical leads who review the facts and identify key areas that require investigation. We designate a product lead and a legal lead to make key decisions on how to respond. The incident commander assigns the responsibility for investigation and the facts are assembled.

Many aspects of Google's response depend on the assessment of severity, which is based on key facts that are gathered and analyzed by the incident response team. These may include:

  • Potential for harm to customers, third parties, and Google

  • Nature of the incident (e.g., whether data was potentially destroyed, accessed, or unavailable)

  • Type of data that may be affected

  • Impact of the incident on customers’ use of the service

  • Status of the incident (e.g., whether the incident is isolated, continuing, or contained)

The incident commander and other leads periodically re-evaluate these factors throughout the response effort as new information emerges to ensure that Google’s response is assigned the appropriate resources and urgency. Events that present the most critical impact are assigned the highest severity. A communications lead is appointed to develop a communications plan with other leads.
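A severity assessment built on the five factors listed above, with the periodic re-evaluation the text describes, as an added example (not Google's tooling). The factor scales, weights and thresholds, and the rule that a downgrade is only accepted once the incident is reported contained, are assumptions made for this illustration.

```python
"""
Severity assessment and re-evaluation for a data incident, modelled on the five
factors the Coordination phase lists: potential for harm, nature of the incident,
type of data, impact on customers' use of the service, and status. Added example,
not Google's tooling; scales, weights, thresholds and the containment rule are
constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Ordinal scales per factor (assumed; the page names the factors, not the scales).
HARM = {"none": 0, "limited": 1, "significant": 2, "severe": 3}
NATURE = {"none": 0, "unavailable": 1, "accessed": 2, "altered": 3, "destroyed": 3}
DATA_TYPE = {"public": 0, "internal": 1, "customer_content": 2, "regulated": 3}
CUSTOMER_IMPACT = {"none": 0, "degraded": 1, "outage": 2}
STATUS = {"contained": 0, "isolated": 1, "continuing": 2}


@dataclass(frozen=True)
class Facts:
    harm: str             # potential for harm to customers, third parties and Google
    nature: str           # destroyed / accessed / unavailable / altered
    data_type: str        # type of data that may be affected
    customer_impact: str  # impact on customers' use of the service
    status: str           # isolated / continuing / contained

    def score(self) -> int:
        """Weighted sum: harm and data type weigh most, an ongoing status adds urgency."""
        return (2 * HARM[self.harm] + NATURE[self.nature] + 2 * DATA_TYPE[self.data_type]
                + CUSTOMER_IMPACT[self.customer_impact] + 2 * STATUS[self.status])


def assess(facts: Facts) -> Severity:
    """Map the score (0..21) to a severity, then apply floors for the cases that
    matter most: a continuing incident touching customer content or regulated
    data is never below HIGH; altered or destroyed regulated data is CRITICAL."""
    s = facts.score()
    if s <= 4:
        sev = Severity.LOW
    elif s <= 9:
        sev = Severity.MEDIUM
    elif s <= 14:
        sev = Severity.HIGH
    else:
        sev = Severity.CRITICAL
    if facts.status == "continuing" and DATA_TYPE[facts.data_type] >= 2:
        sev = max(sev, Severity.HIGH)
    if facts.data_type == "regulated" and facts.nature in ("altered", "destroyed"):
        sev = Severity.CRITICAL
    return sev


class SeverityLedger:
    """Tracks severity as the facts evolve. Severity may rise at any point, but a
    downgrade is only accepted once the incident is reported contained, so a
    temporarily quiet attacker cannot lower the urgency of the response."""

    def __init__(self, initial: Facts):
        self.history = [(initial, assess(initial))]

    @property
    def current(self) -> Severity:
        return self.history[-1][1]

    def update(self, facts: Facts) -> Severity:
        proposed = assess(facts)
        if proposed < self.current and facts.status != "contained":
            proposed = self.current  # hold until containment is confirmed
        self.history.append((facts, proposed))
        return proposed


if __name__ == "__main__":
    ledger = SeverityLedger(Facts("limited", "accessed", "internal", "none", "isolated"))
    ledger.update(Facts("significant", "accessed", "customer_content", "none", "continuing"))
    ledger.update(Facts("none", "accessed", "customer_content", "none", "contained"))
    for facts, sev in ledger.history:
        print(f"{sev.name:8} <- {facts}")
```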

Resolution

At this stage, the focus is on investigating the root cause, limiting the impact of the incident, resolving immediate security risks (if any), implementing necessary fixes as part of remediation, and recovering affected systems, data, and services.

Affected data will be restored to its original state wherever possible. Depending on what is reasonable and necessary in a particular incident, Google may take a number of different steps to resolve an incident. For instance, there may be a need for technical or forensic investigation to reconstruct the root cause of an issue or to identify any impact on customer data. Google may attempt to recover copies of the data from Google's backup copies if data is improperly altered or destroyed.

A key aspect of remediation is notifying customers when incidents impact their data. Key facts are evaluated throughout the incident to determine whether the incident affected customers’ data. If notifying customers is appropriate, the incident commander initiates the notification process. The communications lead develops a communication plan with input from the product and legal leads, informs those affected, and supports customer requests after notification with the help of our support team.

Google strives to provide prompt, clear, and accurate notifications containing the known details of the data incident, steps Google has taken to mitigate the potential risks, and actions Google recommends customers take to address the incident. We do our best to provide a clear picture of the incident so that customers can assess and fulfill their own notification obligations.

Closure

Following the successful remediation and resolution of a data incident, the incident response team evaluates the lessons learned from the incident. When the incident raises critical issues, the incident commander may initiate a post-mortem analysis. During this process, the incident response team reviews the cause(s) of the incident and Google’s response and identifies key areas for improvement. In some cases, this may require discussions with different product, engineering, and operations teams and product enhancement work. If follow-up work is required, the incident response team develops an action plan to complete that work and assigns project managers to spearhead the long-term effort. The incident is closed after the remediation efforts conclude.

Continuous improvement

At Google, we strive to learn from every incident and implement preventative measures to avoid future incidents.

The actionable insights from incident analysis enable us to enhance our tools, trainings and processes, Google’s overall security and privacy data protection program, security policies, and/or response efforts. The key learnings also facilitate prioritization of engineering efforts and building of better products.

Google’s security and privacy professionals enhance the security program by reviewing the company’s security plans for all networks, systems, and services and provide project-specific consulting services to product and engineering teams. They deploy machine learning, data analysis, and other novel techniques to monitor for suspicious activity on Google’s networks, address information security threats, perform routine security evaluations and audits, and engage outside experts to conduct regular security assessments. Additionally, our full-time team, known as Project Zero, aims to prevent targeted attacks by reporting bugs to software vendors and filing them in an external database.

Google conducts regular trainings and awareness campaigns to drive innovation in security and data privacy. The dedicated incident response staff are trained in forensics and in handling evidence, including the use of third-party and proprietary tools. Testing of incident response processes and procedures is performed for key areas, such as systems that store sensitive customer information. These tests take into consideration a variety of scenarios, including insider threats and software vulnerabilities, and help us better prepare for security and privacy incidents.

Google’s processes are tested on a regular basis as part of our ISO-27017, ISO-27018, ISO-27001, PCI-DSS, SOC 2 and FedRAMP programs to provide our customers and regulators with independent verification of our security, privacy, and compliance controls. A more comprehensive list of Google Cloud’s third-party certifications is available here.

Summary

As detailed above, Google operates a world-class incident response program that delivers these key functions:

  • A process built upon industry-leading techniques for resolving incidents and refined to operate efficiently at Google’s scale

  • Pioneering monitoring systems, data analytics, and machine learning services to proactively detect and contain incidents

  • Dedicated subject matter experts who can be deployed to respond to any type or size of data incident

  • A mature process for promptly notifying affected customers, in line with Google’s commitments in our terms of service and customer agreements

Protecting data is core to Google’s business. We continually invest in our overall security program, resources, and expertise, which enables our customers to rely on us to respond effectively in the event of an incident, protect their data, and maintain the high reliability customers expect of a Google service.
