How-To Guide: Tenable for Google Cloud Platform

Introduction

This document describes how to deploy Tenable SecurityCenter Continuous View (SecurityCenter CV) for integration with Google Cloud Platform. Please email any comments and suggestions to support@tenable.com.

Organizations have been faced with the challenges of maintaining the security of traditional, on-premises datacenters for years. As many organizations begin to transition key infrastructure to cloud services, such as Google Cloud Platform, the challenges for IT departments continually increase. Knowing what systems and applications are running in your environment, and who and what devices are trying to gain access, only becomes more complex in a hybrid environment. Moving infrastructure and workload to Google Cloud Platform enables business agility, lowers costs and increases innovation, but it also introduces a new layer of security complexity.

To reduce the attack surface and prevent compromise in a hybrid environment, organizations must be able to confidently answer these key questions:

- Are logs being collected for all of my assets, including those from cloud environments like Google Cloud Platform?
- Have there been any brute force login attempts or unauthorized web application scans?
- How many virtual machines are running in the cloud environment, and when are new hosts created?

So, how do organizations ensure complete visibility into their entire IT infrastructure to be able to answer those questions? Tenable secures both on-premises environments and Google Cloud Platform through the use of SecurityCenter Continuous View. SecurityCenter CV integrates with Google Cloud Platform to enable organizations to continuously monitor their cloud environment and help eliminate blind spots. As a result, organizations can employ a single technology for monitoring hybrid environments, thereby eliminating the need to purchase, deploy and manage multiple tools.

The Log Correlation Engine (LCE), a component of SecurityCenter CV, integrates with the Google Cloud Platform Pub/Sub (Publish/Subscribe) service to provide the following benefits:

- A complete view of on-premises and Google Cloud Platform environments in one interface (SecurityCenter CV) saves the time and money spent purchasing, deploying and maintaining multiple solutions.
- Discover malicious or unauthorized activity through SecurityCenter CV alerts, resulting in a quicker time to resolution and better assurance of your security posture.
- Achieve compliance goals more easily through new host discovery, which uncovers when new systems are provisioned.
Integration Configuration

Google Cloud Platform Configuration

In order to access Google Cloud Platform, customers are required to create and activate an account at https://cloud.google.com. Once the Google Cloud Platform account is active, users can log into https://console.cloud.google.com to begin integration configuration. To enable Google Pub/Sub logging, begin by clicking on the hamburger button (three horizontal lines) in the top-left hand corner. Select Permissions from the drop-down menu.

Navigate to Service accounts and select Create service account. In the Create service account window, enter a name for the service account and enable the Furnish a new private key option. The JSON key type is the required setting and is enabled by default. Click Create to complete the service account setup. The service account's public/private key pair will be stored locally on the system used to create the account. It is the only copy of the key and will need to be stored securely.

Once the service account is set up, click the hamburger button in the top-left corner and select API Manager. Navigate to Credentials in the left-hand menu, click Create credentials, and select the Service account key option in the drop-down menu.

Click the Service account drop-down and select the previously created service account. JSON is the required Key type and is enabled by default. Click Create to complete the credentials setup. The JSON key will be automatically downloaded and will be used during the LCE Web Query Client policy configuration. Click the hamburger button in the top-left corner and navigate to Pub/Sub.

Click Create topic and enter a descriptive name for the topic. Click Create. Once created, the new topic will appear in the Topic list. Hover the mouse over the newly created topic and a + New subscription option will appear to the right of the topic. Click the + New subscription button. Enter a descriptive name for the subscription and ensure that the Delivery Type is set to Pull. This will allow the LCE Web Query Client to pull the logs from the Pub/Sub subscription. Click Create to create the new subscription.

Tenable recommends making note of the Subscription URI, as it will be needed for the LCE Web Query Client configuration. Click the hamburger button in the top-left corner and navigate to Logging. Select Exports from the left-hand menu. From the Select service drop-down, select the service(s) you wish to be able to log with the LCE Client. If all services are to be logged, check the All sources checkbox. Once the service(s) are selected, click the + Add item button. Next, click the drop-down under Publish to Pub/Sub topic and select the previously created topic. Click Save to complete the configuration within Google Cloud Platform.
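The console steps above can also be scripted. The following is an added example (it is not part of the Tenable guide and not Tenable's code) that performs the same Google Cloud Platform setup with the gcloud CLI: a service account with a JSON key, a topic, a pull subscription, a logging export sink that publishes to the topic, and the IAM bindings the console grants for you. The project, service account, topic, subscription and sink names are assumed placeholders; the roles bound are the narrow ones (publisher on the topic for the sink's writer identity, subscriber on the one subscription for the client's service account) rather than a project-wide role. Setting GCLOUD=echo previews the commands without touching a project.

```shell
#!/bin/sh
# Added example, not from the Tenable guide: gcloud equivalents of the console
# steps (service account + JSON key, topic, pull subscription, logging export
# sink). All names are assumed placeholders. Set GCLOUD=echo to preview only.
GCLOUD="${GCLOUD:-gcloud}"

# The Subscription URI that the LCE Web Query Client endpoint asks for.
subscription_uri() {
    printf 'projects/%s/subscriptions/%s\n' "$1" "$2"
}

# A topic expressed as a logging sink destination.
sink_destination() {
    printf 'pubsub.googleapis.com/projects/%s/topics/%s\n' "$1" "$2"
}

# Service account for the LCE Web Query Client plus its JSON key. The file
# written here is the only copy of the private key, so it is restricted to
# its owner before being copied to the LCE Web Query Client host.
create_service_account() {
    project=$1; sa=$2; keyfile=$3
    $GCLOUD iam service-accounts create "$sa" --project="$project" \
        --display-name="LCE Web Query Client"
    $GCLOUD iam service-accounts keys create "$keyfile" --project="$project" \
        --iam-account="$sa@$project.iam.gserviceaccount.com"
    chmod 600 "$keyfile"
}

# Topic plus subscription. A subscription created without --push-endpoint is
# a pull subscription, which is the Delivery Type the guide requires.
create_pubsub() {
    project=$1; topic=$2; sub=$3
    $GCLOUD pubsub topics create "$topic" --project="$project"
    $GCLOUD pubsub subscriptions create "$sub" --project="$project" --topic="$topic"
}

# Logging export (sink) to the topic. An empty filter exports all sources.
# The sink publishes as its own writer identity, which must be allowed to
# publish to the topic, otherwise nothing ever reaches the subscription.
create_log_sink() {
    project=$1; sink=$2; topic=$3; filter=${4:-}
    dest=$(sink_destination "$project" "$topic")
    if [ -n "$filter" ]; then
        $GCLOUD logging sinks create "$sink" "$dest" --project="$project" --log-filter="$filter"
    else
        $GCLOUD logging sinks create "$sink" "$dest" --project="$project"
    fi
    writer=$($GCLOUD logging sinks describe "$sink" --project="$project" \
        --format='value(writerIdentity)')
    $GCLOUD pubsub topics add-iam-policy-binding "$topic" --project="$project" \
        --member="$writer" --role=roles/pubsub.publisher
}

# Least privilege for the client: subscriber on this one subscription only.
grant_subscriber() {
    project=$1; sub=$2; sa=$3
    $GCLOUD pubsub subscriptions add-iam-policy-binding "$sub" --project="$project" \
        --member="serviceAccount:$sa@$project.iam.gserviceaccount.com" \
        --role=roles/pubsub.subscriber
}

# Pull one message (without acknowledging it, so LCE still receives it) to
# confirm the export is flowing before the LCE policy is configured.
verify_subscription() {
    $GCLOUD pubsub subscriptions pull "$2" --project="$1" --limit=1
}

# Runs only when GCP_PROJECT is set, e.g. GCP_PROJECT=my-project sh this.sh
if [ -n "${GCP_PROJECT:-}" ]; then
    create_service_account "$GCP_PROJECT" lce-client ./lce-client-key.json
    create_pubsub "$GCP_PROJECT" lce-topic lce-sub
    create_log_sink "$GCP_PROJECT" lce-sink lce-topic ""
    grant_subscriber "$GCP_PROJECT" lce-sub lce-client
    echo "Subscription URI for the LCE policy: $(subscription_uri "$GCP_PROJECT" lce-sub)"
    verify_subscription "$GCP_PROJECT" lce-sub
fi
```

The key file produced by create_service_account and the Subscription URI printed at the end are the two values the LCE Web Query Client policy needs later in this guide. To export only some services instead of All sources, pass a Cloud Logging filter as the fourth argument of create_log_sink (for example resource.type="gce_instance" for Compute Engine logs).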
Tenable Log Correlation Engine Configuration

The Tenable Log Correlation Engine (LCE) version 4.8+ and LCE Web Query Client version 4.6+ are both required for integration with Google Cloud Platform. The software downloads and installation instructions for both are available on the Tenable Support Portal. Once the LCE and LCE Web Query Client have been installed and initial configurations have been performed, log in to the LCE web console and navigate to Clients. The LCE Web Query Client should appear in the client list if it was configured correctly during the initial setup. If the LCE Web Query Client does not appear in the client list as shown in the screenshot below, please refer to the LCE 4.8 User Guide for troubleshooting tips.

Navigate to Policies and click Add policy. Click the OS drop-down and select the OS of the system the LCE Web Query Client is installed on. Next, click the Client drop-down and select LCE Web Query. Click Start Editing.

To allow the LCE Web Query Client to interact with Google Cloud Platform, the default_rhel_web.lcp policy requires modification. Begin by clicking the + to the right of Group to add a new group endpoint. In the Add a new endpoint group dialog, enter a name and configure the Optional parameters. Refer to Table 1: Add a New Endpoint Group Options below for a description of each field.
Table 1: Add a New Endpoint Group Options

  Endpoint Group Option     Description
  ------------------------  -----------------------------------------------------------------
  Name                      Enter a descriptive name for the Google Cloud Platform endpoint.
  Usage limit               The limit of calls or bytes the LCE Web Client can make to
                            Google Cloud Platform. Bytes can be set to an integer followed
                            by K (Kilobyte), M (Megabyte) or G (Gigabyte). Set to unlimited
                            for no limit restriction.
  Usage limit type          Groups can be limited by either bytes or calls.
  Usage limit reset period  Frequency that the usage limit will reset to zero.
  Usage limit start day     Defines the starting day when the time parameter is set to monthly.

Click the + Add Google Cloud endpoint option to add the endpoint. Once the endpoint is added, enter an Endpoint name and select the Active checkbox. Specify the Query interval (in seconds) at which the LCE Web Query Client communicates with Google Cloud Platform. Enter the JSON service account key and the Subscription information generated during the Google Cloud Platform configuration. Click Save.
Once the policy file has been modified, click + Save as in the upper right-hand corner and enter a descriptive name. Click OK. Once the policy is saved, navigate to Clients and click the LCE Web Query Client. Click the Policy drop-down and select the previously created Google Cloud policy. Click Update.

The LCE Web Query Client will now begin monitoring Google Cloud Platform logs. To verify that the logs are being imported into SecurityCenter, log into your SecurityCenter instance, navigate to Analysis, and click Events from the drop-down. Click the Type Summary drop-down and select Normalized Event Summary.

Click >> to the left of Normalized Event Summary to expand the Filters section and click Select Filters. Check the boxes next to the Timeframe, Syslog Text, LCEs, Normalized Event and Type filters and click Apply to add each filter.

Click the Syslog Text filter, type google in the text box and click OK. Click the Type filter, select unnormalized from the list and click OK. Click Apply All to display the Google Cloud Platform syslog events.

About Tenable

Tenable transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization. Tenable eliminates blind spots, prioritizes threats and reduces exposure and loss. With more than one million users and more than 21,000 customers worldwide, organizations trust Tenable for proven security innovation. Tenable customers range from Fortune Global 500 companies, to the global public sector, to mid-sized enterprises in all sectors, including finance, government, healthcare, higher education, retail and energy. Transform security with Tenable, the creators of Nessus and leaders in continuous monitoring, by visiting tenable.com.