Full Report
Experts at the Google Cloud Next event set out how security teams need to adapt their focuses in the wake of trends such as rising cyber-attacks and advances in AI
Analysis Summary
# Best Practices: Evolving Cybersecurity for a Changing Threat Landscape
## Overview
These practices address the necessities for cybersecurity teams to adapt to a rapidly changing environment driven by increased criminal activity, geopolitical tensions, new regulations, and the widespread adoption of new technologies like AI. The focus is on eliminating blind spots, mitigating insider threats, leveraging AI for efficiency, securing AI deployments, and hardening cloud credential security.
## Key Recommendations
### Immediate Actions
1. **Assess Visibility Gaps:** Immediately identify and inventory devices that typically do not support traditional endpoint detection and response (EDR) tools, such as firewalls, virtualization platforms, and VPN solutions.
2. **Proactive Zero-Day Hunting/Response:** Review internal processes to rapidly assess organizational compromise upon the publication of a major zero-day vulnerability affecting the technology stack.
3. **Enforce Foundational Authentication:** Ensure Multi-Factor Authentication (MFA) is enforced across all cloud environments and critical systems, and mandate strong password policies (no reuse).
4. **Establish Data Gateways for AI:** Implement a single access layer for all organizational data to pass through before being used by AI agents, ensuring centralized control over inputs.
### Short-term Improvements (1-3 months)
1. **Implement Lateral Movement Detection:** Focus security tooling and monitoring efforts on detecting anomalies indicative of lateral movement *following* a compromise of previously hard-to-monitor assets (e.g., network infrastructure, edge devices).
2. **Enhance User and Entity Behavior Analytics (UEBA):** Deploy or tune systems to detect anomalies in user behavior, specifically looking for credentials being used in unexpected or suspicious ways ("living off the land" techniques).
3. **Develop Comprehensive Insider Threat Vetting:** Collaborate with HR to create enhanced hiring protocols, including rigorous background checks, especially for IT roles, possibly requiring in-person interviews where feasible.
4. **Utilize AI for Alert Triage:** Pilot or deploy AI-powered automation tools to handle initial investigation and triage of low-fidelity security alerts to free up SOC analysts for high-fidelity threats.
### Long-term Strategy (3+ months)
1. **Establish AI Data Governance Controls:** Implement automated processes—potentially leveraging AI itself—to rapidly analyze unstructured data (images, text, video) and assign appropriate, consistent sensitivity labels to enforce governance policies.
2. **Map Cloud Footprint and Shared Responsibility:** Perform a comprehensive discovery of all SaaS providers and cloud instances utilized by the business units. Validate that security configurations align with the cloud provider's Shared Responsibility Model.
3. **Curate Safe AI Tooling:** Establish a process for vetting and curating AI agents, utilizing marketplaces or internal reviews to ensure that adopted AI tools have been classified as "safe" and meet internal security standards.
4. **Strengthen Access Controls for Third Parties:** Develop and strictly enforce Identity and Access Management (IAM) programs specifically designed to restrict and audit the access privileges assigned to third-party contractors.
## Implementation Guidance
### For Small Organizations
- **Prioritize MFA Everywhere:** Make the deployment of MFA on all corporate and cloud accounts the absolute top priority, as it directly mitigates risks from credential harvesting malware.
- **Focus on Detection over Prevention for Blind Spots:** Since dedicated EDR on all network gear is costly, focus budget on strong logging and UEBA tools that can spot suspicious activity *after* a peripheral device is breached.
- **Leverage Vendor Visibility Tools:** When selecting cloud services, prioritize providers that offer comprehensive visibility tooling to help fulfill the organization’s side of the Shared Responsibility Model.
### For Medium Organizations
- **Integrate HR/Security Vetting:** Formalize the collaboration between Security and HR for advanced vetting, focusing hiring process changes on roles with high potential access to sensitive systems.
- **Pilot AI for SOC Efficiency:** Deploy AI augmentation tools for alert triage to immediately reduce analyst burnout and refocus skilled personnel on complex incident response.
- **Inventory Edge Devices:** Develop a formal process and toolset (e.g., an NMAP scan schedule or configuration management system) to maintain a real-time inventory of firewalls, VPNs, and virtualization platforms for security review.
### For Large Enterprises
- **Implement Zero-Day Response Retainers:** Proactively engage specialized third-party experts (like Mandiant) for rapid assessment services following major zero-day disclosures to quickly determine exposure across the large, complex technology stack.
- **Establish Centralized Data Access Layer:** Architect and enforce a unified data gateway for all AI interactions to standardize governance controls over unstructured data inputs.
- **Establish AI Agent Governance Marketplace:** Build an internal process or portal where teams can browse, approve, and manage pre-vetted, secure AI agents to prevent unauthorized shadow AI usage.
## Configuration Examples
*Note: Specific technical commands were not provided in the source context. The following outlines areas requiring specific configuration.*
| Component | Best Practice Configuration Area | Focus |
| :--- | :--- | :--- |
| **Cloud IAM** | Enforce MFA via conditional access policies. Deny long-lived access keys where possible; favor short-term credentials. | Credential Security |
| **Network Infrastructure** (Firewalls/VPNs) | Implement rigorous logging directed to a centralized SIEM/Log aggregator. Configure alerts for anomalous administrative access or lateral connection attempts originating from these devices. | Blind Spot Detection |
| **AI Workloads** | Configure fine-grained access policies (Role-Based Access Control) on the data gateway to ensure AI agents only access data necessary for their function (Principle of Least Privilege). | Data Governance |
| **User Behavior Monitoring** | Build analytics rules specifically targeting atypical access patterns for high-privilege accounts (e.g., a developer accessing infrastructure management console overseas late at night). | Living Off the Land Detection |
## Compliance Alignment
* **NIST Cybersecurity Framework (CSF):** Practices heavily align with **Identify** (Asset Management, Risk Assessment) and **Detect** (Anomalies, Monitoring) functions.
* **ISO/IEC 27001:** Addresses requirements within Annex A controls related to Access Control (A.9) and Operations Security (A.12), particularly regarding secure configuration and logging.
* **CIS Critical Security Controls:** Directly supports Control 1 (Inventory and Control of Hardware Assets) and Control 5 (Account Management, focusing on MFA).
## Common Pitfalls to Avoid
1. **Underestimating Non-Traditional Assets:** Assuming devices like firewalls or virtualization layers are "secure enough" because they don't run standard EDR agents.
2. **Ignoring Lateral Movement:** Relying solely on perimeter defenses; threat actors are expected to pivot quietly once a blind spot is exploited.
3. **Treating Insider Threat as Purely Technical:** Failing to involve HR and management in mitigating insider threats like the fake IT worker scheme, which requires process and human vetting, not just firewalls.
4. **Lax AI Data Handling:** Allowing employees to input sensitive, proprietary, or regulated data into general-purpose AI tools without passing through a governed access layer.
5. **Assuming Cloud Security is Handled:** Believing that cloud providers manage all security risks; failing to understand and implement required controls under the Shared Responsibility Model leads to credential compromise exposure.
## Resources
- **Mandiant Consulting:** Recommended for proactive consultation when zero-day vulnerabilities are disclosed in key technologies.
- **Google Cloud AI Agent Marketplace:** A resource for procuring pre-vetted AI agents that meet baseline security standards.
- **UEBA/SIEM Platforms:** Tools necessary for monitoring anomalies in credential usage and lateral movement across the environment.