Introduction
The purpose of this article is to provide specific guidelines on how to perform a Proof of Concept (PoC) for Microsoft Defender for Cloud’s native GCP (Google Cloud Platform) support. This article is part of a series of articles called The Microsoft Defender for Cloud PoC Series, each providing specific guidelines on how to perform a PoC for a specific Microsoft Defender for Cloud plan. For a more holistic approach and where you need to validate Microsoft Defender for Cloud’s Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) capabilities all up, see the How to Effectively Perform an Microsoft Defender for Cloud PoC article.
Planning
This section highlights important considerations and availability information that you should be aware of when planning for the PoC.
NOTE: At the time of writing this article, Microsoft Defender for Cloud native GCP support isn’t available for national clouds (such as Azure Government and Azure China 21Vianet). For most actual information, see Feature support in government and national clouds.
The first step of the PoC begins with gaining a clear understanding of the benefits the native GCP support in Microsoft Defender for Cloud brings to your organization. This includes:
- Native Agentless CSPM for GCP resources
- Native CWP support for GCP GKE clusters
- Native CWP support for GCP Virtual Machine instances
- Native CWP support for SQL servers running on GCP Compute instances
The CSPM for GCP resources is completely agentless and at the time of writing this article, supports the data types in GCP as mentioned towards the end of this article. Additionally, Microsoft Defender for Cloud currently also supports assessing your GCP resources against regulatory standards which currently include: GCP Default, GCP CIS 1.1.0, GCP CIS 1.2.0, GCP ISO 27001, GCP NIST 800 53, and PCI DSS 3.2.1.
NOTE: Standards are added to the dashboard as they become available. The preceding list might not contain recently added standards.
Keep in mind that the CSPM plan for GCP resources is available for Free. Refer to this document for additional information.
The CWP support for GCP GKE clusters offers a wide set of capabilities including discovery of unprotected clusters, advanced threat detection for the control plane and workload level, Kubernetes data plane recommendations (through the Azure Policy extension) and more.
The CWP support for GCP VM instances offers a wide set of capabilities, including automatic provisioning of pre-requisites on existing and new machines, vulnerability assessment, integrated license for Microsoft Defender for Endpoint (MDE), file integrity monitoring and more.
The CWP support for SQL servers running on GCP Compute Instances offers a wide set of capabilities, including advanced threat protection, vulnerability assessment scanning, and more.
Now that we’ve touched briefly on the benefits that Microsoft Defender for Cloud’s native GCP support provides, let’s move onto the next step. Next up is identifying which use cases the PoC should cover. A few common use cases are ensuring that Compute instances do not have public IP addresses, ensuring that the default network does not exist in a project, or ensuring that VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys.
Preparation and Implementation:
This section highlights the requirements that you should be aware of before starting the PoC. For the complete list of permission requirements and additional pre-requisites, see the Availability section.
There are three main steps when preparing to enable Microsoft Defender for Cloud’s native GCP support.
- Determining which capabilities are in the scope of the PoC
At the time of writing this article, Defender for Cloud supports the following GCP capabilities: (see Figure 1):
- Native Agentless CSPM for GCP resources
- Native CWP support for GCP GKE clusters
- Native CWP support for GCP Virtual Machine instances
- Native CWP support for SQL servers running on GCP Compute Engine
Figure 1: Native CSPM and CWP capabilities for GCP in Microsoft Defender for Cloud
- Selecting the GCP projects on which you’d like to perform the PoC
For the purposes of this PoC, it’s important that you identify which GCP project(s) are going to be used to perform the PoC of Defender for Cloud’s native GCP support. You can choose a single GCP project or optionally, you can choose your GCP organization, which will include each project discovered under the provisioned organization.
- Connecting GCP projects Microsoft Defender for Cloud
Figure 2: Connecting GCP accounts to Microsoft Defender for Cloud
To connect GCP projects to Microsoft Defender for Cloud you need to perform a series of steps in Azure and GCP. For detailed technical guidance see Connect your GCP projects. For a video of step-by-step guidance on how this process looks like end-to-end in Azure and GCP, see this short video.
NOTE: If you’ve enabled sending control plane audit logs from the GKE control plane to your project’s Cloud Logging and are exporting data out of GCP (i.e. to Azure or an external SIEM), you will incur additional costs on the GCP side.
Validation
Once you’ve created the connector, you can validate it by analyzing the data relevant to the use cases that your PoC covers.
When validating recommendations for GCP resources and adding custom assessments, you can consult Custom assessments and standards in Microsoft Defender for Cloud for GCP workloads (Preview) - Micro....
When validating alerts for GCP VM instances, you can consult reference list of alerts for machines.
When validating alerts for GKE clusters, you can consult reference list of alerts for containers – Kubernetes clusters.
When validating alerts for SQL servers running on GCP VM instances, you can consult reference list of alerts.
- You can also export Defender for Cloud security alerts to a SIEM (i.e. Azure Sentinel or 3rd party SIEM).
- Learn more about how to stream alerts to a SIEM, SOAR or ITSM.
- Learn more about how to investigate Microsoft Defender for Cloud alerts using Microsoft Sentinel.
Closing Considerations:
By the end of this PoC, you should be able to determine the value of the native GCP integration in Defender for Cloud. The native GCP support provides agentless CSPM for GCP resources and advanced CWP capabilities for servers, containers, and databases. For a more holistic approach where you need to validate Microsoft Defender for Cloud’s CSPM and CWP capabilities, see How to Effectively Perform an Microsoft Defender for Cloud PoC article.
P.S. To stay up to date on helpful tips and new release, subscribe to our Microsoft Defender for Cloud Newsletter and join our Tech Community where you can be one of the first to hear the latest Defender for Cloud news, announcements and get your questions answered by Azure Security experts.
