Security Operations Suite arrow_forward expand_more
Solutions arrow_forward expand_more
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
Resources arrow_forward expand_more
Security Operations Suite arrow_forward expand_more
Solutions arrow_forward expand_more
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
Resources arrow_forward expand_more
Mandiant is now part of Google Cloud. Learn More Mandiant is now part of Google Cloud. .
How threat detection and incident response compare and contrast between cloud and on-premises

While science still needs to progress and significant hurdles must be overcome, humans are undeniably closer than ever before to colonizing space, potentially only years away if you believe the most ambitious milestones for moon settlements.

If you were to join a lunar base tomorrow, you’d experience firsthand just how different the moon is than Earth —climate, size, and lifelessness to name a few. But if you can look past the moon’s low-gravity, dusty surface and its underground lava tubes (the latter are actually good for human colonization as they protect against harmful radiation … and those pesky space rocks), you might find a lot of things that remind you of home.

For example, the moon has a comparable axial tilt to Earth, and a landscape and day-night cycle that are not too dissimilar. Eventually, if enough people settled, society would take on a familiar look and feel as well. Homes and economies would emerge, and relationships would prosper.

When your organization enters the cloud, it may feel like the security team is on a rocky spacecraft to some alien planet, never to again experience life as they once knew it. (And why wouldn’t they feel this way? As more organizations take the cloud plunge, more attackers have become interested. According to a recent report, more than 80% of organizations have experienced a cloud security incident in the past year, from publicly exposed buckets to cryptocurrency mining.)

But, as you’ll find, the cloud doesn’t have to be some strange, uncomfortable place.


Yes, incidents will happen in the cloud. And many things about the experience will be different than you remember from on-premises detection and response, including:

The amount and types of telemetry that will be present

Cloud environments produce a boundless array of logs, including logs related to application and servers, APIs, and just about anything else running in the environment.

Your methods for collecting logs

Due to this high data volume, system logging requires specific methods and skills to extract insights. Plus, the assets that live there are often short-lived, making basic log collection more difficult.

You won’t be able to do everything yourself

The cloud introduces a “shared responsibility” model (which we believe is better served as a “shared fate” arrangement). This means you will need to lean on your cloud service provider during an investigation to acquire certain data.


But before all the differences between cloud and on prem make you want to blast yourself into the cosmos, never to be seen or heard from again, let’s keep you grounded with some reasons how cloud security is similar to doing it the traditional way, including:

Your data still needs to be retained

Just because your logs or container images are living in the cloud doesn’t free them from legal scrutiny. This means your cloud data still needs to be preserved (keeping in mind the ephemeral nature of the cloud) so it can be normalized, correlated, and analyzed during an investigation.

The basics still pay off

From collecting evidence to drawing conclusions, your investigative techniques don’t change much in the cloud, and sound processes still rule the day. Of course, it’s difficult to probe what you don’t understand, so—like you do for your on-premises environment—understand how cloud technology works, how systems communicate, how code is pushed, and arguably most important of all, where critical data flows and the crown jewels live.

Every incident is still different

Lean into the fact that every security episode, no matter which environment it occurs in, whether on Earth or the moon—or on premises or in the cloud—will be different. And that’s OK. The key is how you have prepared for the inevitable event and how you react when it happens.

What can you do today to detect and respond more effectively in the cloud?

Your migration to the cloud is inevitable, if not already fully in progress or place. Here are some quick-hit reminders for how your security operations team can succeed in this new paradigm.

  • Baseline your environment and understand your security profile

  • Prepare logs and telemetry so you’re not caught unprepared

  • Conduct realistic red and blue team exercises to advance your skills

  • Make sure your security profile evolves to match your cloud environment

  • Get help from Google Cloud, including Chronicle and Mandiant

To learn more about how to detect and respond in the cloud, watch on demand this Google Cloud Next Session, featuring Anton Chuvakin of Google’s Office of the CISO and Mandiant CTO Marshall Heilman.

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page