AlienVault® USM Anywhere™

GCP Sensor Deployment

The USM Anywhere Sensor provides operational visibility into the security of your Google Cloud Platform (GCP) environment. Based on the collected log information, USM Anywhere analyzes the data generated by your GCP environment and provides real-time alerting to identify malicious activity. The sensor is deployed into your GCP environment to provide ultimate control over the installation and the data contained within it, while avoiding any external access to your environment.

All USM Anywhere Sensors allow for authenticated scans of assetsAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. by leveraging stored credentials that you define in USM Anywhere. This allows USM Anywhere to detect potential vulnerabilities, installed software packages, and running processes and services.

The GCP Sensor does not require you to install a sensor for every GCP project you wish to monitor. If you have multiple projects under a single GCP organization, the sensor can be configured to handle multiple projects within that organization.

Log Collection and Scans

The GCP Sensor collects GCP and system logs, and generates asset scans and vulnerability assessmentsVulnerability assessment uses active network vulnerability scanning and continuous vulnerability monitoring to provide one of the five essential capabilities., consisting of the following:

  • Cloud Audit Logs
  • VPC Flow Logs
  • Firewall Logs
  • syslogs
  • Operational logs for critical software packages deployed, such as HTTP servers and database servers
  • Asset scans on your virtual machines (VMs) to inventory installed software packages, running processes, and services
  • Periodic vulnerability assessments

Log Analysis

USM Anywhere analyzes these logs in these stages:

  1. Collects logs from systems and software running in your environment
  2. Configures log line processing and generates events

    • Includes IP addresses and timestamps culled from extracted log line data
    • Adds other data to the event, such as security context and environmental information
  3. Analyzes events and stores them

USM Anywhere collects log data, processes the data, and produces normalized events

Deployment Overview

AT&T Cybersecurity distributes the GCP Sensor as a Cloud Deployment Manager template specifically for the Google virtual private cloud (VPC).

The deployment process for an initial USM Anywhere Sensor in your GCP environment consists of these primary tasks:

  1. Review requirements for a GCP Sensor deployment.
  2. Prepare your GCP environment for sensor deployment.
  3. Deploy the USM Anywhere Sensor within your GCP environment.
  4. Register the sensor with your sensor authentication code to provision the USM Anywhere instance and connect the deployed sensor.
  5. Complete your GCP Sensor configuration, including initial asset discovery.
  6. Configure log collection with Google Cloud Pub/Sub.