Google Cloud Login Behaviour
With all the publicity about breaches of servers containing Government Personnel data, it is a good time to consider how well you understand access to your Google cloud environment.
Servers on your LANs that have been breached, no matter what the path, will leave a packet trail that you can follow up to a suspicious device. There is no guarantee that that device is the end-point, but at least you have the start of the path that law enforcement can then follow.
In the Google cloud, how do you identify such suspicious activity? Google is getting better at identifying and alerting users to suspicious activity, but good hackers will be well aware of the alarms Google set, so how do you as an Admin get the big picture and bring human intuition to bear on the collective pool of data?
One tool GAT provides is ‘User Logins’.
Clicking on this audit area lets you analyze the login behavior on your Google Domain by several metrics, source, volume, success, failures, etc.
The screenshot above is from ‘Events tab’ and will give the big-picture view of worldwide accesses to your domain. Are there logins from unexpected locations?
Clicking on the map marker shows the Email address, and all related information to this account such as IP Address, City, Country, Event and Date.
Users Logins can also be checked by clicking on the “Apply custom filter” button.
Where an admin can narrow down the search and extract more detailed information regarding an event.
For example, an Admin can search for all events with status “Invalid Password” this will bring all results and it will be displayed on the map where this actually happen and generate a report for this.
It shows Login Event Locations and Login IP Locations.
What else should you look for? search by ‘OK’ logins and look for the ratio of different users to successful logins. If you see something like 10 logins from a single IP address and 5 different users, then that is either a new office you opened yesterday or very strange behavior – if it is not a new office then check out that address and those accounts in more detail.
The second-way GAT attempts to watch your back is via the Alarms section (Select ‘Alarms’ on the home page).
While these are no substitute for the human intelligence an Admin brings to bear by knowing their own data, they can help watch your back in some areas. To configure an alarm click on the plus icon/button.
Based on our experience the alarm ‘Alert on new IP addresses with negative logins’ is the most useful because it flags someone taking a ‘potshot’ at one of your domain accounts. We only alarm you if we have never seen a successful login from that address before – this eliminates a lot of false positives.