Netflix Security Monkey on Google Cloud Platform (GCP)

Today we are happy to announce that Netflix Security Monkey has BETA support for tracking Google Cloud Platform (GCP) services. Initially we are providing support for the following GCP services:

  • Firewall Rules
  • Networking
  • Google Cloud Storage Buckets (GCS)
  • Service Accounts (IAM)

This work was performed by a few incredible Googlers with the mission to take open source projects and add support for Google’s cloud offerings. Thank you for the commits!

GCP support is available in the develop branch and will be included in release 0.9.0. This work helps to fulfill Security Monkey’s mission as the single place to go to monitor your entire deployment.

To get started with Security Monkey on GCP, check out the documentation.

See Rae Wang, Product Manager on GCP, highlight Security Monkey in her talk, “Gaining full control over your organization’s cloud resources (Google Cloud Next ’17)”.

Security Monkey’s History:

We released Security Monkey in June 2014 as an open source tool to monitor Amazon Web Services (AWS) changes and alert on potential security problems. In 2014 it was monitoring 11 AWS services and shipped with about two dozen security checks. Now the tool monitors 45 AWS services, 4 GCP services, and ships with about 130 security checks.

Future Plans for Security Monkey:

We plan to continue decomposing Security Monkey into smaller, more maintainable, and reusable modules. We also plan to use new event-driven triggers so that Security Monkey recognizes updates much more quickly. With Custom Alerters, Security Monkey will transform from a purely monitoring tool into one that allows for active response.

More Modular:

  • We have begun the process of moving the service watchers out of Security Monkey and into CloudAux. CloudAux currently supports the four GCP services and three (of the 45) AWS services.
  • We have plans to move the security checks (auditors) out of Security Monkey and into a separate library.
  • Admins may change polling intervals, enable/disable technologies, and modify issue scores from within the settings panel of the web UI.

Event Driven:

  • On AWS, CloudTrail will trigger CloudWatch Event Rules, which will then trigger Lambda functions. We have a working prototype of this flow.
  • On GCP, Stackdriver Logging and Audit Logs will trigger Cloud Functions.
  • As a note, CloudSploit has a product in beta that implements this event-driven approach.
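To make the AWS side of that flow concrete, here is an added sketch of the Lambda end of it. It is not Security Monkey's prototype and not code from this post. The CloudWatch Events envelope and CloudTrail detail fields it reads (`detail-type`, `account`, `region`, `detail.eventSource`, `detail.eventName`, `detail.readOnly`) are the real ones; the event pattern values, the mapping from API calls to the Security Monkey technology to re-poll, and the handler's return shape are this example's own assumptions.

```python
"""Event-driven trigger sketch for the AWS path (CloudTrail -> CloudWatch
Events rule -> Lambda). Added illustration; the technology names and the
return shape are assumptions, not Security Monkey's actual interface."""

# Real CloudWatch Events pattern syntax: an event matches when every listed
# key is present and its value is one of the listed alternatives. The
# services listed are this example's choice.
EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": [
            "ec2.amazonaws.com",
            "s3.amazonaws.com",
            "iam.amazonaws.com",
        ],
    },
}

# Assumed mapping: which watcher a mutating API call should make Security
# Monkey re-poll instead of waiting for the next scheduled run.
EVENT_NAME_TO_TECHNOLOGY = {
    "AuthorizeSecurityGroupIngress": "securitygroup",
    "AuthorizeSecurityGroupEgress": "securitygroup",
    "RevokeSecurityGroupIngress": "securitygroup",
    "PutBucketPolicy": "s3",
    "PutBucketAcl": "s3",
    "PutRolePolicy": "iamrole",
    "AttachRolePolicy": "iamrole",
    "CreateAccessKey": "iamuser",
}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Minimal matcher for the subset of the CloudWatch Events pattern
    language used above: exact-value lists and nested objects."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def handler(event, context=None):
    """Lambda-style entry point. Returns what to re-poll, or None when the
    event is not a tracked configuration change."""
    if not matches_pattern(event):
        return None
    detail = event["detail"]
    if detail.get("readOnly"):  # Describe*/List* calls change nothing
        return None
    technology = EVENT_NAME_TO_TECHNOLOGY.get(detail.get("eventName"))
    if technology is None:
        return None
    return {
        "account": event["account"],
        "region": event["region"],
        "technology": technology,
        "event_name": detail["eventName"],
    }


# Constructed sample events (not captured from a real account).
SAMPLE_SG_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "account": "111122223333",
    "time": "2017-03-01T12:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1",
        "readOnly": False,
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
    },
}

SAMPLE_SCHEDULED_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000001",
    "detail-type": "Scheduled Event",
    "source": "aws.events",
    "account": "111122223333",
    "time": "2017-03-01T12:05:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {},
}

if __name__ == "__main__":
    print(handler(SAMPLE_SG_EVENT))
    print(handler(SAMPLE_SCHEDULED_EVENT))
```

The pattern matcher is only there so the example runs offline; in a deployment the rule's pattern is evaluated by CloudWatch Events itself and the Lambda would only see events that already matched, so the remaining job of the function is the `readOnly` filter and the event-to-technology lookup.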

Custom Alerters:

  • These can be used to provide new notification methods or correct problems.
  • The documentation describes a custom alerter that sends events to Splunk.
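As an added example of the shape such an alerter takes (this is not the project's Splunk alerter and not code from this post), the class below turns new audit findings and watcher changes into JSON lines a log forwarder could ship. It assumes, as I read the project's custom-alerter documentation, that Security Monkey loads classes from `security_monkey/alerters/custom/` and calls `report_auditor_changes(auditor)` and `report_watcher_changes(watcher)` on them; the attribute names used on the auditor, watcher, item and issue objects (`items`, `confirmed_new_issues`, `created_items`, `deleted_items`, `changed_items`, `account`, `region`, `name`, `score`, `issue`, `notes`) are assumptions, and the stand-in objects are constructed for the example.

```python
"""Custom alerter sketch. Added example; the hook names and the attribute
names read from auditor/watcher objects are assumptions about Security
Monkey's interface, not verified against the project."""
import json
from types import SimpleNamespace


class JsonLineAlerter(object):
    """Emit one JSON line per interesting change, ready for a forwarder
    (Splunk HEC, syslog, ...). `emit` only collects lines so the example
    runs offline; a real alerter would POST or write them instead."""

    def __init__(self, index_name, min_score=5):
        self.index_name = index_name  # technology this alerter reports on
        self.min_score = min_score    # drop low-severity audit noise
        self.lines = []

    def emit(self, record):
        self.lines.append(json.dumps(record, sort_keys=True))

    def report_auditor_changes(self, auditor):
        """Assumed hook: called after an audit run with the auditor object.
        Reports newly confirmed issues at or above the score threshold."""
        for item in auditor.items:
            for issue in item.confirmed_new_issues:
                if issue.score < self.min_score:
                    continue
                self.emit({
                    "kind": "issue",
                    "technology": self.index_name,
                    "account": item.account,
                    "region": item.region,
                    "name": item.name,
                    "score": issue.score,
                    "issue": issue.issue,
                    "notes": issue.notes,
                })
        return len(self.lines)

    def report_watcher_changes(self, watcher):
        """Assumed hook: called after a watcher run. Reports configuration
        changes whether or not an auditor flagged them."""
        for kind, items in (("created", watcher.created_items),
                            ("deleted", watcher.deleted_items),
                            ("changed", watcher.changed_items)):
            for item in items:
                self.emit({
                    "kind": kind,
                    "technology": self.index_name,
                    "account": item.account,
                    "region": item.region,
                    "name": item.name,
                })
        return len(self.lines)


def make_fake_auditor():
    """Constructed stand-in for a security group audit result."""
    wide_open = SimpleNamespace(score=10, issue="Internet Accessible",
                                notes="0.0.0.0/0 on port 22")
    low = SimpleNamespace(score=1, issue="Unused",
                          notes="no instances attached")
    item = SimpleNamespace(account="111122223333", region="us-east-1",
                           name="sg-web", confirmed_new_issues=[wide_open, low])
    return SimpleNamespace(items=[item])


def make_fake_watcher():
    """Constructed stand-in for a watcher run that saw one new group."""
    new_sg = SimpleNamespace(account="111122223333", region="us-east-1",
                             name="sg-new")
    return SimpleNamespace(created_items=[new_sg], deleted_items=[],
                           changed_items=[])


if __name__ == "__main__":
    alerter = JsonLineAlerter("securitygroup")
    alerter.report_auditor_changes(make_fake_auditor())
    alerter.report_watcher_changes(make_fake_watcher())
    print("\n".join(alerter.lines))
```

The score threshold is the part worth keeping in any real alerter: without it, every low-scoring informational finding becomes a notification, and the channel is ignored within a week.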

We’ll be following up with a future blog post to discuss these changes in more detail. In the meantime, check out Security Monkey on GitHub, join the community of users, and jump into conversation in our Gitter room if you have questions or comments.

Special Thanks

We appreciate the great community support and contributions for Security Monkey and want to specially thank:

  • Google: GCP Support in CloudAux/Security Monkey
  • Bridgewater Associates: Modularization of Watchers, Auditors, Alerters. Dozens of new watchers. Modifying the architecture to abstract the environment being monitored.

By: Patrick Kelley and Mike Grima