Jump to Content
Product Announcements

Arming Google Workspace users and admins with advanced counter-abuse and threat-analysis capabilities

May 18, 2021
https://storage.googleapis.com/gweb-cloudblog-publish/images/workspace_security.max-2600x2600.jpg
Sarah Zimmel

Product Marketing Manager, Google Cloud Security

Brad Meador

Product Lead, Google Workspace Security

We’re adding new security capabilities into Google Workspace, including Alert Center enrichment with VirusTotal threat context, restricted access to resources, and user blocking in Drive.

Try Google Workspace at No Cost

Get a business email, all the storage you need, video conferencing, and more.

SIGN UP

Like everything we build at Google, we created Google Workspace with security at its core to defend against threats and combat abuse, helping all of our users stay safe. With these protections, we enable IT admins to defend against attackers who are always looking for new vectors to exploit. To ensure we’re giving admins the controls and capabilities that help them protect their users and organizations against security threats and abuse, we’re adding new advanced security features to Google Workspace. 

Alert Center enrichment with VirusTotal threat context

Google Workspace’s Alert Center provides IT admins with actionable, real-time alerts and security insights about the important security-related activity in their domain. It helps admins cut through the security notification noise with a unified view of the most critical alerts, allowing them to focus on what matters and more efficiently serve and protect their organization. Today, we’re taking Alert Center’s alerts to the next level by enriching them with industry-leading VirusTotal threat context and reputation data.

https://storage.googleapis.com/gweb-cloudblog-publish/images/An_enhanced_VirusTotal_enrichment_report_i.max-1700x1700_VNTAKwM.jpg
An enhanced VirusTotal enrichment report in the Alert Center

This integration equips admins with the ability to dig into their alerts at a deeper level. When an Alert Center notification contains a supported VirusTotal entity, such as a domain, file attachment hash, or IP address, a VirusTotal report enrichment widget (VT Augment) will be shown right in the Alert Center dashboard. For paid VirusTotal subscribers, an enhanced version of the report will automatically populate. Enhanced reports contain advanced threat analysis details, such as: 

  • Indicators of compromise: See threat relationships with other artifacts in the VirusTotal dataset, allowing analysts to map out threat campaigns and pinpoint malicious network infrastructure like command-and-control servers, distribution sites, and more.

  • Threat graph: Visualize threat relationships graphically so that analysts can easily make quick and accurate determinations for any alerts they study.

  • Multi-angular detections: Get enhanced reputation information via crowdsourcing of YARA, SIGMA, and intrusion detection system rules.

  • In-the-wild details: Understand geographical and time-spread details for threats, common attacker deception techniques, and more through VirusTotal submission metadata.

  • One-click search pivots: Immediately launch VirusTotal Enterprise advanced searches to uncover other related malware in VirusTotal, all with a single click following a suspicious-threat attribute.

It’s important to note that VirusTotal provides an investigation layer on top of alerts but isn’t being used directly for detection or alerting. No customer information is shared from Google to VirusTotal except when an admin clicks to retrieve a VirusTotal report for a specific entity. These enhancements are starting to roll out in the coming weeks for Google Workspace Business Plus, Enterprise Standard and Plus, and Education Standard and Plus licenses, and will help empower admins to take an in-depth look at threats and potential abuse to better protect their organizations. 

User blocking in Drive 

Google Drive enables both individuals and organizations to store, share, and collaborate from anywhere. Drive’s sharing capabilities fuel productivity and collaboration, but bad actors can abuse tools that are meant to facilitate helpful sharing. That’s why it’s important to have the necessary security controls in place to fend off these sharing threats. Today, we’re announcing user blocking in Drive to do just that. User blocking will help protect Drive users in three ways:

  • Block another user from sharing any content with you in the future. This can be a useful control if, for example, another user has a history of sending spam or abusive content. 

  • Remove all existing files and folders shared by another user. This is an easy way to get rid of all spam or abusive content shared from a specific user at one time.

  • Remove another person’s access to your content, even if you’ve previously shared it with them.

User blocking will not only preserve Drive sharings’ helpfulness, but most importantly preserve the safety of Drive users. Drive user blocking controls are rolling out over the next few months.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Blocking_an_individual_from_future_sharing.max-1700x1700.jpg
Blocking an individual from future sharing in Google Drive

Restricting access to Google Workspace resources

Whether you’re protecting your organization’s data from an attacker seeking your sensitive information, or from an app that simply doesn’t meet your security standards, keeping your organization’s data in safe hands is critical. To help admins control access to organizational data with more precision, we just launched two enhancements for restricting Google Workspace resource access: blocking all OAuth 2.0 API access with app access control and new context-aware access for Google mobile and desktop apps.

Apps can try to trick your users into granting access to corporate data. Limiting both third-party and internals apps’ access to Google Workspace data is an important part of making sure that corporate data does not get into the hands of bad actors. With app access control, admins can choose to trust, limit, or block access to Google Workspace data. 

As an enhancement to app access control, last month we launched a new setting, generally available now for all Google Workspace customers, that enables admins to block all third-party API access to Google Workspace and end-user data. When enabled, all OAuth 2.0 scopes are blocked, and users cannot use their Google Workspace accounts to sign into third-party apps and websites.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Blocking_third-party_API_access_with_app_a.max-1600x1600_LGUFF9u.jpg
Blocking third-party API access with app access control

With context-aware access, admins can control access to apps based on granular attributes like user identity, location, device security status, and IP address so that only the appropriate users can have access to internal apps. Now, we’re expanding context-aware access to Google desktop and mobile apps for Google Workspace Enterprise Standard, Enterprise Plus, Education Plus, and Cloud Identity Premium customers to give admins even more control over how, when, and where users can access Google Workspace resources.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Apply_context-aware_access_to_Google_deskt.max-1200x1200_mXossWG.jpg
Apply context-aware access to Google desktop and mobile apps

With each of these developments that help keep users and organizations safe from abuse and security threats in Google Workspace, we’re building a safer environment for collaboration and productivity to thrive. You can watch the Google Cloud Security Talks for more on how we are empowering collaboration with security.

Posted in