Google's security monitoring program is focused on information gathered from internal network
traffic, employee actions on systems, and outside knowledge of vulnerabilities.
At many points across our global network, internal traffic is inspected for suspicious behaviour, such
as traffic patterns that might indicate botnet connections. This analysis is performed using
a combination of open source and commercial tools for traffic capture and parsing. A proprietary
correlation system built on top of Google technology also supports this analysis. Network analysis is
supplemented by examining system logs to identify unusual behaviour, such as unexpected activity in
former employees' accounts or attempted access to customer data.
Google Security engineers place standing search alerts on public data repositories to look for security
incidents that might affect the company's infrastructure. They actively review inbound security
reports and monitor public mailing lists, blog posts, and web bulletin board systems. Automated
network analysis helps determine when an unknown threat may exist and escalates it to Google
Security staff; automated analysis of system logs supplements the network analysis.
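The log analysis described above (unexpected activity in former employees' accounts, and attempted access to customer data) reduces to a small number of rules run over authentication and access logs. The following is an added illustration of that kind of detection logic, not Google's own tooling: the log format, the HR roster, the customer-data path prefix and the authorisation list are all constructed for the example. Note that denied accesses are still reported, because an attempt against customer data is itself the signal the text refers to.

```python
"""Detection over system logs: flag activity on deactivated accounts and
access attempts against customer data by users not authorised for it.

Added illustration, not Google's tooling. The log format, roster and
allowlist below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed HR roster: user -> UTC time the account was deactivated (None = still active).
DEACTIVATED_AT: dict[str, Optional[datetime]] = {
    "alice": None,
    "bob": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),   # left the company
    "carol": None,
}

# Constructed: resources under this prefix hold customer data; only these users may touch them.
CUSTOMER_DATA_PREFIX = "/customer/"
AUTHORISED_FOR_CUSTOMER_DATA = {"carol"}

# Constructed log lines in a simple "timestamp user action resource result" format.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice login - success
2024-03-02T02:41:10Z bob login - success
2024-03-02T02:42:55Z bob read /customer/acme/export.csv denied
2024-03-02T10:05:00Z alice read /customer/acme/export.csv denied
2024-03-02T10:06:00Z carol read /customer/acme/export.csv success
2024-03-02T11:00:00Z alice read /internal/wiki/onboarding success
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    ts: datetime
    detail: str


def parse_line(line: str):
    """Split one constructed log line into (ts, user, action, resource, result)."""
    ts_s, user, action, resource, result = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, user, action, resource, result


def analyse(log_text: str, roster=DEACTIVATED_AT, authorised=AUTHORISED_FOR_CUSTOMER_DATA):
    """Run the two rules over every line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, result = parse_line(line)
        detail = f"{action} {resource} ({result})"

        # Rule 1: any event from an account the roster says is gone, or from an
        # account the roster has never heard of, is unexpected activity.
        if user not in roster:
            findings.append(Finding("unknown-account", user, ts, detail))
        elif roster[user] is not None and ts >= roster[user]:
            findings.append(Finding("deactivated-account-activity", user, ts, detail))

        # Rule 2: customer-data access by anyone outside the allowlist. The
        # result is deliberately ignored: a denied attempt is still reportable.
        if resource.startswith(CUSTOMER_DATA_PREFIX) and user not in authorised:
            findings.append(Finding("unauthorised-customer-data-access", user, ts, detail))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: count}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts.isoformat()} {f.rule:35} {f.user:6} {f.detail}")
```

Run against the constructed log this reports two events for bob after his deactivation time and two customer-data attempts (bob's and alice's), while carol's authorised read and alice's internal read produce nothing. In practice the roster would come from the HR system of record rather than a dictionary, and the deactivation timestamp matters: a login shortly before the cut-off is normal, one after it is the finding.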
Google employs a full-time team that is dedicated to helping ensure that vulnerabilities are managed
in a timely manner. The Google Security Team actively scans for security threats using commercial
tools, intensive automated and manual penetration efforts, quality assurance (QA) processes,
software security reviews, and external audits. The vulnerability management team is responsible
for tracking and following up on vulnerabilities.
Once a legitimate vulnerability requiring remediation has been identified by the Security Team, it is
logged, prioritised according to severity, and assigned an owner. The vulnerability management team
tracks such issues and follows up frequently until it can verify that they have been remediated.
Google also maintains relationships and interfaces with members of the security research community
to track reported issues in Google services and open source tools. More information about reporting
security issues can be found at http://www.google.com/intl/en/corporate/security.html
Google has an incident management process for security events that may affect the confidentiality,
integrity, or availability of its systems or data. This process specifies courses of action and procedures
for notification, escalation, mitigation, and documentation. Google's security incident management
program is structured around the NIST guidance on handling incidents (NIST SP 800-61).
Key staff are trained in forensics and handling evidence in preparation for an event, including the use
of third party and proprietary tools. Testing of incident response plans is performed for key areas, such
as systems that store sensitive customer information. These tests take into consideration a variety of
scenarios, including insider threats and software vulnerabilities.
To help ensure the swift resolution of security incidents, the Google Security Team is available 24x7
to all employees. When an information security incident occurs, Google's Security staff responds by
logging and prioritising the incident according to its severity. Events that directly impact customers
are treated with the highest priority. An individual or team is dedicated to remediating the problem
and enlisting the help of product and subject-matter experts as appropriate. Their other responsibilities
are deferred until the issue is resolved.
Google Security engineers conduct post-mortem investigations when necessary to determine the
root cause of single events and of trends spanning multiple events over time, and to develop new
strategies to help prevent recurrence of similar incidents.
Google employs multiple layers of defense to help protect the network perimeter from external
attacks. Only authorised services and protocols that meet Google's security requirements are
permitted to traverse the company's network. Unauthorised packets are automatically dropped.
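The allowlist-with-default-drop semantics described above, together with the zone segregation the next paragraph refers to, can be shown as a small first-match policy evaluated over flow records. This is an added illustration written for this page and is not Google's configuration or tooling; the zone prefixes, services and rules are constructed. It also demonstrates the ordering caveat a practitioner checks for in any first-match ACL: a broad allow placed above a specific drop silently wins.

```python
"""First-match, default-deny policy over flow records with CIDR-based zones.

Added illustration; not Google's configuration. Zones, services and rules
are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed network segments. The /0 catch-all is the "outside".
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("10.10.0.0/16"),
    "corp": ipaddress.ip_network("10.20.0.0/16"),
    "data": ipaddress.ip_network("10.30.0.0/16"),
}


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp" or "udp"
    dport: Optional[int]    # None means any destination port
    action: str             # "allow" or "drop"

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.proto == proto and (self.dport is None or self.dport == dport))


# Constructed allowlist. Everything not listed here falls through to the default drop.
POLICY = [
    Rule("internet", "dmz", "tcp", 443, "allow"),   # public HTTPS front end
    Rule("dmz", "corp", "tcp", 8443, "allow"),      # front end -> internal API
    Rule("corp", "data", "tcp", 5432, "allow"),     # API -> database
    Rule("corp", "internet", "tcp", 443, "allow"),  # outbound HTTPS from corp
]


def evaluate(policy, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule decides; no match means drop (default deny)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action
    return "drop"


# Ordering caveat: the "any port" allow shadows the later explicit drop of 22,
# so SSH from the internet reaches the DMZ despite the drop rule being present.
WEAK_POLICY = [
    Rule("internet", "dmz", "tcp", None, "allow"),
    Rule("internet", "dmz", "tcp", 22, "drop"),
]
# Corrected: specific drops go above broad allows, or better, drop the broad allow entirely.
FIXED_POLICY = [
    Rule("internet", "dmz", "tcp", 22, "drop"),
    Rule("internet", "dmz", "tcp", None, "allow"),
]


if __name__ == "__main__":
    flows = [
        ("203.0.113.5", "10.10.1.2", "tcp", 443),    # internet -> dmz https: allow
        ("203.0.113.5", "10.30.1.2", "tcp", 5432),   # internet -> data: drop
        ("10.10.1.2", "10.30.1.2", "tcp", 5432),     # dmz -> data directly: drop
        ("10.20.1.9", "10.30.1.2", "tcp", 5432),     # corp -> data: allow
    ]
    for f in flows:
        print(f, "->", evaluate(POLICY, *f))
    print("weak policy, ssh from internet:", evaluate(WEAK_POLICY, "203.0.113.5", "10.10.1.2", "tcp", 22))
    print("fixed policy, ssh from internet:", evaluate(FIXED_POLICY, "203.0.113.5", "10.10.1.2", "tcp", 22))
```

Two properties are worth verifying on any real ruleset the same way: that a path the architecture never intended (here, internet to the data segment, or the DMZ talking straight to the database) has no matching allow at all, and that no broad rule precedes a narrower one it would shadow.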
Google's network security strategy is composed of the following elements:
Control of the size and make-up of the network perimeter.
Enforcement of network segregation using industry standard firewall and ACL technology.