The Google Workspace Security Investigation Tool (GSIT) is an integral part of securing every data source—from Gmail to Google Drive. Introduced in 2018, the tool helps security analysts and super administrators conduct investigations and reduce risks. Although it can be a powerful tool for investigations, Google’s security tool has its limitations. In this post, we’ll address the tool’s seven primary gaps and offer some key solutions.
7 Limitations of Google’s Security Investigation Tool
1. Reviewing public and external access
Although administrators can use the GSIT to investigate issues with public access or outside domains, the tool can only go so far. One frustrated administrator put it this way:
“I’m trying to figure out if there’s a way for me to see all files that are shared with someone other than (or in addition to) our domain. I can search the Drive Events Log, but that only goes back six months. The Security Dashboard File Exposure report seems to only go back 180 days. There doesn’t seem to be any way to audit the current state of all files in our Google Drive…individuals or shared drives. I tried the Investigation tool and did find the recent access change for that file where I removed his access, but since it’s a log and not really searching all Drive files, it’s pretty inconclusive.”
We hear this often from customers and administrators who are unable to get everything they need with the investigation tool.
As we saw in the example above, data retention for Drive log events only goes back six months (180 days). It’s not possible to get a complete overview of every file in your company’s Drive using the GSIT, and results can still be open to doubt.
Another issue is when looking at external users who are “anonymous” (users who are not signed in to a Google Account), not all of their events may be logged. For example, for anonymous users, edits are logged but any views and downloads are not.
2. Offboarding and layoff events
Lacking access to historical data can impede security investigations when employees leave the company. There could also be delays in Google collecting and processing this information. Delays can hinder investigations into offboarding incidents, especially if the employee’s departure is sudden. According to Google, “retrieving report or log events data for older dates or a wide time range might take so long that, by the time results are available, the most recent log data might no longer be fresh.”
Companies need tools that give near real-time and comprehensive monitoring that updates with the most accurate data, quickly and efficiently.
3. Security incidents and data breaches
Organizations may generate vast amounts of data in Google Drive. Investigating all the logs, events, and alerts generated during or after a breach can overwhelm Security, IT, and Compliance teams, potentially causing delays in identifying the breach.
Alerting can help but might include false positives, or may not give full context into the issue. Companies need a way to quickly sift through vast amounts of Drive log data, using filtering to understand what went wrong and what they can do to mitigate risk.
Although the GSIT can help identify issues, filtering is not always intuitive, and the tool does not offer a comprehensive view of the entire security landscape.
4. Compliance, contracts, and legal investigations
Numerous compliance frameworks deal with data retention. For example, SOX says that financial statements must be kept for seven years after an audit or review is done. This is where the GSIT’s limitations become a larger problem. With its limit of six months, there’s no way to truly preserve a company’s historical data for compliance purposes greater than this period. Companies must turn to external tooling and start logging their data in a system that will store the information for more than 180 days.
The same goes for legal investigations that require administrators or legal personnel to retain or search for data from a specific period. The tool can help investigate data for a short period but runs into issues when you need to store and retain data for longer amounts of time.
5. Investigating abnormal behavior
One problem when investigating abnormal behavior is a lack of context. Certain actions can seem suspicious when examined in isolation but may be part of a legitimate workflow.
Investigating abnormal behavior related to insider threats can also be complex because insiders often have legitimate access to systems and data. Distinguishing between malicious intent and innocent actions can be a challenge.
It’s important to note that in the investigation tool, not all activities in Drive are logged. For example, when a user prints a file opened in a Google file format like Google Docs, this is not recorded. Also, Drive audit events are logged only for files owned by users with supported editions; if this user does not have the right edition, the event will not be recorded.
GSIT’s limitation of 180 days can also leave investigators with an incomplete picture of what transpired within the Google Workspace over time, potentially missing crucial context.
6. Searching shared drives
It’s difficult for administrators to easily find every document in a shared drive. Often, items may be missing from the results due to the 180-day time limit.
In the tool, you can’t take bulk actions across all shared drives. There are also limitations when it comes to folders in shared drives. According to the Google Admin Help Center, while Drive allows the sharing of folders and changing the ownership of folders, the investigation tool does not allow these actions for administrators.
7. Remediating issues
There are a few issues you can remediate in the GSIT. You can remove or add collaborators, remediate link-sharing permissions, and change ownership, among other actions. However, the tool has its shortcomings.
In the GSIT, you are only able to audit the permissions of the first 300 items. Filtering can take time and doesn’t allow you to filter by criteria, like viewing all documents shared with personal accounts. The UI is not intuitive and has time-consuming pagination. You can’t easily tell how many results you have, and you can’t see all files at once.
Administrators need to set very precise conditions to get their desired results. And when you do finally get results, they can take time to load and only give partial data, often due to the 180-day limit.
Addressing the Limitations of Google’s Security Tool
Although Google’s security tool has limitations, the need for faster security investigations is not going away. Nira’s solution addresses the issue of only showing six months of data: the tool goes back to the first day an event happened in the company’s Google Workspace. This extended data retention capability is a game-changer for investigations, as it allows investigators to delve deep into historical records, identify patterns, and trace the evolution of security incidents over time.
Nira also streamlines investigations by offering enhanced search and filtering capabilities, making it easier for administrators to pinpoint relevant information quickly. Its user-friendly interface empowers security professionals to perform tasks more efficiently, reducing the time and effort required to identify and mitigate security threats.
Faster security investigations in Google Drive
Google’s Security Investigation Tool has emerged as a pivotal security solution since its introduction in 2018. Designed to empower administrators and security analysts, the GSIT plays a key role in the identification, assessment, and mitigation of potential threats. Its capabilities extend across various Google services, aiding IT and Security teams in safeguarding their company data.
While the GSIT has been a valuable tool, Nira takes investigations to the next level by addressing the limitation of data retention and offering an intuitive, easy-to-use UI. Nira’s ability to provide access to historical data makes it a superior choice for faster and more comprehensive security investigations within Google Drive. To learn more, visit here.