Cloud Security Command Center Blog | Sovereign Solutions


Cloud Security Command Center (Cloud SCC) is a comprehensive security management and data risk platform for Google Cloud Platform (GCP), and the canonical security and data risk database for GCP. Cloud SCC helps you understand your security and data attack surface by providing asset inventory, discovery, search, and management.

It is designed to help security teams prevent, detect, and respond to threats from a single pane of glass.

Cloud SCC provides a number of capabilities. Some are built in, while others are provided by separate tools that are fully integrated with it.

Prevent, detect, and respond to threats

Cloud Security Command Center makes it easier for you to prevent, detect, and respond to threats. Identify misconfigurations in virtual machines, networks, applications, and storage from a single pane of glass and act on them before they result in business damage or loss. Built-in threat detectors can quickly surface suspicious activity in your Stackdriver security logs or compromised virtual machines. Quickly respond to threats by following actionable recommendations or exporting data to your SIEM.

Prevent threats with visibility and control over your cloud data and services

Cloud Security Command Center gives enterprises centralized visibility into their cloud assets across App Engine, Compute Engine, and more. Built-in security analytics and threat intelligence assess the overall security state and activity of your virtual machines, network, and storage, and surface vulnerabilities in your applications. These insights can help you take preventative actions to reduce your exposure to threats.

Detect and respond to threats targeting your Google Cloud Platform assets

Cloud Security Command Center reveals virtual machines that have been used for malicious purposes. Event Threat Detection uses industry-leading threat intelligence, including Google Safe Browsing, to detect suspicious activity in your Stackdriver logs. In just a few clicks, you can identify high-risk incidents and focus on remediation.

Cloud Security Command Center integrates with Google Cloud Platform security tools like Binary Authorization or Google Cloud Phishing Protection. You can also integrate third-party security solutions from Acalvio, Capsule8, Cavirin, Chef, Check Point CloudGuard Dome9, Cloudflare, and others.

Cloud SCC features

Asset discovery and inventory

Discover and view your assets across App Engine, BigQuery, Cloud SQL, Cloud Storage, Compute Engine, Cloud IAM, and Kubernetes Engine. Review historical discovery scans to identify new, modified, or deleted assets.

Sensitive data discovery

Find out which storage buckets contain sensitive and regulated data using the Cloud DLP API. Help prevent unintended exposure and ensure access is based on need-to-know. The DLP API integrates automatically with Cloud Security Command Center.

Application vulnerability detection

Uncover common vulnerabilities such as cross-site-scripting (XSS), outdated libraries, and more that put your App Engine applications at risk with Cloud Security Scanner. Cloud Security Scanner integrates automatically with Cloud Security Command Center.

REST API and SIEM

Leverage the Cloud Security Command Center REST API for easy integration with your existing security systems and workflows. Export Cloud Security Command Center data to Splunk or other SIEMs for further analysis.
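The paragraph above mentions exporting Cloud SCC data to a SIEM. The following is an added example, not code from the original post or from Google: it takes one finding shaped like the JSON the Cloud SCC REST API returns (the sample finding, its field values and the dotted-key layout are constructed here for illustration) and flattens it into a single key="value" line that most SIEM ingestion pipelines accept.

```python
import json

# Constructed sample finding. Field names follow the Cloud SCC v1 REST
# representation as an assumption; the values are made up for this example.
SAMPLE_FINDING = {
    "name": "organizations/123456/sources/789/findings/abc123",
    "parent": "organizations/123456/sources/789",
    "resourceName": "//storage.googleapis.com/example-public-bucket",
    "state": "ACTIVE",
    "category": "PUBLIC_BUCKET_ACL",
    "eventTime": "2019-10-01T12:34:56Z",
    "createTime": "2019-10-01T12:34:56Z",
    "sourceProperties": {
        "ScannerName": "STORAGE_SCANNER",
        "Explanation": "Bucket is readable by allUsers",
    },
    "securityMarks": {"marks": {"priority": "high", "owner": "storage-team"}},
}


def flatten(obj, prefix=""):
    """Recursively flatten nested dicts and lists into dotted keys.

    {"a": {"b": 1}, "c": [2, 3]} -> {"a.b": 1, "c.0": 2, "c.1": 3}
    """
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{index}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def finding_to_siem_event(finding):
    """Normalise a few top-level fields, then keep every other field under
    its original dotted path so nothing from the finding is lost."""
    event = {
        "event_type": "scc_finding",
        "finding_id": finding["name"].rsplit("/", 1)[-1],
        "source": finding["parent"],
        "resource": finding.get("resourceName", ""),
        "state": finding.get("state", ""),
        "category": finding.get("category", ""),
        "timestamp": finding.get("eventTime", ""),
    }
    for key, value in flatten(finding).items():
        event.setdefault(key, value)
    return event


def to_kv_line(event):
    """Render the event as one key="value" line (keys sorted for stable
    parsing), escaping backslashes and double quotes inside values."""
    parts = []
    for key in sorted(event):
        value = str(event[key]).replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{key}="{value}"')
    return " ".join(parts)


if __name__ == "__main__":
    event = finding_to_siem_event(SAMPLE_FINDING)
    print(to_kv_line(event))
    print(json.dumps(event))  # JSON Lines form, if the SIEM prefers it
```

Nested `sourceProperties` and `securityMarks` survive as `sourceProperties.ScannerName` and `securityMarks.marks.priority`, so SIEM searches can key on them directly; the normalised `finding_id`, `resource` and `category` fields give correlation rules a stable set of names regardless of which source produced the finding.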

Access control monitoring

Native ability to surface the identity and access management policies for your cloud resources. Help ensure the appropriate access control policies are in place and get alerted when policies are misconfigured or unexpectedly change.

Forseti, our open source security toolkit for Google Cloud Platform, integrates with Cloud Security Command Center.

Anomaly detection from Google

Identify threats such as coin mining, unusual activity, hijacked accounts, compromised machines used for botnets or DDoS attacks, and anomalous data activity with Cloud Anomaly Detection, developed by Google. Cloud Anomaly Detection integrates automatically with Cloud Security Command Center.

Threat detection

Automatically scan Stackdriver security logs for high-profile indicators of compromise with Event Threat Detection and further explore these findings from Cloud Security Command Center.

Third-party security tool inputs

Integrate output from your existing security tools into Cloud Security Command Center to detect security and compliance policy violations and instance vulnerabilities and threats.

Real-time notifications and remediation

Receive Cloud Security Command Center alerts via Gmail, SMS, and Jira with Cloud Pub/Sub notification integration. Quickly remediate security alerts by using Cloud Pub/Sub events and Cloud Functions.

Audit logs

Integrate Cloud Audit Logging events for Compute Engine, Google Cloud networking, Cloud Storage, Cloud IAM, and Binary Authorization into Cloud Security Command Center to help meet regulatory requirements or provide an audit trail while investigating an incident.

Cloud SCC authentication

Authentication methods

Service accounts

Service accounts are recommended for almost all use cases, whether you are developing locally or in a production application.

User accounts

You can authenticate users directly to your application, when the application needs to access resources on behalf of an end user.

If your application uses end user authentication, you need to specify OAuth scopes when making a method call.

Access control

Roles limit an authenticated identity’s ability to access resources. When building a production application, only grant an identity the permissions it needs in order to interact with applicable GCP APIs, features, or resources.

Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use the Cloud Security Command Center (Cloud SCC) API.

Using the Assets display

To access the Cloud SCC assets display, you must have a Cloud Identity and Access Management (Cloud IAM) role that includes the permissions of the Security Center Assets Viewer role.

Accessing the assets display

  1. Go to the Security Command Center page in the GCP Console.
  2. Select the organization you want to review.
  3. On the Security Command Center dashboard that appears, click the Assets tab.

Viewing Assets

The assets display enables you to view assets for the entire organization or you can view assets only within a specific project, asset type, or change type. For a detailed view of attributes, resource properties, and findings on a specific asset, click the asset name under the resource_properties.name column.

Viewing by project

By default, assets are displayed in the organization and project hierarchy. To view assets associated with a specific resource, under View by Project, select the organization or project you want to review.

Viewing by asset type

To view your assets grouped by resource type, under the Assets tab, click Asset type. Assets are displayed in categories like application, bucket, project, and service. The following asset types are currently supported:

  • Resource Manager
    • Organization
    • Folder
    • Project
  • App Engine
    • Application
    • Service
    • Version
  • Compute Engine
    • Address
    • Autoscaler
    • BackendBucket
    • BackendService
    • BillingAccount

Viewing by asset changed

To view new and deleted assets, under the Assets tab, click Asset changed. All assets are displayed, including subgroups for new and deleted assets.

Viewing by Cloud IAM policy

Cloud SCC displays Cloud Identity and Access Management (Cloud IAM) policies for assets on the Assets tab under the iamPolicy column.

Configuring the assets display

By default, the assets display includes the following columns:

  • Asset name: resource_properties.name
  • Asset type: resourceType
  • Asset owner: resourceOwners
  • Any marks added to the asset: marks
  • The Cloud Identity and Access Management (Cloud IAM) policies on the asset: iamPolicy

Using Findings

Cloud Security Command Center (Cloud SCC) findings let you review possible security risks, called findings, for your organization’s Google Cloud Platform (GCP), hybrid, and multi-cloud resources.

To access Cloud SCC findings, you must have a Cloud Identity and Access Management (Cloud IAM) role that includes the permissions of the Security Center Findings Viewer role.

Accessing findings inventory

  1. Go to the Security Command Center in the GCP Console.
  2. Select the organization you want to review.
  3. On the Security Command Center dashboard that appears, click the Findings tab.

Viewing findings

The Cloud SCC Findings display enables you to view potential security risks for your organization.

Viewing by finding type

By default, findings are displayed in specific categories like cross-site scripting (XSS) and exposure of credit card number or phone number. If you leave the category field blank when you create a finding, it doesn’t have a category in the Findings display.

  • To view details about a specific risk type, under View by Finding type, select the type of risk you want to review. All findings of that type are displayed in the middle panel.
  • To view detailed information about a specific finding, click the finding under category.

Viewing by source

A finding source is any provider of findings, like Cloud Security Scanner or Cloud DLP Data Discovery scanner. These sources include the following:

  • Scanners that provide a sampled snapshot of findings at a specific time.
  • Monitors that provide an event stream of findings.
  • Loggers that provide output of historical events.

You can view findings by source in multiple ways:

  • To view findings grouped by source type, under the Findings tab, click Source type.
  • To view individual findings for a specific source type, under View by Source type, select the source type you want to review. All findings of that type are displayed in the middle panel.
  • To view detailed information about a specific finding, click the finding under category.

Viewing by findings changed

To view new and inactive findings, under the Findings tab, click Findings changed. All findings are displayed in the following subgroups:

  • Active changed findings: findings that changed to active during the selected time period.
  • Active unchanged findings: findings that are active and were active during all or part of the selected time period.
  • Inactive changed findings: findings that changed to inactive during the selected time period.
  • Inactive unchanged findings: findings that are inactive and were inactive during the selected time period.
  • New findings: findings that are new during the selected time period.

Any findings in a group with a “Changed” tag have changed properties during the selected time range.

Using Cloud SCC security marks

Security marks, or just “marks”, enable you to annotate assets or findings in Cloud SCC and then search, select, or filter using the mark. You can use security marks to provide ACL annotations on assets and findings. Then you can group them by these annotations for management, policy application, or integration with workflow. You can also use marks to add priority, access level, or sensitivity classifications.
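The “Real-time notifications and remediation” feature above describes delivering Cloud SCC alerts over Cloud Pub/Sub and remediating them with Cloud Functions, and the paragraph above describes using security marks to carry priority or sensitivity classifications. The following added example (not code from the original post or from Google) ties the two together: a handler shaped like a background Cloud Function decodes a Pub/Sub message, reads the finding inside it, and decides on an action from the finding’s state, category and marks. The notification body layout (a `notificationConfigName` plus the full `finding` object), the category names and the mark keys `env`, `sensitivity` and `suppress` are all assumptions made for this example.

```python
import base64
import json

# Constructed sample of the JSON body Cloud SCC publishes to a Pub/Sub topic.
# Assumption: a notificationConfigName plus the full finding object.
SAMPLE_NOTIFICATION = {
    "notificationConfigName": "organizations/123456/notificationConfigs/all-findings",
    "finding": {
        "name": "organizations/123456/sources/789/findings/def456",
        "parent": "organizations/123456/sources/789",
        "resourceName": "//compute.googleapis.com/projects/example-proj/zones/us-central1-a/instances/vm-1",
        "state": "ACTIVE",
        "category": "EXAMPLE_COMPROMISED_INSTANCE",  # constructed category name
        "eventTime": "2019-10-01T12:34:56Z",
        # marks the team set earlier to classify the asset/finding
        "securityMarks": {"marks": {"env": "prod", "sensitivity": "high"}},
    },
}

# Categories this team treats as urgent (constructed for the example).
CRITICAL_CATEGORIES = {"EXAMPLE_COMPROMISED_INSTANCE", "PUBLIC_BUCKET_ACL"}


def make_pubsub_event(payload):
    """Wrap a dict the way a background function receives a Pub/Sub message:
    the JSON body is base64-encoded under the "data" key."""
    return {"data": base64.b64encode(json.dumps(payload).encode()).decode()}


def triage(finding):
    """Map one finding to an action using its state, category and marks.

    close  - the finding is no longer active, so any open ticket can be closed
    ignore - a "suppress" mark records an accepted risk
    page   - critical category or high sensitivity on a production asset
    ticket - same, but not production
    log    - everything else
    """
    marks = finding.get("securityMarks", {}).get("marks", {})
    if finding.get("state") != "ACTIVE":
        return "close"
    if marks.get("suppress") == "true":
        return "ignore"
    urgent = (
        finding.get("category") in CRITICAL_CATEGORIES
        or marks.get("sensitivity") == "high"
    )
    if urgent:
        return "page" if marks.get("env") == "prod" else "ticket"
    return "log"


def handle_event(event, context=None):
    """Entry point with a background Cloud Function signature: decode the
    Pub/Sub message, pull out the finding, and return the routing decision."""
    payload = json.loads(base64.b64decode(event["data"]))
    finding = payload["finding"]
    return {
        "config": payload.get("notificationConfigName", ""),
        "finding": finding["name"],
        "resource": finding.get("resourceName", ""),
        "category": finding.get("category", ""),
        "action": triage(finding),
    }


if __name__ == "__main__":
    print(json.dumps(handle_event(make_pubsub_event(SAMPLE_NOTIFICATION)), indent=2))
```

Because the decision comes from marks rather than hard-coded resource names, the same function serves every project: tagging an asset `env=prod` or a finding `suppress=true` in Cloud SCC changes how its notifications are routed without redeploying the function, and the `close` branch keeps downstream tickets in step with findings that become inactive.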

Exporting Cloud SCC data

Cloud SCC lets you export data using the Cloud SCC API or the Google Cloud Platform Console.

To export Cloud SCC data, you need the following:

  • A Cloud Identity and Access Management (Cloud IAM) role that includes the permissions of the Security Center Admin Viewer role.
  • A GCP project in which you can create a Cloud Storage bucket and write the export data.


Manage vulnerability and threat sources

Adding vulnerability and threat sources to Cloud Security Command Center

Viewing vulnerabilities and threats

Sending Cloud DLP scan results to Cloud SCC

Sending Forseti result to Cloud SCC

Enabling Security Health Analytics

Supported Security Health Analytics findings

Managing Security Health Analytics vulnerability findings


Talk to our experts now to learn how Sovereign Solutions can help your organization meet its business objectives

*This content is being provided for informational and educational purposes, and should not be regarded as a specific recommendation for your situation.
