Understanding Security Command Center findings

Security Command Center is the security and risk database for Google Cloud. Security Command Center includes a risk dashboard and analytics system for surfacing, understanding, and remediating Google Cloud security and data risks across an organization. Google Cloud Armor is integrated automatically with Security Command Center and exports two findings to the Security Command Center dashboard. This guide describes the findings and how to interpret them.

If you do not already have Google Cloud Armor enabled in Security Command Center, see the documentation for Security Command Center. Note that you see findings in Security Command Center only for projects that have Security Command Center enabled at the organization level.

Allowed traffic spike finding

Allowed traffic consists of well-formed HTTP(S) requests that are destined to reach your backend services after a Google Cloud Armor security policy is enforced.

This finding notifies you of a spike in allowed traffic on a per-backend-service basis. A finding is generated when there is a sudden increase in the allowed number of requests per second (RPS) compared to the normal volume observed in recent history. The RPS that constituted the spike and the RPS of the recent history are provided as a part of the finding.

Use case: potential L7 attacks

Distributed denial of service (DDoS) attacks occur when attackers send large volumes of requests to overload a target service. Layer 7 DDoS attack traffic typically presents as a spike in the number of requests per second. An allowed traffic spike finding can indicate that a potential layer 7 DDoS attack is underway.

An allowed traffic spike finding tells you the backend service to which the RPS spike is directed and the traffic characteristics that caused Google Cloud Armor to classify it as an RPS spike. Use this information to determine whether a potential attack is under way, the service that is being targeted, and the actions you can take to mitigate the potential attack.

The following is a screen shot of a sample allowed traffic spike finding on the Security Command Center dashboard.

Screenshot: Allowed traffic spike finding

The values Long_Term_Allowed_RPS and Short_Term_Allowed_RPS are calculated by Google Cloud based on Google Cloud Armor historical information.

Increasing deny ratio

This finding notifies you that there is an increase in the ratio of traffic that is blocked by Google Cloud Armor because of a user-configured rule in a security policy. Although the denial is expected and does not affect the backend service, this finding helps alert you to increases in unwanted and potentially malicious traffic targeting your applications. The RPS of the denied traffic and the total incoming traffic are provided as a part of the finding.

Use case: mitigating L7 attacks

An increasing deny ratio finding enables you to see both the impact of successful mitigations and significant changes in the behavior of malicious clients. The finding identifies the backend service to which the denied traffic was directed and provides the traffic characteristics that caused Google Cloud Armor to raise the finding. Use this information to evaluate whether the denied traffic must be studied in detail to further strengthen your mitigations.

The following is a screen shot of a sample increasing deny ratio finding on the Security Command Center dashboard.

Screenshot: Increasing deny ratio finding

The values Long_Term_Denied_RPS and Long_Term_Incoming_RPS are calculated by Google Cloud based on Google Cloud Armor historical information.
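As an added example (not Google's code, and not the published logic behind these findings), the following Python sketch reconstructs how both findings described on this page, the allowed traffic spike and the increasing deny ratio, could be computed from per-second allowed and denied request counts: the spike check compares a short-term allowed RPS against a long-term baseline, and the deny ratio check compares denied RPS to total incoming RPS over the same two windows. The window lengths, the threshold factors, the function and field names, and the sample counts are all assumptions made for illustration.

```python
"""
Added example (not Google's code): a toy reconstruction of the two Cloud
Armor findings described on this page, computed from per-second request
counts. Window lengths and the SPIKE_FACTOR / RATIO_FACTOR thresholds are
assumptions made for illustration; the exact heuristics Google Cloud applies
are not published.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

LONG_WINDOW_S = 600   # assumed "recent history" baseline window (10 minutes)
SHORT_WINDOW_S = 60   # assumed window over which the current rate is measured
SPIKE_FACTOR = 3.0    # assumed: short-term allowed RPS must exceed 3x the baseline
RATIO_FACTOR = 2.0    # assumed: short-term deny ratio must exceed 2x the baseline ratio


def split_windows(counts: Sequence[int], long_s: int, short_s: int
                  ) -> Tuple[Sequence[int], Sequence[int]]:
    """Return (baseline, current): the long_s seconds that precede the most
    recent short_s seconds, and those most recent short_s seconds."""
    if len(counts) < long_s + short_s:
        raise ValueError(f"need at least {long_s + short_s} seconds of counts")
    return counts[-(long_s + short_s):-short_s], counts[-short_s:]


def mean_rps(counts: Sequence[int]) -> float:
    """Average requests per second over a window of per-second counts."""
    return sum(counts) / len(counts)


@dataclass
class AllowedTrafficSpike:
    long_term_allowed_rps: float    # plays the role of Long_Term_Allowed_RPS
    short_term_allowed_rps: float   # plays the role of Short_Term_Allowed_RPS
    spike: bool


def allowed_traffic_spike(allowed: Sequence[int], long_s: int = LONG_WINDOW_S,
                          short_s: int = SHORT_WINDOW_S,
                          factor: float = SPIKE_FACTOR) -> AllowedTrafficSpike:
    """Flag a sudden rise in allowed RPS relative to the recent baseline."""
    baseline, current = split_windows(allowed, long_s, short_s)
    long_rps, short_rps = mean_rps(baseline), mean_rps(current)
    return AllowedTrafficSpike(long_rps, short_rps, short_rps > factor * long_rps)


@dataclass
class IncreasingDenyRatio:
    long_term_denied_rps: float     # plays the role of Long_Term_Denied_RPS
    long_term_incoming_rps: float   # plays the role of Long_Term_Incoming_RPS
    long_term_deny_ratio: float
    short_term_deny_ratio: float
    increasing: bool


def deny_ratio(denied: Sequence[int], incoming: Sequence[int]) -> float:
    """Denied requests as a fraction of all incoming requests; 0.0 if nothing arrived."""
    total_in = sum(incoming)
    return sum(denied) / total_in if total_in else 0.0


def increasing_deny_ratio(denied: Sequence[int], allowed: Sequence[int],
                          long_s: int = LONG_WINDOW_S, short_s: int = SHORT_WINDOW_S,
                          factor: float = RATIO_FACTOR) -> IncreasingDenyRatio:
    """Flag a rise in the share of traffic denied by security-policy rules."""
    # Incoming traffic is everything the policy evaluated: allowed plus denied.
    incoming = [d + a for d, a in zip(denied, allowed)]
    den_base, den_cur = split_windows(denied, long_s, short_s)
    in_base, in_cur = split_windows(incoming, long_s, short_s)
    long_ratio = deny_ratio(den_base, in_base)
    short_ratio = deny_ratio(den_cur, in_cur)
    increasing = short_ratio > 0 and short_ratio > factor * long_ratio
    return IncreasingDenyRatio(mean_rps(den_base), mean_rps(in_base),
                               long_ratio, short_ratio, increasing)


def sample_counts() -> Tuple[List[int], List[int]]:
    """Constructed data: 10 minutes of steady traffic, then a 60-second burst."""
    allowed = [100] * LONG_WINDOW_S + [800] * SHORT_WINDOW_S
    denied = [5] * LONG_WINDOW_S + [400] * SHORT_WINDOW_S
    return allowed, denied


if __name__ == "__main__":
    allowed, denied = sample_counts()
    print(allowed_traffic_spike(allowed))
    print(increasing_deny_ratio(denied, allowed))
```

The baseline window deliberately excludes the most recent seconds so that the burst being evaluated does not inflate its own "normal" reference; a sliding average that includes the burst would raise the bar exactly when the finding should fire.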

After traffic returns to normal

Security Command Center findings are notifications that a particular behavior was observed at a point in time. No notification is sent when the behavior clears.

There might be updates to existing findings if the current traffic characteristics increase substantially in comparison to existing characteristics. If there is no follow-up finding, then either the behavior cleared or the traffic volume did not increase (allow or deny) substantially after the initial finding was generated.

What's next

For troubleshooting information, see Troubleshooting Google Cloud Armor security policies.