Security Command Center overview

This page provides an overview of Security Command Center, Google Cloud's centralized vulnerability and threat reporting service. Security Command Center helps you strengthen your security posture by evaluating your security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities, and threats; and helping you mitigate and remediate risks.

Security Command Center uses services, such as Event Threat Detection and Security Health Analytics, to detect security issues in your environment. These services scan your logs and resources on Google Cloud looking for threat indicators, software vulnerabilities, and misconfigurations. Services are also referred to as sources. For more information, see Security sources.

When these services detect a threat, vulnerability, or misconfiguration, they issue a finding. A finding is a report or record of an individual threat, vulnerability, or misconfiguration that a service has found in your Google Cloud environment. Findings show the issue that was detected, the Google Cloud resource that is affected by the issue, and guidance on how you can address the issue.

In the Google Cloud console, Security Command Center provides a consolidated view of all of the findings that are returned by Security Command Center services. In the Google Cloud console, you can query findings, filter findings, mute irrelevant findings, and more.

Security Command Center activation levels

You can activate Security Command Center on an individual project, which is known as project-level activation, or an entire organization, which is known as organization-level activation.

For more information about activating Security Command Center, see Overview of activating Security Command Center.

Security Command Center service tiers

Security Command Center offers two service tiers: Standard and Premium.

The tier you select determines the built-in services that are available with Security Command Center.

If you have questions about the Security Command Center service tiers, contact your account representative or Google Cloud sales.

For information about costs associated with using a Security Command Center tier, see Pricing.

The Standard service tier

The Standard tier includes the following services and features:

  • Security Health Analytics: in the Standard tier, Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. In the Standard tier, Security Health Analytics includes the following finding types:

    • Dataproc image outdated
    • Legacy authorization enabled
    • MFA not enforced
    • Non org IAM member
    • Open ciscosecure websm port
    • Open directory services port
    • Open firewall
    • Open group IAM member
    • Open RDP port
    • Open SSH port
    • Open Telnet port
    • Public bucket ACL
    • Public Compute image
    • Public dataset
    • Public IP address
    • Public log bucket
    • Public SQL instance
    • SSL not enforced
    • Web UI enabled
  • Web Security Scanner custom scans: in the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IP addresses that aren't behind a firewall. Scans are manually configured, managed, and executed for all projects, and support a subset of categories in the OWASP Top Ten.
  • Security Command Center errors: Security Command Center provides detection and remediation guidance for configuration errors that prevent Security Command Center and its services from functioning properly.
  • Continuous Exports feature, which automatically manages the export of new findings to Pub/Sub.
  • Access to integrated Google Cloud services, including the following:

    • Sensitive Data Protection discovers, classifies, and protects sensitive data.
    • Google Cloud Armor protects Google Cloud deployments against threats.
    • Anomaly Detection identifies security anomalies for your projects and virtual machine (VM) instances, like potential leaked credentials and cryptocurrency mining.
    • Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters.
  • Integration with BigQuery, which exports findings to BigQuery for analysis.
  • Integration with Forseti Security, the open source security toolkit for Google Cloud, and third-party security information and event management (SIEM) applications.
  • When Security Command Center is activated at the organization level, you can grant users IAM roles at the organization, folder, and project levels.

The Premium service tier

The Premium tier includes all of the Standard tier services and features and the following additional services and features:

  • Attack path simulations help you identify and prioritize vulnerability and misconfiguration findings by identifying the paths that a potential attacker could take to reach your high-value resources. The simulations calculate and assign attack exposure scores to any findings that expose those resources. Interactive attack paths help you visualize the possible attack paths and provide information about the paths, related findings, and the affected resources.
  • Vulnerability findings include CVE assessments provided by Mandiant to help you prioritize their remediation.

    On the Overview page in the console, the Top CVE findings section shows you vulnerability findings grouped by their exploitability and potential impact, as assessed by Mandiant. On the Findings page, you can query findings by CVE ID.

    For more information, see Prioritize by CVE impact and exploitability.

  • Event Threat Detection monitors Cloud Logging and Google Workspace, using threat intelligence, machine learning, and other advanced methods to detect threats, such as malware, cryptocurrency mining, and data exfiltration. For a full list of built-in Event Threat Detection detectors, see Event Threat Detection rules. You can also create custom Event Threat Detection detectors. For information about module templates that you can use to create custom detection rules, see Overview of custom modules for Event Threat Detection.
  • Container Threat Detection detects the following container runtime attacks:
    • Added Binary Executed
    • Added Library Loaded
    • Execution: Added Malicious Binary Executed
    • Execution: Added Malicious Library Loaded
    • Execution: Built in Malicious Binary Executed
    • Execution: Modified Malicious Binary Executed
    • Execution: Modified Malicious Library Loaded
    • Malicious Script Executed
    • Reverse Shell
    • Unexpected Child Shell
  • Sensitive Actions Service detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they are taken by a malicious actor.
  • Virtual Machine Threat Detection detects potentially malicious applications running in VM instances.
  • Security Health Analytics at the Premium tier includes the following features:

    • Managed vulnerability scans for all Security Health Analytics detectors
    • Monitoring for many industry best practices
    • Compliance monitoring. Security Health Analytics detectors map to the controls of the common security benchmarks.
    • Custom module support, which you can use to create your own custom Security Health Analytics detectors.

    In the Premium tier, Security Health Analytics supports the standards described in Remain compliant with industry standards.

  • Web Security Scanner in the Premium tier includes all Standard tier features and additional detectors that support categories in the OWASP Top Ten. Web Security Scanner also adds managed scans that are automatically configured.
  • Compliance monitoring across your Google Cloud assets.

    To measure your compliance with common security benchmarks and standards, detectors of the Security Command Center vulnerability scanners are mapped to common security standard controls.

    You can view your compliance with the standards, identify non-compliant controls, export reports, and more. For more information, see Assess and report compliance with security standards.

  • You can request additional Cloud Asset Inventory quota if you need extended asset monitoring.
  • Rapid Vulnerability Detection scans networks and web applications to detect weak credentials, incomplete software installations, and other critical vulnerabilities that have a high likelihood of being exploited.
  • The security posture service lets you define, assess, and monitor the overall status of your security in Google Cloud. The security posture service is only available in the Security Command Center Premium tier for customers who purchase a fixed-price subscription and activate the Security Command Center Premium tier at the organization level. The security posture service doesn't support usage-based billing or project-level activations.
  • The Secured Landing Zone service can be enabled only in the Security Command Center Premium tier. When enabled, this service displays findings if there are policy violations in the resources of the deployed blueprint, generates corresponding alerts, and selectively takes automatic remediation actions.
  • VM Manager vulnerability reports
    • If you enable VM Manager, the service automatically writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in the operating systems installed on Compute Engine virtual machines. For more information, see VM Manager.

Strengthen your security posture

Security Command Center works with Cloud Asset Inventory to provide complete visibility into your Google Cloud infrastructure and resources, also referred to as assets. Built-in services—Security Health Analytics, Event Threat Detection, Container Threat Detection, and Web Security Scanner—use nearly 200 detection modules that continuously monitor and scan your assets, web applications, Cloud Logging stream, Google Workspace logs, and Google Groups.

Powered by Google's threat intelligence, machine learning, and unique insights into the architecture of Google Cloud, Security Command Center detects vulnerabilities, misconfigurations, threats, and compliance violations in near-real time. Security findings, attack exposure scores, and compliance reports help you triage and prioritize risks, and provide verified remediation instructions and expert tips for responding to findings.

The following figure illustrates the core services and operations in Security Command Center.

[Figure] Operations include asset detection and scans. Core services include scanning for threats and vulnerabilities and alerting you to misconfigurations.

Expansive inventory of assets, data, and services

Security Command Center ingests data about new, modified, and deleted assets from Cloud Asset Inventory, which continuously monitors assets in your cloud environment. Security Command Center supports a large subset of Google Cloud assets. For most assets, configuration changes, including IAM and organization policies, are detected in near-real time. You can quickly identify changes in your organization or project and answer questions like:

  • How many projects do you have, and how many projects are new?
  • What Google Cloud resources are deployed or in use, like Compute Engine virtual machines (VMs), Cloud Storage buckets, or App Engine instances?
  • What's your deployment history?
  • How to organize, annotate, search, select, filter, and sort across the following categories:
    • Assets and asset properties
    • Security marks, which enable you to annotate assets or findings in Security Command Center
    • Time period

Security Command Center always knows the current state of supported assets and, in the Google Cloud console or Security Command Center API, lets you review historical discovery scans to compare assets between points in time. You can also look for underused assets, like virtual machines or idle IP addresses.

AI-generated summaries

If you are using Security Command Center Premium, Security Command Center provides dynamically generated explanations of each finding and of each simulated attack path that Security Command Center generates for Vulnerability and Misconfiguration class findings.

The summaries are written in natural language to help you quickly understand and act on findings and any attack paths that might accompany them.

The summaries appear in the following places in the Google Cloud console:

  • When you click the name of an individual finding, the summary appears at the top of the finding's details page.
  • In Security Command Center Premium, if a finding has an attack exposure score, you can display the summary to the right of the attack path by clicking the attack exposure score and then AI summary.

Required IAM permissions

To view the AI summaries, you need the required IAM permissions.

For findings, you need the securitycenter.findingexplanations.get IAM permission. The least-permissive predefined IAM role that contains this permission is the Security Center Findings Viewer (roles/securitycenter.findingsViewer) role.

For attack paths, you need the securitycenter.exposurepathexplan.get IAM permission. The least-permissive predefined IAM role that contains this permission is the Security Center Exposure Paths Reader (roles/securitycenter.exposurePathsViewer) role.

During the preview, these permissions are not available in the Google Cloud console to add to custom IAM roles.

To add the permission to a custom role, you can use the Google Cloud CLI.

For information about using the Google Cloud CLI to add permissions to a custom role, see Create and manage custom roles.
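The following is an added example, not part of the Security Command Center documentation: a preflight check that takes a custom role as returned by `gcloud iam roles describe ROLE_ID --organization=ORG_ID --format=json`, reports which of the two AI-summary permissions named above are missing, and builds the matching `gcloud iam roles update ... --add-permissions=...` command. The role JSON is constructed for the example, and `EXAMPLE_ORG_ID` and the role ID `sccSummaryReader` are placeholders.

```python
"""Check a custom IAM role for the Security Command Center AI-summary permissions.

Added example: the role document below is constructed, and the organization and
role IDs are placeholders. The permission names come from the page above.
"""

# Permissions required to view the AI-generated summaries.
AI_SUMMARY_PERMISSIONS = (
    "securitycenter.findingexplanations.get",   # summaries of findings
    "securitycenter.exposurepathexplan.get",    # summaries of attack paths
)

# Constructed sample in the shape of `gcloud iam roles describe --format=json`:
# the role can already read findings and their summaries, but not attack paths.
SAMPLE_ROLE = {
    "name": "organizations/EXAMPLE_ORG_ID/roles/sccSummaryReader",  # placeholder IDs
    "title": "SCC summary reader",
    "stage": "GA",
    "includedPermissions": [
        "securitycenter.findings.list",
        "securitycenter.findingexplanations.get",
    ],
}


def missing_permissions(role, required=AI_SUMMARY_PERMISSIONS):
    """Return the required permissions that the role does not grant, in order."""
    granted = set(role.get("includedPermissions", []))
    return [perm for perm in required if perm not in granted]


def role_is_active(role):
    """A deleted role, or one in the DISABLED launch stage, grants nothing even if
    it lists the right permissions; check this before relying on the role."""
    return not role.get("deleted", False) and role.get("stage") != "DISABLED"


def role_id_from_name(role):
    """Extract the short role ID from the full resource name."""
    return role["name"].rsplit("/", 1)[-1]


def gcloud_update_command(role, org_id, required=AI_SUMMARY_PERMISSIONS):
    """Build the gcloud argv that adds the missing permissions to the custom role.

    Returns None when the role already grants everything in `required`.
    """
    missing = missing_permissions(role, required)
    if not missing:
        return None
    return [
        "gcloud", "iam", "roles", "update", role_id_from_name(role),
        f"--organization={org_id}",
        "--add-permissions=" + ",".join(missing),
    ]


if __name__ == "__main__":
    if not role_is_active(SAMPLE_ROLE):
        print("role is deleted or disabled; fix that first")
    cmd = gcloud_update_command(SAMPLE_ROLE, "EXAMPLE_ORG_ID")
    print("nothing to add" if cmd is None else " ".join(cmd))
```

The command is only built, not executed, so the check can run anywhere; a practitioner would feed the real `describe` output in and run the resulting command with an identity that can edit custom roles.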

Actionable security insights

Security Command Center's built-in and integrated services continuously monitor your assets and logs for indicators of compromise and configuration changes that match known threats, vulnerabilities, and misconfigurations. To provide context for incidents, findings are enriched with information from the following sources:

  • AI-generated summaries that help you understand and act on Security Command Center findings and any attack paths included with them. For more information, see AI-generated summaries.
  • With Security Command Center Premium, vulnerability findings include information from their corresponding CVE entries, including the CVE score, its potential impact, and potential for being exploited.
  • Chronicle, a Google Cloud service that ingests Event Threat Detection findings and lets you investigate threats and pivot through related entities in a unified timeline.
  • VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.
  • MITRE ATT&CK framework, which explains techniques for attacks against cloud resources and provides remediation guidance.
  • Cloud Audit Logs (Admin Activity logs and Data Access logs).

You get notifications for new findings in near real-time, helping your security teams gather data, identify threats, and act on recommendations before they result in business damage or loss.

With a centralized view of your security posture and a robust API, you can quickly do the following:

  • Answer questions like:
    • What static IP addresses are open to the public?
    • What images are running on your VMs?
    • Is there evidence that your VMs are being used for cryptocurrency mining or other abusive operations?
    • Which service accounts have been added or removed?
    • How are firewalls configured?
    • Which storage buckets contain personally identifiable information (PII) or sensitive data? This feature requires integration with Sensitive Data Protection.
    • Which cloud applications are vulnerable to cross-site-scripting (XSS) vulnerabilities?
    • Are any of my Cloud Storage buckets open to the internet?
  • Take actions to protect your assets:
    • Implement verified remediation steps for asset misconfigurations and compliance violations.
    • Combine threat intelligence from Google Cloud and third-party providers, such as Palo Alto Networks, to better protect your enterprise from costly compute layer threats.
    • Ensure the appropriate IAM policies are in place and get alerts when policies are misconfigured or unexpectedly changed.
    • Integrate findings from your own or third-party sources for Google Cloud resources, or hybrid or multi-cloud resources. For more information, see Adding a third-party security service.
    • Respond to threats in your Google Workspace environment and unsafe changes in Google Groups.

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Identity and access misconfigurations

Security Command Center makes it easier for you to identify and resolve findings of identity and access misconfigurations on Google Cloud. The management of identity and access security issues is sometimes referred to as cloud infrastructure entitlement management (CIEM).

Security Command Center misconfiguration findings identify principal accounts (identities) that are misconfigured or that are granted excessive or sensitive IAM permissions (access) to Google Cloud resources.

You can see the most severe identity and access findings in the Identity and access findings panel near the bottom of the Security Command Center Overview page in the Google Cloud console.

On the Vulnerability page in the Google Cloud console, you can select query presets (predefined queries) that show the vulnerability detectors or categories that are related to identity and access. For each category, the number of active findings is displayed.

For more information about the query presets, see Apply query presets.

Remain compliant with industry standards

Most Security Command Center detectors are mapped to one or more of the following compliance standards:

CIS reviews and certifies the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

Security Command Center adds support for new benchmark versions and standards. Older versions of the CIS Benchmark remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark available.

The security posture service lets you map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could impact your business's compliance.

Flexible platform to meet your security needs

Security Command Center includes customization and integration options that let you enhance the service's utility to meet your evolving security needs.

Customization options

Customization options include the following:

Integration options

Integration options include the following:

When to use Security Command Center

The following table, shown here as one entry per feature, lists high-level product features, their use cases, and links to relevant documentation to help you quickly find the content you need.

Asset discovery and inventory
  Use cases:
    • Discover assets, services, and data across your organization or project and view them in one place.
    • Assess vulnerabilities for supported assets, and take action to prioritize fixes for the most severe issues.
    • Review historical discovery scans to identify new, modified, or deleted assets.
  Related docs:
    • Optimize Security Command Center
    • Access control
    • Using Security Command Center in the Google Cloud console
    • Configuring asset discovery
    • Listing assets

Confidential data identification
  Use cases:
    • Find out where sensitive and regulated data is stored using Sensitive Data Protection.
    • Help prevent unintended exposure and ensure access is on a need-to-know basis.
  Related docs:
    • Sending Sensitive Data Protection results to Security Command Center

SIEM and SOAR integration
  Use cases:
    • Easily export Security Command Center data to external systems.
  Related docs:
    • Exporting Security Command Center data
    • Continuous Exports

Vulnerability detection
  Use cases:
    • Correlate vulnerability findings with the security standard controls that they violate.
    • Be proactively alerted to new vulnerabilities and changes in your attack surface.
    • Uncover common vulnerabilities like cross-site scripting (XSS) and Flash injection that put your applications at risk.
    • With Security Command Center Premium, prioritize vulnerability findings by using CVE information, including assessments of exploitability and impact provided by Mandiant.
  Related docs:
    • Security Health Analytics overview
    • Web Security Scanner overview
    • Rapid Vulnerability Detection overview
    • Vulnerabilities findings

Access control monitoring
  Use cases:
    • Help ensure the appropriate access control policies are in place across your Google Cloud resources and get alerted when policies are misconfigured or unexpectedly change.
  Related docs:
    • Access control

Threat detection
  Use cases:
    • Detect malicious activities and actors in your infrastructure, and get alerts for active threats.
  Related docs:
    • Event Threat Detection overview
    • Container Threat Detection overview

Error detection
  Use cases:
    • Be alerted to errors and misconfigurations that prevent Security Command Center and its services from working as intended.
  Related docs:
    • Security Command Center errors overview

Prioritize remediations
  Use cases:
    • Identify the vulnerabilities and misconfigurations that are the most important to remediate by specifying which resources belong in your high-value resource set. Findings that expose resources in your high-value resource set get higher attack exposure scores that you can use to determine which findings you should fix first.
  Related docs:
    • Overview of attack exposure scores and attack paths

Remediate risks
  Use cases:
    • Implement verified and recommended remediation instructions to quickly safeguard assets.
    • Focus on the most important fields in findings to help security analysts quickly make informed triage decisions.
    • Enrich and connect related vulnerabilities and threats to identify and capture TTPs.
    • Resolve errors and misconfigurations that prevent Security Command Center and its services from working as intended.
  Related docs:
    • Investigating and responding to threats
    • Remediating Security Health Analytics findings
    • Remediating Web Security Scanner findings
    • Rapid Vulnerability Detection findings and remediations
    • Security response automation
    • Remediating Security Command Center errors

Posture management
  Use cases:
    • Ensure that your workloads conform to security standards, compliance regulations, and your organization's custom security requirements.
    • Apply your security controls to Google Cloud projects, folders, or organizations before you deploy any workloads.
    • Continuously monitor for and resolve any drift from your defined security controls.
  Related docs:
    • Security posture overview
    • Manage a security posture

Third-party security tool inputs
  Use cases:
    • Integrate output from your existing security tools like Cloudflare, CrowdStrike, Prisma Cloud by Palo Alto Networks, and Qualys, into Security Command Center. Integrating output can help you to detect the following:
      • DDoS attacks
      • Compromised endpoints
      • Compliance policy violations
      • Network attacks
      • Instance vulnerabilities and threats
  Related docs:
    • Configuring Security Command Center
    • Creating and managing security sources

Real-time notifications
  Use cases:
    • Get Security Command Center alerts through email, SMS, Slack, WebEx, and other services with Pub/Sub notifications.
    • Adjust finding filters to exclude findings on allowlists.
  Related docs:
    • Setting up finding notifications
    • Enabling real-time email and chat notifications
    • Using security marks
    • Exporting Security Command Center data
    • Filtering notifications
    • Add assets to allowlists

REST API and Client SDKs
  Use cases:
    • Use the Security Command Center REST API or client SDKs for easy integration with your existing security systems and workflows.
  Related docs:
    • Configuring Security Command Center
    • Accessing Security Command Center programmatically
    • Security Command Center API
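The following is an added example, not part of the Security Command Center documentation or its client libraries, for the real-time notifications entry above: a small consumer that decodes finding notifications delivered through Pub/Sub and decides which ones should reach an alert channel, dropping findings that are inactive, already muted, below a severity threshold, or on an allowlist. It assumes the Pub/Sub message carries a base64-encoded NotificationMessage JSON with a `finding` object; the security mark key `allowlisted`, the organization and project names, and the sample findings are all constructed for this example.

```python
"""Filter Security Command Center finding notifications from Pub/Sub.

Added example: message payloads, resource names, and the 'allowlisted' security
mark key are constructed here and are not taken from the product documentation.
"""
import base64
import json

# Ranking used for the severity threshold; names match the Finding severity enum.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "SEVERITY_UNSPECIFIED": 0}


def decode_notification(pubsub_message):
    """Return the NotificationMessage dict carried in a Pub/Sub message's data field."""
    raw = base64.b64decode(pubsub_message["data"])
    return json.loads(raw.decode("utf-8"))


def is_allowlisted(finding, allowlisted_resources):
    """True if the affected resource is explicitly allowlisted or carries the
    constructed 'allowlisted: true' security mark (mark key is an assumption)."""
    marks = finding.get("securityMarks", {}).get("marks", {})
    return (finding.get("resourceName") in allowlisted_resources
            or marks.get("allowlisted", "").lower() == "true")


def should_alert(finding, allowlisted_resources=frozenset(), min_severity="HIGH"):
    """Decide whether a single finding deserves a real-time alert."""
    if finding.get("state") != "ACTIVE":
        return False  # resolved findings arrive as INACTIVE updates
    if finding.get("mute") == "MUTED":
        return False  # muted in the console or by a mute rule
    severity = finding.get("severity", "SEVERITY_UNSPECIFIED")
    if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[min_severity]:
        return False  # below the threshold for paging
    return not is_allowlisted(finding, allowlisted_resources)


def route_notifications(messages, allowlisted_resources=frozenset(), min_severity="HIGH"):
    """Return (category, resourceName) pairs for the findings that should alert."""
    alerts = []
    for message in messages:
        finding = decode_notification(message)["finding"]
        if should_alert(finding, allowlisted_resources, min_severity):
            alerts.append((finding["category"], finding["resourceName"]))
    return alerts


def _pubsub_message(finding):
    """Wrap a finding in a NotificationMessage and base64-encode it the way
    Pub/Sub delivers message data (constructed sample, placeholder org name)."""
    body = {
        "notificationConfigName": "organizations/EXAMPLE_ORG_ID/notificationConfigs/example",
        "finding": finding,
    }
    return {"data": base64.b64encode(json.dumps(body).encode("utf-8")).decode("ascii")}


SSH_RULE = "//compute.googleapis.com/projects/example-proj/global/firewalls/allow-ssh"

# Constructed sample notifications; project and resource names are placeholders.
SAMPLE_MESSAGES = [
    _pubsub_message({  # active, high severity, not allowlisted: should alert
        "name": "organizations/EXAMPLE_ORG_ID/sources/1/findings/f1",
        "category": "OPEN_SSH_PORT", "severity": "HIGH", "state": "ACTIVE", "mute": "UNMUTED",
        "resourceName": SSH_RULE, "securityMarks": {"marks": {}},
    }),
    _pubsub_message({  # same category, but the bastion rule carries the allowlist mark
        "name": "organizations/EXAMPLE_ORG_ID/sources/1/findings/f2",
        "category": "OPEN_SSH_PORT", "severity": "HIGH", "state": "ACTIVE", "mute": "UNMUTED",
        "resourceName": "//compute.googleapis.com/projects/example-proj/global/firewalls/bastion-ssh",
        "securityMarks": {"marks": {"allowlisted": "true"}},
    }),
    _pubsub_message({  # low severity: below the default threshold
        "name": "organizations/EXAMPLE_ORG_ID/sources/1/findings/f3",
        "category": "WEB_UI_ENABLED", "severity": "LOW", "state": "ACTIVE", "mute": "UNMUTED",
        "resourceName": "//container.googleapis.com/projects/example-proj/zones/us-central1-a/clusters/dev",
        "securityMarks": {"marks": {}},
    }),
    _pubsub_message({  # resolved: the update arrives with state INACTIVE
        "name": "organizations/EXAMPLE_ORG_ID/sources/1/findings/f4",
        "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "INACTIVE", "mute": "UNMUTED",
        "resourceName": "//storage.googleapis.com/example-proj-logs",
        "securityMarks": {"marks": {}},
    }),
]

if __name__ == "__main__":
    for category, resource in route_notifications(SAMPLE_MESSAGES):
        print(f"ALERT {category} on {resource}")
```

Filtering on the consumer side complements, rather than replaces, the notification filter configured on the export itself: the export filter keeps noise out of the topic, while this code lets the on-call channel honour security marks and a severity threshold without changing the export.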

Data residency controls

To meet data residency requirements, when you activate Security Command Center for the first time, you can enable data residency controls in Security Command Center.

Enabling data residency controls restricts the storage and processing of Security Command Center findings, mute rules, continuous exports, and BigQuery exports to one of the data residency multi-regions that Security Command Center supports.

For more information, see Planning for data residency.

What's next