Security Command Center conceptual overview

What Security Command Center offers

Security Command Center is Google Cloud's centralized vulnerability and threat reporting service. Security Command Center helps you strengthen your security posture by evaluating your security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities, and threats; and helping you mitigate and remediate risks.

Security Command Center tiers

The tier you select determines the built-in Security Command Center services that are available for your organization:

Tier details

Standard tier features

  • Security Health Analytics: in the Standard tier, Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. In the Standard tier, Security Health Analytics includes the following finding types:

  • Web Security Scanner custom scans: in the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IP addresses that aren't behind a firewall. Scans are manually configured, managed, and executed for all projects, and support a subset of categories in the OWASP Top Ten.
  • Support for granting users Identity and Access Management (IAM) roles at the organization level.
  • Access to integrated Google Cloud services, including the following:

  • Integrate with Forseti Security, the open source security toolkit for Google Cloud, and third-party security information and event management (SIEM) applications.

Premium tier features

The Premium tier includes all Standard tier features and adds the following:

  • Event Threat Detection uses threat intelligence, machine learning, and other advanced methods to monitor your organization's Cloud Logging and Google Workspace and detect the following threats:
    • Malware
    • Cryptomining
    • Brute force SSH
    • Outgoing DoS
    • IAM anomalous grant
    • Data exfiltration

    Event Threat Detection also identifies the following Google Workspace threats:

    • Leaked passwords
    • Attempted account breaches
    • Changes to 2-step verification settings
    • Changes to single sign-on (SSO) settings
    • Government-backed attacks
  • Container Threat Detection detects the following container runtime attacks:
    • Added Binary Executed
    • Added Library Loaded
    • Malicious Script Executed
    • Reverse Shell
  • Security Health Analytics: the Premium tier includes managed vulnerability scans for all Security Health Analytics detectors (140+) and provides monitoring for many industry best practices and compliance monitoring across your Google Cloud assets. These results can also be reviewed in a Compliance dashboard and exported as manageable CSVs.

    In the Premium tier, Security Health Analytics includes monitoring and reporting for the following standards:

    • CIS 1.1
    • CIS 1.0
    • PCI DSS v3.2.1
    • NIST 800-53
    • ISO 27001
  • Web Security Scanner in the Premium tier includes all Standard tier features and adds managed scans that are automatically configured. These scans identify the following security vulnerabilities in your Google Cloud apps:
    • Cross-site scripting (XSS)
    • Flash injection
    • Mixed-content
    • Clear text passwords
    • Usage of insecure JavaScript libraries
  • Support for granting users IAM roles at the organization, folder, and project levels.
  • Continuous Exports, which automatically manage the export of new findings to Pub/Sub.

VM Manager vulnerability reports

  • If you enable VM Manager, the service automatically writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in the operating systems installed on Compute Engine virtual machines. For more information, see VM Manager.

For information about costs associated with using a Security Command Center tier, see the Pricing page.

To subscribe to the Security Command Center Premium tier, contact your sales representative or fill out our Premium inquiry form. You should receive a response within three US business days. If you don't subscribe to the Premium tier, then the Standard tier is available.

Actionable security insights

Security Command Center helps security teams gather data, identify threats, and act on them before they result in business damage or loss. It offers deep insight into application and data risk so that you can quickly mitigate threats to your cloud resources across your organization and evaluate overall health. Security Command Center provides a single, centralized dashboard so you can:

  • View and monitor an inventory of your cloud assets.
  • Scan storage systems for sensitive data.
  • Detect common web vulnerabilities and anomalous behavior.
  • Review access rights to your critical resources in your organization.
  • Apply recommended remediations to resolve vulnerabilities.

Security Command Center roles are granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, security sources, and security marks depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Visibility into your cloud data and services

Security Command Center gives enterprises consolidated visibility into their Google Cloud assets across their organization. You can quickly understand:

  • The number of projects you have
  • What resources are deployed
  • Where sensitive data is located
  • How firewall rules are configured

With ongoing discovery scans, enterprises can view asset history to understand exactly what changed in their environment and act on unauthorized modifications.

Powerful insights to help enhance your security posture

Security Command Center provides powerful security insights about your Google Cloud resources. With this tool, security teams can answer questions like:

  • Which Cloud Storage buckets contain personally identifiable information (PII)?
  • Are any of my Cloud Storage buckets open to the internet?
  • Which cloud applications are vulnerable to cross-site scripting (XSS)?

By applying ongoing security analytics and threat intelligence, enterprises can assess their overall security health in a central dashboard and take immediate action on security risks.

Flexible platform to meet your security needs

Security Command Center integrates with Google Cloud security tools like Web Security Scanner and Cloud Data Loss Prevention (Cloud DLP), and third-party security solutions like:

  • Acalvio
  • Capsule8
  • Cavirin
  • Chef
  • Check Point CloudGuard Dome9
  • CloudQuest
  • McAfee
  • Qualys
  • Reblaze
  • Prisma Cloud by Palo Alto Networks
  • StackRox

Google Cloud security insights from partner products are aggregated in Security Command Center, and you can feed them into existing systems and workflows.

Security Command Center features

  • Asset discovery and inventory: Discover your assets, data, and Google Cloud services across your organization and view them in one place. Review historical discovery scans to identify new, modified, or deleted assets.
  • Sensitive data identification: Find out which storage buckets contain sensitive and regulated data using Cloud DLP. Help prevent unintended exposure and ensure access is based on need-to-know. Cloud DLP integrates automatically with Security Command Center.
  • Application vulnerability detection: Uncover common vulnerabilities like cross-site scripting (XSS) and Flash injection that put your App Engine applications at risk with Web Security Scanner. Web Security Scanner integrates automatically with Security Command Center.
  • Access control monitoring: Help ensure the appropriate access control policies are in place across your Google Cloud resources and get alerted when policies are misconfigured or unexpectedly change. Forseti, the open source security toolkit for Google Cloud, integrates with Security Command Center.
  • Anomaly detection from Google: Identify threats like botnets, cryptocurrency mining, anomalous reboots, and suspicious network traffic with built-in anomaly detection technology developed by Google.
  • Third-party security tool inputs: Integrate output from your existing security tools like Cloudflare, CrowdStrike, Prisma Cloud by Palo Alto Networks, and Qualys into Security Command Center. Integrating output can help you to detect:
    • DDoS attacks
    • Compromised endpoints
    • Compliance policy violations
    • Network attacks
    • Instance vulnerabilities and threats
  • Real-time notifications: Get Security Command Center alerts through email and SMS with Pub/Sub notification integration.
  • REST API and Client SDKs: Use the Security Command Center REST API or client SDKs for easy integration with your existing security systems and workflows.

How Security Command Center works

Security Command Center enables you to generate curated insights that provide a unique view of incoming threats and attacks to your Google Cloud resources, called assets. Assets are resources like organizations, projects, instances, and applications.

Security Command Center displays possible security risks, called findings, that are associated with each asset. Findings come from security sources that include Security Command Center's built-in services, third-party partners, and your own security detectors and finding sources.

Assets Summary

Security Command Center asset discovery runs at least once each day. You can manually re-scan on demand from the Security Command Center Assets display. Asset discovery uses your Security Command Center organization hierarchy to curate a list of your existing and new assets.

Google Cloud security findings

Along with the built-in services listed previously on this page, Security Command Center integrates with Google Cloud detectors to surface potential security risks in your assets. Google Cloud detectors include:

These detectors operate regularly to track asset changes over time. Security Command Center enables you to inspect your current and past asset states, and compare assets between two points in time.

Your own security findings

Along with Google Cloud security findings, you can integrate findings from your own or third-party sources for Google Cloud resources or hybrid or multi-cloud resources. For more information, see adding security sources.

When to use Security Command Center

Security Command Center currently focuses on asset inventory, discovery, search, and management. Use Security Command Center when you want to understand your security and data attack surface and answer questions like:

  • How many projects you have, and how many projects are new
  • What Google Cloud resources are deployed, like Compute Engine, Cloud Storage, or App Engine
  • What services are in use, such as Virtual Machines (VMs) or buckets
  • What's your deployment history
  • What images are running on your VMs
  • What IP addresses are open to the public
  • How to organize, annotate, search, select, filter, and sort across the following categories:
    • Assets and asset properties
    • Findings and finding properties like the type of risk
    • Security marks, which enable you to annotate assets or findings in Security Command Center
    • Time period
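The pieces described above fit together once findings leave Security Command Center: Continuous Exports publish each new or changed finding to Pub/Sub, the finding's name records which security source produced it, and security marks let a team annotate a finding with a review decision that later filters can select on. The following Python is an added example, not Google's code or an excerpt from this page, showing a receiver for such an export that routes findings by severity, honours an `accepted_risk` security mark, and builds a findings filter in Security Command Center's filter syntax. The finding field names (`name`, `category`, `severity`, `state`, `resourceName`, `securityMarks.marks`) follow the v1 Finding resource; the organization id, source ids, categories, mark names and the routing policy itself are assumptions constructed for the example.

```python
# Triage Security Command Center findings delivered by a Pub/Sub continuous export.
# Added example, not Google's code. Field names (name, category, severity, state,
# resourceName, securityMarks.marks) follow the v1 Finding resource; every value
# below (organization id, source ids, categories, marks) is a constructed sample.
import base64
import json
from dataclasses import dataclass, field

@dataclass
class Finding:
    name: str
    category: str
    severity: str
    state: str
    resource_name: str
    marks: dict = field(default_factory=dict)

    @property
    def source(self) -> str:
        # Names look like organizations/ORG/sources/SOURCE/findings/ID; SOURCE says
        # which built-in service, partner or custom detector produced the finding.
        parts = self.name.split("/")
        return parts[3] if len(parts) >= 4 and parts[2] == "sources" else ""

def decode_pubsub_envelope(envelope: dict) -> dict:
    """A Pub/Sub push delivery carries the exported JSON base64-encoded in message.data."""
    return json.loads(base64.b64decode(envelope["message"]["data"]).decode("utf-8"))

def parse_finding(notification: dict) -> Finding:
    f = notification["finding"]
    return Finding(
        name=f["name"],
        category=f["category"],
        severity=f.get("severity", "SEVERITY_UNSPECIFIED"),
        state=f.get("state", "STATE_UNSPECIFIED"),
        resource_name=f.get("resourceName", ""),
        marks=dict(f.get("securityMarks", {}).get("marks", {})),
    )

# Routing policy (an assumption of this example): severity picks the queue, and a
# security mark lets reviewers record an accepted risk without deleting the finding.
PAGE_SEVERITIES = {"CRITICAL", "HIGH"}

def triage(finding: Finding) -> str:
    if finding.state != "ACTIVE":
        return "skip"      # state changes are exported too; nothing to act on
    if finding.marks.get("accepted_risk") == "true":
        return "log"       # reviewed and accepted: keep the record, do not alert
    if finding.severity in PAGE_SEVERITIES:
        return "page"
    if finding.severity == "MEDIUM":
        return "ticket"
    return "log"

def route_batch(envelopes: list) -> dict:
    """Group finding names by queue so each downstream system receives one batch."""
    queues = {"page": [], "ticket": [], "log": [], "skip": []}
    for envelope in envelopes:
        finding = parse_finding(decode_pubsub_envelope(envelope))
        queues[triage(finding)].append(finding.name)
    return queues

def scc_filter(state="ACTIVE", category=None, marks=None) -> str:
    """Build a findings filter in Security Command Center's filter syntax, where
    security_marks.marks.KEY="VALUE" selects findings carrying that mark."""
    clauses = [f'state="{state}"']
    if category:
        clauses.append(f'category="{category}"')
    for key, value in (marks or {}).items():
        clauses.append(f'security_marks.marks.{key}="{value}"')
    return " AND ".join(clauses)

def sample(finding_id, source, category, severity, state, marks=None) -> dict:
    """Wrap a constructed finding the way a Pub/Sub push subscription delivers it."""
    body = {
        "notificationConfigName": "organizations/EXAMPLE_ORG/notificationConfigs/example-export",
        "finding": {
            "name": f"organizations/EXAMPLE_ORG/sources/{source}/findings/{finding_id}",
            "category": category,
            "severity": severity,
            "state": state,
            "resourceName": f"//example.googleapis.com/resource-{finding_id}",
            "securityMarks": {"marks": marks or {}},
        },
    }
    data = base64.b64encode(json.dumps(body).encode("utf-8")).decode("ascii")
    return {"message": {"data": data, "messageId": "1"}}

# Constructed sample export messages (not real findings).
SAMPLE_ENVELOPES = [
    sample("f1", "111", "PUBLIC_BUCKET_ACL", "HIGH", "ACTIVE"),
    sample("f2", "111", "OPEN_FIREWALL", "HIGH", "ACTIVE", {"accepted_risk": "true"}),
    sample("f3", "222", "PARTNER_FINDING", "MEDIUM", "ACTIVE"),
    sample("f4", "111", "PUBLIC_BUCKET_ACL", "HIGH", "INACTIVE"),
]

if __name__ == "__main__":
    print(json.dumps(route_batch(SAMPLE_ENVELOPES), indent=2))
    print(scc_filter(category="PUBLIC_BUCKET_ACL", marks={"env": "prod"}))
```

Running the module routes the first sample to the paging queue, the accepted-risk and inactive samples away from alerting, and the partner-sourced medium finding to a ticket queue; the `scc_filter` output is the kind of expression you would pass to the findings list call to retrieve, for example, only active findings that carry a given mark. Keeping the mark check in the receiver rather than deleting findings preserves the asset and finding history the page describes.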

What's next