What Security Command Center offers
Security Command Center is Google Cloud's centralized vulnerability and threat reporting service. Security Command Center helps you strengthen your security posture by evaluating your security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities, and threats; and helping you mitigate and remediate risks.
Security Command Center tiers
The tier you select determines the built-in Security Command Center services that are available for your organization:
Standard tier features
The Premium tier includes all Standard tier features and adds the following:
Event Threat Detection also identifies the following Google Workspace threats:
- VM Manager vulnerability reports
For information about costs associated with using a Security Command Center tier, see Pricing.
To subscribe to the Security Command Center Premium tier, contact your account representative.
Strengthen your security posture
Security Command Center works with Cloud Asset Inventory to provide complete visibility into your Google Cloud infrastructure and resources, also referred to as assets. Built-in services—Security Health Analytics, Event Threat Detection, Container Threat Detection, and Web Security Scanner—use nearly 200 detection modules that continuously monitor and scan your assets, web applications, Cloud Logging stream, Google Workspace logs, and Google Groups.
Powered by Google's threat intelligence, machine learning, and unique insights into the architecture of Google Cloud, Security Command Center detects vulnerabilities, misconfigurations, threats, and compliance violations in near-real time. Security findings and compliance reports help you triage and prioritize risks, and provide verified remediation instructions and expert tips for responding to findings.
The following figure illustrates the core services and operations in Security Command Center.
Expansive inventory of assets, data, and services
Security Command Center ingests data about new, modified, and deleted assets from Cloud Asset Inventory, which continuously monitors assets in your cloud environment. Security Command Center supports a large subset of Google Cloud assets. For most assets, configuration changes, including IAM and organization policies, are detected in near-real time. You can quickly identify changes in your organization and answer questions like:
- How many projects do you have, and how many projects are new?
- What Google Cloud resources are deployed or in use, like Compute Engine virtual machines (VMs), Cloud Storage buckets, or App Engine instances?
- What's your deployment history?
- How to organize, annotate, search, select, filter, and sort across the
  - Assets and asset properties
  - Security marks, which enable you to annotate assets or findings in Security Command Center
  - Time period
Security Command Center always knows the current state of supported assets and, in the Google Cloud Console or Security Command Center API, lets you review historical discovery scans to compare assets between points in time. You can also look for underused assets, like virtual machines or idle IP addresses.
Actionable security insights
Security Command Center's built-in and integrated services continuously monitor your assets and logs for indicators of compromise and configuration changes that match known threats, vulnerabilities, and misconfigurations. To provide context for incidents, findings are enriched with information from the following sources:
- Chronicle, a Google Cloud service that ingests Event Threat Detection findings and lets you investigate threats and pivot through related entities in a unified timeline
- VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses
- MITRE ATT&CK framework, which explains techniques for attacks against cloud resources and provides remediation guidance
- Cloud Audit Logs (Admin Activity logs and Data Access logs)
You get notifications for new findings in near-real time, helping your security teams gather data, identify threats, and act on recommendations before they result in business damage or loss.
With a centralized dashboard and robust API, you can quickly do the following:
- Answer questions like:
  - What static IP addresses are open to the public?
  - What images are running on your VMs?
  - Is there evidence that your VMs are being used for coin-mining or other abusive operations?
  - Which service accounts have been added or removed?
  - How are firewalls configured?
  - Which storage buckets contain personally identifiable information (PII) or sensitive data? This feature requires integration with Cloud Data Loss Prevention.
  - Which cloud applications are vulnerable to cross-site scripting (XSS)?
  - Are any of my Cloud Storage buckets open to the internet?
- Take actions to protect your assets:
  - Implement verified remediation steps for asset misconfigurations and compliance violations.
  - Combine threat intelligence from Google Cloud and third-party providers, such as Palo Alto Networks, to better protect your enterprise from costly compute-layer threats.
  - Ensure the appropriate IAM policies are in place and get alerts when policies are misconfigured or unexpectedly changed.
  - Integrate findings from your own or third-party sources for Google Cloud resources, or hybrid or multi-cloud resources. For more information, see Adding a third-party security service.
  - Respond to threats in your Google Workspace environment and unsafe changes in Google Groups.
Security Command Center roles are granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, security sources, and security marks depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.
Remain compliant with industry standards
Compliance reporting is available as part of Security Health Analytics. Most of the service's detectors are mapped to one or more of the following compliance standards:
- CIS Google Cloud Computing Foundations Benchmark v1.1.0 (CIS Google Cloud Foundation 1.1)
- CIS Google Cloud Computing Foundations Benchmark v1.0.0 (CIS Google Cloud Foundation 1.0)
- Payment Card Industry Data Security Standard 3.2.1
- National Institute of Standards and Technology 800-53
- International Organization for Standardization 27001
- Open Web Application Security Project (OWASP) Top Ten
Security Health Analytics continuously evaluates your security posture against compliance standards. In addition, Security Command Center makes it easy to do the following:
- Monitor and resolve compliance violations that are associated with findings.
- Integrate Cloud Audit Logging events for Compute Engine, networking services, Cloud Storage, IAM, and Binary Authorization. This helps you meet regulatory requirements and provides an audit trail while investigating incidents.
- If you subscribe to Security Command Center Premium, you get additional reporting and exporting options to verify that all of your resources meet compliance requirements.
Flexible platform to meet your security needs
Security Command Center includes integration options that let you enhance the service's utility to meet your evolving security needs:
- Use Pub/Sub to export findings to Splunk or other SIEMs for analysis.
- Use Pub/Sub and Cloud Functions to quickly and automatically remediate findings.
- Access open-source tools to expand functionality and automate responses.
- Integrate with Google Cloud security tools, including the following:
- Integrate with third-party partner security solutions:
  - Google Cloud security insights from partner products are aggregated in Security Command Center, and you can feed them into existing systems and workflows.
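The Pub/Sub and Cloud Functions integration described above, as an added Python example written for this page rather than Google's own sample code: a Pub/Sub-triggered function decodes a Security Command Center finding notification, skips findings that are no longer active or that a security mark records as accepted risk, and maps the finding category to the remediation a responder would carry out. The notification payload is assumed to follow the documented NotificationMessage shape (`notificationConfigName`, `finding`, `resource`) and the sample message, organization and source IDs, and bucket name are constructed here; the category strings in `REMEDIATIONS` are Security Health Analytics detector names as I know them, and the `accepted_risk` security mark is a convention invented for this example. The handler only decides and logs; applying the change to the resource would be done with the relevant Google Cloud client library.

```python
import base64
import json

# Constructed sample of the JSON that Security Command Center publishes to a
# Pub/Sub topic when a finding is created or updated. The IDs and the bucket
# name are made up for this example.
SAMPLE_NOTIFICATION = {
    "notificationConfigName": "organizations/123456789012/notificationConfigs/export-to-remediator",
    "finding": {
        "name": "organizations/123456789012/sources/5555555555/findings/0123456789abcdef",
        "parent": "organizations/123456789012/sources/5555555555",
        "resourceName": "//storage.googleapis.com/example-public-bucket",
        "state": "ACTIVE",
        "category": "PUBLIC_BUCKET_ACL",
        "severity": "HIGH",
        "eventTime": "2021-04-01T12:00:00Z",
        "sourceProperties": {
            "Recommendation": "Remove allUsers and allAuthenticatedUsers from the bucket's IAM policy."
        },
        "securityMarks": {"marks": {}},
    },
    "resource": {
        "name": "//storage.googleapis.com/example-public-bucket",
        "projectDisplayName": "example-project",
    },
}

# Assumed mapping from a few Security Health Analytics categories to the
# remediation a responder would carry out. Categories not listed fall through
# to manual review rather than to an automatic action.
REMEDIATIONS = {
    "PUBLIC_BUCKET_ACL": "remove_public_access",
    "OPEN_FIREWALL": "restrict_firewall_source_ranges",
    "SQL_PUBLIC_IP": "disable_public_ip",
}

# Security mark (a convention assumed for this example) that records an
# accepted risk so the remediator does not undo a deliberate configuration.
ACCEPTED_RISK_MARK = "accepted_risk"


def decode_pubsub_event(event):
    """Return the notification dict carried in a Pub/Sub-triggered Cloud
    Functions event, whose 'data' field is base64-encoded JSON."""
    payload = base64.b64decode(event["data"]).decode("utf-8")
    return json.loads(payload)


def triage(notification):
    """Decide what to do with one finding notification.

    Returns a dict with the finding name, category, severity, affected
    resource, the detector's recommendation text and the chosen action:
    'ignore' (finding no longer active), 'accepted_risk' (marked as such),
    a remediation from REMEDIATIONS, or 'manual_review' for anything else."""
    finding = notification["finding"]
    marks = finding.get("securityMarks", {}).get("marks", {})
    result = {
        "finding": finding["name"],
        "category": finding["category"],
        "severity": finding.get("severity", "SEVERITY_UNSPECIFIED"),
        "resource": finding["resourceName"],
        "recommendation": finding.get("sourceProperties", {}).get("Recommendation"),
    }
    if finding["state"] != "ACTIVE":
        result["action"] = "ignore"
    elif marks.get(ACCEPTED_RISK_MARK) == "true":
        result["action"] = "accepted_risk"
    else:
        result["action"] = REMEDIATIONS.get(finding["category"], "manual_review")
    return result


def handle_finding(event, context=None):
    """Entry point with the background Cloud Functions signature for a
    Pub/Sub trigger. It logs the decision as one JSON line and returns it."""
    decision = triage(decode_pubsub_event(event))
    print(json.dumps(decision))
    return decision


def make_event(notification):
    """Wrap a notification dict the way Pub/Sub delivers it to the function
    (used here to exercise the handler offline)."""
    data = base64.b64encode(json.dumps(notification).encode("utf-8")).decode("ascii")
    return {"data": data}


if __name__ == "__main__":
    handle_finding(make_event(SAMPLE_NOTIFICATION))
```

Keeping the decision separate from the action is deliberate: the triage result can be exported to your SIEM alongside the original finding, and the state and security-mark checks stop the function from re-remediating findings that have already been closed or that a reviewer has accepted.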
When to use Security Command Center
The following table includes high-level product features, use cases, and links to relevant documentation to help you quickly find the content you need.
| Feature | Use cases | Related docs |
|---|---|---|
| Asset discovery and inventory | | Optimize Security Command Center |
| Confidential data identification | | Sending Cloud DLP results to SCC |
| SIEM and SOAR integration | | Exporting Security Command Center data |
| | | Web Security Scanner overview |
| Access control monitoring | | Event Threat Detection overview; Investigating and responding to threats |
| Third-party security tool inputs | | Configuring Security Command Center; Setting up finding notifications |
| REST API and Client SDKs | | Configuring Security Command Center |
- Get started with the quickstart for Security Command Center.
- Learn more about Google Cloud security sources for vulnerabilities and threats.
- Learn how to use the Security Command Center dashboard.