Security sources for vulnerabilities and threats

A list of the Google Cloud security sources that are available in Security Command Center. When you enable a security source, it provides vulnerability and threat data in the Security Command Center dashboard.

Security Command Center enables you to filter and view vulnerability and threat findings in many different ways, such as by finding type, by resource type, or for a specific asset. Each security source might provide additional filters to help you organize your organization's findings.

For more information, see Using the Security Command Center dashboard.

Vulnerabilities

Vulnerability detectors can help you find potential weaknesses.

Security Health Analytics vulnerability types

Security Health Analytics managed vulnerability assessment scanning for Google Cloud can automatically detect common vulnerabilities and misconfigurations across:

  • Cloud Monitoring and Cloud Logging
  • Compute Engine
  • Google Kubernetes Engine containers and networks
  • Cloud Storage
  • Cloud SQL
  • Identity and Access Management (IAM)
  • Cloud Key Management Service (Cloud KMS)
  • Cloud DNS

Security Health Analytics is automatically enabled when you select the Security Command Center Standard or Premium tier. When Security Health Analytics is enabled, scans automatically run twice a day, 12 hours apart.

Security Health Analytics scans for many vulnerability types. You can group findings by detector type. Use Security Health Analytics detector names to filter findings by the resource type the finding is for.

To view a complete list of Security Health Analytics detectors and findings, see the Security Health Analytics findings page.

Web Security Scanner

Web Security Scanner provides managed and custom web vulnerability scanning for public web applications served from App Engine, GKE, and Compute Engine.

Managed scans

Web Security Scanner managed scans are configured and managed by Security Command Center. Managed scans automatically run once each week to detect and scan public web endpoints. These scans don't use authentication and they send GET-only requests so they don't submit any forms on live websites.

Managed scans run separately from custom scans that you define at the project level. You can use managed scans to centrally manage basic web application vulnerability detection for projects in your organization, without having to involve individual project teams. When findings are discovered, you can work with those teams to set up more comprehensive custom scans.

When you enable Web Security Scanner as a service, managed scan findings are automatically available in the Security Command Center vulnerabilities tab and related reports. For information about how to enable Web Security Scanner managed scans, see configuring Security Command Center.

Custom scans

Web Security Scanner custom scans provide granular information about application vulnerability findings, like outdated libraries, cross-site scripting, or use of mixed content. Custom scan findings are available in Security Command Center after you complete the guide to set up Web Security Scanner custom scans.

The following table describes the supported detectors and their best-effort mapping to relevant compliance regimes.

The CIS Google Cloud Foundation 1.0 mappings have been reviewed and certified by the Center for Internet Security for alignment with the CIS Google Cloud Computing Foundations Benchmark v1.0.0. Additional compliance mappings are included for reference and are not provided or reviewed by the Payment Card Industry Data Security Standard or the OWASP Foundation. You should refer to CIS Google Cloud Computing Foundations Benchmark v1.0.0 (CIS Google Cloud Foundation 1.0), Payment Card Industry Data Security Standard 3.2.1 (PCI-DSS v3.2.1), OWASP Top Ten, National Institute of Standards and Technology 800-53 (NIST 800-53), and International Organization for Standardization 27001 (ISO 27001) for how to check for these violations manually.

This functionality is only intended for you to monitor for compliance controls violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification or report of compliance of your products or services with any regulatory or industry benchmarks or standards.

Following are finding types that are identified by Web Security Scanner custom and managed scans.

Table 18. Web Security Scanner findings

| Category | Finding description | CIS GCP Foundation 1.0 | PCI-DSS v3.2.1 | OWASP Top 10 | NIST 800-53 | ISO-27001 |
|---|---|---|---|---|---|---|
| ACCESSIBLE_GIT_REPOSITORY | A Git repository is exposed publicly. To resolve this, remove unintentional public access to the Git repository. | | | A3 | | |
| ACCESSIBLE_SVN_REPOSITORY | An SVN repository is exposed publicly. To resolve this, remove unintentional public access to the SVN repository. | | | A3 | | |
| CLEAR_TEXT_PASSWORD | Passwords are being transmitted in clear text and can be intercepted. To resolve this, encrypt the password transmitted over the network. | | | A3 | | |
| INVALID_CONTENT_TYPE | A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this, set the `X-Content-Type-Options` HTTP header with the correct value. | | | A6 | | |
| INVALID_HEADER | A security header has a syntax error and will be ignored by browsers. To resolve this, set HTTP security headers correctly. | | | A6 | | |
| MISMATCHING_SECURITY_HEADER_VALUES | A security header has duplicated, mismatching values, which results in undefined behavior. To resolve this, set HTTP security headers correctly. | | | A6 | | |
| MISSPELLED_SECURITY_HEADER_NAME | A security header is misspelled and will be ignored. To resolve this, set HTTP security headers correctly. | | | A6 | | |
| MIXED_CONTENT | Resources are being served over HTTP on an HTTPS page. To resolve this, make sure that all resources are served over HTTPS. | | | A6 | | |
| OUTDATED_LIBRARY | A library was detected that has known vulnerabilities. To resolve this, upgrade libraries to a newer version. | | | A9 | | |
| XSS | A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this, validate and escape untrusted user-supplied data. | | | A7 | | |
| XSS_ANGULAR_CALLBACK | A user-provided string isn't escaped and can be interpolated by AngularJS. To resolve this, validate and escape untrusted user-supplied data handled by the Angular framework. | | | A7 | | |
| XSS_ERROR | A field in this web application is vulnerable to a cross-site scripting attack. To resolve this, validate and escape untrusted user-supplied data. | | | A7 | | |
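As an added illustration of the header-related categories in the table above (INVALID_HEADER, MISSPELLED_SECURITY_HEADER_NAME, MISMATCHING_SECURITY_HEADER_VALUES and MIXED_CONTENT), the following Python checker maps a captured response's headers and body onto those categories. It is not Web Security Scanner's code; the set of known headers and the accepted values are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Canonical names and accepted values for the headers checked here. This list is
# constructed for the example; the page does not enumerate the scanner's own set.
KNOWN = {
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(deny|sameorigin)$", re.I),
    "strict-transport-security": re.compile(
        r"^max-age=\d+(;\s*includesubdomains)?(;\s*preload)?$", re.I),
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-misses of a known header name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_headers(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Map a response's (name, value) header pairs onto the finding categories
    from the table above. Pairs are used so that duplicate headers are kept."""
    findings: List[Tuple[str, str]] = []
    seen: Dict[str, set] = {}
    for name, value in headers:
        lname, lvalue = name.strip().lower(), value.strip()
        if lname in KNOWN:
            if not KNOWN[lname].match(lvalue):          # syntax error: browsers ignore it
                findings.append(("INVALID_HEADER", lname))
            seen.setdefault(lname, set()).add(lvalue.lower())
        elif any(0 < edit_distance(lname, k) <= 2 for k in KNOWN):
            findings.append(("MISSPELLED_SECURITY_HEADER_NAME", name))
    for lname, values in seen.items():
        if len(values) > 1:                             # duplicated with conflicting values
            findings.append(("MISMATCHING_SECURITY_HEADER_VALUES", lname))
    return findings

def find_mixed_content(page_url: str, html: str) -> List[str]:
    """Return http:// subresource URLs referenced by a page served over https://."""
    if not page_url.lower().startswith("https://"):
        return []
    return re.findall(r"""(?:src|href)=["'](http://[^"']+)["']""", html, re.I)
```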

Threats

Threat detectors can help you find potentially harmful events.

Anomaly Detection

Anomaly Detection is a built-in service that uses behavior signals from outside your system. It displays granular information about security anomalies detected for your projects and Virtual Machine (VM) instances, like potential leaked credentials and coin mining. Anomaly Detection is automatically enabled when you subscribe to Security Command Center Standard or Premium tier, and findings are available in the Security Command Center dashboard.

Example Anomaly Detection findings include the following:

Table B. Anomaly Detection finding types

| Potential for Compromise | Description |
|---|---|
| Leaked Service Account Credentials | Google Cloud service account credentials that are accidentally leaked online or compromised. |
| Potential Compromised Machine | Potential compromise of a resource in your organization. |

| Abuse Scenarios | Description |
|---|---|
| Resource used for cryptomining | Behavioral signals around a VM in your organization indicate that it might have been compromised and could be getting used for cryptomining. |
| Resource used for outbound intrusion | Intrusion attempts and port scans: one of the resources or Google Cloud services in your organization is being used for intrusion activities, like an attempt to break in or compromise a target system. These include SSH brute force attacks, port scans, and FTP brute force attacks. |
| Resource used for phishing | One of the resources or Google Cloud services in your organization is being used for phishing. |

Container Threat Detection

Container Threat Detection can detect the most common container runtime attacks and alert you in Security Command Center and optionally in Cloud Logging. Container Threat Detection includes several detection capabilities, an analysis tool, and an API.

Container Threat Detection instrumentation collects low-level behavior from the guest kernel to detect the following events:

  • Added Binary Executed
  • Added Library Loaded
  • Reverse Shell

Learn more about Container Threat Detection.

Cloud Data Loss Prevention

Cloud DLP Data Discovery enables you to surface the results of Cloud Data Loss Prevention (Cloud DLP) scans directly in the Security Command Center dashboard and Findings inventory. Cloud DLP can help you to better understand and manage sensitive data and Personally Identifiable Information (PII) like the following:

  • Credit card numbers
  • Names
  • Social security numbers
  • US and selected international identifying numbers
  • Phone numbers
  • Google Cloud credentials

Each Cloud DLP Data Discovery finding only includes the category type of the identified PII data and the resource it was found in. It doesn't include any of the specific underlying data.

After you complete the setup steps described in the guide to send DLP API results to Security Command Center, Cloud DLP scan results display in Security Command Center.

Event Threat Detection

Event Threat Detection uses log data from inside your systems. It watches your organization's Cloud Logging stream for one or more projects, and consumes logs as they become available. When a threat is detected, Event Threat Detection writes a finding to Security Command Center and to a Cloud Logging project. Event Threat Detection is automatically enabled when you subscribe to the Security Command Center Premium tier, and findings are available in the Security Command Center dashboard.

Example Event Threat Detection findings include the following:

Table C. Event Threat Detection finding types

| Monitoring & Logging | Description |
|---|---|
| Brute force SSH | Event Threat Detection detects SSH brute force attacks by examining SSH logs for repeated failures followed by success. |
| Cryptomining | Event Threat Detection detects coin mining malware by examining VPC logs for connections to known bad domains for mining pools and other log data. |
| IAM abuse | Malicious grants: Event Threat Detection detects the addition of accounts from outside of your organization's domain that have the Owner or Editor permission at the organization or project level. The malicious grants finding helps you to identify which accounts have which permissions, the resource the permission applies to, and the user inside your organization that granted the permissions. |
| Malware | Event Threat Detection detects malware by examining VPC logs for connections to known bad domains and other log data. |
| Phishing | Event Threat Detection detects phishing by examining VPC logs for connections and other log data. |
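To make the IAM abuse row concrete, the following added example (not Event Threat Detection's code) applies the malicious grants rule to constructed SetIamPolicy audit log entries: it reports Owner or Editor bindings added at the organization or project level for members outside the organization's domain, together with the granting principal. The organization domain, the resource names and the simplified protoPayload layout are assumptions made for the example.

```python
from typing import Dict, List

# Organization domains and the roles the page says are flagged (assumed for this example).
ORG_DOMAINS = {"example.com"}
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}

# Constructed SetIamPolicy audit log entries, reduced to the protoPayload fields the check needs.
SAMPLE_ENTRIES = [
    {"protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "resourceName": "projects/demo-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/editor", "member": "user:outsider@gmail.com"},
            {"action": "ADD", "role": "roles/viewer", "member": "user:guest@gmail.com"},
            {"action": "ADD", "role": "roles/owner", "member": "user:lead@example.com"},
        ]}}}},
    {"protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "ops@example.com"},
        "resourceName": "organizations/123456789012",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "REMOVE", "role": "roles/owner", "member": "user:former@gmail.com"},
            {"action": "ADD", "role": "roles/editor", "member": "allAuthenticatedUsers"},
        ]}}}},
]

def member_domain(member: str) -> str:
    """Domain of an IAM member such as 'user:alice@example.com'; special members
    like 'allUsers' or 'allAuthenticatedUsers' have none and never count as internal."""
    _, _, ident = member.partition(":")
    return ident.rsplit("@", 1)[-1].lower() if "@" in ident else ""

def find_malicious_grants(entries: List[dict], org_domains=ORG_DOMAINS) -> List[Dict[str, str]]:
    """Owner/Editor grants to outside accounts at organization or project level, with the granter."""
    findings = []
    for entry in entries:
        p = entry.get("protoPayload", {})
        resource = p.get("resourceName", "")
        if p.get("methodName") != "SetIamPolicy" or not resource.startswith(("projects/", "organizations/")):
            continue
        granter = p.get("authenticationInfo", {}).get("principalEmail", "")
        for d in p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
            if d.get("action") != "ADD" or d.get("role") not in PRIVILEGED_ROLES:
                continue
            if member_domain(d.get("member", "")) in org_domains:
                continue
            findings.append({"member": d["member"], "role": d["role"],
                             "resource": resource, "granted_by": granter})
    return findings
```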

Learn more about Event Threat Detection.

Forseti Security

Forseti Security gives you tools to understand all the resources you have in Google Cloud. The core Forseti modules work together to provide complete information so you can secure resources and minimize security risks.

To display Forseti violation notifications in Security Command Center, follow the Forseti Security Command Center notification guide.

Phishing Protection

Phishing Protection helps prevent users from accessing phishing sites by classifying malicious content that uses your brand and reporting the unsafe URLs to Google Safe Browsing. After a site is propagated to Safe Browsing, users will see warnings across more than three billion devices.

To get started with Phishing Protection, follow the guide to Enable Phishing Protection. After you enable Phishing Protection, results are displayed in Security Command Center in the Phishing Protection card under Findings.

What's next