Security Command Center best practices

This page provides recommendations for managing Security Command Center services and features to help you get the most out of the product.

Security Command Center is a powerful platform for monitoring data and security risks across your organization or individual projects. Security Command Center is designed to provide maximum protection with minimal configuration being necessary. But there are steps you can take to tailor the platform to your workflow and ensure your resources are protected.

Enable Security Command Center Premium tier

The Security Command Center Premium tier includes many more features than the Standard tier.

Security Command Center Standard includes Security Health Analytics, Anomaly Detection, and unmanaged scans in Web Security Scanner, which together detect common vulnerabilities and anomalies in your website or application projects. In the Standard tier, Security Health Analytics only includes a basic group of medium and high-severity detectors.

Security Command Center Premium includes Standard tier services and adds compliance reporting, managed Web Security Scanner scans, all Security Health Analytics detectors, and the following premium-only, built-in services:

Security Command Center Premium also includes attack exposure scores that you can use to prioritize vulnerability and misconfiguration findings, as well as interactive attack paths that help you visualize how a potential attacker might access your high-value resources.

You can activate the Premium tier for organizations or individual projects yourself in the Google Cloud console.

With project-level activations, certain features that require organization-level access are not available, regardless of tier. For more information, see Feature availability with project-level activations.

Activations of the Premium tier are billed based on resource consumption, unless you purchase an organization-level subscription. For more information, see Pricing.

For more information about activating either tier of Security Command Center, see Overview of activating Security Command Center.

For more information about using Security Command Center to improve your security posture, see:

We recommend enabling all built-in services, subject to the best practice recommendations of individual services.

If Security Command Center is already activated, you can confirm which services are enabled on the Settings page.

You can disable any service, but it's best to keep all services in your tier turned on all the time. Keeping all services enabled lets you take advantage of continuous updates and helps ensure that protections are provided for new and changed resources.

Before enabling Rapid Vulnerability Detection or Web Security Scanner in production, review their best practice information:

For example, during scans, Rapid Vulnerability Detection performs actions that can negatively impact your production resources, like accessing administrator interfaces and attempting to log into your VMs. As a best practice, use Rapid Vulnerability Detection to scan resources in non-production environments before you deploy them to production.

Also, consider enabling integrated services (Anomaly Detection, Sensitive Data Protection, and Google Cloud Armor), exploring third-party security services, and turning on Cloud Logging for Event Threat Detection and Container Threat Detection. Depending on the quantity of information, Sensitive Data Protection and Google Cloud Armor costs can be significant. Follow best practices for keeping Sensitive Data Protection costs under control and read the Google Cloud Armor pricing guide.

To learn more about Security Command Center services, watch the following videos:

Enable logs for Event Threat Detection

If you use Event Threat Detection, you might need to turn on certain logs that Event Threat Detection scans. Although some logs are always on, such as Cloud Logging Admin Activity audit logs, other logs, such as most Data Access audit logs, are off by default and need to be enabled before Event Threat Detection can scan them.

Some of the logs that you should consider enabling include:

  • Cloud Logging Data Access audit logs
  • Google Workspace logs (organization-level activations only)

Which logs you need to enable depends on:

  • The Google Cloud services you are using
  • The security needs of your business

Logging might charge for the ingestion and storage of certain logs. Before enabling any logs, review Logging Pricing.

After a log is enabled, Event Threat Detection starts scanning it automatically.

For more detailed information about which detection modules require which logs and which of those logs you need to turn on, see Logs that you need to turn on.

Define your high-value resource set

To help you prioritize vulnerability and misconfiguration findings that expose the resources that are the most important to you to protect, specify which of your high-value resources belong in your high-value resource set.

Findings that expose the resources in your high-value resource set get higher attack exposure scores.

You specify the resources that belong in your high-value resource set by creating resource value configurations. Until you create your first resource value configuration, Security Command Center uses a default high-value resource set that is not customized to your security priorities.

Use Security Command Center in the Google Cloud console

In the Google Cloud console, Security Command Center provides features and visual elements that are not yet available in the Security Command Center API. The features, including an intuitive interface, formatted charts, compliance reports, and visual hierarchies of resources, give you greater insight into your organization. For more information, see Using Security Command Center in the Google Cloud console.

Extend functionality with the API and gcloud

If you need programmatic access, try out the Security Command Center API, which lets you access and control your Security Command Center environment. You can use API Explorer, labeled "Try This API" in panels on API reference pages, to interactively explore the Security Command Center API without an API key. You can check out available methods and parameters, execute requests, and see responses in real time.

The Security Command Center API lets analysts and administrators manage your resources and findings. Engineers can use the API to build custom reporting and monitoring solutions. In one example, see how our solutions architects used the Security Command Center API to Report Policy Controller audit violations in Security Command Center.

Extend functionality with custom detection modules

If you need detectors that meet the unique needs of your organization, consider creating custom modules:

Review and manage resources

Security Command Center displays all of your assets on the Assets page in the Google Cloud console, where you can query your assets and view information about them, including related findings, their change history, their metadata, and IAM policies.

The asset information on the Assets page is read from Cloud Asset Inventory. To receive real-time notifications about resource and policy changes, create and subscribe to a feed.

For more information, see Assets page.

Rapidly respond to vulnerabilities and threats

Security Command Center findings provide records of detected security issues that include extensive details on the affected resources and step-by-step suggested instructions for investigating and remediating vulnerabilities and threats.

Vulnerabilities findings describe the detected vulnerability or misconfiguration, calculate an attack exposure score, and an estimated severity. Vulnerabilities findings also alert you to violations of security standards or benchmarks. For more information, see Supported benchmarks.

With Security Command Center Premium, vulnerability findings also include information from Mandiant about the exploitability and potential impact of the vulnerability based on the vulnerability's corresponding CVE record. You can use this information to help prioritize the remediation of the vulnerability. For more information, see Prioritize by CVE impact and exploitability.

Threat findings include data from the MITRE ATT&CK framework, which explains techniques for attacks against cloud resources and provides remediation guidance, and VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.

The following guides are a starting point to help you fix issues and protect your resources.

Control finding volume

To control the volume of findings in Security Command Center, you can manually or programmatically mute individual findings, or create mute rules that automatically mute current and future findings based on filters you define.

Muted findings are hidden and silenced, but continue to be logged for audit and compliance purposes. You can view muted findings or unmute them at any time. To learn more, see Mute findings in Security Command Center.

Muting findings is the recommended, and most effective, approach for controlling finding volume. Alternatively, you can use security marks to add assets to allowlists.

Each Security Health Analytics detector has a dedicated mark type that enables you to exclude marked resources from the detection policy. This feature is helpful when you don't want findings created for specific resources or projects.

To learn more about security marks, see Using security marks.

Set up notifications

Notifications alert you to new and updated findings in near-real time and, with email and chat notifications, can do so even when you're not logged in to Security Command Center. Learn more in Setting up finding notifications.

Security Command Center Premium lets you create Continuous Exports, which simplify the process of exporting findings to Pub/Sub.

Explore Cloud Functions

Cloud Functions is a Google Cloud service that lets you connect cloud services and run code in response to events. You can use the Notifications API and Cloud Functions to send findings to third-party remediation and ticketing systems or take automated actions, like automatically closing findings.

To get started, visit Security Command Center's open source repository of Cloud Functions code. The repository contains solutions to help you take automated actions on security findings.

Keep communications on

Security Command Center is regularly updated with new detectors and features. Release notes inform you about product changes and updates to documentation. But you can set your communication preferences in the Google Cloud console to receive product updates and special promotions by email or mobile. You can also let us know whether you're interested in participating in user surveys and pilot programs.

If you have comments or questions, you can give feedback by talking with your salesperson, contacting our Cloud Support staff, or filing a bug.

What's next