Security Command Center best practices

This page provides recommendations for managing Security Command Center services and features to help you get the most out of the product.

Security Command Center is a powerful platform for monitoring data and security risks across your organization or individual projects. Security Command Center is designed to provide maximum protection with minimal configuration being necessary. But there are steps you can take to tailor the platform to your workflow and ensure your resources are protected.

Enable the Premium tier or Enterprise tier

The Premium and Enterprise tiers of Security Command Center provide the most protection through a broad set of cloud security and security operations capabilities, including threat detection, software vulnerability detection, compliance assessments, and much more. The Standard tier offers only a limited set of services and features.

For more information about all of the Security Command Center capabilities, see Security Command Center overview.

For information about the capabilities that are included with each tier, see the following information:

Use project-level activations of the Premium tier

You can activate the Premium tier for organizations or individual projects yourself in the Google Cloud console.

With project-level activations, certain features that require organization-level access are not available, regardless of tier. For more information, see Feature availability with project-level activations.

Activations of the Premium tier are billed based on resource consumption, unless you purchase an organization-level subscription. For more information, see Pricing.

For more information about activating either tier of Security Command Center, see Overview of activating Security Command Center.

Enable all built-in services

We recommend enabling all built-in services, subject to the best practice recommendations of individual services.

If Security Command Center is already activated, you can confirm which services are enabled on the Settings page.

You can disable any service, but it's best to keep all services in your tier turned on all the time. Keeping all services enabled lets you take advantage of continuous updates and helps ensure that protections are provided for new and changed resources.

Before enabling Web Security Scanner in production, review Web Security Scanner best practices.

Also, consider enabling integrated services (Anomaly Detection, Sensitive Data Protection, and Google Cloud Armor), exploring third-party security services, and turning on Cloud Logging for Event Threat Detection and Container Threat Detection. Depending on the quantity of information, Sensitive Data Protection and Google Cloud Armor costs can be significant. Follow best practices for keeping Sensitive Data Protection costs under control and read the Google Cloud Armor pricing guide.

Enable logs for Event Threat Detection

If you use Event Threat Detection, you might need to turn on certain logs that Event Threat Detection scans. Although some logs are always on, such as Cloud Logging Admin Activity audit logs, other logs, such as most Data Access audit logs, are off by default and need to be enabled before Event Threat Detection can scan them.

Some of the logs that you should consider enabling include:

  • Cloud Logging Data Access audit logs
  • Google Workspace logs (organization-level activations only)

Which logs you need to enable depends on:

  • The Google Cloud services you are using
  • The security needs of your business

Logging might charge for the ingestion and storage of certain logs. Before enabling any logs, review Logging Pricing.

After a log is enabled, Event Threat Detection starts scanning it automatically.

For more detailed information about which detection modules require which logs and which of those logs you need to turn on, see Logs that you need to turn on.
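The practical step behind this section is a read-modify-write of the project's IAM policy: fetch the policy, add Data Access audit logging to its auditConfigs without disturbing existing bindings, exemptions or the etag, and write it back. The following script is an added example, not code from Google's documentation or from Security Command Center itself. The policy document and its members are constructed sample data; the only assumptions are the documented IAM policy JSON shape (auditConfigs with service and auditLogConfigs) and the gcloud commands named in the comments.

```python
import copy

# The three log types that make up Data Access audit logs in an IAM policy
# auditConfig. Admin Activity audit logs are always on and are not configured here.
DATA_ACCESS_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample of the JSON that `gcloud projects get-iam-policy PROJECT_ID
# --format=json` returns: one role binding, Data Access reads already on for
# Cloud Storage (with an exempted member), and the etag needed for write-back.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["user:analyst@example.com"]}
    ],
    "auditConfigs": [
        {
            "service": "storage.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ", "exemptedMembers": ["user:bot@example.com"]}
            ],
        }
    ],
    "etag": "BwX1abc=",
    "version": 1,
}


def enabled_log_types(policy, service):
    """Return the set of audit log types currently enabled for `service`."""
    for config in policy.get("auditConfigs", []):
        if config.get("service") == service:
            return {c["logType"] for c in config.get("auditLogConfigs", [])}
    return set()


def enable_data_access_logs(policy, service="allServices"):
    """Return a copy of `policy` with all Data Access log types enabled for `service`.

    Bindings, the etag and audit configs for other services are left untouched,
    and log types that are already present (including their exemptedMembers) are
    not duplicated, so the function is safe to run repeatedly and the result can
    be written back with `gcloud projects set-iam-policy PROJECT_ID policy.json`.
    """
    updated = copy.deepcopy(policy)
    audit_configs = updated.setdefault("auditConfigs", [])
    entry = next((c for c in audit_configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        audit_configs.append(entry)
    present = {c["logType"] for c in entry.setdefault("auditLogConfigs", [])}
    for log_type in DATA_ACCESS_LOG_TYPES:
        if log_type not in present:
            entry["auditLogConfigs"].append({"logType": log_type})
    return updated


def missing_data_access_logs(policy, service="allServices"):
    """Pre-flight check: which Data Access log types are still off for `service`."""
    return [t for t in DATA_ACCESS_LOG_TYPES if t not in enabled_log_types(policy, service)]


if __name__ == "__main__":
    import json
    import sys
    # Usage:
    #   gcloud projects get-iam-policy PROJECT_ID --format=json | python enable_data_access.py > policy.json
    #   gcloud projects set-iam-policy PROJECT_ID policy.json
    # With no piped input the constructed SAMPLE_POLICY is used instead.
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    json.dump(enable_data_access_logs(policy), sys.stdout, indent=2)
```

Keeping the etag in the written-back policy is what makes the update safe: set-iam-policy rejects the write if the policy changed in between. Run missing_data_access_logs on the fetched policy first to see what is still off, and keep in mind that turning on DATA_READ for allServices is the setting most likely to raise Cloud Logging costs.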

Define your high-value resource set

To help you prioritize vulnerability and misconfiguration findings that expose the resources that are most important for you to protect, specify which of your resources belong in your high-value resource set.

Findings that expose the resources in your high-value resource set get higher attack exposure scores.

You specify the resources that belong in your high-value resource set by creating resource value configurations. Until you create your first resource value configuration, Security Command Center uses a default high-value resource set that is not customized to your security priorities.

Use Security Command Center in the Google Cloud console

In the Google Cloud console, Security Command Center provides features and visual elements that are not yet available in the Security Command Center API. The features, including an intuitive interface, formatted charts, compliance reports, and visual hierarchies of resources, give you greater insight into your organization. For more information, see Using Security Command Center in the Google Cloud console.

Extend functionality with the API and gcloud

If you need programmatic access, try out the Security Command Center API, which lets you access and control your Security Command Center environment. You can use API Explorer, labeled "Try This API" in panels on API reference pages, to interactively explore the Security Command Center API without an API key. You can check out available methods and parameters, execute requests, and see responses in real time.

The Security Command Center API lets analysts and administrators manage your resources and findings. Engineers can use the API to build custom reporting and monitoring solutions.

Extend functionality with custom detection modules

If you need detectors that meet the unique needs of your organization, consider creating custom modules:

Review and manage resources

Security Command Center displays all of your assets on the Assets page in the Google Cloud console, where you can query your assets and view information about them, including related findings, their change history, their metadata, and IAM policies.

The asset information on the Assets page is read from Cloud Asset Inventory. To receive real-time notifications about resource and policy changes, create and subscribe to a feed.

For more information, see Assets page.

Rapidly respond to vulnerabilities and threats

Security Command Center findings provide records of detected security issues that include extensive details on the affected resources and step-by-step suggested instructions for investigating and remediating vulnerabilities and threats.

Vulnerability findings describe the detected vulnerability or misconfiguration and include an attack exposure score and an estimated severity. Vulnerability findings also alert you to violations of security standards and benchmarks. For more information, see Supported benchmarks.

With Security Command Center Premium, vulnerability findings also include information from Mandiant about the exploitability and potential impact of the vulnerability based on the vulnerability's corresponding CVE record. You can use this information to help prioritize the remediation of the vulnerability. For more information, see Prioritize by CVE impact and exploitability.

Threat findings include data from the MITRE ATT&CK framework, which explains techniques for attacks against cloud resources and provides remediation guidance, and VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.

The following guides are a starting point to help you fix issues and protect your resources.

Control finding volume

To control the volume of findings in Security Command Center, you can manually or programmatically mute individual findings, or create mute rules that automatically mute current and future findings based on filters you define.

Muted findings are hidden and silenced, but continue to be logged for audit and compliance purposes. You can view muted findings or unmute them at any time. To learn more, see Mute findings in Security Command Center.

Muting findings is the recommended, and most effective, approach for controlling finding volume. Alternatively, you can use security marks to add assets to allowlists.

Each Security Health Analytics detector has a dedicated mark type that enables you to exclude marked resources from the detection policy. This feature is helpful when you don't want findings created for specific resources or projects.

To learn more about security marks, see Using security marks.

Set up notifications

Notifications alert you to new and updated findings in near-real time and, with email and chat notifications, can do so even when you're not logged in to Security Command Center. Learn more in Setting up finding notifications.

Security Command Center Premium lets you create Continuous Exports, which simplify the process of exporting findings to Pub/Sub.

Explore Cloud Functions

Cloud Functions is a Google Cloud service that lets you connect cloud services and run code in response to events. You can use the Notifications API and Cloud Functions to send findings to third-party remediation and ticketing systems or take automated actions, like automatically closing findings.

To get started, visit Security Command Center's open source repository of Cloud Functions code. The repository contains solutions to help you take automated actions on security findings.
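The pattern the two sections above describe is a notification config that publishes findings to Pub/Sub and a Cloud Function that acts on each one. The following handler is an added example, not code from Google's documentation or from the Security Command Center Cloud Functions repository. It decodes the base64 Pub/Sub payload into the NotificationMessage (notificationConfigName, finding, resource), then applies a routing policy of my own choosing: muted or inactive findings are skipped, high-severity threats are paged, vulnerabilities and misconfigurations become tickets, everything else is logged. The three findings are constructed sample data; the queue names and the policy itself are assumptions, and the finding fields used (state, mute, severity, findingClass, category, resourceName) are those of the Security Command Center Finding resource.

```python
import base64
import json

# Severities that page the on-call queue when the finding is a threat.
# Policy choice for this example, not a Security Command Center setting.
PAGE_SEVERITIES = {"CRITICAL", "HIGH"}


def decode_notification(event):
    """Turn a Pub/Sub background-function event into the NotificationMessage dict.

    `event["data"]` carries the base64-encoded JSON that a Security Command Center
    notification config publishes: {"notificationConfigName", "finding", "resource"}.
    """
    payload = base64.b64decode(event["data"]).decode("utf-8")
    return json.loads(payload)


def route_finding(message):
    """Decide what to do with one finding and return the decision as a dict, so the
    logic can be exercised without Pub/Sub, a ticketing system or a pager."""
    finding = message["finding"]
    name = finding["name"]
    # A mute rule or a closed finding has already been decided elsewhere; don't re-alert.
    if finding.get("mute") == "MUTED" or finding.get("state") != "ACTIVE":
        return {"finding": name, "action": "skip", "reason": "muted_or_inactive"}
    severity = finding.get("severity", "SEVERITY_UNSPECIFIED")
    finding_class = finding.get("findingClass", "FINDING_CLASS_UNSPECIFIED")
    if finding_class == "THREAT" and severity in PAGE_SEVERITIES:
        return {"finding": name, "action": "page", "queue": "oncall",
                "category": finding["category"], "resource": finding["resourceName"]}
    if finding_class in ("VULNERABILITY", "MISCONFIGURATION"):
        return {"finding": name, "action": "ticket", "queue": "appsec",
                "category": finding["category"], "severity": severity,
                "resource": finding["resourceName"]}
    return {"finding": name, "action": "log", "severity": severity}


def handle(event, context):
    """Cloud Functions (1st gen) Pub/Sub entry point; `context` is unused."""
    decision = route_finding(decode_notification(event))
    print(json.dumps(decision))  # stdout is captured by Cloud Logging
    return decision


def make_event(finding):
    """Wrap a constructed finding in a Pub/Sub event the way a notification
    config would publish it (test helper, hypothetical config name)."""
    message = {
        "notificationConfigName": "organizations/123/notificationConfigs/scc-router",
        "finding": finding,
        "resource": {"name": finding["resourceName"]},
    }
    return {"data": base64.b64encode(json.dumps(message).encode("utf-8")).decode("ascii")}


# Constructed sample findings (names, IDs and resources are made up).
SAMPLE_THREAT = {
    "name": "organizations/123/sources/456/findings/t1", "state": "ACTIVE", "mute": "UNDEFINED",
    "findingClass": "THREAT", "severity": "HIGH", "category": "Persistence: IAM Anomalous Grant",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/999",
}
SAMPLE_MISCONFIG = {
    "name": "organizations/123/sources/789/findings/m1", "state": "ACTIVE", "mute": "UNMUTED",
    "findingClass": "MISCONFIGURATION", "severity": "HIGH", "category": "PUBLIC_BUCKET_ACL",
    "resourceName": "//storage.googleapis.com/example-bucket",
}
SAMPLE_MUTED = dict(SAMPLE_MISCONFIG, name="organizations/123/sources/789/findings/m2", mute="MUTED")
SAMPLE_OBSERVATION = {
    "name": "organizations/123/sources/456/findings/o1", "state": "ACTIVE", "mute": "UNDEFINED",
    "findingClass": "OBSERVATION", "severity": "LOW", "category": "Example Observation",
    "resourceName": "//compute.googleapis.com/projects/999/zones/us-central1-a/instances/vm-1",
}

if __name__ == "__main__":
    for sample in (SAMPLE_THREAT, SAMPLE_MISCONFIG, SAMPLE_MUTED, SAMPLE_OBSERVATION):
        handle(make_event(sample), None)
```

Deploying this with a Pub/Sub trigger on the topic your notification config publishes to is all that is needed for it to run per finding; the decision dict is where calls to your ticketing or paging system would go. Checking mute and state first matters: mute rules and continuous exports are independent, so a muted finding can still be exported and would otherwise re-alert on every update.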

Keep communications on

Security Command Center is regularly updated with new detectors and features. Release notes inform you about product changes and updates to documentation. In addition, you can set your communication preferences in the Google Cloud console to receive product updates and special promotions by email or on your mobile device. You can also let us know whether you're interested in participating in user surveys and pilot programs.

If you have comments or questions, you can give feedback by talking with your salesperson, contacting our Cloud Support staff, or filing a bug.

What's next