Optimize Security Command Center

This topic provides recommendations for managing Security Command Center services and features to help you get the most out of the product.

Security Command Center is a powerful platform for monitoring data and security risks across your organization and is designed to provide maximum protection with minimal configuration being necessary. But there are steps you can take to tailor the platform to your workflow and ensure your resources are protected.

Enable Security Command Center Premium

Security Command Center Premium includes many more features than the Standard tier.

Security Command Center Standard includes Security Health Analytics, Anomaly Detection, and unmanaged scans in Web Security Scanner, which together detect common vulnerabilities and anomalies in your website or application projects. In the Standard tier, Security Health Analytics only includes a basic group of medium and high-severity detectors.

Security Command Center Premium includes Standard tier services and adds compliance reporting, managed Web Security Scanner scans, and all Security Health Analytics detectors. The Premium tier also includes Container Threat Detection and Event Threat Detection, which provide near-real time threat detection for your organization and containers.

To subscribe to the Premium tier, contact your sales representative or fill out our inquiry form. If you decide you don't need Premium, you can downgrade to Standard.

The following links provide more information about using Security Command Center to improve your security posture:

Enable all built-in services

By default, Security Command Center enables all built-in services, in the tier you select, after onboarding. You can disable any service, but it's best to keep all services in your tier turned on all the time (consider best practices when using Web Security Scanner on production resources). Keeping all services enabled lets you take advantage of continuous updates and helps ensure that protections are provided for new and changed resources.

Also, consider enabling integrated services (Anomaly Detection, Cloud Data Loss Prevention, and Google Cloud Armor), exploring third-party security services, and turning on Cloud Logging for Event Threat Detection and Container Threat Detection. Depending on the quantity of information, Cloud DLP and Google Cloud Armor costs can be significant. Follow best practices for keeping Cloud DLP costs under control and read the Google Cloud Armor pricing guide.

To learn more about Security Command Center services, watch the following videos:

Use the dashboard

The Security Command Center dashboard provides features and visual elements that are not yet available in the Security Command Center API. The features, including an intuitive interface, formatted charts, compliance reports, and visual hierarchies of resources, give you greater insight into your organization. To learn about dashboard features, see Using the Security Command Center dashboard.

Extend functionality with the API and gcloud

If you need programmatic access, try out the Security Command Center API, which lets you access and control your Security Command Center environment. You can use API Explorer, labeled "Try This API" in panels on API reference pages, to interactively explore the Security Command Center API without an API key. You can check out available methods and parameters, execute requests, and see responses in real time.

The Security Command Center API lets analysts and administrators manage your resources and findings. Engineers can use the API to build custom reporting and monitoring solutions. In one example, see how our solutions architects used the Security Command Center API to Report Policy Controller audit violations in Security Command Center.

Review and manage resources

Security Command Center ingests data about supported assets from Cloud Asset Inventory and lets you discover and view your Google Cloud resources in Google Cloud Console. You can use the Assets page in the Security Command Center dashboard to review historical discovery scans and identify new, modified, or deleted assets. You can also look for underused resources, like virtual machines or idle IP addresses. Resources that are not maintained can increase your costs and widen your organization's attack surface.

To receive real-time notifications about resource and policy changes, create and subscribe to a feed.

For more advice on managing resources, see Best practices for enterprise organizations.

Rapidly respond to vulnerabilities and threats

Security Command Center provides extensive details on affected resources and step-by-step suggested instructions for investigating and remediating vulnerabilities and threats.

Vulnerabilities findings alert you to violations of security benchmarks. Supported compliance standards include CIS Google Cloud Computing Foundations Benchmark v1.0.0 (CIS Google Cloud Foundation 1.0), Payment Card Industry Data Security Standard 3.2.1 (PCI-DSS v3.2.1), OWASP Top Ten, National Institute of Standards and Technology 800-53 (NIST 800-53), and International Organization for Standardization 27001 (ISO 27001)

Threat findings include data from the MITRE ATT&CK framework, which explains techniques for attacks against cloud resources and provides remediation guidance, and VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.

The following guides are a starting point to help you fix issues and protect your resources.

Control Security Health Analytics output

To control the volume of findings in Security Health Analytics, use security marks to add assets to allowlists.

Each Security Health Analytics detector has a dedicated mark type that enables you to exclude marked resources from the detection policy. This feature is helpful when you don't want findings created for specific resources or projects.

To learn more about security marks, see Using security marks.

Set up notifications

Notifications alert you to new and updated findings in near-real time and, with email and chat notifications, can do so even when you're not logged in to Security Command Center. Learn more in Setting up finding notifications.

Security Command Center Premium lets you create Continuous Exports, which simplify the process of exporting findings to Pub/Sub.

Explore Cloud Functions

Cloud Functions is a Google Cloud service that lets you connect cloud services and run code in response to events. You can use the Notifications API and Cloud Functions to send findings to third-party remediation and ticketing systems or take automated actions, like automatically closing findings.

To get started, visit Security Command Center's open source repository of Cloud Functions code. The repository contains solutions to help you take automated actions on security findings.

Keep communications on

Security Command Center is regularly updated with new detectors and features. Release notes inform you about product changes and updates to documentation. But you can set your communication preferences in the Cloud Console to receive product updates and special promotions by email or mobile. You can also let us know whether you're interested in participating in user surveys and pilot programs.

If you have comments or questions, you can give feedback by talking with your salesperson, contacting our Cloud Support staff, or filing a bug.

What's next