Google Cloud Security Command Center 2023

Setup and evaluation of Google Cloud Security Command Center, March 2023

When Google Cloud Security Command Center (GCSCC) is set up for the first time, the following options are presented. By default, only the Standard tier features are available.

The Standard tier includes the following services and features:

  • Security Health Analytics: in the Standard tier, Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. In the Standard tier, Security Health Analytics includes the following finding types:
    • Dataproc image outdated
    • Legacy authorization enabled
    • MFA not enforced
    • Non org IAM member
    • Open ciscosecure websm port
    • Open directory services port
    • Open firewall
    • Open group IAM member
    • Open RDP port
    • Open SSH port
    • Open Telnet port
    • Public bucket ACL
    • Public Compute image
    • Public dataset
    • Public IP address
    • Public log bucket
    • Public SQL instance
    • SSL not enforced
    • Web UI enabled
  • Web Security Scanner custom scans: in the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IP addresses that aren’t behind a firewall. Scans are manually configured, managed, and executed for all projects, and support a subset of categories in the OWASP Top Ten.
  • Security Command Center errors: Security Command Center provides detection and remediation guidance for configuration errors that prevent Security Command Center and its services from functioning properly.
  • Continuous Exports feature, which automatically manages the export of new findings to Pub/Sub.
  • Access to integrated Google Cloud services, including the following:
    • Cloud Data Loss Prevention discovers, classifies, and protects sensitive data.
    • Google Cloud Armor protects Google Cloud deployments against threats.
    • Anomaly Detection identifies security anomalies for your projects and virtual machine (VM) instances, like potential leaked credentials and cryptocurrency mining.
  • Integration with BigQuery, which exports findings to BigQuery for analysis.
  • Integration with Forseti Security, the open source security toolkit for Google Cloud, and third-party security information and event management (SIEM) applications.
  • When Security Command Center is activated at the organization level, you can grant users IAM roles at the organization, folder, and project levels.
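To make the Continuous Exports feature concrete, here is an added example (not from these notes or from Google's documentation) of a consumer for the Pub/Sub messages a continuous export publishes: it keeps only ACTIVE findings in the Standard tier Security Health Analytics categories listed above and orders them by severity. It assumes each message body is JSON with a top-level finding object carrying category, severity, state and resourceName, as SCC notification messages do; the sample messages are constructed.

```python
import json
from collections import Counter

# Category ids of the Standard tier Security Health Analytics finding types
# listed above (each id is the upper snake case form of the display name).
STANDARD_SHA_CATEGORIES = frozenset("""
DATAPROC_IMAGE_OUTDATED LEGACY_AUTHORIZATION_ENABLED MFA_NOT_ENFORCED
NON_ORG_IAM_MEMBER OPEN_CISCOSECURE_WEBSM_PORT OPEN_DIRECTORY_SERVICES_PORT
OPEN_FIREWALL OPEN_GROUP_IAM_MEMBER OPEN_RDP_PORT OPEN_SSH_PORT OPEN_TELNET_PORT
PUBLIC_BUCKET_ACL PUBLIC_COMPUTE_IMAGE PUBLIC_DATASET PUBLIC_IP_ADDRESS
PUBLIC_LOG_BUCKET PUBLIC_SQL_INSTANCE SSL_NOT_ENFORCED WEB_UI_ENABLED
""".split())
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def parse_notification(data):
    """Decode one Pub/Sub message body from a continuous export.

    Returns the fields a triage queue needs, or None when the message is not an
    ACTIVE finding in a Standard tier category. Resolved findings are exported
    too (state INACTIVE); dropping them here avoids re-opening closed tickets.
    """
    finding = json.loads(data).get("finding", {})
    if finding.get("state") != "ACTIVE":
        return None
    if finding.get("category") not in STANDARD_SHA_CATEGORIES:
        return None
    return {"name": finding.get("name", ""), "category": finding["category"],
            "severity": finding.get("severity", "SEVERITY_UNSPECIFIED"),
            "resource": finding.get("resourceName", "")}

def triage(messages):
    """Keep actionable findings, most severe first, with a per-severity count."""
    actionable = [f for f in map(parse_notification, messages) if f]
    actionable.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 4))
    return actionable, Counter(f["severity"] for f in actionable)

# Constructed sample messages: EXAMPLE_ORG and the resource names are placeholders.
SAMPLE_MESSAGES = [json.dumps({"finding": f}).encode() for f in [
    {"name": "organizations/EXAMPLE_ORG/sources/1/findings/a1", "state": "ACTIVE",
     "category": "MFA_NOT_ENFORCED", "severity": "MEDIUM",
     "resourceName": "//cloudresourcemanager.googleapis.com/organizations/EXAMPLE_ORG"},
    {"name": "organizations/EXAMPLE_ORG/sources/1/findings/b2", "state": "INACTIVE",
     "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH",
     "resourceName": "//storage.googleapis.com/example-bucket"},
    {"name": "organizations/EXAMPLE_ORG/sources/1/findings/c3", "state": "ACTIVE",
     "category": "OPEN_FIREWALL", "severity": "HIGH",
     "resourceName": "//compute.googleapis.com/projects/example-project/global/firewalls/allow-all"},
]]
```

In a real subscriber, `data` is the `message.data` payload of each pulled Pub/Sub message; the inactive PUBLIC_BUCKET_ACL sample is dropped and the two active findings come back HIGH first.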

Grant Permissions

Security Command Center creates a service account (the service agent) that initially holds no IAM permissions. It must be granted the IAM roles below before it can scan resources for vulnerabilities, store findings, and detect threats.

Required Roles

  • securitycenter.serviceAgent
  • serviceusage.serviceUsageAdmin
  • cloudfunctions.serviceAgent

Service Account Created

  • service-org-id@security-center-api.iam.gserviceaccount.com

Alternatively: grant the roles manually (gcloud)

# Replace ORG_ID with the numeric organization ID; the org-id in the
# service account address is the same value. All three bindings are
# granted at the organization level.
$ gcloud organizations add-iam-policy-binding ORG_ID \
    --member serviceAccount:service-org-id@security-center-api.iam.gserviceaccount.com \
    --role roles/securitycenter.serviceAgent && \
  gcloud organizations add-iam-policy-binding ORG_ID \
    --member serviceAccount:service-org-id@security-center-api.iam.gserviceaccount.com \
    --role roles/serviceusage.serviceUsageAdmin && \
  gcloud organizations add-iam-policy-binding ORG_ID \
    --member serviceAccount:service-org-id@security-center-api.iam.gserviceaccount.com \
    --role roles/cloudfunctions.serviceAgent
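As an added verification step (not part of the original notes), this script reads the JSON that `gcloud organizations get-iam-policy ORG_ID --format=json` prints and reports which of the three required roles the service agent still lacks. The sample policy is constructed; the service account address uses the same org-id placeholder as above.

```python
import json

# Roles the SCC service agent must hold at the organization level (see Required Roles).
REQUIRED_ROLES = ("roles/securitycenter.serviceAgent",
                  "roles/serviceusage.serviceUsageAdmin",
                  "roles/cloudfunctions.serviceAgent")
# org-id is the placeholder for the numeric organization id.
SCC_SERVICE_AGENT = "service-org-id@security-center-api.iam.gserviceaccount.com"

def missing_roles(policy_json, service_account, required=REQUIRED_ROLES):
    """Return the required roles the service account does not hold.

    policy_json is the text printed by
        gcloud organizations get-iam-policy ORG_ID --format=json
    Bindings that carry an IAM condition are not counted: a conditional grant
    can lapse (for example on a time condition) without anyone revoking it.
    """
    member = "serviceAccount:" + service_account
    held = set()
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("condition"):
            continue
        if member in binding.get("members", []):
            held.add(binding.get("role"))
    return [role for role in required if role not in held]

# Constructed sample policy in the shape gcloud prints. The
# cloudfunctions.serviceAgent grant is present but conditional, so it
# should be reported as missing.
SAMPLE_POLICY = json.dumps({
    "version": 1, "etag": "EXAMPLE_ETAG",
    "bindings": [
        {"role": "roles/securitycenter.serviceAgent",
         "members": ["serviceAccount:" + SCC_SERVICE_AGENT]},
        {"role": "roles/serviceusage.serviceUsageAdmin",
         "members": ["user:admin@example.com", "serviceAccount:" + SCC_SERVICE_AGENT]},
        {"role": "roles/cloudfunctions.serviceAgent",
         "members": ["serviceAccount:" + SCC_SERVICE_AGENT],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2023-01-01T00:00:00Z')"}},
    ],
})

if __name__ == "__main__":
    import sys
    # Usage: gcloud organizations get-iam-policy ORG_ID --format=json | python3 check_scc_roles.py
    policy = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    gaps = missing_roles(policy, SCC_SERVICE_AGENT)
    print("all required roles present" if not gaps else "missing: " + ", ".join(gaps))
```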

SCC Integrations

Integrate Sumo Logic with Google Cloud SCC

https://help.sumologic.com/docs/send-data/hosted-collectors/google-source/google-cloud-platform-source/

Log data for Google Cloud Platform (GCP) services is collected and exposed through the Google Cloud Stackdriver service. You can export, in real time, the data collected by Stackdriver to Google Cloud Pub/Sub. We use this Pub/Sub integration to push logs to Sumo Logic in real time.

The Google Cloud Platform (GCP) Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Kubernetes Engine containers and App Engine Flex. The Sumo Logic App for Google Cloud VPC provides visibility into the activities, traffic, and VPC flow in your GCP. The preconfigured dashboards provide you details on the VPC flows, source and destination IP addresses, ports, protocols, and messages.

Compute Engine VPC Flow Logs: these logs provide information from Compute Engine VMs for network operations such as network monitoring, forensics, real-time security analysis and expense optimization.

SCC Services

https://console.cloud.google.com/security/command-center/config/services

Select the services that you want to be enabled by default in Security Command Center. You can change these defaults to limit the services to certain folders or projects using advanced settings.

There may be latency between initial activation of services and the availability of findings.

Security Health Analytics

Identify common misconfigurations in your environment such as open firewalls and public buckets, and CIS violations.

Manage Premium enablement

These services are not available for Security Command Center Standard. These services are available for projects that are individually activated with Premium tier or for your organization when it is upgraded to Premium tier.

Web Security Scanner

Uncover common vulnerabilities such as cross-site scripting (XSS) and outdated libraries that put your web applications at risk.

Rapid Vulnerability Detection

Automatically scan your networks and web applications for critical vulnerabilities that have a high likelihood of being exploited.

During scans, Rapid Vulnerability Detection performs actions that can negatively impact your production resources, like accessing administrator interfaces and attempting to log into your VMs. As a best practice, scan resources in non-production environments before you deploy them to production.

Event Threat Detection

Detect threats to your cloud platform, identities, data, and compute instances in real time.

Container Threat Detection

Use kernel-level instrumentation to identify potential compromise of containers, including suspicious binaries.

Virtual Machine Threat Detection

Analyze Compute Engine instances to identify threats, including cryptomining abuse.
