Setup and evaluation of Google Cloud Security Command Center March 2023
When setting up GCSCC for the first time, the following options are presented. By default, only the Standard tier features are available.
The Standard tier includes the following services and features:
- Security Health Analytics: in the Standard tier, Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. In the Standard tier, Security Health Analytics includes the following finding types:
Dataproc image outdated
Legacy authorization enabled
MFA not enforced
Non org IAM member
Open ciscosecure websm port
Open directory services port
Open firewall
Open group IAM member
Open RDP port
Open SSH port
Open Telnet port
Public bucket ACL
Public Compute image
Public dataset
Public IP address
Public log bucket
Public SQL instance
SSL not enforced
Web UI enabled
- Web Security Scanner custom scans: in the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IP addresses that aren’t behind a firewall. Scans are manually configured, managed, and executed for all projects, and support a subset of categories in the OWASP Top Ten.
- Security Command Center errors: Security Command Center provides detection and remediation guidance for configuration errors that prevent Security Command Center and its services from functioning properly.
- Continuous Exports feature, which automatically manages the export of new findings to Pub/Sub.
- Access to integrated Google Cloud services, including the following:
  - Cloud Data Loss Prevention discovers, classifies, and protects sensitive data.
  - Google Cloud Armor protects Google Cloud deployments against threats.
  - Anomaly Detection identifies security anomalies for your projects and virtual machine (VM) instances, like potential leaked credentials and cryptocurrency mining.
- Integration with BigQuery, which exports findings to BigQuery for analysis.
- Integration with Forseti Security, the open source security toolkit for Google Cloud, and third-party security information and event management (SIEM) applications.
- When Security Command Center is activated at the organization level, you can grant users IAM roles at the organization, folder, and project levels.
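The Continuous Exports feature listed above publishes each new finding to Pub/Sub as a JSON NotificationMessage with a top-level "finding" object. The following is an added example (not code from the page or from Google) that triages the Standard-tier Security Health Analytics findings listed above by category and severity; the category strings are assumed to be the upper-snake-case form of the display names, and the sample messages are constructed.

```python
import json

# Added example (not from the page or from Google): triage Security Health
# Analytics findings that a Continuous Export publishes to Pub/Sub as JSON
# NotificationMessages. Category strings are assumed to be the
# upper-snake-case form of the display names listed above.
EXPOSURE_CATEGORIES = {
    "OPEN_FIREWALL", "OPEN_RDP_PORT", "OPEN_SSH_PORT", "OPEN_TELNET_PORT",
    "PUBLIC_BUCKET_ACL", "PUBLIC_SQL_INSTANCE", "PUBLIC_DATASET",
}
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def triage(message: bytes, min_severity: str = "HIGH"):
    """Return a routing record for one message body, or None to drop it
    (malformed payload, or a finding that is no longer ACTIVE)."""
    try:
        finding = json.loads(message)["finding"]
        category, resource = finding["category"], finding["resourceName"]
    except (ValueError, KeyError, TypeError):
        return None  # not a finding notification; leave it for dead-lettering
    if finding.get("state") != "ACTIVE":
        return None  # resolved or muted: nothing new to act on
    severity = finding.get("severity", "SEVERITY_UNSPECIFIED")
    severe = SEVERITY_RANK.get(severity, 0) >= SEVERITY_RANK[min_severity]
    # Direct internet exposure is paged regardless of the severity SCC assigned.
    route = "page" if category in EXPOSURE_CATEGORIES else ("ticket" if severe else "log")
    return {"name": finding.get("name", ""), "category": category,
            "resource": resource, "severity": severity, "route": route}


def sample_message(category, severity, state, resource):
    """Constructed Pub/Sub message body in the export's JSON shape."""
    return json.dumps({
        "notificationConfigName": "organizations/123/notificationConfigs/scc-export",
        "finding": {"name": f"organizations/123/sources/456/findings/{category.lower()}",
                    "category": category, "severity": severity,
                    "state": state, "resourceName": resource},
    }).encode()


if __name__ == "__main__":
    for body in (
        sample_message("OPEN_RDP_PORT", "MEDIUM", "ACTIVE",
                       "//compute.googleapis.com/projects/demo/global/firewalls/allow-rdp"),
        sample_message("MFA_NOT_ENFORCED", "HIGH", "INACTIVE",
                       "//cloudresourcemanager.googleapis.com/organizations/123"),
        b"not json",
    ):
        print(triage(body))
```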
Grant Permissions
Security Command Center created a service account that doesn’t have Cloud IAM permissions. The account must be granted the required IAM roles in order to scan resources for vulnerabilities, store findings, and detect threats.
Required Roles
- securitycenter.serviceAgent
- serviceusage.serviceUsageAdmin
- cloudfunctions.serviceAgent
Service Account Created
- service-org-ORG_ID@security-center-api.iam.gserviceaccount.com (ORG_ID is the numeric organization ID)
Alternatively: grant the roles manually (gcloud). ORG_ID is the numeric organization ID; note the space before each line-continuation backslash, otherwise the shell joins the arguments together.
$ gcloud organizations add-iam-policy-binding ORG_ID \
    --member serviceAccount:service-org-ORG_ID@security-center-api.iam.gserviceaccount.com \
    --role roles/securitycenter.serviceAgent && \
  gcloud organizations add-iam-policy-binding ORG_ID \
    --member serviceAccount:service-org-ORG_ID@security-center-api.iam.gserviceaccount.com \
    --role roles/serviceusage.serviceUsageAdmin && \
  gcloud organizations add-iam-policy-binding ORG_ID \
    --member serviceAccount:service-org-ORG_ID@security-center-api.iam.gserviceaccount.com \
    --role roles/cloudfunctions.serviceAgent
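Before or after granting the roles, it is worth checking which of the three required bindings the service agent actually holds. The following is an added example (not code from the page or from Google) that reads the JSON printed by `gcloud organizations get-iam-policy ORG_ID --format=json`, lists the missing required roles, and generates the corresponding add-iam-policy-binding commands; the policy is constructed and 123456789 is a placeholder organization ID.

```python
import json

# Added example (not from the page or from Google): check that the SCC
# service agent holds the three roles listed above, using the JSON that
# `gcloud organizations get-iam-policy ORG_ID --format=json` prints.
# The policy below is constructed; 123456789 is a placeholder org ID.
REQUIRED_ROLES = (
    "roles/securitycenter.serviceAgent",
    "roles/serviceusage.serviceUsageAdmin",
    "roles/cloudfunctions.serviceAgent",
)


def scc_service_agent(org_id: str) -> str:
    """IAM member string of the service agent SCC creates for an organization."""
    return f"serviceAccount:service-org-{org_id}@security-center-api.iam.gserviceaccount.com"


def missing_roles(policy: dict, member: str) -> list:
    """Required roles not bound to `member` at this level.

    Conservative: a binding that carries an IAM condition only applies while
    the condition holds, so it is not counted as satisfying the requirement."""
    held = {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}
    return [role for role in REQUIRED_ROLES if role not in held]


def grant_commands(org_id: str, missing: list) -> list:
    """gcloud commands that would add each missing binding (review before running)."""
    member = scc_service_agent(org_id)
    return [f"gcloud organizations add-iam-policy-binding {org_id} "
            f"--member {member} --role {role}" for role in missing]


# Constructed policy: SCC role present, serviceUsageAdmin only under an
# expired condition, cloudfunctions role absent.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/securitycenter.serviceAgent",
     "members": ["serviceAccount:service-org-123456789@security-center-api.iam.gserviceaccount.com"]},
    {"role": "roles/serviceusage.serviceUsageAdmin",
     "members": ["serviceAccount:service-org-123456789@security-center-api.iam.gserviceaccount.com"],
     "condition": {"title": "temp", "expression": "request.time < timestamp('2023-01-01T00:00:00Z')"}},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]
}""")

if __name__ == "__main__":
    gaps = missing_roles(SAMPLE_POLICY, scc_service_agent("123456789"))
    print("\n".join(grant_commands("123456789", gaps)) or "all required roles present")
```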
SCC Integrations
Integrate Sumo Logic with Google Cloud SCC
Log data for Google Cloud Platform (GCP) services is collected and exposed through the Google Cloud Stackdriver service. You can export, in real time, the data collected by Stackdriver to Google Cloud Pub/Sub. We use this Pub/Sub integration to push logs to Sumo Logic in real time.
The Google Cloud Platform (GCP) Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Kubernetes Engine containers and App Engine Flex. The Sumo Logic App for Google Cloud VPC provides visibility into the activities, traffic, and VPC flow in your GCP. The preconfigured dashboards provide you details on the VPC flows, source and destination IP addresses, ports, protocols, and messages.
Compute Engine VPC Flow Logs: these logs provide information from Compute Engine VMs for network operations such as network monitoring, forensics, real-time security analysis and expense optimization.
SCC Services
https://console.cloud.google.com/security/command-center/config/services
Select the services that you want to be enabled by default in Security Command Center. You can change these defaults to limit the services to certain folders or projects using advanced settings.
There may be latency between initial activation of services and the availability of findings.
Security Health Analytics
Identify common misconfigurations in your environment such as open firewalls and public buckets, and CIS violations.
Manage Premium enablement
These services are not available in Security Command Center Standard. They are available for projects that are individually activated with the Premium tier, or for the whole organization once it is upgraded to the Premium tier.
Web Security Scanner
Uncover common vulnerabilities such as cross-site scripting (XSS) and outdated libraries that put your web applications at risk.
Rapid Vulnerability Detection
Automatically scan your networks and web applications for critical vulnerabilities that have a high likelihood of being exploited.
During scans, Rapid Vulnerability Detection performs actions that can negatively impact your production resources, like accessing administrator interfaces and attempting to log into your VMs. As a best practice, scan resources in non-production environments before you deploy them to production.
Event Threat Detection
Detect threats to your cloud platform, identities, data, and compute instances in real time.
Container Threat Detection
Use kernel-level instrumentation to identify potential compromise of containers, including suspicious binaries.
Virtual Machine Threat Detection
Analyze Compute Engine instances to identify threats, including cryptomining abuse.