Get Started with Security Command Center
Lab: 1 hour, 1 point, Introductory
GSP1124


Overview

Security Command Center (SCC) is a security monitoring platform that helps users accomplish the following:

  • Discover security-related misconfigurations of Google Cloud resources.
  • Report on active threats in Google Cloud environments.
  • Fix vulnerabilities across Google Cloud assets.

In this lab, you take your first steps with Security Command Center by exploring the service's interface, configurations, and vulnerability findings.

Objectives

In this lab, you learn how to perform the following tasks:

  • Explore SCC interface elements.
  • Configure SCC settings at the project level.
  • Analyze and fix SCC vulnerability findings.

Prerequisites

It is recommended, but not required, that you are familiar with the following before starting this lab:

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources are made available to you.

This hands-on lab lets you do the lab activities in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito (recommended) or private browser window to run this lab. This prevents conflicts between your personal account and the student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab—remember, once you start, you cannot pause a lab.
Note: Use only the student account for this lab. If you use a different Google Cloud account, you may incur charges to that account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. If you need to pay for the lab, a dialog opens for you to select your payment method. On the left is the Lab Details pane with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details pane.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details pane.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To access Google Cloud products and services, click the Navigation menu or type the service or product name in the Search field.

Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

  1. Click Activate Cloud Shell (Activate Cloud Shell icon) at the top of the Google Cloud console.

  2. Click through the following windows:

    • Continue through the Cloud Shell information window.
    • Authorize Cloud Shell to use your credentials to make Google Cloud API calls.

When you are connected, you are already authenticated, and the project is set to your Project ID. The output contains a line that declares the Project ID for this session:

Your Cloud Platform project in this session is set to {{{project_0.project_id | "PROJECT_ID"}}}

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  1. (Optional) You can list the active account name with this command:
gcloud auth list
  1. Click Authorize.

Output:

ACTIVE: *
ACCOUNT: {{{user_0.username | "ACCOUNT"}}}

To set the active account, run:
    $ gcloud config set account `ACCOUNT`
  1. (Optional) You can list the project ID with this command:
gcloud config list project

Output:

[core]
project = {{{project_0.project_id | "PROJECT_ID"}}}

Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.

Scenario

Cymbal Bank is an American retail bank with over 2,000 branches in all 50 states. It offers comprehensive debit and credit services that are built on top of a robust payments platform. Cymbal Bank is a digitally transforming legacy financial services institution.

Cymbal Bank was founded in 1920 under the name Troxler. Cymbal Group acquired the company in 1975 after it had been investing heavily in Cymbal Group's proprietary ATMs. As the bank grew into a national leader, they put strategic emphasis on modernizing the customer experience both in-person at their branches and digitally through an app they released in 2014. Cymbal Bank employs 42,000 people nationwide and, in 2019, reported $24 billion in revenue.

Cymbal Bank is interested in integrating a centralized security monitoring platform to help monitor threats and remediate vulnerabilities across their Google Cloud resources in their corporate banking applications. As a Cloud Security Engineer, you are tasked with learning about Security Command Center's cutting-edge features so you can deliver a presentation to the CTO on the services' benefits.

Task 1. Explore SCC interface elements

In this task, you explore the Security Command Center (SCC) interface to learn about the service's chief features.

  1. In the Cloud console, on the Navigation menu (Navigation menu icon), select Security > Risk Overview.
Note: If you receive a message informing you that you need to "Create an Organization", simply refresh the browser.
  1. On the Risk overview page, scroll down and investigate the information panels that refer to New threats over time and Vulnerabilities per resource type.

Threats and vulnerabilities are two different types of finding classes, which SCC uses to categorize and report security issues in your environment. Refer to the Finding classes documentation to learn more about finding classes.

  • Threats notify Google Cloud users about current suspicious activities happening in their Google Cloud environments, such as a service account investigating its own permissions.
  • Vulnerabilities provide information on misconfigurations or vulnerabilities of resources, such as an open TCP port or an outdated library running on a virtual machine.

A finding is a record generated by SCC, which provides details on vulnerability or threat data in the Security Command Center dashboard.

  1. On the New threats over time card, click the Findings by resource type tab.

This card enumerates currently active threats that have happened in your project during the period of time determined by the "Time range" dropdown on the right side of this information panel.

Note: In this lab instance, the number of threats is zero because you are in a sandbox Google Cloud project that has never been attacked. You explore how to protect yourself from threats in another lab, Detect and Investigate Threats with Security Command Center.

By default, the time range dropdown shows all threats that appeared during the last 7 days, but you can view all threats that happened during the last 180 days.

  1. From the Time range selector, select Last 180 days.
  2. Scroll down to the Vulnerabilities per resource type card.

There should be around 80 active vulnerabilities listed.

A majority of these findings are generated because you are using a default VPC network, which is insecure by design, for the purposes of this lab. For example, it contains firewall rules that allow SSH and RDP access from any IP address.

  1. Now scroll down to the Active vulnerabilities card.

  2. If it isn't selected by default, click the Findings by category tab.

This shows your environment's vulnerabilities organized by different categories of vulnerabilities and their severity. The severity is a property of the finding that helps to estimate the potential risk that an issue poses to the Google Cloud environment.

The level of severity cannot be changed—each type of finding has a severity level that is predetermined by SCC. Below is a list of the different types of severities and common examples:

  • Critical - For example, a reverse shell session launched from inside a GKE Pod.
  • High - For example, an SSH port opened to the entire Internet (0.0.0.0/0).
  • Medium - For example, one of the primitive IAM roles (Owner/Editor/Viewer) has been granted to a user or a service account.
  • Low - For example, no VPC Flow Logs are collected.
  • Unspecified - Can appear in SCC, but is not common.

Detailed criteria for how SCC sets a finding's severity are described on the Finding severities page.

Note: Take notice that the findings about open RDP and SSH ports have high severity levels.
  1. Now click the Findings by resource type tab. This shows vulnerabilities categorized by the different types of Google Cloud resources that are available.
Note: This project has a default VPC Network, so most findings here are related to network components such as firewall, network or subnetwork.
  1. Finally, click the Findings by project tab. This tab is intended for use with SCC on the level of a folder or organization root node.
Note: In our lab we have access only to one project, so this tab contains only the name of the current project.
  1. From the Security portal, which you access if you select Security from the Navigation menu (Navigation menu icon), note the various tabs listed under the Security Command Center header. Here is a description of each.
  • Risk Overview: Shows your environment's vulnerabilities organized by different categories of vulnerabilities and severity.
  • Threats: Gives you a quick overview of findings that are classified as threats in SCC. Some examples could be a successful attempt of a Brute Force: SSH attack, cryptomining software running on compute resources (i.e. the Execution: Cryptocurrency Mining YARA Rule), and a reverse shell session that was launched from inside a GKE container.
  • Vulnerabilities: Gives you a quick overview of all misconfigurations or flaws in software that might exist in the current scope (whether that be inside your project, folder, or organization). This gives you more fine-grained access to the vulnerabilities, allowing you to drill down into each one. Some examples of vulnerabilities are a MySQL port that is open to the whole Internet, an instance of primitive roles used (e.g. an Owner/Editor/Viewer role assigned to a user or a service account), and a web page or web application vulnerable to XSS attacks.
  • Compliance: Shows information about compatibility of your project with the most important compliance standards such as CIS, PCI DSS, NIST 800-53 and others.
  • Assets: Includes asset information from Cloud Asset Inventory, which continuously monitors assets in your cloud environment.
  • Findings: Allows you to explore all findings available in the SCC database.
  • Sources: Details the software modules that analyze the configuration of Google Cloud resources and monitor current activities by reading log files and checking currently running processes.
  • Posture Management: Lets you use the security posture service in SCC. Refer to the Manage a security posture guide for more detail.

Task 2. Configure SCC settings at the project level

In this task, you explore how to configure SCC settings at the project level.

  1. Click Settings in the top right corner of the Risk overview page.

  2. Ensure you are on the Services tab.

This tab allows you to set up parameters of SCC's integrated services, which are also called sources ("the brains of SCC" that you explored in the previous task). For the purposes of this lab, the terms services and sources are interchangeable.

Services detect threats and vulnerabilities and provide information to SCC. Most of them are available only in the Premium edition of SCC, which is provisioned in this lab.

The following are built-in services that you can configure:

  • Security Health Analytics (SHA)—Finds and reports misconfigurations of resources (disabled logs, extra IAM permissions, publicly exposed services). This is what we have currently enabled in our project and what detected the 76 vulnerabilities in our project.
  • Web Security Scanner (WSS)—Scans publicly available web applications exposed via external IP addresses and checks for OWASP top 10 vulnerabilities.
  • Container Threat Detection (CTD)—Detects the most common container runtime attacks in a Container Optimized OS.
  • Event Threat Detection (ETD)—Provides log-based threat analysis that continuously monitors Google Cloud and Google Workspace logs to scan for potential threats.
  • Virtual Machine Threat Detection—Analyzes memory of VM instances on the level of a Hypervisor and can detect suspicious activities happening in VM memory. Examples are unexpected kernel modules or running crypto-mining software.
  1. Click on the Manage settings link for Security Health Analytics.

  2. Click on the Modules tab.

Modules are pre-defined or custom units of detection logic. As you can see, SCC offers many different types of modules that can help you detect different misconfigurations of resources. SCC makes it easy to enable and disable individual modules to match your security posture and the resources you are interested in monitoring.

  1. In the filter field, type VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED and press Enter.

  2. Select Enable from the Status dropdown.

With this enabled, Security Health Analytics checks whether the enableFlowLogs property of VPC subnetworks is missing or set to false.

Note: There is a delay until SCC starts scanning resources using the newly enabled module.

Now that you are familiar with Security Command Center's different services and how to configure them, you can explore how to identify and fix a vulnerability with SCC.

Task 3. Analyze and fix SCC vulnerability findings

In this task, you learn how to manage and mitigate vulnerability findings.

Mark a finding as INACTIVE to change its state

  1. From the Navigation menu (Navigation menu icon), select Security > Risk Overview.
  2. In the left-hand menu, click on the Findings tab.
  3. Set the Time range selector in the top-right corner to All time.

  1. In the top-left corner of the screen, find the Query preview window, which contains a filter for sorting through all available findings.

By default, the Findings tab displays unmuted findings with a state of ACTIVE.

Two properties of every finding, state and mute, determine whether the finding is visible in many of the filters used in SCC.

  • The mute value can be set on a finding by the security analyst, or it can be set automatically by a mute rule, so that irrelevant and noisy findings do not appear in the SCC interface.
  • The state property indicates whether a finding still requires attention (ACTIVE) or has been fixed or otherwise addressed and is no longer active (INACTIVE).

A recommended way to manage the lifecycle of findings and hide them is to use the mute property. Changing the state property is typically handled by software sources.

  1. On the Quick filters card, select the checkbox associated with the Default network category.
  1. Notice that the query string in the Query preview has changed (it now has AND category="DEFAULT_NETWORK" attached to it).

  2. In the Findings query results section, select the checkbox associated with Default network and select More actions (More actions icon) > Change active state.

  3. Set the state to Inactive for this finding.

Now the finding has been deactivated and hidden from the screen because by default only active and unmuted findings are listed.

Filter findings results by applying a query

  1. You can reset the Findings tab view. To do this, select Risk Overview and then choose Findings under the SCC header.

  1. Click the Edit query button.

  2. Change the query string in the Query editor to category="DEFAULT_NETWORK".

  3. When you're finished editing, click the Apply button.

    It may take a minute or two for the change to take effect. Once it does, only one finding for Default network is listed.

In the left-hand menu under Quick filters, note that the Show inactive checkbox is selected. SCC gives you the flexibility to search for active and inactive findings. Now, you can revert the state of this finding.

  1. In the Findings query results section, select the checkbox for Default network and select More actions (More actions icon) > Change active state.

  2. Set the state for this finding to Active.

Findings can be activated and deactivated manually, but they can never be deleted by a user. They are deleted automatically only when a finding has not been refreshed by scanners during a period of 13 months.

When a security scanner re-checks the resource and no longer detects the misconfiguration that produced the finding, it marks the finding INACTIVE. If the vulnerability is still present in the system, the finding stays in the ACTIVE state.

  1. Click the Clear All button next to Quick Filters to reset the findings tab.

  2. In the Query preview window, click Edit Query.

  3. Now copy and paste the following query:

state="ACTIVE" AND NOT mute="MUTED" AND resource.type="google.compute.Subnetwork"
  1. When you're finished editing, click the Apply button.

Now all findings related to subnetworks display. For this lab, the default VPC network was created with the --subnet-mode=auto parameter, so none of its subnets have Private Google Access enabled and none of them write VPC Flow Logs.

Filter findings by category and mute them

When working in a test environment, you sometimes want to hide certain findings. In this instance, you do not want to see SCC findings about Private Google Access in this network, so you want to mute those findings.

  1. In the Quick filters window, select the category, Private google access disabled.

  2. In the Finding query results pane, select the uppermost Category checkbox so all "Private google access disabled" findings are selected.

  1. Select More actions (More actions icon) and click the Mute options button.

  2. In the dropdown, select Apply mute override. This operation mutes existing findings.

  3. Select Risk Overview in the left-hand menu and then select Findings to reset the findings view.

Notice that the Private google access disabled findings are now muted and no longer display. Muting is a powerful way to filter SCC results and gives you fine-grained control over which resources and findings you see.

Create a mute rule to hide certain findings

Another misconfiguration of the default network is that VPC Flow Logs are also disabled in the subnets of this network. Since you are working in a test environment, you don't need VPC Flow Logs enabled.

In this section, you mute all existing and all future findings related to this category.

  1. In the Findings query results window, select More actions (More actions icon) > Mute options > Manage mute rules.
  2. Click the Create mute rule button.
Note: You can create an SCC configuration that mutes existing and all new findings satisfying the criteria, defined in the Finding query field. Note that previously you muted existing "Private google access disabled" (PGA) findings.

That was a one-time operation and newly detected findings reporting about disabled PGA still appear in SCC. However, if you create a mute rule, you effectively mute all existing and all new findings.
  1. In the new window, enter a Mute rule with ID: muting-pga-findings.

  2. For the mute rule description, enter Mute rule for VPC Flow Logs.

  3. In the Findings query filter input field, enter the following filter:

category="FLOW_LOGS_DISABLED"
  1. Click the Save button.

You should get a notification stating that a mute rule has been created.

Click Check my progress to verify you've completed this objective. Create a mute rule

  1. Now refresh the main SCC Dashboard by selecting Findings from the left-hand menu.

    Ensure that you no longer get any Private google access disabled or Flow logs disabled findings.

Note: If any of these findings still display, please refresh the browser tab.

Create another VPC network to test the findings mute rule

In this section, you create one more network with automatically configured subnets to test out the recent modifications to your finding rules.

  1. Open a new Cloud Shell session (Activate Cloud Shell icon) and run the following command to create the network:
gcloud compute networks create scc-lab-net --subnet-mode=auto

Note: It may take a few minutes for the subnet to be created.

Ensure the output you receive is similar to the following.

Output:

Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-03-c6821aef4c0f/global/networks/SCC-lab-net].
NAME: SCC-lab-net
SUBNET_MODE: AUTO
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

Click Check my progress to verify you've completed this objective. Create a network

  1. Close the Cloud Shell window after you have verified the above message.

  2. Refresh the SCC findings window and note the newly created Private google access disabled finding. However, there are no findings about VPC Flow Logs (this is because of the mute rule you created earlier).

    Although you created mute rules for VPC Flow Logs, SCC still allows you to view them using the query editor.

  3. Click the Edit Query button and paste in the following to overwrite the existing query filter text:

category="FLOW_LOGS_DISABLED"
  1. Click Apply.

    Check the Findings query results window and note that in the Resource display name column, both the "default" and "SCC-lab-net" networks are listed.

Note: If you do not see the default network listed, please make sure that the parameter Rows per page is set to 100. Also check that the Time Range parameter is set to the All time value.
  1. In the Query preview window, click Edit Query.

  2. Now copy and paste the following query to overwrite the previous query text:

state="ACTIVE" AND NOT mute="MUTED"
  1. When you're finished editing, click the Apply button.

    This shows you the findings you had muted previously.
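The query filter, the state change, the one-time mute override and the mute rule from the Task 3 sections above, replayed in an added Python example that is not SCC's own code: the finding records, the UNDEFINED default mute value, the resource names and the query parser are constructed for this illustration.

```python
import re

# SCC finding-query syntax as the lab uses it, re-implemented for the example (not SCC code):
# field="value" terms joined by AND, each optionally prefixed by NOT; dotted paths such as resource.type.
TERM_RE = re.compile(r'^(NOT\s+)?([A-Za-z_][\w.]*)\s*=\s*"([^"]*)"$')
DEFAULT_VIEW = 'state="ACTIVE" AND NOT mute="MUTED"'   # what the Findings tab shows by default


def parse_query(query):
    terms = []
    for raw in re.split(r"\s+AND\s+", query.strip()):
        m = TERM_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported term: {raw!r}")
        terms.append((m.group(1) is not None, m.group(2), m.group(3)))   # (negated, path, value)
    return terms


def _lookup(finding, path):
    for part in path.split("."):
        finding = finding.get(part) if isinstance(finding, dict) else None
    return finding


def matches(finding, terms):
    return all((_lookup(finding, path) == value) != negated for negated, path, value in terms)


class FindingStore:
    def __init__(self):
        self.findings = []
        self.mute_rules = []                 # (rule_id, parsed query), applied on ingest

    def ingest(self, category, resource_type, resource_name):
        # New findings start ACTIVE; mute stays UNDEFINED until an analyst or a rule sets it (assumed default).
        f = {"category": category, "state": "ACTIVE", "mute": "UNDEFINED",
             "resource": {"type": resource_type, "name": resource_name}}
        for rule_id, terms in self.mute_rules:
            if matches(f, terms):
                f["mute"], f["mute_rule"] = "MUTED", rule_id
        self.findings.append(f)
        return f

    def query(self, query=DEFAULT_VIEW):
        terms = parse_query(query)
        return [f for f in self.findings if matches(f, terms)]

    def mute(self, query, rule_id=None):
        """rule_id=None is the one-time 'Apply mute override' (existing findings only);
        with a rule id the query is also kept and applied to every future finding."""
        terms = parse_query(query)
        if rule_id is not None:
            self.mute_rules.append((rule_id, terms))
        hits = [f for f in self.findings if matches(f, terms)]
        for f in hits:
            f["mute"] = "MUTED"
        return len(hits)

    def set_state(self, category, resource_name, state):
        for f in self.findings:
            if f["category"] == category and f["resource"]["name"] == resource_name:
                f["state"] = state


def run_lab_scenario():
    """Replays Task 3 on constructed findings; returns what each step leaves visible."""
    store = FindingStore()
    store.ingest("DEFAULT_NETWORK", "google.compute.Network", "default")
    for subnet in ("default-us-central1", "default-europe-west1"):
        store.ingest("PRIVATE_GOOGLE_ACCESS_DISABLED", "google.compute.Subnetwork", subnet)
        store.ingest("FLOW_LOGS_DISABLED", "google.compute.Subnetwork", subnet)
    out = {"initial": len(store.query())}
    store.set_state("DEFAULT_NETWORK", "default", "INACTIVE")
    out["default_view_after_inactive"] = len(store.query())            # inactive is hidden
    store.set_state("DEFAULT_NETWORK", "default", "ACTIVE")
    out["subnet_findings"] = len(store.query(
        'state="ACTIVE" AND NOT mute="MUTED" AND resource.type="google.compute.Subnetwork"'))
    store.mute('category="PRIVATE_GOOGLE_ACCESS_DISABLED"')                     # one-time override
    store.mute('category="FLOW_LOGS_DISABLED"', rule_id="muting-pga-findings")  # persistent rule
    out["after_muting"] = len(store.query())
    # New auto-mode network: its PGA finding reappears, its flow-logs finding is caught by the rule.
    store.ingest("PRIVATE_GOOGLE_ACCESS_DISABLED", "google.compute.Subnetwork", "scc-lab-net-us-central1")
    store.ingest("FLOW_LOGS_DISABLED", "google.compute.Subnetwork", "scc-lab-net-us-central1")
    out["after_new_network"] = [f["category"] for f in store.query()]
    out["muted_flow_logs"] = len(store.query('category="FLOW_LOGS_DISABLED"'))  # still reachable by query
    return out
```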

Investigate and fix two findings with high severity

In this section, you investigate and explore how to fix two findings with high severity.

  1. In the Quick Filters section, scroll down to the Severity type and select High from the list of severity options.

You should see two findings: Open RDP port and Open SSH port. They are raised because the "default" network contains two firewall rules that allow SSH and RDP traffic to all instances in this network from the whole Internet.

  1. In the Findings query results window, click on the Open RDP port finding.

A new window appears, which provides a detailed description of the issue itself, a list of affected resources, and "Next steps" to help you remediate it.

  1. In the Next steps section, click on the link to go to the firewall rules page, which opens in a new tab.

  2. Click the default-allow-rdp firewall rule.

  3. Click Edit.

  4. Delete the source IP range, 0.0.0.0/0.

  5. Add the following source IP range 35.235.240.0/20 and press Enter.

Note: This range of IP addresses is used for connecting to VM instances securely via Identity-Aware Proxy. More information is available on the Using IAP for TCP forwarding page.

Do not change any other parameters!

  1. Click Save.

  2. Once saved, close the browser tab where you edited the firewall rule.

  3. Refresh the SCC findings browser tab.

    You should now see only one finding with High severity - Open SSH Port.

Update the firewall rules to address a finding

  1. Click on the Open SSH port finding.

  2. Scroll down to the Next steps section and click on the link to go to the firewall rules page, which opens in a new tab.

  3. Click the default-allow-ssh firewall rule.

  4. Click Edit.

  5. Delete the source IP range, 0.0.0.0/0.

  6. Add the following source IP range 35.235.240.0/20 and press Enter.

    Do not change any other parameters!

  7. Click Save.

  8. Once saved, close the browser tab where you edited the firewall rule.

Click Check my progress to verify you've completed this objective. Update the firewall rules

  1. Now close the window with an open finding description and refresh the browser window.

    You should see no findings with High severity.
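The Open SSH port / Open RDP port checks and the firewall fix from this task, written out as an added Python example that is not SCC's or Google's code: the firewall and subnetwork dicts are constructed after the Compute API resource shape, and the category identifiers other than those on the page are assumed.

```python
from ipaddress import ip_network

IAP_TCP_FORWARDING_RANGE = "35.235.240.0/20"    # the range the lab substitutes for 0.0.0.0/0
# Category ids follow the UPPER_SNAKE style of the lab's queries and are assumed, not quoted
# from the page; severities are the ones the lab states (SSH/RDP high, flow logs low).
WATCHED_TCP_PORTS = {22: "OPEN_SSH_PORT", 3389: "OPEN_RDP_PORT"}
SEVERITY = {"OPEN_SSH_PORT": "HIGH", "OPEN_RDP_PORT": "HIGH", "FLOW_LOGS_DISABLED": "LOW",
            "PRIVATE_GOOGLE_ACCESS_DISABLED": None}          # severity not stated in the lab


def _is_any_address(cidr):
    """True for 0.0.0.0/0 or ::/0, however the prefix is written."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _port_listed(port, spec):
    """spec is the Compute API 'ports' list, items like "22" or "20-25"."""
    for item in spec:
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def firewall_findings(rule):
    """Emulates the Open SSH port / Open RDP port checks on one firewall resource dict."""
    out = []
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return out
    if not any(_is_any_address(r) for r in rule.get("sourceRanges", [])):
        return out
    for allowed in rule.get("allowed", []):
        if allowed.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = allowed.get("ports")            # absent means every port of that protocol
        for port, category in WATCHED_TCP_PORTS.items():
            if ports is None or _port_listed(port, ports):
                out.append({"category": category, "severity": SEVERITY[category],
                            "resource": rule["name"]})
    return out


def subnetwork_findings(subnet):
    """Emulates the two subnet checks the lab mutes: Private Google Access and VPC Flow Logs."""
    out = []
    for prop, category in (("privateIpGoogleAccess", "PRIVATE_GOOGLE_ACCESS_DISABLED"),
                           ("enableFlowLogs", "FLOW_LOGS_DISABLED")):
        if not subnet.get(prop, False):        # a missing property counts as disabled, as SHA does
            out.append({"category": category, "severity": SEVERITY[category],
                        "resource": subnet["name"]})
    return out


def scan(firewalls, subnets):
    findings = [f for rule in firewalls for f in firewall_findings(rule)]
    findings += [f for subnet in subnets for f in subnetwork_findings(subnet)]
    return findings


def restrict_to_iap(rule):
    """The lab's fix: replace 0.0.0.0/0 with the IAP range and change nothing else."""
    fixed = dict(rule)
    fixed["sourceRanges"] = [IAP_TCP_FORWARDING_RANGE if _is_any_address(r) else r
                             for r in rule.get("sourceRanges", [])]
    return fixed


def high_severity_categories(findings):
    return sorted(f["category"] for f in findings if f["severity"] == "HIGH")


# Constructed sample resources modelled on the lab's default network (not exported from a project).
DEFAULT_FIREWALLS = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-allow-internal", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}, {"IPProtocol": "udp", "ports": ["0-65535"]}]},
]
DEFAULT_SUBNETS = [{"name": "default", "region": "us-central1"}]
```

Running scan(DEFAULT_FIREWALLS, DEFAULT_SUBNETS) yields the two high-severity findings from the lab plus the two subnet findings, and rescanning after restrict_to_iap has been applied to every rule leaves no high-severity finding.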

Congratulations!

Throughout this lab, you learned how to explore the Security Command Center interface elements, configure SCC settings at the project level, and analyze and fix SCC vulnerability findings. You have also used SCC to identify and remediate critical security vulnerabilities in your Google Cloud environment.

Next steps / Learn more

Google Cloud training and certification helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated November 26, 2024

Lab Last Tested April 29, 2024

Copyright 2025 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
