Cloud Google’s Shield for Data and Threats
Google Cloud provides a robust security framework designed to protect data, applications, and infrastructure. It combines identity management, threat detection, and compliance tools to ensure that workloads (applications, services, or tasks running on cloud infrastructure) stay secure in the cloud.
Key security solutions include Identity and Access Management (IAM) for controlling access, Cloud Key Management Service (KMS) for encryption, VPC Service Controls for network security, Cloud Armor for DDoS protection, and Security Command Center (SCC) for centralized risk visibility.
These solutions, along with advanced monitoring and logging, help organizations detect risks early and respond efficiently.
Intro to Security Command Center (SCC)
Google Cloud’s Security Command Center (SCC) is a centralized security and risk management platform that helps you discover, monitor, and protect your GCP assets. It identifies vulnerabilities, misconfigurations, and threats across your cloud environment in one place.
Overview of the Security Command Center (SCC) Interface
We start by navigating to the Google Cloud console (https://console.cloud.google.com/), which serves as the main portal for managing GCP resources. Within the console, you can access sections related to VPC networks, IAM, and other services. To manage security features, select the Security section, where you can access the Security Command Center, SecOps tools, and other security-related controls.
Risk Overview: Shows weak points in your environment grouped by type and severity.
Threats: Lists detected attacks or suspicious activity. Examples: an SSH brute-force attempt, crypto-mining software, or a reverse shell in a GKE container.
Vulnerabilities: Shows misconfigurations or software flaws in your project, folder, or organization. Examples: a MySQL port open to the internet, use of primitive roles (Owner/Editor/Viewer), or a web app vulnerable to XSS.
Compliance: Checks how well your project matches security standards (CIS, PCI DSS, NIST 800-53, etc.).
Assets: Lists and monitors all cloud assets from Cloud Asset Inventory.
Findings: Central place to view all issues (threats, vulnerabilities, misconfigurations) detected by SCC.
Sources: Built-in modules that analyze cloud configurations, logs, and processes to detect risks, threats, and misconfigurations. Examples include Security Health Analytics, Event Threat Detection, Web Security Scanner, and Container Threat Detection.
Posture Management: Lets you manage overall security posture and apply security best practices.
Note: While SCC offers some integration options for Azure, it does not provide native support for on-premises devices. For comprehensive security coverage across on-premises and multi-cloud environments, solutions like Microsoft Defender for Cloud or Trend Micro Vision One may be more suitable.
Detailed Exploration of SCC Risk Overview
Using the Cloud console, you navigate to Security → Risk Overview to examine panels showing New threats over time and Vulnerabilities per resource type. SCC classifies findings as either threats or vulnerabilities.
Threats alert users to suspicious activities, such as a service account checking its own permissions, while vulnerabilities indicate misconfigurations or outdated software on resources like virtual machines. Findings provide detailed records of these issues, and you can filter them by time range, by resource type (which groups findings by the kind of Google Cloud resource affected, such as a VM, firewall, or network), or by category (which groups findings by the nature of the issue, such as misconfiguration, vulnerability, or suspicious activity, regardless of the resource type) to better understand your environment’s security posture.
The Vulnerabilities per resource type and Active vulnerabilities cards display the number and severity of security issues, which are predetermined by SCC.
Severity levels range from Critical (e.g., reverse shell in a GKE pod) to High (e.g., SSH open to the Internet), Medium (e.g., excessive IAM roles), Low (e.g., missing VPC Flow logs), and Unspecified.
Many vulnerabilities stem from using the default VPC network (a VPC network is a private, isolated network in Google Cloud where you can launch your resources) together with its insecure default firewall rules. You can view findings by resource type (for example, a VM with an outdated library and a firewall with an open SSH port each appear under their own resource type) or by project (for example, all findings in Project A, including the VM issue, the firewall issue, and any other resource problems within that project), which helps you categorize issues and plan mitigations.
Tailor Your SCC Project Level Configuration Secrets
This section covers how to configure Security Command Center (SCC) settings at the project level. From the Risk Overview page, you open Settings and review the Services tab, where SCC’s integrated services (also called sources) can be managed.
These services detect threats and vulnerabilities, providing security data to SCC.
Key built-in services include:
Security Health Analytics (SHA), which identifies misconfigurations such as excessive IAM permissions or public exposure;
Web Security Scanner (WSS), which checks external web apps for OWASP Top 10 vulnerabilities;
Container Threat Detection (CTD), which detects runtime attacks in containerized environments;
Event Threat Detection (ETD), which analyzes logs for suspicious activity;
and Virtual Machine Threat Detection, which inspects VM memory for issues like unauthorized kernel modules or crypto-mining software.
You then configure Security Health Analytics (SHA) by selecting Manage settings and enabling specific modules. Modules are detection rules that monitor resources for common misconfiguration, and SCC allows you to toggle them based on your needs.
For example, enabling the VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED module checks whether VPC sub networks have flow logs disabled or not configured properly. Enabling it helps detect potential network monitoring gaps that could hide suspicious traffic.
While you can view and manage the findings generated by these modules through the SCC interface, the underlying detection rules are not exposed to users. Although changes may take time to apply, this process demonstrates how SCC can be fine-tuned at the project level to detect and mitigate vulnerabilities effectively.
Hunt, Analyze, and Remediate By Tackling SCC Vulnerability Findings
This section covers how to manage and mitigate vulnerability findings in Security Command Center (SCC). Starting from the Risk Overview page, you navigate to the Findings tab and set the time range to view all findings.
Each finding has two key properties: state and mute, which control its visibility and relevance. The state indicates whether a finding is active and requires attention, or inactive if it has been addressed or is no longer detected. The mute property allows analysts to hide findings that are irrelevant or noisy.
The Findings view query combines both properties:
state="ACTIVE" AND NOT mute="MUTED"
state="ACTIVE" ensures you only see findings that require attention and haven’t been resolved.
NOT mute="MUTED" excludes any findings that have been muted, meaning you won’t see noisy or ignored findings.
You can change a finding’s state to inactive, filter results using queries, and apply quick filters to focus on specific categories such as Default network. SCC lets you manually activate or deactivate findings; findings are never deleted by users and are automatically removed only after 13 months of inactivity.
You can also mute findings to manage visibility more effectively. For example, you can mute Private Google Access findings (Private Google Access lets VMs without public IPs connect to Google services; if it is off, these VMs can’t reach Google APIs) and VPC Flow Logs findings (VPC Flow Logs record network traffic in a subnet; if they are off, traffic data isn’t collected for monitoring) to hide unnecessary alerts, either by selecting them with Quick Filters or by creating a mute rule that automatically mutes future findings in the same category.
Use Quick Filters to select the Private Google Access disabled category and check all related findings. Click Mute options and choose Apply mute override to mute them. Refresh the Findings view under Risk Overview to update the dashboard.
By navigating to Mute options → Manage mute rules and creating a rule with the ID muting-pga-findings and filter category="FLOW_LOGS_DISABLED", you ensure that these findings are automatically hidden from the dashboard.
After saving the mute rule, you refresh the SCC dashboard to confirm that Flow Logs findings are no longer displayed. This process allows you to focus only on relevant findings while keeping the ability to query muted findings when needed.
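The state/mute query and the category-based mute rule above use the same filter language. The following script, added here as an illustration and not code from the lab or from Google, implements a small subset of that filter grammar (field="value" terms, optional NOT, joined by AND) and runs it over a constructed set of findings whose field names follow the SCC finding resource (state, mute, severity, category, resourceName) but whose values are invented. It shows what the dashboard query keeps, what a mute rule on category="FLOW_LOGS_DISABLED" hides, and that muted findings remain queryable.

```python
"""Local triage of SCC findings (constructed sample data, not an export).

Implements a subset of the SCC finding filter grammar used by the console
query  state="ACTIVE" AND NOT mute="MUTED"  and by mute rules such as
category="FLOW_LOGS_DISABLED": field="value" terms, an optional NOT, joined
by AND. This is an illustration, not Google's implementation.
"""
import re
from collections import Counter

# One term of the filter: optional NOT, a field name, and a quoted value.
TERM_RE = re.compile(r'^(NOT\s+)?([A-Za-z_.]+)\s*=\s*"([^"]*)"$')

DASHBOARD_FILTER = 'state="ACTIVE" AND NOT mute="MUTED"'

# Constructed sample findings; field names follow the SCC finding resource
# (state, mute, severity, category, resourceName) but every value is made up.
SAMPLE_FINDINGS = [
    {"category": "OPEN_SSH_PORT", "severity": "HIGH", "state": "ACTIVE",
     "mute": "UNDEFINED",
     "resourceName": "//compute.googleapis.com/projects/example-project/global/firewalls/default-allow-ssh"},
    {"category": "OPEN_RDP_PORT", "severity": "HIGH", "state": "ACTIVE",
     "mute": "UNMUTED",
     "resourceName": "//compute.googleapis.com/projects/example-project/global/firewalls/default-allow-rdp"},
    {"category": "FLOW_LOGS_DISABLED", "severity": "LOW", "state": "ACTIVE",
     "mute": "UNDEFINED",
     "resourceName": "//compute.googleapis.com/projects/example-project/regions/us-central1/subnetworks/default"},
    {"category": "PRIVATE_GOOGLE_ACCESS_DISABLED", "severity": "LOW",
     "state": "ACTIVE", "mute": "MUTED",  # muted earlier via Quick Filters
     "resourceName": "//compute.googleapis.com/projects/example-project/regions/us-central1/subnetworks/default"},
    {"category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "INACTIVE",
     "mute": "UNDEFINED",
     "resourceName": "//storage.googleapis.com/example-bucket"},
]


def parse_filter(expr):
    """Return a list of (negated, field, value) tuples for an AND-joined filter."""
    terms = []
    for raw in re.split(r"\s+AND\s+", expr.strip()):
        m = TERM_RE.match(raw.strip())
        if m is None:
            raise ValueError(f"unsupported filter term: {raw!r}")
        terms.append((m.group(1) is not None, m.group(2), m.group(3)))
    return terms


def matches(finding, expr):
    """True if every term of expr holds for the finding (missing field = '')."""
    for negated, field, value in parse_filter(expr):
        hit = str(finding.get(field, "")) == value
        if hit == negated:      # a non-negated miss or a negated hit fails
            return False
    return True


def visible_findings(findings, expr=DASHBOARD_FILTER):
    """The findings the dashboard shows under the given query."""
    return [f for f in findings if matches(f, expr)]


def apply_mute_rule(findings, rule_filter):
    """Simulate a mute rule: copies of the findings, with mute="MUTED" set on
    every finding that matches rule_filter. The originals are left untouched."""
    muted = []
    for f in findings:
        f = dict(f)
        if matches(f, rule_filter):
            f["mute"] = "MUTED"
        muted.append(f)
    return muted


def severity_counts(findings):
    """Count findings per severity, like the Active vulnerabilities card."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    before = visible_findings(SAMPLE_FINDINGS)
    print("visible before mute rule:", severity_counts(before))
    after = visible_findings(apply_mute_rule(SAMPLE_FINDINGS, 'category="FLOW_LOGS_DISABLED"'))
    print("visible after mute rule: ", severity_counts(after))
    # Muted findings stay queryable, as in the console:
    print("muted, still queryable:", len(visible_findings(SAMPLE_FINDINGS, 'mute="MUTED"')))
```

A finding whose mute property is UNDEFINED (never touched by an analyst or a rule) is still shown, because the query excludes only MUTED; that is why a mute rule, rather than ignoring findings by eye, is the reliable way to keep a known-noisy category off the dashboard.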
Next, you test the mute rule by creating a new VPC network (scc-lab-net) with automatically configured subnets using Cloud Shell.
Cloud Shell is a browser-based command-line environment provided by Google Cloud that gives you instant access to a virtual machine with the gcloud CLI, pre-installed tools, and 5 GB of persistent storage. It allows you to manage and interact with Google Cloud resources without installing anything locally.
Launch a new Cloud Shell session and execute the following command to create the network. Verify that the output matches the example shown below.
gcloud compute networks create scc-lab-net --subnet-mode=auto
Created [https://www.googleapis.com/compute/v1/projects/...../SCC-lab-net].
NAME: SCC-lab-net
SUBNET_MODE: AUTO
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:
Upon refreshing the SCC findings view, muted Flow Logs findings are not displayed, but they remain accessible via the query editor. You then move on to investigate and remediate high-severity findings.
Using Quick Filters, you identify two high-severity issues: open RDP and SSH ports in the default network, caused by permissive firewall rules.
By editing these firewall rules and restricting source IP ranges to 35.XXX.XXX.0/20 for secure access, both findings are resolved.
Once the changes are applied and the dashboard refreshed, no high-severity findings remain, demonstrating how SCC allows both automated and manual management of vulnerabilities while maintaining control over network security.
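To make the open SSH/RDP check concrete, the script below, added here as an illustration and not code from the lab, from SCC, or from Google, applies the same logic as the OPEN_SSH_PORT and OPEN_RDP_PORT findings to firewall rules in the shape produced by gcloud compute firewall-rules list --format=json, then builds the hardened rule and the gcloud update command that restricts the source range. The sample rules are constructed; the ADMIN_SOURCE_RANGE placeholder stands in for the elided 35.XXX.XXX.0/20 range in the text and must be replaced with your own allowed range. It goes slightly beyond the text by also catching a port range (such as 20-25) that silently includes port 22, a case that is easy to miss in a manual review.

```python
"""Detect and remediate firewall rules that expose SSH/RDP to the internet.

Mirrors the logic behind the OPEN_SSH_PORT / OPEN_RDP_PORT findings described
in the text, applied locally to firewall rules in the shape produced by
`gcloud compute firewall-rules list --format=json`. The rules below are
constructed for this example; this is an illustration, not SCC's detector.
"""

# Ports and the SCC finding category associated with each (from the text).
ADMIN_PORTS = {22: "OPEN_SSH_PORT", 3389: "OPEN_RDP_PORT"}
INTERNET = {"0.0.0.0/0", "::/0"}

# Placeholder for the restricted source range: the lab value is elided in the
# text as 35.XXX.XXX.0/20, so replace this with your own allowed range.
ADMIN_SOURCE_RANGE = "35.XXX.XXX.0/20"

# Constructed sample rules (field names as in the Compute Engine firewall API).
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "network": "default", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-rdp", "network": "default", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-allow-internal", "network": "default", "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]},
                 {"IPProtocol": "icmp"}]},
    {"name": "allow-https", "network": "scc-lab-net", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    # A port range that silently includes 22: easy to miss in a manual review.
    {"name": "legacy-ftp-range", "network": "scc-lab-net", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
]


def _allows_port(entry, port):
    """Does one 'allowed' entry permit TCP traffic to the given port?"""
    if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
        return False
    ports = entry.get("ports")
    if not ports:                       # no port list means every port
        return True
    for spec in ports:                  # "22" or "20-25"
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_internet_exposed(rule):
    """Enabled ingress rule whose source ranges include the whole internet."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return False
    return any(r in INTERNET for r in rule.get("sourceRanges", []))


def open_admin_port_findings(rules):
    """High-severity findings for SSH/RDP reachable from 0.0.0.0/0."""
    findings = []
    for rule in rules:
        if not is_internet_exposed(rule):
            continue
        for port, category in ADMIN_PORTS.items():
            if any(_allows_port(a, port) for a in rule.get("allowed", [])):
                findings.append({"category": category, "severity": "HIGH",
                                 "rule": rule["name"], "network": rule["network"]})
    return findings


def restrict_source_ranges(rule, ranges):
    """Hardened copy of the rule plus the gcloud command that applies it."""
    hardened = dict(rule)
    hardened["sourceRanges"] = list(ranges)
    cmd = (f"gcloud compute firewall-rules update {rule['name']} "
           f"--source-ranges={','.join(ranges)}")
    return hardened, cmd


def harden(rules, ranges):
    """Restrict every rule that produced a finding; returns (rules, commands)."""
    flagged = {f["rule"] for f in open_admin_port_findings(rules)}
    out, cmds = [], []
    for rule in rules:
        if rule["name"] in flagged:
            rule, cmd = restrict_source_ranges(rule, ranges)
            cmds.append(cmd)
        out.append(rule)
    return out, cmds


if __name__ == "__main__":
    for f in open_admin_port_findings(SAMPLE_RULES):
        print(f"{f['severity']} {f['category']}: {f['network']}/{f['rule']}")
    hardened, cmds = harden(SAMPLE_RULES, [ADMIN_SOURCE_RANGE])
    print("\n".join(cmds))
    print("remaining findings:", len(open_admin_port_findings(hardened)))
```

Running it lists three findings (SSH and RDP on the default network, plus SSH via the 20-25 range), prints one gcloud update command per flagged rule, and reports zero findings once the hardened rules are re-checked, which is the same before/after picture the dashboard refresh gives in the lab.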