Security Command Center Premium: Now more accessible

Brodie
Qodea Google Cloud Tech Blog
4 min read · Feb 3, 2023

PAYG FTW

Google have long recommended the use of Security Command Center (SCC) Premium as the centralised security dashboard for your Google Cloud based workloads. Increasingly they surface security-related metrics in it by default, but previously its ‘org level’ structure and up-front cost have made it difficult for many organisations to implement.

Getting agreement at large enterprises to enable this across their entire GCP org can be difficult, especially when the cost could run into the hundreds of thousands. For smaller businesses, the minimum payment terms were not exactly friendly: 5% of your current annualised run rate of Google Cloud spend with a $15,000 minimum cost? Err, maybe not just now…

But, as of January 2023, Google have launched the ability to switch SCC Premium on at a per project level and bill by usage. This means no upfront cost and you’re not necessarily paying for all the non-production ‘stuff’ that can end up in a busy environment.

It’s billed per vCore-hour or by operations on storage, working out at around $30 p/m for a single quad-core Compute Engine instance — but at least that project with your shiny Kubernetes cluster in it can now be protected for a few hundred bucks a month!

SCC Premium has some great features, especially if you are running containerised workloads. The biggest wins are its Threat Detection tools, out of the box compliance monitoring and its integrations with any SIEM systems you (or your security team) may use.

Mandatory picture of some blurry lines of code — Security.

Threat Detection

The threat detection functionality falls into three main categories:

Event Threat Detection, which looks at your logs, can detect things like DNS active scans from Cloud DNS logs, log4j compromise attempts via Cloud Load Balancing logs, and malware via VPC flow logs.

VM Threat Detection can see if a machine is compromised and being used for nefarious deeds such as crypto mining.

Container Threat Detection can see remote access attempts and runtime attacks via the container host kernel. Container threats that can be detected include things like:

  • Unauthorised binaries in the container
  • Unexpected libraries in your code
  • Malicious scripts or URLs

Rapid Vulnerability Detection gives you automated N-day vulnerability scans for your external-facing systems, e.g. Cloud Load Balancers, Kubernetes Ingress, Cloud Run etc.

Combine all of that with the ability to surface alerts for these things from SCC Premium directly into your alerting tool of choice and it becomes a pretty compelling offering.

Compliance Monitoring

Ugh. Nobody really wants to spend weeks auditing their estate manually for compliance with the various national and international standards required of modern IT systems.

While certain scanning options do require an org level implementation of SCC Premium there are some metrics available on the project level tier.

As you would imagine, anything that lives outside of the context of a project doesn’t necessarily get picked up. However, the metrics that are available will still get you most of the way towards auditing for compliance with:

  • PCI DSS
  • NIST 800-53
  • ISO 27001

Security Tooling Integration

Of course, none of this useful information can be centrally triaged without plugging into your security orchestration and event monitoring tools. There are a number of plugins available for software such as Splunk, ServiceNow, QRadar and XSOAR; you can do some jiggery pokery to export to Elasticsearch if you are that way inclined; or, of course, there is the black magic that is Google Chronicle.
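Whichever tool sits at the end of the pipe, the mechanics of getting findings out of SCC Premium are the same: a notification config pushes each matching finding to a Pub/Sub topic as a JSON message, and something downstream flattens that into the shape your SIEM expects. The script below, an added example that is not from the original post nor from Google, does that flattening for the threat alerts and the compliance-tagged findings discussed above. It assumes the export message shape (a top-level `finding` object with `category`, `findingClass`, `severity`, `state`, `compliances`, plus a `resource` object); the three messages embedded in it are constructed samples, not real findings, and the `normalise`, `process` and `summarise` function names are this example's own.

```python
"""Normalise Security Command Center findings delivered via Pub/Sub into flat
SIEM-style events and tally them by severity and compliance standard.

Added example, not code from the original post or from Google. Assumes the SCC
notification-config export shape; the sample messages below are constructed.
"""
import json
from collections import Counter
from typing import Optional

# Constructed sample messages (not real findings) in the shape SCC publishes
# to a Pub/Sub topic when a notification config matches a finding.
SAMPLE_MESSAGES = [
    json.dumps({
        "notificationConfigName": "projects/example-project/notificationConfigs/siem-export",
        "finding": {
            "name": "projects/123456789012/sources/111/findings/f1",
            "category": "Malware: Bad IP",
            "findingClass": "THREAT",
            "severity": "HIGH",
            "state": "ACTIVE",
            "eventTime": "2023-02-01T10:15:00Z",
            "resourceName": "//compute.googleapis.com/projects/example-project/zones/europe-west2-a/instances/web-1",
            "compliances": [],
        },
        "resource": {"projectDisplayName": "example-project"},
    }),
    json.dumps({
        "notificationConfigName": "projects/example-project/notificationConfigs/siem-export",
        "finding": {
            "name": "projects/123456789012/sources/222/findings/f2",
            "category": "PUBLIC_BUCKET_ACL",
            "findingClass": "MISCONFIGURATION",
            "severity": "MEDIUM",
            "state": "ACTIVE",
            "eventTime": "2023-02-01T10:20:00Z",
            "resourceName": "//storage.googleapis.com/example-bucket",
            "compliances": [
                {"standard": "pci", "version": "3.2.1", "ids": ["7.1"]},
                {"standard": "nist", "version": "800-53", "ids": ["AC-3"]},
            ],
        },
        "resource": {"projectDisplayName": "example-project"},
    }),
    json.dumps({  # already resolved, so the filter should drop it
        "notificationConfigName": "projects/example-project/notificationConfigs/siem-export",
        "finding": {
            "name": "projects/123456789012/sources/222/findings/f3",
            "category": "OPEN_SSH_PORT",
            "findingClass": "MISCONFIGURATION",
            "severity": "LOW",
            "state": "INACTIVE",
            "eventTime": "2023-01-30T09:00:00Z",
            "resourceName": "//compute.googleapis.com/projects/example-project/global/firewalls/allow-ssh",
            "compliances": [{"standard": "cis", "version": "1.2", "ids": ["3.6"]}],
        },
        "resource": {"projectDisplayName": "example-project"},
    }),
]

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def normalise(raw_message: str, min_severity: str = "LOW") -> Optional[dict]:
    """Flatten one SCC notification into a SIEM-friendly event.

    Returns None for findings that are no longer ACTIVE or that fall below
    min_severity, so the SIEM only receives things that still need triage.
    """
    msg = json.loads(raw_message)
    finding = msg.get("finding", {})
    severity = finding.get("severity", "LOW")
    if finding.get("state") != "ACTIVE":
        return None
    if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[min_severity]:
        return None
    return {
        "finding_id": finding["name"].rsplit("/", 1)[-1],
        "category": finding.get("category", "UNKNOWN"),
        "finding_class": finding.get("findingClass", "UNKNOWN"),
        "severity": severity,
        "event_time": finding.get("eventTime"),
        "resource": finding.get("resourceName"),
        "project": msg.get("resource", {}).get("projectDisplayName"),
        # One "standard version" tag per control framework, e.g. "pci 3.2.1",
        # so the SIEM can pivot on the frameworks the compliance dashboard uses.
        "standards": [f"{c['standard']} {c.get('version', '')}".strip()
                      for c in finding.get("compliances", [])],
        "notification_config": msg.get("notificationConfigName"),
    }


def process(messages, min_severity: str = "LOW") -> list:
    """Normalise a batch of raw messages, dropping the ones filtered out."""
    events = [normalise(m, min_severity) for m in messages]
    return [e for e in events if e is not None]


def summarise(events) -> dict:
    """Counts per severity and per compliance standard, for a quick overview."""
    by_severity = Counter(e["severity"] for e in events)
    by_standard = Counter(s.split(" ", 1)[0] for e in events for s in e["standards"])
    return {"by_severity": dict(by_severity), "by_standard": dict(by_standard)}


if __name__ == "__main__":
    evts = process(SAMPLE_MESSAGES)
    for evt in evts:
        print(json.dumps(evt))
    print(summarise(evts))
```

In a real deployment the list of raw strings would be replaced by the Pub/Sub subscriber callback, and the `min_severity` threshold is the knob that keeps a noisy non-production project from flooding the on-call queue while still forwarding the HIGH and CRITICAL threat findings.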

Was This Just a Sales Pitch?

Well, sort of. But having a sane mechanism to surface security events picked up by your application stack is often overlooked. History is littered with unloved and unwatched event logs. Someone went to all the effort of writing grok filters for every bizarre output and legacy log format only for the valuable data to be left gathering dust, and that strange log line that popped up once every 20 minutes remained a mystery. And bad actors know this…

About CTS

CTS is the largest dedicated Google Cloud practice in Europe and one of the world’s leading Google Cloud experts, winning 2020 Google Partner of the Year Awards for both Workspace and GCP.

We offer a unique full-stack Google Cloud solution for businesses, encompassing cloud migration and infrastructure modernisation. Our data practice focuses on analysis and visualisation, providing industry-specific solutions for retail, financial services, and media and entertainment.

We’re building talented teams ready to change the world using Google technologies. So if you’re passionate, curious and keen to get stuck in — take a look at our Careers Page and join us for the ride!
