Security Command Center Enterprise: Step 1.1 - Administration | Initial Setup

The Security Command Center Enterprise tier provides security enhancements such as advanced security operations, integrations with other Google Cloud products such as Sensitive Data Protection and Assured OSS, multi-cloud support, and risk analysis.

Prerequisites

Users should have valid authentication and the ability to access the homepage and its features.
Entitlement for Security Command Center Enterprise
Create an organization
Create the management project
Appropriate Role(s) to configure Permissions

Actions

Permissions

The Security Command Center Enterprise's permissions required for initial setup include Identity and Access Management roles that must be granted to the organization and management project.

Steps

In the Google Cloud Console, users will select Navigation Menu.
User will need to make sure that they have the following role or roles on the organization:
1. Organization Administrator (roles/resourcemanager.organizationAdmin)
2. Cloud Asset Owner (roles/cloudasset.owner)
3. Security Center Admin (roles/securitycenter.admin)
4. Security Admin (roles/iam.securityAdmin)
In the Google Cloud Console, in the left Navigation side-bar, users will select IAM & Admin, and navigate to the IAM page by selecting IAM at the top of the popout.
Users will select their organization and choose the Allow tab in the IAM dashboard.
In the Principal column, users will find all rows that identify the user or a group that they are included in.
For all rows that specify or include the user, check the Role column to see whether the list of Roles includes the required roles.
Verify that the user has the following Role or Roles on the organization:
1. Organization Administrator (roles/resourcemanager.organizationAdmin)
2. Cloud Asset Owner (roles/cloudasset.owner)
3. Security Center Admin (roles/securitycenter.admin)
4. Security Admin (roles/iam.securityAdmin)
If the user does not, select the checkbox by the user in the Principal column and select the Grant Access button.
A Grant Access To popout will appear. From there users can assign:
1. New Principals
2. Select a Role
Enter the Select a Role field, and in the Filter field, enter the required Role(s).
If users need to change or Manage the Role, select Manage Role at the bottom of the Select a Role popup.
To add additional roles, users will select the Add Another Role button.
Once all of the Roles have been selected, users will select the Save button.

Relevant Documentation Links

https://cloud.google.com/security-command-center/docs/activate-enterprise-tier#configure_permissions_on_the_organization

Activate - SCCE

Activating SCCE is a key step in your onboarding journey. Follow the steps below to get started.

Steps

In the Google Cloud Console, users will select Navigation Menu.
In the Google Cloud Console, in the left Navigation side-bar, users will see the Security Command Center dropdown.
Verify that you are viewing the organization that you want to activate the Security Command Center Enterprise tier on.
Users will select Risk Overview.
At the top of the page, users will select, under Activate Security Command Center Enterprise, the Start Activation button. The Activate Security Command Center Enterprise page will appear.
In the center of the page, users will see instructions on how to Get Started with Security Command Center Enterprise. To begin, users will select the Activate Enterprise button.
The Provide Setup Details page will appear. Users will enter information Under:
1. Set Up Threat Detection, Response, and Case Management
2. Set Up a Management Project
3. Enable API
Under Set Up Threat Detection, Response, and Case Management, users will enter customer and company information.
Under Set Up a Management Project, users will specify a SCCE Management Project.
Under Enable API, user will acknowledge and enable the API needed to create Google SecOps instance for threat detection, response, and case management, by selecting the Enable Google Security Operations API button.
Once clicked, the user will see a confirmation message replacing the Enable Google Security Operations API button with a API Enabled message.
Then when users see the API Enabled message, users will select the Activate Button.

Relevant Documentation Links

tAll Steps] https://cloud.google.com/security-command-center/docs/activate-scc-overview

Configure - SCCE

Let’s configure the instance! Follow the steps below to complete the setup.

Steps

At the top of the page of the SCCE Setup section on the Risk Overview page, after selecting the Activate button in the Activation stage, there will be a new page appearing when activation begins. A message will appear at the top of the page stating that Provisioning in Progress.
Users will see three sections with individual steps and tasks:
1. Configure Basic Settings and Integrations
2. Configure Functionality
3. Configure Advanced Settings
Under the Configure Basic Settings and Integrations section, users will see six tasks, listed as steps:
1. Step 1: Grant Permissions to Service Accounts
2. Step 2: Provision Security Command Center Enterprise Services
3. Step 3: Set Up Amazon Web Services (AWS) Integration
4. Step 4: Set Up Users and Groups
5. Step 5: Configure Integrations
6. Step 6: Configure Log Ingestion
Under the Configure Functionality section, users will see four tasks, listed as steps:
1. Learn About How to Set Up Identity Search
2. Set Up Sensitive Data Protection
3. Set Up Code Security
4. Set Up Vulnerability Assessment
Under the Configure Advanced Settings section, users will see seven tasks, listed as steps:
1. Create a Resource Value Configuration
2. Review Services
3. Customize Alerts
4. Create a Playbook
5. Configure Group Logic
6. Configure Issue Owners
7. Create a Mute Rule
Upon the start of the Provisioning in Progress process, users will see the status of each task to the right stating whether the task is:
1. Completed
2. In Progress
3. Blank (If task has yet to be started or is not available at this stage).
Upon start of the Provisioning in Progress process, users will see the first two steps should be automatically completed, as they see the Provisioning in Progress process updates:
1. Step 1: Grant Permissions to Service Accounts
2. Step 2: Provision Security Command Center Enterprise Services
In Step 3: Set Up Multi-cloud Connectors, users will select the title of the step, to bring up the Settings page of Security Connectors. On that page, users will select the Add Connectors selection at the top of the table, next to the word Connector. and select a Connector from the dropdown menu and the Configure Connector page opens.
In Delegated Account ID function, users will enter (AWS in this example) the AWS account ID for the AWS Account that you can use as the delegated account.
To let Sensitive Data Protection profile your AWS Data, keep Grant Permissions for Sensitive Data Protection Discovery selected, by selecting the check box.
Optionally, users can review and edit the Advanced options. Click Continue and the Connect to AWS page opens.
Users can't change the role names after they create the connection. Do not click Create. Instead, Configure the AWS environment, then select Create.
In Step 4: Set Up Users and Groups, users will select the title of the step, to bring up the Google SecOps platform page for SOAR Settings> IAM Role Mapping, to map IAM Roles with the relevant Google SecOps permission sets.
Users with IAM roles that are not mapped in the table will be given the default settings below the table, which consist of the following selections:
1. Default Role selection toggle
2. SOC Role
3. Permission Group
4. Environments
When complete, users will select to Save.
In Step 5: Configure Integrations, users will select the title of the step, to bring up the Google SecOps platform page for Response> Integrations Set Up> Shared Instances.
Users will select the Create a New Instance button to the right of the Search function at the top right of the page.
Users will see a Configure Instance pop-up, with the following fields to fill in:
1. Environment
2. Instance Name
3. Description
Users will be able to Test the Instance by selecting Test.
In Step 6: Configure Log Ingestion, users will select the title of the step, to bring up the Google SecOps platform page for Settings> SIEM Settings> Feeds page.
On the Feeds page, users will click Add New.
In the Add Feed field, users will enter the Source Type dialog to select the Ingest Feed.
In the Log Type menu, users will select the service and click Next.
Users will enter the input parameters for the selected feed in the fields, and select Next, then Finish.
The Set Up Guide has additional options under:
1. Configure Functionality
2. Configure Advanced Settings
Under Configure Functionality, users have the following options:
1. Learn About How to Set Up identity Security
2. Set Up Sensitive Data Protection
3. Set Up Code Security
4. Set Up Vulnerability Assessment
Under Configure Advanced Settings, users have the following options:
1. Create a Resource Value Configuration
2. Review Services
3. Customize Alerts
4. Create a Playbook
5. Configure Group Logic
6. Configure Issue Owners
7. Create a Mute Rule

Relevant Documentation Links

eAll Steps] https://cloud.google.com/security-command-center/docs/how-to-configure-security-command-center
-Additional Steps] https://cloud.google.com/security-command-center/docs/activate-enterprise-tier

Settings

The Settings section allows you to customize and manage your preferences, configurations, and system options.

Steps

At the top of the page of all SCCE pages, users will see at the top right, a Settings selection button.
When selected, the Settings page for SCCE will appear.

Note: These options are only visible if you are the Organizational Level.
Users can select Settings from all sections under SCCE, which will bring users back to the Risk Overview section, but display the Settings page.
The Settings page consists of seven options:
1. Services
2. Integrated Services
3. Continuous Exports
4. Mute Rules
5. Attack Path Simulations
6. Connectors
7. Tier Details
Under the Services section, users can choose from the following Settings:
1. Security Health Analytics
2. Web Security Scanner
3. Event Threat Detection
4. Container Threat Detection
5. Virtual Machine Threat Detection
6. Vulnerability Assessment
Under the Integrated Services section, users can choose from the from several Settings from Marketplace, to include (Note: Turning off the following services does not stop them from operating, but their findings will no longer appear in Security Command Center):
1. Cloud Anomaly Detection
2. Cloud Armor
3. Sensitive Data Protection
4. IAM Recommender
5. VM Manager
Under the Continuous Exports section, users can choose to create a Pub or Sub Export. Continuous Exports let’s users transfer security findings to other tools for further analysis.
Users will then select:
1. Name
2. Description
3. Project Name
4. Where to Export to
5. Findings Query
6. Matching Findings
After completion, users will select Save.
Note: After saving users can manage Pub/Sub Exports by visiting Security Command Center Settings > Continuous Exports.
Under the Mute Rules section, users can choose to Create a Mute Rule by selecting the Create Mute Rule button.
Users will select between the two following options in the dropdown menu:
1. Dynamic Mute Rule
2. Static Mute Rule
A Create Dynamic/ Static Mute Rule page will appear, with the following options:
1. Mute Rule ID
2. Description
3. Parent Resource
4. Choose Mute Rule Actions
5. Choose Findings to Mute
6. Findings Query w/ Filter
When complete, users will select Save.
Under the Attack Path Simulations section, users can choose to:
1. Create New Configuration
2. View Valued Resources Used in Last Simulation
When users select Create New Configuration, the Create Resource Value Configuration page will appear. On the page, users will be able to enter the following information:
1. Name
2. Description
3. Cloud Provider
4. Scope
5. Select Resource Type
6. Label
7. Tag
8. Assign Resource Value
When complete, users will select Save.
Under the Connectors section, users will choose to Add a Connector, and the Add a Connector page will appear.
In the Add a Connector page, users will enter the following information:
1. Configure the Connector
2. Connect to Connector
3. Test Connector (Optional)
When complete, users will select Create.
In the Connect to…. (Example: Connect to AWS) section, users will complete one of the following:
1. Download and review the Cloud Formation templates for the delegated role and the collector role.
2. If the user configured the advanced options or need to change the default role names (aws-delegated-role, aws-collector-role, and aws-sensitive-data-protection-role), select Configure Accounts manually. Copy the Service Agent ID, delegated role name, collector role name, and the Sensitive Data Protection Collector role name. (Note: Users can't change the role names after they create the connection
Users will not click Create. Instead, configure their environment.
Once complete, users will Test the connector to verify that SCCE can connect to the environment.
When finished, users will select Create.
Under the Tier Details section, users will see their:
1. Resource
2. Tier
3. Coverage Detail
4. Billing Status
Users can select to Manage their Tier by selecting the Manage Tier button.
In the Manage Your Tier page, users can:
1. Change Tier
2. Review Services
In the Change Tier tab, users can view their:
1. Tier Subscription
2. Pricing
3. Feature Benefits
In the Review Services tab, users can view their:
1. View Current Services
2. Enable/ Disable
3. Update Your Tier
If users select Update Your Tier, they will see an option to Upgrade or Downgrade their Tier Subscription. (Note: Please do not downgrade the Tier Level without contacting your Sales Team).