Centrally manage alerts and logs of multiple cloud services within different accounts in multiple clouds - Security Center

In the increasingly complex network security environment, organizations and enterprises face challenges on how to effectively monitor and manage large amounts of alerts and logs in distributed systems. To handle these challenges, Security Center provides the Cloud Threat Detection and Response (CTDR) feature. You can use the feature to centrally manage alerts and logs of multiple cloud services within different accounts in a multi-cloud environment. The feature helps you improve O&M efficiency and respond to potential risks.

Background information

How it works

The CTDR feature provides a cloud-native management solution for security information and events. The feature provides capabilities such as log collection, alert generation, event aggregation and analysis, and event response and orchestration.

The feature collects logs from different accounts and cloud services of multiple cloud service providers. The feature also analyzes the collected logs based on predefined and custom detection rules to identify attacks, build complete attack chains, and generate security events with detailed information. When the feature detects security threats, it enables Security Orchestration Automation Response (SOAR) and handles threat sources in collaboration with related Alibaba Cloud services. The handling operation includes blocking and quarantine. This helps improve the handling efficiency of security events.

Benefits

Standardized data collection
The feature collects various logs, such as alert logs, network logs, system logs, and application logs, across services, accounts, and cloud platforms. This way, data is standardized and context is enhanced.
Multi-dimension threat detection
The feature strengthens the single-point threat detection capabilities of southbound security devices by using threat detection methods, such as multi-source data association analysis, AI image-based computing and inference, and threat intelligence that is updated in real time. The feature provides predefined cross-data-source threat detection rules and the following types of event analysis models: expert rule, graph computing, alert transmission, and same-type aggregation.
Efficient event investigation
The feature aggregates related alerts to generate security events, and automatically reconstructs the attack timeline and path. The error rate of security events triggered by alerts is only 0.0001%. This enriches event investigation context and accelerates alerting and event handling.
Automated response and orchestration
The feature automatically handles malicious entities based on automatic response rules and playbooks in collaboration with multiple services. The malicious entities include malicious IP addresses, files, and processes. This way, the emergency response experience is streamlined, normalized, and automated.

Supported services and log types

The CTDR feature supports more than 20 cloud services and more than 50 log types. The following table describes the supported cloud services and log types.

Service provider	Service	Log type
Alibaba Cloud	Security Center	Alert logs, configuration assessment logs, vulnerability logs, and baseline logs of Security Center Logon logs, network connection logs, process startup logs, file read and write logs, failed host logon logs, and failed MySQL and FTP logon logs Account snapshot logs, network snapshot logs, account snapshot logs, process snapshot logs, and port snapshot logs Internet HTTP logs, Internet session logs, Internet Domain Name System (DNS) logs, and DNS logs
	Web Application Firewall (WAF)	Alert logs and flow logs of WAF, and flow logs of WAF 3.0
	Cloud Firewall	Alert logs and flow logs of Cloud Firewall
	Anti-DDoS	Flow logs of Anti-DDoS Proxy (Chinese Mainland), flow logs of Anti-DDoS Proxy, and logs of Anti-DDoS Origin
	Bastionhost	Bastionhost logs
	CDN	Flow logs of Alibaba Cloud CDN (CDN) and flow logs of CDN WAF
	API Gateway	API Gateway logs
	Container Service for Kubernetes (ACK)	Audit logs of Kubernetes resources
	PolarDB	Audit logs of PolarDB-X 1.0 and PolarDB-X 2.0
	ApsaraDB for MongoDB	Operational logs and audit logs of ApsaraDB for MongoDB
	ApsaraDB RDS	Audit logs of ApsaraDB RDS
	Virtual Private Cloud (VPC)	Flow logs of VPC
	Elastic IP Address (EIP)	Flow logs of EIP
	Server Load Balancer (SLB)	Layer 7 logs of Classic Load Balancer (CLB) and flow logs of Application Load Balancer (ALB)
	Object Storage Service (OSS)	Batch deletion logs, metering logs, and flow logs of OSS
	File Storage NAS	Operational logs of NAS NFS
	Function Compute (FC)	Operational logs of Function Compute
	ActionTrail	ActionTrail logs
	CloudConfig	Cloud Config logs
	Edge Security Acceleration (ESA)	EdgeRoutine logs, access logs, and WAF logs of DCDN
Tencent Cloud	WAF	Alert logs of WAF
Tencent Cloud	Cloud Firewall	Alert logs of Cloud Firewall
Huawei Cloud	WAF	Alert logs of WAF
Huawei Cloud	Cloud Firewall	Alert logs of Cloud Firewall

Scenarios

The CTDR feature provides a cloud-native management platform for security information and events with multiple capabilities. The feature helps enterprises efficiently manage and respond to security threats and simplifies the security O&M procedure. The feature is suitable for the following scenarios:

Centralized collection and audit of data across cloud environments, accounts, and services
The CTDR feature collects log data across cloud environments, accounts, and services in a centralized manner. This way, you can view and audit the collected data in the Security Center console by using the global administrator account that you specify. The feature helps you monitor security events across cloud platforms and simplifies data analysis and security audit.
Centralized threat operations and monitoring
The CTDR feature provides a global monitoring and analysis insight that allows you to monitor and manage the threats of multiple services in the Security Center console. This helps enterprises identify and respond to security events at the earliest opportunity.
Global risk analysis and alert denoising
The CTDR feature reduces the quantity and frequency of alerts, and optimizes the processing of log data by aggregating and filtering alert data. This way, your security team can focus on threats with high priorities, and alert overload and false positives are reduced.
Automated response and handling of security events
The CTDR feature provides automated response and handling capabilities to help your security team handle the detected threats at the earliest opportunity. For example, the security team can block malicious sources and quarantine affected resources. The feature helps improve the efficiency of response to security events and overall security.

Purchase and enable the CTDR feature

Go to the Security Center buy page and log on with your Alibaba Cloud account.
Set the Cloud Threat Detection and Response parameter to Yes and configure the Log Data to Add and Log Storage Capacity parameters.
The following information describes the related parameters. For more information about how to select the edition of Security Center and purchase other features, see Purchase Security Center.
- Log Data to Add: required. Specify the amount of log data that you want to add to the CTDR feature for analysis each day. Unit: GB-day. You can use one of the following methods to evaluate the value of the Log Data to Add parameter:
  - Evaluate the value based on the log storage capacity that you purchased.
    Value of the Log Data to Add parameter (GB-day) = Log storage capacity/TTL × 4
    - The log storage capacity specifies the storage capacity used by logs that you want to add to the CTDR feature.
    - Time to live (TTL) specifies the log retention period.
    - 4 represents the log compression ratio, which is the ratio of log access traffic to the log storage capacity of the disk. The log compression ratio ranges from 3 to 6. We recommend that you set the ratio to 4.
  - Evaluate the value based on the Event Per Second (EPS) of logs that you want to add to the CTDR feature.
    Value of the Log Data to Add parameter (GB-day) = EPS × 86,400s × SIZE/(1,024 × 1,024)
    - EPS specifies the number of raw logs that are added to the CTDR feature within one day.
    - SIZE specifies the size of each log. In most cases, the size ranges from 3 KB to 7 KB.
- Log Storage Capacity: optional. Specify the amount of log data that you want to store. We recommend that you purchase 120 GB of log storage capacity for each server. If you purchased the log storage capacity for the log analysis feature, we recommend that you set the Log Storage Capacity parameter of the CTDR feature to a value that is three times the purchased log storage capacity for the log analysis feature. For more information, see Manage logs.
Read and select Security Center Terms of Service, click Buy Now, and then complete payment.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Detection and Response > CTDR.
On the CTDR page, click Authorize Now.
By default, Alert logs of Security Center, WAF, and Cloud Firewall are automatically added to identify security events is selected. After the authorization is complete, alert logs of Security Center, WAF, and Cloud Firewall that belong to the current logon account are added. To view more information, go to the Service Integration page. Security Center automatically creates the AliyunServiceRoleForSasCloudSiem service-linked role. The CTDR feature assumes this role to access the resources of other cloud services. For more information about AliyunServiceRoleForSasCloudSiem, see Service-linked roles for Security Center.

Changes in the Security Center console after the CTDR feature is enabled

After you enable the CTDR feature, the layout of some modules in the Security Center console is changed.

Module

Description

Detection and Response

The Detection and Response module in the left-side navigation pane is renamed CTDR. Pages such as Security Event Handling and Log Management are added to the CTDR module. In addition, the following pages are changed:

Alert Handling: This page is renamed Alert, which displays information about global alerts of CTDR.
In the upper-right corner of the Alert page, you can click Alerts on Host and Container to go to the Alerts page.
Attack Analysis: The entry point to the Attack Analysis page is not provided in the left-side navigation pane after the CTDR feature is enabled.
In the upper-right corner of the Alert page, you can click View Attack Analysis Results Within Current Account to go to the Attack Analysis page. For more information, see Attack awareness.
Investigation: The entry point to the Investigation page is not provided in the left-side navigation pane after the CTDR feature is enabled.
In the upper-right corner of the Alert page, you can click Alerts on Host and Container. On the Alerts page, you can click the icon in the Alert Name column to go to the Investigation page. For more information, see View and handle alerts.

System Configuration > Multi-account Management

The Account Monitored by Threat Analysis tab is added.

On this tab, you can add Alibaba Cloud accounts to the CTDR feature.

Terms

Before you use the CTDR feature, you must understand the terms that are related to the feature. The following table describes the terms.

Term	Description
handling policy	A handling policy describes the details of scenario-specific alert handling. A handling policy is generated based on the handling result of an entity in a scenario.
handling task	A handling task describes the details of scope-specific alert handling. The event handling process of an entity in a scenario is divided into multiple handling tasks based on scopes.
entity	An entity is the core object of an alert, which can be an IP address, a file, or a process.
SOAR	SOAR is a solution that provides automated tools and procedures to organize and manage event response measures. SOAR helps enterprises efficiently respond to security events, reduces manual interference, and improves the handling efficiency of events.
playbook	A playbook provided by SOAR is an automated security management process that consists of predefined response policies. A playbook can be automatically executed after specific events are triggered. You can create a playbook in the same manner as you draw a flowchart. A playbook contains start, judgment, action, and end nodes. You can define actions for each component on a canvas in a visualized manner. For example, you can define the network disabling action for the terminal management component.
component	A component is used to connect to an external system or service, such as WAF, Cloud Firewall, a database service, or a notification service. To serve as a connector to an external system or service, a component does not process complex logic. Complex logic is processed by the connected external system or service. After you select a component, you must select resource instances and actions for the component. Components are classified into process orchestration components, basic orchestration components, and security application components.
resource instance	A resource instance specifies an external service to which a component is connected. For example, if you want to use a MySQL component and your enterprise has multiple MySQL databases, you must specify the database to which you want to connect the MySQL component.
action	An action specifies the execution capability of a component. A component can have multiple actions. For example, the terminal management component supports actions such as disabling accounts, isolating networks, and sending notifications.

References

After you enable the CTDR feature, you can add logs of cloud services to the feature to monitor and analyze alerts and logs across resources in a centralized manner. For more information, see Add logs of cloud services.
Does the CTDR feature support devices in a data center?
Is the number of alerts reduced after the CTDR feature is enabled?