All Products
Search
Document Center

Security Center:Overview

更新時間:Nov 04, 2024

In the increasingly complex network security environment, organizations and enterprises face challenges on how to effectively monitor and manage large amounts of alerts and logs in distributed systems. To handle these challenges, Security Center provides the Cloud Threat Detection and Response (CTDR) feature. You can use the feature to centrally manage alerts and logs of multiple cloud services within different accounts in a multi-cloud environment. The feature helps you improve O&M efficiency and respond to potential risks.

Background information

How it works

The CTDR feature provides a cloud-native management solution for security information and events. The feature provides capabilities such as log collection, alert generation, event aggregation and analysis, and event response and orchestration.

The feature collects logs from different accounts and cloud services of multiple cloud service providers. The feature also analyzes the collected logs based on predefined and custom detection rules to identify attacks, build complete attack chains, and generate security events with detailed information. When the feature detects security threats, it enables Security Orchestration Automation Response (SOAR) and handles threat sources in collaboration with related Alibaba Cloud services. The handling operation includes blocking and quarantine. This helps improve the handling efficiency of security events.

image

Benefits

  • Standardized data collection

    The feature collects various logs, such as alert logs, network logs, system logs, and application logs, across services, accounts, and cloud platforms. This way, data is standardized and context is enhanced.

  • Multi-dimension threat detection

    The feature strengthens the single-point threat detection capabilities of southbound security devices by using threat detection methods, such as multi-source data association analysis, AI image-based computing and inference, and threat intelligence that is updated in real time. The feature provides predefined cross-data-source threat detection rules and the following types of event analysis models: expert rule, graph computing, alert transmission, and same-type aggregation.

  • Efficient event investigation

    The feature aggregates related alerts to generate security events, and automatically reconstructs the attack timeline and path. The error rate of security events triggered by alerts is only 0.0001%. This enriches event investigation context and accelerates alerting and event handling.

  • Automated response and orchestration

    The feature automatically handles malicious entities based on automatic response rules and playbooks in collaboration with multiple services. The malicious entities include malicious IP addresses, files, and processes. This way, the emergency response experience is streamlined, normalized, and automated.

Supported services and log types

The CTDR feature supports more than 20 cloud services and more than 50 log types. The following table describes the supported cloud services and log types.

Service provider

Service

Log type

Alibaba Cloud

Security Center

  • Alert logs, configuration assessment logs, vulnerability logs, and baseline logs of Security Center

  • Logon logs, network connection logs, process startup logs, file read and write logs, failed host logon logs, and failed MySQL and FTP logon logs

  • Account snapshot logs, network snapshot logs, account snapshot logs, process snapshot logs, and port snapshot logs

  • Internet HTTP logs, Internet session logs, Internet Domain Name System (DNS) logs, and DNS logs

Web Application Firewall (WAF)

Alert logs and flow logs of WAF, and flow logs of WAF 3.0

Cloud Firewall

Alert logs and flow logs of Cloud Firewall

Anti-DDoS

Flow logs of Anti-DDoS Proxy (Chinese Mainland), flow logs of Anti-DDoS Proxy, and logs of Anti-DDoS Origin

Bastionhost

Bastionhost logs

CDN

Flow logs of Alibaba Cloud CDN (CDN) and flow logs of CDN WAF

API Gateway

API Gateway logs

Container Service for Kubernetes (ACK)

Audit logs of Kubernetes resources

PolarDB

Audit logs of PolarDB-X 1.0 and PolarDB-X 2.0

ApsaraDB for MongoDB

Operational logs and audit logs of ApsaraDB for MongoDB

ApsaraDB RDS

Audit logs of ApsaraDB RDS

Virtual Private Cloud (VPC)

Flow logs of VPC

Elastic IP Address (EIP)

Flow logs of EIP

Server Load Balancer (SLB)

Layer 7 logs of Classic Load Balancer (CLB) and flow logs of Application Load Balancer (ALB)

Object Storage Service (OSS)

Batch deletion logs, metering logs, and flow logs of OSS

File Storage NAS

Operational logs of NAS NFS

Function Compute (FC)

Operational logs of Function Compute

ActionTrail

ActionTrail logs

CloudConfig

Cloud Config logs

Edge Security Acceleration (ESA)

EdgeRoutine logs, access logs, and WAF logs of DCDN

Tencent Cloud

WAF

Alert logs of WAF

Cloud Firewall

Alert logs of Cloud Firewall

Huawei Cloud

WAF

Alert logs of WAF

Cloud Firewall

Alert logs of Cloud Firewall

Scenarios

The CTDR feature provides a cloud-native management platform for security information and events with multiple capabilities. The feature helps enterprises efficiently manage and respond to security threats and simplifies the security O&M procedure. The feature is suitable for the following scenarios:

  • Centralized collection and audit of data across cloud environments, accounts, and services

    The CTDR feature collects log data across cloud environments, accounts, and services in a centralized manner. This way, you can view and audit the collected data in the Security Center console by using the global administrator account that you specify. The feature helps you monitor security events across cloud platforms and simplifies data analysis and security audit.

  • Centralized threat operations and monitoring

    The CTDR feature provides a global monitoring and analysis insight that allows you to monitor and manage the threats of multiple services in the Security Center console. This helps enterprises identify and respond to security events at the earliest opportunity.

  • Global risk analysis and alert denoising

    The CTDR feature reduces the quantity and frequency of alerts, and optimizes the processing of log data by aggregating and filtering alert data. This way, your security team can focus on threats with high priorities, and alert overload and false positives are reduced.

  • Automated response and handling of security events

    The CTDR feature provides automated response and handling capabilities to help your security team handle the detected threats at the earliest opportunity. For example, the security team can block malicious sources and quarantine affected resources. The feature helps improve the efficiency of response to security events and overall security.

Purchase and enable the CTDR feature

  1. Go to the Security Center buy page and log on with your Alibaba Cloud account.

  2. Set the Cloud Threat Detection and Response parameter to Yes and configure the Log Data to Add and Log Storage Capacity parameters.

    The following information describes the related parameters. For more information about how to select the edition of Security Center and purchase other features, see Purchase Security Center.

    • Log Data to Add: required. Specify the amount of log data that you want to add to the CTDR feature for analysis each day. Unit: GB-day. You can use one of the following methods to evaluate the value of the Log Data to Add parameter:

      • Evaluate the value based on the log storage capacity that you purchased.

        Value of the Log Data to Add parameter (GB-day) = Log storage capacity/TTL × 4

        • The log storage capacity specifies the storage capacity used by logs that you want to add to the CTDR feature.

        • Time to live (TTL) specifies the log retention period.

        • 4 represents the log compression ratio, which is the ratio of log access traffic to the log storage capacity of the disk. The log compression ratio ranges from 3 to 6. We recommend that you set the ratio to 4.

      • Evaluate the value based on the Event Per Second (EPS) of logs that you want to add to the CTDR feature.

        Value of the Log Data to Add parameter (GB-day) = EPS × 86,400s × SIZE/(1,024 × 1,024)

        • EPS specifies the number of raw logs that are added to the CTDR feature within one day.

        • SIZE specifies the size of each log. In most cases, the size ranges from 3 KB to 7 KB.

    • Log Storage Capacity: optional. Specify the amount of log data that you want to store. We recommend that you purchase 120 GB of log storage capacity for each server. If you purchased the log storage capacity for the log analysis feature, we recommend that you set the Log Storage Capacity parameter of the CTDR feature to a value that is three times the purchased log storage capacity for the log analysis feature. For more information, see Manage logs.

    image

  3. Read and select Security Center Terms of Service, click Buy Now, and then complete payment.

  4. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  5. In the left-side navigation pane, choose Detection and Response > CTDR.

  6. On the CTDR page, click Authorize Now.

    By default, Alert logs of Security Center, WAF, and Cloud Firewall are automatically added to identify security events is selected. After the authorization is complete, alert logs of Security Center, WAF, and Cloud Firewall that belong to the current logon account are added. To view more information, go to the Service Integration page. Security Center automatically creates the AliyunServiceRoleForSasCloudSiem service-linked role. The CTDR feature assumes this role to access the resources of other cloud services. For more information about AliyunServiceRoleForSasCloudSiem, see Service-linked roles for Security Center.

Changes in the Security Center console after the CTDR feature is enabled

After you enable the CTDR feature, the layout of some modules in the Security Center console is changed.

Module

Description

Detection and Response

The Detection and Response module in the left-side navigation pane is renamed CTDR. Pages such as Security Event Handling and Log Management are added to the CTDR module. In addition, the following pages are changed:

  • Alert Handling: This page is renamed Alert, which displays information about global alerts of CTDR.

    In the upper-right corner of the Alert page, you can click Alerts on Host and Container to go to the Alerts page.

  • Attack Analysis: The entry point to the Attack Analysis page is not provided in the left-side navigation pane after the CTDR feature is enabled.

    In the upper-right corner of the Alert page, you can click View Attack Analysis Results Within Current Account to go to the Attack Analysis page. For more information, see Attack awareness.

  • Investigation: The entry point to the Investigation page is not provided in the left-side navigation pane after the CTDR feature is enabled.

    In the upper-right corner of the Alert page, you can click Alerts on Host and Container. On the Alerts page, you can click the image.png icon in the Alert Name column to go to the Investigation page. For more information, see View and handle alerts.

    image.png

System Configuration > Multi-account Management

The Account Monitored by Threat Analysis tab is added.

On this tab, you can add Alibaba Cloud accounts to the CTDR feature.

Terms

Before you use the CTDR feature, you must understand the terms that are related to the feature. The following table describes the terms.

Term

Description

handling policy

A handling policy describes the details of scenario-specific alert handling. A handling policy is generated based on the handling result of an entity in a scenario.

handling task

A handling task describes the details of scope-specific alert handling. The event handling process of an entity in a scenario is divided into multiple handling tasks based on scopes.

entity

An entity is the core object of an alert, which can be an IP address, a file, or a process.

SOAR

SOAR is a solution that provides automated tools and procedures to organize and manage event response measures. SOAR helps enterprises efficiently respond to security events, reduces manual interference, and improves the handling efficiency of events.

playbook

A playbook provided by SOAR is an automated security management process that consists of predefined response policies. A playbook can be automatically executed after specific events are triggered.

You can create a playbook in the same manner as you draw a flowchart. A playbook contains start, judgment, action, and end nodes. You can define actions for each component on a canvas in a visualized manner. For example, you can define the network disabling action for the terminal management component.

component

A component is used to connect to an external system or service, such as WAF, Cloud Firewall, a database service, or a notification service. To serve as a connector to an external system or service, a component does not process complex logic. Complex logic is processed by the connected external system or service. After you select a component, you must select resource instances and actions for the component.

Components are classified into process orchestration components, basic orchestration components, and security application components.

resource instance

A resource instance specifies an external service to which a component is connected. For example, if you want to use a MySQL component and your enterprise has multiple MySQL databases, you must specify the database to which you want to connect the MySQL component.

action

An action specifies the execution capability of a component. A component can have multiple actions. For example, the terminal management component supports actions such as disabling accounts, isolating networks, and sending notifications.

References