2025-03-11 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com) 05/31 Report--
In this issue, the editor explains how a cloud-native SOC performs cloud detection and response. The article is detailed and written from a professional perspective; I hope you find it useful.
In traditional enterprise security, enterprises that deploy EDR (Endpoint Detection and Response) and NDR (Network Detection and Response) products can locate compromised assets in time, respond to endpoint threats, and reduce the harm caused by attacks. EDR and NDR therefore play an important role in traditional enterprise security. With the arrival of cloud computing, however, more and more enterprises are moving their business to the cloud, cloud-native security is receiving more and more attention, and the concept of Cloud Detection and Response (CDR) has emerged as a result.
Next, we will walk through some of the features of the Tencent Cloud Security Operations Center to show how the advantages of the cloud can be used for timely risk detection, response and disposal, and ultimately to protect customers' cloud security.
Pre-incident prevention
Cloud Security Configuration Management
Gartner recently pointed out in its report "How to Make Cloud More Secure Than Your Own Data Center" that most successful cloud attacks are caused by errors, such as misconfiguration, missing patches, or improper credential management for the infrastructure. By deliberately leveraging the built-in security capabilities and the high degree of automation of IaaS compute and network architecture, enterprises can materially reduce the opportunities for misconfiguration, mismanagement, and other errors. This not only shrinks the attack surface but also improves the enterprise's cloud security posture.
The main task of the Cloud Security Operations Center in the prevention phase is to run regular automatic risk assessments of cloud assets, identify and close gaps, and find and remediate risk points in time. The Security Operations Center can help tenants enumerate asset vulnerabilities, detect high-risk ports exposed to the Internet, identify asset types, check cloud security configuration items, and automatically give tenants a comprehensive risk assessment of their assets on the cloud. Here is a brief introduction to Cloud Security Configuration Management (CSPM) to give you a more concrete sense of how prevention is carried out in advance.
The image above is the cloud security configuration management page of the Security Operations Center. Using the interfaces provided by the various Tencent Cloud products, the Security Operations Center inspects and visualizes 8 types of assets and nearly 20 inspection items. The page lists the total number of check items, the total number of failed check items, the total number of assets checked, and the number of risky assets. Below that, the detailed detection items are listed, including: Cloud platform - cloud audit configuration check, SSL certificate - validity check, CLB - high-risk port exposure, Cloud Mirror - CVM security protection status, COS - file permission settings, CVM - key pair login, and so on.
Take the "CVM - key pair login" check, which mainly detects whether the CVM uses an SSH key to log in. The traditional "account + password" login method is exposed to brute-force attacks; if a brute-force attack succeeds, the asset may be turned into a bot under the attacker's control and become a springboard for further lateral movement inside the intranet. Preventive inspection for this risk can therefore avoid a large share of security incidents.
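To make the CSPM idea concrete, here is an added example (not Tencent Cloud code) that runs posture checks named on the page over a constructed asset inventory and produces the same four dashboard counters; the asset field names and the high-risk port list are assumptions standing in for what a real implementation would read from the cloud provider's APIs.

```python
from datetime import date

# Constructed inventory: a few assets of the types named on the CSPM page.
# Field names are hypothetical; a real checker would fill them from cloud APIs.
ASSETS = [
    {"id": "cvm-1", "type": "CVM", "ssh_password_login": True, "protection_agent": True},
    {"id": "cvm-2", "type": "CVM", "ssh_password_login": False, "protection_agent": True},
    {"id": "clb-1", "type": "CLB", "public_ports": [80, 443, 3389]},
    {"id": "cos-1", "type": "COS", "acl": "public-read"},
    {"id": "ssl-1", "type": "SSL", "not_after": date(2026, 1, 1)},
    {"id": "platform", "type": "PLATFORM", "cloudaudit_enabled": False},
]
HIGH_RISK_PORTS = {21, 22, 23, 445, 1433, 3306, 3389, 6379}  # assumed list
TODAY = date(2025, 3, 11)  # constructed assessment date

# Each check returns True when the asset passes; names follow the page's items.
CHECKS = {
    "CVM": [
        ("CVM-key pair login", lambda a, _: not a["ssh_password_login"]),
        ("Cloud Mirror-CVM protection status", lambda a, _: a["protection_agent"]),
    ],
    "CLB": [("CLB-high-risk port exposure",
             lambda a, _: not (set(a["public_ports"]) & HIGH_RISK_PORTS))],
    "COS": [("COS-file permission settings", lambda a, _: a["acl"] == "private")],
    "SSL": [("SSL certificate-validity", lambda a, today: a["not_after"] > today)],
    "PLATFORM": [("Cloud platform-cloud audit", lambda a, _: a["cloudaudit_enabled"])],
}

def assess(assets, today):
    """Run every applicable check and build the dashboard-style summary."""
    failures = []  # (asset id, check name) for each failed check
    for a in assets:
        for name, fn in CHECKS.get(a["type"], []):
            if not fn(a, today):
                failures.append((a["id"], name))
    return {
        "total_check_items": sum(len(v) for v in CHECKS.values()),
        "failed_check_items": len({name for _, name in failures}),
        "assets_checked": len(assets),
        "risky_assets": len({aid for aid, _ in failures}),
        "failures": failures,
    }

if __name__ == "__main__":
    summary = assess(ASSETS, TODAY)
    print({k: v for k, v in summary.items() if k != "failures"})
    for aid, name in summary["failures"]:
        print(f"FAIL {aid}: {name}")
```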
Compliance management
MLPS 2.0 (Classified Protection of Cybersecurity 2.0) puts forward "one center, triple protection". The "one center" is the security management center; the "triple protection" covers computing environment security, area boundary security and communication network security. The scheme is designed around the compliance of the security management center together with these three: an overall information security assurance system with the security management center at its core, based on computing environment security and guaranteed by area boundary security and communication network security. On top of providing log audit, internal and external threat awareness and the other security management center capabilities needed to meet MLPS 2.0, the Security Operations Center gives customers automatic assessment of some MLPS 2.0 requirements, enabling continuous, dynamic, automated compliance assessment and management. Compliance risks on the cloud can be assessed against standards such as classified protection, and recommendations for risk disposal can be provided.
Monitoring and detection during an incident
Network Security - Internet Traffic Threat Awareness
When a security incident occurs on the cloud, it is particularly important to detect and alert in time so that customers can take targeted action, and to inspect and dispose of the affected assets on their behalf. The following figure shows the network security page of the Security Operations Center.
Network security focuses on detecting threats in the north-south network traffic of tenant assets. Using the security capabilities of the Tencent Cloud platform, it monitors anomalies in the Internet traffic of tenants' assets in real time and alerts the tenants. At present, network security detection covers 45 types of network attacks.
Here are 10 types of high-risk threats:
1. SQL injection attack
2. Sensitive file detection
3. Command injection attack
4. Authentication brute-force guessing
5. Malicious file upload
6. XSS attack
7. Webshell probe
8. Exploitation of various vulnerabilities (including Heartbleed, Struts, WebLogic and other important components)
9. Reverse shell behavior, etc.
10. Host cryptomining
Alerts include the source IP, destination IP, victim asset, frequency, type, threat level and time; clicking "details" shows more.
In addition to the five-tuple information, the alert shows the detailed attack payload. The payload content is clearly visible, and the payload can often reveal the attacker's intent, which helps the security team carry out more targeted investigation. Taking the attack in the figure above as an example, you can see the attack payload in the HTTP header:
/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^
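The kind of north-south traffic detection described above, as an added example that is not the Security Operations Center's code: a small rule engine runs over constructed access-log lines (the first of which carries the ThinkPHP invokefunction request shown above, truncated as on the page), classifies them into threat types named on the page, counts failed logins per source for the brute-force case, and emits alerts with the source IP, destination IP, type, level and payload fields the page lists; the log format, rule patterns and threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines: time src_ip dst_ip dst_port method path status.
# The first path is the ThinkPHP request shown on the page; the rest are samples.
LOG_LINES = [
    "2025-03-11T08:00:01Z 203.0.113.7 10.0.0.5 80 GET /public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo 500",
    "2025-03-11T08:00:02Z 203.0.113.7 10.0.0.5 80 GET /item?id=1%27%20OR%201%3D1-- 200",
    "2025-03-11T08:00:03Z 198.51.100.9 10.0.0.5 80 GET /.git/config 404",
    "2025-03-11T08:00:04Z 198.51.100.9 10.0.0.5 80 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E 200",
    "2025-03-11T08:00:05Z 198.51.100.9 10.0.0.5 80 POST /uploads/shell.php?cmd=whoami 200",
    "2025-03-11T08:00:06Z 198.51.100.9 10.0.0.5 80 GET /ping?host=127.0.0.1;cat%20/etc/passwd 200",
    "2025-03-11T08:00:07Z 203.0.113.7 10.0.0.5 80 GET /index.html 200",
] + [f"2025-03-11T08:01:{i:02d}Z 192.0.2.4 10.0.0.5 80 POST /login 401" for i in range(6)]

RULES = [  # (threat type as named on the page, level, regex over the decoded path)
    ("Vulnerability exploitation (ThinkPHP invokefunction)", "critical",
     r"invokefunction&function=call_user_func_array"),
    ("SQL injection attack", "high", r"['\"]\s*(or|and)\s+\d+=\d+|union\s+select"),
    ("Command injection attack", "high", r"[;|`]\s*(cat|id|whoami|wget|curl)\b"),
    ("XSS attack", "medium", r"<script|javascript:"),
    ("Sensitive file detection", "medium", r"/\.(git|env|svn)\b|/etc/passwd"),
    ("webshell probe", "high", r"/uploads?/[^/?]+\.php"),
]
BRUTE_FORCE_THRESHOLD = 5  # assumed: failed logins per source before alerting

def detect(lines):
    """Return one alert per matching request, plus brute-force alerts per source."""
    alerts, failed_logins = [], Counter()
    for line in lines:
        time, src, dst, port, method, path, status = line.split()
        decoded = unquote(path)  # rules match the URL-decoded path
        if method == "POST" and status == "401":
            failed_logins[(src, dst, path)] += 1
        for threat, level, pattern in RULES:  # first (most specific) rule wins
            if re.search(pattern, decoded, re.IGNORECASE):
                alerts.append({"time": time, "src_ip": src, "dst_ip": dst, "dst_port": int(port),
                               "type": threat, "level": level, "payload": decoded})
                break
    for (src, dst, path), n in failed_logins.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append({"src_ip": src, "dst_ip": dst, "type": "Authentication brute-force guessing",
                           "level": "high", "frequency": n, "payload": path})
    return alerts

if __name__ == "__main__":
    for a in detect(LOG_LINES):
        print(a["src_ip"], "->", a["dst_ip"], a["level"], a["type"])
```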