Updated on 2023-12-22 GMT+08:00

Overall Situation Screen

Presentations, reporting, and real-time monitoring often require the SecMaster analysis results to be shown on a big screen, and simply zooming in on the console gives a poor result. SecMaster Large Screen displays the service console on larger screens with a layout designed for that purpose.

By default, SecMaster provides a large screen for comprehensive situation awareness that displays the attack history, attack status, and attack trend. This allows you to manage security incidents before, while, and after they happen.

Prerequisites

SecMaster large screen is available.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Workspace management page

  4. In the navigation pane on the left, choose Security Situation > Large Screen.

    Figure 2 Large Screen

  5. Click the Overall Situation screen. The large screen for overall situation awareness is displayed, as shown in Figure 3.

    The screen consists of the panels described in the following sections.
    Figure 3 Large screen for comprehensive situation awareness

Security Score

The security score of the current assets is displayed, as shown in Figure 4.

Table 1 Security Score

Parameter | Reference Period | Update Frequency | Description
Security Score | Real-time | Automatically updated at 02:00 every day; also updated about 5 minutes after you click Check Again in the Security Score panel on the Situation Overview page in a workspace. | The score is calculated based on which security services are enabled and on the levels and numbers of unhandled configuration issues, vulnerabilities, and threats. Each calculation item is assigned a weight. See the notes below the table.

Notes on the security score:

  • There are five risk severity levels: Secure, Informational, Low, Medium, High, and Critical.
  • The score ranges from 0 to 100. The higher the security score, the lower the risk severity level.
  • The security score starts from 0, and the risk severity level is escalated from Secure to the next level every 20 points. For example, for scores ranging from 40 to 60, the risk severity is Medium.
  • The color keys on the right of the chart name the donut slices. Each color represents a risk severity level. For example, the yellow slice indicates that your asset risk severity is Medium.
Figure 4 Security Score

Alert Statistics

The alert statistics of interconnected services are displayed, as shown in Figure 5.

To view details about the alert statistics, choose Threat Operation > Alerts in the current workspace.

Table 2 Alert statistics

Parameter | Reference Period | Update Frequency | Description
New Alerts | Today | 5 minutes | Number of new alerts generated on the current day.
Threat Alerts | Last 7 days | 5 minutes | Number of new alerts generated in the last seven days.
Unhandled Alerts | Last 7 days | 5 minutes | Number of alerts that have not been cleared in the last seven days.
Handled Alerts | Last 7 days | 5 minutes | Number of alerts that have been cleared in the last seven days.

Figure 5 Alert Statistics

Asset Protection

The protection status of servers and websites is displayed, including the proportion of protected and unprotected assets, as shown in Figure 6. You can hover the cursor over a module to view the number of protected/unprotected assets.

Table 3 Asset protection rate

Parameter | Reference Period | Update Frequency | Description
Asset Protection (%) | Last 7 days | 5 minutes | Protection status of servers and websites, including the proportion of protected and unprotected assets. Servers: numbers of ECSs protected and not protected by HSS. Websites: numbers of websites protected and not protected by WAF.

Figure 6 Asset protection rate

Baseline Inspection

The fixing status of the baseline configuration and vulnerabilities of your assets, distribution of risky resources, and vulnerability fixing trend within seven days are displayed, as shown in Figure 7.

  • To view details about the baseline data, choose Risk Prevention > Baseline Inspection in the current workspace.
  • To view details about the vulnerability data, choose Risk Prevention > Vulnerabilities in the current workspace.

Table 4 Baseline inspection

Parameter | Reference Period | Update Frequency | Description
Baseline Settings | Real-time | 5 minutes | Numbers of baseline settings that passed and failed the last baseline inspection.
Vulnerabilities | Last 7 days | 5 minutes | Numbers of fixed and unfixed vulnerabilities in the last seven days.
Resources by Severity | Real-time | 5 minutes | Numbers of unsafe resources at each severity (Critical, High, Medium, Low, and Info) in the last baseline inspection.
Vulnerabilities | Last 7 days | 5 minutes | New vulnerabilities per day for the last seven days, and the vulnerability distribution.

Figure 7 Baseline Inspection

Recent Threats

The numbers of threatened assets and security logs reported every day in the last seven days are displayed, as shown in Figure 8.

The x-axis indicates time, the y-axis on the left indicates the number of threatened assets, and the y-axis on the right indicates the number of logs. Hover the cursor over a date to view the number of threatened assets of that day.

Table 5 Recent threats

Parameter | Reference Period | Update Frequency | Description
Attacks | Last 7 days | 5 minutes | Number of alerts reported every day in the last seven days. To view details about the alert statistics, choose Threat Operation > Alerts in the current workspace.
Logs | Last 7 days | 5 minutes | Number of security logs reported every day in the last seven days.

Figure 8 Recent threats

To-Dos

The to-do items in the current workspace are displayed, as shown in Figure 9.

Table 6 To-dos

Parameter | Reference Period | Update Frequency | Description
To-Dos | Real-time | 5 minutes | To-do items under Security Situation > Task Center in the current workspace.

Figure 9 To-Dos

Resolved Issues

The alert handling status, the SLA and MTTR fulfillment rates, and the automatic incident handling statistics for the last seven days are displayed, as shown in Figure 10.

To view details about the alert statistics, choose Threat Operation > Alerts in the current workspace.

Table 7 Resolved issues

Parameter | Reference Period | Update Frequency | Description
Alerts: Alerts | Last 7 days | 5 minutes | Number of new alerts generated in the last seven days.
Alerts: Handled | Last 7 days | 5 minutes | Number of alerts that have been cleared in the last seven days.
Alerts: Manual | Last 7 days | 5 minutes | Number of alerts that were handled within the SLA time in the last seven days. Alerts handled as planned and earlier than planned are counted.
Alerts: Auto | Last 7 days | 5 minutes | Number of alerts that were automatically handled by SecMaster playbooks (see the note on close_comment below the table).
SLA and MTTR [Last 7 Days]: SLA Statistics | Last 7 days | 5 minutes | Alert handling timeliness in the last seven days. For an alert with a Service-Level Agreement (SLA) specified, if Alert closure time - Alert generation time ≤ SLA, the alert was handled in a timely manner; otherwise, it fails to meet the SLA requirement. Compliant: the alert closure time is the same as or earlier than planned. Non-compliant: the alert closure time is later than planned.
SLA and MTTR [Last 7 Days]: MTTR | Last 7 days | 5 minutes | Average alert closure time in the last seven days. Mean Time To Repair (MTTR) = sum of the processing times of all alerts / total number of alerts, where the processing time of each alert = closure time – creation time.
Handled Incidents [Last 7 Days] | Last 7 days | 5 minutes | Total number of alerts handled in the last seven days. Manual: number of alerts manually closed on the Alerts page. Auto: number of alerts automatically closed by SecMaster playbooks (see the note on close_comment below the table).

Note: To determine how an alert was handled, check whether the value of close_comment is ClosedByCSB in the alert details. If it is, the alert was automatically handled; otherwise, it was manually handled.

Figure 10 Resolved issues
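As an added example (not SecMaster code), the following Python computes the Table 7 counters from constructed alert records using the rules on this page: the seven-day window, the SLA check (closure time - generation time ≤ SLA, evaluated only for alerts that have an SLA), MTTR as the total processing time divided by the number of closed alerts, and close_comment equal to ClosedByCSB as the marker of playbook (Auto) handling, with Manual taken as the remaining closed alerts. The Alert record, its field names, and the timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Alert:
    # Assumed record shape; only close_comment / ClosedByCSB comes from the page.
    alert_id: str
    created: datetime
    closed: Optional[datetime]      # None while the alert is still open
    sla: Optional[timedelta]        # None when no SLA was specified for the alert
    close_comment: str = ""         # "ClosedByCSB" marks closure by a playbook

WINDOW = timedelta(days=7)
NOW = datetime(2023, 12, 22, 12, 0)  # constructed reference time

# Constructed sample alerts (not real SecMaster data).
ALERTS = [
    Alert("a1", NOW - timedelta(days=1), NOW - timedelta(hours=20), timedelta(hours=2), "ClosedByCSB"),  # 4 h, over SLA, auto
    Alert("a2", NOW - timedelta(days=2), NOW - timedelta(days=1, hours=21), timedelta(hours=4)),  # 3 h, within SLA, manual
    Alert("a3", NOW - timedelta(days=3), None, timedelta(hours=1)),  # still open
    Alert("a4", NOW - timedelta(days=4), NOW - timedelta(days=3, hours=23), None),  # 1 h, no SLA
    Alert("a5", NOW - timedelta(days=10), NOW - timedelta(days=9), timedelta(hours=1)),  # outside window
]

def resolved_issues(alerts, now=NOW, window=WINDOW):
    """Return the Resolved Issues counters for alerts generated within the window."""
    recent = [a for a in alerts if now - a.created <= window]
    handled = [a for a in recent if a.closed is not None]
    auto = [a for a in handled if a.close_comment == "ClosedByCSB"]
    # SLA compliance is evaluated only for closed alerts that have an SLA.
    with_sla = [a for a in handled if a.sla is not None]
    compliant = [a for a in with_sla if a.closed - a.created <= a.sla]
    # MTTR = total processing time / number of closed alerts; open alerts have no closure time.
    total = sum((a.closed - a.created for a in handled), timedelta())
    mttr = total / len(handled) if handled else None
    return {
        "alerts": len(recent),
        "handled": len(handled),
        "auto": len(auto),
        "manual": len(handled) - len(auto),
        "sla_compliant": len(compliant),
        "sla_non_compliant": len(with_sla) - len(compliant),
        "mttr_hours": mttr.total_seconds() / 3600 if mttr is not None else None,
    }

if __name__ == "__main__":
    print(resolved_issues(ALERTS))
```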