How to Buy and Use SecMaster Basic Edition

Scenario

SecMaster is a next-generation cloud native security operations center Huawei Cloud provides for you. With SecMaster, you can enjoy one-stop cloud security management. You can centrally manage cloud assets, security posture, security information, and incidents, improving security operations efficiency and responding to threats faster.

The following describes how to buy SecMaster in the AP-Bangkok region for the first time and how to use the first workspace with only default settings for security operations.

• Billing mode: yearly/monthly
• Edition: basic edition
• ECS quota: 50

The following shows the operation process in this scenario.

Figure 1 Operation Process

Operation Process

Preparations

1. Before purchasing SecMaster, sign up for a Huawei ID and enable Huawei Cloud services. For details, see Signing up for a HUAWEI ID and Enabling Huawei Cloud Services.

   If you have enabled Huawei Cloud, skip this step.

2. Ensure that the SecMaster FullAccess permission has been assigned to the account. For details, see Creating a User and Granting Permissions.

   When purchasing SecMaster, you also need to grant the BSS Administrator permission to the account.

Step 1: Buy SecMaster Basic Edition

SecMaster provides basic, standard, and professional editions. Each edition has situation awareness, baseline inspection, query and analysis, and security orchestration functions.

This step shows how to configure parameters for buying SecMaster basic edition. For details about how to buy other SecMaster editions, see Buying SecMaster.

1. Log in to Huawei Cloud management console.
2. In the upper part of the page, select a region and choose Security & Compliance > SecMaster from the service list.
3. On the overview page, click Buy SecMaster. On the access authorization panel displayed, select Agree and click OK.
4. On the purchase page, configure required parameters.

   This example only introduces mandatory parameters. Configure other parameters as needed.

   Table 1 Parameters for buying SecMaster

   Parameter	Example Value	Description
   Billing Mode	Yearly/Monthly	Billing mode of your SecMaster. Select Yearly/Monthly.
   Region	AP-Bangkok	Select the region based on where your cloud resources are located.
   Edition	Basic	SecMaster provides basic, standard, and professional editions for your choice. For details about their differences, see Edition Differences.
   Quota	1	The maximum number of ECSs you want to protect. The quota must be greater than or equal to the total number of ECSs within your account. This value cannot be changed to a smaller one after your purchase is complete. The maximum quota is 10,000. If some of your ECSs are not protected by SecMaster, threats to them cannot be detected in a timely manner, which may result in security risks, such as data leakage. To prevent this, increase the quota upon an increase of your host quantity.
   Required Duration	1 month	How long you want to use the service. Select a duration based on your needs.

5. Confirm the product details and click Next.
6. After confirming that the order details are correct, read the SecMaster Disclaimer and select "I have read and agree to the SecMaster Disclaimer", and click Pay Now.
7. On the payment page, select a payment method and complete the payment.
8. Return to the SecMaster console.

Step 2: Create a Workspace

Workspaces are top-level workbenches in SecMaster. Before using SecMaster, you need to create a workspace first.

Step 3: Start Security Operations

After the first workspace is created, SecMaster automatically initializes it. After the initialization is complete, you can experience SecMaster functions.

1. Managing assets and risks

   The essence of security operations is security risk management. According to the definition of ISO, there are three elements, assets, vulnerabilities, and threats, during security operations. Sorting the assets you want to protect is the starting point of the security operations service flow.

   • Asset management

     SecMaster helps you enable cross-region, cross-account, and cross-environment aggregation of assets. For assets from other environments, SecMaster will mark the environments these assets belong to. After the aggregation, SecMaster marks asset security status to show whether there are unsafe settings, OS or application vulnerabilities, suspicious intrusions, or unprotected cloud services. For example, all ECSs must be protected with HSS, and all domain names must be protected with WAF. This makes it possible for you to view security of all your assets in one place.

     For details, see Managing Assets.

   • Detecting and clearing unsafe settings

     During security operations, the most common vulnerabilities are unsafe settings. Based on security compliance experience, SecMaster forms a baseline for automatic checks and provides baseline check packages based on common specifications and standards in the industry.

     • SecMaster can automatically check cloud service settings. For example, SecMaster can check whether permissions are assigned by role in IAM, whether security groups allow all inbound access in VPC, and whether WAF protection policies are enabled. You can harden the configuration based on the recommended methods.

     For details, see Security Governance and Baseline Inspection.

2. On the dashboard for security situation, you can check security scores of resources in the current workspace and quickly learn about the overall security.

   For details, see Situation Overview.

Related Information

Since you have experienced the SecMaster basic edition, you may need SecMaster standard and professional editions to meet your ever-changing security requirements. These two editions provide more features, such as more security data sources, comprehensive security models, and threat response playbooks. You will get more in-depth, comprehensive security analysis and tailored security strategies. Specifically, you can:

• Enable log access: You can enable access to logs of cloud services for centralized log management, retrieval, and analysis. So, you can monitor your service environment in real time and detect abnormal behavior and potential threats in a timely manner.
• Collect logs: You can also use SecMaster to collect logs from non-Huawei Cloud services. Security data from a variety of sources is aggregated in SecMaster. This makes it possible for you to analyze security situation more deeply and comprehensively, locate fault causes more easily, and address security issues more quickly.
• Manage vulnerabilities: After configuration risks are fixed, SecMaster can help detect and fix security vulnerabilities. You can use SecMaster to centrally manage Linux, Windows, Web-CMS, application, and website vulnerabilities. You will have an overview of vulnerabilities in real time, including vulnerability scan details, vulnerability statistics, vulnerability types and distribution, top 5 vulnerabilities, and top 5 risky servers.
• Check alerts: Threat detection models in SecMaster analyze a large number of logs reported by security cloud services to identify suspected intrusions and generate alerts. An alert in SecMaster contains the following fields: name, severity, asset/threat that initiates suspicious activities, and compromised assets. Security operations engineers need to analyze and investigate alerts to find out real threats. If the risk is low, they will close the alert (such as repeated alerts and O&M operations). If the risk is high, they will convert the alert into an incident.
• Check Incidents: If an alert is converted into an incident, you can check the incident on the Incidents page. You can investigate the incident and take an emergency response. You can associate an incident with entities related to suspicious activities. The entities include assets (such as VMs), indicators (such as attack source IP addresses), accounts (such as leaked accounts), and processes (such as Trojans). You can also associate an incident with similar historical alerts or incidents.
• Create an alert model: You can use models to monitor logs in pipelines. If a log matches any trigger condition set in a model, the model will report an alert.
• Start security analysis: You can further analyze logs and filter threats precisely.
• Enable a playbook: You can use playbooks to enable automated security incident responses. This will greatly reduce the mean time to repair (MTTR) and improve the overall protection.
• Configure defense line policies: This allows you to associate SecMaster with other security services to build a multi-layer and all-round security system.
• Create an emergency policy: You can use emergency policies to quickly handle cyber security threats and restrict or block access from specific IP addresses, protecting your network resources and customers' data.
• Create a security report: SecMaster will send security reports to you in the way you specify. You will see security scores, baseline check results, security vulnerabilities, and policy coverage in a security report. This helps you learn about asset security status in a timely manner.
• Enable large screens: Through large screens, you can check real-time resource security situation and handles attacks. This function helps security operations teams monitor and analyze security threats and incidents in real time and quickly respond to them.