Updated on 2023-05-16 GMT+08:00

Features

With SA, you can manage the security posture of all your cloud assets in one place. SA provides many functional modules, including Security Overview, Resource Manager, Event Analyses, Threat Alarms, Baseline Inspection, Events, Logs, and Integrations.

Security Overview

The Security Overview page gives you a comprehensive overview of your asset security posture. It works together with other linked cloud security services to display security assessment findings in one place.

Table 1 Security Overview Functions

Function Module

Description

Security Score

SA evaluates and scores your cloud asset security. You can quickly learn of unhandled risks and their threats to your assets.

The lower the security score, the greater the overall asset security risk.

Security Monitoring

You can view how many threats, vulnerabilities, and compliance violations are unhandled, and view their details.

Your Security Score over Time

You can view your security scores for the last 7 days.

Threat Detection

You can view how many alarms were detected in the last 7 days and their types.

Resource Manager

SA displays the real-time security status of assets on the cloud.

Table 2 Resources functions

Function Module

Description

Resource Manager

SA synchronizes the security status statistics of all resources in the current account.

You can quickly locate unhealthy resources and find the solutions by viewing the resource name and security status as well as cloud services and regions involved.

Currently, you can view the security status of the following resources:

Elastic Cloud Server (ECS), Virtual Private Cloud (VPC), Object Storage Service (OBS), Elastic IP (EIP), Domain Name Service (DNS), Elastic Load Balance (ELB), Relational Database Service (RDS), Bare Metal Server (BMS), Cloud Container Engine (CCE), Cloud Container Instance (CCI), Web Application Firewall (WAF), SSL Certificate Manager (SCM), and Elastic Volume Service (EVS)

Event Analyses

This module displays security status and potential security risks on your cloud assets.

Table 3 Event analysis functions

Function Module

Description

HSS

SA aggregates alarms from HSS to centrally analyze security status and risks of your ECSs. To use this function, buy HSS first.

WAF

SA aggregates alarms from WAF to centrally analyze security status and risks of your web applications. To use this function, buy WAF first.

DBSS

SA aggregates alarms from DBSS to centrally analyze security status and risks of your databases. To use this function, buy DBSS audit first.

Threat Alarms

In this module, SA reports alarms based on real-time monitoring, displays details of alarms for the last 180 days, and defends against typical threats by using varied preset protection policies.

SA can detect and display varied types of threats, including distributed denial of service (DDoS) attacks, brute-force attacks, web attacks, Trojans, zombie computers, Command-and-Control (C&C) attacks, abnormal behavior, and exploits. For details, see Threat Alarm Events.

Table 4 Function modules in Threat Alarms

Function Module

Description

Alarms

SA lists statistics on threat alarms. You can view details of threat alarms and details of threatened assets. You can also export all alarms.

Threat Analysis

SA allows you to query threats or attacks by Attack source or Attacked asset.

Alarm Monitoring

SA allows you to customize the threat list, alarm type, and risk severity so that you see only the threat alarms you are concerned about.

Alarm Notifications

SA allows you to customize alarm notifications. You can set scheduled daily alarm notifications and real-time alarm notifications to learn about threat risks in a timely manner.

Threat Alarm Events

SA monitors your network in real time and reports alarms when threats are detected. SA can detect varied types of threats, including DDoS attacks, brute-force attacks, web attacks, backdoor Trojans, zombies, abnormal behavior, exploits, and C&C attacks.

Table 5 Threat alarm event description

Alarm Name

Alarm Description

DDoS

SA detects DDoS attacks on any of your protected hosts in real time.

More than 100 types of DDoS threats can be detected, including:

  • Network layer attacks

    NTP flood and CC attacks

  • Transport layer DDoS attacks

    SYN and ACK flood attacks

  • Session layer attacks

    SSL DDoS attacks

  • Application layer attacks

    HTTP-GET DDoS flood attacks and HTTP-POST DDoS flood attacks

Brute-force attacks

SA detects intrusions and internal risks on your hosts in real time, including brute-force attacks on accounts, such as SSH, RDP, FTP, SQL Server, and MySQL accounts, as well as abnormal logins.

The following 22 types of brute-force attacks can be reported:

  • Brute-force attacks that can be detected by SA

    SSH (2 types), RDP, Microsoft SQL, MySQL, FTP, SMB (3 types), HTTP (4 types), and Telnet brute force attacks

  • Alarms reported by HSS

    SSH, RDP, FTP, MySQL, IRC, and Webmin brute force attacks, brute force attacks on other ports, and brute force attacks on OSs

Web attacks

SA detects web threats such as malicious web scanners, malicious IP addresses, and web Trojans in real time.

The following 38 types of web threats can be detected:

  • Web attacks

    Web shell attacks (3 types), cross-site scripting (XSS) attacks, code injection attacks (7 types), SQL injection attacks (9 types), and command injection attacks.

  • Alarms reported by HSS

    Web shells, Linux web page tampering, and Windows web page tampering.

  • Alarms reported by WAF

    Cross-site scripting (XSS) attacks, command injection attacks, SQL injection attacks, directory traversal attacks, local file inclusion, remote file inclusion, remote code execution, back doors, website information leakage, exploits, IP reputation databases exploits, malicious web crawlers, web page tampering, and web page crawlers

Trojan

SA detects Trojans and malicious requests to compromised hosts in real time.

The following 5 types of Trojans can be detected:

  • Trojan files, such as PHP and JSP files, in the web directory on hosts
  • Characteristics of Trojans on compromised hosts

    Trojan: Win32/Ramnit Checkin, WannaCry ransomware request resolution, Trojan downloading, and access to HTTP File Server (HFS) download servers

Zombie

SA detects threats initiated by zombies in real time.

The following 7 types of attacks initiated by zombie hosts can be detected:

  • SSH brute-force attacks
  • RDP brute-force attacks
  • Web brute-force attacks
  • MySQL brute-force attacks
  • SQL Server brute-force attacks
  • DDoS attacks
  • Mining software

Abnormal behavior

SA detects abnormal changes and operations to the operating systems (OSs) on assets in real time.

The following 21 types of abnormal behavior can be detected:

  • Abnormal behavior that can be detected by SA

    Unauthorized file system scans, CMS V1.0 vulnerabilities, and unauthorized sensitive file access

  • Alarms reported by HSS

    Alarms generated by abnormal logins, critical file changes, network interface cards (NICs) in promiscuous mode, unsafe accounts, reverse shells, abnormal shells, high-risk command execution, abnormal automatic startups, file privilege escalation, process privilege escalation, and rootkits

  • Alarms reported by WAF

    Alarms generated against custom rules, whitelist, blacklist, geographical access control rules, malicious scanners & crawlers, IP blacklist or whitelist rules, and unauthorized access blocking

Exploit

SA detects, in real time, potentially compromised assets that may be used to initiate attacks.

The following 2 types of vulnerabilities can be detected:

  • Web-CMS exploits

CommandControl

SA detects command and control (C&C) servers in real time. A C&C server may remotely control host assets to access or establish links with malware.

The following 3 types of C&C threats can be detected:

  • Access to Domain Generation Algorithm (DGA) domain names
  • Access to malicious C&C domain names
  • Malicious communication channels between C&C servers and host assets

Baseline Inspection

SA can scan cloud baseline configurations to find unsafe settings, report alarms for events, and offer hardening suggestions.

Table 6 Baseline inspection description

Function Module

Description

Cloud Service Baseline

You can start manual scans and configure periodic scans. SA will then display events by category, report non-compliant items, and offer hardening suggestions and guidance.

SA can check your workloads based on three security standards, Cloud Security Compliance Check 1.0 and Network Security.

  • Cloud Security Compliance Check

    SA checks the identity and access management, detection, infrastructure protection, data protection, and incident response risks of cloud service products you are using.

  • Network Security

    SA checks network security risks and provides hardening suggestions.

Events

SA aggregates detection data from a variety of related services so that you can monitor all events in one place.

Table 7 Description of events

Function Module

Description

Events

Multiple event types are included. You can mark and export events, and customize the event list.

  • Event types include:

    Threat alarms, vulnerabilities, risks, compliance checks, violations, public opinions, and security notices

Logs

You can authorize Object Storage Service (OBS) to store SA logs in OBS buckets. This makes it easier for you to store and export SA logs securely and meet audit requirements for storing logs for 180 days.

Table 8 Log management description

Function Module

Description

Logs

You can store SA logs in OBS to meet log audit and disaster recovery requirements.

For SA log disaster recovery, you can use Data Ingestion Service (DIS) to transmit the logs dumped to OBS buckets to your offline security information and event management (SIEM) system. You can also upload logs in the offline SIEM system to the cloud through DIS for analysis and storage.

With DIS, you can use a wide range of data transmission tools, such as Kafka Adapter, DIS Agent, DIS Flume Plugin, DIS Flink Connector, DIS Spark Streaming, and DIS Logstash Plugin. For details, see Using DIS.

Integrations

SA integrates a variety of security products to aggregate their detection data and manage the data sources of events.

Table 9 Product integration function descriptions

Function Module

Description

Integrations

By integrating other security services, SA makes it easy for you to aggregate detection results or events reported by different products, manage the sources of events, view the transmitted data volume, and monitor the health status of detection data reporting to SA.

SA can aggregate detection data from Huawei Cloud HSS, WAF, and Anti-DDoS.