Help Center/ Managed Threat Detection/ Service Overview/ Comparison with Other Services
Updated on 2024-06-11 GMT+08:00

Comparison with Other Services

Differences Between MTD and SA

Situation Awareness (SA) is a UI-based security management platform for threat detection and analysis. SA focuses on the security threat attack posture of all your cloud assets. By aggregating detection results or events from many security products and analyzing threat data and cloud security threats, it helps you build a security system covering all your cloud assets.

MTD detects potential threats in your cloud services. It uses the AI engine, threat intelligence, and detection policies to detect threats in cloud service logs, generates alarms for detected threats, and displays statistics on the alarms.

Table 1 Differences between MTD and SA

Feature

MTD

SA

Supported product/service

  • Identity and Access Management (IAM)
  • Domain Name Service (DNS)
  • Cloud Trace Service (CTS)
  • Virtual Private Cloud (VPC)
  • Object Storage Service (OBS)
  • Host Security Service (HSS)
  • Anti-DDoS
  • Web Application Firewall (WAF)
  • Cloud Bastion Host (CBH)
  • Container Guard Service (CGS)
  • Vulnerability Scan Service (VSS)

Data source detection/analysis

  • IAM full logs
  • DNS full logs
  • CTS full logs
  • Full logs of global service VPC
  • OBS full logs
  • Network-wide traffic
  • Logs from the security defense devices
  • DNS requests
  • Threat intelligence
  • Security Information

Threat detection

  • Alarms

    MTD can report more than 40 types of alarms for the threats detected on the basis of the AI engine, threat intelligence, and detection policies.

  • Alarm events

    SA detects and displays eight types of alarm events, including more than 200 sub-types. SA also reports alarm notifications.

  • Security orchestration

    SA allows you to implement preset security orchestration policies to harden asset security.

Anti-Brute-Force Cracking Differences Between MTD and HSS

Host Security Service (HSS) improves the overall security of hosts on Huawei Cloud. HSS focuses on identifying and managing information assets on your hosts, monitoring risks on your hosts in real time, preventing unauthorized intrusions, and reducing security risks on your hosts.

In addition to detecting threats based on detection policies and intelligence, MTD uses an AI-powered detection model to detect abnormal IAM activities. Additionally, the abnormal behavior detection model of MTD detects distributed brute-force attacks on IAM accounts.

Table 2 Differences between MTD and HSS

Feature

MTD

Host Security Service (HSS)

Object

  • All accounts of your services
  • SSH account
  • RDP account
  • FTP account
  • SQL Server account
  • MySQL account
  • Other accounts

Brute-force attacks

  • MTD allows you to import threat intelligence and a whitelist to set the detection scope. It ignores the activities of whitelisted IP addresses and reports alarms for access from IP addresses or domain names that are similar to historical intelligence.
  • MTD reports alarms when a user attempts to log in to the system within IAM lock time, or when a user logs in to the system or obtains the token across regions.
  • If the number of brute-force attacks from an IP address reaches 5 within 30 seconds, the IP address will be blocked.
  • You can check whether the IP address is trustworthy based on its attack type and how many times it has been blocked. You can manually unblock the IP addresses you trust.

Abnormal login

  • MTD reports alarms if login or token obtaining success rate changes abruptly or the total number of logins or token obtaining increases sharply.
  • MTD reports an alarm if an IP address attempts to log in or obtain a token for the first time.
  • MTD reports an alarm if an IP address is used for remote login.
  • HSS detects remote logins to your hosts and reports alarms.

    HSS checks the blocked login IP addresses, and who used them to log in to which servers at what time.

  • HSS reports an alarm if a user's login location is not any common login location.
  • Trigger an alarm if a user logs in to the host by a brute-force attack.

Abnormal behavior

  • MTD identifies distributed brute-force attacks.

    MTD can effectively detect continuous attacks on IAM accounts using random public IP addresses through HTTP tunnels. Each attacking IP address is used for less than three times. These distributed brute-force attacks cannot be detected by conventional security system.

  • MTD detects AK/SK leakage.
  • MTD detects malicious agency.
  • MTD detects suspicious malicious use of tokens.
  • MTD detects suspicious password cracking behavior.
  • HSS monitors abnormal CPU usage.
  • HSS monitors malicious IP addresses accessing processes
  • HSS monitors abnormal increase in concurrent process connections