Step 6: Start Security Operations

You can now start security operations, such as asset management, threat detection, and alert investigation, based on the integrated data.

Figure 1 Secure operations

1. Manage assets and risks.
   The essence of security operations is security risk management. According to the definition of ISO, there are three elements, assets, vulnerabilities, and threats involved in security operations. Sorting the assets you want to protect is the starting point of the security operations service flow.

   Table 1 Managing assets and risks

   Operation	Description
   Sorting out and managing assets	SecMaster helps you: Aggregate cloud assets from different accounts and regions into one place. Import off-cloud assets to SecMaster and mark the environment assets belong to. SecMaster marks asset security status to show whether there are unsafe settings, OS or application vulnerabilities, suspicious intrusions, or unprotected cloud services. For example, all ECSs must be protected with HSS, and all domain names must be protected with WAF. For details, see Managing Assets.
   Checking and clearing unsafe settings	During security operations, the most common vulnerabilities are unsafe settings. Based on security compliance experience, SecMaster forms a baseline for automatic checks and provides baseline check packages based on common specifications and standards in the industry. SecMaster can automatically check cloud service settings. For example, SecMaster can check whether permissions are assigned by role in IAM, whether security groups allow all inbound access in VPC, and whether WAF protection policies are enabled. You can harden the configuration based on the recommended methods. For details, see Baseline Inspection.
   Discovering and fixing vulnerabilities	SecMaster can also help you detect and fix security vulnerabilities. You can manage Linux, Windows, Web-CMS, and application vulnerabilities in SecMaster. You will have an overview of vulnerabilities in real time, including vulnerability scan details, vulnerability statistics, vulnerability types and distribution, top 5 vulnerabilities, and top 5 risky servers. For details, see Vulnerability Management.

2. Detect threats.

   As we have sorted out assets we need to protect and fixed unsafe settings and vulnerabilities, after data sources are connected to SecMaster, the next move is to identify suspicious activities and threats.

   SecMaster provides multiple preconfigured models to detect threats. These models were designed by security experts and analysis teams based on known threats, common attack media, and suspicious activities. You will receive notifications once suspicious activities trigger those models. These models automatically search the entire environment for suspicious activities. You can also create custom threat detection models to meet your needs.

   SecMaster also provides the log data query function to help you discover threats.

   For details, see Creating a Model and Security Analysis.

3. Investigate alerts and incidents.

   Table 2 Investigating alerts and incidents

   Operation	Description
   Investigating alerts	Threat detection models analyze security cloud service logs to find suspected intrusion behaviors and generate alerts. An alert in SecMaster contains the following fields: name, severity, asset/threat that initiates suspicious activities, and compromised assets. Security operations personnel need to analyze and investigate alerts to find out real threats. If the risk is low, they will disable the alert (such as repeated alerts and O&M operations). If the risk is high, they will convert the alert to an incident. For more details, see Viewing Alerts and Converting an Alert to an Incident.
   Investigating incidents	After an alert is converted to an incident, you can view incident in the incident management module. You can investigate and analyze the incident and initiate emergency response to it. You can associate an incident with entities related to suspicious activities. The entities include assets (such as VMs), indicators (such as attack source IP addresses), accounts (such as leaked accounts), and processes (such as Trojans). You can also associate an incident with similar historical alerts or incidents. For details, see Viewing an Incident and Editing an Incident.

4. Respond to threats.

   You can use playbooks to enable automated alert and incident responses.

   For details, see Security Orchestration.

5. Use Security Overview, Large Screen, and Security Reports.

   Table 3 Security Overview, Large Screen, and Security Reports

   Function	Description
   Security Overview	This page displays the security scores of resources in the current workspace, so you can quickly learn about the security status. For details, see Situation Overview.
   Large Screen	You can view the real-time situation of resources and handle attack incidents. This function helps security operations teams monitor and analyze security threats and incidents in real time and quickly respond to them. For details, see Large Screen.
   Security Reports	Security reports are sent by SecMaster automatically. You will see security scores, baseline check results, security vulnerabilities, and policy coverage in a security report. This helps you learn about asset security status in a timely manner. For details, see Security Reports.