Help Center/ SecMaster/ Getting Started/ How to Buy and Use SecMaster Standard Edition
Updated on 2024-12-05 GMT+08:00

How to Buy and Use SecMaster Standard Edition

Scenario

SecMaster is ready for out-of-the-box. By default, for the first workspace in each region, all assets in the current region are automatically loaded, access to recommended cloud service logs enabled, and select preconfigured models and playbooks enabled. This frees you from complex manual configurations, simplifies the use process, and improves efficiency. For non-first workspaces, you need to manually configure and enable security and asset data access.

After purchasing SecMaster and creating the first workspace, you can view the resource security situation, manage assets centrally, comprehensively analyze log data, and automate security orchestration and incident response. These help you build a comprehensive security system for your assets, implement automated security operations and management, and meet your security requirements with ease.

The following describes how to buy SecMaster in the AP-Bangkok region for the first time and how to use the first workspace with only default settings for security operations.

  • Billing mode: yearly/monthly
  • Edition: standard edition
  • ECS quota: 50

The following shows the operation process in this scenario.

Figure 1 Operation Process

Operation Process

Procedure

Description

Preparations

Sign up for a Huawei account (HUAWEI ID), enable Huawei Cloud services, top up your account, and assign SecMaster permissions to the account.

Step 1: Buy SecMaster Standard Edition

Select a SecMaster edition, configure the ECS quota, and complete the purchase. (The standard edition is used as an example in this topic.)

Step 2: Create a Workspace

Create the first workspace for security operations.

Step 3: Start Security Operations

After the first workspace in a region is created, SecMaster automatically initializes it. After the initialization completes, you can start managing assets, checking for threats, investigating alerts, handling threats, as well as other security operations activities. You can also view the security situation on the situation overview page and large screens.

During the initialization, SecMaster enables access to all assets and recommended cloud service logs, such as WAF attack logs, in the current account in the current region on the cloud, as well as select preconfigured threat models and playbooks, such as the model of HSS abnormal network connection and playbook of automatic notification of high-risk vulnerabilities.

Preparations

  1. Before purchasing SecMaster, sign up for a Huawei ID and enable Huawei Cloud services. For details, see Registering a Huawei ID and Enabling Huawei Cloud Services and Real-Name Authentication.

    If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

  2. Ensure that your account has sufficient balance or has a valid payment method configured. For details, see Top-Up and Payment.
  3. Ensure that the SecMaster FullAccess permission has been assigned to the account. For details, see Creating a User and Granting Permissions.

    When purchasing SecMaster, you also need to grant the BSS Administrator permission to the account.

Step 1: Buy SecMaster Standard Edition

SecMaster provides basic, standard, and professional editions. Each edition has situation awareness, baseline inspection, query and analysis, and security orchestration functions.

This step shows how to configure parameters for buying SecMaster standard edition. For details about how to buy other SecMaster editions, see Buying SecMaster.

  1. Log in to Huawei Cloud management console.
  2. In the upper part of the page, select a region and choose Security & Compliance > SecMaster from the service list.
  3. On the overview page, click Buy SecMaster. On the access authorization panel displayed, select Agree and click OK.
  4. On the purchase page, configure required parameters.
    Table 1 Parameters for buying SecMaster

    Parameter

    Example Value

    Description

    Billing Mode

    Yearly/Monthly

    Billing mode of your SecMaster.

    • Yearly/Monthly billing is a prepaid mode in which you pay for the service before using it. Your bill is settled based on the required period. The longer you use the service, the more discounts you got.
    • Pay-per-use billing is a postpaid mode in which you pay for what you use. You are billed by second based on the actual usage. Your bill is settled by the hour. With the pay-per-use billing mode, you can easily adapt to resource requirement changes, reducing the risk of over-provisioning of resources or lacking capacity. In this mode, there are no upfront commitments required.

    Region

    AP-Bangkok

    Select the region based on where your cloud resources are located.

    Edition

    Standard

    SecMaster provides basic, standard, and professional editions for your choice. For details about their differences, see Edition Differences.

    Quota

    50

    The maximum number of ECSs you want to protect. The quota must be greater than or equal to the total number of ECSs within your account. This value cannot be changed to a smaller one after your purchase is complete.

    • The maximum quota is 10,000.
    • If some of your ECSs are not protected by SecMaster, threats to them cannot be detected in a timely manner, which may result in security risks, such as data leakage. To prevent this, increase the quota upon an increase of your host quantity.

    Large Screen

    Disabled

    Large Screen, Log Audit, Security Analysis, and Security Orchestration are optional functions. To buy them, set the purchase quantity as required.

    For details about the value-added package and recommended configurations, see Value-Added Package Description.

    Log Audit

    Buy later

    Security Analysis

    Buy later

    Security Orchestration

    Buy later

    Tag

    • Tag key: test
    • Tag value: 01

    Tags attached to SecMaster to identify resources. For details about tags, see Tag Management Service.

    Required Duration

    1 month

    Select the required duration as required. You do not need to configure this parameter in pay-per-use mode.

    The Auto-renew option enables the system to renew your service by the purchased period when the service is about to expire.

  5. Confirm the product details and click Next.
  6. After confirming that the order details are correct, read the SecMaster Disclaimer and select "I have read and agree to the SecMaster Disclaimer", and click Pay Now.
  7. On the payment page, select a payment method and complete the payment.
  8. Return to the SecMaster console.

Step 2: Create a Workspace

Workspaces are top-level workbenches in SecMaster. Before using SecMaster, you need to create a workspace first.

  1. In the navigation pane on the left, choose Workspaces > Management.
    Figure 2 Workspaces > Management
  2. On the displayed page for assigning permissions, select all required permissions (which are selected by default), select Agree to authorize, and click Confirm.

    SecMaster depends on some other cloud services, so to better use SecMaster, you can authorize SecMaster to perform some operations on certain cloud services on your behalf. For example, you can allow SecMaster to execute scheduling tasks and manage resources.

    Your authorization is required first time you try to use SecMaster.

  3. On the workspace management page, click Create and set workspace parameters.

    This example only introduces mandatory parameters. Configure other parameters as needed.

    Table 2 Parameters for creating a workspace

    Parameter

    Example Value

    Description

    Region

    AP-Bangkok

    Select the region based on where your cloud resources are deployed.

    Project Type

    Common Project

    Project that the workspace belongs to

    Workspace Name

    SecMaster

    Name of the workspace used for security operations.

  4. Click OK

Step 3: Start Security Operations

After the first workspace is created, SecMaster automatically initializes it. After the initialization completes, you can start managing assets, checking for threats, investigating alerts, handling threats, as well as other security operations activities. You can also view the security situation on the situation overview page and large screens.

Figure 3 Secure operations
  1. Managing assets and risks

    The essence of security operations is security risk management. According to the definition of ISO, there are three elements, assets, vulnerabilities, and threats, in security operations. Sorting the assets you want to protect is the starting point of the security operations service flow.

    • Asset management

      SecMaster helps you enable cross-region, cross-account, and cross-environment aggregation of assets. For assets from other environments, SecMaster will mark the environments these assets belong to. After the aggregation, SecMaster marks asset security status to show whether there are unsafe settings, OS or application vulnerabilities, suspicious intrusions, or unprotected cloud services. For example, all ECSs must be protected with HSS, and all domain names must be protected with WAF. This makes it possible for you to view security of all your assets in one place.

      For details, see Managing Assets.

    • Detecting and clearing unsafe settings

      During security operations, the most common vulnerabilities are unsafe settings. Based on security compliance experience, SecMaster forms a baseline for automatic checks and provides baseline check packages based on common specifications and standards in the industry.

      • SecMaster can automatically check cloud service settings. For example, SecMaster can check whether permissions are assigned by role in IAM, whether security groups allow all inbound access in VPC, and whether WAF protection policies are enabled. You can harden the configuration based on the recommended methods.

      For details, see Security Governance and Baseline Inspection.

    • Discovering and fixing vulnerabilities

      SecMaster can also help you detect and fix security vulnerabilities. You can use SecMaster to centrally manage Linux, Windows, Web-CMS, application, and website vulnerabilities. You will have an overview of vulnerabilities in real time, including vulnerability scan details, vulnerability statistics, vulnerability types and distribution, top 5 vulnerabilities, and top 5 risky servers.

      For details, see Vulnerability Management.

  2. Detecting threats

    As we have sorted out the assets we need to protect and fixed unsafe settings and vulnerabilities, after data sources are connected to SecMaster, the next move is to identify suspicious activities and threats.

    SecMaster provides many preconfigured threat detection models. These models were designed by security experts and analysis teams based on known threats, common attack media, and suspicious activities. You will receive notifications once suspicious activities trigger those models. These models automatically search the entire environment for suspicious activities. You can also create custom threat detection models to support your needs.

    SecMaster also provides the log data query function to help you discover threats.

    For details, see Viewing Existing Model Templates and Security Analysis Overview.

  3. Investigating alerts and incidents
    • Investigating alerts

      Threat detection models analyze security cloud service logs to find suspected intrusion behaviors and generate alerts. An alert in SecMaster contains the following fields: name, severity, asset/threat that initiates suspicious activities, and compromised assets. Security operations engineers need to analyze and investigate alerts to find out real threats. If the risk is low, they will disable the alert (such as repeated alerts and O&M operations). If the risk is high, they will convert the alert into an incident.

      For more details, see Viewing Alerts and Converting an Alert into an Incident.

    • Investigating incidents

      After an alert is converted into an incident, you can view incident in the incident management module. You can investigate the incident and take emergency response to it. You can associate an incident with entities related to suspicious activities. The entities include assets (such as VMs), indicators (such as attack source IP addresses), accounts (such as leaked accounts), and processes (such as Trojans). You can also associate an incident with similar historical alerts or incidents.

      For details, see Viewing an Incident and Editing an Incident.

  4. Responding to threats

    You can use playbooks to enable automated alert and incident responses.

    For details, see Security Orchestration.

  5. Use Security Overview, Large Screen, and Security Reports.
    • Security Overview

      This page displays the security scores of resources in the current workspace, so you can quickly learn about the security status.

    • Large Screen

      You can view the real-time situation of resources and handle attack incidents. This function helps security operations teams monitor and analyze security threats and incidents in real time and quickly respond to them.

    • Security reports

      Security reports are sent by SecMaster automatically. You will see security scores, baseline check results, security vulnerabilities, and policy coverage in a security report. This helps you learn about asset security status in a timely manner.

    For more details, see Situation Overview, Large Screen, and Security Reports.

Related Information

You can also enable access to a variety of data sources, activate all models and playbooks to analyze security status deeply and comprehensively, and configure security policies best fit your environment.

  • Enable log access: You can enable access to logs of cloud services for centralized log management, retrieval, and analysis. So, you can monitor your service environment in real time and detect abnormal behavior and potential threats in a timely manner.

    You are advised to enable access to asset details, asset alerts, baseline inspection results, vulnerability data, and logs in one workspace. This will make it easier for centralized security operations and association analysis.

  • Collect logs: You can also use SecMaster to collect logs from non-Huawei Cloud services. Security data from a variety of sources is aggregated in SecMaster. This makes it possible for you to analyze security situation more deeply and comprehensively, locate fault causes more easily, and address security issues more quickly.
  • Create an alert model: You can use models to monitor logs in pipelines. If a log matches any trigger condition set in a model, the model will report an alert.
  • Enable a playbook: You can use playbooks to enable automated security incident responses. This will greatly reduce the mean time to repair (MTTR) and improve the overall protection capabilities.
  • Start a baseline check: You can start a baseline check to assess how secure your OSs, software, databases are. This helps you rectify security risks, mitigate potential threats, and meet compliance requirements.
  • Configure defense line policies: This allows you to associate SecMaster with other security services to build a multi-layer and all-round security system.
  • Create an emergency policy: You can use emergency policies to quickly handle cyber security threats and restrict or block access from specific IP addresses, protecting your network resources and customers' data.
  • Create a security report: SecMaster will send security reports to you in the way you specify. You will see security scores, baseline check results, security vulnerabilities, and policy coverage in a security report. This helps you learn about asset security status in a timely manner.