How to Buy and Use SecMaster Standard Edition

Scenario

SecMaster is ready for out-of-the-box. By default, for the first workspace in each region, all assets in the current region are automatically loaded, access to recommended cloud service logs enabled, and select preconfigured models and playbooks enabled. This frees you from complex manual configurations, simplifies the use process, and improves efficiency. For non-first workspaces, you need to manually configure and enable security and asset data access.

After purchasing SecMaster and creating the first workspace, you can view the resource security situation, manage assets centrally, comprehensively analyze log data, and automate security orchestration and incident response. These help you build a comprehensive security system for your assets, implement automated security operations and management, and meet your security requirements with ease.

The following describes how to buy SecMaster in the AP-Bangkok region for the first time and how to use the first workspace with only default settings for security operations.

• Billing mode: yearly/monthly
• Edition: standard edition
• ECS quota: 50

The following shows the operation process in this scenario.

Figure 1 Operation Process

Operation Process

Preparations

1. Before purchasing SecMaster, sign up for a Huawei ID and enable Huawei Cloud services. For details, see Registering a Huawei ID and Enabling Huawei Cloud Services and Real-Name Authentication.

   If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

2. Ensure that your account has sufficient balance or has a valid payment method configured. For details, see Top-Up and Payment.
3. Ensure that the SecMaster FullAccess permission has been assigned to the account. For details, see Creating a User and Granting Permissions.

   When purchasing SecMaster, you also need to grant the BSS Administrator permission to the account.

Step 1: Buy SecMaster Standard Edition

SecMaster provides basic, standard, and professional editions. Each edition has situation awareness, baseline inspection, query and analysis, and security orchestration functions.

This step shows how to configure parameters for buying SecMaster standard edition. For details about how to buy other SecMaster editions, see Buying SecMaster.

1. Log in to Huawei Cloud management console.
2. In the upper part of the page, select a region and choose Security & Compliance > SecMaster from the service list.
3. On the overview page, click Buy SecMaster. On the access authorization panel displayed, select Agree and click OK.
4. On the purchase page, configure required parameters.

   Table 1 Parameters for buying SecMaster

   Parameter	Example Value	Description
   Billing Mode	Yearly/Monthly	Billing mode of your SecMaster. Yearly/Monthly billing is a prepaid mode in which you pay for the service before using it. Your bill is settled based on the required period. The longer you use the service, the more discounts you got. Pay-per-use billing is a postpaid mode in which you pay for what you use. You are billed by second based on the actual usage. Your bill is settled by the hour. With the pay-per-use billing mode, you can easily adapt to resource requirement changes, reducing the risk of over-provisioning of resources or lacking capacity. In this mode, there are no upfront commitments required.
   Region	AP-Bangkok	Select the region based on where your cloud resources are located.
   Edition	Standard	SecMaster provides basic, standard, and professional editions for your choice. For details about their differences, see Edition Differences.
   Quota	50	The maximum number of ECSs you want to protect. The quota must be greater than or equal to the total number of ECSs within your account. This value cannot be changed to a smaller one after your purchase is complete. The maximum quota is 10,000. If some of your ECSs are not protected by SecMaster, threats to them cannot be detected in a timely manner, which may result in security risks, such as data leakage. To prevent this, increase the quota upon an increase of your host quantity.
   Large Screen	Disabled	Large Screen, Log Audit, Security Analysis, and Security Orchestration are optional functions. To buy them, set the purchase quantity as required. For details about the value-added package and recommended configurations, see Value-Added Package Description.
   Log Audit	Buy later
   Security Analysis	Buy later
   Security Orchestration	Buy later
   Tag	Tag key: test Tag value: 01	Tags attached to SecMaster to identify resources. For details about tags, see Tag Management Service.
   Required Duration	1 month	Select the required duration as required. You do not need to configure this parameter in pay-per-use mode. The Auto-renew option enables the system to renew your service by the purchased period when the service is about to expire.

5. Confirm the product details and click Next.
6. After confirming that the order details are correct, read the SecMaster Disclaimer and select "I have read and agree to the SecMaster Disclaimer", and click Pay Now.
7. On the payment page, select a payment method and complete the payment.
8. Return to the SecMaster console.

Step 2: Create a Workspace

Workspaces are top-level workbenches in SecMaster. Before using SecMaster, you need to create a workspace first.

Step 3: Start Security Operations

After the first workspace is created, SecMaster automatically initializes it. After the initialization completes, you can start managing assets, checking for threats, investigating alerts, handling threats, as well as other security operations activities. You can also view the security situation on the situation overview page and large screens.

Figure 3 Secure operations

1. Managing assets and risks

   The essence of security operations is security risk management. According to the definition of ISO, there are three elements, assets, vulnerabilities, and threats, in security operations. Sorting the assets you want to protect is the starting point of the security operations service flow.

   • Asset management

     SecMaster helps you enable cross-region, cross-account, and cross-environment aggregation of assets. For assets from other environments, SecMaster will mark the environments these assets belong to. After the aggregation, SecMaster marks asset security status to show whether there are unsafe settings, OS or application vulnerabilities, suspicious intrusions, or unprotected cloud services. For example, all ECSs must be protected with HSS, and all domain names must be protected with WAF. This makes it possible for you to view security of all your assets in one place.

     For details, see Managing Assets.

   • Detecting and clearing unsafe settings

     During security operations, the most common vulnerabilities are unsafe settings. Based on security compliance experience, SecMaster forms a baseline for automatic checks and provides baseline check packages based on common specifications and standards in the industry.

     • SecMaster can automatically check cloud service settings. For example, SecMaster can check whether permissions are assigned by role in IAM, whether security groups allow all inbound access in VPC, and whether WAF protection policies are enabled. You can harden the configuration based on the recommended methods.

     For details, see Security Governance and Baseline Inspection.

   • Discovering and fixing vulnerabilities

     SecMaster can also help you detect and fix security vulnerabilities. You can use SecMaster to centrally manage Linux, Windows, Web-CMS, application, and website vulnerabilities. You will have an overview of vulnerabilities in real time, including vulnerability scan details, vulnerability statistics, vulnerability types and distribution, top 5 vulnerabilities, and top 5 risky servers.

     For details, see Vulnerability Management.

2. Detecting threats

   As we have sorted out the assets we need to protect and fixed unsafe settings and vulnerabilities, after data sources are connected to SecMaster, the next move is to identify suspicious activities and threats.

   SecMaster provides many preconfigured threat detection models. These models were designed by security experts and analysis teams based on known threats, common attack media, and suspicious activities. You will receive notifications once suspicious activities trigger those models. These models automatically search the entire environment for suspicious activities. You can also create custom threat detection models to support your needs.

   SecMaster also provides the log data query function to help you discover threats.

   For details, see Viewing Existing Model Templates and Security Analysis Overview.

3. Investigating alerts and incidents
   • Investigating alerts

     Threat detection models analyze security cloud service logs to find suspected intrusion behaviors and generate alerts. An alert in SecMaster contains the following fields: name, severity, asset/threat that initiates suspicious activities, and compromised assets. Security operations engineers need to analyze and investigate alerts to find out real threats. If the risk is low, they will disable the alert (such as repeated alerts and O&M operations). If the risk is high, they will convert the alert into an incident.

     For more details, see Viewing Alerts and Converting an Alert into an Incident.

   • Investigating incidents

     After an alert is converted into an incident, you can view incident in the incident management module. You can investigate the incident and take emergency response to it. You can associate an incident with entities related to suspicious activities. The entities include assets (such as VMs), indicators (such as attack source IP addresses), accounts (such as leaked accounts), and processes (such as Trojans). You can also associate an incident with similar historical alerts or incidents.

     For details, see Viewing an Incident and Editing an Incident.

4. Responding to threats

   You can use playbooks to enable automated alert and incident responses.

   For details, see Security Orchestration.

5. Use Security Overview, Large Screen, and Security Reports.
   • Security Overview

     This page displays the security scores of resources in the current workspace, so you can quickly learn about the security status.

   • Large Screen

     You can view the real-time situation of resources and handle attack incidents. This function helps security operations teams monitor and analyze security threats and incidents in real time and quickly respond to them.

   • Security reports

     Security reports are sent by SecMaster automatically. You will see security scores, baseline check results, security vulnerabilities, and policy coverage in a security report. This helps you learn about asset security status in a timely manner.

   For more details, see Situation Overview, Large Screen, and Security Reports.

Related Information

You can also enable access to a variety of data sources, activate all models and playbooks to analyze security status deeply and comprehensively, and configure security policies best fit your environment.

• Enable log access: You can enable access to logs of cloud services for centralized log management, retrieval, and analysis. So, you can monitor your service environment in real time and detect abnormal behavior and potential threats in a timely manner.
  

  You are advised to enable access to asset details, asset alerts, baseline inspection results, vulnerability data, and logs in one workspace. This will make it easier for centralized security operations and association analysis.

• Collect logs: You can also use SecMaster to collect logs from non-Huawei Cloud services. Security data from a variety of sources is aggregated in SecMaster. This makes it possible for you to analyze security situation more deeply and comprehensively, locate fault causes more easily, and address security issues more quickly.
• Create an alert model: You can use models to monitor logs in pipelines. If a log matches any trigger condition set in a model, the model will report an alert.
• Enable a playbook: You can use playbooks to enable automated security incident responses. This will greatly reduce the mean time to repair (MTTR) and improve the overall protection capabilities.
• Start a baseline check: You can start a baseline check to assess how secure your OSs, software, databases are. This helps you rectify security risks, mitigate potential threats, and meet compliance requirements.
• Configure defense line policies: This allows you to associate SecMaster with other security services to build a multi-layer and all-round security system.
• Create an emergency policy: You can use emergency policies to quickly handle cyber security threats and restrict or block access from specific IP addresses, protecting your network resources and customers' data.
• Create a security report: SecMaster will send security reports to you in the way you specify. You will see security scores, baseline check results, security vulnerabilities, and policy coverage in a security report. This helps you learn about asset security status in a timely manner.