
Azure Security Center detection capabilities

This document discusses Azure Security Center's advanced detection capabilities, which help identify active threats targeting your Microsoft Azure resources and provide the insight you need to respond quickly.

Advanced detections are available in the Standard tier of Azure Security Center. A free 60-day trial is available. You can upgrade from the Pricing Tier selection in the Security Policy. Visit the Security Center page to learn more about pricing.

Note

Security Center has released to limited preview a new set of detections that leverage auditd records, a common Linux auditing framework, to detect malicious behaviors on Linux machines. To join the preview, send an email with your subscription IDs to us.

Responding to today's threats

The threat landscape has changed significantly over the last 20 years. In the past, companies typically only had to worry about web site defacement by individual attackers who were mostly interested in seeing "what they could do". Today's attackers are far more sophisticated and organized. They often have specific financial and strategic goals, and they have more resources available to them, because they may be funded by nation states or organized crime.

This has led to an unprecedented level of professionalism in the attacker ranks. They are no longer interested in web defacement. They are now interested in stealing information, financial accounts, and private data, all of which they can use to generate cash on the open market or to gain leverage over a particular business, political, or military position. Even more concerning than attackers with a financial objective are those who breach networks to do harm to infrastructure and people.

In response, organizations often deploy various point solutions that focus on defending either the enterprise perimeter or endpoints by looking for known attack signatures. These solutions tend to generate a high volume of low-fidelity alerts that a security analyst must triage and investigate. Most organizations lack the time and expertise required to respond to these alerts, so many go unaddressed. Meanwhile, attackers have evolved their methods to subvert many signature-based defenses and to adapt to cloud environments. New approaches are required to identify emerging threats more quickly and to expedite detection and response.

How Azure Security Center detects and responds to threats

Microsoft security researchers are constantly on the lookout for threats. They have access to an expansive set of telemetry gained from Microsoft's global presence in the cloud and on-premises. This wide-reaching and diverse collection of datasets enables Microsoft to discover new attack patterns and trends across its on-premises consumer and enterprise products as well as its online services. As a result, Security Center can rapidly update its detection algorithms as attackers release new and increasingly sophisticated exploits. This approach helps you keep pace with a fast-moving threat environment.

Security Center threat detection works by automatically collecting security information from your Azure resources, the network, and connected partner solutions. It analyzes this information, often correlating data from multiple sources, to identify threats. Security alerts are prioritized in Security Center along with recommendations on how to remediate the threat.

Security Center data collection and presentation

Security Center employs advanced security analytics that go far beyond signature-based approaches. Breakthroughs in big data and machine learning are used to evaluate events across the entire cloud fabric, detecting threats that would be impossible to identify with manual approaches and predicting how attacks will evolve. These security analytics include:

  • Integrated threat intelligence: looks for known bad actors by leveraging global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds.
  • Behavioral analytics: applies known patterns to discover malicious behavior.
  • Anomaly detection: uses statistical profiling to build a historical baseline. It alerts on deviations from established baselines that conform to a potential attack vector.

Threat intelligence

Microsoft has an immense amount of global threat intelligence. Telemetry flows in from multiple sources, such as Azure, Office 365, Microsoft CRM Online, Microsoft Dynamics AX, outlook.com, MSN.com, the Microsoft Digital Crimes Unit (DCU), and the Microsoft Security Response Center (MSRC). Researchers also receive threat intelligence shared among major cloud service providers and subscribe to threat intelligence feeds from third parties. Azure Security Center can use this information to alert you to threats from known bad actors. Some examples include:

  • Outbound communication to a malicious IP address: outbound traffic to a known botnet or darknet likely indicates that your resource has been compromised and that an attacker is attempting to execute commands on that system or exfiltrate data. Azure Security Center compares network traffic to Microsoft's global threat database and alerts you if it detects communication with a malicious IP address.
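The indicator match described above, reduced to runnable form. This is an added example and not Security Center's implementation: the flow records, the indicator feed (single hosts and a whole range, each tagged with a category), and the list of internal networks that are excluded from matching are all constructed here. Addresses come from the RFC 5737 documentation ranges.

```python
"""Match outbound flow records against a threat-intelligence feed.

Added example: illustrative code, not Azure Security Center's implementation.
The flow records and the indicator feed below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed indicator feed: single hosts and whole ranges, each tagged with
# the category a real feed would carry (botnet C2, darknet sinkhole, ...).
THREAT_FEED = {
    "203.0.113.7": "botnet-c2",
    "198.51.100.0/24": "darknet",
}

# Traffic that stays inside these RFC 1918 ranges is not egress and is skipped.
# (ipaddress.is_private is deliberately not used: it also flags the RFC 5737
# documentation ranges used in this example as private.)
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed outbound flow records: (src, dst, dst_port, bytes_out).
FLOWS = [
    ("10.0.0.4", "192.0.2.10", 443, 2048),          # ordinary egress, no indicator
    ("10.0.0.4", "203.0.113.7", 8080, 512),         # hits the single-host indicator
    ("10.0.0.5", "198.51.100.77", 443, 1_500_000),  # hits the darknet range
    ("10.0.0.6", "10.0.0.7", 445, 4096),            # internal traffic, not checked
]


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dst_port: int
    bytes_out: int
    category: str


def compile_feed(feed):
    """Parse indicator strings into network objects once, so lookups are cheap.

    A bare address becomes a /32, so hosts and ranges share one match path."""
    return [(ipaddress.ip_network(ind, strict=False), cat) for ind, cat in feed.items()]


def match_outbound_flows(flows, feed=THREAT_FEED):
    """Return one Alert per flow whose destination falls inside an indicator."""
    networks = compile_feed(feed)
    alerts = []
    for src, dst, port, nbytes in flows:
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in INTERNAL_NETS):
            continue  # only traffic leaving the deployment is compared with the feed
        for net, cat in networks:
            if dst_ip in net:
                alerts.append(Alert(src, dst, port, nbytes, cat))
                break
    return alerts


if __name__ == "__main__":
    for a in match_outbound_flows(FLOWS):
        print(f"{a.src} -> {a.dst}:{a.dst_port} ({a.bytes_out} B) matches {a.category}")
```

Two caveats a practitioner would carry over from this sketch: indicators age, so a feed has to be refreshed and expired entries dropped rather than accumulated, and a hit on a shared hosting or CDN address is weaker evidence than a hit on a dedicated C2 host, which is why the alert keeps the indicator category and the byte count for triage.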

Behavioral analytics

Behavioral analytics is a technique that analyzes data and compares it to a collection of known patterns. These patterns are not simple signatures, however. They are determined through complex machine learning algorithms applied to massive datasets, and through careful analysis of malicious behaviors by expert analysts. Azure Security Center can use behavioral analytics to identify compromised resources based on analysis of virtual machine logs, virtual network device logs, fabric logs, crash dumps, and other sources.

In addition, these signals are correlated with others to check for supporting evidence of a widespread campaign. This correlation helps identify events that are consistent with established indicators of compromise. Some examples include:

  • Suspicious process execution: attackers employ several techniques to execute malicious software without detection. For example, an attacker might give malware the same name as a legitimate system file but place it in an alternate location, use a name that is very similar to a benign file, or mask the file's true extension. Security Center models process behaviors and monitors process executions to detect outliers such as these.
  • Hidden malware and exploitation attempts: sophisticated malware can evade traditional antimalware products by never writing to disk or by encrypting the software components it stores on disk. Such malware can still be detected through memory analysis, because it must leave traces in memory in order to function. When software crashes, a crash dump captures a portion of memory at the time of the crash. By analyzing the memory in the crash dump, Azure Security Center can detect techniques used to exploit vulnerabilities in software, access confidential data, and surreptitiously persist within a compromised machine without affecting its performance.
  • Lateral movement and internal reconnaissance: to persist in a compromised network and to locate and harvest valuable data, attackers often attempt to move laterally from the compromised machine to others within the same network. Security Center monitors process and login activity to discover attempts to expand an attacker's foothold within the network, such as remote command execution, network probing, and account enumeration.
  • Malicious PowerShell scripts: attackers use PowerShell to execute malicious code on target virtual machines for a variety of purposes. Security Center inspects PowerShell activity for evidence of suspicious activity.
  • Outgoing attacks: attackers often target cloud resources with the goal of using them to mount additional attacks. Compromised virtual machines, for example, might be used to launch brute-force attacks against other virtual machines, send spam, or scan for open ports and other devices on the internet. By applying machine learning to network traffic, Security Center can detect when outbound network communications exceed the norm. In the case of spam, Security Center also correlates unusual email traffic with intelligence from Office 365 to determine whether the mail is likely malicious or the result of a legitimate email campaign.
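The three impersonation tricks listed under "Suspicious process execution" (a system binary's name in the wrong directory, a look-alike name, and a hidden executable extension) are simple enough to check directly. The code below is an added example, not Security Center's process model: the table of expected install paths is a hand-written allow-list standing in for a learned baseline, the process-creation events are constructed, and the set of document extensions in the double-extension pattern is an illustrative choice.

```python
"""Flag process executions that imitate legitimate Windows system binaries.

Added example, not Security Center's detection logic. The expected install
paths and the sample process events are constructed for this example.
"""
import ntpath  # Windows path semantics regardless of the host running the check
import re

# Where each named system binary is expected to run from (constructed allow-list;
# a production model would learn these locations from many healthy hosts).
EXPECTED_PATHS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# A document-looking extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|bat|ps1)$", re.I)

# Constructed process-creation events (image paths only).
EVENTS = [
    r"C:\Windows\System32\svchost.exe",               # legitimate
    r"C:\Users\Public\svchost.exe",                   # right name, wrong directory
    r"C:\Windows\System32\svch0st.exe",               # look-alike name (zero for o)
    r"C:\Users\alice\Downloads\invoice.pdf.exe",      # masked extension
    r"C:\Windows\explorer.exe",                       # legitimate
]


def _edit_distance(a, b):
    """Levenshtein distance; a distance of 1 catches single-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(image_path):
    """Return the reasons an execution looks suspicious (empty list if none)."""
    directory, name = ntpath.split(image_path.lower())
    directory = directory.rstrip("\\")
    reasons = []
    if name in EXPECTED_PATHS:
        if directory not in EXPECTED_PATHS[name]:
            reasons.append(f"{name} running from unexpected directory {directory}")
    else:
        for known in EXPECTED_PATHS:
            if _edit_distance(name, known) == 1:
                reasons.append(f"{name} is one character away from system binary {known}")
    if DOUBLE_EXT.search(name):
        reasons.append(f"{name} hides an executable extension behind a document extension")
    return reasons


def scan(events=EVENTS):
    """Return (image_path, reasons) for every event that triggered at least one check."""
    findings = []
    for path in events:
        reasons = classify(path)
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in scan():
        print(path)
        for r in reasons:
            print("   ", r)
```

The path comparison is case-insensitive because NTFS is, and `ntpath` is used so the check behaves the same whether the analysis runs on Windows or on a Linux collector. A real deployment would extend the allow-list from observed executions rather than hard-code it, and would pair the look-alike check with the signer of the image rather than rely on the filename alone.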

Anomaly detection

Azure Security Center also uses anomaly detection to identify threats. In contrast to behavioral analytics, which depends on known patterns derived from large datasets, anomaly detection is more "personalized" and focuses on baselines that are specific to your deployments. Machine learning is applied to determine normal activity for your deployments, and rules are then generated to define outlier conditions that could represent a security event. Here is an example:

  • Inbound RDP/SSH brute-force attacks: your deployments may have busy virtual machines with many logins each day and other virtual machines that have very few or no logins. Azure Security Center can determine the baseline login activity for these virtual machines and use machine learning to define what falls outside normal login activity. If the number of logins, the time of day of the logins, the location from which the logins are requested, or other login-related characteristics differ significantly from the baseline, an alert may be generated. Again, machine learning determines what is significant.
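The per-VM baselining described above, reduced to a runnable sketch. This is an added example, not Security Center's model: the 14-day login history for a busy and a quiet VM and the new observations are constructed, and the thresholds (a z-score above 3 together with an absolute excess of at least 5 logins over the hourly mean) are illustrative choices. The baseline class is generic over any per-hour count series, so the same code also covers the outbound-connection volume check mentioned under "Outgoing attacks" above.

```python
"""Per-VM, per-hour login baseline with deviation scoring.

Added example, not Security Center's model. The login history and the new
observations are constructed for the example.
"""
import statistics
from collections import defaultdict


def _history(per_hour):
    """Constructed 14-day history: (hour_of_day, login_count), with a small
    day-to-day jitter so the per-hour standard deviation is non-zero."""
    return [(hour, per_hour[hour] + (day % 3)) for day in range(14) for hour in range(24)]


BUSY_PROFILE = [2] * 8 + [40] * 10 + [5] * 6   # quiet overnight, busy 08:00-17:59
QUIET_PROFILE = [0] * 24                        # almost never logged into
HISTORY = {"vm-busy": _history(BUSY_PROFILE), "vm-quiet": _history(QUIET_PROFILE)}


class LoginBaseline:
    def __init__(self, history, k=3.0, floor=5):
        """history: (hour, count) samples for one VM.
        k: z-score threshold.  floor: minimum absolute excess over the hourly
        mean before alerting, so a quiet VM does not alert on 0 -> 3 logins."""
        buckets = defaultdict(list)
        for hour, count in history:
            buckets[hour].append(count)
        self.mean = {h: statistics.fmean(v) for h, v in buckets.items()}
        self.std = {h: statistics.pstdev(v) for h, v in buckets.items()}
        self.k, self.floor = k, floor

    def score(self, hour, count):
        """Return (is_anomalous, z) for an observed login count in the given hour.

        Time of day is part of the baseline: 60 logins at 10:00 and 60 logins at
        03:00 are scored against different means."""
        mu, sigma = self.mean[hour], self.std[hour]
        excess = count - mu
        if sigma > 0:
            z = excess / sigma
        else:
            z = float("inf") if excess > 0 else 0.0  # constant history: any rise is extreme
        return (z > self.k and excess >= self.floor), z


def evaluate(observations, history=HISTORY):
    """observations: {vm: [(hour, count), ...]} -> [(vm, hour, count, z), ...] alerts."""
    alerts = []
    for vm, samples in observations.items():
        baseline = LoginBaseline(history[vm])
        for hour, count in samples:
            anomalous, z = baseline.score(hour, count)
            if anomalous:
                alerts.append((vm, hour, count, round(z, 1)))
    return alerts


# Constructed observations: a normal busy hour, a 03:00 burst on the busy VM,
# a burst on the VM that normally sees no logins, and a small rise that the
# absolute floor should suppress.
OBSERVATIONS = {
    "vm-busy": [(10, 43), (3, 60)],
    "vm-quiet": [(3, 12), (3, 4)],
}

if __name__ == "__main__":
    for vm, hour, count, z in evaluate(OBSERVATIONS):
        print(f"{vm}: {count} logins at {hour:02d}:00 (z = {z})")
```

The two thresholds do different jobs: the z-score makes the rule relative to each VM's own variability, which is what lets the same code serve a build server and an idle jump host, while the absolute floor stops near-zero baselines from turning a handful of legitimate logins into an alert. Source location and failed-versus-successful ratios would be further dimensions of the same baseline, not a different mechanism.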

Continuous threat intelligence monitoring

Azure Security Center operates security research and data science teams that continuously monitor for changes in the threat landscape. This includes the following initiatives:

  • Threat intelligence monitoring: threat intelligence includes mechanisms, indicators, implications, and actionable advice about existing or emerging threats. This information is shared in the security community, and Microsoft continuously monitors threat intelligence feeds from internal and external sources.
  • Signal sharing: insights from security teams across Microsoft's broad portfolio of cloud and on-premises services, servers, and client endpoint devices are shared and analyzed.
  • Microsoft security specialists: ongoing engagement with teams across Microsoft that work in specialized security fields, such as forensics and web attack detection.
  • Detection tuning: algorithms are run against real customer datasets, and security researchers work with customers to validate the results. True and false positives are used to refine the machine learning algorithms.

These combined efforts culminate in new and improved detections, which you benefit from instantly; there is no action for you to take.

See also

In this document, you learned how Azure Security Center's detection capabilities work. To learn more about Security Center, see the following: