Azure advanced threat detection

Azure offers built-in advanced threat detection functionality through services such as Azure Active Directory (Azure AD), Azure Monitor logs, and Azure Security Center. This collection of security services and capabilities provides a simple and fast way to understand what is happening within your Azure deployments.

Azure provides a wide array of options to configure and customize security to meet the requirements of your app deployments. This article discusses how to meet these requirements.

Azure Active Directory Identity Protection

Azure AD Identity Protection is an Azure Active Directory Premium P2 edition feature that provides an overview of the risk events and potential vulnerabilities that can affect your organization's identities. Identity Protection uses existing Azure AD anomaly-detection capabilities that are available through Azure AD Anomalous Activity Reports, and introduces new risk event types that can detect anomalies in real time.

Figure: Azure AD Identity Protection diagram

Identity Protection uses adaptive machine learning algorithms and heuristics to detect anomalies and risk events that might indicate that an identity has been compromised. Using this data, Identity Protection generates reports and alerts so that you can investigate these risk events and take appropriate remediation or mitigation action.

Azure Active Directory Identity Protection is more than a monitoring and reporting tool. Based on risk events, Identity Protection calculates a user risk level for each user, so that you can configure risk-based policies to automatically protect the identities of your organization.

These risk-based policies, in addition to other conditional access controls that are provided by Azure Active Directory and EMS, can automatically block or offer adaptive remediation actions that include password resets and multi-factor authentication enforcement.

Identity Protection capabilities

Azure Active Directory Identity Protection is more than a monitoring and reporting tool. To protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other conditional access controls provided by Azure Active Directory and EMS, can either automatically block or initiate adaptive remediation actions, including password resets and multi-factor authentication enforcement.

Examples of some of the ways that Azure Identity Protection can help secure your accounts and identities include:

Detecting risk events and risky accounts

  • Detect six risk event types using machine learning and heuristic rules.
  • Calculate user risk levels.
  • Provide custom recommendations to improve overall security posture by highlighting vulnerabilities.

Investigating risk events

  • Send notifications for risk events.
  • Investigate risk events using relevant and contextual information.
  • Provide basic workflows to track investigations.
  • Provide easy access to remediation actions such as password reset.

Risk-based, conditional-access policies

  • Mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges.
  • Block or secure risky user accounts.
  • Require users to register for multi-factor authentication.

Azure AD Privileged Identity Management

With Azure Active Directory Privileged Identity Management (PIM), you can manage, control, and monitor access within your organization. This feature includes access to resources in Azure AD and other Microsoft online services, such as Office 365 or Microsoft Intune.

Figure: Azure AD Privileged Identity Management diagram

PIM helps you:

  • Get alerts and reports about Azure AD administrators and just-in-time (JIT) administrative access to Microsoft online services, such as Office 365 and Intune.

  • Get reports about administrator access history and changes in administrator assignments.

  • Get alerts about access to a privileged role.

Azure Monitor logs

Azure Monitor logs is a Microsoft cloud-based IT management solution that helps you manage and protect your on-premises and cloud infrastructure. Because Azure Monitor logs is implemented as a cloud-based service, you can have it up and running quickly with minimal investment in infrastructure services. New security features are delivered automatically, saving ongoing maintenance and upgrade costs.

In addition to providing valuable services on its own, Azure Monitor logs can integrate with System Center components, such as System Center Operations Manager, to extend your existing security management investments into the cloud. System Center and Azure Monitor logs can work together to provide a full hybrid management experience.

Holistic security and compliance posture

The Log Analytics Security and Audit dashboard provides a comprehensive view into your organization's IT security posture, with built-in search queries for notable issues that require your attention. The Security and Audit dashboard is the home screen for everything related to security in Azure Monitor logs. It provides high-level insight into the security state of your computers. You can also view all events from the past 24 hours, 7 days, or any other custom timeframe.

Azure Monitor logs help you quickly and easily understand the overall security posture of any environment, all within the context of IT operations, including software update assessment, antimalware assessment, and configuration baselines. Security log data is readily accessible to streamline the security and compliance audit processes.

Figure: Log Analytics Security and Audit dashboard

The Log Analytics Security and Audit dashboard is organized into four major categories:

  • Security Domains: Lets you further explore security records over time; access malware assessments and update assessments; view network security, identity, and access information; view computers with security events; and quickly access the Azure Security Center dashboard.

  • Notable Issues: Lets you quickly identify the number of active issues and the severity of the issues.

  • Detections (Preview): Lets you identify attack patterns by displaying security alerts as they occur against your resources.

  • Threat Intelligence: Lets you identify attack patterns by displaying the total number of servers with outbound malicious IP traffic, the malicious threat type, and a map of the IP locations.

  • Common security queries: Lists the most common security queries that you can use to monitor your environment. When you select any query, the Search pane opens and displays the results for that query.

Insight and analytics

At the center of Azure Monitor logs is the repository, which is hosted by Azure.

Figure: Insight and analytics diagram

You collect data into the repository from connected sources by configuring data sources and adding solutions to your subscription.

Figure: Azure Monitor logs dashboard

Data sources and solutions each create separate record types with their own set of properties, but you can still analyze them together in queries to the repository. You can use the same tools and methods to work with a variety of data that's collected by various sources.

Most of your interaction with Azure Monitor logs is through the Azure portal, which runs in any browser and provides you with access to configuration settings and multiple tools to analyze and act on collected data. From the portal, you can use:

  • Log searches, where you construct queries to analyze collected data.
  • Dashboards, which you can customize with graphical views of your most valuable searches.
  • Solutions, which provide additional functionality and analysis tools.

Analysis tools

Solutions add functionality to Azure Monitor logs. They primarily run in the cloud and provide analysis of data that's collected in the Log Analytics repository. Solutions might also define new record types to be collected that can be analyzed with log searches or by using an additional user interface that the solution provides in the Log Analytics dashboard.

The Security and Audit dashboard is an example of these types of solutions.

Automation and control: Alert on security configuration drifts

Azure Automation automates administrative processes with runbooks that are based on PowerShell and run in the cloud. Runbooks can also be executed on a server in your local data center to manage local resources. Azure Automation provides configuration management with PowerShell Desired State Configuration (DSC).

Figure: Azure Automation diagram

You can create and manage DSC resources that are hosted in Azure and apply them to cloud and on-premises systems. By doing so, you can define and automatically enforce their configuration, or get reports on drift, to help ensure that security configurations remain within policy.

Azure Security Center

Azure Security Center helps protect your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions. Within the service, you can define policies against both your Azure subscriptions and resource groups for greater granularity.

Figure: Azure Security Center diagram

Microsoft security researchers are constantly on the lookout for threats. They have access to an expansive set of telemetry gained from Microsoft's global presence in the cloud and on-premises. This wide-reaching and diverse collection of datasets enables Microsoft to discover new attack patterns and trends across its on-premises consumer and enterprise products, as well as its online services.

Thus, Security Center can rapidly update its detection algorithms as attackers release new and increasingly sophisticated exploits. This approach helps you keep pace with a fast-moving threat environment.

Security Center threat detection

Security Center threat detection works by automatically collecting security information from your Azure resources, the network, and connected partner solutions. It analyzes this information, correlating information from multiple sources, to identify threats.

Security alerts are prioritized in Security Center along with recommendations on how to remediate the threat.

Security Center employs advanced security analytics, which go far beyond signature-based approaches. Breakthroughs in big data and machine learning technologies are used to evaluate events across the entire cloud fabric. Advanced analytics can detect threats that would be impossible to identify through manual approaches, and can predict the evolution of attacks. These security analytics types are covered in the next sections.

Threat intelligence

Microsoft has access to an immense amount of global threat intelligence.

Telemetry flows in from multiple sources, such as Azure, Office 365, Microsoft CRM Online, Microsoft Dynamics AX, outlook.com, MSN.com, the Microsoft Digital Crimes Unit (DCU), and the Microsoft Security Response Center (MSRC).

Figure: Threat intelligence findings

Researchers also receive threat intelligence information that is shared among major cloud service providers, and they subscribe to threat intelligence feeds from third parties. Azure Security Center can use this information to alert you to threats from known bad actors. Some examples include:

  • Harnessing the power of machine learning: Azure Security Center has access to a vast amount of data about cloud network activity, which can be used to detect threats targeting your Azure deployments.

  • Brute force detection: Machine learning is used to create a historical pattern of remote access attempts, which allows it to detect brute force attacks against Secure Shell (SSH), Remote Desktop Protocol (RDP), and SQL ports.

  • Outbound DDoS and botnet detection: A common objective of attacks that target cloud resources is to use the compute power of these resources to execute other attacks.

  • New behavioral analytics for servers and VMs: After a server or virtual machine is compromised, attackers employ a wide variety of techniques to execute malicious code on that system while avoiding detection, ensuring persistence, and obviating security controls.

  • Azure SQL Database Threat Detection: Threat detection for Azure SQL Database, which identifies anomalous database activities that indicate unusual and potentially harmful attempts to access or exploit databases.

Behavioral analytics

Behavioral analytics is a technique that analyzes and compares data to a collection of known patterns. However, these patterns are not simple signatures. They are determined through complex machine learning algorithms that are applied to massive datasets.

Figure: Behavioral analytics findings

The patterns are also determined through careful analysis of malicious behaviors by expert analysts. Azure Security Center can use behavioral analytics to identify compromised resources based on analysis of virtual machine logs, virtual network device logs, fabric logs, crash dumps, and other sources.

In addition, patterns are correlated with other signals to check for supporting evidence of a widespread campaign. This correlation helps to identify events that are consistent with established indicators of compromise.

Some examples include:

  • Suspicious process execution: Attackers employ several techniques to execute malicious software without detection. For example, an attacker might give malware the same name as a legitimate system file but place the file in an alternate location, use a name that is similar to that of a benign file, or mask the file's true extension. Security Center models process behaviors and monitors process executions to detect outliers such as these.

  • Hidden malware and exploitation attempts: Sophisticated malware can evade traditional antimalware products by either never writing to disk or encrypting software components stored on disk. However, such malware can be detected by using memory analysis, because the malware must leave traces in memory to function. When software crashes, a crash dump captures a portion of memory at the time of the crash. By analyzing the memory in the crash dump, Azure Security Center can detect techniques used to exploit vulnerabilities in software, access confidential data, and surreptitiously persist within a compromised machine, without affecting the performance of your machine.

  • Lateral movement and internal reconnaissance: To persist in a compromised network and locate and harvest valuable data, attackers often attempt to move laterally from the compromised machine to others within the same network. Security Center monitors process and login activities to discover attempts to expand an attacker's foothold within the network, such as remote command execution, network probing, and account enumeration.

  • Malicious PowerShell scripts: PowerShell can be used by attackers to execute malicious code on target virtual machines for various purposes. Security Center inspects PowerShell activity for evidence of suspicious activity.

  • Outgoing attacks: Attackers often target cloud resources with the goal of using those resources to mount additional attacks. Compromised virtual machines, for example, might be used to launch brute force attacks against other virtual machines, send spam, or scan open ports and other devices on the internet. By applying machine learning to network traffic, Security Center can detect when outbound network communications exceed the norm. When spam is detected, Security Center also correlates unusual email traffic with intelligence from Office 365 to determine whether the mail is likely nefarious or the result of a legitimate email campaign.
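The three masquerading techniques in the first bullet (a legitimate system file name in the wrong location, a lookalike name, a masked extension) can be checked mechanically against process-creation events. The following Python is an added example and not Security Center's code: the allow-list of expected system binary directories, the 0.85 similarity cutoff and the sample image paths are all constructed for illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed allow-list (assumption): binary name -> the only directory it is expected to run from
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}
LOOKALIKE_CUTOFF = 0.85  # assumed similarity ratio above which a name counts as "close to" a system binary


@dataclass
class Finding:
    image_path: str
    reason: str


def split_image_path(image_path: str):
    """Normalise to lower case and Windows separators, then split into (directory, file name)."""
    path = image_path.lower().replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    return directory, name


def check_process(image_path: str) -> list[Finding]:
    """Return the masquerading indicators found for one process-creation event."""
    directory, name = split_image_path(image_path)
    findings = []

    expected = KNOWN_SYSTEM_BINARIES.get(name)
    if expected is not None:
        # Known system binary name: it must run from its expected directory
        if directory != expected:
            findings.append(Finding(image_path, f"{name} expected in {expected}, ran from {directory}"))
    else:
        # Unknown name: is it a near miss for a system binary (one character swapped or changed)?
        for known in KNOWN_SYSTEM_BINARIES:
            ratio = SequenceMatcher(None, name, known).ratio()
            if ratio >= LOOKALIKE_CUTOFF:
                findings.append(Finding(image_path, f"name resembles {known} (similarity {ratio:.2f})"))
                break

    # Masked extension: "invoice.pdf.exe" displays as "invoice.pdf" when known extensions are hidden
    parts = name.split(".")
    if len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(Finding(image_path, f"double extension: .{parts[-2]} masks .{parts[-1]}"))
    return findings


# Constructed sample of process-creation image paths (not real telemetry)
SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe",              # normal
    r"C:\Users\bob\AppData\Local\Temp\svchost.exe",  # right name, wrong place
    r"C:\Users\bob\AppData\Roaming\svch0st.exe",     # lookalike name
    r"C:\Users\bob\Downloads\invoice.pdf.exe",       # masked extension
    r"C:\Windows\System32\notepad.exe",              # normal, not on the allow-list
]


def scan_events(events=SAMPLE_EVENTS) -> list[Finding]:
    """Run every event through check_process and collect the findings."""
    return [finding for event in events for finding in check_process(event)]


if __name__ == "__main__":
    for f in scan_events():
        print(f"{f.image_path}: {f.reason}")
```

Run against the constructed sample, the scan yields three findings, one per masquerading technique, and nothing for the two ordinary executions. A real deployment would derive the allow-list from the host's own baseline rather than a hard-coded dictionary, and would feed the findings into the same prioritised alert stream the page describes rather than printing them.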

Anomaly detection

Azure Security Center also uses anomaly detection to identify threats. In contrast to behavioral analytics (which depends on known patterns derived from large data sets), anomaly detection is more "personalized" and focuses on baselines that are specific to your deployments. Machine learning is applied to determine normal activity for your deployments, and then rules are generated to define outlier conditions that could represent a security event. Here's an example:

  • Inbound RDP/SSH brute force attacks: Your deployments might have busy virtual machines with many logins each day and other virtual machines that have few, if any, logins. Azure Security Center can determine baseline login activity for these virtual machines and use machine learning to define what counts as normal login activity. If there is any discrepancy with the baseline defined for login-related characteristics, an alert might be generated. Again, machine learning determines what is significant.
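Added example, not Security Center's algorithm: a per-VM baseline of daily inbound logins that flags days which deviate from that VM's own history, including the edge case the bullet mentions of a VM that normally has few or no logins at all. The VM names, the 14-day history and the fixed z-score and minimum-delta thresholds are constructed assumptions; where this uses a fixed threshold, Security Center lets machine learning decide what is significant.

```python
from statistics import mean, pstdev

# Constructed 14-day history of inbound (RDP/SSH) login counts per VM: a busy web server,
# a lightly used bastion host, and a batch node that normally sees no interactive logins.
LOGIN_HISTORY = {
    "web-01":   [120, 131, 118, 125, 140, 129, 122, 135, 127, 119, 133, 128, 124, 130],
    "bastion":  [4, 6, 5, 3, 5, 4, 6, 5, 4, 5, 3, 6, 5, 4],
    "batch-07": [0] * 14,
}


def baseline(counts):
    """Per-VM baseline: mean and population standard deviation of the daily history."""
    return mean(counts), pstdev(counts)


def score_vm(vm, todays_logins, history=LOGIN_HISTORY, z_threshold=3.0, min_delta=5):
    """Compare today's count with this VM's own baseline (thresholds are assumptions)."""
    mu, sigma = baseline(history[vm])
    delta = todays_logins - mu
    if sigma == 0:
        # Dormant VM: its baseline is "never", so any login at all is a deviation worth a look
        alert = todays_logins > 0
        z = float("inf") if alert else 0.0
    else:
        # Busy VM: require both a statistically unusual day and a non-trivial absolute jump,
        # so a very stable host is not alerted on a one-login difference
        z = delta / sigma
        alert = z >= z_threshold and delta >= min_delta
    return {"vm": vm, "logins": todays_logins, "baseline": round(mu, 1), "z": round(z, 1), "alert": alert}


def evaluate_day(todays_counts, history=LOGIN_HISTORY):
    """Score every VM reported today and return only the ones that should raise an alert."""
    scored = (score_vm(vm, n, history) for vm, n in todays_counts.items())
    return [r for r in scored if r["alert"]]


if __name__ == "__main__":
    # Constructed "today": web-01 is within its normal range, the bastion sees 40 logins
    # instead of about 5, and the batch node sees 3 where it normally sees none
    for alert in evaluate_day({"web-01": 134, "bastion": 40, "batch-07": 3}):
        print(alert)
```

Note that the same absolute count means different things per VM: 40 logins would be a quiet day for web-01 and an alert for the bastion host, which is the "personalized" baseline the section contrasts with pattern-based behavioral analytics.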

Continuous threat intelligence monitoring

Azure Security Center operates with security research and data science teams throughout the world that continuously monitor for changes in the threat landscape. This includes the following initiatives:

  • Threat intelligence monitoring: Threat intelligence includes mechanisms, indicators, implications, and actionable advice about existing or emerging threats. This information is shared in the security community, and Microsoft continuously monitors threat intelligence feeds from internal and external sources.

  • Signal sharing: Insights from security teams across the broad Microsoft portfolio of cloud and on-premises services, servers, and client endpoint devices are shared and analyzed.

  • Microsoft security specialists: Ongoing engagement with teams across Microsoft that work in specialized security fields, such as forensics and web attack detection.

  • Detection tuning: Algorithms are run against real customer data sets, and security researchers work with customers to validate the results. True and false positives are used to refine the machine learning algorithms.

These combined efforts culminate in new and improved detections, which you can benefit from instantly. There's no action for you to take.

Advanced threat detection features: Other Azure services

Virtual machines: Microsoft antimalware

Microsoft antimalware for Azure is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. You can deploy protection based on the needs of your application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring. Azure antimalware is a security option for Azure virtual machines that's automatically installed on all Azure PaaS virtual machines.

Microsoft antimalware core features

Here are the features of Azure that deploy and enable Microsoft antimalware for your applications:

  • Real-time protection: Monitors activity in cloud services and on virtual machines to detect and block malware execution.

  • Scheduled scanning: Periodically performs targeted scanning to detect malware, including actively running programs.

  • Malware remediation: Automatically acts on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries.

  • Signature updates: Automatically installs the latest protection signatures (virus definitions) at a predetermined frequency to ensure that protection is up to date.

  • Antimalware Engine updates: Automatically updates the Microsoft Antimalware Engine.

  • Antimalware platform updates: Automatically updates the Microsoft antimalware platform.

  • Active protection: Reports telemetry metadata about detected threats and suspicious resources to Microsoft Azure to ensure rapid response to the evolving threat landscape, enabling real-time synchronous signature delivery through the Microsoft Active Protection System.

  • Samples reporting: Provides and reports samples to the Microsoft antimalware service to help refine the service and enable troubleshooting.

  • Exclusions: Allows application and service administrators to configure certain files, processes, and drives for exclusion from protection and scanning, for performance and other reasons.

  • Antimalware event collection: Records the antimalware service health, suspicious activities, and remediation actions taken in the operating system event log, and collects them into the customer's Azure storage account.

Azure SQL Database Threat Detection

Azure SQL Database Threat Detection is a new security intelligence feature built into the Azure SQL Database service. Working around the clock to learn, profile, and detect anomalous database activities, Azure SQL Database Threat Detection identifies potential threats to the database.

Security officers or other designated administrators can get an immediate notification about suspicious database activities as they occur. Each notification provides details of the suspicious activity and recommends how to further investigate and mitigate the threat.

Currently, Azure SQL Database Threat Detection detects potential vulnerabilities and SQL injection attacks, and anomalous database access patterns.

Upon receiving a threat-detection email notification, users can navigate to and view the relevant audit records through a deep link in the mail. The link opens an audit viewer or a preconfigured auditing Excel template that shows the relevant audit records around the time of the suspicious event, according to the following:

  • Audit storage for the database/server with the anomalous database activities.

  • The relevant audit storage table that was used at the time of the event to write the audit log.

  • Audit records of the hour immediately following the event occurrence.

  • Audit records with a similar event ID at the time of the event (optional for some detectors).

SQL Database threat detectors use one of the following detection methodologies:

  • Deterministic detection: Detects suspicious, rule-based patterns in the SQL client queries that match known attacks. This methodology has a high detection rate and a low false-positive rate, but limited coverage, because it falls within the category of "atomic detections."

  • Behavioral detection: Detects anomalous activity, that is, abnormal behavior in the database that was not seen during the most recent 30 days. Examples of anomalous SQL client activity include a spike of failed logins or queries, a high volume of data being extracted, unusual canonical queries, or unfamiliar IP addresses used to access the database.
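Added example (constructed, not the Azure SQL Database detector) showing the two methodologies side by side: a deterministic, rule-based check of the client query text, and a behavioral check of a window of audit records against a profile learned from 30 days of history (the client IPs seen, the largest result set seen, the worst hour of failed logins). The audit-record layout, the four rules, the burst multiplier and all addresses and queries are assumptions made for illustration.

```python
import re
from collections import Counter

# --- Deterministic detection: rule patterns matched against the client query text ---
# Constructed rules for illustration; they are not the Azure detector's signatures.
INJECTION_RULES = [
    # "OR 1=1" / "OR 'a'='a'": the same token on both sides of the comparison
    ("tautology", re.compile(r"\bor\b\s+('?)(\w+)\1\s*=\s*\1\2\1", re.I)),
    # a string literal closed and the rest of the statement commented out
    ("comment-terminator", re.compile(r"'\s*(--|/\*)")),
    ("union-based", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|alter|exec|xp_)\w*", re.I)),
]


def deterministic_matches(query: str) -> list[str]:
    """Names of the rules the query text matches: high precision, narrow coverage."""
    return [name for name, pattern in INJECTION_RULES if pattern.search(query)]


# --- Behavioral detection: a window of activity compared with a baseline profile ---
def build_profile(history: list[dict]) -> dict:
    """Learn what 'normal' looked like over the history (30 days in the constructed sample)."""
    failed_per_hour = Counter(r["ts"] for r in history if not r["login_ok"])
    return {
        "known_ips": {r["ip"] for r in history},
        "max_rows": max(r["rows"] for r in history),
        "max_failed_per_hour": max(failed_per_hour.values(), default=0),
    }


def detect(window: list[dict], profile: dict, burst_factor: int = 5) -> list[dict]:
    """Flag records that deviate from the profile or match an injection rule.
    burst_factor (assumed) is how far above the historical maximum counts must go."""
    alerts = []
    for ip in {r["ip"] for r in window} - profile["known_ips"]:
        alerts.append({"type": "unfamiliar_ip", "detail": ip})
    failed_per_hour = Counter(r["ts"] for r in window if not r["login_ok"])
    for hour, count in failed_per_hour.items():
        if count > burst_factor * max(profile["max_failed_per_hour"], 1):
            alerts.append({"type": "failed_login_burst", "detail": f"{count} failed logins in {hour}"})
    for r in window:
        if r["rows"] > burst_factor * profile["max_rows"]:
            alerts.append({"type": "data_volume", "detail": f"{r['rows']} rows returned to {r['ip']}"})
        for rule in deterministic_matches(r["query"]):
            alerts.append({"type": "sql_injection", "detail": f"rule {rule!r} matched: {r['query']}"})
    return alerts


# --- Constructed audit records (not real data): ts is the hour bucket, ip the client address ---
def constructed_history() -> list[dict]:
    """30 days of ordinary activity: two app servers, modest row counts, a rare failed login."""
    history = []
    for day in range(1, 31):
        history.append({"ts": f"2019-03-{day:02d}T09", "ip": "10.0.0.5", "login_ok": True,
                        "rows": 100 + (day * 7) % 300,
                        "query": "SELECT id, total FROM orders WHERE customer_id = @p1"})
        history.append({"ts": f"2019-03-{day:02d}T09", "ip": "10.0.0.6", "login_ok": day % 10 != 0,
                        "rows": 0, "query": ""})
    return history


CONSTRUCTED_WINDOW = (
    # six failed logins within one hour from an address the history has never seen
    [{"ts": "2019-03-31T02", "ip": "203.0.113.9", "login_ok": False, "rows": 0, "query": ""}] * 6
    # then a successful login, a tautology query, and a result set far larger than any seen before
    + [{"ts": "2019-03-31T02", "ip": "203.0.113.9", "login_ok": True, "rows": 48000,
        "query": "SELECT name, email FROM users WHERE id = '1' OR 'a'='a' --"}]
    # and one ordinary query from a known app server
    + [{"ts": "2019-03-31T02", "ip": "10.0.0.5", "login_ok": True, "rows": 140,
        "query": "SELECT id, total FROM orders WHERE customer_id = @p1"}]
)


def run_sample() -> list[dict]:
    """Profile the constructed history and run the constructed window against it."""
    return detect(CONSTRUCTED_WINDOW, build_profile(constructed_history()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["type"], "-", alert["detail"])
```

The ordinary query from 10.0.0.5 raises nothing, while the unfamiliar address produces one behavioral alert for each signal the bullet lists (unknown IP, failed-login spike, data extraction volume) plus two deterministic hits on the same query, which is the "high detection, low false positive, limited coverage" trade-off of the rule-based path: a tautology written in a form the rules do not anticipate would only be caught by the behavioral path.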

Application Gateway Web Application Firewall

Web Application Firewall (WAF) is a feature of Azure Application Gateway that provides protection to web applications that use an application gateway for standard application delivery control functions. Web Application Firewall does this by protecting them against most of the Open Web Application Security Project (OWASP) top 10 common web vulnerabilities.

Figure: Application Gateway Web Application Firewall diagram

Protections include:

  • SQL injection protection.

  • Cross-site scripting protection.

  • Common web attack protection, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion attacks.

  • Protection against HTTP protocol violations.

  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers.

  • Prevention against bots, crawlers, and scanners.

  • Detection of common application misconfigurations (for example, in Apache, IIS, and so on).

Configuring WAF at your application gateway provides the following benefits:

  • Protects your web application from web vulnerabilities and attacks without modification of the back-end code.

  • Protects multiple web applications at the same time behind an application gateway. An application gateway supports hosting up to 20 websites.

  • Monitors web applications against attacks by using real-time reports that are generated by application gateway WAF logs.

  • Helps meet compliance requirements. Certain compliance controls require all internet-facing endpoints to be protected by a WAF solution.

Anomaly Detection API: Built with Azure Machine Learning

The Anomaly Detection API is useful for detecting a variety of anomalous patterns in your time series data. The API assigns an anomaly score to each data point in the time series, which can be used for generating alerts, monitoring through dashboards, or connecting with your ticketing systems.

The Anomaly Detection API can detect the following types of anomalies in time series data:

  • Spikes and dips: When you're monitoring the number of login failures to a service or the number of checkouts in an e-commerce site, unusual spikes or dips could indicate security attacks or service disruptions.

  • Positive and negative trends: When you're monitoring memory usage in computing, shrinking free memory size indicates a potential memory leak. For service queue length monitoring, a persistent upward trend might indicate an underlying software issue.

  • Level changes and changes in the dynamic range of values: Level changes in the latencies of a service after a service upgrade, or lower levels of exceptions after an upgrade, can be interesting to monitor.

The machine learning-based API enables:

  • Flexible and robust detection: The anomaly detection models allow users to configure sensitivity settings and detect anomalies among seasonal and non-seasonal data sets. Users can adjust the anomaly detection model to make the detection API less or more sensitive according to their needs. This means detecting the less or more visible anomalies in data with and without seasonal patterns.

  • Scalable and timely detection: The traditional way of monitoring, with preset thresholds set from experts' domain knowledge, is costly and does not scale to millions of dynamically changing data sets. The anomaly detection models in this API are learned, and the models are tuned automatically from both historical and real-time data.

  • Proactive and actionable detection: Slow trend and level change detection can be applied for early anomaly detection. The early abnormal signals that are detected can be used to direct humans to investigate and act on the problem areas. In addition, root cause analysis models and alerting tools can be developed on top of this anomaly detection API service.
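
The scoring the API performs (a score per data point, with spikes, dips and level changes as the interesting outcomes) in a small self-contained form. This is an added example, not the Azure service's code or algorithm; the median/MAD scoring, the thresholds, the `persist` rule for telling a level change from a spike, and the constructed hourly login-failure series are all assumptions chosen for illustration.

```python
# Added example, not code from the Azure Anomaly Detection API: a toy scorer that
# assigns an anomaly score to every point and separates spikes/dips from level changes.
from statistics import median
from typing import List, Sequence, Tuple

# Constructed sample: hourly login-failure counts for one day. Baseline ~10-14/hour,
# a one-hour burst at hour 8, a sustained higher level from hour 16 (e.g. a stuck client).
LOGIN_FAILURES = [12, 11, 13, 10, 12, 14, 11, 13,
                  95, 12, 11, 13, 12, 10, 14, 12,
                  40, 42, 39, 41, 43, 40, 42, 41]


def robust_z(value: float, window: Sequence[float]) -> float:
    """Deviation of `value` from the window in robust sigmas. Median/MAD instead of
    mean/stdev, so an earlier spike inside the window cannot inflate the baseline and
    hide the next anomaly; 1.4826 scales MAD to sigma, a flat window falls back to 1."""
    med = median(window)
    mad = median(abs(x - med) for x in window) or 1.0
    return (value - med) / (1.4826 * mad)


def classify(series: Sequence[float], window: int = 8, z_thresh: float = 6.0,
             persist: int = 3) -> List[Tuple[float, str]]:
    """(score, label) per point: warmup, normal, spike, dip or level_change.
    A breach is a level change when the next `persist` points also breach on the same
    side of the *same* pre-shift baseline; at the series end, where that cannot be
    checked yet, it stays a spike/dip."""
    out: List[Tuple[float, str]] = []
    for i, value in enumerate(series):
        if i < window:                       # not enough history to score against
            out.append((0.0, "warmup"))
            continue
        hist = series[i - window:i]
        z = robust_z(value, hist)
        if abs(z) < z_thresh:
            out.append((round(z, 2), "normal"))
            continue
        nxt = [robust_z(f, hist) for f in series[i + 1:i + 1 + persist]]
        sustained = len(nxt) == persist and all(
            abs(n) >= z_thresh and (n > 0) == (z > 0) for n in nxt)
        label = "level_change" if sustained else ("spike" if z > 0 else "dip")
        out.append((round(z, 2), label))
    return out


def alert_hours(series: Sequence[float], **kw) -> List[Tuple[int, str]]:
    """Indices and labels of every point worth an alert (not warmup/normal)."""
    return [(i, lab) for i, (_, lab) in enumerate(classify(series, **kw))
            if lab not in ("warmup", "normal")]
```

Lowering `z_thresh` plays the role of the sensitivity setting described above: more points breach, at the cost of more alerts on ordinary variation.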

The anomaly detection API is an effective and efficient solution for a wide range of scenarios, such as service health and KPI monitoring, IoT, performance monitoring, and network traffic monitoring. Here are some popular scenarios where this API can be useful:

  • IT departments need tools to track events, error codes, usage logs, and performance (CPU, memory, and so on) in a timely manner.

  • Online commerce sites want to track customer activities, page views, clicks, and so on.

  • Utility companies want to track consumption of water, gas, electricity, and other resources.

  • Facility or building management services want to monitor temperature, moisture, traffic, and so on.

  • IoT/manufacturers want to use sensor data in time series to monitor workflow, quality, and so on.

  • Service providers, such as call centers, need to monitor service demand trends, incident volume, wait queue length, and so on.

  • Business analytics groups want to monitor abnormal movement of business KPIs (such as sales volume, customer sentiment, or pricing) in real time.

Cloud App Security

Cloud App Security is a critical component of the Microsoft Cloud Security stack. It's a comprehensive solution that can help your organization as you move to take full advantage of the promise of cloud applications. It keeps you in control, through improved visibility into activity. It also helps increase the protection of critical data across cloud applications.

With tools that help uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats, your organization can more safely move to the cloud while maintaining control of critical data.

  • Discover: Uncover shadow IT with Cloud App Security. Gain visibility by discovering apps, activities, users, data, and files in your cloud environment. Discover third-party apps that are connected to your cloud.

  • Investigate: Investigate your cloud apps by using cloud forensics tools to deep-dive into risky apps, specific users, and files in your network. Find patterns in the data collected from your cloud. Generate reports to monitor your cloud.

  • Control: Mitigate risk by setting policies and alerts to achieve maximum control over network cloud traffic. Use Cloud App Security to migrate your users to safe, sanctioned cloud app alternatives.

  • Protect: Use Cloud App Security to sanction or prohibit applications, enforce data loss prevention, control permissions and sharing, and generate custom reports and alerts.

Cloud App Security diagram

Cloud App Security integrates visibility with your cloud by:

  • Using Cloud Discovery to map and identify your cloud environment and the cloud apps your organization is using.

  • Sanctioning and prohibiting apps in your cloud.

  • Using easy-to-deploy app connectors that take advantage of provider APIs, for visibility and governance of the apps that you connect to.

  • Helping you keep continuous control by setting, and then continually fine-tuning, policies.

After collecting data from these sources, Cloud App Security runs sophisticated analysis on it. It immediately alerts you to anomalous activities, and gives you deep visibility into your cloud environment. You can configure a policy in Cloud App Security and use it to protect everything in your cloud environment.

Third-party advanced threat detection capabilities through the Azure Marketplace

Web Application Firewall

Web Application Firewall inspects inbound web traffic and blocks SQL injection, cross-site scripting, malware uploads, application DDoS attacks, and other attacks targeted at your web applications. It also inspects the responses from the back-end web servers for data loss prevention (DLP). The integrated access control engine enables administrators to create granular access control policies for authentication, authorization, and accounting (AAA), which gives organizations strong authentication and user control.

Web Application Firewall provides the following benefits:

  • Detects and blocks SQL injection, cross-site scripting, malware uploads, application DDoS, or any other attacks against your application.

  • Authentication and access control.

  • Scans outbound traffic to detect sensitive data, and can mask or block the information to prevent it from leaking out.

  • Accelerates the delivery of web application content, using capabilities such as caching, compression, and other traffic optimizations.

For examples of web application firewalls that are available in the Azure Marketplace, see Barracuda WAF, Brocade virtual web application firewall (vWAF), Imperva SecureSphere, and the ThreatSTOP IP firewall.

Next steps