Planning and operations guide

This guide is for information technology (IT) professionals, IT architects, information security analysts, and cloud administrators planning to use Azure Security Center.

Planning guide

This guide covers tasks that you can follow to optimize your use of Security Center based on your organization's security requirements and cloud management model. To take full advantage of Security Center, it is important to understand how different individuals or teams in your organization use the service to meet secure development and operations, monitoring, governance, and incident response needs. The key areas to consider when planning to use Security Center are:

  • Security roles and access controls

  • Security policies and recommendations

  • Data collection and storage

  • Ongoing security monitoring

  • Incident response

The next sections explain how to plan for each of these areas and apply the related recommendations based on your requirements.

Note

Read the Azure Security Center frequently asked questions (FAQ) for a list of common questions that can also be useful during the design and planning phase.

Security roles and access controls

Depending on the size and structure of your organization, multiple individuals and teams may use Security Center to perform different security-related tasks. The following diagram shows an example of fictitious personas and their respective roles and security responsibilities:

Roles

Security Center enables these individuals to meet these various responsibilities. For example:

Jeff (Workload Owner)

  • Manages a cloud workload and its related resources
  • Responsible for implementing and maintaining protections in accordance with company security policy

Ellen (CISO/CIO)

  • Responsible for all aspects of security for the company
  • Wants to understand the company's security posture across cloud workloads
  • Needs to be informed of major attacks and risks

David (IT Security)

  • Sets company security policies to ensure the appropriate protections are in place
  • Monitors compliance with policies
  • Generates reports for leadership or auditors

Judy (Security Operations)

  • Monitors and responds to security alerts 24/7
  • Escalates to the Cloud Workload Owner or IT Security Analyst

Sam (Security Analyst)

  • Investigates attacks
  • Works with the Cloud Workload Owner to apply remediation

Security Center uses Role-Based Access Control (RBAC), which provides built-in roles that can be assigned to users, groups, and services in Azure. When a user opens Security Center, they only see information related to resources they have access to. This means the user must hold the Owner, Contributor, or Reader role on the subscription or resource group that a resource belongs to. In addition to these roles, there are two Security Center-specific roles:

  • Security Reader: a user in this role can view Security Center configuration, including recommendations, alerts, policy, and health, but cannot make changes.
  • Security Admin: the same as Security Reader, but can also update the security policy and dismiss recommendations and alerts.

The Security Center roles described above do not grant access to other Azure service areas such as Storage, Web & Mobile, or Internet of Things.

Using the personas from the previous diagram, the following RBAC assignments are needed:

Jeff (Workload Owner)

  • Resource Group Owner/Contributor

Ellen (CISO/CIO)

  • Subscription Owner/Contributor or Security Admin

David (IT Security)

  • Subscription Owner/Contributor or Security Admin

Judy (Security Operations)

  • Subscription Reader or Security Reader to view alerts
  • Subscription Owner/Contributor or Security Admin required to dismiss alerts

Sam (Security Analyst)

  • Subscription Reader to view alerts
  • Subscription Owner/Contributor required to dismiss alerts
  • Access to the workspace may be required

Some other important points to consider:

  • Only subscription Owners/Contributors and Security Admins can edit a security policy.
  • Only subscription and resource group Owners and Contributors can apply security recommendations for a resource.

When planning access control using RBAC for Security Center, be sure to understand who in your organization will be using Security Center and what types of tasks they will perform, and then configure RBAC accordingly.

Note

We recommend that you assign the least permissive role needed for users to complete their tasks. For example, users who only need to view information about the security state of resources, but not take action such as applying recommendations or editing policies, should be assigned the Reader role.
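As an added example that is not part of the original article, the following Azure PowerShell script (Az.Resources module, authenticated with Connect-AzAccount) turns the persona table above into least-privilege role assignments and then lists every principal that can edit the security policy or dismiss alerts at subscription scope. The subscription ID, resource group name and user sign-in names are placeholders.

```powershell
# Added example, not from the original article. Assumes an authenticated Az session;
# the subscription id, resource group and sign-in names below are placeholders.
$subscriptionId    = "<subscription-id>"
$subscriptionScope = "/subscriptions/$subscriptionId"
$workloadRg        = "<workload-resource-group>"

# Persona -> role -> scope, following the guide's mapping.
$assignments = @(
    # Jeff (Workload Owner): manages one workload, so scope is its resource group only.
    @{ SignInName = "jeff@contoso.example";  Role = "Contributor";     Scope = "$subscriptionScope/resourceGroups/$workloadRg" }
    # Ellen (CISO/CIO) and David (IT Security): must edit policy and dismiss alerts.
    @{ SignInName = "ellen@contoso.example"; Role = "Security Admin";  Scope = $subscriptionScope }
    @{ SignInName = "david@contoso.example"; Role = "Security Admin";  Scope = $subscriptionScope }
    # Judy (Security Operations) and Sam (Security Analyst): view alerts only;
    # dismissing an alert is escalated to a Security Admin or subscription Owner/Contributor.
    @{ SignInName = "judy@contoso.example";  Role = "Security Reader"; Scope = $subscriptionScope }
    @{ SignInName = "sam@contoso.example";   Role = "Security Reader"; Scope = $subscriptionScope }
)

foreach ($a in $assignments) {
    # Idempotent: skip assignments that already exist at exactly this scope.
    $existing = Get-AzRoleAssignment -SignInName $a.SignInName -RoleDefinitionName $a.Role `
                                     -Scope $a.Scope -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzRoleAssignment -SignInName $a.SignInName -RoleDefinitionName $a.Role -Scope $a.Scope | Out-Null
        Write-Host "Assigned $($a.Role) to $($a.SignInName) at $($a.Scope)"
    }
}

# Audit: who can edit the security policy or dismiss alerts for this subscription?
# Per the guide that is subscription Owners/Contributors and Security Admins.
# Get-AzRoleAssignment -Scope also returns assignments inherited from management groups,
# which still grant these rights, so they are kept in the report.
$privilegedRoles = @("Owner", "Contributor", "Security Admin")
$privileged = Get-AzRoleAssignment -Scope $subscriptionScope |
    Where-Object { $_.RoleDefinitionName -in $privilegedRoles }
$privileged | Select-Object DisplayName, SignInName, RoleDefinitionName, Scope, ObjectType |
    Format-Table -AutoSize
```

Review the report for groups or service principals that hold Security Admin without a persona in the table; those are the candidates to move down to Security Reader.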

Security policies and recommendations

A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. In Security Center, you can define policies for your Azure subscriptions, tailored to the type of workload or the sensitivity of the data.

Security Center policies contain the following components:

  • Data collection: agent provisioning and data collection settings.
  • Security policy: an Azure Policy that determines which controls are monitored and recommended by Security Center; you can also use Azure Policy to create new definitions, define additional policies, and assign policies across management groups.
  • Email notifications: security contacts and notification settings.
  • Pricing tier: the free or standard pricing selection, which determines which Security Center features are available for resources in scope (can be specified for subscriptions, resource groups, and workspaces).

Note

Specifying a security contact ensures that Azure can reach the right person in your organization if a security incident occurs. Read Provide security contact details in Azure Security Center for more information on how to enable this recommendation.

Security policy definitions and recommendations

Security Center automatically creates a default security policy for each of your Azure subscriptions. You can edit the policy in Security Center, or use Azure Policy to create new definitions, define additional policies, assign policies across management groups (which can represent the entire organization, a business unit within it, and so on), and monitor compliance with these policies across those scopes.

Before configuring security policies, review each of the security recommendations and determine whether these policies are appropriate for your various subscriptions and resource groups. It is also important to understand what action should be taken to address security recommendations, and who in your organization will be responsible for monitoring for new recommendations and taking the needed steps.

Data collection and storage

Azure Security Center uses the Log Analytics agent (the same agent used by the Azure Monitor service) to collect security data from your virtual machines. Data collected by this agent is stored in your Log Analytics workspace(s).

Workspace

A workspace is an Azure resource that serves as a container for data. You or other members of your organization might use multiple workspaces to manage different sets of data collected from all or parts of your IT infrastructure.

Data collected by the Log Analytics agent (on behalf of Azure Security Center) is stored either in an existing Log Analytics workspace associated with your Azure subscription or in a new workspace, taking into account the geo of the VM.

In the Azure portal, you can browse to see a list of your Log Analytics workspaces, including any created by Azure Security Center. A related resource group is created for new workspaces. Both follow this naming convention:

  • Workspace: DefaultWorkspace-[subscription-ID]-[geo]
  • Resource Group: DefaultResourceGroup-[geo]

For workspaces created by Azure Security Center, data is retained for 30 days. For existing workspaces, retention is based on the workspace pricing tier. If you prefer, you can also use an existing workspace.

Note

Microsoft makes a strong commitment to protecting the privacy and security of this data. Microsoft adheres to strict compliance and security guidelines, from coding to operating a service. For more information about data handling and privacy, read Azure Security Center Data Security.

Ongoing security monitoring

After the initial configuration and application of Security Center recommendations, the next step is to consider Security Center operational processes.

The Security Center Overview provides a unified view of security across all your Azure resources and any non-Azure resources you have connected. The example below shows an environment with many issues to be addressed:

Dashboard

Note

Security Center will not interfere with your normal operational procedures; it passively monitors your deployments and provides recommendations based on the security policies you enabled.

When you first opt in to use Security Center for your current Azure environment, make sure that you review all recommendations, which can be done in the Recommendations tile or per resource type (Compute, Networking, Storage & data, Application).

Once you address all recommendations, the Prevention section should be green for all resources that were addressed. Ongoing monitoring at this point becomes easier, since you will only take action based on changes in the resource security health and recommendations tiles.

The Detection section is more reactive: these are alerts regarding issues that are either taking place now or occurred in the past and were detected by Security Center controls and third-party systems. The Security Alerts tile shows bar graphs that represent the number of alerts found each day and their distribution among the severity categories (low, medium, high). For more information about security alerts, read Managing and responding to security alerts in Azure Security Center.

Plan to visit the threat intelligence option as part of your daily security operations. There you can identify security threats against the environment, such as whether a particular computer is part of a botnet.

Monitoring for new or changed resources

Most Azure environments are dynamic, with resources regularly being created, spun up or down, reconfigured, and changed. Security Center helps ensure that you have visibility into the security state of these new resources.

When you add new resources (VMs, SQL DBs) to your Azure environment, Security Center automatically discovers them and begins to monitor their security. This also includes PaaS web roles and worker roles. If data collection is enabled in the security policy, additional monitoring capabilities are enabled automatically for your virtual machines.

Key areas

  1. For virtual machines, click Compute & apps under the Resource Security Hygiene section. Any issues with enabling data collection or related recommendations are surfaced in the Overview tab and the Monitoring Recommendations section.
  2. View the Recommendations to see what, if any, security risks were identified for the new resource.
  3. It is very common that when new VMs are added to your environment, only the operating system is initially installed. The resource owner might need some time to deploy the other apps that these VMs will run. Ideally, you should know the final intent of this workload. Is it going to be an application server? Based on what this new workload is going to be, you can enable the appropriate security policy, which is the third step in this workflow.
  4. As new resources are added to your Azure environment, new alerts may appear in the Security Alerts tile. Look for new alerts in this tile and follow the recommendations.

You should also regularly monitor existing resources for configuration changes that could have created security risks, drift from recommended baselines, and security alerts. Start at the Security Center dashboard. From there, you have three major areas to review on a consistent basis.

Operations

  1. The Prevention section panel provides quick access to your key resources. Use this option to monitor Compute, Networking, Storage & data, and Applications.
  2. The Recommendations panel enables you to review Security Center recommendations. During your ongoing monitoring, you may find that you don't have recommendations on a daily basis, which is normal if you addressed all recommendations during the initial Security Center setup. For this reason, you may not have new information in this section every day and will only need to access it as needed.
  3. The Detection section might change on either a very frequent or a very infrequent basis. Always review your security alerts and take action based on Security Center recommendations.

Hardening access and applications

As part of your security operations, you should also adopt preventative measures to restrict access to VMs and control the applications that run on them. By locking down inbound traffic to your Azure VMs, you reduce exposure to attacks while still providing easy access to connect to VMs when needed. Use the just-in-time VM access feature to harden access to your VMs.

You can use Adaptive Application Controls to limit which applications can run on your VMs in Azure. Among other benefits, this helps harden your VMs against malware. Using machine learning, Security Center analyzes the processes running in the VM to help you create allowlist rules.

Incident response

Security Center detects and alerts you to threats as they occur. Organizations should monitor for new security alerts and take action as needed to investigate further or remediate the attack. For more information on how Security Center threat protection works, read How Azure Security Center detects and responds to threats.

While this article is not intended to help you create your own incident response plan, it uses the Microsoft Azure Security Response in the Cloud lifecycle as the foundation for the incident response stages. The stages are shown in the following diagram:

Suspicious activity

Note

You can use the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide as a reference to help you build your own plan.

You can use Security Center alerts during the following stages:

  • Detect: identify a suspicious activity in one or more resources.
  • Assess: perform the initial assessment to obtain more information about the suspicious activity.
  • Diagnose: use the remediation steps to conduct the technical procedure to address the issue.

Each security alert provides information that can be used to better understand the nature of the attack and suggests possible mitigations. Some alerts also provide links to more information or to other sources of information within Azure. You can use the information provided for further research and to begin mitigation, and you can also search the security-related data stored in your workspace.

Next steps

In this document, you learned how to plan for Security Center adoption. To learn more about Security Center, see the following: