Security Control: Incident Response

Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.

10.1: Create an incident response guide

Azure ID | CIS IDs | Responsibility
10.1 | 19.1, 19.2, 19.3 | Customer

Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling/management from detection to post-incident review.

10.2: Create an incident scoring and prioritization procedure

Azure ID | CIS IDs | Responsibility
10.2 | 19.8 | Customer

Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production, non-prod) using tags and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
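The prioritization procedure described above, as an added example that is not part of the benchmark, of Security Center, or of any Microsoft tooling: a Python script that ranks alerts by combining the severity Security Center assigns with the criticality of the affected resource, read from environment and data-classification tags. The tag names (`environment`, `dataclassification`), the weights, the P1 to P4 tiers, and the alert and tag records are all assumptions constructed for illustration; the alert shape is a simplification of what Security Center reports. The example also covers the failure mode this control implies: a resource with no tags is treated as production holding confidential data and flagged, rather than quietly dropping to the bottom of the queue.

```python
"""Incident scoring and prioritization for Security Center alerts.

Added example (not from the Azure Security Benchmark or Security Center):
score = severity weight x resource criticality, where criticality comes
from environment and data-classification tags. Tag names, weights, tiers,
alerts and tag data below are constructed for illustration.
"""
from dataclasses import dataclass

# Weight for the severity Security Center assigns to each alert.
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1, "informational": 0}

# Hypothetical tag names and values (assumed; use your own convention).
ENV_TAG, DATA_TAG = "environment", "dataclassification"
ENV_WEIGHT = {"production": 3, "non-prod": 1}
DATA_WEIGHT = {"confidential": 2, "internal": 1, "public": 0}

# Priority tiers by score, checked from highest threshold down.
TIERS = [(12, "P1"), (6, "P2"), (2, "P3"), (0, "P4")]


@dataclass
class Alert:
    name: str
    severity: str      # as reported by Security Center
    resource_id: str   # ARM resource ID of the affected resource


def subscription_of(resource_id):
    """Extract the subscription ID from an ARM resource ID ('' if absent)."""
    parts = resource_id.strip("/").split("/")
    return parts[parts.index("subscriptions") + 1] if "subscriptions" in parts else ""


def effective_tags(resource_id, resource_tags, subscription_tags):
    """Resource tags override subscription tags; names and values are
    lower-cased so 'Production' and 'production' compare equal."""
    merged = {k.lower(): v.lower() for k, v in
              subscription_tags.get(subscription_of(resource_id), {}).items()}
    merged.update({k.lower(): v.lower() for k, v in
                   resource_tags.get(resource_id, {}).items()})
    return merged


def resource_criticality(tags):
    """Criticality 1..5 from tags. Missing or unknown tags fall back to the
    most cautious value and are flagged, so an untagged asset is never
    silently deprioritized; the flag is itself a tagging-process finding."""
    notes = []
    env = tags.get(ENV_TAG)
    if env not in ENV_WEIGHT:
        notes.append(f"missing/unknown {ENV_TAG} tag, assuming production")
        env = "production"
    data = tags.get(DATA_TAG)
    if data not in DATA_WEIGHT:
        notes.append(f"missing/unknown {DATA_TAG} tag, assuming confidential")
        data = "confidential"
    return ENV_WEIGHT[env] + DATA_WEIGHT[data], notes


def score_alert(alert, resource_tags, subscription_tags):
    """Return (score, tier, notes) for one alert."""
    notes = []
    sev = SEVERITY_WEIGHT.get(alert.severity.lower())
    if sev is None:
        notes.append(f"unknown severity {alert.severity!r}, assuming High")
        sev = SEVERITY_WEIGHT["high"]
    crit, crit_notes = resource_criticality(
        effective_tags(alert.resource_id, resource_tags, subscription_tags))
    score = sev * crit
    tier = next(t for threshold, t in TIERS if score >= threshold)
    return score, tier, notes + crit_notes


def prioritize(alerts, resource_tags, subscription_tags):
    """Order alerts for investigation: highest score first, then by name."""
    scored = [(a,) + score_alert(a, resource_tags, subscription_tags) for a in alerts]
    return sorted(scored, key=lambda s: (-s[1], s[0].name))


# Constructed sample data (fake subscription IDs).
SUB_PROD = "00000000-0000-0000-0000-000000000001"
SUB_DEV = "00000000-0000-0000-0000-000000000002"
SUB_UNTAGGED = "00000000-0000-0000-0000-000000000003"


def rid(sub, rg, name):
    return (f"/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.Compute/virtualMachines/{name}")


SUBSCRIPTION_TAGS = {SUB_PROD: {"Environment": "Production"},
                     SUB_DEV: {"Environment": "Non-Prod"}}
RESOURCE_TAGS = {
    rid(SUB_PROD, "rg-payments", "vm-pay-01"): {"DataClassification": "Confidential"},
    rid(SUB_DEV, "rg-sandbox", "vm-dev-07"): {"DataClassification": "Public"},
    # vm-legacy-02 in SUB_UNTAGGED carries no tags at all.
}
ALERTS = [
    Alert("Suspicious process executed", "High", rid(SUB_DEV, "rg-sandbox", "vm-dev-07")),
    Alert("Suspicious SSH login", "Medium", rid(SUB_PROD, "rg-payments", "vm-pay-01")),
    Alert("Malware detected", "High", rid(SUB_PROD, "rg-payments", "vm-pay-01")),
    Alert("Possible credential dumping", "Low", rid(SUB_UNTAGGED, "rg-legacy", "vm-legacy-02")),
    Alert("Unusual traffic pattern", "Informational", rid(SUB_PROD, "rg-payments", "vm-pay-01")),
]

if __name__ == "__main__":
    for alert, score, tier, notes in prioritize(ALERTS, RESOURCE_TAGS, SUBSCRIPTION_TAGS):
        print(f"{tier} score={score:2d} {alert.severity:<13} {alert.name} "
              f"({alert.resource_id.rsplit('/', 1)[-1]})")
        for note in notes:
            print("     note:", note)
```

Run as-is, the High alert on the sandbox VM ranks below the Medium alert on the tagged production payments VM, and the untagged legacy VM surfaces with two notes asking for its tags to be fixed. Replace the constructed records with alerts pulled from Security Center and tags read from your subscriptions and resources to use the same scoring on live data.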

10.3: Test security response procedures

Azure ID | CIS IDs | Responsibility
10.3 | 19 | Customer

Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and revise the plan as needed.

10.4: Provide security incident contact details and configure alert notifications for security incidents

Azure ID | CIS IDs | Responsibility
10.4 | 19.5 | Customer

Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Next steps