Security Control V2: Incident Response

Incident Response covers controls in the incident response life cycle - preparation, detection and analysis, containment, and post-incident activities. This includes using Azure services such as Azure Security Center to automate the incident response process.

IR-1: Preparation - update incident response process for Azure

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
IR-1     | 19                      | IR-4, IR-8

Ensure your organization has processes to respond to security incidents, has updated these processes for Azure, and is regularly exercising them to ensure readiness.

Responsibility: Customer

Customer Security Stakeholders:

IR-2: Preparation - set up incident notification

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
IR-2     | 19.5                    | IR-4, IR-5, IR-6, IR-8

Set up security incident contact information in Azure Security Center. Microsoft uses this contact information to reach you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alerts and notifications in different Azure services based on your incident response needs.

Responsibility: Customer

Customer Security Stakeholders:

IR-3: Detection and analysis - create incidents based on high-quality alerts

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
IR-3     | 19.6                    | IR-4, IR-5

Ensure you have a process to create high-quality alerts and to measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives.

High-quality alerts can be built from experience with past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.

Azure Security Center provides high-quality alerts across many Azure assets.

Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Alerts and recommendations can be exported either manually or in an ongoing, continuous fashion.

Responsibility: Customer

Customer Security Stakeholders:

IR-4: Detection and analysis - investigate an incident

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
IR-4     | 19                      | IR-4

Ensure analysts can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain and avoid blind spots. You should also ensure that insights and lessons learned are captured for other analysts and for future historical reference.

The data sources for investigation include the centralized logging sources already being collected from the in-scope services and running systems, but can also include:

  • Network data - use network security group flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information.

  • Snapshots of running systems:

    • Use the Azure virtual machine snapshot capability to create a snapshot of the running system's disk.

    • Use the operating system's native memory dump capability to create a snapshot of the running system's memory.

    • Use the snapshot feature of the Azure services or your software's own capability to create snapshots of the running systems.

  • Snapshot a Windows machine's disk

  • Snapshot a Linux machine's disk

Responsibility: Customer

Customer Security Stakeholders:

IR-5: Detection and analysis - prioritize incidents

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
IR-5     | 19.8                    | CA-2, IR-4

Provide context to analysts on which incidents to focus on first, based on alert severity and asset sensitivity.

Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or in the analytic used to issue the alert, as well as its confidence that there was malicious intent behind the activity that led to the alert.

Additionally, mark resources with tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
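As an added example (not part of the benchmark and not Security Center's own scoring), the following Python script orders exported alerts for analysts using the three inputs this control and IR-3 describe: the severity Security Center assigns, the sensitivity recorded in a resource tag or implied by a naming convention, and the true-positive rate of each analytic measured from past incidents, so a noisy analytic is demoted. The DataClassification tag name, the "-prod-" naming rule, the weights and all sample alerts, tags and incident outcomes are constructed assumptions.

```python
# Added example, not Microsoft's code: order Security Center alerts for analysts by alert
# severity (IR-5), resource sensitivity from tags or naming (IR-5), and each analytic's
# true-positive rate measured from past incidents (IR-3). Weights are assumptions.
from collections import Counter

SEVERITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
CLASSIFICATION_WEIGHT = {"Highly Confidential": 3, "Confidential": 2, "General": 1}

# Constructed sample data: resource tags from the inventory, outcomes of past incidents,
# and a simplified shape of alerts exported from Security Center.
RESOURCE_TAGS = {
    "vm-prod-db01": {"DataClassification": "Highly Confidential"},
    "vm-dev-web02": {"DataClassification": "General"},
    "st-prod-logs": {},  # untagged: sensitivity falls back to the naming convention
}
PAST_INCIDENTS = [  # (analytic, was it a true positive?)
    ("Suspicious PowerShell", True), ("Suspicious PowerShell", True),
    ("Suspicious PowerShell", False), ("Unusual login location", True),
    ("Unusual login location", False), ("Unusual login location", False),
    ("Unusual login location", False),
]
ALERTS = [
    {"id": "a1", "analytic": "Suspicious PowerShell", "severity": "High", "resource": "vm-prod-db01"},
    {"id": "a2", "analytic": "Unusual login location", "severity": "High", "resource": "vm-prod-db01"},
    {"id": "a3", "analytic": "Malware detected", "severity": "Medium", "resource": "vm-dev-web02"},
    {"id": "a4", "analytic": "Suspicious PowerShell", "severity": "Low", "resource": "st-prod-logs"},
]

def analytic_precision(incidents):
    """Per-analytic true-positive rate, Laplace-smoothed so an analytic with no history scores 0.5."""
    total, true_pos = Counter(), Counter()
    for analytic, was_true_positive in incidents:
        total[analytic] += 1
        true_pos[analytic] += int(was_true_positive)
    return {a: (true_pos[a] + 1) / (total[a] + 2) for a in total}

def resource_sensitivity(name, tags):
    """Weight from the DataClassification tag; untagged resources use the assumed '-prod-' naming rule."""
    weight = CLASSIFICATION_WEIGHT.get(tags.get("DataClassification"))
    return weight if weight else (2 if "-prod-" in name else 1)

def prioritize(alerts, resource_tags, incidents):
    """Return (alert id, score) pairs, highest priority first; a noisy analytic is demoted."""
    precision = analytic_precision(incidents)
    scored = []
    for alert in alerts:
        sev = SEVERITY_WEIGHT.get(alert["severity"], 0)
        sens = resource_sensitivity(alert["resource"], resource_tags.get(alert["resource"], {}))
        scored.append((alert["id"], round(sev * sens * precision.get(alert["analytic"], 0.5), 2)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)
```

With the sample data, the high-severity "Unusual login location" alert on the production database ranks below the "Suspicious PowerShell" alert on the same host because three of its four past occurrences were false positives.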

Responsibility: Customer

Customer Security Stakeholders:

IR-6: Containment, eradication and recovery - automate the incident handling

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
IR-6     | 19                      | IR-4, IR-5, IR-6

Automate manual, repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which raises the risk of human error that causes delays and degrades the ability of analysts to focus effectively on complex tasks.

Responsibility: Customer

Customer Security Stakeholders: