Security Center provides all-round security checks and protection capabilities to your assets deployed on Alibaba Cloud, multi-cloud environments, and data centers. Security Center provides the following editions: Basic, Anti-virus, Advanced, Enterprise, Ultimate, and Value-added Plan. This topic describes the features provided by Security Center and the differences in the features among these editions.
If you require only the value-added features of Security Center, you can purchase the Value-added Plan edition of Security Center. The value-added features include web tamper proofing and anti-ransomware. You are charged only for the selected value-added features when you use the Value-added Plan edition. This edition provides the same basic services as the Basic edition.
The following symbols are used in the tables of this topic:
Value-added: indicates a value-added feature. You can use value-added features by enabling them when you purchase or upgrade Security Center.
Pricing
Billable item | Basic | Anti-virus | Advanced | Enterprise | Ultimate | Value-added Plan | |
Basic service fees | Free | USD 1 per core-month | USD 9.5 per server-month | USD 23.5 per server-month | USD 23.5 per server-month + USD 1 per core-month | Free | |
Value-added service fees | Vulnerability Fixing | Not supported | USD 0.3 per time-month (The minimum quota that you can purchase is 20.) | No additional fees are generated. | USD 0.3 per time-month (The minimum quota that you can purchase is 20.) | ||
Application protection | Not supported | The fee varies based on the quota for application protection that you purchase and is calculated by tier. | |||||
Web tamper proofing | Not supported | USD 165 per server-month | |||||
Threat analysis | Not supported | USD 0.44 per GB-month | |||||
Anti-ransomware | Not supported | USD 0.045 per GB-month | |||||
Log analysis | Not supported | USD 0.1 per GB-month | Not supported | ||||
Container image scan | Not supported | Not supported | USD 0.3 per image-month | ||||
Cloud honeypot | Not supported | USD 333.33 per probe-month (The minimum number of probes that you can purchase is 20.) Note You are charged for cloud honeypot based on the number of probes. | |||||
Configuration assessment | Not supported | USD 0.002 per time-month for each check item on an instance (The minimum quota that you can purchase is 1,000.) Note An instance refers to the instance of a specific network device or an application, such as an Object Storage Service (OSS) bucket or an Elastic Compute Service (ECS) security group. For more information, see Configuration assessment. | |||||
SDK for malicious file detection | Not supported | USD 1.5 per 10,000 detections-month (The minimum quota that you can purchase is 100,000.) Note You are charged based on the number of times that files are detected. | |||||
Subscription duration | Unlimited | Monthly subscription supported |
On July 21, 2022, the basic service fees for Security Center Ultimate were changed from USD 3 per core-month to USD 23.5 per server-month + USD 1 per core-month. You can no longer purchase the product expert service, but you can still renew a product expert service that you already purchased.
If you purchased Security Center Ultimate before July 21, 2022, you are charged based on the original prices when you renew, upgrade, or downgrade Security Center.
Starting from July 21, 2022, the new basic service fees for Security Center Ultimate apply when you purchase Security Center Ultimate or upgrade Security Center to the Ultimate edition. Basic service fees = USD 23.5 per server-month + USD 1 per core-month.
Overview
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center evaluates your assets and assigns a security score that provides a reference on the security of your assets. |
Assets
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center provides an overview of your cloud assets, and allows you to view network topology, security score, and security risks. Security Center also provides a unified portal where you can manage your cloud assets. | ||||||
Security Center provides a GUI that simplifies the management of your assets such as clusters, containers, images, and applications. Security Center also displays the network topology of your container assets. This gives you a bird's-eye view of the security status of your containers and the network connections between them. | ||||||
Security Center displays security information about each protected server. The information includes the risk status, group, region, and virtual private cloud (VPC). | ||||||
Security Center collects the following types of server fingerprints: accounts, ports, and processes. | ||||||
After you perform a quick check task, Security Center performs checks such as vulnerability detection and baseline checks on specified servers based on your configurations. | ||||||
Security Center provides the security statistics of your clusters, pods, containers, and images. | ||||||
Security Center displays the security information about cloud services. The information includes at-risk cloud services and their service types. The service types include Server Load Balancer (SLB) and ApsaraDB RDS. | ||||||
Security Center displays security information about each protected website. The information includes the root domain, subdomains, risk status, and alerts. |
Risk Management
Exposure Analysis
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center visualizes the communication links between your Elastic Compute Service (ECS) instances and the Internet. Security Center also provides a unified portal to display the vulnerabilities of your ECS instances that are exposed on the Internet as well as the suggestions for handling them. You can quickly identify the exposures of your assets on the Internet. |
Vulnerabilities
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center compares software versions by using the matching engine of Open Vulnerability and Assessment Language (OVAL). Security Center generates alerts when the Linux software vulnerabilities that are recorded in the Common Vulnerabilities and Exposures (CVE) database are detected in the current version. | Only automatic detection is supported. | Only automatic detection is supported. | ||||
Security Center supports the automatic fixing of vulnerabilities and automatic creation of snapshots. This allows you to undo fixes by using snapshots. | Value-added | |||||
Security Center obtains Microsoft updates for Windows operating systems, detects high-risk vulnerabilities, and generates alerts for these vulnerabilities. | Only automatic detection is supported. | Only automatic detection is supported. | ||||
Security Center automatically identifies pre-patches that are used to fix vulnerabilities to prevent failures caused by the lack of the required pre-patches. This allows you to fix Windows vulnerabilities with a few clicks. Security Center also generates alerts for vulnerabilities that require a system restart after the vulnerabilities are fixed. This allows you to fix Windows system vulnerabilities in an efficient manner. | Value-added | |||||
Security Center monitors web directories, recognizes common website builders, and checks the vulnerability database to identify vulnerabilities in website builders. | Only automatic detection is supported. | Only automatic detection is supported. | ||||
Security Center uses patches developed by Alibaba Cloud to replace and modify source code. This allows you to fix vulnerabilities with a few clicks. | ||||||
Security Center detects urgent vulnerabilities when they are made public. Security Center does not support automatic fixing of urgent vulnerabilities. You must follow the instructions provided by Security Center to manually fix the vulnerabilities. | ||||||
Security Center detects weak passwords for system services and vulnerabilities in system services and applications. | ||||||
Security Center allows you to run quick scan tasks on your assets to detect vulnerabilities in real time. | Only urgent vulnerabilities can be detected. | |||
Entry point to vulnerabilities that require immediate fixing | Security Center provides a centralized entry point for you to view and fix all vulnerabilities with high priorities. | |||||
YUM/APT Source Configuration | Security Center allows you to preferentially use YUM or APT sources maintained by Alibaba Cloud to fix vulnerabilities. After you turn on YUM/APT Source Configuration, Security Center automatically selects YUM or APT sources maintained by Alibaba Cloud. This improves the success rate of vulnerability fixing. Note Before you fix a Linux software vulnerability, you must specify a valid YUM or APT source. If you specify an invalid YUM or APT source, the vulnerability fails to be fixed. |
Baseline Check
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center dispatches tasks to check server configurations. Security Center generates alerts when configuration risks are detected. Security Center allows you to specify check items, detection intervals, and servers to create custom check policies. Custom check scripts are not supported. Security Center allows you to customize weak password rules. Security Center checks the configurations of your cloud services by using the check policy that you specify. Security Center generates alerts when weak passwords are detected. | Only weak passwords can be detected. | |||||
Security Center performs security checks on the baseline configurations of containers. Security Center also generates alerts for the detected risks. | ||||||
Security Center mitigates risks that are detected from the baseline checks on Alibaba Cloud security and classified protection compliance. |
Config Assessment
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center detects configuration errors and security risks on cloud services from the following dimensions: identity and permission management, security risks in Alibaba Cloud services, and compliance risks. This ensures the security of the running environment of your cloud services. Note Starting July 7, 2023, you are charged for the configuration assessment feature based on the number of scans. For more information, see Billing overview. If you were able to use the feature before July 7, 2023, you can continue to use some of the check items for configuration assessment free of charge until your Security Center expires and is released. You can view which check items you can use for free in the Security Center console. If you want to use other check items, you must purchase the quota for configuration assessment. For more information, see Use the configuration assessment feature. |
AK leak detection
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center monitors code hosting platforms such as GitHub in real time to detect AccessKey leaks of Alibaba Cloud assets in source code. |
Cloud Honeypot
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center provides capabilities such as attack discovery and defense within and outside the cloud. You can create honeypots in VPCs and servers that are protected by Security Center. This protects the servers from attacks that are launched within and outside the cloud and reinforces the security of the servers. | Value-added | Value-added | Value-added | Value-added |
SDK for malicious file detection
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
SDK for malicious file detection is supported. The SDK provides the following capabilities: | Value-added | Value-added | Value-added | Value-added |
Detection and Response
Alerts
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Suspicious process | Security Center traces intrusion sources based on real attack-defense scenarios in the cloud and creates a process whitelist. Security Center generates alerts when unauthorized processes or intrusion attacks are detected. Security Center builds approximately 1,000 process patterns for hundreds of processes and compares the processes against these patterns to detect suspicious processes. | |||||
Webshell | Security Center supports detection of website script files, such as PHP, ASP, and JSP files, based on both servers and networks. Security Center performs the following detection: | Only some webshells can be detected. | ||||
Security Center also supports webshell detection and removal, which allows you to manually quarantine detected webshell files. Files that are quarantined can be restored within 30 days. | ||||||
Unusual logon | Security Center provides basic detection services. | |||||
Security Center provides advanced detection services. | ||||||
Sensitive file tampering | Security Center monitors sensitive directories and files, and generates alerts when suspicious read, write, or delete operations are detected. | |||||
Malicious process (cloud threat detection) | Security Center scans processes on a regular basis, monitors process startups, and detects viruses and trojans by using the cloud threat detection mechanism. You can terminate malicious processes and manually quarantine malicious files with a few clicks in the Security Center console. | |||||
Suspicious network connection | Security Center monitors connections on servers and networks. Security Center generates alerts when suspicious connections are detected. | |||||
Other features | Security Center performs the following detection: | |||||
Abnormal account | Security Center detects suspicious accounts that attempt to log on to your system based on user behavior analysis. | |||||
Intrusion into applications | Security Center detects intrusion into applications, such as SQL Server. | |||||
Cloud threat detection | Security Center detects unusual use of cloud services based on user behavior analysis. For example, an attacker uses your AccessKey pair to purchase a large number of ECS instances for data mining. | |||||
Precision defense | Security Center automatically blocks common Internet viruses, such as ransomware, DDoS trojans, mining and trojan programs, malicious programs, webshells, and computer worms. | |||||
Persistent webshell | Security Center detects persistent webshells on servers. After an attacker gains control over a server, the attacker typically places webshells, such as scripts, processes, and links, to persistently exploit the intrusion. Common persistent webshells include crontab jobs, automatic tasks, and system replacement files. | |||||
Web application threat detection | Security Center detects intrusion activities that use web applications. | |||||
Malicious script | Security Center detects malicious scripts on servers. Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts to carry out the actual attack. For example, the attacker may insert mining programs and webshells, and add administrator accounts to your system. Languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript. | |||||
Threat detection during container runtime | Security Center detects threats to Container Service for Kubernetes in real time. The threats include viruses and malicious programs in containers or on hosts, intrusion into containers, and container escapes. Security Center also generates alerts for these threats and warnings for high-risk operations. Security Center detects the threats to containers and generates alerts for detected threats. | |||||
Security Center archives alerts that were handled more than 30 days ago and allows you to download the archived alerts. This facilitates event tracing and audit. |
Threat Analysis
The threat analysis feature allows you to manage security information and events of multiple cloud services that belong to different Alibaba Cloud accounts. The cloud services include Cloud Firewall and VPC. The feature allows you to focus on events and identifies unknown threats. The feature also provides various context and tracing information, and supports one-click event handling to improve operational efficiency on events. For more information, see Overview of threat analysis.
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Service Integration | This feature allows you to add the security information of multiple cloud services to threat analysis. The cloud services include Security Center, Cloud Firewall, SLB, and VPC. | Value-added | Value-added | Value-added | Value-added | |
Rule management | This feature provides various system rules to generate alerts and events when threats are detected. This feature also allows you to configure custom rules. | |||||
SOAR | This feature orchestrates and connects different systems and services based on specific logic. This feature supports automated orchestration and quick response during security O&M and helps enterprises improve the efficiency of responses to security events. | |||||
Incidents Management | This feature analyzes collected security information, displays detected security events, and provides suggestions on handling the events. | |||||
Alerts | This feature displays the aggregated alert data of multiple accounts and cloud services. You can view alerts in a centralized manner. | |||||
Log Analysis | This feature allows you to search for and view the aggregated logs of multiple accounts and cloud services. |
Attack Awareness
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center displays the details of web attacks and brute-force attacks on your server. Security Center traces the attacker IP addresses and identifies the weaknesses that the attacks target. |
Log Analysis
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center allows you to retrieve and analyze raw logs, including process startup logs, outbound connection logs, system logon logs, 5-tuple logs, DNS request logs, security logs, and alert logs. Note Security Center Enterprise and Security Center Ultimate support 16 subtypes of logs. Security Center Anti-virus and Security Center Advanced support only 12 subtypes of host logs and security logs. Security Center Anti-virus and Security Center Advanced do not support network logs. | Value-added | Value-added | Value-added | Value-added |
Host Protection
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
The agentless detection feature uses agentless technology to scan for and detect security risks on ECS instances, so you do not need to install the Security Center agent. | ||||||
The anti-ransomware feature allows you to back up and restore data on your servers and databases. This protects your servers and databases from ransomware. | Value-added | Value-added | Value-added | Value-added | ||
The security experts of Security Center conduct automated analysis on persistence and attack methods based on a large number of persistent virus samples. Then, the security experts release an engine that can detect and remove viruses based on machine learning results. You can use the engine to detect and remove viruses with a few clicks. | ||||||
Security Center monitors website directories and restores maliciously modified files or directories by using backups. Security Center protects websites from malicious modification, trojans, hidden links, and insertion of violence or pornography content. | Value-added | Value-added | Value-added | Value-added | ||
The malicious behavior defense feature provides system rules and allows you to create custom defense rules. You can use the rules to enhance the security of your servers. | ||||||
The feature of defense against brute-force attacks allows you to configure a defense rule to protect your servers from brute-force attacks. If the number of logon failures from an IP address to the same server exceeds a specified limit during a specified statistical period, the IP address is blocked. | ||||||
Security Center allows you to specify approved logon locations, IP addresses, time ranges, and accounts to identify unusual logons that may be initiated by attackers. | Only approved logon locations can be specified. | Only approved logon locations can be specified. |
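The brute-force defense rule described in the table above (an IP address is blocked once its logon failures against the same server exceed a limit within a statistical period) in runnable form, as an added example that is not Security Center's own code: it replays constructed sshd-style log lines through a sliding-window counter keyed by (source IP, server) and reports the blocks the rule would impose. The log line format, server names, IP addresses and the thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class BruteForceRule:
    """Sliding-window form of the rule: once a source IP exceeds max_failures
    logon failures against one server within `period`, that IP is blocked for
    that server for `block_duration`. The key is the pair (IP, server), so
    failures against other servers are counted separately."""

    def __init__(self, max_failures, period, block_duration):
        self.max_failures = max_failures
        self.period = period
        self.block_duration = block_duration
        self._window = defaultdict(deque)  # (ip, server) -> recent failure times
        self.blocked = {}                  # (ip, server) -> block expiry (datetime)

    def is_blocked(self, ts, src_ip, server_id):
        """True while a block for (src_ip, server_id) is still in force at ts."""
        until = self.blocked.get((src_ip, server_id))
        if until is None:
            return False
        if ts >= until:
            del self.blocked[(src_ip, server_id)]  # block has expired
            return False
        return True

    def observe_failure(self, ts, src_ip, server_id):
        """Record one logon failure; return True only when it triggers a block."""
        key = (src_ip, server_id)
        if self.is_blocked(ts, src_ip, server_id):
            return False  # already blocked, nothing new to decide
        window = self._window[key]
        window.append(ts)
        # Drop failures that have fallen out of the statistical period.
        while ts - window[0] > self.period:
            window.popleft()
        if len(window) > self.max_failures:
            self.blocked[key] = ts + self.block_duration
            window.clear()
            return True
        return False


def parse_failure(line):
    """Parse one constructed sshd-style line of the form
    '<ISO time> <server> sshd: Failed password for <user> from <ip>'.
    Returns None for lines that are not logon failures."""
    ts_text, server_id, rest = line.split(" ", 2)
    if "Failed password" not in rest:
        return None
    src_ip = rest.rsplit(" from ", 1)[1].strip()
    return datetime.fromisoformat(ts_text), src_ip, server_id


def analyze(log_text, max_failures=5, period_minutes=10, block_hours=6):
    """Replay log lines through the rule. Returns (blocks, rule), where blocks
    lists (ip, server, blocked_at, blocked_until) as ISO-8601 strings."""
    rule = BruteForceRule(max_failures, timedelta(minutes=period_minutes),
                          timedelta(hours=block_hours))
    blocks = []
    for line in log_text.strip().splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, src_ip, server_id = parsed
        if rule.observe_failure(ts, src_ip, server_id):
            until = rule.blocked[(src_ip, server_id)]
            blocks.append((src_ip, server_id, ts.isoformat(), until.isoformat()))
    return blocks, rule


# Constructed sample log (not real data): 10.0.0.5 hammers srv-a six times in
# under two minutes, touches srv-b only three times, and 198.51.100.7 fails
# slowly enough (every 8 minutes) that a 10-minute window never fills.
SAMPLE_LOG = """
2024-05-01T08:00:00 srv-a sshd: Failed password for root from 10.0.0.5
2024-05-01T08:00:00 srv-a sshd: Failed password for admin from 198.51.100.7
2024-05-01T08:00:20 srv-a sshd: Failed password for root from 10.0.0.5
2024-05-01T08:00:40 srv-a sshd: Failed password for root from 10.0.0.5
2024-05-01T08:01:00 srv-a sshd: Failed password for root from 10.0.0.5
2024-05-01T08:01:20 srv-a sshd: Failed password for root from 10.0.0.5
2024-05-01T08:01:40 srv-a sshd: Failed password for root from 10.0.0.5
2024-05-01T08:02:00 srv-a sshd: Failed password for root from 10.0.0.5
2024-05-01T08:02:00 srv-b sshd: Failed password for root from 10.0.0.5
2024-05-01T08:02:30 srv-b sshd: Failed password for root from 10.0.0.5
2024-05-01T08:03:00 srv-b sshd: Failed password for root from 10.0.0.5
2024-05-01T08:03:30 srv-b sshd: Accepted password for deploy from 10.0.0.9
2024-05-01T08:08:00 srv-a sshd: Failed password for admin from 198.51.100.7
2024-05-01T08:16:00 srv-a sshd: Failed password for admin from 198.51.100.7
2024-05-01T08:24:00 srv-a sshd: Failed password for admin from 198.51.100.7
2024-05-01T08:32:00 srv-a sshd: Failed password for admin from 198.51.100.7
2024-05-01T08:40:00 srv-a sshd: Failed password for admin from 198.51.100.7
"""

if __name__ == "__main__":
    for block in analyze(SAMPLE_LOG)[0]:
        print("block %s on %s at %s until %s" % block)
```

Lowering the limit (for example `max_failures=2`) also catches the three failures against srv-b, which shows why the period and limit must be tuned per environment rather than copied from defaults.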
Container Protection
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center detects the following image vulnerabilities, image baseline risks, and malicious image samples: Note Only image system vulnerabilities can be fixed with a few clicks. Image application vulnerabilities, image baseline risks, malicious image samples, and sensitive image files can only be detected. | Value-added | Value-added | Value-added | |||
This feature can monitor directories and files in containers in real time, and generate alerts or intercept tampering operations when the directories or files are tampered with. This prevents your applications from being inserted with illegal information or malicious code. | ||||||
This feature delivers firewall capabilities to protect containers. If attackers exploit vulnerabilities or malicious images to intrude into clusters, the container firewall feature generates alerts or blocks attacks. | ||||||
Security Center signs trusted container images and verifies the signatures to ensure that only trusted images are deployed. This prevents unauthorized container images from being started and improves asset security. Note Only Kubernetes clusters that are deployed in the China (Hong Kong) region support the image signature feature. | ||||||
Security Center detects image risks in the project building stage on Jenkins and GitHub in an efficient manner and provides solutions to detected image risks. Image risks include high-risk system vulnerabilities, application vulnerabilities, viruses, webshells, execution of malicious scripts, configuration risks, and sensitive data. |
Application Protection
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
This feature uses Runtime Application Self-Protection (RASP) to detect attacks during application runtime, and then blocks the attacks or generates alerts for them. This helps protect applications. | Value-added | Value-added | Value-added | Value-added |
System Configuration
Playbook
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center provides the task management feature. You can run tasks to enable automatic fixing of vulnerabilities in multiple servers at a time. |
Reports
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center allows you to configure security reports. After you enable this feature, Security Center sends emails that contain security statistics to the specified recipients. |
Feature Settings
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Proactive Defense - Malicious Behavior Defense | This feature automatically blocks common network viruses, such as common ransomware, DDoS trojans, mining programs, trojans, malicious programs, webshells, and computer worms. | ||||||
Proactive Defense - Anti-ransomware (Bait Capture) | This feature uses bait to capture new types of ransomware and analyzes their patterns to protect your assets. | ||||||
Proactive Defense - Webshell Protection | This feature automatically intercepts suspicious connections that are initiated by attackers by using known webshells. This feature also allows you to manually quarantine related files. | ||||||
Proactive Defense - Behavior prevention | This feature intercepts abnormal network behavior between your servers and disclosed malicious access sources, which reinforces the security of your servers. | ||||||
Proactive Defense - Active defense experience optimization | If your server unexpectedly shuts down or the defense capability is unavailable, Security Center collects server data by using the kdump service for protection analysis. This enhances the protection capability of Security Center on an ongoing basis. | ||||||
Webshell Detection | Security Center periodically scans web directories to detect webshells and trojans on your servers. | ||||||
Dynamic adaptive threat detection capability | If a high-risk intrusion is detected on your server after the adaptive threat detection feature is enabled, the Security Center agent on your server automatically runs in strict alert mode. This mode helps detect intrusions in a faster and more comprehensive manner. | ||||||
Alert modes | Security Center supports different alert modes for servers to meet your security requirements in different scenarios. By default, Security Center enables Balanced Mode for all servers that are added to Security Center. | ||||||
K8s Threat Detection | Security Center monitors the status of running containers in a Kubernetes cluster. This allows you to detect security risks and attacker intrusions at the earliest opportunity. Security Center detects the following items: | ||||||
Container Escape Prevention | The feature of container escape prevention detects high-risk operations from multiple dimensions such as processes, files, and system calls, and establishes protection barriers between containers and hosts. This effectively blocks escape behavior and ensures the runtime security of containers. | ||||||
Client Protection | After you enable the client protection feature, Security Center automatically intercepts unauthorized agent uninstallation. This feature prevents the agent from being uninstalled by attackers or terminated by other software. | ||||||
Local File Detection Engine | The local file detection engine performs security checks on new script files and binary files on your server. If threats are detected, the engine reports alerts. | ||||||
Client Resource Management | The feature of client resource management allows you to manually change the running mode of the Security Center agent to limit the amount of resources that the agent can consume. This meets the protection requirements of servers in various scenarios and enhances security. | ||||||
Global Log Filter | The global log filtering feature ensures security, and helps you effectively use your log storage and improve operational efficiency. | Value-added | Value-added | Value-added | Value-added | ||
Security Control | Security control allows you to configure the IP address whitelist. Requests initiated from IP addresses in the whitelist are directly forwarded to destination servers. This prevents normal network traffic from being blocked. | ||||||
Access Control | Resource Access Management (RAM) allows you to create and manage RAM users, such as individuals, system administrators, and application administrators. You can manage RAM user permissions to control access to Alibaba Cloud resources. | ||||||
Installation and uninstallation of the Security Center agent | Security Center allows you to install and uninstall the Security Center agent. | |||||
This feature allows you to add the following types of servers to Security Center: ECS instances that are deployed in VPCs, servers that are deployed in data centers, and servers that are deployed in hybrid clouds and are inaccessible over the Internet. You can also use the feature to manage uplink traffic of the servers. Uplink traffic refers to traffic from servers to Security Center. | ||||||
This feature allows you to add third-party cloud servers and servers in data centers to Security Center for protection and management. | ||||||
Security Center allows you to create IDC probes to scan servers and identify the servers that have the Security Center agent installed in a data center. Then, you can synchronize the information about the identified servers to the Assets module of the Security Center console. This way, Security Center can manage the servers in a centralized manner. | ||||||
This feature allows you to configure rule conditions. You can manage servers that meet the specified rule conditions by group or tag in a simple and efficient manner. |
Notification Settings
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center allows you to customize notification methods and alert severities of alert notifications. Security Center sends alert notifications by using text messages, emails, internal messages, or DingTalk chatbots. Note Only the Enterprise and Ultimate editions of Security Center support DingTalk chatbots. |
Multi-account Control
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center allows you to manage the assets of multiple members in the resource directory of your enterprise. You can monitor the security status of the members in real time. |
Compliance
Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security Center checks whether your assets comply with classified protection regulations, including those on communication networks, region borders, computing environments, and management centers. Security Center also generates compliance reports. | ||||||
Security Center checks whether your system meets ISO 27001 requirements from aspects such as asset management, access control, cryptography, and operation security. |
Limits on threat detection
Security Center sends alerts in real time when risks are detected. You can manage security alerts, scan for and fix vulnerabilities, analyze attacks, and perform configuration assessment in the Security Center console. Security Center can analyze alerts and trace attacks. This reinforces the security of your assets. To protect your assets against attacks, we recommend that you regularly install the latest security patches on your server, and use other security services together with Security Center, such as Cloud Firewall and Web Application Firewall (WAF).
After you install the Security Center agent on a server, the defense process of Security Center requires a specific period of time to take effect on the server. During this period of time, Security Center cannot block threats such as ransomware and DDoS trojans.
Attacks and viruses are always changing, and actual workloads run in different environments. Therefore, Security Center cannot ensure that all unknown threats are detected in real time. We recommend that you use Security Center features such as alerting, vulnerability detection, baseline check, and configuration assessment to enhance security and prevent intrusions, data theft, and data damage.