Security operations are getting harder for organizations and enterprises: IT environments keep growing, data is fragmented across tools, response is slow, sophisticated attacks are hard to detect, and compliance requirements keep expanding. The cloud threat detection and response (CTDR) feature of Security Center lets you centrally manage the alerts and logs of multiple cloud services across different accounts in a multi-cloud environment. This improves security O&M efficiency and strengthens your ability to respond to potential risks.
How it works
The CTDR feature offers a cloud-native management solution for security information and events, including log standardization, alert generation, event aggregation and analysis, and event response orchestration.
It collects logs from the accounts and cloud services of multiple providers and analyzes them with predefined and custom detection rules to identify attacks, reconstruct complete attack chains, and generate detailed security incidents. When a threat is detected, CTDR triggers Security Orchestration, Automation, and Response (SOAR), which works with Alibaba Cloud services to block and quarantine the threat. This shortens the time needed to handle security incidents.
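The pipeline described above, reduced to its essentials as an added example (this is illustrative code, not Security Center or CTDR code): two constructed log sources are normalized into one event schema, per-entity detection rules produce alerts, alerts on the same entity are aggregated into one incident with a timeline, and the incident yields a recommended response. The WAF JSON field names, the key=value Cloud Firewall format, and the rule thresholds are all assumptions made for the example.

```python
"""Toy CTDR-style pipeline: normalize -> detect -> aggregate by entity -> recommend.
Added example, not Security Center code. Log formats and field names are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import json

# Constructed sample logs (not real product output). One client IP shows up in
# both sources, which is the cross-asset case CTDR is meant to stitch together.
WAF_LOGS = [
    '{"time":"2024-05-01T10:00:01Z","real_client_ip":"203.0.113.7","request_path":"/login","final_action":"block","rule_type":"sqli"}',
    '{"time":"2024-05-01T10:00:05Z","real_client_ip":"203.0.113.7","request_path":"/admin","final_action":"block","rule_type":"sqli"}',
    '{"time":"2024-05-01T10:00:09Z","real_client_ip":"198.51.100.2","request_path":"/","final_action":"pass","rule_type":""}',
]
CFW_LOGS = [
    "time=2024-05-01T10:01:00Z src_ip=203.0.113.7 dst_ip=10.0.0.5 dst_port=22 action=alert event=brute_force",
]


@dataclass
class Event:
    ts: str
    source: str
    entity: str   # the entity the alert centres on; an IP address here
    kind: str     # normalized event category
    detail: str


def normalize_waf(line: str) -> Event:
    """Map a WAF JSON line onto the common schema (field names are assumed)."""
    rec = json.loads(line)
    kind = "web_block" if rec["final_action"] == "block" else "web_pass"
    return Event(rec["time"], "waf", rec["real_client_ip"], kind,
                 f'{rec["rule_type"]} {rec["request_path"]}'.strip())


def normalize_cfw(line: str) -> Event:
    """Map a key=value Cloud Firewall alert line onto the common schema (format assumed)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Event(kv["time"], "cloud_firewall", kv["src_ip"], kv["event"],
                 f'{kv["dst_ip"]}:{kv["dst_port"]}')


# Detection rules: (alert name, predicate over all events of one entity).
# Thresholds are illustrative, not CTDR's built-in rules.
RULES = [
    ("repeated_web_block", lambda evs: sum(e.kind == "web_block" for e in evs) >= 2),
    ("ssh_brute_force", lambda evs: any(e.kind == "brute_force" for e in evs)),
]


@dataclass
class Incident:
    entity: str
    alerts: list
    sources: set
    timeline: list  # (ts, source, kind, detail), oldest first

    def recommended_action(self) -> tuple:
        """Pick a handling policy: block at the firewall when the entity is seen
        by more than one source or brute-forces SSH, otherwise only watch it."""
        if len(self.sources) > 1 or "ssh_brute_force" in self.alerts:
            return ("cloud_firewall", "block_ip", self.entity)
        return ("waf", "watch_ip", self.entity)


def run_pipeline(waf_lines, cfw_lines) -> dict:
    """Return {entity: Incident} for every entity that fires at least one rule."""
    events = [normalize_waf(l) for l in waf_lines] + [normalize_cfw(l) for l in cfw_lines]
    by_entity = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):   # ISO-8601 strings sort chronologically
        by_entity[e.entity].append(e)
    incidents = {}
    for entity, evs in by_entity.items():
        alerts = [name for name, pred in RULES if pred(evs)]
        if not alerts:
            continue   # benign traffic never becomes an incident
        incidents[entity] = Incident(entity, alerts, {e.source for e in evs},
                                     [(e.ts, e.source, e.kind, e.detail) for e in evs])
    return incidents


if __name__ == "__main__":
    for inc in run_pipeline(WAF_LOGS, CFW_LOGS).values():
        print(inc.entity, inc.alerts, sorted(inc.sources), inc.recommended_action())
```

The point to notice is the aggregation key: grouping on the entity rather than on the emitting product is what turns two unrelated product alerts into one incident with a cross-asset timeline, and the response decision is made on that incident, not on either alert alone.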
Functions
CTDR is a security operations solution built around an AI Agent core engine. It supports an "intelligent autonomous driving" mode in which security incidents are handled fully automatically.
Rapid threat detection
CTDR uses Alibaba Cloud's global threat intelligence to identify new and unknown threats from alerts, and uses graph computing and cloud-native log analysis to uncover hidden malicious activity. On average, a security incident is generated from its alerts within a few minutes, and 99.94% of alerts can be aggregated into incidents.
Automated handling
Utilizing the AI Agent core engine, CTDR offers one-click handling policies, eliminating manual configuration. Recommended handling policies address 95% of security incidents and include built-in playbooks that can be activated with one click. CTDR also supports custom playbook orchestration and coordinates with various security services for automated analysis and response.
Threat visualization
CTDR combines graph computing and security LLMs to automatically trace attack paths and reconstruct intrusion timelines.
Unified data management
CTDR centralizes log collection across cloud environments, accounts, and products, simplifying hybrid cloud security operations. With a 90% cross-asset security incident discovery rate, it enables global visibility into security insights. A global account administrator can centrally view and audit security incidents in the Security Center console, facilitating efficient data analysis and security audits.
Benefits
In security operations, Mean Time To Detect (MTTD), Mean Time To Acknowledge (MTTA), and Mean Time To Respond (MTTR) are essential metrics for evaluating the efficiency and effectiveness of security teams. These indicators help organizations identify strengths and weaknesses in their security processes while providing empirical evidence for continuous improvement.
This section examines the impact of CTDR on security incident management through these three metrics, using data from a statistical analysis of actual CTDR usage.
MTTD: 5 minutes.
Reflects the average time from when an attack event occurs until it is first detected. While manual detection typically takes hours, using CTDR reduces the detection window to under 5 minutes.
MTTA: 35 minutes.
Measures the time from detection of an event to the security team's formal confirmation that the event is a real threat. Traditionally, confirmation takes days; with CTDR automating investigation and tracing, it takes an average of 35 minutes.
MTTR: 90 minutes.
Measures the average time from identifying an attack event as a genuine threat to its resolution and the restoration of normal operations. Traditionally, this process can take days or weeks due to time-consuming manual verification and response. However, with CTDR, this workflow is streamlined, enabling resolution and system reinforcement within 90 minutes.
CTDR-recommended strategies can execute predefined playbooks in seconds, significantly accelerating the transition from event confirmation to resolution. This swift response buys precious time for security teams to perform thorough analysis and system hardening.
Supported services and log types
The CTDR feature supports more than 30 cloud services and more than 60 log types. The following table describes the supported cloud services and log types.
Service provider | Service | Log type
Alibaba Cloud | Security Center |
Alibaba Cloud | Web Application Firewall (WAF) | Alert logs, CDN flow logs (only supported in China), full/block/block-and-monitor logs of WAF 2.0, and full/block/block-and-monitor logs of WAF 3.0
Alibaba Cloud | Cloud Firewall | Alert logs, real-time alert logs, and traffic logs of Cloud Firewall
Alibaba Cloud | Anti-DDoS | Anti-DDoS Proxy full logs, Anti-DDoS Proxy flow logs (previous version), and Anti-DDoS Origin logs
Alibaba Cloud | Bastionhost | Bastionhost logs
Alibaba Cloud | CDN | Flow logs of Alibaba Cloud CDN and flow logs of CDN WAF
Alibaba Cloud | Edge Security Acceleration (ESA) | EdgeRoutine logs, access logs, and WAF logs of DCDN
Alibaba Cloud | API Gateway | API Gateway logs
Alibaba Cloud | Container Service for Kubernetes (ACK) | Audit logs of Kubernetes resources
Alibaba Cloud | PolarDB | PolarDB-X 1.0 SQL audit logs and PolarDB-X 2.0 SQL audit logs
Alibaba Cloud | ApsaraDB for MongoDB | Operational logs and audit logs of ApsaraDB for MongoDB
Alibaba Cloud | ApsaraDB RDS | RDS SQL audit logs
Alibaba Cloud | Virtual Private Cloud (VPC) | Flow logs of VPC
Alibaba Cloud | Elastic IP Address (EIP) | EIP logs
Alibaba Cloud | Server Load Balancer (SLB) | ALB access logs and CLB access logs
Alibaba Cloud | Object Storage Service (OSS) | OSS access logs, OSS batch deletion logs, and OSS hourly metering logs
Alibaba Cloud | File Storage NAS | Operation logs of NAS NFS
Alibaba Cloud | Function Compute (FC) | Operational logs of Function Compute
Alibaba Cloud | ActionTrail | ActionTrail event logs
Alibaba Cloud | Cloud Config | Cloud Config logs
Tencent Cloud | WAF | Tencent Cloud WAF alert logs
Tencent Cloud | Cloud Firewall | Tencent Cloud Cloud Firewall alert logs
Huawei Cloud | WAF | Huawei Cloud WAF alert logs
Huawei Cloud | Cloud Firewall | Huawei Cloud Cloud Firewall alert logs
Terms
Before you use the CTDR feature, familiarize yourself with the terms that are related to the feature. The following table describes the terms.
Term | Description |
handling policy | A handling policy describes the details of scenario-specific alert handling. A handling policy is generated based on the handling result of an entity in a scenario. |
handling task | A handling task describes the details of scope-specific alert handling. The event handling process of an entity in a scenario is divided into multiple handling tasks based on scopes. |
entity | An entity is the core object of an alert, which can be an IP address, a file, or a process. |
SOAR | SOAR is a solution that provides automated tools and procedures to organize and manage event response measures. SOAR helps enterprises efficiently respond to security incidents, reduces manual interference, and improves the handling efficiency of events. |
playbook | A playbook provided by SOAR is an automated security management process that consists of predefined response policies. A playbook can be automatically executed after specific events are triggered. You can create a playbook in the same manner as you draw a flowchart. A playbook contains start, judgment, action, and end nodes. You can define actions for each component on a canvas in a visualized manner. For example, you can define the network disabling action for the terminal management component. |
component | A component connects a playbook to an external system or service, such as WAF, Cloud Firewall, a database service, or a notification service. A component is only a connector and does not process complex logic; that logic is handled by the connected external system or service. After you select a component, you must select resource instances and actions for it. Components are classified into process orchestration components, basic orchestration components, and security application components. |
resource instance | A resource instance specifies an external service to which a component is connected. For example, if you want to use a MySQL component and your enterprise has multiple MySQL databases, you must specify the database to which you want to connect the MySQL component. |
action | An action specifies the execution capability of a component. A component can have multiple actions. For example, the terminal management component supports actions such as disabling accounts, isolating networks, and sending notifications. |
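The playbook, component, resource instance and action terms above fit together as a small graph walker. The following is an added example, not the SOAR engine's own code: a playbook is a dict of start, judgment, action and end nodes; an action node names a component, a resource instance and an action; the runner validates the graph before executing it so a mistyped node ID or unknown action fails up front rather than halfway through a response. The component names (cloud_firewall, notification), instance names (cfw-prod-01, secops-oncall) and actions are hypothetical.

```python
"""Minimal playbook runner over start / judgment / action / end nodes.
Added example, not Security Center or SOAR code; all names are hypothetical."""
from dataclasses import dataclass


@dataclass
class Component:
    """Connector to an external service. It only dispatches to a named action
    against a resource instance and holds no complex logic of its own."""
    name: str
    actions: dict  # action name -> callable(instance, ctx) -> str

    def run(self, action: str, instance: str, ctx: dict) -> str:
        if action not in self.actions:
            raise KeyError(f"component {self.name} has no action {action!r}")
        return self.actions[action](instance, ctx)


# Hypothetical components; real ones would call the service's API.
COMPONENTS = {
    "cloud_firewall": Component("cloud_firewall", {
        "block_ip": lambda inst, ctx: f"{inst}: blocked {ctx['entity']}",
    }),
    "notification": Component("notification", {
        "send": lambda inst, ctx: f"{inst}: notified on-call about {ctx['entity']}",
    }),
}

# Playbook graph: node id -> node. Judgment nodes branch on a predicate over the
# incident context; action nodes name component, resource instance and action.
PLAYBOOK = {
    "start": {"type": "start", "next": "confirmed_and_severe"},
    "confirmed_and_severe": {
        "type": "judgment",
        "cond": lambda ctx: ctx["confirmed"] and ctx["severity"] >= 3,
        "true": "block", "false": "notify_only",
    },
    "block": {"type": "action", "component": "cloud_firewall",
              "instance": "cfw-prod-01", "action": "block_ip", "next": "notify"},
    "notify": {"type": "action", "component": "notification",
               "instance": "secops-oncall", "action": "send", "next": "end"},
    "notify_only": {"type": "action", "component": "notification",
                    "instance": "secops-oncall", "action": "send", "next": "end"},
    "end": {"type": "end"},
}


def validate(playbook: dict, components: dict) -> None:
    """Reject dangling edges and unknown component actions before anything runs."""
    if "start" not in playbook:
        raise ValueError("playbook has no start node")
    for nid, node in playbook.items():
        edges = []
        if node["type"] in ("start", "action"):
            edges = [node.get("next")]
        elif node["type"] == "judgment":
            edges = [node["true"], node["false"]]
        for target in edges:
            if target not in playbook:
                raise ValueError(f"node {nid!r} points at unknown node {target!r}")
        if node["type"] == "action":
            comp = components.get(node["component"])
            if comp is None or node["action"] not in comp.actions:
                raise ValueError(f"node {nid!r} uses an unknown component action")


def run_playbook(playbook: dict, components: dict, ctx: dict, max_steps: int = 50) -> list:
    """Execute the playbook for one incident context and return the trace as a
    list of (node id, result). max_steps guards against a cyclic graph."""
    validate(playbook, components)
    node_id, trace = "start", []
    for _ in range(max_steps):
        node = playbook[node_id]
        if node["type"] == "start":
            trace.append((node_id, "started"))
            node_id = node["next"]
        elif node["type"] == "judgment":
            verdict = bool(node["cond"](ctx))
            trace.append((node_id, verdict))
            node_id = node["true"] if verdict else node["false"]
        elif node["type"] == "action":
            comp = components[node["component"]]
            trace.append((node_id, comp.run(node["action"], node["instance"], ctx)))
            node_id = node["next"]
        elif node["type"] == "end":
            trace.append((node_id, "done"))
            return trace
        else:
            raise ValueError(f"unknown node type {node['type']!r}")
    raise RuntimeError("playbook exceeded max_steps without reaching an end node")


if __name__ == "__main__":
    for step in run_playbook(PLAYBOOK, COMPONENTS,
                             {"entity": "203.0.113.7", "confirmed": True, "severity": 4}):
        print(*step)
```

Two design points carry over to real playbooks: the judgment node gates the blocking action on the incident being confirmed, so an unconfirmed alert only notifies, and the step limit plus up-front validation keep a bad graph from either looping or stopping after the block but before the notification.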
References
To learn more about the features and usage of CTDR, see User guide.
After you enable the CTDR feature, you can add logs of cloud services to the feature to monitor and analyze alerts and logs across resources in a centralized manner. For more information, see Add logs of cloud services and Add logs of security services.
Is the number of alerts reduced after the CTDR feature is enabled?