Cloud Security Monitoring
Security BSides Seattle Eugene Kogan - @eugk - February 4, 2017
(for startups, mostly)
1. Who
2. Why
3. What
4. How
5. When
1. Who
CloudSecurityAlliance.org
2. Why
3. What
Trust, but verify.
- President Ronald Reagan
Awareness
Visualization
Misuse detection
Change detection
Incident detection
Incident response
Splunk
Graylog
Elastic Stack
Loggly
Logentries
Fluentd
Sumo Logic
AWS
G Suite
Dropbox
GitHub
GitLab
Slack
Zendesk
Salesforce
Jenkins
Syslog
Webhooks
4. How
_sourceCategory=cloudtrail_aws_logs*
| json auto
| where event_name matches "*Trail" or event_name matches "StartLogging" or event_name matches "StopLogging"
| lookup awsaccountname from /shared/awsaccounts on recipient_account_id = awsaccountid
| count as count by event_name, recipient_account_id, awsaccountname, user_name, principle_id, accesskey_id
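The same detection as the Sumo Logic query above, written as a stand-alone Python script so it can be run against raw CloudTrail log files without a log platform. This is an added example, not code from the talk; the CloudTrail records, the account-name table standing in for /shared/awsaccounts, and the account IDs are constructed.

```python
import fnmatch
import json
from collections import Counter

# Constructed CloudTrail log excerpt (not from the talk), trimmed to the fields the query uses.
CLOUDTRAIL_JSON = """{"Records": [
 {"eventName": "StopLogging", "recipientAccountId": "111111111111",
  "userIdentity": {"userName": "alice", "principalId": "AIDAEXAMPLE1", "accessKeyId": "AKIAEXAMPLE1"}},
 {"eventName": "DescribeInstances", "recipientAccountId": "111111111111",
  "userIdentity": {"userName": "bob", "principalId": "AIDAEXAMPLE2", "accessKeyId": "AKIAEXAMPLE2"}},
 {"eventName": "DeleteTrail", "recipientAccountId": "222222222222",
  "userIdentity": {"userName": "carol", "principalId": "AIDAEXAMPLE3", "accessKeyId": "AKIAEXAMPLE3"}},
 {"eventName": "StopLogging", "recipientAccountId": "111111111111",
  "userIdentity": {"userName": "alice", "principalId": "AIDAEXAMPLE1", "accessKeyId": "AKIAEXAMPLE1"}}
]}"""

# Hypothetical stand-in for the /shared/awsaccounts lookup table (account id -> friendly name).
ACCOUNT_NAMES = {"111111111111": "prod", "222222222222": "staging"}

# The same glob patterns as the query's "where" clause.
PATTERNS = ("*Trail", "StartLogging", "StopLogging")


def load_records(raw):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(raw)["Records"]


def is_trail_change(event_name):
    """True when the event name matches any pattern for CloudTrail being altered or stopped."""
    return any(fnmatch.fnmatchcase(event_name, p) for p in PATTERNS)


def summarize(records):
    """Keep only trail-affecting events and count them per event/account/user/principal/key."""
    counts = Counter()
    for rec in records:
        name = rec.get("eventName", "")
        if not is_trail_change(name):
            continue
        ident = rec.get("userIdentity", {})
        acct = rec.get("recipientAccountId", "")
        key = (name, acct, ACCOUNT_NAMES.get(acct, "unknown"), ident.get("userName", ""),
               ident.get("principalId", ""), ident.get("accessKeyId", ""))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(load_records(CLOUDTRAIL_JSON)).items():
        print(n, *key)
```

Any non-zero row from summarize is worth an alert: legitimate trail changes are rare, and each one should be traceable to a known change ticket or operator.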
github.com/auth0/audit-droid
github.com/a2o/snoopy
github.com/nccgroup/Scout2
5. When
You should be doing cloud security monitoring
today.
Action items
Know which cloud services your organization uses
Have a modern platform for collection, analysis, alerting
Collect the right data from cloud and internal systems
Use this data wisely
Ensure your staff has the right skills to do all of the above
The end
auth0.engineering/tagged/security
twitter.com/eugk