Cloud Security Monitoring

Security BSides Seattle Eugene Kogan - @eugk - February 4, 2017

(for startups, mostly)

1. Who

2. Why

3. What

4. How

5. When

1. Who

CloudSecurityAlliance.org

2. Why

3. What

–President Ronald Reagan

Trust, but verify.

Awareness

Visualization

Misuse detection

Change detection

Incident detection

Incident response

Splunk Graylog

Elastic Stack Loggly

Logentries Fluentd

Sumo Logic

AWS G Suite Dropbox GitHub GitLab Slack Zendesk Salesforce Jenkins Syslog Webhooks

4. How

_sourceCategory=cloudtrail_aws_logs* | json auto | where event_name matches "*Trail" or event_name matches "StartLogging" or event_name matches "StopLogging" | lookup awsaccountname from /shared/awsaccounts on recipient_account_id = awsaccountid | count as count by event_name, recipient_account_id, awsaccountname, user_name, principle_id, accesskey_id

github.com/auth0/audit-droid

github.com/a2o/snoopy

github.com/nccgroup/Scout2

5. When

You should be doing cloud security monitoring

today.

Action items

Know which cloud services your organization uses

Have a modern platform for collection, analysis, alerting

Collect the right data from cloud and internal systems

Use this data wisely

Ensure your staff has the right skills to do all of the above

The end 🖖

auth0.engineering/tagged/security

twitter.com/eugk