Presented at
BSides Austin 2017,
May 4, 2017, 5 p.m.
(60 minutes).
Security monitoring is the foundation of a good information security program but how you monitor all your things is changing as companies use cloud services by default. This talk draws from:
* My experience implementing security monitoring at Auth0 (a startup running exclusively in the cloud).
* A realisation that a lot of companies are not collecting this data.
* A feeling that this is a positive change for security engineering and, I want to publicise an opportunity for the community to build and share security technology.
The talk will cover the following:
1. What is security monitoring and why do you want to monitor all the things?
* To give yourself both a detection + response capability.
* It's also as important to look for config errors as it is for attackers.
2. What are your options for collection and storage?
* Very briefly discuss self managed vs cloud hosted.
3. How do you monitor cloud services?
* APIs, webhooks and various log formats
* Discuss the main services: Google G Suite API, Github API and AWS Cloudtrail
* Present slack-audit (https://github.com/auth0/slack-audit)
5. Don't forget about your servers!
* Unless you've gone serverless you don't want to forget about your servers (log tailers, snoopy and osquery)
6. What should you do with the data when you have collected it?
* Create Security events!
* I will walk through some real examples of how to create events and best practice guides.
7. How do you keep up and keep sane?
* The importance of tuning
* Using Bots+ChatOps to scale how many security events you can manage
* Present Audit-droid (https://github.com/auth0/audit-droid)
Takeaways:
1. Why security monitoring is important and how you can monitor your cloud services.
2. Real examples of how to use the service APIs to generate security events (with example code)
3. Real examples of how to manage your security events using tuning and ChatOps (with example code)
Presenters:
-
Duncan Godfrey
Duncan is a consultant security engineer specialising in infrastructure security. Earlier in his career infra-sec was focused on physical DCs, networks and servers - now it's all about securing cloud infrastructure and services. Duncan spent a number of years working in network defence undertaking top secret work for the British government and had a diversion helping a telco in Mozambique re-engineer their networks. Before becoming a consultant he spent a few years at Amazon.com deploying network monitoring at scale and helping establish a new security monitoring team.
Links:
Similar Presentations: