
Cloud Security Monitoring

Art into Science: A Conference for Defense. Eugene Kogan (@eugk), January 2017

1. Who

2. Why

3. What

4. How

5. When

1. Who

... Y2K ...

2. Why

3. What

Trust, but verify.

– President Ronald Reagan



Misuse detection

Change detection

Incident detection

Incident response

Log platforms:

Splunk

Graylog

Elastic Stack

Loggly

Logentries

Fluentd

Sumo Logic

Log sources: AWS, G Suite, Dropbox, GitHub, GitLab, Slack, Zendesk, Salesforce, Jenkins, Syslog, Webhooks

4. How

Example Sumo Logic search: alert on anyone touching CloudTrail itself (creating, changing or deleting a trail, or starting/stopping logging), since that is what an attacker does to blind you. The snake_case field names (event_name, user_name, principle_id, ...) come from a field extraction rule over the raw CloudTrail JSON; principle_id is the rule's name for userIdentity.principalId, so use whatever name your own rule assigns.

_sourceCategory=cloudtrail_aws_logs*
| json auto
// trail create/update/delete, plus the logging on/off switches
| where event_name matches "*Trail" or event_name matches "StartLogging" or event_name matches "StopLogging"
// map the 12-digit account ID to a friendly name from a shared lookup file
| lookup awsaccountname from /shared/awsaccounts on recipient_account_id = awsaccountid
| count as count by event_name, recipient_account_id, awsaccountname, user_name, principle_id, accesskey_id
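The same detection logic in plain Python, as an added example that is not from the talk or from Sumo Logic: it runs the query's where/lookup/count pipeline over a handful of constructed CloudTrail records (account IDs, user names and key IDs are made up) so you can check the predicate offline, including the root-user case where userIdentity carries no userName. The ACCOUNT_NAMES dict stands in for the /shared/awsaccounts lookup file.

```python
"""CloudTrail self-tampering detection, re-implemented from the Sumo Logic
search above.  Added illustration, not code from the talk.  All sample data
below is constructed."""

import fnmatch
import json
from collections import Counter

# Constructed CloudTrail records, trimmed to the fields the detection uses.
SAMPLE_EVENTS = [
    {"eventName": "StopLogging", "recipientAccountId": "111111111111",
     "userIdentity": {"userName": "alice", "principalId": "AIDAEXAMPLE1",
                      "accessKeyId": "AKIAEXAMPLE1"}},
    {"eventName": "DeleteTrail", "recipientAccountId": "111111111111",
     "userIdentity": {"userName": "alice", "principalId": "AIDAEXAMPLE1",
                      "accessKeyId": "AKIAEXAMPLE1"}},
    {"eventName": "DescribeInstances", "recipientAccountId": "111111111111",
     "userIdentity": {"userName": "alice", "principalId": "AIDAEXAMPLE1",
                      "accessKeyId": "AKIAEXAMPLE1"}},          # benign, ignored
    {"eventName": "UpdateTrail", "recipientAccountId": "222222222222",
     "userIdentity": {"userName": "bob", "principalId": "AIDAEXAMPLE2",
                      "accessKeyId": "AKIAEXAMPLE2"}},
    {"eventName": "StartLogging", "recipientAccountId": "222222222222",
     "userIdentity": {"userName": "bob", "principalId": "AIDAEXAMPLE2",
                      "accessKeyId": "AKIAEXAMPLE2"}},
    # Root user: no userName field, principalId is the account ID itself.
    {"eventName": "StopLogging", "recipientAccountId": "333333333333",
     "userIdentity": {"type": "Root", "principalId": "333333333333",
                      "accessKeyId": "ASIAEXAMPLE3"}},
    {"eventName": "LookupEvents", "recipientAccountId": "222222222222",
     "userIdentity": {"userName": "bob", "principalId": "AIDAEXAMPLE2",
                      "accessKeyId": "AKIAEXAMPLE2"}},          # read-only, ignored
    {"eventName": "StopLogging", "recipientAccountId": "111111111111",
     "userIdentity": {"userName": "alice", "principalId": "AIDAEXAMPLE1",
                      "accessKeyId": "AKIAEXAMPLE1"}},
]

# Newline-delimited form, as a forwarder would ship it.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

# Stand-in for the /shared/awsaccounts lookup file (constructed).
ACCOUNT_NAMES = {"111111111111": "prod", "222222222222": "dev"}

# Same predicate as the query's where clause: the "*Trail" glob plus the two
# logging toggles.  CloudTrail API names are case-sensitive, so match exactly.
TAMPER_PATTERNS = ("*Trail", "StartLogging", "StopLogging")


def is_trail_tampering(event_name):
    """True for CreateTrail/UpdateTrail/DeleteTrail/StartLogging/StopLogging.
    Note "*Trail" does not match read-only calls such as DescribeTrails."""
    return any(fnmatch.fnmatchcase(event_name, p) for p in TAMPER_PATTERNS)


def summarize(records, account_names):
    """Equivalent of `lookup ... | count by ...`: returns a dict keyed by
    (event_name, account_id, account_name, user_name, principal_id,
    access_key_id) with the number of matching records for each."""
    counts = Counter()
    for rec in records:
        name = rec.get("eventName", "")
        if not is_trail_tampering(name):
            continue
        ident = rec.get("userIdentity", {})
        acct = rec.get("recipientAccountId", "")
        key = (name, acct, account_names.get(acct, "unknown"),
               ident.get("userName", ""),      # empty for root / assumed roles
               ident.get("principalId", ""),
               ident.get("accessKeyId", ""))
        counts[key] += 1
    return dict(counts)


def summarize_jsonl(lines, account_names):
    """Same aggregation over newline-delimited JSON lines."""
    return summarize((json.loads(l) for l in lines if l.strip()), account_names)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_EVENTS, ACCOUNT_NAMES).items()):
        print(n, *key)
```

An account that is missing from the lookup shows up as "unknown", which is itself worth alerting on: CloudTrail events from an account you do not have in your inventory mean the first action item below (know which cloud services you use) is incomplete.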

5. When


You should be doing cloud security monitoring


Action items

Know which cloud services your organization uses

Have a modern platform for collection, analysis, alerting

Collect the right data from cloud and internal systems

Use this data wisely

Ensure your staff has the right skills to do all of the above

That's all, folks!
