Cloud Security Monitoring at Auth0 - Security BSides Seattle
Cloud Security Monitoring (for startups, mostly)
Security BSides Seattle - Eugene Kogan - @eugk - February 4, 2017
1. Who
2. Why
3. What
4. How
5. When
1. Who
CloudSecurityAlliance.org
2. Why
3. What
Trust, but verify.
–President Ronald Reagan
Awareness
Visualization
Misuse detection
Change detection
Incident detection
Incident response
Splunk, Graylog, Elastic Stack, Loggly, Logentries, Fluentd, Sumo Logic
AWS, G Suite, Dropbox, GitHub, GitLab, Slack, Zendesk, Salesforce, Jenkins, Syslog, Webhooks
4. How
_sourceCategory=cloudtrail_aws_logs*
| json auto
| where event_name matches "*Trail" or event_name matches "StartLogging" or event_name matches "StopLogging"
| lookup awsaccountname from /shared/awsaccounts on recipient_account_id = awsaccountid
| count as count by event_name, recipient_account_id, awsaccountname, user_name, principle_id, accesskey_id
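The same check as the query above, run directly over raw CloudTrail records. This is an added example, not code from the talk or from Auth0; it assumes the standard CloudTrail JSON field names (eventName, recipientAccountId, userIdentity), and the account-name table and sample records are constructed.

```python
import json
from collections import Counter
from fnmatch import fnmatchcase

# Same event-name patterns as the query: any *Trail call plus Start/StopLogging.
PATTERNS = ("*Trail", "StartLogging", "StopLogging")

# Constructed stand-in for the /shared/awsaccounts lookup table.
ACCOUNT_NAMES = {"111111111111": "prod", "222222222222": "dev"}

# Constructed CloudTrail records, one JSON object per line (one line is malformed).
SAMPLE_LOG = """\
{"eventName":"StopLogging","recipientAccountId":"111111111111","userIdentity":{"type":"IAMUser","userName":"alice","principalId":"AIDAEXAMPLE1","accessKeyId":"AKIAEXAMPLE1"}}
{"eventName":"DescribeTrails","recipientAccountId":"111111111111","userIdentity":{"type":"IAMUser","userName":"bob","principalId":"AIDAEXAMPLE3","accessKeyId":"AKIAEXAMPLE3"}}
{"eventName":"StopLogging","recipientAccountId":"111111111111","userIdentity":{"type":"IAMUser","userName":"alice","principalId":"AIDAEXAMPLE1","accessKeyId":"AKIAEXAMPLE1"}}
{"eventName":"DeleteTrail","recipientAccountId":"222222222222","userIdentity":{"type":"AssumedRole","principalId":"AROAEXAMPLE2:session","accessKeyId":"ASIAEXAMPLE2"}}
{"eventName":"ConsoleLogin","recipientAccountId":"222222222222","userIdentity":{"type":"IAMUser","userName":"carol","principalId":"AIDAEXAMPLE4"}}
truncated-line {"eventName":
"""

def is_logging_change(event_name):
    """True for calls that create, alter, delete, start or stop a trail."""
    return any(fnmatchcase(event_name, p) for p in PATTERNS)

def count_logging_changes(lines):
    """Count matching events grouped by the same fields the query groups by."""
    counts = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the run
        if not isinstance(rec, dict):
            continue
        name = rec.get("eventName", "")
        if not is_logging_change(name):
            continue
        ident = rec.get("userIdentity") or {}
        acct = rec.get("recipientAccountId", "")
        # Assumed roles carry no userName, so principalId keeps them attributable.
        key = (name, acct, ACCOUNT_NAMES.get(acct, "unknown"),
               ident.get("userName", ""), ident.get("principalId", ""),
               ident.get("accessKeyId", ""))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in count_logging_changes(SAMPLE_LOG.splitlines()).most_common():
        print(n, *key)
```

Read-only calls such as DescribeTrails do not match `*Trail`, so only changes to the logging configuration are counted.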
github.com/auth0/audit-droid
github.com/a2o/snoopy
github.com/nccgroup/Scout2
5. When
You should be doing cloud security monitoring today.
Action items
Know which cloud services your organization uses
Have a modern platform for collection, analysis, alerting
Collect the right data from cloud and internal systems
Use this data wisely
Ensure your staff has the right skills to do all of the above
The end 🖖
auth0.engineering/tagged/security
twitter.com/eugk