Monitor all the cloud things - security monitoring for everyone

Posted on 22-Jan-2018


Monitor all the cloud things

@duncangodfrey

Security monitoring for everyone

Me:

https://auth0.com

@radekk @alecpesola @eugk

Introduction

• A brisk introduction to security monitoring

• How do you monitor cloud services?

• What should you do with the data you collect?

• Keeping up and keeping sane

• Opportunities for security engineering

A very brisk introduction to Security Monitoring

“Security monitoring is the process of generating security events based on data gathered from your IT environment.”

“Ability to detect threats in near real time”

“Ability to respond after a successful attack”

CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

“Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.”

How do you monitor Cloud Services?

log created

collection / storage

search (for events)

Action

APIs, webhooks and (sorry) JSON

$ curl https://slack.com/api/team.accessLogs\?token\=$yourtoken\&pretty\=1

https://github.com/auth0/slack-audit

Set up a platform for collection, storage and search

• Splunk

• Graylog

• Elastic stack (ELK, Logstash or fluentd)

• Loggly

• Logentries

• Airbnb Streamalert

• Sumo Logic

What should you do with the data you have collected?

Create Security Events

Take Action

log created

Sumo Logic

SL Query

Slack Message

#security-alerts
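Added example (not code from the talk or from the auth0 repositories): a Python sketch of the pipeline above, turning records in the shape of the Slack team.accessLogs response (sample constructed inline) into security events and a message body for #security-alerts. The two detection rules, their thresholds and the baseline IP set are assumptions to tune for your own team.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a Slack team.accessLogs response (not real log data).
SAMPLE_ACCESS_LOGS = json.dumps({
    "ok": True,
    "logins": [
        {"user_id": "U1", "username": "alice", "date_first": 1516579200, "date_last": 1516582800,
         "count": 3, "ip": "203.0.113.10", "user_agent": "Mozilla/5.0", "country": "GB"},
        {"user_id": "U1", "username": "alice", "date_first": 1516586400, "date_last": 1516586400,
         "count": 1, "ip": "198.51.100.7", "user_agent": "Mozilla/5.0", "country": "RU"},
        {"user_id": "U2", "username": "bob", "date_first": 1516579800, "date_last": 1516590000,
         "count": 5, "ip": "203.0.113.22", "user_agent": "Mozilla/5.0", "country": "GB"},
    ],
})


def security_events(raw_json, baseline_ips=None, max_countries=1):
    """Turn access-log records into (user, what, detail) security events.
    Rules (assumed thresholds): a user seen from more than max_countries countries
    in the window, and any login from an IP outside baseline_ips (office/VPN), if given.
    """
    data = json.loads(raw_json)
    if not data.get("ok"):
        raise ValueError("Slack API error: %s" % data.get("error", "unknown"))
    events = []
    countries = defaultdict(set)
    for login in data["logins"]:
        user = login["username"]
        countries[user].add(login["country"])
        if baseline_ips is not None and login["ip"] not in baseline_ips:
            events.append((user, "login from IP outside baseline", login["ip"]))
    for user, seen in countries.items():
        if len(seen) > max_countries:
            events.append((user, "logins from multiple countries", ",".join(sorted(seen))))
    return events


def slack_alert(events, channel="#security-alerts"):
    """Format events as the JSON body of a chat.postMessage call to the alert channel."""
    lines = ["*%s*: %s (%s)" % e for e in events]
    return {"channel": channel, "text": "Slack access-log alerts:\n" + "\n".join(lines)}


if __name__ == "__main__":
    found = security_events(SAMPLE_ACCESS_LOGS, baseline_ips={"203.0.113.10", "203.0.113.22"})
    print(json.dumps(slack_alert(found), indent=2))
```

In a real deployment the raw JSON would come from the curl call shown earlier (or a scheduled fetch) and the returned payload would be posted to Slack; here both ends are left to the reader so the logic runs offline.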

Where to start?

“It’s as important to look for config errors as it is to look for attackers.”

– Me

CIS AWS Foundations Benchmark

Keeping up and keeping sane

Have a process

Tuning

Triage

https://github.com/auth0/triage

audit-droid

https://github.com/auth0/audit-droid

Canaries

Opportunities for security engineering

Security monitoring for everyone

“Everything is an API call now”

Open Source

Fin.

Questions?

@duncangodfrey

https://auth0.engineering/