SOURCE Boston 2019
May 1 - 3, 2019 (Wed - Fri)
Cloud Intrusion Detection and Threat Hunting With Open Source Tools
By popular request, this is a sequel to a 2017 talk entitled “Engineering Challenges Doing Intrusion Detection in the Cloud.” Security teams often ask for “network intrusion detection,” but conventional, specification-based intrusion detection paradigms, particularly network-based ones, are not easily applied to the software-defined network abstractions that power multi-tenant public clouds. The 2017 talk was about the experience of doing intrusion detection at scale in one of the ten largest AWS environments at the time. One of the major lessons learned during that time is that in the public cloud, where direct network instrumentation is unavailable, behavioral detection built on endpoint data is often more effective and more efficient. Mandating the installation of terrestrial network security products onto the software-defined networks used in public clouds is not always the most productive approach.
This talk presents a practical demonstration of doing behavioral intrusion detection, threat hunting and security analytics using free and open source tools. Most security analytics use cases, including compliance monitoring, behavioral and specification-based intrusion detection, database monitoring, data loss detection, machine learning, security analytics and threat hunting, can be accomplished through the coordinated use of open source tools. This approach avoids numerous pitfalls facing security teams today, such as managing fleets of complex and expensive security agents and operating metered data analytics platforms whose bills force difficult decisions about which data to ingest. Another, and perhaps the most compelling, advantage of the open source approach is the freedom to engage in community-driven development and sharing of searches and analytics, which is sometimes missing in the black-box security product space. Demo included.
Craig is a seasoned security leader with twenty years' experience in security, including service as a cloud security lead in one of the larger AWS environments. He is a patent holder; published researcher; advisor to various security product plays and VCs; credited bug hunter; and a veteran of four startups, including two successful exits. A devotee of the "purple team" movement, he studies both offensive and defensive security art in order to better detect all the things. He has contributed, as an architect and / or core business logic developer, to three successful security products and six large-scale security monitoring and threat hunting projects, in both cloud and terrestrial environments. He has been a SIEM / security analytics developer and / or threat hunter in the defense, financial, government, military and software manufacturing sectors. He has presented at the MISTI NetSec ESummit, B-Sides Boston, SOURCE Boston, OpenSec Boston, Cloud Security World, and, a long time ago in a galaxy far away, ACSAC and the DHS Science & Technology Conference.