There is no denying the ubiquity of cloud computing, and for most organizations, Infrastructure as a Service (IaaS) in particular as the new norm. The model for cloud security is typically a shared responsibility between the provider and the consumer, which really means the consumer is ultimately responsible. Whether your infrastructure is completely hosted, is partly hosted, or is soon-to-be hosted in the cloud, your security posture must adapt appropriately if your monitoring and Incident response capabilities are to remain effective. Developing an accurate view of nefarious activity in cloud environments still requires the multi-layered approach it did in the enterprise; however, it must adapt to include sources such as Amazon Web Services (AWS) CloudTrail IaaS logs, VPC Flow logs, endpoint logs, and more. This data must be captured and arranged in a manner to make it actionable, requiring you to have a plan for the IR lifecycle even though you might not own the mitigation process. Approaching Parity is a talk about adapting your security posture for monitoring and IR in IaaS environments, through native capabilities, third-party products, via workaround, or any combination of the three, and then operationalizing this telemetry with the CSIRT playbook. Though this talk provides AWS IaaS examples, the topics presented are applicable to other IaaS providers too.

As an information security practitioner with 20 years of IT experience, Matt helps protect Cisco’s network and assets as a first responder on the Computer Security Incident Response Team (CSIRT). Matt shares his monitoring and incident response expertise with the InfoSec community by participating in groups such as the Defense Security Information Exchange (DSIE) and the North Carolina InfraGard. Matt’s hobbies include making his own sauerkraut and competitive rifle shooting, both activities that have absolutely nothing to do with information security.

@realmattheinze

Back to Derbycon 2018 video list