Cloud Intrusion Detection and Threat Hunting With Open Source Tools with Craig Chamberlain
"Security teams often ask for “network intrusion detection” but conventional, specification-based intrusion detection paradigms, particularly around network intrusion detection, are not easily applied to the software defined network abstractions that power multi-tenant public clouds. The 2017 talk was about the experience of doing intrusion detection at scale at one of the ten largest AWS environments at the time. One of the major lessons learned during this time is that in the public cloud, where direct network instrumentation is unavailable, doing behavioral detection with endpoint data is often more effective and more efficient. Mandating the installation of terrestrial network security products onto software defined networks of the sort utilized in public clouds is not always the most productive approach. This talk presents a practical demonstration of doing behavioral intrusion detection, threat hunting and security analytics using free and open source tools. Most security analytics use cases including compliance monitoring, behavioral and specification based intrusion detection, database monitoring, data loss detection, machine learning, security analytics and threat hunting can be accomplished through the coordinated usage of open source tools. This approach avoids numerous pitfalls facing security teams today such as managing fleets of complex and expensive security agents and operating metered data analytics platforms whose bills force difficult decisions about which data to ingest. Another, and perhaps the most compelling, advantage of the open source approach is the freedom to engage in community driven development and sharing of searches and analytics, which is sometimes missing in the black-box security product space.