AT&T Cybersecurity
Q5: How do you monitor cloud activity / usage / appropriateness?
Garrett Gross
One way is to look at it from a user level, i.e. "Why is my new helpdesk employee cloning databases and creating new users??"
Javvad Malik v2.0
By checking the monthly usage bills... :)
Javvad Malik v2.0
Although some providers are better at alerting than others.
Javvad Malik v2.0
It's not a consistent experience.
Garrett Gross
@J4vv4D You're right - usage is actually a great indicator of compromise. Hijacked machines are usually used for high volume/quick return attacks (bitcoin mining, hosting 2nd stage malware, etc.)
Martin Hepworth
Push it down to the business heads. But then I work for a tech company... also work with finance to monitor the bills
SPCoulson
unusual admin access at unusual times of the day - but it's identifying that: "what does unusual look like"
Javvad Malik v2.0
Yep - Rich Mogull wrote a good piece on his experience when he accidentally left AWS access keys on GitHub https://securosis.co...
Javvad Malik v2.0
@maxsec A fortunate position indeed!
Javvad Malik v2.0
@SPCoulson Baselining behaviour has never been easy. But a good way to find statistical outliers
Garrett Gross
@SPCoulson Which leaves a lot of folks scratching their heads. While they may be security pros, they aren't necessarily cloud experts.
SPCoulson
@garretthgross exactly - masters of none.
Javvad Malik v2.0
@SPCoulson If they have tech, they lack skills or resources... unfortunately.
Garrett Gross
@SPCoulson I think the number is irrelevant. Percentage-wise? That's the operative figure IMO
Martin Hepworth
tech isn't the be-all and end-all, just a tool that helps
Javvad Malik v2.0
@maxsec And a fool with a tool ... is still a fool!
Martin Hepworth
yes jav-mate, but policy ;-)
John Furrier
software using unstructured data is huge; Spark in memory has implications here
Garrett Gross
@J4vv4D I thought I told you to not call me that in public? ;)
Javvad Malik v2.0
@maxsec haha - please don't undo my years of therapy! :)