Over the years I’ve done a lot of webinars on monitoring security events from your on-prem network: Top 10 Workstation Events, Top Events to Monitor in AD, and so on. But many of the same kind of incidents can occur in the cloud and we need to know when they do by collecting and monitoring the many different logs in the cloud. For this webinar, I’ll be using Azure and Office 365 for my examples, but the same principles apply to AWS and other clouds.
With on-prem technology, there are many different kinds of log sources, each with its own format, and unfortunately it’s the same story in the cloud.
In this real training for free event, I’ve selected 8 different real-world security events that could be happening in your organization’s cloud resources:
- Storage account accessed via stolen key
- Privileged logon to Azure Resource Manager with stolen password
- Windows level intrusion of Virtual Machine
- Azure SQL Database level intrusion
- Backdoor account created in Azure AD
- Traffic restriction loosened on Virtual Network
- Subscription Administrator added
- CEO’s mailbox accessed by another user
For each of these incidents, I will show you where and how it gets logged. In addition to selecting incidents for their likelihood and risk, I’ve also sought to span the breadth and depth of the Azure/O365 stack, including infrastructure, platform, storage, database and application as a service. That’s the real world, and it shows how fractured your overall audit trail of activity really is. We’ll be looking at logs such as:
- O365 management activity
- Azure Active Directory logs
- Azure Resource Manager activity
- SQL Audit logs
- Storage Account access logs
- Azure AD sign-in logs
- Mailbox audit logs
- Virtual Machine Windows Security Logs
I will identify how to ensure auditing is enabled for each of these areas, cover the options for collecting each log type, and endeavor to show an actual example of each event so that you can see what they really look like and what data they provide. This is going to be a down and dirty logging deep dive.
Today’s security monitoring, and the technology you depend on such as SIEM and log management, needs to bring together on-prem and cloud-based logs so that you can see what’s happening at every level and component, regardless of where it’s deployed. That’s where Rapid7, our sponsor, comes in. Alex Teng and Felipe Legorreta will show you how Rapid7’s cloud SIEM, InsightIDR, automatically applies security analytics to data across your modern network: on-premises, remote workers, SaaS, and IaaS.
Please join us for this real training for free session.