EP96 Cloud Security Observability for Detection and Response

Guest:

• Jeff Bollinger, Director of Incident Response and Detection Engineering @ Linkedin

Topics:

• Observability sounds cool (please define it for us BTW), but relating it to security has been "hand-wavy" at best. What is your opinion on the relevance of observability data for security use cases? What use cases are those, apart from saving the data for IR just in case?
• How can we best approach observability in the cloud, particularly around network communications, so that we improve security as a result?
• Are there other areas of cloud where observability might be more relevant? Does the massive shift to TLS 1.3 impact this?
• If the Internet is shifting towards an end-user/device centric model with everything as a service (SaaS), how does security monitoring even work anymore?
• Does it mean the end of both endpoint and network eras and the arrival of the application security monitoring era?
• Can we do deep monitoring of complex applications and app clusters for abuse or should we just focus on identity and profiling?

Resources:

• "Instrumenting Modern Application Stack for Detection and Response" (ep34)
• "Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan" by Jeff Bollinger, Brandon Enright, Matthew Valites (book)
• RFC 7258 Pervasive Monitoring Is an Attack
• RFC 8890 Internet is for end users
• "(Re)building Threat Detection and Incident Response at LinkedIn"
• "Martian Chronicles" by Ray Bradberry (because migrating to cloud is like flying to Mars)