Threat Hunting in the Microsoft Cloud: Times They Are a-Changin' | John Stoner

John Stoner @stonerPSU, Principal Security Strategist, Splunk
#SANSCloudSummit

So you are moving (or have just moved) to the cloud and excitement abounds! Do you and your leadership understand that this changes everything? This isn't a bad thing by any stretch, but everyone needs to understand the impact of this decision. We will discuss the implications of moving to the cloud using Microsoft's cloud services, Azure Active Directory and Office 365, as an example. We will look at the services that are available in the cloud compared to on-premise, how the logging changes, the attack surface and potential pitfalls in a cloud provider handling access to the log stream. From there, we will use Azure AD and Office 365 logging to perform a hunt and observe the fidelity of the events that a hunter would have access to. We will also identify where cloud logging is not enough and where on-premise logs are still needed to round out our hunt. Finally, we will wrap up by looking at MITRE ATT&CK's cloud matrix that was introduced in November 2019 and see how our hunt aligns to the those techniques. Our goal is to demonstrate how a threat hunter would adapt their hunting to this new terrain.

View upcoming Summits: http://www.sans.org/u/DuS