Real world detection engineering in a multi-cloud environment

This talk covers the real-world challenges of protecting a fully remote workforce and a multi-cloud environment, with details on how we overcame them.

Thanks to COVID, many companies accelerated their plans to move to the cloud and to allow employees to work remotely. Unfortunately, many infosec teams are still trying to figure out how to protect their networks in this new paradigm. At Elastic we were lucky: from the very beginning we have been a cloud-first company with a primarily remote workforce. My goal in this talk is to show how we built our Infosec Threat, Detections, and Response team so that it can monitor and protect our remote workers and our cloud environment, no matter where in the world they are.

In this talk I will give an overview of the architecture of our SIEM environment, which monitors and protects employees in over 40 countries as well as the Elastic Cloud environment, which ingests more than 150 petabytes per day across 60+ cloud regions in 4 different cloud providers. I will show how we use Cross Cluster Search to create a single central cluster that serves both Observability and SIEM alerting, while all of the data stays stored locally within each cloud region, saving millions per year in cloud data transfer fees.

I will then discuss some real-world attack scenarios against cloud environments, what keeps cloud defenders up at night, and how to build custom detections for your own cloud environment to detect and stop those attacks. We are a relatively small team, so we rely heavily on automation to enrich, investigate, and respond to alerts as quickly and efficiently as possible. Because many attacks look like admin activity, and admin activity often looks a lot like an attack, we send many of our alerts directly to the system owners via Slack to get immediate feedback for the investigation. I will show how we built many of these automations and what to consider when building them yourself.
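The pattern described in the two paragraphs above (a central cluster that searches remote clusters in place, detection rules over cloud audit events, and enrichment that routes an alert to the system owner for a "was this you?" check or to the SOC) can be sketched end to end in a few dozen lines. The block below is an added example written for this page, not Elastic's own code. The remote cluster aliases, the flat ECS-style event fields, the account-to-owner map, the corporate egress ranges and the `send_slack` stand-in are all constructed for illustration; only the `<cluster_alias>:<index>` target syntax is the real Cross Cluster Search form.

```python
"""Added example (not Elastic's code): local detection, enrichment and owner routing.

All data below is constructed: cluster aliases, events, owners and egress ranges
are hypothetical stand-ins for what a real SIEM would hold.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# 1. What the central cluster searches. Cross Cluster Search targets use the
#    documented <cluster_alias>:<index> form; the aliases are hypothetical.
REMOTE_CLUSTERS = ["aws-us-east-1", "gcp-europe-west1", "azure-eastus"]

def ccs_index_pattern(aliases, index="logs-cloud.audit-*"):
    """Build the comma-separated index target a central SIEM cluster would query."""
    return ",".join(f"{alias}:{index}" for alias in aliases)

# 2. Constructed sample events with flat ECS-style field names (hypothetical data).
SAMPLE_EVENTS = [
    {"event.action": "AuthorizeSecurityGroupIngress", "cloud.account.id": "111111111111",
     "user.name": "alice", "source.ip": "203.0.113.5",
     "aws.sg.cidr": "0.0.0.0/0", "aws.sg.port": 22},
    {"event.action": "AuthorizeSecurityGroupIngress", "cloud.account.id": "111111111111",
     "user.name": "alice", "source.ip": "203.0.113.5",
     "aws.sg.cidr": "10.0.0.0/8", "aws.sg.port": 22},          # internal CIDR, benign
    {"event.action": "ConsoleLogin", "cloud.account.id": "222222222222",
     "user.name": "bob", "source.ip": "198.51.100.77", "aws.mfa_used": False},
    {"event.action": "ConsoleLogin", "cloud.account.id": "333333333333",
     "user.name": "carol", "source.ip": "198.51.100.9", "aws.mfa_used": False},
]

# 3. Detection rules as predicates over a single event.
ADMIN_PORTS = {22, 3389}

def world_open_admin_port(e):
    """Security group ingress opened to the whole internet on an admin port."""
    return (e.get("event.action") == "AuthorizeSecurityGroupIngress"
            and e.get("aws.sg.cidr") == "0.0.0.0/0"
            and e.get("aws.sg.port") in ADMIN_PORTS)

def console_login_without_mfa(e):
    """Interactive console login that did not use MFA."""
    return e.get("event.action") == "ConsoleLogin" and e.get("aws.mfa_used") is False

RULES = {
    "cloud.sg.world_open_admin_port": world_open_admin_port,
    "cloud.iam.console_login_no_mfa": console_login_without_mfa,
}

# 4. Enrichment data (hypothetical): account -> owner, and the egress ranges
#    from which expected admin activity originates.
ACCOUNT_OWNERS = {"111111111111": "@alice", "222222222222": "@platform-team"}
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("198.51.100.0/25")]

@dataclass
class Alert:
    rule: str
    event: dict
    owner: Optional[str]
    route: str      # "owner" (ask the system owner) or "soc" (escalate)
    message: str

def route_alert(rule_name, event):
    """Enrich one hit and decide who gets it."""
    owner = ACCOUNT_OWNERS.get(event.get("cloud.account.id"))
    src = ipaddress.ip_address(event["source.ip"])
    from_corp = any(src in net for net in CORP_EGRESS)
    # Ask the owner first only when we know whom to ask and the activity came
    # from an expected network; anything else goes straight to the SOC.
    if owner and from_corp:
        route = "owner"
        msg = (f"[{rule_name}] {event['user.name']} did {event['event.action']} in "
               f"account {event['cloud.account.id']} from {src}. Was this you? (yes/no)")
    else:
        route = "soc"
        msg = f"[{rule_name}] unowned or off-network activity by {event['user.name']} from {src}"
    return Alert(rule_name, event, owner, route, msg)

def run(events, rules=RULES):
    """Evaluate every rule against every event and return the routed alerts."""
    return [route_alert(name, e) for e in events for name, pred in rules.items() if pred(e)]

def send_slack(alert):
    """Stand-in for a Slack post; a real implementation would call chat.postMessage."""
    target = alert.owner if alert.route == "owner" else "#soc-alerts"
    print(f"-> {target}: {alert.message}")

if __name__ == "__main__":
    print("search target:", ccs_index_pattern(REMOTE_CLUSTERS))
    for alert in run(SAMPLE_EVENTS):
        send_slack(alert)
```

The routing decision is the part worth copying: an owner is only asked directly when the activity came from somewhere the owner plausibly was, so a compromised credential used from an unexpected network never gets a chance to "confirm" its own activity, and an owner's "no" should be wired to open the SOC investigation rather than close the alert.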

