BSidesSATX 2023

Cover your SaaS: Cloud threat Detection beyond Endpoints
2023-06-10, 14:30–14:55, Track 3 (Moody Rm 102)

As businesses around the world continue to rapidly adopt SaaS solutions and products, defenders need to evolve their threat detection and response capabilities to this new landscape, which means thinking beyond the standard endpoint and into the SaaS applications themselves. Defense-in-depth means not just monitoring activity on your own systems and infrastructure but actively looking for threats and suspicious activities within the myriad SaaS applications in use at your organization.

Most threat detection and response programs are built around monitoring infrastructure and endpoint logs such as: Windows/Linux/MacOS logs, EDR/XDR logs, AWS/Azure cloud logs, and various network logs. These are all critical to monitor in order to maintain security but, they leave a dangerously incomplete picture of the threats you can detect. As more employees and businesses rely on SaaS tools, defenders need to use novel detection methods to find and stop malicious activity on these platforms. This talk aims to introduce attendees to the concept and process of monitoring SaaS platforms for suspicious activity as well as creating practical detections to catch attacker activity.

Jeremy Galloway has been active in the security scene since 2002, focusing on the dark corners of the internet, hacktivism, penetration testing, intelligence gathering, privacy technologies, threat detection, incident response, cybercrime, building security products and just about everything in between. He's previously spoken at BSides Austin, BSides San Antonio, BSides Las Vegas, ISSW, BlackHat, and SecTor. Jeremy is a proud member of both the Electronic Frontier Foundation and the Austin chapter of The Satanic Temple.