Aviata Cloud Solo Flight Challenge Chapter 5: Centralizing Cross Cloud Security Events

Thursday, 29 Aug 2024 10:00AM EDT (29 Aug 2024 14:00 UTC)
Speaker: Eric Johnson

Captain KubeAce Maverick and the Aviata team are still reeling from the Kubernetes attack that resulted in the theft of their valuable flight plan and pilot data. While the cloud team was able to hunt down the Baron Von Herrington crew member responsible for the breach, a critical design flaw was exposed. Captain Maverick’s Kubernetes network and audit logs were stored locally in the Aviata team’s AWS account, rather than centrally monitored by the security operations team.

Recognizing the logging architecture deficiency, Captain Maverick is bringing in expert Chief Architect Bessie Coleman to design a new logging strategy. Architect Coleman is recommending that the Aviata team’s Kubernetes audit logs be sent into the security operation team’s centralized Microsoft Sentinel workspace, where security events can be quickly detected and contained.

The new logging architecture requires your help. Permissions must be granted for the Microsoft Sentinel workspace to read the logs from the Aviata team’s AWS account. Event triggers are needed to notify Sentinel when new data is available. Log transformation and loading may be required for Sentinel to process the data. Join us to help Captain Maverick and the Aviata team bring their centralized monitoring, detection, and alerting capabilities to new heights.

Each monthly workshop in the series is independent of the others. There are no technical or educational dependencies from one to the others.

Who Should Attend

This workshop is ideal for cloud security professionals, DevOps engineers, system administrators, and anyone involved in cross-cloud security operations. Attendees will gain expertise in centralizing security event monitoring across multiple cloud platforms using Microsoft Sentinel and AWS.

Learning Objectives

Create a Microsoft Sentinel workspace
Understand how workload identity can allow an Azure service to assume an AWS IAM Role
Connect Microsoft Sentinel to Amazon Web Services to ingest Kubernetes log data
Write KQL queries to detect malicious Kubneretes events

Please scroll down for prerequisites and laptop requirements.

Login to Register

Chapter 5: Centralizing Cross Cloud Security Events

System Requirements

Personal AWS account with administrator access
Personal Azure subscription with administrator access
Firefox, with the SmartProxy add-on published by Salar K

Prerequisite Knowledge

Familiarity with the Bash Command Line
Understanding of the AWS and Azure Web Console
Basic understanding of Terraform configuration

This workshop supports content and knowledge from SEC549: Cloud Security Architecture

Workshop Series

Follow the Aviata Cloud Solo Flight Challenge Workshop Series throughout 2024 with free monthly cloud security workshops that will walk you through how various knowledge and hands-on skills work together to create a secure cloud environment for your organization. Read the associated blog post here.

Related Content

CLD_-_Aviata_Cloud_Solo_Flight_Challenge_-_General_-_Workshop_340_x_340.jpg

November 14, 2024

Aviata Cloud Solo Flight Challenge

Master cloud security by tackling this free series of workshops.

SANS Cloud Security

November 12, 2024

Cloud Security Strategy: First Principles and Future Opportunities (Part 3 of 5), Modernizing Identity: Navigating Challenges and Embracing Cloud Solutions

Legacy systems pose significant challenges in today’s cloud landscape.

SANS Cloud Security

November 12, 2024

Cloud Security Strategy: First Principles and Future Opportunities (Part 2 of 5), Secure by Design: Elevating Security Beyond Defaults

The Secure by Design approach benefits organizations by building long-term security and sustainability into their systems.

SANS Cloud Security