Nov 14, 2022
Guest:
- Jeff Bollinger, Director of Incident Response and Detection Engineering @ Linkedin
Topics:
- Observability sounds cool (please define it for us BTW), but relating it to security has been “hand-wavy” at best. What is your opinion on the relevance of observability data for security use cases? What use cases are those, apart from saving the data for IR just in case?
- How can we best approach observability in the cloud, particularly around network communications, so that we improve security as a result?
- Are there other areas of cloud where observability might be more relevant? Does the massive shift to TLS 1.3 impact this?
- If the Internet is shifting towards an end-user/device centric model with everything as a service (SaaS), how does security monitoring even work anymore?
- Does it mean the end of both endpoint and network eras and the arrival of the application security monitoring era?
- Can we do deep monitoring of complex applications and app clusters for abuse or should we just focus on identity and profiling?
Resources:
- “Instrumenting Modern Application Stack for Detection and Response” (ep34)
- “Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan” by Jeff Bollinger, Brandon Enright, Matthew Valites (book)
- RFC 7258 Pervasive Monitoring Is an Attack
- RFC 8890 Internet is for end users
- “(Re)building Threat Detection and Incident Response at LinkedIn”
- “Martian Chronicles“ by Ray Bradberry (because migrating to cloud is like flying to Mars)