Dmitriy Beryoza is a Senior Security Researcher with Vectra AI, working on threat detection in the cloud and on-prem networks.
Before that he was a penetration tester and secure software development advocate at IBM. He has been a software developer for many years, before switching to security full-time.
Dmitriy presented talks at security conferences such as DEF CON Cloud Village, HackFest, BSides, and others.
His interests include reverse engineering, secure software development, and CTF competitions.
Between a Log and a Hard Place: (mis)Adventures in Azure Logs
Security monitoring in any environment is made or broken by the signal quality in the event logs. With mass migration to the cloud, defenders are putting all of their logging capability "eggs" in one provider's "basket". This works when the logging facilities are well designed and work robustly, but what do you do when issues arise?
In this talk, we will examine logging facilities in Azure (concentrating on events generated by Azure AD and Microsoft 365) and discuss multiple problems that we have observed in monitoring them.
- Blind spots hiding critical security events
- Poorly documented events, attributes and magic values
- Missing important information about user actions
- Bugs in log records
- Unannounced changes that break detection queries
- Log pollution opportunities, potentially leading to RCE
- and more
We will examine impact of these issues on defense and monitoring, opportunities for red-teamers, and the ways the cloud provider can address the problems going forward.