Hackfest 2023 - Back to the Future

Between a Log and a Hard Place: (mis)Adventures in Azure Logs
2023-10-14, 10:00–10:50, Track #2

Security monitoring in any environment is made or broken by the signal quality in the event logs. With mass migration to the cloud, defenders are putting all of their logging capability "eggs" in one provider's "basket". This works when the logging facilities are well designed and work robustly, but what do you do when issues arise?

In this talk, we will examine logging facilities in Azure (concentrating on events generated by Azure AD and Microsoft 365) and discuss multiple problems that we have observed in monitoring them.

These include:
- Blind spots hiding critical security events
- Poorly documented events, attributes and magic values
- Missing important information about user actions
- Bugs in log records
- Unannounced changes that break detection queries
- Log pollution opportunities, potentially leading to RCE
- and more

We will examine the impact of these issues on defense and monitoring, opportunities for red-teamers, and the ways the cloud provider can address the problems going forward.


Cloud-based solutions have transformed the computing landscape with advantages like on-demand resource availability, scalability, cost-effectiveness, and enhanced collaboration capabilities. For defenders, this new world offered many benefits: robust identity management, patching at scale, improved incident detection and response, and more.
Cloud providers expose detailed logs that are consumed by security monitoring tools and SOC analysts. One would expect a common, streamlined logging solution to be a clear win in attack detection functionality, but the reality is more complicated.

We have spent the last three years studying and monitoring Azure logs and have seen many problems that can complicate incident detection and response. With no alternative to the provider's logging solution and slow mitigation of problems, these issues go beyond mere annoyances and can help attackers avoid detection.

In this talk, we will examine logging facilities in Azure, concentrating on events generated by Azure AD and Microsoft 365, and discuss multiple problems that we have observed in monitoring them.

For all these issues, we will:
- examine their impact on defense and monitoring
- discuss how attackers (and red teamers) may take advantage of them
- suggest how defenders can mitigate the negative impact, where possible
- and propose ways the cloud provider can address the problems going forward


Are you releasing a tool? – No