Detecting in AWS

Frameworks to improve your cloud security

Join Expel’s top detection and response engineers, analysts and special guests for an afternoon full of tips, tricks and even mind-maps on how to take your AWS security to the next level.

October 20, 2021 11AM – 3PM EDT

AWS is a cloud giant with seemingly endless services to build shiny new apps. But as a security professional, you know more services means more attack vectors. And it’s up to you to keep the business secure. Starting with Amazon’s native alerting signal is the first step, but where do you go from there? We’ve got you covered. Come join us, our customers and our partners at AWS and Lacework for an AWS detection deep-dive.

Wednesday, October 20 11:00 AM ET

Keynote: Getting better at [cloud] security

AWS Sr. Security Specialist, Lior Cohen, will give an overview of cultural, procedural and technical perspectives on how to effectively and continuously improve cloud security. He’ll review highlights from AWS’s internal culture of security and the use of frameworks to continuously improve security, and give guidance on how to improve your AWS security posture now. You’ll also learn more about the shared responsibility model, the AWS Well-Architected Framework, cloud security design patterns, the NIST Cybersecurity Framework and native AWS security services.

Lior Cohen, Sr. Security Specialist – AWS

Wednesday, October 20 11:45 AM ET

A walk through Expel’s AWS Mind Map

We’ve seen quite a few incidents in AWS. And we noticed a few common themes about when and why attackers use different AWS APIs – and they mapped nicely to the MITRE ATT&CK tactics. Follow along as we walk you through Expel’s AWS mind map and share why constructing a mind map can assist in developing detections, performing timeline analyses and identifying attacker paths in AWS.

Brandon Dossantos, Detection & Response Engineer – Expel

Wednesday, October 20 12:05 PM ET

Mining your data to find Coin Miners

Join Expel in the data caves to see how we dig for coin miners in customer environments. You’ll leave this session with some tips on how you can use signal to find unauthorized coin mining in your AWS environment.

Sam Lipton, Detection & Response Engineer – Expel

Wednesday, October 20 12:25 PM ET

Iterating on detections in AWS

Learn how Expel approaches detection writing by iterating upon previous research and detection work. We’ll explore how our detection coverage evolves as we learn more about a technology and brainstorm ways to iterate upon your own detections. Then you’ll get a glimpse of our detections for lesser-known AWS controls that can be used to unseat security in your environment.

Ian Cooper, Associate Detection & Response Engineer – Expel

Wednesday, October 20 1:00 PM ET

Fireside Chat: Free up your time with automation

Alerts in any environment, but especially the cloud, are only as useful as the investigative time put into them. Digging through logs and sorting through false positives is time-consuming, and every second can matter. The solution? Automating the right things at the right time. Join a panel of Expel customers who have built their own automation and taken advantage of Expel’s automation to free up their time.

In this panel we’ll discuss:

  • Benefits from automation (ex: staffing, faster time to detect and respond, improved visibility)
  • Challenges with automation
  • How it’s freed up resources and the follow-on effect of what else they were able to focus on

Peter Silberman, CTO – Expel
Brandon Maxwell, Senior Manager, Detection & Response – Auth0
Jeremy Stinson, Chief Architect of SaaS – Precisely
Aaron Blum, Lead Security Engineer – Cockroach Labs

Wednesday, October 20 2:00 PM ET

Breaking down container security

Containers are complex, and securing them is even more complicated. It all starts with understanding the different components from the bottom up. Join our partners at Lacework to unpack each part of a container with insights on how to best secure each using AWS native tools as well as additional monitoring from the Lacework platform.

Tim Chase, Field CTO, Enterprise and Partners – Lacework

Wednesday, October 20 2:20 PM ET

Automating AWS alert enrichment

Enrichments help you up-level your detection capabilities by giving you the full picture of what’s going on and a baseline for your users’ activity. Find out how Expel automates AWS alert enrichment with the help of the Expel Workbench™ and our bot, Ruxie™. We’ll cover the key questions our automations help us quickly answer and how these automations make spotting true positives in the complexity of the cloud easier.

Britton Manahan, Senior Detection & Response Analyst – Expel

Wednesday, October 20 2:40 PM ET

Optimizing AWS GuardDuty alerts for your environment

If you’ve got GuardDuty set up in your AWS environment, then your security is already heading in the right direction. But knowing what to do with the alerts and how to make the most out of them isn’t always as clear. I’ll break down the classes of GuardDuty alerts and discuss different strategies to identify quality alerts using levers to tweak the volume and mapping of alerts based on your business needs.

Chris Vantine, Detection & Response Engineer – Expel

Keynote Speaker

Lior Cohen

Sr. Security Specialist, AWS

Fireside Chat Speakers

Aaron Blum

Lead Security Engineer, Cockroach Labs

Brandon Maxwell

Senior Manager, Detection & Response, Auth0

Peter Silberman

CTO, Expel

Jeremy Stinson

Chief Architect of SaaS, Precisely


Tim Chase

Field CTO, Enterprise and Partners, Lacework

Ian Cooper

Associate Detection & Response Engineer, Expel

Brandon Dossantos

Detection & Response Engineer, Expel

Britton Manahan

Senior Detection & Response Analyst, Expel

Sam Lipton

Detection & Response Engineer, Expel

Chris Vantine

Senior Detection & Response Analyst, Expel

Need help today with your AWS alerts? Learn more about Expel Workbench™ for AWS