fwd:cloudsec

Fwd:cloudsec

fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security features, the pros and cons of different security strategies, and generally the types of things cloud practitioners want to know, but that don't fit neatly into a vendor conference schedule.

  1. 4 days ago

    Velocity of a Whisper: When One Vulnerability Cascades Across Cloud Infrastructure - Albin Vattakattu & Ryan Nolette

    Speakers: Albin Vattakattu & Ryan Nolette

    Albin leads the global Vulnerability Disclosure Program (VDP) for Amazon Web Services (AWS). He co-authored the inaugural AI security whitepaper, jointly published by AWS and the SANS Institute. Prior to AWS, Albin led incident response teams across North and South America, defending foreign governments and Fortune 100 companies against DDoS campaigns orchestrated by APTs. He holds a Master’s degree in cybersecurity from New York University (NYU). Ryan is AWS's Senior Security Engineer for the Outreach Team and co-author of AWS Detective. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With almost two decades in the infosec field, Ryan has been on the development and operations side of companies such as Postman, Sqrrl, Carbon Black, Crossbeam Systems, SecureWorks and Fidelity Investments. Ryan has been an active speaker and writer on threat hunting and endpoint security.

    Talk: A security researcher submits a report. It looks small, maybe even trivial. But in cloud environments, what starts as a whisper can become a roar that echoes across infrastructure you didn't know was connected. This talk reveals what happens behind the scenes when vulnerability reports reach cloud providers at scale. What makes cloud vulnerabilities unique when distributed architectures are in play? How do you prioritize remediation when you're working backwards from customer impact across services you don't directly control? Through a real-world case study told from both the researcher and practitioner perspective, you'll see the crucial trade-offs no one talks about publicly, and a series of challenges that textbook CVD was not designed to handle. And the challenge is growing. AI is accelerating the velocity of vulnerability discovery, and the traditional vulnerability disclosure program (VDP) model was not built for it. This talk introduces three principles for modern VDP: a framework for building programs that don't just survive scale, but use it as a force multiplier. Whether you're finding vulnerabilities or fixing them, you'll leave with practical strategies for navigating today's reality.

    Recorded at fwd:cloudsec North America 2026 - Bellevue, WA https://fwdcloudsec.org/conference/north-america/

    27 min
  2. 4 days ago

    Barbarians at the Gate: Visualizing and Blocking SDLC Infrastructure Threats with SITF - Shay Berkovich

    Speaker: Shay Berkovich

    Shay is part of the Threat Research team at Wiz (now acquired by Google), working on various aspects of container and SDLC infrastructure security, with emphasis on (on one hand) emerging Kubernetes threats and (on the other hand) CI/CD and VCS security posture. He worked previously at BlackBerry, Symantec and BlueCoat on a range of security products (CWPP, WAF, SWG), doing applied security research and security architecture. Shay holds a Master’s degree from UW with a (somewhat unexpected) thesis in runtime verification and has delivered multiple talks at academic and industry security conferences.

    Recorded at fwd:cloudsec North America 2026 - Bellevue, WA https://fwdcloudsec.org/conference/north-america/

    25 min
  3. 4 days ago

    Transforming Security Incident Metadata to Security Outcomes: the Threat Technique Catalog for AWS Journey - Cydney Stude & Steve de Vera

    Speakers: Cydney Stude & Steve de Vera

    Cydney is a security researcher and incident responder on the AWS Customer Incident Response Team (CIRT). Cydney studies emerging attack patterns and focuses on translating real-world incident response metadata into actionable detection and prevention strategies for cloud defenders. Cydney leads the quarterly Threat Technique Catalog for AWS releases. Steve de Vera is a security-minded professional with over 20 years of experience in various roles including digital forensics and incident response, red teaming, and security engineering. He is currently a senior security engineer for the AWS Security Incident Response Service, where he specializes in incident response and threat intelligence.

    Talk: When a cloud IR team can’t systematically categorize what they’re seeing across incidents, every engagement starts from scratch. In 2019, when a security incident response team tried to discuss incident patterns internally, they hit the same wall every time—no shared vocabulary, no common framework. One responder would describe an attack as 'credential theft,' another as 'privilege escalation,' and they'd spend 20 minutes just aligning on what actually happened before we could extract any lessons. That's when we realized: if we couldn't discuss patterns among ourselves, how could we possibly share impactful lessons learned with customers or the broader security community? This talk chronicles our journey from that frustrating moment to launching an open-source threat intelligence resource now used globally—the Threat Technique Catalog for AWS, written and released by the AWS Customer Incident Response Team. The Threat Technique Catalog for AWS was built out of necessity, and it transformed how CIRT operated. For the first time, they could track incident types and threat actor activity systematically. This visibility made it possible to prioritize authoring playbooks for the most common incidents, identify gaps in our response capabilities, and act on opportunities that we hadn't known existed before.

    We’ll talk through how systematic incident categorization enabled a cloud IR team to identify response capability gaps, prioritize playbook development for the most frequently observed techniques, and build an evidence base that drove platform-level security improvements – including contributing to the decision to enforce mandatory MFA for root users across all AWS account types. Since the first launch in June 2025, the catalog has become a living resource—the March 2026 update just added new techniques like Cogito that we're seeing in active campaigns right now. Every quarter brings fresh intelligence: novel attack patterns, emerging threat actor behaviors, and the techniques CIRT observes most frequently in the wild. This isn't a static reference—it's an evolving playbook that turns every security incident into an opportunity to educate the community while we work in parallel to make AWS more secure by default.

    The talk covers three phases: building the internal taxonomy and the operational improvements it unlocked; using aggregated incident data to advocate for systemic security changes; and the process of taking internal threat intelligence public through a quarterly-updated open-source catalog. We’ll share specific examples of how incident metadata revealed patterns that weren’t visible at the individual case level, and how those patterns translated into concrete actions – from new detection logic to publicly available IR workshops covering scenarios like unauthorized credential use, ransomware, cryptomining, and SSRF. Attendees will leave with a practical framework for building their own incident categorization system, concrete examples of how threat intelligence derived from IR engagements can drive both tactical and strategic improvements, and an understanding of how to evaluate whether their current monitoring would catch the techniques cloud IR teams see most frequently.

    25 min
  4. 4 days ago

    Slaying the Sprawl: A Hero’s Guide to Building (or Re-Forging) a Cloud Security Program Without a 20-Person Guild - Steve Turner

    Speaker: Steve Turner

    Steve leads cloud security at Zelis Healthcare. He started his career through the trial by fire that is MSP life. He pivoted to securing everything from waste facilities and transportation infrastructure to huge financial services organizations, and even mixed in some industry analysis for good measure. He’s passionate about coming up with security solutions that make colleagues happy and bad actors sad. He helps security leaders and practitioners fully understand their existing security investments, what gaps they may have, and how they can build a path to realizing Zero Trust within their organizations.

    Talk: Whether you are standing before a pristine, untouched Cloud Kingdom or inherited a crumbling fortress held together by "Native Tooling" duct tape and hope, the quest remains the same: How do you defend the realm without hiring an army you can’t afford? In this 20-minute campaign, we aren’t just looking at the map, we’re looking at the scars. Building a cloud security program from scratch is one thing; evolving an established one while the dragons are already circling is another. Drawing from real-world lessons learned in the DevOps trenches, this session explores the "Day 0" decisions and the "Year 2" regrets of choosing between Native Security Tooling and a unified CNAPP. We’ll sit around the tavern table to discuss the hard-won truths of cloud defense:

    - The "Free" Sword’s Hidden Cost: Real-life tales of how "built-in" tools led to siloed alerts, requiring a 20-person "manual correlation guild" just to find a single critical risk.
    - Re-Forging the Armor: For those with established programs—how to transition from a "Franken-stack" of point tools to a unified platform without breaking the kingdom’s production.
    - The "Agentless" Treaty: Lessons learned from the "Agent Wars." How moving to agentless visibility (the Rogue's Cloak) saved our DevOps relationships and gave us 100% visibility in hours, not months.
    - The Multi-Cloud Map: Navigating the treacherous terrain of AWS, Azure, and beyond without losing your mind or your budget to "Console Swapping" fatigue.

    Whether you are a Solo Adventurer starting a new program or a War-Weary Veteran trying to consolidate a sprawling one, you’ll leave with a battle-tested blueprint for a security program that scales with your magic, not your headcount. HUZZAH!

    Recorded at fwd:cloudsec North America 2026 - Bellevue, WA https://fwdcloudsec.org/conference/north-america/

    17 min
  5. 4 days ago

    Schrödinger’s Detection: Finding the "Zombie" Rules in Your SIEM - Gowthamaraj

    Speaker: Gowthamaraj

    Gowthamaraj Rajendran is a Threat Detection Engineer on Meta’s Infrastructure Security Monitoring team, where he focuses on building and operationalizing detections for large-scale surfaces. His work centers on translating real-world adversary behaviors into measurable detection coverage, improving telemetry quality, and reducing time-to-detect for high-impact incidents. He is particularly interested in detection engineering methodology, breach-informed validation, and practical approaches to strengthening security monitoring at scale.

    Talk: Nine months. That's how long a Sigma detection rule for AWS IAM privilege escalation sat in a production SIEM without firing. Not because there were no attacks, but because the rule referenced a CloudTrail field that doesn't exist. It matched nothing. It looked healthy. It was dead. We built sigma-lens, an open-source quality analyzer, and ran it against the two largest public cloud rule repositories: SigmaHQ and Elastic. Across 2,000+ cloud detection rules, we found that 1 in 3 contained significant quality defects. This talk reveals the results of our audit: rules referencing non-existent log fields, logic that misses 80% of realistic attack variants, and "hallucinated" fields in AI-generated rules. We will release sigma-lens and a new database of 400+ validated CloudTrail log schemas, equipping you to test your detection rules with the same rigor you apply to application code.

    Recorded at fwd:cloudsec North America 2026 - Bellevue, WA https://fwdcloudsec.org/conference/north-america/

    19 min
  6. 4 days ago

    Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns - Shahar Dorfman & Sapir Federovsky

    Speakers: Shahar Dorfman & Sapir Federovsky

    Shahar is a threat intelligence researcher at Wiz, where she focuses on identifying and analyzing emerging cyber threats to enhance security defenses. Sapir is a security researcher specializing in identity security. Passionate about understanding how identity works, she spends her time exploring the depths of Active Directory and Entra, uncovering security risks, attack techniques, and ways to defend against them.

    Talk: What began as a simple search for an OAuth application named “0365” quickly uncovered a broader threat: three distinct malicious OAuth application campaigns abusing the relationship between Azure applications and service principals. Using a pivoting methodology and detection model, we expanded beyond known indicators to map the full scope of these campaigns, identifying activity across more than 20 organizations. The talk opens by outlining the OAuth application attack surface in Azure AD (Entra ID), explaining how attackers abuse consent flows, permissions, and application registrations, and why traditional security controls often fail to detect this activity. We then introduce our “Next Campaign Finder,” a structured detection approach built on four components: establishing baselines of legitimate OAuth applications, identifying recurring malicious traits, correlating metadata such as ownership, naming conventions, and reply URLs across tenants, and applying a weighted scoring model to prioritize high-risk applications. Using this model, we reveal a malicious OAuth campaign impersonating trusted services such as Adobe and DocuSign, highlighting its defining characteristics. We then compare this activity with an earlier OAuth campaign discovered by the model dating back to 2019 and examine how attackers' tradecraft has evolved over time. A key focus of the talk is practical pivoting. We demonstrate how defenders can expand from a single known malicious app to a broader set of indicators. All techniques are presented in a way that allows any attendee to implement them directly in their own environment using standard identity and audit logs, without relying on vendor-exclusive telemetry. We conclude with actionable defensive guidance, including detection strategies and mitigations enterprise defenders can apply today, lessons learned from the research process, and our perspective on how OAuth-based attacks are likely to evolve.

    Recorded at fwd:cloudsec North America 2026 - Bellevue, WA https://fwdcloudsec.org/conference/north-america/

    27 min
  7. 4 days ago

    The Double Trouble: One Architectural Sin, Two Clouds, and a Universal Attack Technique for Data Hijacking - Yahav Festinger

    Speaker: Yahav Festinger

    Yahav Festinger is a Cloud Security Researcher at Palo Alto Networks. As a key member of the Cloud Detection and Response (CDR) team, their work focuses on identifying novel attack vectors and tracking adversaries in real time. Their career in security began at the national center for encryption and information security in the IDF, where they focused on web and cloud research, building a strong foundation in offensive and defensive security principles. With this background, Yahav combines rigorous technical analysis with a data-driven approach to identify attackers effectively.

    Talk: As organizations scale their cloud presence, the complexity of data movement grows exponentially. Modern cloud architectures rely on a "configure and forget" approach for streaming sensitive data. But what if the trust established at the moment of configuration is static, while the cloud environment itself is dynamic? This session introduces a novel data hijacking technique targeting a systematic architectural flaw present across multiple major cloud providers. Our research reveals a critical decoupling between service configurations and resource ownership verification. We have identified an attack technique where high-value data streams continue to honor original routing instructions even when the destination environment undergoes fundamental changes in ownership or state. By analyzing multiple services across different cloud ecosystems, we show that this isn't a localized bug but a shared architectural blind spot in how cloud providers handle resource identity, making this attack technique relevant for multiple services and multiple cloud providers. Attendees will gain insight into how fundamental architectural design choices made by cloud providers directly influence the security boundaries of their environments. A key takeaway is that while cloud platforms are often viewed as distinct ecosystems, their shared design decisions allow identical attack techniques to be applied across providers, turning a specific architectural observation into a cross-cloud exploitation methodology.

    Recorded at fwd:cloudsec North America 2026 - Bellevue, WA https://fwdcloudsec.org/conference/north-america/

    23 min
