by electromech on 2/6/25, 7:58 PM with 2 comments
In no particular order, here are some options that come to mind:
0. Ignore detection and focus primarily on prevention measures (better bang for the buck?)
1. Deploy a SaaS solution like CrowdStrike/Falcon (and hope they don't take down your network or get compromised themselves)
2. Deploy something like Snort https://news.ycombinator.com/item?id=31534316
3. Set up/review generic monitoring of VPC flow logs for obvious anomalies
4. Focus on access log anomalies rather than network-level anomalies
5. Deploy honeypots and set up alerts for attempts to access them
6. Run a small red team experiment to measure how much noise would be necessary for someone to notice
7. Read a book to learn the fundamentals (which one...?)
8. Organize a task force without knowing which of the above options to recommend
What would you do? Where would you start?
--
(In real life, the situation is more complicated and nuanced. I'm a SWE, not an architect, and I am acting from imperfect information — my employers may indeed have intrusion detection but exactly what/how isn't visible to me. Because those tools tend to be accessible only to certain IT/InfoSec teams, I have developed a blind spot for what is considered best practices. I hope that some HN opinions can help me frame the harder problem of how to advocate for this stuff internally.)
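Option 3 in the list (generic monitoring of VPC flow logs for obvious anomalies), as an added example that is not part of the original post: a parser for AWS's default version-2 flow-log field layout and one simple anomaly rule run over constructed records. The sample addresses, the interface id and the `min_ports` threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Default AWS VPC Flow Log (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: one normal flow, one external host probing
# several closed ports on the same instance, one internal reject, one NODATA.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.20 44123 443 6 10 8400 1738870000 1738870060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 51000 22 6 1 40 1738870000 1738870060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 51001 23 6 1 40 1738870000 1738870060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 51002 3389 6 1 40 1738870000 1738870060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 51003 445 6 1 40 1738870000 1738870060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 51004 8080 6 1 40 1738870000 1738870060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.9 10.0.2.20 40000 22 6 1 40 1738870000 1738870060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1738870000 1738870060 - NODATA
"""

def parse_flow_log(text):
    """Parse flow-log lines into dicts, skipping malformed and non-OK records."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # truncated or custom-format line; not parseable here
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA carry no flow to analyse
        for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def find_reject_fanout(records, min_ports=5):
    """Return (src, dst) pairs whose REJECTed flows touch >= min_ports distinct
    destination ports. One client hitting many closed ports on one host is a
    classic reconnaissance pattern; the threshold is an assumed starting point
    that needs tuning against real baseline traffic before alerting on it."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for (src, dst), hit_ports in find_reject_fanout(parse_flow_log(SAMPLE)).items():
        print(f"possible port scan: {src} -> {dst}, rejected ports {hit_ports}")
```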
by nonrandomstring on 2/6/25, 8:17 PM