In the last few years, detection of cloud misconfigurations, aka Cloud Security Posture Management, has evolved from a specialized technology into a commodity technology. First came the proliferation of vendors, then came native cloud provider capabilities and open-source solutions, and finally vendor consolidation and a rush to incorporate other selling points such as workload vulnerability management and nebulous support for "supply chain security".

In this talk, we'll take a whistlestop tour of CSPM options then we'll discuss why your SIEM and CSPM should actually be one and the same. Wait, what? I thought SIEMs were dying a death? And why should your CloudSec team be going anywhere near your SIEM!?

Hear me out. If you combine transactional cloud logs (CloudTrail) with asset management data (AWS Config or similar), and you put a general purpose query engine on top of this (Elasticsearch, Splunk), CSPM rules are not only easy to write, but it also opens up a whole new world of enrichment (who actually launched that Windows EC2 server exposing RDP to the internet?) and "hybrid" checks that neither your CSPM nor your SIEM can provide you on their own. In short, we can turn everything into a query.

For a concrete example, we'll focus on subdomain takeovers in AWS, a continual source of bug bounty fodder. We'll explain the root cause of two types (spoiler: it's an "order of operations" problem) and walk through building hybrid checks to detect these in real-time.