fwd:cloudsec Europe 2025

Zoe Rabi

I'm a cybersecurity researcher at Wiz, currently working on the threat hunting CDR team.
My role involves proactively identifying malicious activity and analyzing data anomalies across the three major cloud providers - AWS, Azure and GCP. I come from a background in penetration testing, which gives me a strong understanding of attacker techniques and tactics. This offensive experience helps me interpret anomalous data through an adversarial lens, allowing me to build more precise and resilient detections that reflect real-world threats.


Session

09-15
15:20
20min
Dealing with Storage Data Logs in the Cloud: A Hidden Challenge
Maayan Bentor, Zoe Rabi

Storage access is one of the most critical signals in cloud environments, especially as organizations shift more sensitive workloads into S3 buckets, Azure Blob containers, and GCS buckets. It seems simple: log who accessed what and when, and you're good to go. But once you start digging into the actual data events across AWS, Azure, and GCP, the reality gets messy fast.

Each cloud tells a different story. AWS provides deep operational detail, Azure logs vary wildly based on the type of token used to authenticate the request, and GCP favors identity over object context. These differences aren't just cosmetic; they shape how you investigate incidents, detect threats, and even reason about risk. For example, in Azure the main threat scenario is leaked credentials (e.g., storage-account keys or SAS tokens), whereas in AWS and GCP the emphasis shifts to detecting activity that stems from compromised user or role identities. Then there's the scale. Storage activity generates an overwhelming amount of logs, and separating real signals from routine access isn't trivial. Building efficient detections for that? Even harder.

In this talk, we’ll walk through the real-world challenges of working with storage data logs across cloud providers, the inconsistencies, the blind spots, and the assumptions that break at scale. We’ll share how we tackled these problems and aggregated the logs to build a scalable, signal-driven detection approach that cuts through the noise and surfaces what matters most.
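To make the cross-cloud differences concrete, here is an added example (not code from the speakers or from Wiz) that normalizes one constructed data event from each provider into a single schema and then flags reads that no identity can be held accountable for, which is the leaked-key/SAS scenario the abstract calls out for Azure. The field names follow the public CloudTrail, StorageBlobLogs and Cloud Audit Logs schemas as documented; the sample values, the `StorageAccess` schema and the `AuthenticationType` value set are assumptions made for the example.

```python
"""Normalize S3 / Azure Blob / GCS data-access events into one schema and
flag storage reads that cannot be attributed to an identity.

All events below are constructed for illustration, not captured logs.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class StorageAccess:
    cloud: str
    operation: str
    bucket: str                # bucket, or "account/container" on Azure
    obj: Optional[str]         # object key when the log carries one
    principal: Optional[str]   # None when only a shared secret signed the request
    auth_class: str            # "identity", "credential" (key/SAS) or "anonymous"
    source_ip: str


# --- constructed sample events -------------------------------------------
AWS_EVENT = {  # CloudTrail S3 data event
    "eventSource": "s3.amazonaws.com",
    "eventName": "GetObject",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::123456789012:assumed-role/etl-role/i-0abc123"},
    "requestParameters": {"bucketName": "payroll-exports", "key": "2025/08/salaries.csv"},
}
BLOB_URI = "https://payrollexports.blob.core.windows.net/exports/2025/08/salaries.csv"
AZURE_ROWS = [  # StorageBlobLogs rows; AuthenticationType values assumed as documented
    {"OperationName": "GetBlob", "AuthenticationType": "OAuth",
     "RequesterObjectId": "7f2c9a10-0000-4000-8000-000000000001",
     "CallerIpAddress": "198.51.100.7:51234", "Uri": BLOB_URI},
    {"OperationName": "GetBlob", "AuthenticationType": "SAS Key",
     "RequesterObjectId": "", "CallerIpAddress": "192.0.2.44:443", "Uri": BLOB_URI},
    {"OperationName": "GetBlob", "AuthenticationType": "Account Key",
     "RequesterObjectId": "", "CallerIpAddress": "192.0.2.45:443", "Uri": BLOB_URI},
]
GCP_ENTRY = {  # Cloud Audit Logs DATA_READ entry
    "protoPayload": {
        "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": "etl@example-proj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "198.51.100.9"},
        "resourceName": "projects/_/buckets/payroll-exports/objects/2025/08/salaries.csv",
    },
    "resource": {"labels": {"bucket_name": "payroll-exports"}},
}


def normalize_aws(ev: dict) -> StorageAccess:
    # CloudTrail keeps bucket and object key in requestParameters and always
    # names the calling principal, so every S3 read is identity-attributed.
    rp = ev.get("requestParameters", {})
    return StorageAccess("aws", ev["eventName"], rp.get("bucketName", ""), rp.get("key"),
                         ev["userIdentity"].get("arn"), "identity", ev["sourceIPAddress"])


def normalize_azure(row: dict) -> StorageAccess:
    # The shape of the row depends on how the request was signed: only OAuth
    # (Entra) requests carry a RequesterObjectId; key- or SAS-signed requests
    # carry no principal at all, which is exactly the leaked-secret blind spot.
    url = urlparse(row["Uri"])
    account = url.hostname.split(".")[0]
    parts = url.path.lstrip("/").split("/", 1)
    container, blob = parts[0], (parts[1] if len(parts) > 1 else None)
    ip = row["CallerIpAddress"].rsplit(":", 1)[0]  # assumption: "ip:port" form
    auth = row["AuthenticationType"]
    if auth in ("OAuth", "Kerberos"):
        principal, auth_class = (row.get("RequesterObjectId") or None), "identity"
    elif auth == "Anonymous":
        principal, auth_class = None, "anonymous"
    else:
        principal, auth_class = None, "credential"
    return StorageAccess("azure", row["OperationName"], f"{account}/{container}",
                         blob, principal, auth_class, ip)


def normalize_gcp(entry: dict) -> StorageAccess:
    # Cloud Audit Logs put the identity first; the object is recovered from
    # resourceName only when the entry includes one.
    p = entry["protoPayload"]
    rn = p.get("resourceName", "")
    obj = rn.split("/objects/", 1)[1] if "/objects/" in rn else None
    return StorageAccess("gcp", p["methodName"], entry["resource"]["labels"]["bucket_name"],
                         obj, p["authenticationInfo"].get("principalEmail"), "identity",
                         p["requestMetadata"]["callerIp"])


def normalize_all() -> List[StorageAccess]:
    return ([normalize_aws(AWS_EVENT)] + [normalize_azure(r) for r in AZURE_ROWS]
            + [normalize_gcp(GCP_ENTRY)])


def unattributed_reads(events: List[StorageAccess]) -> List[StorageAccess]:
    """Reads that no user, role or service account can be held to: shared-secret
    (key/SAS) or anonymous access. Each hit is a candidate leaked-credential alert."""
    return [e for e in events if e.auth_class != "identity"]


if __name__ == "__main__":
    for hit in unattributed_reads(normalize_all()):
        print(f"[{hit.cloud}] {hit.operation} {hit.bucket}/{hit.obj} "
              f"auth={hit.auth_class} from {hit.source_ip}")
```

Running it flags the two Azure rows signed with a SAS token and an account key; the OAuth row and the AWS and GCP events all carry a principal and pass. In a real pipeline the same normalized record is what you would aggregate per principal, bucket and source IP before applying volume or novelty thresholds.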

Tales from the Trenches
Main Room