fwd:cloudsec Europe 2025

Dealing with Storage Data Logs in the Cloud: A Hidden Challenge
2025-09-15, Main Room

Storage access is one of the most critical signals in cloud environments, especially as organizations shift more sensitive workloads to S3, Blob, and GCS buckets. It seems simple: log who accessed what and when, and you’re good to go. But once you start digging into the actual DataEvents across AWS, Azure, and GCP, the reality gets messy fast.

Each cloud tells a different story. AWS provides deep operational detail, Azure logs vary wildly based on the type of token used, and GCP favors identity over object context. These differences aren't just cosmetic: they shape how you investigate incidents, detect threats, and even reason about risk. For example, in Azure, the main threat scenario is leaked credentials (e.g., storage-account keys or SAS tokens), whereas in AWS and GCP, the emphasis shifts to detecting activity that stems from compromised user or role identities. Then there's the scale. Storage activity generates an overwhelming amount of logs, and separating real signals from routine access isn't trivial. Building efficient detections for that? Even harder.

In this talk, we'll walk through the real-world challenges of working with storage data logs across cloud providers: the inconsistencies, the blind spots, and the assumptions that break at scale. We'll share how we tackled these problems and aggregated the logs to build a scalable, signal-driven detection approach that cuts through the noise and surfaces what matters most.
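To make the per-cloud differences above concrete, here is an added example (not code from the talk or from Wiz) that normalises one S3, one GCS and one Azure Blob data-access event into a single schema and then counts accesses made with a bare credential (SAS token or account key) rather than a named identity. The field names follow the published CloudTrail, Cloud Audit Log and StorageBlobLogs layouts but are simplified, and the three events are constructed samples.

```python
from collections import Counter

def normalize(ev: dict) -> dict:
    """Map one raw data-access event into a provider-neutral record."""
    if "eventSource" in ev:                      # AWS CloudTrail S3 data event
        uid, rp = ev["userIdentity"], ev.get("requestParameters", {})
        return {"provider": "aws", "action": ev["eventName"], "auth": "identity",
                "principal": uid.get("arn", uid.get("type")),
                "object": f"{rp.get('bucketName')}/{rp.get('key', '')}",
                "ip": ev.get("sourceIPAddress")}
    if "protoPayload" in ev:                     # GCP Cloud Audit Log, data access
        pp = ev["protoPayload"]
        return {"provider": "gcp", "action": pp["methodName"], "auth": "identity",
                "principal": pp["authenticationInfo"]["principalEmail"],
                "object": pp.get("resourceName"),
                "ip": pp.get("requestMetadata", {}).get("callerIp")}
    if "operationName" in ev:                    # Azure StorageBlobLogs resource log
        ident = ev.get("identity", {})
        kind = ident.get("type", "Unknown")      # OAuth, SAS, AccountKey, Anonymous
        if kind == "OAuth":                      # an Entra principal is present
            who, auth = ident["authorization"][0].get("objectId"), "identity"
        else:                                    # only the credential itself is known
            who, auth = f"{kind}:{ident.get('tokenHash', 'n/a')}", "credential"
        return {"provider": "azure", "action": ev["operationName"], "auth": auth,
                "principal": who, "object": ev.get("uri"),
                "ip": (ev.get("callerIpAddress") or "").split(":")[0]}
    raise ValueError("unrecognised event shape")

def credential_activity(events: list) -> dict:
    """Count accesses made with a bearer credential (SAS / account key) instead of
    a named identity: the Azure leaked-credential scenario from the abstract."""
    recs = [normalize(e) for e in events]
    return dict(Counter(r["principal"] for r in recs if r["auth"] == "credential"))

SAMPLE_EVENTS = [  # constructed samples, not real telemetry
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
     "requestParameters": {"bucketName": "prod-exports", "key": "q3/report.csv"},
     "sourceIPAddress": "203.0.113.7"},
    {"protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "svc@example.iam.gserviceaccount.com"},
                      "resourceName": "projects/_/buckets/prod-exports/objects/q3/report.csv",
                      "requestMetadata": {"callerIp": "203.0.113.7"}}},
    {"operationName": "GetBlob", "uri": "https://prodexports.blob.core.windows.net/q3/report.csv",
     "identity": {"type": "SAS", "tokenHash": "key1(ab12...)"},
     "callerIpAddress": "203.0.113.7:51022"},
]
```

Once every event carries the same `principal`/`auth`/`object` fields, a single aggregation (per principal, per credential hash, per source IP) works across all three providers instead of three separate queries.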

I'm a cloud-threat researcher at Wiz, where I design and test advanced detections that protect companies across AWS, GCP, Azure and more. Before Wiz, I worked as a cloud-threat researcher at Gem Security, which was later acquired by Wiz. Earlier in my career, I spent several years as a network-security researcher, honing my skills in traffic analysis and threat hunting.

I specialize in AWS and GCP, diving deep into data-access logs, AWS S3 Data Events, GCP Storage Data logs, CloudTrail, GCP Audit Logs, Azure Resource and Activity Logs, and more, to surface attacker tradecraft and subtle anomalies. By correlating signals across these diverse sources, I hunt sophisticated adversaries and build resilient, data-layer detections for all three major clouds.

Cloud security is my passion, and I thrive on turning complex technical challenges into practical, high-impact defenses that keep organizations safe at scale.

I'm a cybersecurity researcher at Wiz, currently working on the threat-hunting CDR team.
My role involves proactively identifying malicious activity and analyzing data anomalies across the three major cloud providers: AWS, Azure and GCP. I come from a background in penetration testing, which gives me a strong understanding of attacker techniques and tactics. This offensive experience helps me interpret anomalous data through an adversarial lens, allowing me to build more precise and resilient detections that reflect real-world threats.