Netflow auditing is just as good and doesn't require extra infra.
Threat hunting is my pet peeve: it's cool, so engineers rush to it, when much lower-hanging fruit is still uncovered.
- Can you tell which version of openssl is installed across your production infra?
- Is Kevin over there on vacation in Moscow, or is this access fraudulent?
- What's this new dependency?
Gone the puppetmaster, turn off that Jenkins, get rid of the central syslogs. All of this can be done by your provider, for less money and more security.
Doesn't include the infra provisioning piece, like AWS IAM or Kubernetes. This is to be continued...
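The "is Kevin on vacation in Moscow, or is this access fraudulent?" question from the list above is the kind of low-hanging check the thread argues for. The script below is an added example, not code from any commenter: it takes geolocated login events (assumed to come from an auth log already enriched with coordinates, which is an assumption about the environment) and flags consecutive logins by the same user that would require travelling faster than an airliner. The users, places, timestamps and the 900 km/h threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed input: one geolocated login event (coordinates assumed to be
# added by an enrichment step upstream of this check).
@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    src: str  # human-readable origin, only used in the alert text

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # constructed threshold: roughly airliner speed


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins: list[Login], max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[dict]:
    """Return one alert per pair of consecutive logins (same user) whose
    implied ground speed exceeds max_kmh. Two logins from different places
    at the same instant are treated as infinite speed and always flagged."""
    by_user: dict[str, list[Login]] = {}
    for login in sorted(logins, key=lambda l: (l.user, l.ts)):
        by_user.setdefault(login.user, []).append(login)

    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if km == 0.0:
                continue  # same place: nothing to explain
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from": prev.src,
                    "to": cur.src,
                    "km": round(km),
                    "hours": round(hours, 2),
                    "kmh": round(speed) if speed != float("inf") else "inf",
                })
    return alerts


# Constructed sample: kevin appears in Berlin, then Moscow one hour later
# (~1600 km away); alice drives Berlin -> Munich over three hours.
SAMPLE_LOGINS = [
    Login("kevin", datetime(2024, 5, 2, 9, 0), 52.5200, 13.4050, "Berlin office"),
    Login("kevin", datetime(2024, 5, 2, 10, 0), 55.7558, 37.6173, "Moscow"),
    Login("alice", datetime(2024, 5, 2, 9, 0), 52.5200, 13.4050, "Berlin office"),
    Login("alice", datetime(2024, 5, 2, 12, 0), 48.1351, 11.5820, "Munich"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(f"{alert['user']}: {alert['from']} -> {alert['to']} "
              f"({alert['km']} km in {alert['hours']} h, ~{alert['kmh']} km/h)")
```

The check deliberately does not decide whether Kevin is on holiday; it only surfaces the pair of events that needs a human (or an HR/travel record) to confirm, which is the cheap question the comment is asking for. A real deployment would also want to ignore known VPN egress points and CDN/proxy addresses, since those make legitimate users appear to jump continents.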