I'll be talking at @BSidesLV today on how my team had to rejig the way we think about cloud security to empower security analysts through machine learning to host, identity and cloud services.

Time: 2.00 - 2.55
Location: Tuscany

Preview below:
@BSidesLV Mindshift 1: My team's goal is not to produce anomalies or outliers. We may use anomaly detection, but we understand that security analysts only want to see "Security Interesting alerts"

This means focus on domain knowledge relying on MSTIC titans like @TimbMsft @PrakashAjeet

Mindshift 2: Tap into your product portfolio for interesting labels. Attackers manifest in different products, and you want to lay a siege from multiple vantage points.

Bug bounties work interestingly well to help get interesting labels.

And FFS: Analysts != Mechanical Turks

Mindshift 3: Learning to defend the cloud

There are lots of interesting nuances when defending the cloud compared to on-prem. Some ways are similar: the WHY in protecting SQL Server is similar to protecting Azure Storage.

The HOW is obviously very different.

Mindshift 4: Reframing "new" problems to recycle "old" solutions

We are now a team of 32 combined applied ML engineers, and we still have a healthy backlog of items to get through every semester.

Point: Want to identify unusual SSH logins? Reuse your unusual AAD login model

Mindshift 5: Embrace Empathy

If you want to build products and solutions that analysts actually want to use, respect their time and feedback

This means:
- Grade your own detection
- Meet weekly with your customers
- Have biweekly reflection across partners
- Keep KPI real