Cloud Incident Response: DevSecOps Style (Room 1K)

We have red teams, blue teams, purple teams, black hats, white hats, SOCs and SIEMS… yet few organizations understand the fundamentals of incident response in a world where attackers use Terraform and serverless. This hands-on session will show DevOps pros how to leverage their skills for security incident response, and security pros how to adopt DevOps techniques to respond at the speed of Bash. Through a mix of presentation, demonstration, and a live-fire exercise we will:

  • Highlight the differences between a cloud native breach and a “legacy” hack of instances or containers.
  • Review the top methods of credential exposure and privilege escalation.
  • Enhance the existing incident response framework with cloud and DevOps-specific modifications.
  • Demonstrate the following IR techniques and include materials for attendees to follow along and try them out for themselves:
    • Use of SCPs/policies and organization units to contain an incident
    • Perform a prioritized cloud management plane IR sweep with both manual and automated techniques
    • Use of deployment pipelines for maintaining operations while containing breaches
    • Event-based notifications and response for near-instant reactions
    • How to build security and response guardrails and automations
    • DevOps-driven forensics for instances and containers

During the session we will also release an incident response simulator that emulates common cloud attack techniques so attendees can practice defense and response. Prepare to move fast as we cram in days worth of material into a single session!



Rich Mogull


Rich has twenty years experience in information security, physical security, and risk management. These days he specializes in cloud security and DevSecOps, having starting working hands-on in cloud