SANS 2021 features 30+ Interactive Courses, Three NetWars Tournaments, Trivia Night, and Bonus Talks. Save $150 thru Tomorrow!

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






Secure Monitoring

Featuring 6 Papers as of February 8, 2021

  • Cloud Security Monitoring on AWS by Sherif Talaat - February 8, 2021 

    Cloud services adoption is growing massively year over year. In most cases, moving to the cloud decision is driven by cost optimization goals. Organizations usually start the cloud journey with the lift-and-shift approach, migrating the datacenter as-is, including the security services and controls, even the physical appliances, to the equivalent virtual appliances from the respective vendor. In some cases, the security controls used on- premises are not as effective with cloud services. Moreover, in some other cases, it can be expensive as well. This paper illustrates Amazon Web Services (AWS) security services a security professional can use to aid the cloud service's continuous security monitoring operations.


  • Detect and Track Security Attacks with NetWitness by RSA Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - January 22, 2021 

    In this product review, SANS explores the RSA NetWitness platform. The platform includes many advanced features focused on reducing detection and response time for security operations and investigations, and processing large quantities of data from numerous sources in real time.


  • Looking for Linux: WSL Key Evidence SANS.edu Graduate Student Research
    by Amanda Draeger - December 11, 2019 

    Microsoft released Windows Subsystem for Linux (WSL) in 2016 to much fanfare, but little research into the security implications of installing this feature followed. This lack of research, and lack of documentation, is a problem for the administrators who want to take advantage of its feature set while monitoring their systems for unusual behavior. Native Windows logging can provide visibility into WSL’s behavior, but there has been no research on which logs can provide this visibility, and what exact information they can provide. This paper examines how to monitor a Windows 10 system with WSL installed for common indicators of malicious activity.


  • JumpStart Guide to Investigations and Cloud Security Posture Management in AWS Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - November 8, 2019 

    Cloud security posture management ( CSPM) has gained popularity as organizations move to a cloud-first mentality. CSPM enables efficient investigations because it centralizes data sources that provide operational and security insight. When an organization moves to the cloud, the security team needs visibility into its AWS accounts, which can be a complex undertaking. This paper focuses on the tactics that can aid in an investigation.


  • Security Monitoring of Windows Containers SANS.edu Graduate Student Research
    by Peter Di Giorgio - March 27, 2019 

    The information technology community has utilized container technology since the LXC project began in 2008 (Hildred, 2015). Containers are a form of virtualization that package application code and its dependencies together. Containers share the operating system kernel but maintain isolated processes. Until recently, it was not possible for the Windows operating system to share its kernel. As such, developers were long unable to package many Windows-specific applications into containers. However, after ten years of waiting, Microsoft finally delivered Windows containers in 2018. Today, container security best practices focus on container integrity and container host security. The industry is just beginning to consider techniques to monitor Windows containers. This research focuses on the possibility of using known techniques and open source tools to extract Windows event logs, processes, services, and registry data from containers to observe attacks.


  • Continuous Security Monitoring in non-Active Directory Environments by Blair Gillam - February 20, 2019 

    Active Directory-centric monitoring techniques, tools, and methodologies have dominated information security conferences in recent years. Many alternative centralized directory services, including FreeIPA and OpenLDAP, are found in modern enterprises. Diagnostic and performance monitoring for these alternatives is well documented; however, security-related events can be recorded in different formats and multiple locations across both directory servers and clients. This paper investigates continuous security monitoring techniques for FreeIPA that can be leveraged by defenders to analyze and visualize common directory service security events in non-Active Directory environments. It explores change detection rules that can be applied at the user, group, and directory levels and presents example security metrics for detecting anomalous activity.


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.