The power of cloud applications is driving digital transformation, and cybersecurity is a top priority for cloud players seeking to strengthen their services. Discover the latest strategies and techniques for optimizing your cloud services while maintaining the highest levels of security.
To enhance the convenience of software services, vendors are increasingly offering products via SaaS. However, as enterprises adopt SaaS heavily, what began as straightforward usage evolves into a cloud migration opportunity, and they inadvertently enter a realm of cloud complexity that also eases hacker intrusion. Users often remain unaware of the extent of their cloud service usage until an attack occurs. This session diverges from the usual topics of pre-incident cloud log configuration and post-incident threat hunting using logs. Instead, it focuses on real-time monitoring, particularly of Azure Entra ID and related cloud service logs, identifying key monitoring points during incidents. This gives attendees a direction to apply in daily operations. Additionally, it includes case studies on cloud intrusions, demonstrating how well-designed monitoring rules can facilitate early detection and immediate response to enterprise breaches.
In the cloud era, identity management becomes a formidable challenge for enterprises due to complex usage patterns and diverse identities and permissions. Gartner's 2023 report, 'Managing Privileged Access in Cloud Infrastructure', predicts that 75% of cloud breaches will involve misconfigurations in Identity and Access Management (IAM), highlighting the crucial importance of identity visibility. To address this, we propose a system designed to identify and visualize the identity attack surface, presenting relationships between all cloud-related identities and assets graphically.
Various types of accounts exist in the cloud environment, including CI/CD service accounts and accounts synced from on-premises. Users often overlook these account types when they are not included in standard cloud inventory tools, and focus primarily on cloud-only accounts. Additionally, trusted relationships significantly extend the identity perimeter. This situation requires users to manage not only their own account permissions but also those of guest accounts, which can vary significantly in terms of risk.
In this talk, we will provide an inventory list of assets and configurations related to cloud initial access. Afterward, we will discuss a case study involving a cloud managed service provider that uses guest accounts to manage cloud services, highlighting issues related to identity and IAM misconfigurations. We will then introduce how to reduce the attack surface of identities.
In the cloud world, it's not just about being a mature container; it's about learning to protect yourself. When it comes to RASP (Runtime Application Self-Protection) technology, many folks are still scratching their heads about its principles and practical applications. This session dives deep into the core principles of RASP and explores its versatility in safeguarding cloud applications. From tweaking foundational containers to hooking PHP opcode for real-time detection, to monitoring network traffic through a cloud-sidecar, and even delving into the realm of automated detection techniques enhanced with RASP – we'll unravel concrete examples of RASP applications in various forms.