DIAL: Did I just alert Lambda? A centralized security misconfiguration detection system

By Saransh Rana , Divyanshu Mehta , Harsh Varagiya on 04 Nov 2021 @ Ekoparty
#aws #security-monitoring #iam #devsecops
Focus Areas: Security Operations & Defense, Application Security, Cloud Security, Identity & Access Management
This talk covers the following tools that the speakers have authored or contributed to:
DIAL

Presentation Material

Abstract

DIAL ("Did I just alert Lambda?") is a centralized monitoring and alerting system that runs completely stateless and gives end-to-end visibility into internal threats and security misconfigurations, such as a database going public or over-permissive IAM policies, across different AWS accounts. It runs on top of AWS Lambda, which makes it infinitely scalable and easily deployable across multiple AWS accounts.

AI Generated Summary

This presentation described the design and implementation of a centralized security monitoring and incident response system, focusing on a hierarchical controller architecture for real-time event processing. The core research addressed the challenge of aggregating and classifying security events from diverse, distributed sources within large-scale IT environments.

The system employed a modular architecture with distinct “child controllers” responsible for collecting and pre-processing events from specific segments (e.g., network devices, applications, cloud services). These child controllers forwarded normalized events to a central “parent controller.” A key technical component was a configurable classification engine that applied rules and policies to categorize events by severity and type, enabling prioritized alerting. The presentation detailed the system’s ability to generate automated, actionable incident reports and its integration with existing security workflows for response.

Practical implications included the system’s flexibility in handling high-volume event streams, its support for customizable alert thresholds, and its role in reducing mean time to detection (MTTD) and response (MTTR). The architecture was presented as a method to overcome the limitations of siloed security tools by providing a unified, real-time view of an organization’s security posture. The design emphasized scalability and the importance of separating data collection (child controllers) from correlation and management (parent controller) to maintain performance during peak loads. The talk concluded that such a structured approach is necessary for effective security operations in complex, modern infrastructures.
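As an added illustration of the child-controller step described in the summary (example code written here, not DIAL's own implementation), the following Lambda-shaped handler evaluates constructed CloudTrail-style events against rules for the two misconfigurations the abstract names, a database made publicly accessible and an over-permissive IAM policy, and emits the normalized, severity-tagged findings a parent controller would aggregate. The event shapes, rule names and severity levels are assumptions.

```python
import json

# Constructed CloudTrail-style events (simplified shape); not real DIAL input.
SAMPLE_EVENTS = [
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "recipientAccountId": "111111111111",
     "requestParameters": {"dBInstanceIdentifier": "prod-db", "publiclyAccessible": True}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "recipientAccountId": "222222222222",
     "requestParameters": {"policyName": "tmp-admin", "policyDocument": json.dumps(
         {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "recipientAccountId": "111111111111", "requestParameters": {}},
]

def _as_list(v):  # IAM fields may be a string, a list, or (for Statement) a single dict
    return [v] if isinstance(v, (str, dict)) else list(v or [])

def rule_db_public(event):
    """Flag an RDS change that sets the instance publicly accessible."""
    rp = event.get("requestParameters") or {}
    if event.get("eventSource") == "rds.amazonaws.com" and rp.get("publiclyAccessible") is True:
        return "HIGH", "database-public", rp.get("dBInstanceIdentifier", "unknown")

def rule_iam_wildcard(event):
    """Flag a policy write that allows Action '*' on Resource '*'."""
    rp = event.get("requestParameters") or {}
    if event.get("eventSource") != "iam.amazonaws.com" or "policyDocument" not in rp:
        return None
    try:
        doc = json.loads(rp["policyDocument"])
    except (TypeError, ValueError):  # a malformed document is itself worth a finding
        return "MEDIUM", "iam-policy-unparseable", rp.get("policyName", "unknown")
    for stmt in _as_list(doc.get("Statement")):
        if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            return "HIGH", "iam-over-permissive", rp.get("policyName", "unknown")
RULES = [rule_db_public, rule_iam_wildcard]  # assumed rule set

def classify(event):
    """Child-controller step: first matching rule yields one normalized finding, else None."""
    for severity, kind, target in filter(None, (rule(event) for rule in RULES)):
        return {"account": event.get("recipientAccountId"), "severity": severity,
                "type": kind, "target": target, "eventName": event.get("eventName")}
    return None

def lambda_handler(event, context=None):
    """Lambda-shaped entry point: classify a batch and return findings for the parent controller."""
    findings = [f for f in map(classify, event.get("Records", [event])) if f]
    return {"forwarded": len(findings), "findings": findings}
```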

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content. Learn more about our AI experiments.