科技回声 (Tech Echo): a tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声 (Tech Echo). All rights reserved.

Ask HN: Intruder detection 101 in cloud environments – where to start?

3 points, by electromech, 3 months ago
Say you're a newly hired security architect for a global cloud environment that involves dozens of teams and services employing a variety of access patterns, protocols, etc. You observe that the org has a number of best-practices prevention mechanisms in place (e.g., decent auth-auth between services, team-based RBAC) and you conclude that it's not trivial for adversaries to gain access. However, you learn that there's no intrusion detection, so if someone did gain access, it would be difficult to identify that such access had been obtained. Where do you start?

In no particular order, here are some options that come to mind:

0. Ignore detection and focus primarily on prevention measures (better bang for the buck?)
1. Deploy a SaaS solution like CrowdStrike/Falcon (and hope they don't take down your network or get compromised themselves)
2. Deploy something like Snort https://news.ycombinator.com/item?id=31534316
3. Set up/review generic monitoring of VPC flow logs for obvious anomalies
4. Focus on access log anomalies rather than network-level anomalies
5. Deploy honeypots and set up alerts for attempts to access them
6. Run a small red team experiment to measure how much noise would be necessary for someone to notice
7. Read a book to learn the fundamentals (which one...?)
8. Organize a task force without knowing which of the above options to recommend

What would you do? Where would you start?

--

(In real life, the situation is more complicated and nuanced. I'm a SWE, not an architect, and I am acting from imperfect information — my employers may indeed have intrusion detection but exactly what/how isn't visible to me. Because those tools tend to be accessible only to certain IT/InfoSec teams, I have developed a blind spot for what is considered best practices. I hope that some HN opinions can help me frame the harder problem of how to advocate for this stuff internally.)
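As an added example (not part of electromech's post and not the output of any tool named in it), here is a small detection pass over constructed AWS VPC Flow Log records, in the default version-2 field order, that implements the cheapest versions of options 3, 4 and 5 from the list: a source collecting REJECTs on many distinct ports, an internal host opening a connection to an external address outside its egress baseline, and any flow at all that touches a honeypot address. The VPC range, the honeypot address, the egress baseline, the reject-port threshold and every log line are hypothetical values chosen for the sample.

```python
"""Toy detection pass over AWS VPC Flow Log records (default v2 format).

Added example, not from the original post. The log lines below are
constructed, and the honeypot address, VPC range and egress baseline
are hypothetical. Three detections, matching options 3, 4 and 5:
  - any flow whose destination is a honeypot address (option 5)
  - one source accumulating REJECTs on many distinct ports (option 3)
  - an internal host reaching an external address not in its baseline,
    i.e. a first-seen egress, the access-pattern view of option 4
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Default VPC flow log field order (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records. 10.0.0.0/16 is the hypothetical VPC; the
# last line is a NODATA record, which carries no addresses.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.9.9 49153 22 6 1 60 1700000005 1700000065 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.20 54001 22 6 1 60 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.20 54002 23 6 1 60 1700000011 1700000071 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.20 54003 3389 6 1 60 1700000012 1700000072 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.20 54004 5432 6 1 60 1700000013 1700000073 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.20 54005 6379 6 1 60 1700000014 1700000074 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.5 49154 443 6 20 30000 1700000020 1700000080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 192.0.2.44 49155 443 6 5 900 1700000030 1700000090 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000040 1700000100 - NODATA
"""

VPC = ip_network("10.0.0.0/16")                    # hypothetical VPC CIDR
HONEYPOTS = {"10.0.9.9"}                           # hypothetical decoy host
BASELINE_EGRESS = {"10.0.1.10": {"198.51.100.5"}}  # hypothetical known-good egress
REJECT_PORT_THRESHOLD = 4                          # distinct rejected ports per source


def parse_flow_log(text):
    """Parse records; drop NODATA/SKIPDATA lines, which have no addresses."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def detect(records, honeypots=HONEYPOTS, baseline=BASELINE_EGRESS,
           threshold=REJECT_PORT_THRESHOLD):
    """Return (rule, subject, detail) tuples for every record that trips a rule."""
    alerts = []
    rejected_ports = defaultdict(set)
    seen_egress = {src: set(dsts) for src, dsts in baseline.items()}
    for rec in records:
        src, dst = rec["srcaddr"], rec["dstaddr"]
        # Option 5: nothing legitimate ever talks to a honeypot, so the
        # action (ACCEPT or REJECT) does not matter; the attempt is the signal.
        if dst in honeypots:
            alerts.append(("honeypot_touch", src, dst))
        # Option 3: collect distinct destination ports per source that were REJECTed.
        if rec["action"] == "REJECT":
            rejected_ports[src].add(rec["dstport"])
        # Option 4: an internal host successfully reaching an external address
        # that is not in its baseline; remember it so it alerts only once.
        if (rec["action"] == "ACCEPT" and ip_address(src) in VPC
                and ip_address(dst) not in VPC):
            known = seen_egress.setdefault(src, set())
            if dst not in known:
                known.add(dst)
                alerts.append(("new_egress", src, dst))
    for src, ports in rejected_ports.items():
        if len(ports) >= threshold:
            alerts.append(("port_probe", src, len(ports)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flow_log(SAMPLE_LOG)):
        print(alert)
```

On the sample this yields one alert per rule: the honeypot touch from 10.0.1.10, the first-seen egress from 10.0.1.10 to 192.0.2.44, and the port probe from 203.0.113.7. The practical point is the difference in signal quality: a honeypot alert is close to zero false positives and needs no baseline, which is why option 5 is a cheap first step; the first-seen-egress rule is only as good as the baseline it is seeded with and will be noisy until one has been learned over a quiet window; and the reject-port threshold is an arbitrary knob that has to be tuned against normal scanner background on internet-facing interfaces.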

1 comment

nonrandomstring, 3 months ago
Really pleased to see (7) in your list. A willingness to learn is worth all the gadgets and gizmos times ten. Ross's book is a good start [0]. For now (0) and (1) until you're ready to take this on confidently.

[0] https://www.cl.cam.ac.uk/archive/rja14/book.html
Comment #42966667 not loaded.