Diffy: Quickly Find an Attacker Hiding in Your Cloud Instances

Forest Monsen
Netflix

Kevin Glisson
Netflix

Track 1

Diffy is a triage tool for incident responders on cloud architectures. It helps you quickly identify which instance characteristics differ in interesting, security-relevant ways from an established baseline (created from both a typical app instance and the other instances in the set), and then pivot to deeper investigation or response actions. Diffy is developed by the Netflix Security Intelligence and Response Team (SIRT). We are currently focusing on AWS, but look forward to contributions to open up other cloud providers.

Forest Monsen
Forest Monsen is a senior security engineer at Netflix with experience in both offensive and defensive security. He works to improve digital forensics and incident response on cloud architectures.

Kevin Glisson
Kevin is a Senior Cloud Security Engineer at Netflix who has previously conquered SSL/TLS automation (Lemur) and distributed application security scanning (Monterey). He previously worked as a Cyber Intelligence Analyst and Computer Security Incident Responder for JPMorgan Chase & Co. He is deeply interested in all things related to security automation, including infrastructure security, intelligence gathering, and forensic data collection. In his free time, he is an avid mountain biker and ultimate frisbee player.