Guests: Mitchell Rudoll, Specialist Master, Deloitte Alex Glowacki, Senior Consultant, Deloitte Topics: The paper outlines two paths for SOCs: optimization or transformation. Can you elaborate on the key differences between these two approaches and the factors that should influence an organization's decision on which path to pursue?  The paper also mentions that alert overload is still a major challenge for SOCs. What are some of the practices that work in 2024 for reducing alert fatigue and improving the signal-to-noise ratio in security signals? You also discuss the importance of automation for SOCs. What are some of the key areas where automation can be most beneficial, and what are some of the challenges of implementing automation in SOCs? Automation is often easier said than done… What specific skills and knowledge will be most important for SOC analysts in the future that people didn’t think of 5-10 years ago? Looking ahead, what are your predictions for the future of SOCs? What emerging technologies do you see having the biggest impact on how SOCs operate?  Resources: “Future of the SOC: Evolution or Optimization —Choose Your Path” paper and highlights blog “Meet the Ghost of SecOps Future” video based on the paper EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond The original Autonomic Security Operations (ASO) paper (2021) “New Paper: “Future of the SOC: Forces shaping modern security operations” (Paper 1 of 4)” “New Paper: “Future of the SOC: SOC People — Skills, Not Tiers” (Paper 2 of 4)” “New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of 4)”

Guests: Robin Shostack, Security Program Manager, Google Jibran Ilyas, Managing Director Incident Response, Mandiant, Google Cloud Topics: You talk about “teamwork under adverse conditions” to describe expedition behavior (EB). Could you tell us what it means? You have been involved in response to many high profile incidents, one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response?   Apart from during incident response which is almost definitionally an adverse condition, how else can security teams apply this knowledge? If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It’s probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team? How do we create it in an existing team or an under-performing team?   Resources: EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework EP103 Security Incident Response and Public Cloud - Exploring with Mandiant EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster? “Take a few of these: Cybersecurity lessons for 21st century healthcare professionals” blog Getting More by Stuart Diamond book Who Moved My Cheese by Spencer Johnson  book

Guest: Brandon Wood, Product Manager for Google Threat Intelligence Topics: Threat intelligence is one of those terms that means different things to everyone–can you tell us what this term has meant in the different contexts of your career?  What do you tell people who assume that “TI = lists of bad IPs”? We heard while prepping for this show that you were involved in breaking up a human trafficking ring: tell us about that! In Anton’s experience, a lot  of cyber TI is stuck in “1. Get more TI 2. ??? 3. Profit!” How do you move past that? One aspect of threat intelligence that’s always struck me as goofy is the idea that we can “monitor the dark web” and provide something useful. Can you change my mind on this one? You told us your story of getting into sales, you recently did a successful rotation into the role of Product Manager,, can you tell us about what motivated you to do this and what the experience was like? Are there other parts of your background that inform the work you’re doing and how you see yourself at Google?  How does that impact our go to market for threat intelligence, and what’re we up to when it comes to keeping the Internet and broader world safe? Resources: Video EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons EP128 Building Enterprise Threat Intelligence: The Who, What, Where, and Why EP112 Threat Horizons - How Google Does Threat Intelligence Introducing Google Threat Intelligence: Actionable threat intelligence at Google scale A Requirements-Driven Approach to Cyber Threat Intelligence  

Guests: Omar ElAhdan, Principal Consultant, Mandiant, Google Cloud Will Silverstone, Senior Consultant, Mandiant, Google Cloud Topics: Most organizations you see use both cloud and on-premise environments. What are the most common challenges organizations face in securing their hybrid cloud environments? You do IR so in your experience, what are top 5  mistakes organizations make that lead to cloud incidents? How and why do organizations get the attack surface wrong? Are there pillars of attack surface? We talk a lot about how IAM matters in the cloud.  Is that true that AD is what gets you in many cases even for other clouds? What is your best cloud incident preparedness advice for organizations that are new to cloud and still use on-prem as well? Resources: Next 2024 LIVE Video of this episode / LinkedIn version (sorry for the audio quality!) “Lessons Learned from Cloud Compromise” podcast at The Defender’s Advantage “Cloud compromises: Lessons learned from Mandiant investigations” in 2023 from Next 2024 EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework EP103 Security Incident Response and Public Cloud - Exploring with Mandiant EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler

Guest: Seth Vargo, Principal Software Engineer responsible for Google's use of the public cloud, Google Topics: Google uses the public cloud, no way, right? Which one? Oh, yeah, I guess this is obvious: GCP, right? Where are we like other clients of GCP?  Where are we not like other cloud users? Do we have any unique cloud security technology that we use that others may benefit from? How does our cloud usage inform our cloud security products? So is our cloud use profile similar to cloud natives or traditional companies? What are some of the most interesting cloud security practices and controls that we use that are usable by others? How do we make them work at scale?  Resources: EP12 Threat Models and Cloud Security (previous episode with Seth) EP66 Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics IAM Deny Seth Vargo blog “Attention Is All You Need” paper (yes, that one)

Guest: Crystal Lister, Technical Program Manager, Google Cloud Security Topics: Your background can be sheepishly called “public sector”, what’s your experience been transitioning from public to private? How did you end up here doing what you are doing? We imagine you learned a lot from what you just described – how’s that impacted your work at Google? How have you seen risk management practices and outcomes differ? You now lead Google Threat Horizons reports, do you have a vision for this? How does your past work inform it? Given the prevalence of ransomware attacks, many organizations are focused on external threats. In your experience, does the risk of insider threats still hold significant weight? What type of company needs a dedicated and separate insider threat program? Resources: Video on YouTube Google Cybersecurity Action Team Threat Horizons Report #9 Is Out! Google Cybersecurity Action Team site for previous Threat Horizons Reports EP112 Threat Horizons - How Google Does Threat Intelligence Psychology of Intelligence Analysis by Richards J. Heuer The Coming Wave by Mustafa Suleyman  Visualizing Google Cloud: 101 Illustrated References for Cloud Engineers and Architects  

Guest: Angelika Rohrer, Sr. Technical Program Manager , Cyber Security Response at Alphabet Topics: Incident response (IR) is by definition “reactive”, but ultimately incident prep determines your IR success. What are the broad areas where one needs to prepare? You have created a new framework for measuring how ready you are for an incident, what is the approach you took to create it? Can you elaborate on the core principles behind the Continuous Improvement (CI) Framework for incident response? Why is continuous improvement crucial for effective incident response, especially in cloud environments? Can’t you just make a playbook and use it? How to overcome the desire to focus on the easy metrics and go to more valuable ones? What do you think Google does best in this area? Can you share examples of how the CI Framework could have helped prevent or mitigate a real-world cloud security incident? How can other organizations practically implement the CI Framework to enhance their incident response capabilities after they read the paper? Resources: “How do you know you are "Ready  to Respond"? paper EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil EP103 Security Incident Response and Public Cloud - Exploring with Mandiant EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?  

Guest: Shan  Rao, Group Product Manager, Google  Topics: What are the unique challenges when securing AI for cloud environments, compared to traditional IT systems? Your talk covers 5 risks, why did you pick these five? What are the five, and are these the worst? Some of the mitigation seems the same for all risks. What are the popular SAIF mitigations that cover more of the risks? Can we move quickly and securely with AI? How? What future trends and developments do you foresee in the field of securing AI for cloud environments, and how can organizations prepare for them? Do you think in 2-3 years AI security will be a separate domain or a part of … application security? Data security? Cloud security?  Resource: Video (LinkedIn, YouTube)  [live audio is not great in these] “A cybersecurity expert's guide  to securing AI products with Google SAIF“ presentation SAIF Site “To securely build AI on Google Cloud, follow these best practices” (paper) “Secure AI Framework (SAIF): A Conceptual Framework for Secure AI Systems” resources Corey Quinn on X (long story why this is here… listen to the episode)

Guests: None Topics: What have we seen at RSA 2024? Which buzzwords are rising (AI! AI! AI!) and which ones are falling (hi XDR)? Is this really all about AI? Is this all marketing? Security platforms or focused tools, who is winning at RSA? Anything fun going on with SecOps? Is cloud security still largely about CSPM? Any interesting presentations spotted? Resources: EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side (RSA 2024 episode 1 of 2) “From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis” blog “Decoupled SIEM: Brilliant or Stupid?” blog “Introducing Google Security Operations: Intel-driven, AI-powered SecOps” blog “Advancing the art of AI-driven security with Google Cloud” blog

Guest: Elie Bursztein, Google DeepMind Cybersecurity Research Lead, Google  Topics: Given your experience, how afraid or nervous are you about the use of GenAI by the criminals (PoisonGPT, WormGPT and such)? What can a top-tier state-sponsored threat actor do better with LLM? Are there “extra scary” examples, real or hypothetical? Do we really have to care about this “dangerous capabilities” stuff (CBRN)? Really really? Why do you think that AI favors the defenders? Is this a long term or a short term view? What about vulnerability discovery? Some people are freaking out that LLM will discover new zero days, is this a real risk?  Resources: “How Large Language Models Are Reshaping the Cybersecurity Landscape” RSA 2024 presentation by Elie (May 6 at 9:40AM) “Lessons Learned from Developing Secure AI Workflows” RSA 2024 presentation by Elie (May 8, 2:25PM) EP50 The Epic Battle: Machine Learning vs Millions of Malicious Documents EP40 2021: Phishing is Solved? EP135 AI and Security: The Good, the Bad, and the Magical EP170 Redefining Security Operations: Practical Applications of GenAI in the SOC EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It PyRIT LLM red-teaming tool Accelerating incident response using generative AI Threat Actors are Interested in Generative AI, but Use Remains Limited OpenAI’s Approach to Frontier Risk  

Guest: Payal Chakravarty, Director of Product Management, Google SecOps, Google Cloud Topics: What are the different use cases for GenAI in security operations and how can organizations  prioritize them for maximum impact to their organization? We’ve heard a lot of worries from people that GenAI will replace junior team members–how do you see GenAI enabling more people to be part of the security mission? What are the challenges and risks associated with using GenAI in security operations? We’ve been down the road of automation for SOCs before–UEBA and SOAR both claimed it–and AI looks a lot like those but with way more matrix math-what are we going to get right this time that we didn’t quite live up to last time(s) around? Imagine a SOC or a D&R team of 2029. What AI-based magic is routine at this time? What new things are done by AI? What do humans do? Resources: Live video (LinkedIn, YouTube) [live audio is not great in these] Practical use cases for AI in security operations, Cloud Next 2024 session by Payal EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It EP169 Google Cloud Next 2024 Recap: Is Cloud an Island, So Much AI, Bots in SecOps 15 must-attend security sessions at Next '24  

Guests:  no guests (just us!) Topics: What are some of the fun security-related launches from Next 2024 (sorry for our brief “marketing hat” moment!)? Any fun security vendors we spotted “in the clouds”? OK, what are our favorite sessions? Our own, right? Anything else we had time to go to? What are the new security ideas inspired by the event (you really want to listen to this part! Because “freatures”...) Any tricky questions at the end? Resources: Live video (LinkedIn, YouTube) [live audio is not great in these] 15 must-attend security sessions at Next '24 Cloud CISO Perspectives: 20 major security announcements from Next ‘24 EP137 Next 2023 Special: Conference Recap - AI, Cloud, Security, Magical Hallway Conversations (last year!) EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It? EP90 Next Special - Google Cybersecurity Action Team: One Year Later! A cybersecurity expert's guide to securing AI products with Google SAIF Next 2024 session How AI can transform your approach to security Next 2024 session

Guests:  Umesh Shankar, Distinguished Engineer, Chief Technologist for Google Cloud Security Scott Coull, Head of Data Science Research, Google Cloud Security Topics: What does it mean to “teach AI security”? How did we make SecLM? And also: why did we make SecLM? What can “security trained LLM” do better vs regular LLM? Does making it better at security make it worse at other things that we care about? What can a security team do with it today?  What are the “starter use cases” for SecLM? What has been the feedback so far in terms of impact - both from practitioners but also from team leaders? Are we seeing the limits of LLMs for our use cases? Is the “LLM is not magic” finally dawning? Resources: “How to tackle security tasks and workflows with generative AI” (Google Cloud Next 2024 session on SecLM) EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It? EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models Supercharging security with generative AI  Secure, Empower, Advance: How AI Can Reverse the Defender’s Dilemma? Considerations for Evaluating Large Language Models for Cybersecurity Tasks Introducing Google’s Secure AI Framework Deep Learning Security and Privacy Workshop  Security Architectures for Generative AI Systems ACM Workshop on Artificial Intelligence and Security Conference on Applied Machine Learning in Information Security  

Speakers:  Maria Riaz, Cloud Counter-Abuse, Engineering Lead, Google Cloud Topics: What is “counter abuse”? Is this the same as security? What does counter-abuse look like for GCP? What are the popular abuse types we face?  Do people use stolen cards to get accounts to then violate the terms with? How do we deal with this, generally? Beyond core technical skills, what are some of the relevant competencies for working in this space that would appeal to a diverse set of audience? You have worked in academia and industry. What similarities or differences have you observed? Resources / reading: Video EP165 Your Cloud Is Not a Pet - Decoding 'Shifting Left' for Cloud Security P161 Cloud Compliance: A Lawyer - Turned Technologist! - Perspective on Navigating the Cloud “Art of War” by Sun Tzu “Dare to Lead” by Brene Brown "Multipliers" by Liz Wiseman

Guests: Evan Gilman, co-founder CEO of Spirl Eli Nesterov, co-founder CTO of Spril Topics: Today we have IAM,  zero trust and security made easy. With that intro, could you give us the 30 second version of what a workload identity is and why people need them?  What’s so spiffy about SPIFFE anyway?  What’s different between this and micro segmentation of your network–why is one better or worse?  You call your book “solving the bottom turtle” could you tell us what that means? What are the challenges you’re seeing large organizations run into when adopting this approach at scale?  Of all the things a CISO could prioritize, why should this one get added to the list? What makes this, which is so core to our internal security model–ripe for the outside world? How people do it now, what gets thrown away when you deploy SPIFFE? Are there alternative? SPIFFE is interesting, yet can a startup really “solve for the bottom turtle”?  Resources: SPIFFE  and Spirl “Solving the Bottom Turtle” book [PDF, free] “Surely You're Joking, Mr. Feynman!” book [also, one of Anton’s faves for years!] “Zero Trust Networks” book Workload Identity Federation in GCP

Guest: Ahmad Robinson,  Cloud Security Architect, Google Cloud Topics: You’ve done a BlackHat webinar where you discuss a Pets vs Cattle mentality when it comes to cloud operations. Can you explain this mentality and how it applies to security? What in your past led you to these insights?  Tell us more about your background and your journey to Google.  How did that background contribute to your team? One term that often comes up on the show and with our customers is 'shifting left.'  Could you explain what 'shifting left' means in the context of cloud security? What’s hard about shift left, and where do orgs get stuck too far right? A lot of “cloud people” talk about IaC and PaC but the terms and the concepts are occasionally confusing to those new to cloud. Can you briefly explain Policy as Code  and its security implications? Does PaC help or hurt security? Resources: “No Pets Allowed - Mastering The Basics Of Cloud Infrastructure” webinar EP33 Cloud Migrations: Security Perspectives from The Field EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment? EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud  

Guest: Jennifer Fernick, Senor Staff Security Engineer and UTL, Google Topics: Since one of us (!) doesn't have a PhD in quantum mechanics, could you explain what a quantum computer is and how do we know they are on a credible path towards being real threats to cryptography? How soon do we need to worry about this one? We’ve heard that quantum computers are more of a threat to asymmetric/public key crypto than symmetric crypto. First off, why? And second, what does this difference mean for defenders? Why (how) are we sure this is coming? Are we mitigating a threat that is perennially 10 years ahead and then vanishes due to some other broad technology change? What is a post-quantum algorithm anyway? If we’re baking new key exchange crypto into our systems, how confident are we that we are going to be resistant to both quantum and traditional cryptanalysis?  Why does NIST think it's time to be doing the PQC thing now? Where is the rest of the industry on this evolution? How can a person tell the difference here between reality and snakeoil? I think Anton and I both responded to your initial email with a heavy dose of skepticism, and probably more skepticism than it deserved, so you get the rare on-air apology from both of us! Resources: Securing tomorrow today: Why Google now protects its internal communications from quantum threats How Google is preparing for a post-quantum world NIST PQC standards PQ Crypto conferences “Quantum Computation & Quantum Information” by Nielsen & Chuang book “Quantum Computing Since Democritus” by Scott Aaronson book EP154 Mike Schiffman: from Blueboxing to LLMs via Network Security at Google  

Guest: Phil Venables, Vice President, Chief Information Security Officer (CISO) @ Google Cloud  Topics:  You had this epic 8 megatrends idea in 2021, where are we now with them? We now have 9 of them, what made you add this particular one (AI)? A lot of CISOs fear runaway AI. Hence good governance is key! What is your secret of success for AI governance?  What questions are CISOs asking you about AI? What questions about AI should they be asking that they are not asking? Which one of the megatrends is the most contentious based on your presenting them worldwide? Is cloud really making the world of IT simpler (megatrend #6)? Do most enterprise cloud users appreciate the software-defined nature of cloud (megatrend #5) or do they continue to fight it? Which megatrend is manifesting the most strongly in your experience? Resources: Megatrends drive cloud adoption—and improve security for all and infographic “Keynote | The Latest Cloud Security Megatrend: AI for Security” “Lessons from the future: Why shared fate shows us a better cloud roadmap” blog and shared fate page SAIF page “Spotlighting ‘shadow AI’: How to protect against risky AI practices” blog EP135 AI and Security: The Good, the Bad, and the Magical EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security Secure by Design by CISA  

Guest: Kat Traxler, Security Researcher, TrustOnCloud Topics: What is your reaction to “in the cloud you are one IAM mistake away from a breach”? Do you like it or do you hate it? A lot of people say “in the cloud, you must do IAM ‘right’”. What do you think that means? What is the first or the main idea that comes to your mind when you hear it? How have you seen the CSPs take different approaches to IAM? What does it mean for the cloud users? Why do people still screw up IAM in the cloud so badly after years of trying? Deeper, why do people still screw up resource hierarchy and resource management?  Are the identity sins of cloud IAM users truly the sins of the creators? How did the "big 3" get it wrong and how does that continue to manifest today? Your best cloud IAM advice is “assign roles at the lowest resource-level possible”, please explain this one? Where is the magic? Resources: Video (Linkedin, YouTube) Kat blog “Diving Deeply into IAM Policy Evaluation” blog “Complexity: a Guided Tour” book EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same? EP129 How CISO Cloud Dreams and Realities Collide  

Guest: Victoria Geronimo, Cloud Security Architect, Google Cloud Topics: You work with technical folks at the intersection of compliance, security, and cloud. So  what do you do, and where do you find the biggest challenges in communicating across those boundaries? How does cloud make compliance easier? Does it ever make compliance harder?  What is your best advice to organizations that approach cloud compliance as they did for the 1990s data centers and classic IT? What has been the most surprising compliance challenge you’ve helped teams debug in your time here?  You also work on standards development –can you tell us about how you got into that and what’s been surprising in that for you?  We often say on this show that an organization’s ability to threat model is only as good as their team’s perspectives are diverse: how has your background shaped your work here?   Resources: Video (YouTube) EP14 Making Compliance Cloud-native EP25 Beyond Compliance: Cloud Security in Europe  Fordham University Law and Technology site IAPP  site  

Guest: Merritt Baer, Field CTO,  Lacework, ex-AWS, ex-USG Topics: How can organizations ensure that their security posture is maintained or improved during a cloud migration? Is cloud migration a risk reduction move? What are some of the common security challenges that organizations face during a cloud migration? Are there different gotchas between the three public clouds? What advice would you give to those security leaders who insist on lift/shift or on lift/shift first? How should security and compliance teams approach their engineering and DevOps colleagues to make sure things are starting on the right foot? In your view, what is the essence of a cloud-native approach to security? How can organizations ensure that their security posture scales as their cloud usage grows? Resources: Video (LinkedIn, YouTube) EP69 Cloud Threats and How to Observe Them EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win? 9 Megatrends drive cloud adoption—and improve security for all Darknet Diaries podcast  

Guests: Emre Kanlikilicer, Senior Engineering Manager @ Google Sophia Gu, Engineering Manager at Google  Topics Workspace makes the claim that unlike other productivity suites available today, it’s architectured for the modern threat landscape. That’s a big claim! What gives Google the ability to make this claim? Workspace environments would have many different types of data, some very sensitive. What are some of the common challenges with controlling access to data and protecting data in hybrid work?  What are some of the common mistakes you see customers making with Workspace security? What are some of the ways context aware access and DLP (now SDP) help with this? What are the cool future plans for DLP and CAA? Resources: Google Workspace blog & Workspace Update blog EP99 Google Workspace Security: from Threats to Zero Trust CISA Zero Trust Maturity Model 2.0  

Guest: Jason Solomon, Security Engineer, Google Topics: Could you share a bit about when you get pulled into incidents and what are your goals when you are? How does that change in the cloud? How do you establish a chain of custody and prove it for law enforcement, if needed? What tooling do you rely on for cloud forensics and is that tooling available to "normal people"?  How do we at Google know when it’s time to call for help, and how should our customers know that it’s time?  Can I quote Ray Parker Jr and ask, who you gonna call? What’s your advice to a security leader on how to “prepare for the inevitable” in this context?  Cloud forensics - is it easier or harder than the 1990s classic forensics?  Resource: EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster? EP103 Security Incident Response and Public Cloud - Exploring with Mandiant Google SRE Workbook (Ch 9) GRR Cloud Logging LibCloudForensics, Turbinia, Timesketch tools

Guest: Arie Zilberstein, CEO and Co-Founder at Gem Security Topics:  How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response? What are the key challenges of cloud detection and response? Often we lift and shift our teams to Cloud, and not always for bad reasons, so  what’s your advice on how to teach the old dogs new tricks: “on-premise-trained” D&R teams and cloud D&R? What is this new CIRA thing that Gartner just cooked up?  Should CIRA exist as a separate market or technology or is this just a slice of CDR or even SIEM perhaps? What do you tell people who say that “SIEM is their CDR”? What are the key roles and responsibilities of the CDR team? How is the cloud D&R process related to DevOps and cloud-style IT processes?  Resources: Video version of this episode Cloud breaches databases EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster? EP103 Security Incident Response and Public Cloud - Exploring with Mandiant EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response? 9 Megatrends drive cloud adoption—and improve security for all “Emerging Tech: Security — Cloud Investigation and Response Automation (CIRA) Offers Transformation Opportunities” (Gartner access required) “Does the World Need Cloud Detection and Response (CDR)?” blog

Guest: Sandra Joyce, VP at Mandiant Intelligence Topics: Could you give us a brief overview of what this power disruption incident was about? This incident involved both Living Off the Land and attacks on operational technology (OT). Could you explain to our audience what these mean and what the attacker did here? We also saw a wiper used to hide forensics, is that common these days? Did the attacker risk tipping their hand about upcoming physical attacks? If we’d seen this intrusion earlier, might we have understood the attacker’s next moves? How did your team establish robust attribution in this case, and how they do it in general? How sure are we, really?  Could you share how this came about and maybe some of the highlights in our relationship helping defend that country? Resources: Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology | Mandiant Andy Greenberg’s book Sandworm  EP155 Cyber, Geopolitics, AI, Cloud - All in One Book?  

Guests: Derek Reveron, Professor and Chair of National Security at the US Naval War College John Savage, An Wang Professor Emeritus of Computer Science of Brown University Topics: You wrote a book on cyber and war, how did this come about and what did you most enjoy learning from the other during the writing process? Is generative AI going to be a game changer in international relations and war, or is it just another tool? You also touch briefly on lethal autonomous weapons systems and ethics–that feels like the genie is right in the very neck of the bottle right now, is it too late? Aside from this book, and the awesome course you offered at Brown that sparked Tim’s interest in this field, how can we democratize this space better?  How does the emergence and shift to Cloud impact security in the cyber age? What are your thoughts on the intersection of Cloud as a set of technologies and operating model and state security (like sovereignty)? Does Cloud make espionage harder or easier?  Resources: “Security in the Cyber Age” book (and their other books’) “Thinking, Fast and Slow” book “No Shortcuts: Why States Struggle to Develop a Military Cyber-Force” book “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age“ book “Active Cyber Defense: Applying Air Defense to the Cyber Domain” EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same? EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith?  

Guest: Mike Schiffman, Network Security “UTL” Topics: Given your impressive and interesting history, tell us a few things about yourself? What are the biggest challenges facing network security today based on your experience? You came to Google to work on Network Security challenges. What are some of the surprising ones you’ve uncovered here? What lessons from Google's approach to network security absolutely don’t apply to others? Which ones perhaps do? If you have to explain the difference between network security in the cloud and on-premise, what comes to mind first? How do we balance better encryption with better network security monitoring and detection? Speaking of challenges in cryptography, we’re all getting fired up about post-quantum and network security. Could you give us the maybe 5 minute teaser version of this because we have an upcoming episode dedicated to this? I hear you have some interesting insight on LLMs, something to do with blueboxing or something. What is that about? Resources: Video EP113 Love it or Hate it, Network Security is Coming to the Cloud EP122 Firewalls in the Cloud: How to Implement Trust Boundaries for Access Control “A History of Fake Things on the Internet” by WALTER J. SCHEIRER Why Google now protects its internal communications from quantum threats How Google is preparing for a post-quantum world NIST on PQC “Smashing The Stack For Fun And Profit” (yes, really)  

Guest: Kevin Mandia, CEO at Mandiant, part of Google Cloud Topics: When you look back, what were the most surprising cloud breaches in 2023, and what can we learn from them? How were they different from the “old world” of on-prem breaches?  For a long time it’s felt like incident response has been an on-prem specialization, and that adversaries are primarily focused on compromising on-prem infrastructure. Who are we seeing go after cloud environments? The same threat actors or not? Could you share a bit about the mistakes and risks that you saw organizations make that made their cloud breaches possible or made them worse? Conversely, what ended up being helpful to organizations in limiting the blast radius or making response easier?  Tim’s mother worked in a network disaster recovery team for a long time–their motto was “preparing for the inevitable.” What advice do you have for helping security teams and IT teams get ready for cloud breaches? Especially for recent cloud entrants? Anton tells his “2000 IDS story” (need to listen for details!) and asks: what approaches for detecting threats actually detects threats today? Resources: EP148 Decoding SaaS Security: Demystifying Breaches, Vulnerabilities, and Vendor Responsibilities "Microsoft lost its keys, and the government got hacked" news article SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures  (must read by every CISO!)

Guest: Michee Smith, Director, Product Management for Global Affairs Works, Google Topics: What is Google Annual Transparency Report and how did we get started doing this?  Surely the challenge of a transparency report is that there are things we can’t be transparent about, how do we balance this? What are those? Is it a safe question? What Access Transparency Logs are and if they are connected to the report –other than in Tim's mind and your career?  Beyond building the annual transparency report, you also work on our central risk data platform. Every business has a problem managing risk–what’s special here? Do we have any Google magic here?  Could you tell us about your path in Product Management here? You have been here eight years, and recently became Director. Do you have any advice for the ambitious Google PMs listening to the show?   Resources: Google Annual Transparency report Access Transparency Logs “Digital Asset Valuation and Cyber Risk Measurement: Principles of Cybernomics“ book Keyun Ruan “Trapped in a frame: Why leaders should avoid security framework traps”  blog

Guest: Monica Shokrai, Head Of Business Risk and Insurance For Google Cloud  Topics: Could you give us the 30 second run down of what cyber insurance is and isn't? Can you tie that to clouds? How does the cloud change it? Is it the case that now I don't need insurance for some of the "old school" cyber risks? What challenges are insurers facing with assessing cloud risks? On this show I struggle to find CISOs who "get" cloud, are there insurers and underwriters who get it? We recently heard about an insurer reducing coverage for incidents caused by old CVEs! What's your take on this? Effective incentive structure to push orgs towards patching operational excellence or someone finding yet another way not to pay out? Is insurance the magic tool for improving security? Doesn't cyber insurance have a difficult reputation with clients? “Will they even pay?” “Will it be enough?” “Is this a cyberwar exception?” type stuff? How do we balance our motives between selling more cloud and providing effective risk underwriting data to insurers? How soon do you think we will have actuarial data from many clients re: real risks in the cloud? What about the fact that risks change all the time unlike say many “non cyber” risks?   Resources: Video (LinkedIn, YouTube) Google Cloud Risk Protection program “Cyber Insurance Policy”  by Josephine Wolff  InsureSec

Guest: Dr Gary McGraw, founder of the Berryville Institute of Machine Learning Topics: Gary, you’ve been doing software security for many decades, so tell us: are we really behind on securing ML and AI systems?  If not SBOM for data or “DBOM”, then what? Can data supply chain tools or just better data governance practices help? How would you threat model a system with ML in it or a new ML system you are building?  What are the key differences and similarities between securing AI and securing a traditional, complex enterprise system? What are the key differences between securing the AI you built and AI you buy or subscribe to? Which security tools and frameworks will solve all of these problems for us?  Resources: EP135 AI and Security: The Good, the Bad, and the Magical Gary McGraw books “An Architectural Risk Analysis Of Machine Learning Systems: Toward More Secure Machine Learning“ paper “What to think about when you’re thinking about securing AI” Annotated ML Security bibliography   Tay bot story (2016) “Can you melt eggs?” “Microsoft AI researchers accidentally leak 38TB of company data” “Random number generator attack” “Google's AI Red Team: the ethical hackers making AI safer” Introducing Google’s Secure AI Framework

Guests: John Stoner, Principal Security Strategist, Google Cloud Security Dave Herrald, Head of Adopt Engineering, Google Cloud Security Topics: In your experience, past and present, what would make clients trust vendor detection content? Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from? What is more important, seeing the detection or being able to change it, or both? If this is about seeing the detection code/content, what about ML and algorithms? What about the SOC analysts who don't read the code? What about “tuning” - is tuning detections a bad word now in 2023? Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic? Resources: Video (Linkedin, YouTube) Github rules for Chronicle DetectionEngineering.net by Zack Allen “On Trust and Transparency in Detection” blog “Detection as Code? No, Detection as COOKING!” blog EP64 Security Operations Center: The People Side and How to Do it Right EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil Why is Threat Detection Hard? Detection Engineering is Painful — and It Shouldn’t Be (Part 1, 2, 3, 4, 5)  

Guest: Adrian Sanabria,  Director of Valence Threat Labs at Valence Security, ex-analyst Topics: When people talk about “cloud security” they often forget SaaS, what should be the structured approach to using SaaS securely or securing SaaS? What are the incidents telling us about the realistic threats to SaaS tools? Is the Microsoft 365 breach a SaaS breach, a cloud breach or something else? Do we really need CVEs for SaaS vulnerabilities? What are the least understood aspects of securing SaaS? What do you tell the organizations who assume that “SaaS vendor takes care of all SaaS security”? Isn’t CASB the answer to all SaaS security issues? We also have SSPM now too? Do we really need more tools? Resources: VIdeo (LinkedIn, YouTube) EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response? Valence 2023 State of SaaS Security report DHS Launches First-Ever Cyber Safety Review Board Enterprise Security Weekly podcast CloudVulnDb and another cloud vulnerability list Cyber Safety Review Board (CSRB) by CISA

Guest:  Kelli Vanderlee, Senior Manager, Threat Analysis, Mandiant at Google Cloud Topics: Can you really forecast threats? Won’t the threat actors ultimately do whatever they want? How can clients use the forecast? Or as Tim would say it, what gets better once you read it? What is the threat forecast for cloud environments? It says “Cyber attacks targeting hybrid and multi-cloud environments will mature and become more impactful“ - what does it mean? Of course AI makes an appearance as well: “LLMs and other gen AI tools will likely be developed and offered as a service to assist attackers with target compromises.” Do we really expect attacker-run LLM SaaS? What models will they use? Will it be good? There are a number of significant elections scheduled for 2024, are there implications for cloud security? Based on the threat information, tell me about something that is going well, what will get better in 2024? Resources: 2024 Google Cloud Security Forecast Report EP112 Threat Horizons - How Google Does Threat Intelligence EP135 AI and Security: The Good, the Bad, and the Magical How to Stop a Ransomware Attack Sophisticated StripedFly Spy Platform Masqueraded for Years as Crypto Miner  

Guest: Wei Lien Dan, GP at Unusual Ventures  Topics:  We have a view at Google that AI for security and security for AI are largely separable disciplines. Do you feel the same way? Is this distinction a useful one for you?  What are some of the security problems you're hearing from AI companies that are worth solving?  AI is obviously hot, and as always security is chasing the hotness. Where are we seeing the focus of market attention for AI security? Does this feel like an area that's going to have real full products or just a series of features developed by early stage companies that get acquired and rolled up into other orgs?  What lessons can we draw on from previous platform shifts, e.g. cloud security, to inform how this market will evolve?  Resources: “What to think about when you’re thinking about securing AI” blog / paper EP135 AI and Security: The Good, the Bad, and the Magical EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It? EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models Introducing Google’s Secure AI Framework OWASP Top 10 for Large Language Model Applications Unusual VC Startup Field Guide Demystifing LLMs and Threats by Caleb Sima

Guest: Jay Thoden van Velzen, Strategic Advisor to the CSO, SAP  Topics: What are the challenges with shared responsibility for cloud security? Can you explain "shared" vs "separated" responsibility? In your article, you mention “shared faith”, we have “shared fate”, but we never heard of shared faith. What is this? Can you explain? What about the cloud models (SaaS, PaaS, IaaS), how does this sharing model differ? While at it, what is cloud, really? [yes, we really did ask this!]  Resources: LinkedIn post and  Blog EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge “Security Chaos Engineering” book Shared responsibility failures blog Shared fate at Google Cloud (also see blogs one and two) National Cyber Security strategy

Guest: Kathryn Shih, Group Product Manager, LLM Lead in Google Cloud Security Topics: Could you give our audience the quick version of what is an LLM and what things can they do vs not do?  Is this “baby AGI” or is this a glorified “autocomplete”? Let’s talk about the different ways to tune the models, and when we think about tuning what are the ways that attackers might influence or steal our data? Can you help our security listener leaders have the right vocabulary and concepts to reason about the risk of their information a) going into an LLM and b) getting regurgitated by one? How do I keep the output of a model safe, and what questions do I need to ask a vendor to understand if they’re a) talking nonsense or b) actually keeping their output safe?  Are hallucinations inherent to LLMs and can they ever be fixed? So there are risks to data and new opportunities for attacks and hallucinations. How do we know good opportunities in the area given the risks?  Resources: Retrieval Augmented Generation (or go ask Bard about it) “New Paper: “Securing AI: Similar or Different?“”  blog

Guests: Tomer Schwartz, Dazz CTO Topics: It seems that in many cases the challenge with cloud configuration weaknesses is not their detection, but remediation, is that true? As far as remediation scope, do we need to cover  traditional vulnerabilities (in stock and custom code), configuration weaknesses and other issues too? One of us used to cover vulnerability management at Gartner, and in many cases the remediation failures [on premise] were due to process, not technology, breakdowns. Is this the same in the cloud? If still true, how can any vendor technology help resolve it? Why is cloud security remediation such a headache for so many organizations? Is the friction real between security and engineering teams? Do they have any hope of ever becoming BFFs? Doesn’t every CSPM (and now ASPM too?) vendor say they do automated remediation today? How should security pros evaluate solutions for prioritizing, triaging, and fixing issues? Resources: Video (YouTube, LinkedIn) Cloud Security Remediation for Dummies EP3 Automate and/or Die? EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?’ EP54 Container Security: The Past or The Future? EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity? A Guide to Building a Secure SDLC 8 Megatrends drive cloud adoption—and improve security for all  

Host: Stephanie Wong, Product Manager, Google Cloud Guests (yes, really, we are the guests!): Anton Chuvakin Tim Peacock Topics: Could you tell us how you ended up in security? What was the moment you realized that Cloud security was different from well, regular, security?   Anton is always asking this “3AM test”, where did that come from? How do you source topics for the podcast? What advice would you give to folks who are interested in getting into security? … and other fun questions! Resources: Video (LinkedIn, YouTube) Cloud Security Podcast by Google / Twitter / LinkedIn

Guest:  Jeremiah Kung, Global Head of Information Security, AppLovin Topics: Before we dive into all of the awesome cloud migrations you’ve experienced and your learnings there, could we start with a topic of East vs West CISO mentality? We are talking to more and more CISOs who see the cloud as a net win for security. What’s your take on whether the cloud improves security?  We talked about doing some “big” cloud migrations, could you talk about what you learned back in 2015 about the “right” way to do a cloud migration and how you’ve applied those lessons since?  How are you approaching securing clouds differently in 2023 (vs the dark past of 2015)? What advice would you give your peers to get out of the “saying no” mentality and into a better collaborative mode?  On the topic of giving advice to people who haven’t asked for it, what advice would you give to teams who are stuck in 1990s thinking when it comes to lift and shifting their security technology stack to cloud?  Resources: EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen! EP129 How CISO Cloud Dreams and Realities Collide EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen! EP11 Preparing for Cloud Migrations from a CISO Perspective, Part 2 “How CISOs need to adapt their mental models for cloud security” blog “Superforecasting” book “American Generalship” book  

Guest:  Andrew Hoying, Senior Security Engineering Manager @ Google Topics: What is different about system hardening today vs 20 years ago?  Also, what is special about hardening systems at Google massive scale? Can I just apply CIS templates and be done with it? Part of hardening has to be following up with developers after they have un-hardened things – how do we operationalize that at scale without getting too much in the way of productivity? A part of hardening has got to be responding to new regulation and compliance regimes, how do you incorporate new controls and stay responsive to the changing world around us? Are there cases where we have taken lessons from hardening at scale and converted those into product improvements? What metrics do you track to keep your teams moving, and what metrics do your leads look at to understand how you’re doing? [Spoiler: the answer here is VERY fun!] Resources: “Why Shared Fate is a Better Way to Manage Cloud Risk” article (and this too) CIS for GCP GCP IAM Deny CloudSecList by Marco Lancini

Guest: Chris Corde, Sr Director of Product Management - Security Operations, Google Cloud Topics: You cover many products, but let’s focus on Chronicle today. An easy question: Chronicle isn’t an XDR, so what is it? Since you’ve joined the team, what’re you most proud of shipping to clients? Could you share more about the Mandiant acquisition,  what’s been a happy surprise and what are you looking forward to making available to customers? Some believe that good security operations success is mostly about process, yet we are also building these amazing products. What is your view of how much security ops success hinges on products vs practices? When it comes to building out Chronicle’s position in the market, how are we leveraging the depth of expertise that people have with other SIEM tools compared to ours? What advice do you have for security professionals who want to transition into product management?  Resources: EP44 Evolving a SIEM for the Future While Learning from the Past EP82 Mega-confused by XDR? You Are Not Alone! This XDR Skeptic Clarifies!  

Guest: Rosemary Wang, Developer Advocate at HashiCorp  Topics: Could you give us a 2 minute picture on what Terraform is, what stages of the cloud lifecycle it is relevant for, and how it intersects with security teams? How can Terraform be used for security automation? How should security teams work with DevOps teams to use it? What are some of the obvious and not so obvious security challenges of using Terraform? How can security best practices be applied to infrastructure instantiated via Terraform? What is the relationship between Terraform and policy as code (PaC)? How do you get started with all this? What do you tell the security teams who want to do cloud security the “old way” and not the cloud-native way?  Resources: Video (LinkedIn, YouTube) “EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?” Policy as Code with HashiCorp Sentinel or Open Policy Agent (OPA) for Terraform “Terraform Cloud adds Vault-backed dynamic credentials” blog Google Cloud Provider for Terraform Security & Authentication Providers for Terraform “Sloth’s Guide to Mindfulness” book

Guests:  no guests, all banter, all very fun :-) Topics: How is Google Next this year? What is new in cloud security? Is Google finally a security vendor? What are some of the fun security presentations we've seen, including our own? Any impactful launches in security? What was the most interesting overall? Resources: “Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?” (ep136) “RSA 2023 - What We Saw, What We Learned, and What We're Excited About” (ep119) “Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?” (ep67) “Detecting, investigating, and responding to threats in your Google Cloud environment” at Cloud Next 2023 by Anton “Prevent cloud compromises: Learn how Uber discovers cyber risks and remediates threats” at Cloud Next 2023 by Tim “Generative AI for defenders with Sec-PaLM 2 and Duet AI” at Cloud Next 2023 by Eric Doerr (his episode) “A blueprint for modern security operations” at Cloud Next 2023 by our future guest, Chris… Kevin Mandia at Next keynote (start at 1:15:00) “New AI capabilities that can help address your security challenges” blog

Guest:  Eric Doerr, VP of Engineering, Google Cloud Security  Topics: You have a Next presentation on AI, what is the most exciting part for you? We care both about securing AI and using AI for security. How do you organize your thinking about it? Executive surveys imply that trusting an AI (for business) is still an issue. How can we trust AI for security? What does it mean to “trust AI” in this context?  How should defenders think about threat modeling AI systems?  Back to using AI for security, what are the absolute worst security use cases for GenAI? Think “generate code and run it on prod” or something like that? What does it mean to “teach AI security” like we did with Sec-PALM2? What is actually involved in this? What were some surprising challenges we ran into here?  Resources: “Generative AI for defenders with Sec-PaLM 2 and Duet AI” presentation at Google Cloud Next 2023 “The Prompt: What to think about when you’re thinking about securing AI” and a new paper on securing AI “AI and Security: The Good, the Bad, and the Magical” (ep135) Monitor and secure Vertex AI “Introducing Google’s Secure AI Framework” blog “Project Hail Mary” book

Guest: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics: Why is AI a game-changer for security? Can we even have game-changers in cyber security? Is it more detection or is it more reducing toil and making humans more productuve? What are you favorite AI for security use cases? What “AI + security” issue makes you  - a classic CISO question  here - lose sleep at night? Does AI help defenders or attackers more? Won’t attackers adopt faster because they don’t have as many rules (but yes, they have bosses and budgets too)?  Aren’t there cases where defenders benefit a lot more and gain a superpower with AI while attackers are faced with defeat? Is securing AI more similar or more different from securing other enterprise systems? Does shared fate apply to AI?  Resources: “Securing AI: Similar or Different?” paper by Office of the CISO at Google Cloud “Secure AI Framework Approach"  Supercharge security with AI Board of Directors Insights Hub “Lessons from the future: Why shared fate shows us a better cloud roadmap” blog “Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security” (ep47) “Securing Multi-Cloud from a CISO Perspective, Part 3” (ep22) “Google Cybersecurity Action Team: What's the Story?” (ep37) “Google Cybersecurity Action Team: One Year Later!” (ep90)

Guest:  Steph Hay , Director of UX, Google Cloud Security Topics: The importance of User Experience (UX) in security is so obvious – though it isn’t to a lot of people! Could we talk about the importance of UX in security? UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this? How do you think about prioritizing your team’s time between day zero vs day n experiences for users of security tools? Some say that cloud security should be invisible, but does this mean no UX at all? What are the intersections between UX for security and invisible security? Can you think of what single UX change in Cloud Security’s portfolio made the biggest impact to actual security outcomes?  We have this new tool/approach for planning called Jobs To Be Done (JTBD)  - give us the value, and the history? In the world of JTBD planning, what gets better? Resources: JTBD Framework GCP IAM Recommender Recaptha Enterprise  

Guest:  Steve McGhee, Reliability Advocate at Google Cloud  Aron Eidelman, Developer Relations Engineer at Google Cloud Topics: What is the shared problem for SRE and security when it comes to alerting? Why is there reluctance to reduce noise? How do SREs, security practitioners, and other stakeholders define “incident” and “risk”? How does involving an “adversary” change the way people think about an incident, even if the impact is identical? Which SRE alerting lessons do NOT apply at all for security? Resources: Video (LinkedIn, YouTube) “Deploy Security Capabilities at Scale: SRE Explains How” (ep85) Steve talk about probability and SLO math at SLOconf   Why Focus on Symptoms, Not Causes? Learning from incidents (LFI) science How to measure anything in cyber security risk book Security chaos engineering book The SRS Book Ch 1 The SRE book Ch 4   

Guest: Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly Topics:  So what is Security Chaos Engineering? “Chapter 5. Operating and Observing” is Anton’s favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection? How chaos engineering (or is it really about software resilience?)  intersects with Cloud security - is this peanut butter and chocolate or more like peanut butter and pickles? How can organizations get started with chaos engineering for software resilience and security? What is your favorite chaos engineering experiment that you have ever done? We often talk about using the SRE lessons for security, and yet many organizations do security the 1990s way. Are there ways to use chaos engineering as a forcing function to break people out of their 1990s thinking and time warp them to 2023? Resources: Video (LinkedIn, YouTube) “Security Chaos Engineering: Sustaining Resilience in Software and Systems” by Kelly Shortridge, Aaron Rinehart “Cybersecurity Myths and Misconceptions” book “Designing Data-Intensive Applications: The Big Ideas Behind Reliable, Scalable, and Maintainable Systems“ book “Normal Accidents: Living with High-Risk Technologies” book “Deploy Security Capabilities at Scale: SRE Explains How” (ep85) “The Good, the Bad, and the Epic of Threat Detection at Scale with Panther” (ep123) “Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?” (ep117) IKEA Effect “Modernizing SOC ... Introducing Autonomic Security Operations” blog

Guests: Himanshu Khurana, Engineering Manager, Google Cloud Rahul Gupta, Product Manager for Assured OSS, Google Cloud Topics: For the software you’re supporting in Assured Open Source your team discovered 50% of the CVEs reported in them this year. How did that happen?  So what is Assured Open Source? Do we really guarantee its security? What does “guarantee” here mean? What’re users actually paying for here? What’s the Google magic here and why are we doing this?  Do we really audit all code and fuzz for security issues? What’s a supply chain attack and then we’ll talk about how this is plugging into those gaps?  Resources: Assured Open Source Software page “SBOMs: A Step Towards a More Secure Software Supply Chain” (ep116) “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24) SLSA.dev blog Open Source Security Podcast Mandiant M-Trends 2023  

Guest:  Steve Riley, Field CTO, Netskope, ex-Gartner Research VP Topics: Analysts (well, like Steve and Anton in the past?) say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this today? When clients hear “use cloud securely”, what do you think comes to their minds? How would you approach planning for secure use of the cloud or using cloud securely? What is your view of cloud defense in depth (DiD) or layered defenses? How do you suggest clients think about it? What about DiD for SaaS? What are your thoughts on the evolution of zero trust? How has it changed since its introduction back in 2010? Awareness of and interest in SSE and SASE is growing. But at the same time, plenty of folks seem deeply perplexed by these. How would you explain them to someone not deeply immersed in the details?  Resources: Video (LinkedIn, YouTube) Bruce Schneier books Netskope blog “Deploy Security Capabilities at Scale: SRE Explains How” (ep85) “Zero Trust: Fast Forward from 2010 to 2021” (ep8) “Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?” (ep76) “How to Approach Cloud in a Cloudy Way, not As Somebody Else’s Computer?” (ep115) "Use Cloud Securely? What Does This Even Mean?!" "How to Solve the Mystery of Cloud Defense in Depth?"

Guest: Rick Doten, VP, Information Security at Centene Corporation, CISO Carolina Complete Health  Topics:  What are the realistic cloud risks today for an organization using public cloud?  Is the vendor lock-in on that list?  What other risks everybody thinks are real, but they are not? What do you tell people who in 2023 still think “they can host Exchange better themselves” and have silly cloud fears? What do you tell people who insist on “copy/pasting” all their security technology stack from data centers to the cloud? Cloud providers have greater opportunity not only to see issues, but to learn how to react well. Do you think this argument holds water?  What are the most challenging security issues for multi-cloud and hybrid cloud security? How does security chasm (between security haves and have-notes) affect cloud security? Your best cloud security advice for an organization with a security team of 0 FTEs and no CISO?  Resources: Video (LinkedIn, YouTube) Rick Doten on YouTube Defining Cloud Security by Rick Doten Cloud Security Alliance materials Mandiant M-Trends 2023  

Guest:  John Doyle, Principle Intelligence Enablement Consultant at Mandiant / Google Cloud  Topics: You have created a new intelligence class focused on building enterprise threat intelligence capability, so what is the profile of an organization and profile for a person that benefits the most from the class? There are many places to learn threat intel (TI), what is special about your new class?  You talk about country cyber operations in the class, so what is the defender - relevant difference between, say, DPRK and Iran cyber doctrines? More generally, how do defenders benefit from such per country intel? Can you really predict what the state-affiliated attackers would do to your organization based on the country doctrine? In many minds, TI is connected to attribution. What is your best advice on attribution to CISOs of well-resourced organizations? What about mainstream organizations? Overall we see a lot of organizations still failing to operationalize TI, especially strategic TI, how does this help them? Resources: The new class “Inside the Mind of APT” “Navigating Tradeoffs of Attribution” paper Sands Casino hack 2014 "Threat Horizons - How Google Does Threat Intelligence" (ep112)  

Guest: Ian Glazer, founder at Weave Identity, ex-Gartner, ex-SVP of Products at Salesforce, co-founder of IDPro Topics: OK, tell us why Identity and Access Management (IAM) is exciting (is it exciting?) Could you also explain why IAM is even more exciting in the cloud?  Are you really “one IAM mistake away from a breach” in the cloud?  What advice would you give to someone new to IAM? How to not just “learn IAM in the cloud” but to keep learning IAM? Is what I know about IAM in AWS the same as knowing IAM for GCP? What advice do you have for teams operating in a multi-cloud world? What are the top cloud IAM mistakes? How to avoid them? Resources: Video (LinkedIn, YouTube) IDPro association and BoK SCIM v2 standard EP60 Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM? EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response? EP94 Meet Cloud Security Acronyms with Anna Belak  

Guests:  Dominik Richter, the founder and head of product at Mondoo Cooked questions: What is a policy, is that the same as a control, or is there a difference? And what’s the gap between a policy and a guardrail?  We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud? Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now? Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams? How do organizations grow into safely rolling out new policy as code code?  You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance"  and this problem has been unsolved for as long as the cloud existed. Will your toolset change this?  There are other frameworks that exist for security testing like HashiCorp’s sentinel, Open Policy Agent, etc and you are proposing a new one with MQL. Why do we need another security framework? What are some of the success metrics when adopting  Policy as Code?  Resources: Live video (LinkedIn, YouTube) “Why Infrastructure as Code Is Setting You up to Make Bad Things Faster” blog

Guest: David Swift, Security Strategist at Netenrich Topics: Which old Security Information and Event Management (SIEM) lessons apply today? Which old SIEM lessons absolutely do not apply today and will harm you? What are the benefits and costs of SIEM in 2023? What are the top cloud security use cases for SIEM in 2023? What are your favorite challenges with SIEM in 2023 special in the cloud? Are they different from, say, 2013 or perhaps 2003? Do you think SIEM can ever die?   Resources: Live video (LinkedIn, YouTube) “Debating SIEM in 2023, Part 1” and  “Debating SIEM in 2023, Part 2” blogs “Detection as Code? No, Detection as COOKING!” blog “A Process for Continuous Security Improvement Using Log Analysis” (old but good) “UEBA, It's Just a Use Case” blog “Situational Awareness Is Key to Faster, Better Threat Detection” blog and other SIEM reading MITRE 15 detection techniques paper  

Guest: Panos Mavrommatis, Senior Engineering Director at Google Cloud Topics: Could you give us the 30 second overview of our favorite “billion user security product” - SafeBrowsing - and, since you were there, how did it get started? SafeBrowsing is a consumer and business product – are you mitigating the same threats and threat models on each side? Making this work at scale can’t be easy, anytime we’re talking about billion device protection, there are massive scale questions. How did we make it work at such a scale?  Talk to us about the engineering and scaling magic behind the low false positive rate for blocking? Resources: “Foundryside” book

Guest: Jack Naglieri, Founder and CEO at Panther Topics: What is good detection, defined at micro-level for a rule or a piece of detection content?  What is good detection, defined at macro-level for a program at a company?  How to reliably produce good detection content at scale? What is a detection content lifecycle that reliably produces good detections at scale? What is the purpose of a SIEM today? Where do you stand on a classic debate on vendor-written vs customer-created detection content? Resources: “Essentialism” book “The 5 AM Club”  book “Good to Great” book  “Why Is Threat Detection Hard” blog “Think Like a Detection Engineer, Pt. 2: Rule Writing” blog “Detection as Code? No, Detection as COOKING!”  blog Open Cybersecurity Schema Framework (OCSF)  

Guest: Michele Chubirka, Senior Cloud Security Advocate, Google Cloud Topics: So, if somebody wakes you up at 3AM (“Anton’s 3AM test”) and asks “Do we need firewalls in the cloud?” what would you say? Firewalls (=virtual appliances in the cloud or routing cloud traffic through physical firewalls) vs firewalling (=controlling network access) in the cloud, do they match the cloud-native realities? How do you implement trust boundaries for access control with cloud-native options? Can you imagine a modern cloud native security architecture that includes a firewall? Can you imagine a modern cloud native security architecture that excludes any firewalling?  Firewall, NIDS, NIPS, NGFW …. How do these other concepts map to the cloud? How do you build a "traditional-like" network visibility layer in the cloud (and do we need to)? Resources: Video version of this episode: LinkedIn or YouTube “Security Architect View: Cloud Migration Successes, Failures and Lessons” (ep105) “Love it or Hate it, Network Security is Coming to the Cloud” with Martin Roesch (ep113) Gartner Bimodal IT definition Ross Anderson “Security Engineering” book The New Stack blog Trireme tool CNCF site security landscape Google Cloud Firewall

Guests:  Nelly Porter, Group Product Manager, Google Cloud Rene Kolga, Senior Product Manager, Google Cloud Topics: Could you remind our listeners what confidential computing is? What threats does this stop? Are these common at our clients?  Are there other use cases for this technology like compliance or sovereignty? We have a new addition to our Confidential Computing family - Confidential Space. Could you tell us how it came about? What new use cases does this bring for clients? Resources: “Confidentially Speaking” (ep1) “Confidentially Speaking 2: Cloudful of Secrets” (ep48) “Introducing Confidential Space to help unlock the value of secure data collaboration” Confidential Space security overview “The Is How They Tell Me The World Ends” by Nicole Perlroth NIST 800-233 “High-Performance Computing (HPC) Security: Architecture, Threat Analysis, and Security Posture”

Guest: Jeff Reed, VP of Product,  Cloud Security @ Google Cloud Topics: You’ve had a long career in software and security, what brought you to Google Cloud Security for this role? How do you balance the needs of huge global financials that often ask for esoteric controls (say EKM with KAJ) vs the needs of SMBs that want easy yet effective, invisibility security? We’ve got an interesting split within our security business: some of our focus is on making Google Cloud more secure, while some of our focus is on selling security products.  How are you thinking about the strategy and allocation between these functions for business growth? What aspects of Cloud security have you seen cloud customers struggle with the most? What’s been the most surprising or unexpected security challenge you’ve seen with our users? “Google named a Leader in Forrester Wave™ IaaS Platform Native Security” - can you share a little bit about how this came to be and what was involved in this? Is cloud migration a risk reduction move?  Resources: “Google named a Leader in Forrester Wave™ IaaS Platform Native Security” “Sunil Potti on Building Cloud Security at Google” (ep102) Books by Haruki Murakami We are hiring product managers!

Guest: Connie Fan, Senior Product and Business Strategy Lead, Google Cloud Topics: We were at RSA 2023, what did we see that was notable and surprising? Cloud security showed up with three startups with big booths, and one big player with a small demo station. What have we learned here? What visitors might have seen at the Google Cloud booth that we're really excited about? Could you share why we chose these two AI cases - generation of code and summarization of complex content - out of all the possibilities and the sometimes zany things we saw elsewhere on the floor? Could you share a story or two that highlights how we came to this AI launch and what it looked like under the surface?  Resources: “RSA 2023 - How to Protect Your Organization from Cyberattacks in Time of Political Turmoil” (ep118) “RSA 2022 Reflections - Securing the Past vs Securing the Future” (ep70) “How We Attack AI? Learn More at Our RSA Panel!” (ep68) “Security Operations, Reliability, and Securing Google with Heather Adkins” (ep20)

Guests:   Shanyn Ronis, Head of the Mandiant Communication Center John Miller,   Head of Mandiant Intelligence Analysis Topics: It seems like we’re seeing more cyber activity taking place in the context of geopolitical events. A lot of organizations struggle to figure out if/how to respond to these events and any related cyber activity.  What advice do you have for these organizations and their leadership? A  lot of threat intel (TI) suffers from “What does this event mean for threats to our organization?” - sort of how to connect CNN to your IDS? What is your best advice on this to a CISO?  TI also suffers from “1. Get TI 2. ??? 3. Profit!” - how does your model help organizations avoid this trap?  Surely there are different levels of granularity here to TI and its relevance. Is what a CISO needs different from what an IR member needs? Do you differentiate your feed along those axes? What does success look like? How will organizations know when they’re successful? What are good KPIs for these types of threat intelligence? In other words, how would customers know they benefit from it? Is there anything unique that cloud providers can do in this process? Resources: RSA 2023 Session “Intelligently Managing the Geopolitics and Security Interplay” on Wed Apr 26 9:40AM “Sandworm” by Andy Greenberg “Reading Mandiant M-Trends 2023”  

Guest: Maxime Lamothe-Brassard,  Founder @ LimaCharlie Topics: What does an engineering-centric approach to cybersecurity mean? What to tell people who want to "consume" rather than "engineer" security? Is “engineering-centric” approach the same as evidence-based or provable?  In practical terms, what does it mean to adopt an "engineering-centric approach" to cybersecurity for an organization?  How will it differ from what we have today? What will it enable? Can you practice this with a very small team? How about a very small team of “non engineers”? You seem to say that tomorrow's cybersecurity will look a lot like software engineering. Where do we draw the line between these two? Resources: Atomic Red Team Sigma rules/content LimaCharlie blog 8 Megatrends drive cloud adoption—and improve security for all The Cybersecurity Defenders Podcast

Guest: Isaac Hepworth, PM focused on Software Supply Chain Security @ Google Cooked questions: Why is everyone talking about SBOMs all of a sudden? Why does this matter to a typical security leader? Some software vendors don’t want SBOM, and this reminds us of the food safety rules debates in the past, how does this analogy work here? One interesting challenge in the world of SBOMs and unintended consequences is that large well resourced organizations may be better equipped to produce SBOMs than small independent and open source projects. Is that a risk? Is the SBOM requirement setting the government up to be overly reliant on megacorps and are we going to unintentionally ban open source from the government?  What is the relationship between SBOM and software liability? Is SBOM a step to this? Won’t software liability kill open source? How does Google prepare for EO internally; how do we use SBOM and other related tools? To come back to the food analogy, SBOMs are all well and good, but the goal is not that consumers know they’re eating lead, but rather that our food becomes healthier. Where are we heading in the next five years to improve software supply chain "health and safety"? Resources: Full video of this episode (YouTube / LinkedIn) “Executive Order on Improving the Nation’s Cybersecurity” “M-22-18 Memorandum For The Heads of Executive Departments and Agencies“ SLSA.dev  “How to SLSA Part 3 - Putting it all together” Assured Open Source Software NIST Secure Software Development Framework (SSDF) “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24) “2022 Accelerate State of DevOps Report and Software Supply Chain Security” (ep100)

Guest:  Rafal Los, Head of Services Strategy @ Extrahop and Founder of Down the Security Rabbit Hole podcast Topics: You had a very fun blog where you reminded the world that many organizations still approach cloud as a rented data center, do you still see it now? Do you think this will persist for 3, 5, 10 years? Other than microservices, what’re the most important differences between public cloud and a rented data center for a CISO to keep in mind? Analysts say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this?  Actually, how do you define “use cloud securely”? Have you met any CISOs who are active cloud fans who prefer cloud for security reasons? You also work for an NDR vendor, do you think NDR in the cloud has a future?  Resources: Full video of this episode (YouTube / LinkedIn) Down the Security Rabbithole Podcast (DtSR) podcast “A Little Truth About the Cloud” “Megatrends drive cloud adoption—and improve security for all” “CISO Walks Into the Cloud: And The Magic Starts to Happen!” (ep104) “Threat Models and Cloud Security” (ep12) “Security Architect View: Cloud Migration Successes, Failures and Lessons” (ep105)  “Patrolling Cyberspace” book (2006)

Guest: Chris John Riley, Senior Security Engineer and a Technical Debt Corrector  @ Google  Topics: We’ve heard of MVP, what is MVSP or Minimal Viable Secure Product? What problem is MVSP trying to solve for the industry, community, planet, etc? How does MVSP actually help anybody? Who is the MVSP checklist for? Leaders or engineers? How does MVSP differ from compliance standards like ISO 27001, or even SOC 2? How does Google use MVSP? Has it improved our security in some way? How to balance the dynamic nature of security with minimal security basics? The working group has recently completed a control refresh for 2022, what are some highlights?  Resources: Mvsp.dev  SLSA Levels MVSP (Minimum Viable Secure Product) Compliance “Phantoms in the Brain” book ”Strengthen Basic Security Hygiene With a Two-Pronged Security Architecture Approach” FIRST Impressions podcast  

Guest:  Martin Roesch, CEO at Netography, creator of Snort Topics: What is the role of network security in the public cloud? Networks used to be the perimeter, now we have an API and identity driven perimeter. Are networks still relevant as a layer of defense? We often joke that “you don’t need to get your firewalls with you to the cloud”, is this really true? How do you do network access control if not with firewalls? What about the NIDS? Does NIDS have a place in the cloud? So we agree that some network security things drop off in the cloud, but are there new network security threats and challenges? There’s cloud architecture and then there’s multi cloud and hybrid architectures–how does this story change if we open the aperture to network security for multi cloud and hybrid?  Should solutions that provide cloud network security be in the cloud themselves? Is this an obvious question? Resources: Book “Who: The A Method for Hiring” by Geoff Smart, Randy Street Netography resources Snort ““Hacking Google”, Op Aurora and Insider Threat at Google” (ep91) “Zero Trust: Fast Forward from 2010 to 2021” (ep8) “Gathering Data for Zero Trust” (ep4)

Guest:  Charles DeBeck, Cyber Threat Intel Expert @ Google Cloud Topics: What is unique about Google Cloud approach to threat intelligence? Is it the sensor coverage? Size of the team? Other things? Why is Threat Horizons report unique among the threat reports released by other organizations? Based on your research, what are the realistic threats to cloud environments today? What threats are prevalent and what threats are most damaging? Where do you see things in 2023? What should companies look for?  What’s one thing that surprised you when preparing the report? What do you think will surprise audiences? What is the most counter-intuitive hardening and operational advice can we glean from this Threat Horizons report?  What's most important to know when it comes to understanding OT and cloud? Resources: Google Threat Horizons Reports One, Two, Three, Four, Five “Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity” Corey Quinn on cloud billing alerts  

Guest:  Brandon Evans, Infosec Consultant and Certified Instructor and Course Author at SANS Topics: What got you interested in security and motivated you to make this your area of focus? You came from a developer background, right? Occasionally, we hear the sentiment that “developers don’t care about security,” how would you counter it (and would you?)? How do we encourage developers and operations to use the appropriate security controls and settings in the cloud? Is “encourage” the right word? Can we really do “secure by default” but for developers? What do you think are the main application security issues that developers need to deal with in the cloud? You mentioned software supply chain security, do you treat this as a part of application security? How important is this, realistically, for an average organization and its developers? Going to our favorite subject of threat detection, how do you think we can better encourage developers to supply the logs necessary for our detection and response teams to act upon? Resources: “Cloud Security: Making Cloud Environments a Safer Place” ebook by SANS SANS.org/cloud site “The Phoenix Project” book by Gene Kim et al “The Unicorn Project” book by Gene Kim “Next Special - Log4j Reflections, Software Dependencies and Open Source Security” (EP87) “2022 Accelerate State of DevOps Report and Software Supply Chain Security” (EP100) “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (EP24)

Guest:  David Seidman, Head of Detection and Response @ Robinhood Toipics: Tell us about joining Robinhood and prioritizing focus areas for detection in your environment? Tim and Anton argue a lot about what kind of detection is best - fully bespoke and homemade, or scalable off-the-shelf. First, does our framework here make sense, and second, looking at your suite of detection capabilities, how have you chosen to prioritize detection development and detection triage? You're operating in AWS: there are a lot of vendors doing detection in AWS, including AWS themselves. How have you thought about choosing your detection approaches and data sources? Finding people with as much cloud expertise as you can't be easy: how are you structuring your organization to succeed despite cloud detection and response talent being hard to find? What matters more: detection skills or cloud skills? What has been effective in ramping up your D&R team in the cloud? What are your favorite data sources for detection in the cloud? Resources: “Detection as Code? No, Detection as COOKING!” “On Threat Detection Uncertainty” “Radical Candor” by Kim Scott “Daring Greatly” by Brene Brown “Extreme Ownership” by Jocko Willink “Drive” by Daniel Pink  

Guest:  Ana Oprea, Staff Security Engineer, European Lead of Vulnerability Coordination Center @ Google Topics: What is the scope for the vulnerability management program at Google? Does it cover  OS, off-the-shelf applications, custom code we wrote … or all of the above? Our vulnerability prioritization includes a process called “impact assessment.” What does our impact assessment for a vulnerability look like? How do we prioritize what to remediate? How do we decide on the speed of remediation needed? How do we know if we’ve done a good job? When we look backwards, what are our critical metrics (SLIs and SLOs) and how high up the security stack is the reporting on our progress? What of the “Google Approach” should other companies not try to emulate? Surely some things work because of Google being Google, so what are the weird or surprising things that only work for us? Resources: SRS Book, Chapter 20: Understanding Roles and Responsibilities and Chapter 21: Building a Culture of Security and Reliability  Why Google Stores Billions of Lines of Code in a Single Repository  SRE book and SRE Workbook “How Google Secures It's Google Cloud Usage at Massive Scale” (ep107) “Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance” (ep66) “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75)

Guest:  John Stoner, Principal Security Strategist @ Google Cloud Topics: Please define threat hunting  for us quickly, the term has been corrupted a bit What are your favorite beginner hunts to jump start the effort at a new team? How to incorporate hunting lessons in detection? What are the differences for hunting in the cloud? Are there specific data sources you prefer to have access to when threat hunting? In the cloud? Should every organization threat hunt? What are traits you might look for in a threat hunter? Resources: “The Who, What, Where, When, Why and How of Effective Threat Hunting” Awesome Threat Detection and Hunting  “My “Aha!” Moment - Methods, Tips, & Lessons Learned in Threat Hunting” video NIST Computer Security Incident Handling Guide 800-61 “Threat Hunting Is Not for Everyone” (2020) “Formulating An Intelligence-Driven Threat Hunting Methodology”  video

Guest: Karan Dwivedi, Security Engineering Manager, Enterprise Infrastructure Protection @ Google Cloud Topics: Google’s use of Google Cloud is a massive cloud environment with wildly diverse use cases. Could you share, for our listeners, a few examples of the different kinds of things we’re running in GCP? Given that we’re doing these wildly different things in GCP, how do we think about scaling the right security guardrails to the right places in our GCP org? How do you work with application engineering teams and project owner teams to make sure the right controls are there but not getting in the way of business?  How do we scale this exemption management process? Are there things we do here that don’t make sense at a smaller scale? Are there emergent challenges that only we would face? How do you correctly federate security responsibilities between the central team defining policy and the constituent user teams actually using the platform? Burnout is a perennial challenge for security teams–what’re you doing to keep your people happy and engaged? Resources: “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75) ““Hacking Google”, Op Aurora and Insider Threat at Google” (ep91) Google Cloud security foundations guide

Guest: Anoosh Saboori, former Product Manager at Google Cloud Topics: We had zero trust episodes before and definitions vary! When we say zero trust, what do we mean?   What about zero trust for workloads in production? When you say “workload,” what do you mean? What is BeyondProd, for those that are unfamiliar with it? And how is this different from BeyondCorp?  How has BeyondProd actually been implemented at Google?   What threats does it help with? Is this real threats or compliance? Why is now a good time to be thinking about zero trust for production systems?  Companies have many security tools deployed, including microsegmentation and firewalls, how does this toolset fit? Does it replace anything they have deployed? Resources: BeyondProd papers “Zero Trust: Fast Forward from 2010 to 2021” (ep8) “Gathering Data for Zero Trust” (ep4) “Google Workspace Security: from Threats to Zero Trust” (ep99) “Zero Trust: So Easy Even a Government Can Do It?” (ep59) “Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance” (ep66)

Guest: Michele Chubirka, Senior Cloud Security Advocate, Google Cloud Topics: We are here to talk about cloud migrations and we are here to talk about failures. What are your favorites? What are your favorite cloud security process failures?  What are your favorite cloud security technical failures?  What are your favorite cloud security container and k8s failures? Is "lift and shift" always wrong from the security point of view?  Can it at least work as step 1 for a full cloud transformation?  Resources: “Automate and/or Die?” (ep3) “More Cloud Migration Security Lessons” (ep18) “The Magic of Cloud Migration: Learn Security Lessons from the Field” (ep55) “Preparing for Cloud Migrations from a CISO Perspective, Part 1” (ep5) “Cloud Migrations: Security Perspectives from The Field”  (ep33) "Dune" by Frank Herbert "The Science of Organizational Change"  by Paul Gibbons  "Servant Leadership: A Journey into the Nature of Legitimate Power and Greatness"  by Robert K. Greenleaf "Finding the Sweet Spot for Change" State of Devops (DORA) Report 2022

Guest:  Gary Hayslip, CISO at Softbank Topics:  "So we're talking about your journey as a CISO migrating to Cloud. Could you give us the 30 second overview of  What triggered your organization's migration to the cloud? When did you and the security organization get brought in? How did you plan your security  organization's journey to the cloud? Did you take going to cloud as an opportunity to change things beyond the tools you were using?  As you got going into the cloud, what was the hardest part for your organization? If that was hardest, what was most surprising? Good surprise and bad surprise? Let’s shift to some tactical gears: How did you design security controls for the cloud? Did your data security practice change? Did your detection  / response practice change? How has the CISO role evolved and is evolving due to the cloud? Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be? Resources: “CISO Desk Reference Guide” book by Gary Hayslip “The Essential Guide to Cybersecurity for SMBs” book by Gary Hayslip “Develop Your Cybersecurity Career Path” book by Gary Hayslip

Guest:   Nader Zaveri, Senior Manager of IR and Remediation at Mandiant, now part of Google Cloud Topics: Could we start with a story of a cloud incident response (IR) failure and where things went wrong?  What should that team have done to get it right?  Are there skills that matter more in cloud incidents than they do for on-prem incidents? Are there on-prem instincts that will lead incident responders astray in cloud? What 3 things an IR team leader needs to do to prepare his team for IR in the cloud? Are there on-premise tools that can stay on prem and not join us in the cloud? What processes should we leave behind? Keep with us? What logs and context should we prepare for cloud IR?  What access should we have behind “break glass”? While doing IR, what things should we look at in the cloud logs (which logs, also?) to expedite the investigation? Resources: “How to Cloud IR or Why Attackers Become Cloud Native Faster?” (ep98) “How to prepare for detection & response in the cloud” Google Cloud Next 2022 presentation “Security Incident Response in the Cloud: A Few Ideas” blog GCP Cloud Logging “Security at Scale: Logging in AWS” paper “AWS Security Incident Response Whitepaper” paper

Guest:  Sunil Potti, VP / GM, Google Cloud Topics: One of the biggest shifts we’ve noticed is the shift from building security because we think security is good, to building security as a business. How did you make that cultural shift happen in our organization?  With organizations migrating to cloud we have a set of tradeoffs between meeting security teams where they are with on-prem expectations of security vs cloud-native approaches. How do you think about investing in next generation products vs holding the hands of CISOs just stepping into the cloud? What matters more to you as a leader, secure cloud (GCP, Workspace) or security products (Chronicle SecOps, BCE, SCC, etc)? Is invisible security the same as “building security in”? Aren’t there security controls where the value is derived from them being visible to users? Mandiant brings services expertise to Google Cloud, typically not our strong area and not our DNA, how do we plan to make the most of Mandiant within Google’s culture? Resources: Simon Sinek “Start With Why” book

Guest:  Jim Higgins, CISO at Snap,  former CISO at Square Topics: You were at Google for a long time, and at Google you sat between Google security and Cloud. Now that you're leading security for a major company, how are you prioritizing your focus between your on-premise resources and your cloud resources?  How are you thinking about threat detection in the Cloud? In detection, how has your technology changed? How has your process changed? What threats do you mostly focus on? Why don’t we talk about the role of automation in detection and response (D&R)? How do you approach automation and eliminating toil? As you're scaling teams, processes and technology for your cloud footprint, what has been easiest to get right and what's been hardest to get right? How do you approach measuring security? What cloud metrics are you sharing upwards to your board? Resources: BeyondCorp Enterprise “Ghost in the Wires: My Adventures as the World's Most Wanted Hacker” book

Guests: John Speed Meyers, Security Data Scientist, Chainguard Todd Kulesza, User Experience Researcher, Google Topics: How did you get involved with this year’s Accelerate State of DevOps Report (DORA report)? So what is DORA and why did you decide to focus on supply chain security for the 2022 report? What are the big learnings from this year’s report? What’s the difference between SLSA and SSDF? Is one spicy and the other savory? How’re companies adopting these and how is adoption going?  Are there other areas that DevOps can be a contributor in the overall security landscape?  How can CISOs rope DevOps fully into their security gang? Operationally, how should security and developers and DevOps come together to keep vulnerabilities out in the first place? How should security and developers and DevOps come together to respond quickly to vulnerabilities when they’re discovered? How do security and developers and DevOps come together to prove to their auditors and customers that they’re doing a good job of the above? Resources: 2022 Accelerate State of DevOps Report "New insights for defending the software supply chain" blog (and new report) SLSA.dev site Secure Software Development Framework at NIST “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24) “Sharing The Mic In Cyber with STMIC Hosts Lauren and Christina: Representation, Psychological Safety, Security” (ep92) Go vulncheck tool  “Reflections on Trusting Trust” paper  (1984)

Guests: Nikhil Sinha, Group Product Manager, Workspace Security Kelly Anderson, Product Marketing Manager, Workspace Security Topics: We are talking about Google Workspace security today. What kinds of threats do we have to care about here? Are there compliance-related motivations for security here too? Is compliance in the cloud changing? How’s adoption of hardware keys for MFA going for your users, and how are you helping them?  Is phishing finally solved because of that?  Can you explain why hardware security FIDO/WebAuthn is such a step function compared to, say, RSA number generator tokens?  Have there been assumptions in the Workspace security model we had to change because of WFH? And what changes with RTO and permanent hybrid? Resources: Google BeyondCorp Enterprise “Make zero trust a reality with Google Workspace security solutions” Next 2022 video “2021: Phishing is Solved?” (ep40) “Zero Trust: Fast Forward from 2010 to 2021” (ep8)

Guests: Matt Linton, Chaos Specialist @ Google John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud Topics: Let’s talk about security incident response in the cloud.  Back in 2014 when I [Anton] first touched on this, the #1 challenge was getting the data to investigate as cloud providers had few logs available. What are the top 2022 cloud incident response challenges? Does cloud change the definition of a security incident? Is “exposed storage bucket” an incident? Is vulnerability an incident in the cloud? What should I have in my incident response plans for the cloud? Should I have a separate cloud IR plan? What is our advice on running incident response jointly with a CSP like us? How would 3rd party firms (like, well, Mandiant) work with a client and a CSP during an investigation? We all read the Threat Horizons reports, but can you remind us of the common causes for cloud incidents we observed recently? What goals do the attackers typically pursue there? Resources: “Building Secure and Reliable Systems” book (especially ch 14-16, and ch17) Google Cybersecurity Action Team Threat Horizons Report #4 Is Out! (#3, #2, #1) “Incident Plan vs Incident Planning?” blog (2013)

Guest: Greg Sinclair, Security Engineer @ Google Cloud Topics: Could you tell us a bit about your background and how you ended up here at Google? Also, tell us about your team here? We're very excited about the release of the CobaltStrike rules. Could you share more about what they are looking for and second why this is so valuable? How did CobaltStrike come to be so widely used by bad guys? When you were doing this research what was the most surprising thing you uncovered? Could you tell us about the coordinated disclosure aspects of this work? In the past you've contributed research to our Threat Horizons reports, could you tell us about that? Resources: Making CobaltStike harder for threat actors to abuse blog CobaltStrike YARA-L rules CobaltStrike site “Cobalt Strike Usage Explodes Among Cybercrooks” Google Cybersecurity Action Team Threat Horizons Report #4 Is Out! Detection as Code? No, Detection as COOKING!

Guest: Jeff Bollinger,  Director of Incident Response and Detection Engineering @ Linkedin  Topics: Observability sounds cool (please define it for us BTW), but relating it to security has been “hand-wavy” at best. What is your opinion on the relevance of observability data for security use cases? What use cases are those, apart from saving the data for IR just in case? How can we best approach observability in the cloud, particularly around network communications, so that we improve security as a result? Are there other areas of cloud where observability might be more relevant? Does the massive shift to TLS 1.3 impact this? If the Internet is shifting towards an end-user/device centric model with everything as a service (SaaS), how does security monitoring even work anymore?  Does it mean the end of both endpoint and network eras and the arrival of the application security monitoring era? Can we do deep monitoring of complex applications and app clusters for abuse or should we just focus on identity and profiling? Resources: “Instrumenting Modern Application Stack for Detection and Response” (ep34) “Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan” by Jeff Bollinger, Brandon Enright, Matthew Valites (book) RFC 7258  Pervasive Monitoring Is an Attack RFC 8890 Internet is for end users “(Re)building Threat Detection and Incident Response at LinkedIn” “Martian Chronicles“ by Ray Bradberry (because migrating to cloud is like flying to Mars)

Guests: Alijca Cade, Director, Financial Services, Office of the CISO, Google Cloud Ken Westin, Director, Security Strategy, Cybereason Robert Wallace, Senior Director, Mandiant, now Google Cloud Topics: How are cloud environments attacked and compromised today? Is it still about the configuration mistakes? Do cryptominers represent a serious threat now that they are often mentioned as the most common threat in the cloud? Let’s look at another popular threat - ransomware or, broadly, RansomOps. Based on your research, what can we say about its likely future, especially in the cloud? Are we getting better with detection in the cloud and are we doing it fast enough? Is cloud security a misnomer? Attackers are out to get into an organization, and cloud or on-premise matters less here, right? What does it say about the interdependence of security, on and off cloud? Resources: LIVE @ Security Talks: The Cloud Security Podcast at Cloud Security Talks Q3 2022 Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!

Guest:  Dr Anna Belak, Director of Thought Leadership at Sysdig, former Gartner analyst Questions: Analysts (and vendors) coined a log of “C-something acronyms” for cloud security, and two of the people on this episode were directly involved in some of them. What do you make of all the cloud security acronym proliferation? What is CSPM? What gets better when you deploy it? What is CWPP? Does anything get better when you deploy it? What is CNAPP? What gets better when you deploy it? What is CIEM, Anton’s least fave acronym? Now, what about CDR?  Resources: Gartner acronym glossary “Container Security: The Past or The Future?” (ep54, with Anna as well) “Automate and/or Die?” (ep3) “Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM?” (ep60) “Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?” (ep76) “Does the World Need Cloud Detection and Response (CDR)?” “Announcing Virtual Machine Threat Detection now generally available to Cloud customers” Sysdig Threat Report Blog 2022 Sysdig Cloud-Native Threat Report  Anatomy of Cloud Attacks

Guest: Alicja Cade, Director for Financial Services, Office of the CISO, Google Cloud  Topics: We are talking about your journey as a CISO migrating to the cloud. Could you give us the overview of … What triggered your organization's migration to the cloud? When did you and the security team get brought in? Did you take going to the cloud as an opportunity to change things beyond the tools you were using?  As you got going into the cloud, what was the hardest part for your organization? If that was hardest, what was most surprising? Good surprise and bad surprise? How did you design security controls for the cloud? How do you validate and verify security controls in the cloud? How did you keep both security practitioners and the rest of your IT teams from lift-and-shift thinking? Did your data security practice change? Having covered all that tactical terrain, one final strategic question: is moving to the cloud a net risk reduction? Can it be? Resources: “CISO Walks Into the Cloud: Frustrations, Successes, Lessons ... And Does the Risk Change?” (ep80) “Visualizing Google Cloud: 101 Illustrated References for Cloud Engineers and Architects” by Priyanka Vergadia “Cyberpolitics in International Relations” book CSA CCM v4 Cyber Risk Institute “Modernize Data Security with Autonomic Data Security Approach” (ep79) and the paper on autonomic data security. "Preparing for Cloud Migrations from a CISO Perspective, Part 1" (ep5) "Preparing for Cloud Migrations from a CISO Perspective, Part 2" (ep11) “How CISOs need to adapt their mental models for cloud security” blog

Guests: Lauren Zabierek (@lzxdc), Acting Executive Director of the Belfer Center at the Harvard Kennedy School Christina Morillo (@divinetechygirl), Principal Security Consultant at Trimark Security Topics: We are so excited to have you on the show today talking about your awesome effort, Share The Mic in Cyber. I love that we are Sharing our Mic with you today. Could you please introduce yourself to our listeners? Let's talk about representation and what that means, and why it's especially relevant in cyber security?  Psychological safety is super important for so many reasons, including  in cyber. Could you share a definition of what it is, and why it is important?  Can we talk about how psychological safety and representation intersect?  Let’s bring things back to talk about the #ShareTheMicInCyber / #STMIC project. Could you tell us about one of your favorite things that's come from the project?  Any surprises? Lessons? Plans? Futures? How can our listeners help with #ShareTheMicInCyber? Where to learn more? Resources: #ShareTheMicInCyber site and @ShareInCyber on social Lauren Zabierek (@lzxdc), #ShareTheMic in Cyber co-founder Camille Stewart Gloster (@camilleesq), #ShareTheMic in Cyber co-founder “Missing Diversity Hurts Your Security” (ep42) NEXT Special - Cloud Security and DEI: Being an Ally! (ep36)

Guest: Mike Sinno, Security Engineering Director, Detection and Response  @ Google Topics: You recently were featured in “Hacking Google” videos, can you share a bit about this effort and what role you played? How long have you been at Google? What were you doing before, if you can remember after all your time here? What brought you to Google? We hear you now focus on insider threats. Insider threat is back in the news, do you find this surprising? A classic insider question is about “malicious vs well-meaning insiders" and which type is a bigger risk. What is your take here? Trust is the most important thing when people think about Google, we protect their correspondence, their photos, their private thoughts they search for. What role does detection and response play in protecting user trust? One fun thing about working at Google is our tech stack. Your team uses one of our favorite tools in the D&R org! Can you tell us about BrainAuth and how it finds useful things? We talked about Google D&R (ep 17 and ep 75) and the role of automation came up many times. And automation is a key topic for a lot of our cloud customers. What do you automate in your domain of D&R? Resources: “Hacking Google” videos  (EP00 with Mike) The Secure Reliable Systems book The CERT Guide to Insider Threats book Common Sense Guide to Mitigating Insider Threats book Insider Threats (Cornell Studies in Security Affairs) Foreign Espionage in Cyberspace from the NCSC “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75) “Modern Threat Detection at Google” (ep17)

Guest: Phil Venables, Vice President and CISO at Google Cloud Topics: Google Cybersecurity Action Team is your brainchild and it is 1 year old, what comes to mind first when we reflect on this anniversary? The team is primarily about helping clients with security, what did we learn doing this for a year? What challenges have we (Google Cybersecurity Action Team) faced in our first year? We released 4 Threat Horizons reports this year, what is the future for this research here? We often hear that in the cloud we need to move away from products towards solutions, how does that work in security? Your famous 8 megatrends post is several months old - any new thoughts or changes coming to this concept? Recently you had a very interesting blog “Crucial Questions from CISOs and Security Teams”, with a list of questions, can you share some of your thinking here? Resources: Security at Google Cloud Next 2022 Next Special - Log4j Reflections, Software Dependencies and Open Source Security Next Special - Improving Browser Security in the New Era of Work Next Special - Can We Escape Ransomware by Migrating to the Cloud? NEXT Special - Google Cybersecurity Action Team: What's the Story? (Next 2021 special episode) Modernizing SOC ... Introducing Autonomic Security Operations  How autonomic data security can help define cloud’s future Google Cloud Threat Horizons Report #1 #2 #3 #4 8 Megatrends drive cloud adoption—and improve security for all “Demystify Data Sovereignty and Sovereign Cloud Secrets at Google Cloud” (ep81) Crucial Questions from CISOs and Security Teams Google Cybersecurity Action Team

Guest:    Nelly Kassem, Security and Compliance Specialist @ Google Cloud Topics: Why did ransomware attacks become so popular? What type of organizations are targeted by ransomware?  Do these affect mostly the organizations with sub-par security? Ransomware has been raging since 2015 and shows few signs of subsiding. Why are these attacks still successful?  Do we see ransomware in the cloud?  Does migrating to the cloud protect you from ransomware? Which of Google Cloud tools are useful to fight ransomware? Resources: Security at Google Cloud Next 2022 Next Special - Log4j Reflections, Software Dependencies and Open Source Security Next Special - Improving Browser Security in the New Era of Work “Future of EDR: Is It Reason-able to Suggest XDR?” (ep29) “2021: Phishing is Solved?” (ep40) Mandiant M-Trends 2022 Google Cloud Threat Horizons Report #1 #2 #3 #4

Guest: Fletcher Oliver, Chrome Browser Customer Engineer, Google Topics: What is browser security? Isn’t it just application security by another name?  Why is browser security more important now than ever?  Do we have statistical measures or data that tell us if we’re succeeding at browser security? Do we know if we’re doing a good job at making this better?  What are the components of modern browser security?  How does this work with an enterprise’s existing stack?  In fact, how does this work with the rest of Google’s tooling?  Resources: Security at Google Cloud Next 2022 NEXT Special - Log4j Reflections, Software Dependencies and Open Source Security Chrome releases blog Chrome Enterprise

Guest: Dr Nicky Ringland, Product Manager for Open Source Insights, Google Topics: Let's talk Open Source Software - are all these dependencies dependable? Why was log4j such a big thing - at a whole ecosystem level? Was it actually a Java / Maven problem? Are other languages “better” or more secure? Is another log4j inevitable? What can organizations to minimise their own risks?  Resources: Google Cloud Next 2022 Open Source Insights at deps.dev Blog at blog.deps.dev with posts on Understanding the Impact of Apache Log4j Vulnerability and what happens After the Advisory Assured Open Source Software service

Guest: Thiébaut Meyer, Director at Office of the CISO, Google Cloud Topics: Virtualization's arrival caused a major IT upheaval 20 years ago. What can we learn from that revolution for our current cloud transformation? We talk about our three legged security stool of people/process/technology. How do we balance the technical issues (new technology stack, etc.) with the new processes (agile, etc) and the skills? What are the cultural and people transformation differences between the virtualization and cloud revolutions? We do recall how PCI DSS was disrupted by virtualization.  So, how does regulation play into this change - back then and now with the cloud? How do we change the minds of regulators who still think that cloud is a risk to mitigate, rather than a way to mitigate others risks better? Resources: “8 Megatrends drive cloud adoption—and improve security for all” blog “Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity” Transform with Google Cloud  Google Cybersecurity Action Team

Guest:  Steve McGhee, Reliability Advocate, Google Cloud Topics: What can security teams  learn from the Site Reliability Engineering (SRE) art of rapid and safe deployment? Is this all about the process or do SREs possess some magical technology to do this? What is SRE approach to automation? What are the pillars / components of SRE approach to deployment? SRE is also about scaling. Some security teams have to manage 1000s of detection rules, how can this be done in a manner that does not conflict or cause other problems? Resources: Google SRE book A companion Google SRE workbook “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75) “Achieving Autonomic Security Operations: Why metrics matter (but not how you think)” blog “Achieving Autonomic Security Operations: Reducing toil” blog.

Guest: Alex Polyakov, CEO of Adversa.ai Topics: You did research by analyzing 2000 papers on AI attacks released in the previous decade. What are the main insights? How do you approach discovering the relevant threat models for various AI systems and scenarios?  Which threats are real today vs in a few years? What are the common attack vectors? What do you see in the field of supply chain attacks on AI, software supply, data? All these reported cyberphysical attacks on computer vision, how real are they, and what are the possible examples of exploitation? Are they a real danger to people? What are the main differences between protecting AI vs protecting traditional enterprise applications? Who should be responsible for Securing AI? What about for building trustworthy AI? Given that the machinery of AI is often opaque, how to go about discovering vulnerabilities? Is there responsible disclosure for AI vulnerabilities, such as in open-source models and in public APIs?  What should companies do first, when embarking on an AI security program? Who should have such a program? Resources: “EP52 Securing AI with DeepMind CISO” (ep52) “EP68 How We Attack AI? Learn More at Our RSA Panel!” (ep68) Adversarial AI attacks work on Humans (!) “Maverick* Research: Your Smart Machine Has Been Conned! Now What?” (2015) “The Road to Secure and Trusted AI” by Adversa AI “Towards Trusted AI Week 37 – What are the security principles of AI and ML?”  Adversa AI blog AIAAIC Repository Machine Learning Security Evasion Competition at MLSec

Guest:  Badr Salmi, Product Manager for reCAPTCHA Topics: What is reCAPTCHA? Aren’t you guys the super annoying 'click on the busses' thing? What is account defender? Why was this a natural next step for you? What are the actual threats that this handles - and handles well? Specific web attacks? Web fraud? Let’s talk about account fraud, what do these attacks look like and how do bad guys monetize today? What about payment fraud? Could you score a payment session as well as a login session risk, or is that different?  How does this work with multi factor authentication? Recommended reading: “Code” book Recapcha page “Protect your users’ accounts with reCAPTCHA Enterprise’s account defender” blog “Double-clicking, but not on fire hydrants, with bot fighters” (ep19)

Guest: Dimitri McKay,  Principal Security Strategist @ Splunk Topics: How do you define that "XDR thing" that you are so skeptical about? So within that definition of XDR, you think it’s not so great, why? If you have to argue pro-XDR, what would you say? Two main XDR camps are “XDR as EDR+” and “XDR as SIEM-”, which camp do you think is more right? Are both wrong? What approach do you think is more useful as a lens to understand the potential upsides/downsides of XDR? What about the cloud? "Cloud XDR" seems a bit illogical, but what do you think is the future of D&R in the cloud? Resources: “Anton and The Great XDR Debate, Part 1” “Anton and The Great XDR Debate, Part 2” “Anton and The Great XDR Debate, Part 3” SURGe content on splunk blog “Today, You Really Want a SaaS SIEM!” Red Canary 2022 Threat Detection report Verizon DBIR 2022 report.

Guest:  Christopher “CJ” Johnson, retired Fire Chief, and Global Regulated Cloud Product Lead @ Google Cloud Topics: In political science, they define sovereignty as a local monopoly on the legitimate use of force. Why are we talking about “sovereignty” in IT? What is a sovereign cloud?  How much of the term is marketing vs engineering? Who cares or should care about sovereign cloud? Is this about technical controls or paper/policy controls? Or both? What is the role for encryption and key management and key access justifications (like say Google Cloud EKM with KAJ) for sovereign cloud? Is sovereign cloud automatically more secure or at least has better data security? What threat models are considered for sovereign cloud technologies? Resources: Google Cloud External Key Manager (EKM)  “Trust Google Cloud more with ubiquitous data encryption” blog “Software-Defined community cloud - a new way to “Government Cloud”” blog

Guest: David Stone,  Staff Consultant  at Office of the CISO, Google Cloud Topics: Speaking as a former CISO, what triggered your organization migration to the cloud? When did you and the security organization get brought in? How did you plan your security organization journey to the cloud? Did you take going to Cloud as an opportunity to change things beyond the tools you were using?  As you got going into the cloud, what was the hardest part for your organization ? What was most surprising? Good surprise and bad surprise? How did you design security controls for the cloud? How do you validate and verify security controls in the cloud?  How did you incorporate your cloud environment into your SOC’s responsibility Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be? Resources: “How CISOs need to adapt their mental models for cloud security” “Megatrends drive cloud adoption—and improve security for all” “EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security“ (ep47) “CISO’s Guide to Cloud Security Transformation“ paper [PDF] Google SRE book GCAT site

Guest:  John Stone,  Chaos Coordinator @ Office of the CISO, Google Cloud Topics: So what is Autonomic Data Security, described in our just released paper?  What are some notorious data security issues today? Perhaps common data security mistakes security leaders commit? What never worked in data security, like say manual data classification? How should organizations think about securing the data they migrated and the data that was created in the cloud? Do you really believe the cloud can make data security better than data security in traditional environments? Resources: “Modern Data Security: A path to autonomic data security” paper (NEW) “How autonomic data security can help define cloud’s future” blog “Megatrends drive cloud adoption—and improve security for all” blog “Modernizing SOC ... Introducing Autonomic Security Operations” blog “Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper “Zero Trust: Fast Forward from 2010 to 2021” (ep8) “Data Security in the Cloud” (ep2) and the resource. “Modern Data Security Approaches: Is Cloud More Secure?” (ep16) “Reflections on Trusting Trust” paper (1984).

Guest: Gorka Sadowski,  Chief Strategy Officer @ Exabeam Topics: How do we get a legacy SOC team to think about the cloud? How to think about cloud threat detection, in general? What is different … threats, the environment, what else? What is the same?  How do we know which TTPs are relevant for the new environments? What to bring with us to the cloud? Do content/rules and detection engines need to be different to cover the cloud detection use cases? What cases are appropriate for machine learning (ML) in the cloud? Does cloud threats drive the need for new ML detections? Resources: “11 Strategies of a World-Class Cybersecurity Operations Center” paper “Autonomic Security Operations: How to 10X Your SOC” paper “Indicators Of Compromise Vs. Tactics, Techniques, And Procedures” blog “How to Build and Operate a Modern Security Operations Center” (Gartner subscription required) “A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next” blog

Guest: Cyrus Robinson, SOC Director and IR Team lead at Ingalls Information Security Topics: You’ve been using SOAR tools for years, so what do you think of the technology so far? What is driving SOAR adoption today? And what is inhibiting SOAR adoption? Realistically, how hard is SOAR to operationalize for a typical company? What are your favorite SOAR playbooks to start with? How to build, train and keep the SOAR team? Do they need to code to succeed? We like the SOAR maturity model approach. How would you imagine a SOAR adoption maturity model? How to implement SOAR from scratch in scaling operations? How to start? How to plan? How to not fail? Resources: “A Simple SOAR Adoption Maturity Model” blog  “Planning Is Paramount When Adopting SOAR” blog Siemplify community version

Guest: Ben Johnson, CTO/co-founder @ Obsidian Security Topics: Why is there so much attention lately on SaaS security? Doesn’t this area date back to 2015 or so? What do you see as the primary challenges in securing SaaS? What does a SaaS threat model look like? What are the top threats you see? CASB has been the fastest growing security market and it has grown into a broad platform and many assume that “securing SaaS = using CASB”, what are they missing? Where would another technology to secure SaaS fit architecturally, inline with CASB or as another API-based system? Securing IaaS spanned a robust ecosystem of vendors (CWPP, CSPM, now CNAPP) and many of these have ambitions for securing SaaS, thus clashing with CASB. Where do you fit in this battle? For a while, you were talking more about CDR - what is it and do we really need a separate CDR technology? Resources: Obsidian Security blog and Resource Center Does the World Need Cloud Detection and Response (CDR)? blog Does the world need Cloud Detection and Response (CDR) as a new market segment? poll MITRE ATT&CK for SaaS matrix CISA SCUBA resource “Essentialism” book.

Guest: Tim Nguyen, Director of Detection and Response @ Google Topics: I know we don’t like to say “SOC” here, so why don’t we talk about the role of automation in detection and response (D&R) at Google? One SRE concept we found useful in security operations is “toil” - How do we squeeze toil out of D&R practice at Google? A combined analyst and engineer role (just like an SRE) was critical for both increasing automation and reducing toil, how hard was it to put this into practice? Tell us about that journey? How do we automate security signal analysis, can you give us a few examples? D&R metrics have been a big pain point for many organizations, how does SRE thinking of SLOs and SLIs (and less about SLAs) helps us in our “not SOC”? How do we avoid falling into the “time to respond” trap that rewards fast response, sometimes at the cost of good? Resource: SRE book, Chapter 5 - Eliminating Toil SRE book, Chapter 4 - Service Level Objectives “Building Secure and Reliable Systems” book “Achieving Autonomic Security Operations: Automation as a Force Multiplier” “Achieving Autonomic Security Operations: Reducing toil” “Taking an autonomic approach to security operations” video “Modern Threat Detection at Google” (ep17)

Guest:  James Luo,   Partner @ CapitalG Topics: You've looked at hundreds of security startups at the growth stage - what is getting funded? What is not getting funded? What is the difference? What's your view on the current market environment for security companies? Is security "recession-proof", whatever that means? How do you think about what problems are worth solving with a new venture vs existing vendors (and/or CSPs) expanding to cover the new area? Why do many cloud security vendors get funded and get high valuations while there is a wide perception that CSP (like us at Google) are doing security really well? How do we solve the challenge that many organizations are barely moving off “antivirus and firewalls” security of the 1990s? What is your best advice to cloud security startups trying to get wider adoption? Resources: “Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity” CapitalG blog

Guest: Erik Bloch,  Senior Director of Detection and Response at Sprinklr Topics: You recently coined a concept of “output-driven Detection and Response” and even perhaps broader “output-driven security.” What is it and how does it work? Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that? You refer to a federated approach for Detection and Response”  (“route the outcomes to the teams that need them or can address them”), but is it workable for any organization?  What about the separation of duty concerns that some raise in response to this? What about the organizations that don’t have any security talent in those teams? Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it? The model of “security team as a decision-maker, not an implementer” has a bit of a painful history, as this is what led to “GRC-only teams” who lack any technical knowledge. Why will this approach work this time? Resources: “RIP SOC. Hello D-IR” “Kill your SOC with a D-IR model” “Security De-Engineering: Solving the Problems in Information Risk Management” book “A SOCless Detection Team at Netflix”  “Achieving Autonomic Security Operations: Automation as a Force Multiplier”  “Start with Why: How Great Leaders Inspire Everyone to Take Action“ book “Think Like a Monk: The Secret of how to Harness the Power of Positivity and be Happy Now” book “On “Output-driven” SIEM” “SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond” (ep58)

Guests: Dave “Merk” Merkel, CEO @ Expel Peter Silberman,  CTO @ Expel Topics: Many MDRs claim to be “security from the cloud”, but they actually don’t know much about cloud security. What does good looks like for MDR in the cloud (cloud being a full range from IaaS to SaaS)? What are the key challenges for clients picking an MDR for their cloud environments?  What are the questions to ask your potential MDR? Do clients want the same security outcomes done in the cloud vs on-premise?   Does it mean that MSSP/MDR capabilities must be different for good coverage of the cloud?  Is MDR technology different for Cloud detection and response as opposed to on-prem D&R?  How do you communicate with clients about the importance and value of cloud specific detection vs detection for endpoints running in the cloud?  What are the top threats against client cloud environments that you see, detect and protect from? Which clouds (IaaS?) are easiest for MDR to protect? What makes them easier to handle than the other Clouds? Resources: Who Does What In Cloud Threat Detection? How to Think about Threat Detection in the Cloud Cattle vs Pets reminder Expel Blog - Incident report: Spotting an attacker in GCP  Expel Great eXpeltations 2022: Cybersecurity trends and predictions Expel Quarterly Threat Report: Q1 2022

Guest:  Stefan Friedli,  Senior Security Engineer @ Google Topics: What is our “red team” testing philosophy and approach at Google?  How did we evolve to this approach?  What is the path from testing to making Google and our users more secure? How does our testing power the improvements we make? What is unique about red teaming at Google? Care to share some fun testing stories or examples from your experience? Resources: “Building Secure & Reliable Systems” book (free) Threat Analysis Group (TAG) blog

Guests: none Topics: What have we seen at the RSA 2022 Conference? What was the most interesting and unexpected? What was missing? Resources: “RSA 2022 Musings: The Past and The Future of Security” Google Cloud Security at RSA 2022

Guest: James Condon,  Director of Security Research @  Lacework  Topics: What are realistic and actually observed cloud threats today? How did you observe them at Lacework? Cloud threats: are they on-premise  style threats to cloud assets? We hate the line “cloud is just somebody else’s computer” but apparently threats actors seem to think so? What is the 2nd most dangerous cloud issue after configuration mistakes? Why is it so common for organizations to have insecure configurations in their cloud environments?  Give me a few examples of the most common mistakes organizations make, and what they can do to avoid those configurations. Cloud malware and  ransomware / RansomOps, are these real risks today? Are we finally seeing the rise of Linux malware at scale (in the cloud)? As multi cloud expands in popularity, what are threat actors doing in this area? Are actors customizing their attacks on a per-cloud basis (AWS, GCP, Azure)?  Resources: Lacework 2022 Cloud Threat Report “Securing DevOps: Security in the Cloud” book “Threat Models and Cloud Security” (ep12) Google Threat Horizons Report #1 Google Threat Horizons Report #2

Guest:  Nicholas Carlini, Research Scientist @ Google  Topics: What is your threat model for a large-scale AI system? How do you approach this problem? How do you rank the attacks? How do you judge if an attack is something to mitigate? How do you separate realistic from theoretical? Are there AI threats that were theoretical in 2020, but may become a daily occurrence in 2025? What are the threat-derived lessons for securing AI? Do we practice the same or different approaches for secure AI and reliable AI? How does relative lack of transparency in AI helps (or hurts?) attackers and defenders? Resources: “Red Teaming AI Systems: The Path, the Prospect and the Perils” at RSA 2022 “Killed by AI Much? A Rise of Non-deterministic Security!” Books on Adversarial ML

Guest:  Sounil Yu, CISO and Head of Research at JupiterOne Topics: How does your Cyber Defense Matrix apply to cloud security? Are things easier or harder? Cloud (at least the cloudy-cloud, also called cloud native) definitely supports “Distributed Immutable Ephemeral” (DIE) - your new creation, how does that change security and CDM? Cyber resilience generates a lot of confusion, how do you define and describe it?  BTW, is the cloud more or less cyber resilient based on your definition? Is invisible security a good thing? Can we ever have it? When should security be visible? Intuitively, security and safety are not the same. So, what is the difference between cyber safety and cyber security? What is cyber safety, really? Resources: Cyber Defense Matrix Security DIE Triad Container Security: The Past or The Future? (ep54) This Binary Legit? How Google Uses Binary Authorization and Code Provenance (ep66) What is the useful definition of “cyber resilience”? poll Is the cloud just somebody else’s computer? Poll Cattle vs Pets - DevOps Explained Gartner CIA-PSR model The 2022 State of Cyber Assets Report Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape “Antifragile” book “Thinking, Fast and Slow” book “Security Chaos Engineering” book

Guest: Sandra Guo, Product Manager in Security, Google Cloud Topics: We have a really interesting problem here: if we make great investments in our use of trusted repositories, and great investments in doing code review on every change, and securing our build systems, and having reproducible builds, how do we know that all of what we did upstream is actually what gets deployed to production? What are the realistic threats that Binary Authorization handles? Are there specific organizations that are more at risk from those? What’s the Google inspiration for this work, both development and adoption?  How do we make this work in practice at a real organization that is not Google?  Where do you see organizations “getting it wrong” and where do you see organizations “getting it right”? We’ve had a lot of conversations about rolling out zero-trust for enterprise applications, how do those lessons (start small, be visible, plan plan plan) translate into deploying Binauthz into blocking mode?  Resources: “Binary Authorization for Borg: how Google verifies code provenance and implements code identity“ paper Binary Authorization for deploying trusted images DevOps & SRE at Google

Guests: Charles Carmakal, CTO at Mandiant  Taylor Lehmann, Director at Office of the CISO, Google Cloud Topics: What are the current “popular” incidents at healthcare providers that you handled? Any of them involve cloud?  Do healthcare CISOs have time for anything other than ransomware? Does insider threat matter? What can incident response teach us here? How do you think the threat actors benefit from the health data they steal?  Based on your IR experience, what are the more interesting ways in, other than phishing? Give us your IR-informed take on ransomware pay/not pay focused on healthcare, ideally?  Resources: “The key role ‘visibility’ plays in healthcare’s cybersecurity resilience” “How healthcare can strengthen its own cybersecurity resilience” “M-Trends 2022: Cyber Security Metrics, Insights and Guidance From the Frontlines” “Future of EDR: Is It Reason-able to Suggest XDR?” (ep29) “MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications”“VS21: A Playbook for Resiliency: Contain and Remediate Ransomware Before It Can Act” “FDA Announces Fix for Pacemaker Security Flaws”

Guest: Dave Herrald @ Principal Security Strategist, Google Cloud Topics: What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc)? How do you make SOC training realistic? Should training be about the toolset or should it be about the analyst’s skills? Should you primarily train for engineering skills or analysis skills? Do you need to code to succeed in a modern SOC? Are competitive events like CTFs effective for SOC training? What role does SOC training play in bringing new, perhaps under-represented people into security operations and promoting inclusivity? Resources: Chris Sanders SOC classes SANS Holiday Hack Challenges SEC450: Blue Team Fundamentals: Security Operations and Analysis SANS NetWars “Autonomic Security Operations: 10X Transformation of the Security Operations Center” paper Boss of the SOC (BOTS) Dataset 

Guests: Robert Herjavec, Founder and CEO of Herjavec Group Eric Foster, President of CYDERES  Iman Ghanizada, Global Head of Autonomic Security Operations at Google Cloud. Topics: It’s been a few months since we launched Autonomic Security Operations (ASO) and it seems like the whitepaper has been going viral in the industry. Tell us what ASO is about? How was the ASO story received by your customers? Any particular reactions? Will the ASO narrative inspire the next generation of practitioners? Where do you envision the market headed? ASO is about transforming the SOC, and that often involves culture change. How do you change the culture and deeper approaches common in security operations? What else can we do to evolve SOC faster than the threats and assets grow? Resources: This episode is based on a panel from  This Google Cloud Security Talks Q1 2022 Panel “All Organizations Should Pursue Autonomic Security Operations… A Fireside Chat with SOC Elites.” “All Organizations Should Pursue Autonomic Security Operations… A Fireside Chat with SOC Elites” on YouTube “Autonomic Security Operations: 10X Transformation of the Security Operations Center“ paper “Modernizing the U.S. Federal Government’s Approach to Cyber Threat Management with Autonomic Security Operations“  paper

Guest: Etienne De Burgh, Senior Security and Compliance Specialist, Office of the CISO @ Google Cloud Topics: Why is API security hot now? What happened that made it a priority for many?  Is API security different from application security? Doesn't the first "A" in API  stand for application?  What are the real threats to exposed APIs? APIs are designed for automated use, so how do you tell automated use from automated abuse / attack? What are the biggest challenges that companies are having with API security? What are the components of API security? Is there a “secure by default API”? API threat detection? Just like cloud in general, API misconfigurations seem to be leading to security problems, are APIs hard to configure securely for most organizations? Resources: Google Cloud Security Summit  - come see us on May 17, 2022 “Securing web applications and APIs anywhere” (at our Security Summit) OWASP Top 10 for API Security “Best practices for securing your applications and APIs using Apigee”

No guests - just Anton and Tim Topics: Why cloud security? What do we really think about our podcast name and topic, cloud security? Can you once again explain security for the cloud, in the cloud, from the cloud? What is one thing that we learned from doing a podcast? Favorite cloud security trend that we encountered on the podcast?  What did we learn about security from organization's migrating to the cloud? What are our favorite reading materials related to cloud security? What are our favorite tips from the guests on securing the cloud? Resources: “The Age of AI And Our Human Future” book “Practical Guide to Cloud Migration – Google - Site Reliability Engineering” (book, free) and other SRE books “Cloud Security podcast by Google turns 46 - Reflections and lessons!” “Cloud Security Podcast by Google — Popular Episodes by Topic” Our video trailer

Guest:  Dylan Ayrey, cofounder of Truffle Security Topics: Could you explain briefly why identity is so important in the cloud? A skeptic on cloud security once told us that “in the cloud, we are one identity mistake from a breach.” Is this true? For listeners who aren’t familiar with GCP, could you give us the 30 second story on “what is a service account.” How is it different from a regular IAM account? What are service account impersonations? How can I see if my service accounts can be impersonated? How do I detect it? How can I better secure my organization from impersonation attacks? Resources: Truffle Security blog “GCP Lateral Movement And Privileged Escalation Spill Over And Updates From Google” by Dylan Ayrey “Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments”  blog  “Kat Traxler - Taste the IAM” blogs

Guest:  Sharon Goldberg, CEO and cofounder of BastionZero and a professor at Boston University Topics: What is your favorite definition of zero trust? You had posted a blog analyzing the whitehouse ZT a memo on the federal government’s transition to “zero trust”,  what caught your eye about the Zero Trust memo and why did you decide to write about it? What’s behind the federal government’s recommendations to deprecate VPNs and recommend users “authenticate to applications, not networks”? What do these recommendations mean for cloud security, today and in the future? What do you think would be the hardest things to implement in real US Federal IT environments? Are there other recommendations in the memo to think about as organizations design zero trust strategies for their infrastructure?  What are some of the challenges of implementing zero trust in general? Resources: "Zero Trust: Fast Forward from 2010 to 2021" (ep8) “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles” “I read the federal government’s Zero-Trust Memo so you don’t have to”  “F12 isn’t hacking: Missouri governor threatens to prosecute local journalist for finding exposed state data”

New Audio Trailer: Cloud Security Podcast by Google

Guests:  Alexi Wiemer,  Senior Manager at Deloitte Cyber Detection and Response Practice Dan Lauritzen,  Senior Manager at Deloitte Cloud Security Practice. Topics: What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in?  What is your best advice to SOCs that are permanently and woefully understaffed?  Many SOC analysts are drowning in manual work, and it is easy to give advice that “they   need to automate.” What does this actually entail, in real life? What is, in your view, the most critical technology for a modern SOC? Is it SIEM? Is it SOAR? Is it EDR?  What is the best advice for a SOC that was handed cloud on a platter and was told to monitor it for threats? Occasionally, we hear that “SOC is dead.” What is your response to such dire SOCless predictions?  Resources: “New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of 4)” “New Paper: “Future of the SOC: Forces shaping modern security operations”” “New Paper: “Future of the SOC: SOC People — Skills, Not Tiers”” “New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center”” “A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next” “Why Your Security Data Lake Project Will FAIL!”

Guest: Maddie Stone, Security Researcher @ Google Topics: How do we judge the real risk of being attacked using an exploit for a zero day vulnerability? Does the zero day risk vary by company, industry, etc?  What does pricing for zero days tell us, if anything? Are prices more driven by supply or demand these days? What security controls or defenses are useful against zero days including against chained zero days? Where are the cloud zero days? We get lots of attention on iOS and Android, what about the cloud platforms?  So, how do we solve the paradox of zero days, are they more scary than risky or more risky than scary? Or both? Resources: Project Zero blog  A walk through Project Zero metrics Threat Analysis Group (TAG) blog

Guest:  Erlander Lo, Security and Compliance Specialist @ Google Cloud Topics: Imagine you are planning a data warehouse in the cloud, how do you think about security? What are the expected threats to a large data store in the cloud? How to create your security approach for a data warehouse project? Are there regulations that force your decisions about security controls or  approaches, no matter what the threats are? How do you approach data governance for this project? What controls are there to implement in Google Cloud for a secure data warehouse effort? Resources: Secure Data Warehouse blueprint (other blueprints) Creativity Inc book “Data Governance: The Definitive Guide” book

Guests: Brandie Anderson, Global Security Practice Lead @ Google Cloud Renzo Cuadros,  Regional Security Practice Lead @ Google Cloud Topics: What are your Cloud migration security lessons? Greatest hits? Near misses? What are the most common cloud security mistakes you see? Any practices or tricks to avoid or mitigate them? How do you talk people out of security “lift and shift”? Do clients understand how threat models change when they migrate to the cloud? How clients typically handle compliance in the cloud? What regulations are the most challenging in the cloud? What is the future for cloud migration security?  Do we foresee a future when most data is created in the cloud and there is no need to migrate anything? Resources: “Building Secure & Reliable Systems” book Google Cloud Architecture Framework “Threat Models and Cloud Security” (ep12) Modernizing compliance: Introducing Risk and Compliance as Code

Guest:  Anna Belak,  Director of Thought Leadership @ Sysdig Topics: One model for container security is “Infrastructure security  | build security | runtime security” -  which is most important to get right? Which is hardest to get right?  How are you helping users get their infrastructure security right, and what do they get wrong most often here? Your report states that “3⁄4 of running containers have at least one "high" or "critical" vulnerability“ and it  sounds like pre-cloud IT, but this is about containers?  This was very true  before cloud, why is this still true in cloud native?  Aren’t containers easy to “patch” and redeploy?  You say  “Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production.“ but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don’t fix things?   “52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline.“ - isn’t pipeline and repo scanning easier and cheaper? Why isn’t this 90/10 but 40/50?  “62% detect shells in containers” sounds (to Anton) that “62% zoos have a dragon in them” i.e. kinda surreal. What’s the real story? Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers?  Resources: Sysdig report Kubernetes podcast episode with Anna Belak  EP15 Scaling Google Kubernetes Engine Security Sysdig learning hub

Guest:  Amos Stern, CEO of SIEMplify, now part of Google Cloud Topics: SOAR is in the news again,  so what can we say about the state of SOAR in 2022? What have we learned trying to get SOAR adopted 2015-2022 (that’s 7 years of SOAR-ing for you)? What are the top playbooks to start your SOC automation using SOAR?  What about the links between SOAR as security automation and general IT automation?  Does the level of consolidation in this market mean that SOAR really is a feature of SIEMs and not a product in its own right? Resources: Siemplify blog Google Cloud Security Talks Q1 2022

Guest: Vijay Bolina, CISO at DeepMind Topics: We spend a lot of time on Artificial Intelligence (AI) safety, but what about security?  What are some of the useful frameworks for thinking about AI security? What is different about securing AI vs securing another data-intensive, complex, enterprise application? What do we know about threat modeling for AI applications? What attacks against AI systems do we expect to see first in real life? What issues with AI security should we expect to face in 3-5 years? Resources: DeepMind Learning Resources DEFCON AI Village and videos CAMLIS 

Guest:  Vandy Ramadurai, Product Manager at Google Cloud Topics: What is Cloud Organization Policy, and how is it different from IaC and Policy as code (PaC)? What does successful organization policy design look like from a business and human standpoint? From a technical standpoint? Granular policy work is always hard. How is Google helping users get org policy right?  What are the uniquely Google strengths here?  Is the AI involved real or is this marketing pixie dust AI? How do users know if something should be a proactive control like a guardrail or if something should be a reactive control like a detection? Resources: Policy Intelligence tools NEXT'21 SEC 203 - Governance guardrails Least privilege for Cloud Functions using Cloud IAM

Guest: Elie Bursztein, security, anti-abuse and privacy researcher @ Google Topics: This episode draws on a talk available in the podcast materials. Could you summarize the gist of your talk for the audience? What makes the malicious document problem a good candidate for machine learning (ML)? Could you have used rules? “Millions of documents in milliseconds,” not sure how to even parse it - what is involved in making it work? Can you explain to the listeners the motivation for reanalyzing old samples, what ground truth means in ML/detection engineering, and how you are using this technique? How fast do the attackers evolve and does this throw ML logic off? Do our efforts at cat-and-mouse with attackers make the mice harder for other people to catch?  Does massive-scale ML detections accelerate the attacker's evolution? Resources: The RSA talk “Malicious Documents Emerging Trends: A Gmail Perspective” “EP40 2021: Phishing is Solved?” episode Elie’s talks on his site

Guest: Taylor Lehmann, Director at the Office of the  CISO @ Google Cloud, member of Cybersecurity Action Team Topics: What’s top of mind for healthcare organizations’ CISOs now? What common advice do you find yourself giving most often to security leaders in healthcare? Is there a list of top 3 items or is this all “it depends”? What regulations are shaping the healthcare industry and its adoption of new technology? HIPAA is from 1996, how does it work for the cloud in the 2020s? Why do you think we aren’t seeing more cloud ransomware? Healthcare orgs are sometimes seen as “IT laggards”, what are the key security lessons from their cloud migrations? How do we convince some of these organizations that cloud is more secure as long as they use it securely?

Guest: Nelly Porter, Group Product Manager @ Google Cloud Topics In the past year, what has changed with Confidential Computing here at Google? Could we please talk about a user or two who has really nailed it with our Confidential Computing?  What have we learned about the threat models of clients who are choosing to deploy Confidential Computing? What are they solving for? Doing Confidential Computing “right” feels like a lot more than having some fancy CPUs with magic math. What challenges do customers face adopting it?  We finally “married” Confidential Computing with EKM. What types of clients are deploying this new technology? What threats are they mitigating? What’s on the horizon for Confidential Computing?  Resources: “Trust Google Cloud more with ubiquitous data encryption” The Confidential Computing Consortium whitepapers Confidential Computing at Google EP12 Threat Models and Cloud Security

Guest: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics: Explain the whole cloud security megatrend concept to us? How can we better explain that “yes, cloud is more secure than most client’s data centers”? Can you please explain "shared fate" one more time? Shared fate seems to require shared incentives. Do we see the incentives to invest in security changing within organizations migrating to Cloud? Cloud as the Digital Immune System sounds really cool, what does it mean for a typical practitioner - security and developers both? What about the risk aggregation (eggs in one basket) argument against relying on CSP for all security? Does software sovereignty mean that Cloud providers are always going to be held to common standards and lose out on the opportunity to sell highly differentiated software on top? Resources: IT Leaders: Pay Attention To These 8 Security Megatrends In 2022 Megatrends drive cloud adoption—and improve security for all

Guests:  Alison Reyes, Director, Security Solutions, Google Cloud Iman Ghanizada, Solutions Manager for Security Operations & Analytics @ Google Cloud Topics: What is our thinking on solutions vs products for security? Sure, “security is a process, not a product,” but where do solutions fit in? Security as an industry has too many vendors with little understanding of how users secure things, can solutions approach fix that? Google is sometimes known for writing code and just throwing it out there, do solutions change that dynamic for Google Cloud clients who come to us for security? Who are the target users for our security solutions? Why did we choose those solutions and not others? To me, solutions is how our products actually live in the real world. But can we really hope to transform customer operations with solutions? One of the solutions dear to my heart is Autonomic Security Operations that seeks to “10X the SOC”, how was the experience so far? Is 10X real and what does it mean? How do we know if we succeeded, what are metrics for solutions? How do solutions fit with Google Cybersecurity  Action Team launch? Do we need more action figures now?  Resources: Google Cybersecurity Action Team NEXT Special - Google Cybersecurity Action Team: What's the Story? Google SRE books Autonomic Security Operations Web App and API Protection Achieving Autonomic Security Operations: Reducing toil Autonomic Security Operations: 10X Transformation of the Security Operations Center

Guests: Vlad Stolyarov, Security Engineer  @ Threat Analysis Group (TAG) Vicente Diaz,  Threat Intelligence Strategist @ VirusTotal Topics: Why GandCrab / REvil was the most popular ransomware  family in 2020? What is ransomware as a service? Is every scary article about ransomware essentially marketing for the criminals? Some ransomware payoffs are huge, how do you think they spend the money? How else do they profit off stolen data apart from double extortion schemes? Are there triple extortion schemes? What is the concept of a “trusted brand in ransomware”, is it better for clients because they will return the data? Why did non-Windows ransomware fail as a business? Do we expect 0day exploits  to become more popular in ransomware? Based on this research, what is the key reason for ransomware’s wild success? Resources: “Ransomware in a Global Context” report “Malware Hunting with VirusTotal” (ep30) Google TAG blog NoMoreRansom Org “Cybereason: 80% of orgs that paid the ransom were hit again” Google Cybersecurity Action Team Threat  Horizons Report (full, brief)

Guest: Mike Orosz, a Chief Information and Product Security Officer @ Vertiv Topics: What are your views on modern SIEM?  What should it do and what should it be? Should it even be called SIEM?  Is SaaS/cloud-native SIEM the only way to go? Can anybody build a SIEM in the cloud by installing the regular SIEM on IaaS? What are the top challenges for organizations deploying and operationalizing SIEM today? What are some hidden or commonly forgotten costs for a SIEM deployment? Is open source the answer to SIEM? SIEM today should deliver on detection, hunting and investigation use cases, so what does it mean in terms of practical data retention? Resources: "On “Output-driven” SIEM" "Fake Cloud: Now There Are Two Hands in Your Pocket"

Guests: Amber Shafi, Production Manager GSK Svetlin Zamfirov, Senior Platform Engineer at GSK Ivan Angelov, Principal Platform Engineer at GSK Topics: Tell us about your team, what are you responsible for and how is the team setup to make that happen? What components of cloud security do you cover? Tell us about cloud misconfigurations and why these are different from on- premise misconfiguration? How are you discovering these misconfigurations?  You've automated responses to misconfiguration. Beyond the obvious upsides of reducing team toil and time to response, what are the other benefits? Are there risk in this approach and how are they handled? How did this idea to automate come about, and what lessons did you learn along the way? How have you integrated with the cloud provider security tooling? Resources:  “Automate and/or Die?” (ep3) “Automating Response to Security Events on Google Cloud Platform” from GSK blog GCP security blog

Guest: MK Palmore, Director at Office of the CISO,  Google Cloud, member of Cybersecurity Action Team Topics: Why is there such a huge gap in security professionals who are women and people of color? How does the lack of women and people of color in tech impact the industry, cybersecurity & tech overall? Are diverse teams better performing, better morale, happier people? Are there kinds of threats that we miss in threat modeling exercises for lack of diverse team members? We’ve seen countless examples where AI/ML systems have had problems with laundering biases and having frankly appalling issues due to biased training data. What are security implications here?  Are there organizations helping to close the representation gap in the security workforce and the cloud workforce? Why do the big tech companies and even the smaller ones have trouble identifying diverse talent? Why is this hard even for people and organizations who clearly want to improve it? Why do companies have a hard time retaining diverse talent?  Resources: Cyversity Wicys

Guest: Ryan Noon, CEO @ Material Security Topics: When we think about traditional email security, we think anti-spam/phishing. Your company is doing other things, so what are they? In other words, isn’t email security solved with legacy appliance vendors (SEG) and cloud email providers?  What was the combination of technology and security opportunities that really resonated with you and your investors that led to your focus on email security? Security has almost 2000 vendors and they are noisy, how do you get to clients without screaming too loud? How do you build a better security vendor? Related to being better vendors, but more broadly, what can we do as an industry to make it easier to buy and get value out of our investments in new security tooling and technology?  How can we build security tooling that requires less of our precious security team’s time?  

Guests Elie Bursztein, security, anti-abuse and privacy researcher @ Google Kurt Thomas, security, anti-abuse and privacy researcher @ Google Topics: Can we say that “Multi-Factor Authentication - if done well - fixes phishing for good” or is this too much to say? What are the realistic and seen-in-the-wild bypasses for MFA as a protection? How do you think these controls fare vs top tier attackers (clearly, they work vs commodity threats)? What do we know about burden vs value of MFA today? What can we realistically do to increase MFA/2FA adoption to the 90%s? Can we share anything about what we’re seeing as industry benchmarks on MFA adoption so far?  We’ve seen a lot of ugly debates over the value of SMS as MFA, what is your research-based take on this? Resources: Google Titan Security Key “Malicious Documents Emerging Trends: A Gmail Perspective” (RSA 2020) “New research: How effective is basic account hygiene at preventing hijacking” “New Research: Lessons from Password Checkup in action” “New research reveals who’s targeted by email attacks” “New research: Understanding the root cause of account takeover” “"Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns” "Tales from the Trenches: Using AI for Gmail Security" (ep28)

Guests Elie Bursztein, security, anti-abuse and privacy researcher @ Google Kurt Thomas, security, anti-abuse and privacy researcher @ Google Topics: Can we say that “Multi-Factor Authentication - if done well - fixes phishing for good” or is this too much to say? What are the realistic and seen-in-the-wild bypasses for MFA as a protection? How do you think these controls fare vs top tier attackers (clearly, they work vs commodity threats)? What do we know about burden vs value of MFA today? What can we realistically do to increase MFA/2FA adoption to the 90%s? Can we share anything about what we’re seeing as industry benchmarks on MFA adoption so far?  We’ve seen a lot of ugly debates over the value of SMS as MFA, what is your research-based take on this? Resources: Google Titan Security Key “Malicious Documents Emerging Trends: A Gmail Perspective” (RSA 2020) “New research: How effective is basic account hygiene at preventing hijacking” “New Research: Lessons from Password Checkup in action” “New research reveals who’s targeted by email attacks” “New research: Understanding the root cause of account takeover” “"Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns” "Tales from the Trenches: Using AI for Gmail Security" (ep28)

Guest: Jared Atkinson, Adversary Detection Technical Director at SpecterOps Topics: What are bad/good/great detections? Is this all about the Bianco's pyramid? Is high good and low bad? How should we judge the quality of detections? Can there be a quality framework? Is that judgment going to be site specific? What should we do to build more good directions? Is this all about reducing false positives? Can we really measure false negatives? How can we approach this? How can we test for detection goodness in the real world? What are the methods that work? It can’t be just about paper ATT&CK coverage, right? What are your top 3 tips for improving the detection practice at an organization? Resources: “The Pyramid of Pain” post by David Bianco “On Threat Detection Uncertainty” “Detection Coverage and Detection-in-Depth”  “Detection in Depth” by SpecterOps “Philosophy of Science: Rationality Without Foundations" by Karl Popper (yes, really) Red Canary “2021 Threat Detection Report”  "The Black Swan: The Impact of the Highly Improbable" by Nassim Nicholas Taleb John Piaget's theory of cognitive development

Guests: Stephanie Wong Vicente Diaz, Jerome McFarland Scott Ellis Patrick Faucher Il-Sung Lee, Anoosh Saboori Topics: What is your session about? Why would audience care? What is special about your security technology? Resources: Google Cloud Next 2021 SEC212 6 layers of GCP data center security SEC101 Ransomware and cyber resilience SEC204 Take charge  of your sensitive data SEC207 Securing the software supply chain SEC300 Trust the cloud more by trusting it less: Ubiquitous data encryption

Guest: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics: We are here to talk Google Cybersecurity Action Team, and this is your brainchild, so tell our audience the origin of this idea? How is Cybersecurity Action Team going to help secure GCP enterprise clients? Is there also a “improve the security of the internet” story? Many organizations seem stuck in the pre-cloud thinking and mental models, can Cybersecurity Action Team help them transform their security? How? When we sometimes present our security innovations to clients, they say “but we are not Google”, so how does Cybersecurity Action Team help us bring more of Google Cybersecurity to the world? What else do we plan to do with Cybersecurity Action Team to help customers modernize their security? How should customers engage with Cybersecurity Action Team? Resources: Google Cybersecurity Action Team "Google Announces Cybersecurity Action Team to Support the Security Transformations of Public and Private Sector Organizations” “Site Reliability Engineering” book (free) “Autonomic Security Operations: 10X Transformation of the Security Operations Center” paper

Guest: Aditi Joshi, Manager in Cloud Security Team @ Google Cloud Topics: What is Allyship? How is it defined? What is its main goal? Why is allyship important in Cloud Security, specifically? Are there aspects of security that make allyship particularly important? What specifically has Google Cloud Security deployed and operationalized around Allyship? How does effective allyship look like? More personally, how can I be a better ally? How does it fit into Google Cloud Security’s overarching DEI efforts?

Guest: Rob Sadowski, Trust and Security Lead @  Google Cloud Topics: What are the big security themes at NEXT? Is security still visible? What about invisible security vs autonomic security? Is that just “invisible security” with a neat name? This has got to be your fourth or fifth Next, right? What’s new this year compared to last years, aside from being virtual? Anything particularly uniquely Google we’re talking about? What to watch at NEXT, if you are a CISO? We secure not just GCP with our tools and approaches, so what to watch if not yet a GCP client? If you have only time for 3 security sessions, which 3 to watch? Resources: Google Cloud NEXT

Guest: Matt Svensson, Senior Security Engineer @ BetterCloud Topics: What are the approaches for monitoring serverless and other modern application architectures? What are the challenges with these new environments? What approaches don’t work? What can go wrong with modern stack security monitoring? What should we watch for in a modern application stack? Most new architecture setups are predicated on identities so is identity the center of threat detection here or not?

Guest: Elliott Abraham, Security and Compliance Specialist @ Google Cloud Topics: We talk about lift and shift vs cloud native, what are these and are they fair characterizations? Is lift and shift always negative? Does it always harm security? Are security planning needs different between them? What are the fundamentals with security during cloud migration that you have to get right regardless? What’s your advice to a security team to help make a migration work well? How do you account for threat model differences in the cloud? Are cloud threats being more different or more the same to the classic ones? Resources: “Google Cloud security foundations guide” "The Phoenix Project" book "Threat Models and Cloud Security" (ep12) "Preparing for Cloud Migrations from a CISO Perspective"  Part 1 (ep5) and Part2 (ep11)

Guest: Derek Abdine, CTO @ Censys.io Topics: Attack Surface Management (ASM). Why do we need a new toolset and  a new category? Isn’t this just 1980s asset management or CMDB? How do we find those assets that may have been misplaced by the organizations? How can any technology do this reliably? ASM seems to often rely on network layer 3 and 4. Can’t bad guys just hit the app endpoints and all your network is irrelevant then? When you think about the threats organizations face due to unknown assets, is data theft at the top of the stack? What should organizations keep in mind as a priority here? Who at an organization is best set up to receive, triage, investigate, and respond to the  alerts about the attack surface? Are there proactive steps organizations can take to prevent shadow IT, or are we stuck responding to each new signal? Isn’t preventing new assets the same as preventing business? Resources: “Cloud Misconfiguration Mayhem An Analysis of Service Exposure Across Cloud Providers“ “Attack Surface Management Buyer’s Guide”

Guest: Iman Ghanizada,   Solutions Manager for Security Operations & Analytics @ Google Cloud Topics: What is your book “Google Cloud Certified Professional Cloud Architect All-in-One Exam Guide” about?  What was your journey into writing this book, how long did it take? The book seems to be targeted towards Cloud Architects, but you come from a predominantly security background, how has that influenced your writing of this book? What does this have to do with The Certs Guy (14 certs!?)  and what's his mission? What’s the intersectional thinking on certificates and making our industry more accessible and inclusive? Do certs help or hurt this? So what’s your advice on certs for various career stages? What are some of the biggest architectural challenges you’ve seen in the field of Cloud Security? Resources: Book "Google Cloud Certified Professional Cloud Architect All-in-One Exam Guide" TheCertsGuy site

Guest: Vicente Diaz,  Threat Intelligence Strategist @ VirusTotal Topics: How would you describe modern threat hunting process? Share some of the more interesting examples of attacker activities or artifacts you've seen? Do we even hunt for malware? What gets you more concerned, malware or human attackers? How do you handle the risk of attackers knowing how you perform hunting? What is the role of threat research role for hunting? Do you need research to hunt well? Does threat research power attribution? How do you tell a good YARA rule from a bad one, and a great one? What’s the evolutionary journey for a YARA rule? What is your view on the future of hunting? Resources: YARA documentation "Deep Thinking: Where Machine Intelligence Ends and Human Creativity Begins" by Gary Kasparov  

Guest:  Sam Curry,  Chief Security Officer @ Cybereason and Visiting Fellow @ National Security Institute Topics: EDR was “invented” in 2013 and we are now in 2021. What do you consider to be modern EDR components and capabilities? Where has EDR fallen short on its initial hype? How focused are the attackers on bypassing EDR? How do you think EDR works in the cloud? In your view, how would future EDR work for containers, microservices, etc? Why aren’t we winning the war against ransomware? XDR is an interesting concept, so how do you define XDR? Is XDR just EDR++ or is XDR SIEM 4.0? Resources: “The Pyramid of Pain” blog by David Bianco “Named: Endpoint Threat Detection & Response” “Dune” book “The Bomber Mafia“ book

Guest: Andy Wen, Product Lead for Abuse & Security @ Google Cloud Topics: What are you doing with AI for security? What kinds of security problems are addressable with AI, and which ones are harder to address with ML techniques? Tell us where you’ve been surprised by AI’s success? Do you expect a) AI use by adversaries and b) attacks focused on disrupting the AI use by defenders? What advice would you give a PM or technical lead starting out on thinking they want to use AI to solve a problem? Resources: Andy Wen presentation from Cloud Security Talks 2021 “The Future of Machine Learning and Cybersecurity”

Guest: Keith McCammon, Co-founder and Chief Security Officer, Red Canary Topics: What is Detection Engineering? How it differs from just building rules/analytics? How to convert threat intelligence into detections?  How to tell good detections from bad? And perhaps also good from great? How to test detections in the real world? Anything special about building detections for cloud environments? What do you think is the role of “rule-less” (such as ML) detections? Is “ML unicorn cavalry” coming? Resources: The Red Canary Blog 2021 Threat Detection Report Alerting and Detection Strategy Framework Atomic Red Team toolset

Guest: Johnathan Keith, Director of Information Security (CISO) @  ViacomCBS Streaming / Digital (at the time of the recording) Topics: What is the mission for your SOC? Has it evolved in recent years? How do you rate your state of maturity in security operations? I hear that your organization is complex and decentralized, how do you run a SOC in such a case? How do you approach the balance of people, process and technology in your SOC? What is the role of outsourcing in your SOC?  Is cloud included in your SOC mission scope? What are the immediate things you plan to improve? Resources: Security Summit Talk that this podcast episode is based on (all Google Cloud Security Summit 2021 talks)

Guest:  John Stone, Chaos Coordinator at the Office of the CISO @ Google Cloud Topics: What are the top European-specific cloud migration security challenges? Are there interesting cloud adoption barriers related to security in Europe? Are some of these challenges more compliance than security related? Do you think compliance still drives security in the cloud for European companies? Do you think Europe can ever "make their own cloud"? So, what do you make of this entire movement about “data sovereignty”?  

Guests: Eric Brewer, VP of Infrastructure, and Google Fellow @ Google Aparna Sinha, Director of Product Management @ Google Cloud Topics: What is software supply chain security and how is it different from other kinds of supply chain security?  What types of organizations need to care about it? Is supply chain security a concern for large, elite enterprises only?  What’s the relationship between what we’re doing here, and what SBOM is? Can you talk us through a quick threat assessment of a supply chain security issue? What are the realistic threats here and who are the threat actors involved? How does Google try to solve these problems internally? Have we succeeded?  How does this translate into our products? By the way, what’s SLSA? Resources: “Container Security: Building trust in your software supply chain” (live event on July 29, 2021) “Tracking The Trail Of Software: The Key To Boosting Security”  “Introducing SLSA, an End-to-End Framework for Supply Chain Integrity” DORA study

No guests. We interviewed each other! Topics: What would you say are the most things that Chronicle is trying to address today? What are the good ways to use threat intel to detect threats that do not ruin your SOC? What does “autonomic” security mean, anyway? Is this a fancy way of saying “automatic” or something more? For sure, “the Cloud is not JUST someone else’s computer“ - but how does this apply to threat detection? What makes threat detection “cloud-native”? What kinds of ML magic does your mini UEBA inside SCC use? Can you really do automated remediation in the cloud? Resources: Google Cloud Security Summit “Making Invisible Security a Reality with Google” keynote “Security Analytics at Google Speed and Scale” presentation by Anton “Managing Your Security Posture on Google Cloud” presentation by Tim “Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…” blog Chronicle main site Threat Detection in Logs in Google Cloud SCC video “Modern Threat Detection at Google” (episode 17)  “Automate and/or Die?” (episode 3)

Guests: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud  Dave Hannigan, Director, Financial Services Security & Compliance @ Google Cloud  Topics: As a CISO, would you ever decide to use multiple clouds, if it were in your hands?  How is security typically considered when companies go multi-cloud in their approach? Practically, or operationally, how does one think through securing multiple public cloud environments? What are the top challenges here? Different controls? Lack of tools? Confusing process? Skills on the team? Would you always buy security tools from a 3rd party (not a CSP) if you have to cover more than one cloud provider? Anything to add about compliance across multiple clouds? What is the best approach for securing multiple SaaS services that your company uses? Resources: “IDC: A multicloud strategy can mitigate regulatory, business risks” “Anthos security” SANS papers on securing multiple clouds (example)

Guest: Kelly Anderson, Head of Product Marketing, User Protection Services @ Google Cloud Topics: What is marketing, really? Why is it sometimes reviled by the technologists? What makes a great marketer in cloud security? What’s different about cloud security marketing, as opposed to regular old on-premise security marketing? Is there still FUD in the cloud? Which things are the easiest or hardest to do in Google Cloud Security marketing? How do you talk about products so they stand out from the noise? How’s Google Cloud marketing helping our users stay ahead of the adversaries? Resources: Security insights that help customers stay up to date Customer case studies on our security products Quarterly Google Cloud Security Talks  Cloud security webinars on BrightTALK and Cloud OnAir  Identity and security blogs on the Google Cloud blog

Guest: Heather Adkins, Sr Director, Information Security @ Google Topics: Your RSA presentation has 3 pillars: zero trust, microservices, automation/zero prod, is this all you need to be secure & reliable in the modern world? Let’s drill down again into the “secure and reliable” concept, are you sure that they are interrelated? Is there a risk that microservices could actually increase attack surface? What are the practical security upsides of “no touch production”?  SRE and DevOps revolutionized IT, can we expect a similar revolution for security? Where would it come from? Resources: “Building Secure and Reliable Systems” RSA 2021 presentation by Heather Adkins  “Building Secure and Reliable Systems” book (free) “Modern Threat Detection at Google” (ep 17) Google BeyondCorp Google BeyondProd NIST 800-27 “Zero Trust Architecture”

Guest 1: Sparky Toews, Product Manager for Adobe identity @ Adobe Topics 1: Why are bots a problem to you? Give us a bit of your bot threat assessment? Can you tell us how you think about and practice securing the user experience? What kind of security products or best practices are involved? How do you see what security professionals do to secure the user experience evolving over time? Guests 2: Randy Gingeleski, Senior Staff Security Engineer @ HBO Max Brian Lozada, CISO @ HBO Max Topics 2: Can you tell us how you think about and practice securing the user experience at HBO? What kind of security products or best practices are involved? How does reCAPTCHA Enterprise fit into all of this? How do you see what security professionals do to secure the user experience evolving over time?

Guests: Jane Chung, VP of Cloud @ Palo Alto Joe Crawford, Director of Strategic Technology Partnerships for Google Cloud @ Palo Alto Topics: What are the top security mistakes you’ve seen during cloud migrations? What is your best advice to security leaders who want to go to the cloud using the on-premise playbook? What security technologies may no longer be needed in the cloud? Which are transformed by the cloud? Cloud often implies agility, but sometimes security slows things down, how to fix that? How do security needs change based on adoption architecture (cloud, hybrid with on-premise, multi-cloud, multi cloud with on-premise)? From a security perspective, is there really any such thing as “lift and shift”? How do we teach cloud to security leaders who “grew up” on-premise? Resources: Use “Move and Improve” Instead of “Lift an Shift” “Data Security in the Cloud” (Episode 2) “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age” book CSA CCM v4

Guest: Julien Vehent, Security Engineering Manager in the Detection and Response team @ Google Topics: What is special about detecting modern threats in modern environments? How does the Google team turn the knowledge of threats into detection logic? Run through an example of creating a detection for a new threat? How do we test our detection rules? We use the same people to write detections and to respond to resulting alerts, how is it working? What are the key skills of good security analysts to build cloud threat detection? Resources: “Site Reliability Engineering" book (free) “Building Secure & Reliable Systems” book (free) “Securing DevOps“ by our very guest Julien Vehent  

Guests: Tim Dierks, Engineering Director, Data Protection @ Google Cloud Topics: What are the key components of data security in the public cloud today? Why do companies need specific data security plans and products? Do you think Google Cloud today has enough controls for processing the most sensitive data? Many organizations seem to be unaware of where sensitive data exists in their cloud environments, how do you think this problem will be fixed? What is your view on encryption's role in future cloud security? Do organizations mostly encrypt for security or for compliance? How do we help companies navigate the tradeoffs between complying with nation-state regulations and best practices for availability? I hear you are involved with some interesting key management innovations like HYOK via Cloud EKM, why do these matter for clients today? Resources: Forrester report “The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021”  “New whitepaper: Designing and deploying a data security strategy with Google Cloud” “Hold your own key with Google Cloud External Key Manager” “Building Secure and Resilient Systems” book (free)

Guest: Greg Castle, Senior Staff Security Engineer at Google Topics: How is kubernetes security different from traditional host security? What’s different about securing GKE vs security Kubernetes on-prem? Where does one start with security hardening for GKE? In your view, what are top realistic threats to container deployments? What do users get wrong most often? Did we manage to make containers both more secure and more usable?

Guest: Zeal Somani, Security Solutions Manager @ Google Cloud, former PCI QSA Topics: What are the usable recipes for thinking about compliance in the cloud? What regulations are more challenging for public cloud users? How do you see the client/provider responsibility split for compliance? What is this “shift left” for compliance? How do we educate auditors and regulators who insist on 1980s solutions to 2020s problems? What are the most popular mistakes and blind spots with trying to be compliant in the cloud? Resources: Whitepaper “Risk governance of digital transformation: guide for risk, compliance & audit teams”

Guest: Alyssa Miller,  BISO @ S&P Global Ratings Topics: How do application security practices change as organizations launch their cloud transformations? What bad things happen to you if you lift/shift your big applications to somebody's IaaS? What unique challenges do containers and serverless deployments create for application security? Is there good news here? How can cloud native technologies make application security easier than a traditional on-prem environment? What can organizations do to ensure the security of cloud-based SaaS solutions? How do DevOps and CI/CD impact the ability to secure cloud-based applications? What is your advice to security leaders who still want to practice appsec for cloud apps in the same manner as they did it for on-premise, the old way? What follow-up reading do you recommend on preparing for an application migration to Cloud? Resources: Cloud security trainings DevOps.com

Guest: Seth Vargo, Security Engineer @ Google Cloud Topics: How should security teams change their thinking about threats in the cloud? Where and when should an organization start in building their threat model for their cloud environment? What are the key changes of threat models after cloud migration? More specifically, when it comes to identity, credentials, lateral movement, what are the key ways in which cloud security differs from traditional or on-premises security? How should users who are leading the cloud migration help their colleagues think about security in the cloud? When am I "done" with cloud security planning?

Guests: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Dave Hannigan, Director, Financial Services Security & Compliance @ Google Cloud Topics: To continue on the theme from Part 1, is “cloud-native” about thinking? Security tools? Systems? Architecture? How do we practically help CISOs “speak cloud”? What are the first steps to cloud thinking for an “on-premise CISO”? What are the areas of security where it is easier to become a cloud-native? How do you see a CISO transition journey from the on-premise thinking and technologies to cloud thinking and technology? How are CISOs thinking about third party security controls vs native, cloud provider security controls? Resources: “Preparing for Cloud Migrations from a CISO Perspective, Part 1” “CISO’s guide to Cloud Security Transformation”

Guest: Eric Foster, President at CYDERES, a Fishtech Group company Topics: How do you define “modern” SIEM? Does modern SIEM always imply SaaS SIEM? Is there a future for on-premises SIEM? What are your top 3 root causes for SIEM deployment failure today? Modern or not, does SIEM have a future? Can XDR or some other technology drive it off the rails? What features or inputs should SIEM have to detect modern threats such as those to cloud environments but also others? What’s different about threat detection in Cloud? What is your view of the current frenzy about “AI”/ML for security? Resources: “Cyderes CNAP Makes SIEM Modernization a Snap”

Guest: Avi Shua, CEO and Co-founder @ Orca Security Topics: Where do you spend more efforts, on detection of pre-fail issues (like configuration errors) or post-fail issues (like incidents)? How do you prioritize the preventative and detective controls in your platform? When talking to CISOs, how do you explain that cloud threat detection is different from the on-premise type? In your opinion, are agents dead in the cloud? Do you think your customers care more about cloud-specific threats or traditional threats against cloud assets? How do you think about the tradeoff for security teams between using cloud native controls vs a 3rd party vendor like, say, you? Resources: “The Orca Security 2020 State of Public Cloud Security Report“

Guest:  John Kindervag, who is widely considered to be the creator of zero trust model in 2010 (currently works at ON2IT) Topics: What has changed in the world of zero trust since 2010? What must be trusted for a zero trust (ZT) system to work? What are key ZT project success pre-requisites? What is the first step in ZT implementation that increases the chance of its success? Is zero trust hard for most companies? What’s the most spectacular failure you’ve seen in a ZT project? Where do you see ZT heading in the next 10+ years? Resource: John's original zero trust paper (2010)

Guest: Brandon Levene, Malware Inquisitor @ Google Cloud Topics covered: Which malware is scarier, state-sponsored or criminal? How do we approach cybercrime mitigation at Google? How do we actually track malware? Don’t we need “attribution” for it? What are the most useful telemetry sources for study in modern malware? Does ransomware have a bright future? Where do you see threat actors making the biggest investments? Resource: "Crimeware In The Modern Era" paper by Brandon Levene

Guests: no guests, just Tim and Anton  Topics covered: Discussion of the interesting presentations from Cloud Security Talks Q1 2021 focused on trusted cloud, container security, cyber insurance, Chronicle, ML for network security, etc Resources: All Q1 2021 Cloud Security Talks “Cloud Risk Panel Discussion” video “A conversation on overcoming risk management challenges in the Cloud” video  “Better together - expanding the Confidential Computing ecosystem” video “Detect potential threats to your containers” video “Supercharge your security telemetry with Chronicle” video “Tales from the trenches: Using machine learning to create safer networks” video “Chrome Enterprise Security - A deep dive” video

Guests: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud  Nick Godfrey, Director, Financial Services Security & Compliance and a member of Office of the CISO @ Google Cloud Topics covered: Why do you think so many CISOs of traditional organizations fear cloud migrations? What is your best advice to a CISO who wants to migrate to the cloud using the on-premise playbook, or lift and shift?  What are the real tradeoffs in this decision such as using familiar tools/practices vs cloud benefits/effectiveness?  What would you recommend reading for a CISO managing their first cloud migration Resources mentioned: Paper “CISO’s guide to Cloud Security Transformation”  Book “Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems”  Book “Practical Guide to Cloud Migration”

Episode 4 “Gathering Data for Zero Trust” focuses on enabling zero trust access in the real world Guest: Max Saltonstall (@maxsaltonstall), Developer Advocate @ Google Cloud   Topics covered: What should be trusted for a zero trust system to work? What is the first thing you need to do to have a zero trust access project succeed? What data needs to be collected for zero trust system operation?

Episode 3 “Automate and/or Die?” focuses on automated remediation (or is it response!) in the cloud Guest: Joe Crawford, formerly in charge of cloud-native security at a large bank Topics covered: Can we automatically remediate vulnerabilities and threats in the cloud? Did you require humans to be in the loop for your automation? Is that still automation if we do? Does security fear of automation have a place in the cloud?

Episode 2 “Data Security in the Cloud” focuses on data security in the cloud  Guest: Andrew Lance, Sidechain Topics covered: What is special about data security in the cloud? How data security plays in the shift from perimeter and network security to identity-based security? Can I use detective data security controls and turn them into preventative controls? Resources: “Designing and deploying a data security strategy with Google Cloud” paper

“Confidentially Speaking” episode focuses on confidential computing Guest: Nelly Porter, Group Product Manager @ Google. Topics covered: What risks are mitigated by confidential computing? What types of organizations must adopt confidential computing? How and where the data is encrypted? Resources:  Confidential computing at Google Cloud