Cloud Security Podcast by Google

Guests:

• Robin Shostack, Security Program Manager, Google

• Jibran Ilyas, Managing Director Incident Response, Mandiant, Google Cloud

Topics:

• You talk about “teamwork under adverse conditions” to describe expedition behavior (EB). Could you tell us what it means?

• You have been involved in response to many high profile incidents, one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response?  

• Apart from during incident response which is almost definitionally an adverse condition, how else can security teams apply this knowledge?

• If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It’s probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team?

• How do we create it in an existing team or an under-performing team?

Resources:

• EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

• “Take a few of these: Cybersecurity lessons for 21st century healthcare professionals” blog

• Getting More by Stuart Diamond book

• Who Moved My Cheese by Spencer Johnson  book

Guest:

• Brandon Wood, Product Manager for Google Threat Intelligence

Topics:

• Threat intelligence is one of those terms that means different things to everyone–can you tell us what this term has meant in the different contexts of your career?  What do you tell people who assume that “TI = lists of bad IPs”?

• We heard while prepping for this show that you were involved in breaking up a human trafficking ring: tell us about that!

• In Anton’s experience, a lot  of cyber TI is stuck in “1. Get more TI 2. ??? 3. Profit!” How do you move past that?

• One aspect of threat intelligence that’s always struck me as goofy is the idea that we can “monitor the dark web” and provide something useful. Can you change my mind on this one?

• You told us your story of getting into sales, you recently did a successful rotation into the role of Product Manager,, can you tell us about what motivated you to do this and what the experience was like?

• Are there other parts of your background that inform the work you’re doing and how you see yourself at Google? 

• How does that impact our go to market for threat intelligence, and what’re we up to when it comes to keeping the Internet and broader world safe?

Resources:

• Video

• EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons

• EP128 Building Enterprise Threat Intelligence: The Who, What, Where, and Why

• EP112 Threat Horizons - How Google Does Threat Intelligence

• Introducing Google Threat Intelligence: Actionable threat intelligence at Google scale

• A Requirements-Driven Approach to Cyber Threat Intelligence

Guests:

• Omar ElAhdan, Principal Consultant, Mandiant, Google Cloud

• Will Silverstone, Senior Consultant, Mandiant, Google Cloud

Topics:

• Most organizations you see use both cloud and on-premise environments. What are the most common challenges organizations face in securing their hybrid cloud environments?

• You do IR so in your experience, what are top 5  mistakes organizations make that lead to cloud incidents?

• How and why do organizations get the attack surface wrong? Are there pillars of attack surface?

• We talk a lot about how IAM matters in the cloud.  Is that true that AD is what gets you in many cases even for other clouds?

• What is your best cloud incident preparedness advice for organizations that are new to cloud and still use on-prem as well?

Resources:

• Next 2024 LIVE Video of this episode / LinkedIn version (sorry for the audio quality!)

• “Lessons Learned from Cloud Compromise” podcast at The Defender’s Advantage

• “Cloud compromises: Lessons learned from Mandiant investigations” in 2023 from Next 2024

• EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler

Guest:

• Seth Vargo, Principal Software Engineer responsible for Google's use of the public cloud, Google

Topics:

• Google uses the public cloud, no way, right? Which one? Oh, yeah, I guess this is obvious: GCP, right?

• Where are we like other clients of GCP?  Where are we not like other cloud users?

• Do we have any unique cloud security technology that we use that others may benefit from?

• How does our cloud usage inform our cloud security products?

• So is our cloud use profile similar to cloud natives or traditional companies?

• What are some of the most interesting cloud security practices and controls that we use that are usable by others?

• How do we make them work at scale? 

Resources:

• EP12 Threat Models and Cloud Security (previous episode with Seth)

• EP66 Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics

• IAM Deny

• Seth Vargo blog

• “Attention Is All You Need” paper (yes, that one)

Guest:

• Crystal Lister, Technical Program Manager, Google Cloud Security

Topics:

• Your background can be sheepishly called “public sector”, what’s your experience been transitioning from public to private? How did you end up here doing what you are doing?

• We imagine you learned a lot from what you just described – how’s that impacted your work at Google?

• How have you seen risk management practices and outcomes differ?

• You now lead Google Threat Horizons reports, do you have a vision for this? How does your past work inform it?

• Given the prevalence of ransomware attacks, many organizations are focused on external threats. In your experience, does the risk of insider threats still hold significant weight? What type of company needs a dedicated and separate insider threat program?

Resources:

• Video on YouTube

• Google Cybersecurity Action Team Threat Horizons Report #9 Is Out!

• Google Cybersecurity Action Team site for previous Threat Horizons Reports

• EP112 Threat Horizons - How Google Does Threat Intelligence

• Psychology of Intelligence Analysis by Richards J. Heuer

• The Coming Wave by Mustafa Suleyman 

• Visualizing Google Cloud: 101 Illustrated References for Cloud Engineers and Architects

Guest:

• Angelika Rohrer, Sr. Technical Program Manager , Cyber Security Response at Alphabet

Topics:

• Incident response (IR) is by definition “reactive”, but ultimately incident prep determines your IR success. What are the broad areas where one needs to prepare?

• You have created a new framework for measuring how ready you are for an incident, what is the approach you took to create it?

• Can you elaborate on the core principles behind the Continuous Improvement (CI) Framework for incident response?

• Why is continuous improvement crucial for effective incident response, especially in cloud environments? Can’t you just make a playbook and use it?

• How to overcome the desire to focus on the easy metrics and go to more valuable ones?

• What do you think Google does best in this area?

• Can you share examples of how the CI Framework could have helped prevent or mitigate a real-world cloud security incident?

• How can other organizations practically implement the CI Framework to enhance their incident response capabilities after they read the paper?

Resources:

• “How do you know you are "Ready  to Respond"? paper

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

Guest:

• Shan  Rao, Group Product Manager, Google 

Topics:

• What are the unique challenges when securing AI for cloud environments, compared to traditional IT systems?

• Your talk covers 5 risks, why did you pick these five? What are the five, and are these the worst?

• Some of the mitigation seems the same for all risks. What are the popular SAIF mitigations that cover more of the risks?

• Can we move quickly and securely with AI? How?

• What future trends and developments do you foresee in the field of securing AI for cloud environments, and how can organizations prepare for them?

• Do you think in 2-3 years AI security will be a separate domain or a part of … application security? Data security? Cloud security? 

Resource:

• Video (LinkedIn, YouTube)  [live audio is not great in these]

• “A cybersecurity expert's guide  to securing AI products with Google SAIF“ presentation

• SAIF Site

• “To securely build AI on Google Cloud, follow these best practices” (paper)

• “Secure AI Framework (SAIF): A Conceptual Framework for Secure AI Systems” resources

• Corey Quinn on X (long story why this is here… listen to the episode)

Guests:

• None

Topics:

• What have we seen at RSA 2024?

• Which buzzwords are rising (AI! AI! AI!) and which ones are falling (hi XDR)?

• Is this really all about AI? Is this all marketing?

• Security platforms or focused tools, who is winning at RSA?

• Anything fun going on with SecOps?

• Is cloud security still largely about CSPM?

• Any interesting presentations spotted?

Resources:

• EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side (RSA 2024 episode 1 of 2)

• “From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis” blog

• “Decoupled SIEM: Brilliant or Stupid?” blog

• “Introducing Google Security Operations: Intel-driven, AI-powered SecOps” blog

• “Advancing the art of AI-driven security with Google Cloud” blog

Guest:

• Elie Bursztein, Google DeepMind Cybersecurity Research Lead, Google

 Topics:

• Given your experience, how afraid or nervous are you about the use of GenAI by the criminals (PoisonGPT, WormGPT and such)?

• What can a top-tier state-sponsored threat actor do better with LLM? Are there “extra scary” examples, real or hypothetical?

• Do we really have to care about this “dangerous capabilities” stuff (CBRN)? Really really?

• Why do you think that AI favors the defenders? Is this a long term or a short term view?

• What about vulnerability discovery? Some people are freaking out that LLM will discover new zero days, is this a real risk?

 Resources:

• “How Large Language Models Are Reshaping the Cybersecurity Landscape” RSA 2024 presentation by Elie (May 6 at 9:40AM)

• “Lessons Learned from Developing Secure AI Workflows” RSA 2024 presentation by Elie (May 8, 2:25PM)

• EP50 The Epic Battle: Machine Learning vs Millions of Malicious Documents

• EP40 2021: Phishing is Solved?

• EP135 AI and Security: The Good, the Bad, and the Magical

• EP170 Redefining Security Operations: Practical Applications of GenAI in the SOC

• EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It

• PyRIT LLM red-teaming tool

• Accelerating incident response using generative AI

• Threat Actors are Interested in Generative AI, but Use Remains Limited

• OpenAI’s Approach to Frontier Risk

Guest:

• Payal Chakravarty, Director of Product Management, Google SecOps, Google Cloud

Topics:

• What are the different use cases for GenAI in security operations and how can organizations  prioritize them for maximum impact to their organization?

• We’ve heard a lot of worries from people that GenAI will replace junior team members–how do you see GenAI enabling more people to be part of the security mission?

• What are the challenges and risks associated with using GenAI in security operations?

• We’ve been down the road of automation for SOCs before–UEBA and SOAR both claimed it–and AI looks a lot like those but with way more matrix math-what are we going to get right this time that we didn’t quite live up to last time(s) around?

• Imagine a SOC or a D&R team of 2029. What AI-based magic is routine at this time? What new things are done by AI? What do humans do?

Resources:

• Live video (LinkedIn, YouTube) [live audio is not great in these]

• Practical use cases for AI in security operations, Cloud Next 2024 session by Payal

• EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It

• EP169 Google Cloud Next 2024 Recap: Is Cloud an Island, So Much AI, Bots in SecOps

• 15 must-attend security sessions at Next '24

Guests: 

• no guests (just us!)

Topics:

• What are some of the fun security-related launches from Next 2024 (sorry for our brief “marketing hat” moment!)?

• Any fun security vendors we spotted “in the clouds”?

• OK, what are our favorite sessions? Our own, right? Anything else we had time to go to?

• What are the new security ideas inspired by the event (you really want to listen to this part! Because “freatures”...)

• Any tricky questions at the end?

Resources:

• Live video (LinkedIn, YouTube) [live audio is not great in these]

• 15 must-attend security sessions at Next '24

• Cloud CISO Perspectives: 20 major security announcements from Next ‘24

• EP137 Next 2023 Special: Conference Recap - AI, Cloud, Security, Magical Hallway Conversations (last year!)

• EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?

• EP90 Next Special - Google Cybersecurity Action Team: One Year Later!

• A cybersecurity expert's guide to securing AI products with Google SAIF Next 2024 session

• How AI can transform your approach to security Next 2024 session

Guests: 

• Umesh Shankar, Distinguished Engineer, Chief Technologist for Google Cloud Security

• Scott Coull, Head of Data Science Research, Google Cloud Security

Topics:

• What does it mean to “teach AI security”? How did we make SecLM? And also: why did we make SecLM?

• What can “security trained LLM” do better vs regular LLM?

• Does making it better at security make it worse at other things that we care about?

• What can a security team do with it today?  What are the “starter use cases” for SecLM?

• What has been the feedback so far in terms of impact - both from practitioners but also from team leaders?

• Are we seeing the limits of LLMs for our use cases? Is the “LLM is not magic” finally dawning?

Resources:

• “How to tackle security tasks and workflows with generative AI” (Google Cloud Next 2024 session on SecLM)

• EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?

• EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models

• Supercharging security with generative AI 

• Secure, Empower, Advance: How AI Can Reverse the Defender’s Dilemma?

• Considerations for Evaluating Large Language Models for Cybersecurity Tasks

• Introducing Google’s Secure AI Framework

• Deep Learning Security and Privacy Workshop 

• Security Architectures for Generative AI Systems

• ACM Workshop on Artificial Intelligence and Security

• Conference on Applied Machine Learning in Information Security

Speakers:

•  Maria Riaz, Cloud Counter-Abuse, Engineering Lead, Google Cloud

Topics:

• What is “counter abuse”? Is this the same as security?

• What does counter-abuse look like for GCP?

• What are the popular abuse types we face? 

• Do people use stolen cards to get accounts to then violate the terms with?

• How do we deal with this, generally?

• Beyond core technical skills, what are some of the relevant competencies for working in this space that would appeal to a diverse set of audience?

• You have worked in academia and industry. What similarities or differences have you observed?

Resources / reading:

• Video

• EP165 Your Cloud Is Not a Pet - Decoding 'Shifting Left' for Cloud Security

• P161 Cloud Compliance: A Lawyer - Turned Technologist! - Perspective on Navigating the Cloud

• “Art of War” by Sun Tzu

• “Dare to Lead” by Brene Brown

• "Multipliers" by Liz Wiseman

Guests:

• Evan Gilman, co-founder CEO of Spirl

• Eli Nesterov, co-founder CTO of Spril

Topics:

• Today we have IAM,  zero trust and security made easy. With that intro, could you give us the 30 second version of what a workload identity is and why people need them? 

• What’s so spiffy about SPIFFE anyway? 

• What’s different between this and micro segmentation of your network–why is one better or worse? 

• You call your book “solving the bottom turtle” could you tell us what that means?

• What are the challenges you’re seeing large organizations run into when adopting this approach at scale? 

• Of all the things a CISO could prioritize, why should this one get added to the list? What makes this, which is so core to our internal security model–ripe for the outside world?

• How people do it now, what gets thrown away when you deploy SPIFFE? Are there alternative?

• SPIFFE is interesting, yet can a startup really “solve for the bottom turtle”? 

Resources:

• SPIFFE  and Spirl

• “Solving the Bottom Turtle” book [PDF, free]

• “Surely You're Joking, Mr. Feynman!” book [also, one of Anton’s faves for years!]

• “Zero Trust Networks” book

• Workload Identity Federation in GCP

Guest:

• Ahmad Robinson,  Cloud Security Architect, Google Cloud

Topics:

• You’ve done a BlackHat webinar where you discuss a Pets vs Cattle mentality when it comes to cloud operations. Can you explain this mentality and how it applies to security?

• What in your past led you to these insights?  Tell us more about your background and your journey to Google.  How did that background contribute to your team?

• One term that often comes up on the show and with our customers is 'shifting left.'  Could you explain what 'shifting left' means in the context of cloud security? What’s hard about shift left, and where do orgs get stuck too far right?

• A lot of “cloud people” talk about IaC and PaC but the terms and the concepts are occasionally confusing to those new to cloud. Can you briefly explain Policy as Code  and its security implications? Does PaC help or hurt security?

Resources:

• “No Pets Allowed - Mastering The Basics Of Cloud Infrastructure” webinar

• EP33 Cloud Migrations: Security Perspectives from The Field

• EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?

• EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud

Guest:

• Jennifer Fernick, Senor Staff Security Engineer and UTL, Google

Topics:

• Since one of us (!) doesn't have a PhD in quantum mechanics, could you explain what a quantum computer is and how do we know they are on a credible path towards being real threats to cryptography? How soon do we need to worry about this one?

• We’ve heard that quantum computers are more of a threat to asymmetric/public key crypto than symmetric crypto. First off, why? And second, what does this difference mean for defenders?

• Why (how) are we sure this is coming? Are we mitigating a threat that is perennially 10 years ahead and then vanishes due to some other broad technology change?

• What is a post-quantum algorithm anyway? If we’re baking new key exchange crypto into our systems, how confident are we that we are going to be resistant to both quantum and traditional cryptanalysis? 

• Why does NIST think it's time to be doing the PQC thing now? Where is the rest of the industry on this evolution?

• How can a person tell the difference here between reality and snakeoil? I think Anton and I both responded to your initial email with a heavy dose of skepticism, and probably more skepticism than it deserved, so you get the rare on-air apology from both of us!

Resources:

• Securing tomorrow today: Why Google now protects its internal communications from quantum threats

• How Google is preparing for a post-quantum world

• NIST PQC standards

• PQ Crypto conferences

• “Quantum Computation & Quantum Information” by Nielsen & Chuang book

• “Quantum Computing Since Democritus” by Scott Aaronson book

• EP154 Mike Schiffman: from Blueboxing to LLMs via Network Security at Google

Guest:

• Phil Venables, Vice President, Chief Information Security Officer (CISO) @ Google Cloud

 Topics: 

• You had this epic 8 megatrends idea in 2021, where are we now with them?

• We now have 9 of them, what made you add this particular one (AI)?

• A lot of CISOs fear runaway AI. Hence good governance is key! What is your secret of success for AI governance? 

• What questions are CISOs asking you about AI? What questions about AI should they be asking that they are not asking?

• Which one of the megatrends is the most contentious based on your presenting them worldwide?

• Is cloud really making the world of IT simpler (megatrend #6)?

• Do most enterprise cloud users appreciate the software-defined nature of cloud (megatrend #5) or do they continue to fight it?

• Which megatrend is manifesting the most strongly in your experience?

Resources:

• Megatrends drive cloud adoption—and improve security for all and infographic

• “Keynote | The Latest Cloud Security Megatrend: AI for Security”

• “Lessons from the future: Why shared fate shows us a better cloud roadmap” blog and shared fate page

• SAIF page

• “Spotlighting ‘shadow AI’: How to protect against risky AI practices” blog

• EP135 AI and Security: The Good, the Bad, and the Magical

• EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security

• Secure by Design by CISA

Guest:

• Kat Traxler, Security Researcher, TrustOnCloud

Topics:

• What is your reaction to “in the cloud you are one IAM mistake away from a breach”? Do you like it or do you hate it?

• A lot of people say “in the cloud, you must do IAM ‘right’”. What do you think that means? What is the first or the main idea that comes to your mind when you hear it?

• How have you seen the CSPs take different approaches to IAM? What does it mean for the cloud users?

• Why do people still screw up IAM in the cloud so badly after years of trying?

• Deeper, why do people still screw up resource hierarchy and resource management? 

• Are the identity sins of cloud IAM users truly the sins of the creators? How did the "big 3" get it wrong and how does that continue to manifest today?

• Your best cloud IAM advice is “assign roles at the lowest resource-level possible”, please explain this one? Where is the magic?

Resources:

• Video (Linkedin, YouTube)

• Kat blog

• “Diving Deeply into IAM Policy Evaluation” blog

• “Complexity: a Guided Tour” book

• EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same?

• EP129 How CISO Cloud Dreams and Realities Collide

Guest:

• Victoria Geronimo, Cloud Security Architect, Google Cloud

Topics:

• You work with technical folks at the intersection of compliance, security, and cloud. So  what do you do, and where do you find the biggest challenges in communicating across those boundaries?

• How does cloud make compliance easier? Does it ever make compliance harder? 

• What is your best advice to organizations that approach cloud compliance as they did for the 1990s data centers and classic IT?

• What has been the most surprising compliance challenge you’ve helped teams debug in your time here? 

• You also work on standards development –can you tell us about how you got into that and what’s been surprising in that for you? 

• We often say on this show that an organization’s ability to threat model is only as good as their team’s perspectives are diverse: how has your background shaped your work here? 

 Resources:

• Video (YouTube)

• EP14 Making Compliance Cloud-native

• EP25 Beyond Compliance: Cloud Security in Europe 

• Fordham University Law and Technology site

• IAPP  site

Guest:

• Merritt Baer, Field CTO,  Lacework, ex-AWS, ex-USG

Topics:

• How can organizations ensure that their security posture is maintained or improved during a cloud migration? Is cloud migration a risk reduction move?

• What are some of the common security challenges that organizations face during a cloud migration?

• Are there different gotchas between the three public clouds?

• What advice would you give to those security leaders who insist on lift/shift or on lift/shift first?

• How should security and compliance teams approach their engineering and DevOps colleagues to make sure things are starting on the right foot?

• In your view, what is the essence of a cloud-native approach to security?

• How can organizations ensure that their security posture scales as their cloud usage grows?

Resources:

• Video (LinkedIn, YouTube)

• EP69 Cloud Threats and How to Observe Them

• EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud

• EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?

• 9 Megatrends drive cloud adoption—and improve security for all

• Darknet Diaries podcast

Guests:

• Emre Kanlikilicer, Senior Engineering Manager @ Google

• Sophia Gu, Engineering Manager at Google

 Topics

• Workspace makes the claim that unlike other productivity suites available today, it’s architectured for the modern threat landscape. That’s a big claim! What gives Google the ability to make this claim?

• Workspace environments would have many different types of data, some very sensitive. What are some of the common challenges with controlling access to data and protecting data in hybrid work? 

• What are some of the common mistakes you see customers making with Workspace security?

• What are some of the ways context aware access and DLP (now SDP) help with this?

• What are the cool future plans for DLP and CAA?

Resources:

• Google Workspace blog & Workspace Update blog

• EP99 Google Workspace Security: from Threats to Zero Trust

• CISA Zero Trust Maturity Model 2.0

Guest:

• Jason Solomon, Security Engineer, Google

Topics:

• Could you share a bit about when you get pulled into incidents and what are your goals when you are?

• How does that change in the cloud? How do you establish a chain of custody and prove it for law enforcement, if needed?

• What tooling do you rely on for cloud forensics and is that tooling available to "normal people"? 

• How do we at Google know when it’s time to call for help, and how should our customers know that it’s time? 

• Can I quote Ray Parker Jr and ask, who you gonna call?

• What’s your advice to a security leader on how to “prepare for the inevitable” in this context? 

• Cloud forensics - is it easier or harder than the 1990s classic forensics?

 Resource:

• EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• Google SRE Workbook (Ch 9)

• GRR

• Cloud Logging

• LibCloudForensics, Turbinia, Timesketch tools

Guest:

• Arie Zilberstein, CEO and Co-Founder at Gem Security

Topics: 

• How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response?

• What are the key challenges of cloud detection and response?

• Often we lift and shift our teams to Cloud, and not always for bad reasons, so  what’s your advice on how to teach the old dogs new tricks: “on-premise-trained” D&R teams and cloud D&R?

• What is this new CIRA thing that Gartner just cooked up?  Should CIRA exist as a separate market or technology or is this just a slice of CDR or even SIEM perhaps?

• What do you tell people who say that “SIEM is their CDR”?

• What are the key roles and responsibilities of the CDR team? How is the cloud D&R process related to DevOps and cloud-style IT processes?

 Resources:

• Video version of this episode

• Cloud breaches databases

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?

• 9 Megatrends drive cloud adoption—and improve security for all

• “Emerging Tech: Security — Cloud Investigation and Response Automation (CIRA) Offers Transformation Opportunities” (Gartner access required)

• “Does the World Need Cloud Detection and Response (CDR)?” blog

Guest:

• Sandra Joyce, VP at Mandiant Intelligence

Topics:

• Could you give us a brief overview of what this power disruption incident was about?

• This incident involved both Living Off the Land and attacks on operational technology (OT). Could you explain to our audience what these mean and what the attacker did here?

• We also saw a wiper used to hide forensics, is that common these days?

• Did the attacker risk tipping their hand about upcoming physical attacks? If we’d seen this intrusion earlier, might we have understood the attacker’s next moves?

• How did your team establish robust attribution in this case, and how they do it in general? How sure are we, really? 

• Could you share how this came about and maybe some of the highlights in our relationship helping defend that country?

Resources:

• Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology | Mandiant

• Andy Greenberg’s book Sandworm 

• EP155 Cyber, Geopolitics, AI, Cloud - All in One Book?

Guests:

• Derek Reveron, Professor and Chair of National Security at the US Naval War College
• John Savage, An Wang Professor Emeritus of Computer Science of Brown University

Topics:

• You wrote a book on cyber and war, how did this come about and what did you most enjoy learning from the other during the writing process?

• Is generative AI going to be a game changer in international relations and war, or is it just another tool?

• You also touch briefly on lethal autonomous weapons systems and ethics–that feels like the genie is right in the very neck of the bottle right now, is it too late?

• Aside from this book, and the awesome course you offered at Brown that sparked Tim’s interest in this field, how can we democratize this space better? 

• How does the emergence and shift to Cloud impact security in the cyber age?

• What are your thoughts on the intersection of Cloud as a set of technologies and operating model and state security (like sovereignty)? Does Cloud make espionage harder or easier? 

Resources:

• “Security in the Cyber Age” book (and their other books’)

• “Thinking, Fast and Slow” book

• “No Shortcuts: Why States Struggle to Develop a Military Cyber-Force” book

• “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age“ book

• “Active Cyber Defense: Applying Air Defense to the Cyber Domain”

• EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same?

• EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith?

Guest:

• Mike Schiffman, Network Security “UTL”

Topics:

• Given your impressive and interesting history, tell us a few things about yourself?

• What are the biggest challenges facing network security today based on your experience?

• You came to Google to work on Network Security challenges. What are some of the surprising ones you’ve uncovered here?

• What lessons from Google's approach to network security absolutely don’t apply to others? Which ones perhaps do?

• If you have to explain the difference between network security in the cloud and on-premise, what comes to mind first?

• How do we balance better encryption with better network security monitoring and detection?

• Speaking of challenges in cryptography, we’re all getting fired up about post-quantum and network security. Could you give us the maybe 5 minute teaser version of this because we have an upcoming episode dedicated to this?

• I hear you have some interesting insight on LLMs, something to do with blueboxing or something. What is that about?

Resources:

• Video

• EP113 Love it or Hate it, Network Security is Coming to the Cloud

• EP122 Firewalls in the Cloud: How to Implement Trust Boundaries for Access Control

• “A History of Fake Things on the Internet” by WALTER J. SCHEIRER

• Why Google now protects its internal communications from quantum threats

• How Google is preparing for a post-quantum world

• NIST on PQC

• “Smashing The Stack For Fun And Profit” (yes, really)

Guest:

• Kevin Mandia, CEO at Mandiant, part of Google Cloud

Topics:

• When you look back, what were the most surprising cloud breaches in 2023, and what can we learn from them? How were they different from the “old world” of on-prem breaches? 

• For a long time it’s felt like incident response has been an on-prem specialization, and that adversaries are primarily focused on compromising on-prem infrastructure. Who are we seeing go after cloud environments? The same threat actors or not?

• Could you share a bit about the mistakes and risks that you saw organizations make that made their cloud breaches possible or made them worse? Conversely, what ended up being helpful to organizations in limiting the blast radius or making response easier? 

• Tim’s mother worked in a network disaster recovery team for a long time–their motto was “preparing for the inevitable.” What advice do you have for helping security teams and IT teams get ready for cloud breaches? Especially for recent cloud entrants?

• Anton tells his “2000 IDS story” (need to listen for details!) and asks: what approaches for detecting threats actually detects threats today?

Resources:

• EP148 Decoding SaaS Security: Demystifying Breaches, Vulnerabilities, and Vendor Responsibilities

• "Microsoft lost its keys, and the government got hacked" news article

• SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures  (must read by every CISO!)

Guest:

• Michee Smith, Director, Product Management for Global Affairs Works, Google

Topics:

• What is Google Annual Transparency Report and how did we get started doing this? 

• Surely the challenge of a transparency report is that there are things we can’t be transparent about, how do we balance this? What are those? Is it a safe question?

• What Access Transparency Logs are and if they are connected to the report –other than in Tim's mind and your career? 

• Beyond building the annual transparency report, you also work on our central risk data platform. Every business has a problem managing risk–what’s special here? Do we have any Google magic here? 

• Could you tell us about your path in Product Management here? You have been here eight years, and recently became Director. Do you have any advice for the ambitious Google PMs listening to the show? 

 Resources:

• Google Annual Transparency report

• Access Transparency Logs

• “Digital Asset Valuation and Cyber Risk Measurement: Principles of Cybernomics“ book Keyun Ruan

• “Trapped in a frame: Why leaders should avoid security framework traps”  blog

Guest:

• Monica Shokrai, Head Of Business Risk and Insurance For Google Cloud 

Topics:

• Could you give us the 30 second run down of what cyber insurance is and isn't?

• Can you tie that to clouds? How does the cloud change it? Is it the case that now I don't need insurance for some of the "old school" cyber risks?

• What challenges are insurers facing with assessing cloud risks? On this show I struggle to find CISOs who "get" cloud, are there insurers and underwriters who get it?

• We recently heard about an insurer reducing coverage for incidents caused by old CVEs! What's your take on this? Effective incentive structure to push orgs towards patching operational excellence or someone finding yet another way not to pay out? Is insurance the magic tool for improving security?

• Doesn't cyber insurance have a difficult reputation with clients? “Will they even pay?” “Will it be enough?” “Is this a cyberwar exception?” type stuff?

• How do we balance our motives between selling more cloud and providing effective risk underwriting data to insurers?

• How soon do you think we will have actuarial data from many clients re: real risks in the cloud? What about the fact that risks change all the time unlike say many “non cyber” risks?

Resources:

• Video (LinkedIn, YouTube)

• Google Cloud Risk Protection program

• “Cyber Insurance Policy”  by Josephine Wolff 

• InsureSec

Guest:

• Dr Gary McGraw, founder of the Berryville Institute of Machine Learning

Topics:

• Gary, you’ve been doing software security for many decades, so tell us: are we really behind on securing ML and AI systems? 

• If not SBOM for data or “DBOM”, then what? Can data supply chain tools or just better data governance practices help?

• How would you threat model a system with ML in it or a new ML system you are building? 

• What are the key differences and similarities between securing AI and securing a traditional, complex enterprise system?

• What are the key differences between securing the AI you built and AI you buy or subscribe to?

• Which security tools and frameworks will solve all of these problems for us? 

Resources:

• EP135 AI and Security: The Good, the Bad, and the Magical

• Gary McGraw books

• “An Architectural Risk Analysis Of Machine Learning Systems: Toward More Secure Machine Learning“ paper

• “What to think about when you’re thinking about securing AI”

• Annotated ML Security bibliography  

• Tay bot story (2016)

• “Can you melt eggs?”

• “Microsoft AI researchers accidentally leak 38TB of company data”

• “Random number generator attack”

• “Google's AI Red Team: the ethical hackers making AI safer”

• Introducing Google’s Secure AI Framework

Guests:

• John Stoner, Principal Security Strategist, Google Cloud Security

• Dave Herrald, Head of Adopt Engineering, Google Cloud Security

Topics:

• In your experience, past and present, what would make clients trust vendor detection content?

• Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from?

• What is more important, seeing the detection or being able to change it, or both?

• If this is about seeing the detection code/content, what about ML and algorithms?

• What about the SOC analysts who don't read the code?

• What about “tuning” - is tuning detections a bad word now in 2023?

• Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic?

Resources:

• Video (Linkedin, YouTube)

• Github rules for Chronicle

• DetectionEngineering.net by Zack Allen

• “On Trust and Transparency in Detection” blog

• “Detection as Code? No, Detection as COOKING!” blog

• EP64 Security Operations Center: The People Side and How to Do it Right

• EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• Why is Threat Detection Hard?

• Detection Engineering is Painful — and It Shouldn’t Be (Part 1, 2, 3, 4, 5)

Guest:

• Adrian Sanabria,  Director of Valence Threat Labs at Valence Security, ex-analyst

Topics:

• When people talk about “cloud security” they often forget SaaS, what should be the structured approach to using SaaS securely or securing SaaS?

• What are the incidents telling us about the realistic threats to SaaS tools?

• Is the Microsoft 365 breach a SaaS breach, a cloud breach or something else?

• Do we really need CVEs for SaaS vulnerabilities?

• What are the least understood aspects of securing SaaS?

• What do you tell the organizations who assume that “SaaS vendor takes care of all SaaS security”?

• Isn’t CASB the answer to all SaaS security issues? We also have SSPM now too? Do we really need more tools?

Resources:

• VIdeo (LinkedIn, YouTube)

• EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?

• Valence 2023 State of SaaS Security report

• DHS Launches First-Ever Cyber Safety Review Board

• Enterprise Security Weekly podcast

• CloudVulnDb and another cloud vulnerability list

• Cyber Safety Review Board (CSRB) by CISA

Guest: 

• Kelli Vanderlee, Senior Manager, Threat Analysis, Mandiant at Google Cloud

Topics:

• Can you really forecast threats? Won’t the threat actors ultimately do whatever they want?

• How can clients use the forecast? Or as Tim would say it, what gets better once you read it?

• What is the threat forecast for cloud environments? It says “Cyber attacks targeting hybrid and multi-cloud environments will mature and become more impactful“ - what does it mean?

• Of course AI makes an appearance as well: “LLMs and other gen AI tools will likely be developed and offered as a service to assist attackers with target compromises.” Do we really expect attacker-run LLM SaaS? What models will they use? Will it be good?

• There are a number of significant elections scheduled for 2024, are there implications for cloud security?

• Based on the threat information, tell me about something that is going well, what will get better in 2024?

Resources:

• 2024 Google Cloud Security Forecast Report

• EP112 Threat Horizons - How Google Does Threat Intelligence

• EP135 AI and Security: The Good, the Bad, and the Magical

• How to Stop a Ransomware Attack

• Sophisticated StripedFly Spy Platform Masqueraded for Years as Crypto Miner

Guest:

• Wei Lien Dang, GP at Unusual Ventures

 Topics: 

• We have a view at Google that AI for security and security for AI are largely separable disciplines. Do you feel the same way? Is this distinction a useful one for you? 

• What are some of the security problems you're hearing from AI companies that are worth solving? 

• AI is obviously hot, and as always security is chasing the hotness. Where are we seeing the focus of market attention for AI security?

• Does this feel like an area that's going to have real full products or just a series of features developed by early stage companies that get acquired and rolled up into other orgs? 

• What lessons can we draw on from previous platform shifts, e.g. cloud security, to inform how this market will evolve?

 Resources:

• “What to think about when you’re thinking about securing AI” blog / paper

• EP135 AI and Security: The Good, the Bad, and the Magical

• EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?

• EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models

• Introducing Google’s Secure AI Framework

• OWASP Top 10 for Large Language Model Applications

• Unusual VC Startup Field Guide

• Demystifing LLMs and Threats by Caleb Sima

Guest:

• Jay Thoden van Velzen, Strategic Advisor to the CSO, SAP

 Topics:

• What are the challenges with shared responsibility for cloud security?

• Can you explain "shared" vs "separated" responsibility?

• In your article, you mention “shared faith”, we have “shared fate”, but we never heard of shared faith. What is this? Can you explain?

• What about the cloud models (SaaS, PaaS, IaaS), how does this sharing model differ?

• While at it, what is cloud, really? [yes, we really did ask this!]

 Resources:

• LinkedIn post and  Blog

• EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge

• “Security Chaos Engineering” book

• Shared responsibility failures blog

• Shared fate at Google Cloud (also see blogs one and two)

• National Cyber Security strategy

Guest:

• Kathryn Shih, Group Product Manager, LLM Lead in Google Cloud Security

Topics:

• Could you give our audience the quick version of what is an LLM and what things can they do vs not do?  Is this “baby AGI” or is this a glorified “autocomplete”?

• Let’s talk about the different ways to tune the models, and when we think about tuning what are the ways that attackers might influence or steal our data?

• Can you help our security listener leaders have the right vocabulary and concepts to reason about the risk of their information a) going into an LLM and b) getting regurgitated by one?

• How do I keep the output of a model safe, and what questions do I need to ask a vendor to understand if they’re a) talking nonsense or b) actually keeping their output safe? 

• Are hallucinations inherent to LLMs and can they ever be fixed?

• So there are risks to data and new opportunities for attacks and hallucinations. How do we know good opportunities in the area given the risks? 

Resources:

• Retrieval Augmented Generation (or go ask Bard about it)

• “New Paper: “Securing AI: Similar or Different?“”  blog

Guests:

• Tomer Schwartz, Dazz CTO

Topics:

• It seems that in many cases the challenge with cloud configuration weaknesses is not their detection, but remediation, is that true?

• As far as remediation scope, do we need to cover  traditional vulnerabilities (in stock and custom code), configuration weaknesses and other issues too?

• One of us used to cover vulnerability management at Gartner, and in many cases the remediation failures [on premise] were due to process, not technology, breakdowns. Is this the same in the cloud? If still true, how can any vendor technology help resolve it?

• Why is cloud security remediation such a headache for so many organizations?

• Is the friction real between security and engineering teams? Do they have any hope of ever becoming BFFs?

• Doesn’t every CSPM (and now ASPM too?) vendor say they do automated remediation today? How should security pros evaluate solutions for prioritizing, triaging, and fixing issues?

Resources:

• Video (YouTube, LinkedIn)

• Cloud Security Remediation for Dummies

• EP3 Automate and/or Die?

• EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?’

• EP54 Container Security: The Past or The Future?

• EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud

• EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?

• A Guide to Building a Secure SDLC

• 8 Megatrends drive cloud adoption—and improve security for all

Host:

• Stephanie Wong, Product Manager, Google Cloud

Guests (yes, really, we are the guests!):

• Anton Chuvakin

• Tim Peacock

Topics:

• Could you tell us how you ended up in security?

• What was the moment you realized that Cloud security was different from well, regular, security? 

•  Anton is always asking this “3AM test”, where did that come from?

• How do you source topics for the podcast?

• What advice would you give to folks who are interested in getting into security?

• … and other fun questions!

Resources:

• Video (LinkedIn, YouTube)

• Cloud Security Podcast by Google / Twitter / LinkedIn

Guest: 

• Jeremiah Kung, Global Head of Information Security, AppLovin

Topics:

• Before we dive into all of the awesome cloud migrations you’ve experienced and your learnings there, could we start with a topic of East vs West CISO mentality?

• We are talking to more and more CISOs who see the cloud as a net win for security. What’s your take on whether the cloud improves security? 

• We talked about doing some “big” cloud migrations, could you talk about what you learned back in 2015 about the “right” way to do a cloud migration and how you’ve applied those lessons since? 

• How are you approaching securing clouds differently in 2023 (vs the dark past of 2015)?

• What advice would you give your peers to get out of the “saying no” mentality and into a better collaborative mode? 

• On the topic of giving advice to people who haven’t asked for it, what advice would you give to teams who are stuck in 1990s thinking when it comes to lift and shifting their security technology stack to cloud? 

Resources:

• EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen!

• EP129 How CISO Cloud Dreams and Realities Collide

• EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen!

• EP11 Preparing for Cloud Migrations from a CISO Perspective, Part 2

• “How CISOs need to adapt their mental models for cloud security” blog

• “Superforecasting” book

• “American Generalship” book

Guest: 

• Andrew Hoying, Senior Security Engineering Manager @ Google

Topics:

• What is different about system hardening today vs 20 years ago? 

• Also, what is special about hardening systems at Google massive scale?

• Can I just apply CIS templates and be done with it?

• Part of hardening has to be following up with developers after they have un-hardened things – how do we operationalize that at scale without getting too much in the way of productivity?

• A part of hardening has got to be responding to new regulation and compliance regimes, how do you incorporate new controls and stay responsive to the changing world around us?

• Are there cases where we have taken lessons from hardening at scale and converted those into product improvements?

• What metrics do you track to keep your teams moving, and what metrics do your leads look at to understand how you’re doing? [Spoiler: the answer here is VERY fun!]

Resources:

• “Why Shared Fate is a Better Way to Manage Cloud Risk” article (and this too)

• CIS for GCP

• GCP IAM Deny

• CloudSecList by Marco Lancini

Guest:

• Chris Corde, Sr Director of Product Management - Security Operations, Google Cloud

Topics:

• You cover many products, but let’s focus on Chronicle today. An easy question: Chronicle isn’t an XDR, so what is it?

• Since you’ve joined the team, what’re you most proud of shipping to clients?

• Could you share more about the Mandiant acquisition,  what’s been a happy surprise and what are you looking forward to making available to customers?

• Some believe that good security operations success is mostly about process, yet we are also building these amazing products. What is your view of how much security ops success hinges on products vs practices?

• When it comes to building out Chronicle’s position in the market, how are we leveraging the depth of expertise that people have with other SIEM tools compared to ours?

• What advice do you have for security professionals who want to transition into product management? 

Resources:

• EP44 Evolving a SIEM for the Future While Learning from the Past

• EP82 Mega-confused by XDR? You Are Not Alone! This XDR Skeptic Clarifies!

Guest:

• Rosemary Wang, Developer Advocate at HashiCorp

 Topics:

• Could you give us a 2 minute picture on what Terraform is, what stages of the cloud lifecycle it is relevant for, and how it intersects with security teams?

• How can Terraform be used for security automation? How should security teams work with DevOps teams to use it?

• What are some of the obvious and not so obvious security challenges of using Terraform?

• How can security best practices be applied to infrastructure instantiated via Terraform?

• What is the relationship between Terraform and policy as code (PaC)?

• How do you get started with all this?

• What do you tell the security teams who want to do cloud security the “old way” and not the cloud-native way?

 Resources:

• Video (LinkedIn, YouTube)

• “EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?”

• Policy as Code with HashiCorp Sentinel or Open Policy Agent (OPA) for Terraform

• “Terraform Cloud adds Vault-backed dynamic credentials” blog

• Google Cloud Provider for Terraform

• Security & Authentication Providers for Terraform

• “Sloth’s Guide to Mindfulness” book

Guests: 

• no guests, all banter, all very fun :-)

Topics:

• How is Google Next this year? What is new in cloud security?

• Is Google finally a security vendor?

• What are some of the fun security presentations we've seen, including our own?

• Any impactful launches in security?

• What was the most interesting overall?

• “Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?” (ep136)

• “RSA 2023 - What We Saw, What We Learned, and What We're Excited About” (ep119)

• “Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?” (ep67)

• “Detecting, investigating, and responding to threats in your Google Cloud environment” at Cloud Next 2023 by Anton

• “Prevent cloud compromises: Learn how Uber discovers cyber risks and remediates threats” at Cloud Next 2023 by Tim

• “Generative AI for defenders with Sec-PaLM 2 and Duet AI” at Cloud Next 2023 by Eric Doerr (his episode)

• “A blueprint for modern security operations” at Cloud Next 2023 by our future guest, Chris…

• Kevin Mandia at Next keynote (start at 1:15:00)

• “New AI capabilities that can help address your security challenges” blog

Guest: 

• Eric Doerr, VP of Engineering, Google Cloud Security

 Topics:

• You have a Next presentation on AI, what is the most exciting part for you?

• We care both about securing AI and using AI for security. How do you organize your thinking about it?

• Executive surveys imply that trusting an AI (for business) is still an issue. How can we trust AI for security? What does it mean to “trust AI” in this context? 

• How should defenders think about threat modeling AI systems? 

• Back to using AI for security, what are the absolute worst security use cases for GenAI? Think “generate code and run it on prod” or something like that?

• What does it mean to “teach AI security” like we did with Sec-PALM2? What is actually involved in this?

• What were some surprising challenges we ran into here?

 Resources:

• “Generative AI for defenders with Sec-PaLM 2 and Duet AI” presentation at Google Cloud Next 2023

• “The Prompt: What to think about when you’re thinking about securing AI” and a new paper on securing AI

• “AI and Security: The Good, the Bad, and the Magical” (ep135)

• Monitor and secure Vertex AI

• “Introducing Google’s Secure AI Framework” blog

• “Project Hail Mary” book

Guest:

• Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud

Topics:

• Why is AI a game-changer for security? Can we even have game-changers in cyber security?

• Is it more detection or is it more reducing toil and making humans more productuve? What are you favorite AI for security use cases?

• What “AI + security” issue makes you  - a classic CISO question  here - lose sleep at night?

• Does AI help defenders or attackers more? Won’t attackers adopt faster because they don’t have as many rules (but yes, they have bosses and budgets too)? 

• Aren’t there cases where defenders benefit a lot more and gain a superpower with AI while attackers are faced with defeat?

• Is securing AI more similar or more different from securing other enterprise systems?

• Does shared fate apply to AI?

 Resources:

• “Securing AI: Similar or Different?” paper by Office of the CISO at Google Cloud

• “Secure AI Framework Approach" 

• Supercharge security with AI

• Board of Directors Insights Hub

• “Lessons from the future: Why shared fate shows us a better cloud roadmap” blog

• “Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security” (ep47)

• “Securing Multi-Cloud from a CISO Perspective, Part 3” (ep22)

• “Google Cybersecurity Action Team: What's the Story?” (ep37)

• “Google Cybersecurity Action Team: One Year Later!” (ep90)

Guest: 

• Steph Hay , Director of UX, Google Cloud Security

Topics:

• The importance of User Experience (UX) in security is so obvious – though it isn’t to a lot of people! Could we talk about the importance of UX in security?

• UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this?

• How do you think about prioritizing your team’s time between day zero vs day n experiences for users of security tools?

• Some say that cloud security should be invisible, but does this mean no UX at all? What are the intersections between UX for security and invisible security?

• Can you think of what single UX change in Cloud Security’s portfolio made the biggest impact to actual security outcomes? 

• We have this new tool/approach for planning called Jobs To Be Done (JTBD)  - give us the value, and the history? In the world of JTBD planning, what gets better?

Resources:

• JTBD Framework

• GCP IAM Recommender

• Recaptha Enterprise

Guest: 

• Steve McGhee, Reliability Advocate at Google Cloud 

• Aron Eidelman, Developer Relations Engineer at Google Cloud

Topics:

• What is the shared problem for SRE and security when it comes to alerting?

• Why is there reluctance to reduce noise?

• How do SREs, security practitioners, and other stakeholders define “incident” and “risk”?

• How does involving an “adversary” change the way people think about an incident, even if the impact is identical?

• Which SRE alerting lessons do NOT apply at all for security?

Resources:

• Video (LinkedIn, YouTube)

• “Deploy Security Capabilities at Scale: SRE Explains How” (ep85)

• Steve talk about probability and SLO math at SLOconf  

• Why Focus on Symptoms, Not Causes?

• Learning from incidents (LFI) science

• How to measure anything in cyber security risk book

• Security chaos engineering book

• The SRS Book Ch 1

• The SRE book Ch 4 

Guest:

• Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly

Topics:

•  So what is Security Chaos Engineering?

• “Chapter 5. Operating and Observing” is Anton’s favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection?

• How chaos engineering (or is it really about software resilience?)  intersects with Cloud security - is this peanut butter and chocolate or more like peanut butter and pickles?

• How can organizations get started with chaos engineering for software resilience and security?

• What is your favorite chaos engineering experiment that you have ever done?

• We often talk about using the SRE lessons for security, and yet many organizations do security the 1990s way. Are there ways to use chaos engineering as a forcing function to break people out of their 1990s thinking and time warp them to 2023?

Resources:

• Video (LinkedIn, YouTube)

• “Security Chaos Engineering: Sustaining Resilience in Software and Systems” by Kelly Shortridge, Aaron Rinehart

• “Cybersecurity Myths and Misconceptions” book

• “Designing Data-Intensive Applications: The Big Ideas Behind Reliable, Scalable, and Maintainable Systems“ book

• “Normal Accidents: Living with High-Risk Technologies” book

• “Deploy Security Capabilities at Scale: SRE Explains How” (ep85)

• “The Good, the Bad, and the Epic of Threat Detection at Scale with Panther” (ep123)

• “Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?” (ep117)

• IKEA Effect

• “Modernizing SOC ... Introducing Autonomic Security Operations” blog

Guests:

• Himanshu Khurana, Engineering Manager, Google Cloud

• Rahul Gupta, Product Manager for Assured OSS, Google Cloud

Topics:

• For the software you’re supporting in Assured Open Source your team discovered 50% of the CVEs reported in them this year. How did that happen? 

• So what is Assured Open Source?

• Do we really guarantee its security? What does “guarantee” here mean?

• What’re users actually paying for here?

• What’s the Google magic here and why are we doing this? 

• Do we really audit all code and fuzz for security issues?

• What’s a supply chain attack and then we’ll talk about how this is plugging into those gaps?

 Resources:

• Assured Open Source Software page

• “SBOMs: A Step Towards a More Secure Software Supply Chain” (ep116)

• “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24)

• SLSA.dev blog

• Open Source Security Podcast

• Mandiant M-Trends 2023

Guest: 

• Steve Riley, Field CTO, Netskope, ex-Gartner Research VP

Topics:

• Analysts (well, like Steve and Anton in the past?) say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this today?
• When clients hear “use cloud securely”, what do you think comes to their minds?
• How would you approach planning for secure use of the cloud or using cloud securely?
• What is your view of cloud defense in depth (DiD) or layered defenses? How do you suggest clients think about it? What about DiD for SaaS?
• What are your thoughts on the evolution of zero trust? How has it changed since its introduction back in 2010?
• Awareness of and interest in SSE and SASE is growing. But at the same time, plenty of folks seem deeply perplexed by these. How would you explain them to someone not deeply immersed in the details? 

Resources:

• Video (LinkedIn, YouTube)
• Bruce Schneier books
• Netskope blog
• “Deploy Security Capabilities at Scale: SRE Explains How” (ep85)
• “Zero Trust: Fast Forward from 2010 to 2021” (ep8)
• “Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?” (ep76)
• “How to Approach Cloud in a Cloudy Way, not As Somebody Else’s Computer?” (ep115)
• "Use Cloud Securely? What Does This Even Mean?!"
• "How to Solve the Mystery of Cloud Defense in Depth?"

Guest:

• Rick Doten, VP, Information Security at Centene Corporation, CISO Carolina Complete Health

 Topics: 

• What are the realistic cloud risks today for an organization using public cloud? 

• Is the vendor lock-in on that list?  What other risks everybody thinks are real, but they are not?

• What do you tell people who in 2023 still think “they can host Exchange better themselves” and have silly cloud fears?

• What do you tell people who insist on “copy/pasting” all their security technology stack from data centers to the cloud?

• Cloud providers have greater opportunity not only to see issues, but to learn how to react well. Do you think this argument holds water? 

• What are the most challenging security issues for multi-cloud and hybrid cloud security?

• How does security chasm (between security haves and have-notes) affect cloud security?

• Your best cloud security advice for an organization with a security team of 0 FTEs and no CISO?

 Resources:

• Video (LinkedIn, YouTube)

• Rick Doten on YouTube

• Defining Cloud Security by Rick Doten

• Cloud Security Alliance materials

• Mandiant M-Trends 2023

Guest: 

• John Doyle, Principle Intelligence Enablement Consultant at Mandiant / Google Cloud

 Topics:

• You have created a new intelligence class focused on building enterprise threat intelligence capability, so what is the profile of an organization and profile for a person that benefits the most from the class?

• There are many places to learn threat intel (TI), what is special about your new class? 

• You talk about country cyber operations in the class, so what is the defender - relevant difference between, say, DPRK and Iran cyber doctrines? More generally, how do defenders benefit from such per country intel?

• Can you really predict what the state-affiliated attackers would do to your organization based on the country doctrine?

• In many minds, TI is connected to attribution. What is your best advice on attribution to CISOs of well-resourced organizations? What about mainstream organizations?

• Overall we see a lot of organizations still failing to operationalize TI, especially strategic TI, how does this help them?

Resources:

• The new class “Inside the Mind of APT”

• “Navigating Tradeoffs of Attribution” paper

• Sands Casino hack 2014

• "Threat Horizons - How Google Does Threat Intelligence" (ep112)

Guest:

• Ian Glazer, founder at Weave Identity, ex-Gartner, ex-SVP of Products at Salesforce, co-founder of IDPro

Topics:

• OK, tell us why Identity and Access Management (IAM) is exciting (is it exciting?)

• Could you also explain why IAM is even more exciting in the cloud? 

• Are you really “one IAM mistake away from a breach” in the cloud? 

• What advice would you give to someone new to IAM?

• How to not just “learn IAM in the cloud” but to keep learning IAM?

• Is what I know about IAM in AWS the same as knowing IAM for GCP? What advice do you have for teams operating in a multi-cloud world?

• What are the top cloud IAM mistakes? How to avoid them?

Resources:

• Video (LinkedIn, YouTube)

• IDPro association and BoK

• SCIM v2 standard

• EP60 Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM?

• EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?

• EP94 Meet Cloud Security Acronyms with Anna Belak

Guests: 

• Dominik Richter, the founder and head of product at Mondoo

Cooked questions:

• What is a policy, is that the same as a control, or is there a difference? And what’s the gap between a policy and a guardrail? 

• We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud?

• Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now?

• Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams?

• How do organizations grow into safely rolling out new policy as code code? 

• You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance"  and this problem has been unsolved for as long as the cloud existed. Will your toolset change this? 

• There are other frameworks that exist for security testing like HashiCorp’s sentinel, Open Policy Agent, etc and you are proposing a new one with MQL. Why do we need another security framework?

• What are some of the success metrics when adopting  Policy as Code? 

Resources:

• Live video (LinkedIn, YouTube)
• “Why Infrastructure as Code Is Setting You up to Make Bad Things Faster” blog

Guest:

• David Swift, Security Strategist at Netenrich

Topics:

• Which old Security Information and Event Management (SIEM) lessons apply today?

• Which old SIEM lessons absolutely do not apply today and will harm you?

• What are the benefits and costs of SIEM in 2023?

• What are the top cloud security use cases for SIEM in 2023?

• What are your favorite challenges with SIEM in 2023 special in the cloud? Are they different from, say, 2013 or perhaps 2003?

• Do you think SIEM can ever die?  

Resources:

• Live video (LinkedIn, YouTube)

• “Debating SIEM in 2023, Part 1” and  “Debating SIEM in 2023, Part 2” blogs

• “Detection as Code? No, Detection as COOKING!” blog

• “A Process for Continuous Security Improvement Using Log Analysis” (old but good)

• “UEBA, It's Just a Use Case” blog

• “Situational Awareness Is Key to Faster, Better Threat Detection” blog and other SIEM reading

• MITRE 15 detection techniques paper

Guest:

• Panos Mavrommatis, Senior Engineering Director at Google Cloud

Topics:

• Could you give us the 30 second overview of our favorite “billion user security product” - SafeBrowsing - and, since you were there, how did it get started?

• SafeBrowsing is a consumer and business product – are you mitigating the same threats and threat models on each side?

• Making this work at scale can’t be easy, anytime we’re talking about billion device protection, there are massive scale questions. How did we make it work at such a scale? 

• Talk to us about the engineering and scaling magic behind the low false positive rate for blocking?

Resources:

• “Foundryside” book

Guest:

• Jack Naglieri, Founder and CEO at Panther

Topics:

• What is good detection, defined at micro-level for a rule or a piece of detection content? 

• What is good detection, defined at macro-level for a program at a company? 

• How to reliably produce good detection content at scale?

• What is a detection content lifecycle that reliably produces good detections at scale?

• What is the purpose of a SIEM today?

• Where do you stand on a classic debate on vendor-written vs customer-created detection content?

Resources:

• “Essentialism” book

• “The 5 AM Club”  book

• “Good to Great” book 

• “Why Is Threat Detection Hard” blog

• “Think Like a Detection Engineer, Pt. 2: Rule Writing” blog

• “Detection as Code? No, Detection as COOKING!”  blog

• Open Cybersecurity Schema Framework (OCSF)

Guest:

• Michele Chubirka, Senior Cloud Security Advocate, Google Cloud

Topics:

• So, if somebody wakes you up at 3AM (“Anton’s 3AM test”) and asks “Do we need firewalls in the cloud?” what would you say?

• Firewalls (=virtual appliances in the cloud or routing cloud traffic through physical firewalls) vs firewalling (=controlling network access) in the cloud, do they match the cloud-native realities?

• How do you implement trust boundaries for access control with cloud-native options?

• Can you imagine a modern cloud native security architecture that includes a firewall?

• Can you imagine a modern cloud native security architecture that excludes any firewalling? 

• Firewall, NIDS, NIPS, NGFW …. How do these other concepts map to the cloud? How do you build a "traditional-like" network visibility layer in the cloud (and do we need to)?

Resources:

• Video version of this episode: LinkedIn or YouTube

• “Security Architect View: Cloud Migration Successes, Failures and Lessons” (ep105)

• “Love it or Hate it, Network Security is Coming to the Cloud” with Martin Roesch (ep113)

• Gartner Bimodal IT definition

• Ross Anderson “Security Engineering” book

• The New Stack blog

• Trireme tool

• CNCF site security landscape

• Google Cloud Firewall

Guests: 

• Nelly Porter, Group Product Manager, Google Cloud

• Rene Kolga, Senior Product Manager, Google Cloud

Topics:

• Could you remind our listeners what confidential computing is?

• What threats does this stop? Are these common at our clients? 

• Are there other use cases for this technology like compliance or sovereignty?

• We have a new addition to our Confidential Computing family - Confidential Space. Could you tell us how it came about?

• What new use cases does this bring for clients?

Resources:

• “Confidentially Speaking” (ep1)

• “Confidentially Speaking 2: Cloudful of Secrets” (ep48)

• “Introducing Confidential Space to help unlock the value of secure data collaboration”

• Confidential Space security overview

• “The Is How They Tell Me The World Ends” by Nicole Perlroth

• NIST 800-233 “High-Performance Computing (HPC) Security: Architecture, Threat Analysis, and Security Posture”

Guest:

• Jeff Reed, VP of Product,  Cloud Security @ Google Cloud

Topics:

• You’ve had a long career in software and security, what brought you to Google Cloud Security for this role?

• How do you balance the needs of huge global financials that often ask for esoteric controls (say EKM with KAJ) vs the needs of SMBs that want easy yet effective, invisibility security?

• We’ve got an interesting split within our security business: some of our focus is on making Google Cloud more secure, while some of our focus is on selling security products.  How are you thinking about the strategy and allocation between these functions for business growth?

• What aspects of Cloud security have you seen cloud customers struggle with the most?

• What’s been the most surprising or unexpected security challenge you’ve seen with our users?

• “Google named a Leader in Forrester Wave™ IaaS Platform Native Security” - can you share a little bit about how this came to be and what was involved in this?

• Is cloud migration a risk reduction move?

 Resources:

• “Google named a Leader in Forrester Wave™ IaaS Platform Native Security”

• “Sunil Potti on Building Cloud Security at Google” (ep102)

• Books by Haruki Murakami

• We are hiring product managers!

Guest:

• Connie Fan, Senior Product and Business Strategy Lead, Google Cloud

Topics:

• We were at RSA 2023, what did we see that was notable and surprising?

• Cloud security showed up with three startups with big booths, and one big player with a small demo station. What have we learned here?

• What visitors might have seen at the Google Cloud booth that we're really excited about?

• Could you share why we chose these two AI cases - generation of code and summarization of complex content - out of all the possibilities and the sometimes zany things we saw elsewhere on the floor?

• Could you share a story or two that highlights how we came to this AI launch and what it looked like under the surface? 

Resources:

• “RSA 2023 - How to Protect Your Organization from Cyberattacks in Time of Political Turmoil” (ep118)

• “RSA 2022 Reflections - Securing the Past vs Securing the Future” (ep70)

• “How We Attack AI? Learn More at Our RSA Panel!” (ep68)

• “Security Operations, Reliability, and Securing Google with Heather Adkins” (ep20)

Guests:  

• Shanyn Ronis, Head of the Mandiant Communication Center

• John Miller,   Head of Mandiant Intelligence Analysis

Topics:

• It seems like we’re seeing more cyber activity taking place in the context of geopolitical events. A lot of organizations struggle to figure out if/how to respond to these events and any related cyber activity.  What advice do you have for these organizations and their leadership?

• A  lot of threat intel (TI) suffers from “What does this event mean for threats to our organization?” - sort of how to connect CNN to your IDS? What is your best advice on this to a CISO? 

• TI also suffers from “1. Get TI 2. ??? 3. Profit!” - how does your model help organizations avoid this trap? 

• Surely there are different levels of granularity here to TI and its relevance. Is what a CISO needs different from what an IR member needs? Do you differentiate your feed along those axes?

• What does success look like? How will organizations know when they’re successful? What are good KPIs for these types of threat intelligence? In other words, how would customers know they benefit from it?

• Is there anything unique that cloud providers can do in this process?

Resources:

• RSA 2023 Session “Intelligently Managing the Geopolitics and Security Interplay” on Wed Apr 26 9:40AM

• “Sandworm” by Andy Greenberg

• “Reading Mandiant M-Trends 2023”

Guest:

• Maxime Lamothe-Brassard,  Founder @ LimaCharlie

Topics:

• What does an engineering-centric approach to cybersecurity mean?

• What to tell people who want to "consume" rather than "engineer" security?

• Is “engineering-centric” approach the same as evidence-based or provable? 

• In practical terms, what does it mean to adopt an "engineering-centric approach" to cybersecurity for an organization? 

• How will it differ from what we have today? What will it enable?

• Can you practice this with a very small team? How about a very small team of “non engineers”?

• You seem to say that tomorrow's cybersecurity will look a lot like software engineering. Where do we draw the line between these two?

Resources:

• Atomic Red Team

• Sigma rules/content

• LimaCharlie blog

• 8 Megatrends drive cloud adoption—and improve security for all

• The Cybersecurity Defenders Podcast

Guest:

• Isaac Hepworth, PM focused on Software Supply Chain Security @ Google

Cooked questions:

• Why is everyone talking about SBOMs all of a sudden? Why does this matter to a typical security leader?
• Some software vendors don’t want SBOM, and this reminds us of the food safety rules debates in the past, how does this analogy work here?
• One interesting challenge in the world of SBOMs and unintended consequences is that large well resourced organizations may be better equipped to produce SBOMs than small independent and open source projects. Is that a risk?
• Is the SBOM requirement setting the government up to be overly reliant on megacorps and are we going to unintentionally ban open source from the government? 
• What is the relationship between SBOM and software liability? Is SBOM a step to this? Won’t software liability kill open source?
• How does Google prepare for EO internally; how do we use SBOM and other related tools?
• To come back to the food analogy, SBOMs are all well and good, but the goal is not that consumers know they’re eating lead, but rather that our food becomes healthier. Where are we heading in the next five years to improve software supply chain "health and safety"?

Resources:

• Full video of this episode (YouTube / LinkedIn)
• “Executive Order on Improving the Nation’s Cybersecurity”
• “M-22-18 Memorandum For The Heads of Executive Departments and Agencies“
• SLSA.dev 
• “How to SLSA Part 3 - Putting it all together”
• Assured Open Source Software
• NIST Secure Software Development Framework (SSDF)
• “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24)
• “2022 Accelerate State of DevOps Report and Software Supply Chain Security” (ep100)

Guest: 

• Rafal Los, Head of Services Strategy @ Extrahop and Founder of Down the Security Rabbit Hole podcast

Topics:

• You had a very fun blog where you reminded the world that many organizations still approach cloud as a rented data center, do you still see it now? Do you think this will persist for 3, 5, 10 years?

• Other than microservices, what’re the most important differences between public cloud and a rented data center for a CISO to keep in mind?

• Analysts say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this? 

• Actually, how do you define “use cloud securely”?

• Have you met any CISOs who are active cloud fans who prefer cloud for security reasons?

• You also work for an NDR vendor, do you think NDR in the cloud has a future? 

Resources:

• Full video of this episode (YouTube / LinkedIn)

• Down the Security Rabbithole Podcast (DtSR) podcast

• “A Little Truth About the Cloud”

• “Megatrends drive cloud adoption—and improve security for all”

• “CISO Walks Into the Cloud: And The Magic Starts to Happen!” (ep104)

• “Threat Models and Cloud Security” (ep12)

• “Security Architect View: Cloud Migration Successes, Failures and Lessons” (ep105) 

• “Patrolling Cyberspace” book (2006)

Guest:

• Chris John Riley, Senior Security Engineer and a Technical Debt Corrector  @ Google

 Topics:

• We’ve heard of MVP, what is MVSP or Minimal Viable Secure Product?

• What problem is MVSP trying to solve for the industry, community, planet, etc?

• How does MVSP actually help anybody?

• Who is the MVSP checklist for? Leaders or engineers?

• How does MVSP differ from compliance standards like ISO 27001, or even SOC 2?

• How does Google use MVSP? Has it improved our security in some way?

• How to balance the dynamic nature of security with minimal security basics?

• The working group has recently completed a control refresh for 2022, what are some highlights?

 Resources:

• Mvsp.dev 

• SLSA Levels

• MVSP (Minimum Viable Secure Product) Compliance

• “Phantoms in the Brain” book

• ”Strengthen Basic Security Hygiene With a Two-Pronged Security Architecture Approach”

• FIRST Impressions podcast

Guest: 

• Martin Roesch, CEO at Netography, creator of Snort

Topics:

• What is the role of network security in the public cloud? Networks used to be the perimeter, now we have an API and identity driven perimeter. Are networks still relevant as a layer of defense?

• We often joke that “you don’t need to get your firewalls with you to the cloud”, is this really true? How do you do network access control if not with firewalls?

• What about the NIDS? Does NIDS have a place in the cloud?

• So we agree that some network security things drop off in the cloud, but are there new network security threats and challenges?

• There’s cloud architecture and then there’s multi cloud and hybrid architectures–how does this story change if we open the aperture to network security for multi cloud and hybrid? 

• Should solutions that provide cloud network security be in the cloud themselves? Is this an obvious question?

Resources:

• Book “Who: The A Method for Hiring” by Geoff Smart, Randy Street

• Netography resources

• Snort

• ““Hacking Google”, Op Aurora and Insider Threat at Google” (ep91)

• “Zero Trust: Fast Forward from 2010 to 2021” (ep8)

• “Gathering Data for Zero Trust” (ep4)

Guest: 

• Charles DeBeck, Cyber Threat Intel Expert @ Google Cloud

Topics:

• What is unique about Google Cloud approach to threat intelligence? Is it the sensor coverage? Size of the team? Other things?

• Why is Threat Horizons report unique among the threat reports released by other organizations?

• Based on your research, what are the realistic threats to cloud environments today?

• What threats are prevalent and what threats are most damaging?

• Where do you see things in 2023? What should companies look for? 

• What’s one thing that surprised you when preparing the report? What do you think will surprise audiences?

• What is the most counter-intuitive hardening and operational advice can we glean from this Threat Horizons report? 

• What's most important to know when it comes to understanding OT and cloud?

Resources:

• Google Threat Horizons Reports One, Two, Three, Four, Five

• “Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity”

• Corey Quinn on cloud billing alerts

Guest: 

• Brandon Evans, Infosec Consultant and Certified Instructor and Course Author at SANS

Topics:

• What got you interested in security and motivated you to make this your area of focus? You came from a developer background, right?

• Occasionally, we hear the sentiment that “developers don’t care about security,” how would you counter it (and would you?)?

• How do we encourage developers and operations to use the appropriate security controls and settings in the cloud? Is “encourage” the right word?

• Can we really do “secure by default” but for developers?

• What do you think are the main application security issues that developers need to deal with in the cloud?

• You mentioned software supply chain security, do you treat this as a part of application security? How important is this, realistically, for an average organization and its developers?

• Going to our favorite subject of threat detection, how do you think we can better encourage developers to supply the logs necessary for our detection and response teams to act upon?

Resources:

• “Cloud Security: Making Cloud Environments a Safer Place” ebook by SANS

• SANS.org/cloud site

• “The Phoenix Project” book by Gene Kim et al

• “The Unicorn Project” book by Gene Kim

• “Next Special - Log4j Reflections, Software Dependencies and Open Source Security” (EP87)

• “2022 Accelerate State of DevOps Report and Software Supply Chain Security” (EP100)

• “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (EP24)

Guest: 

• David Seidman, Head of Detection and Response @ Robinhood

Toipics:

• Tell us about joining Robinhood and prioritizing focus areas for detection in your environment?

• Tim and Anton argue a lot about what kind of detection is best - fully bespoke and homemade, or scalable off-the-shelf. First, does our framework here make sense, and second, looking at your suite of detection capabilities, how have you chosen to prioritize detection development and detection triage?

• You're operating in AWS: there are a lot of vendors doing detection in AWS, including AWS themselves. How have you thought about choosing your detection approaches and data sources?

• Finding people with as much cloud expertise as you can't be easy: how are you structuring your organization to succeed despite cloud detection and response talent being hard to find? What matters more: detection skills or cloud skills?

• What has been effective in ramping up your D&R team in the cloud?

• What are your favorite data sources for detection in the cloud?

Resources:

• “Detection as Code? No, Detection as COOKING!”

• “On Threat Detection Uncertainty”

• “Radical Candor” by Kim Scott

• “Daring Greatly” by Brene Brown

• “Extreme Ownership” by Jocko Willink

• “Drive” by Daniel Pink

Guest: 

• Ana Oprea, Staff Security Engineer, European Lead of Vulnerability Coordination Center @ Google

Topics:

• What is the scope for the vulnerability management program at Google? Does it cover  OS, off-the-shelf applications, custom code we wrote … or all of the above?

• Our vulnerability prioritization includes a process called “impact assessment.” What does our impact assessment for a vulnerability look like?

• How do we prioritize what to remediate? How do we decide on the speed of remediation needed?

• How do we know if we’ve done a good job? When we look backwards, what are our critical metrics (SLIs and SLOs) and how high up the security stack is the reporting on our progress?

• What of the “Google Approach” should other companies not try to emulate? Surely some things work because of Google being Google, so what are the weird or surprising things that only work for us?

Resources:

• SRS Book, Chapter 20: Understanding Roles and Responsibilities and Chapter 21: Building a Culture of Security and Reliability 

• Why Google Stores Billions of Lines of Code in a Single Repository 

• SRE book and SRE Workbook

• “How Google Secures It's Google Cloud Usage at Massive Scale” (ep107)

• “Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance” (ep66)

• “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75)

Guest: 

• John Stoner, Principal Security Strategist @ Google Cloud

Topics:

• Please define threat hunting  for us quickly, the term has been corrupted a bit

• What are your favorite beginner hunts to jump start the effort at a new team?

• How to incorporate hunting lessons in detection?

• What are the differences for hunting in the cloud?

• Are there specific data sources you prefer to have access to when threat hunting? In the cloud?

• Should every organization threat hunt?

• What are traits you might look for in a threat hunter?

Resources:

• “The Who, What, Where, When, Why and How of Effective Threat Hunting”

• Awesome Threat Detection and Hunting 

• “My “Aha!” Moment - Methods, Tips, & Lessons Learned in Threat Hunting” video

• NIST Computer Security Incident Handling Guide 800-61

• “Threat Hunting Is Not for Everyone” (2020)

• “Formulating An Intelligence-Driven Threat Hunting Methodology”  video

Guest:

• Karan Dwivedi, Security Engineering Manager, Enterprise Infrastructure Protection @ Google Cloud

Topics:

• Google’s use of Google Cloud is a massive cloud environment with wildly diverse use cases. Could you share, for our listeners, a few examples of the different kinds of things we’re running in GCP?
• Given that we’re doing these wildly different things in GCP, how do we think about scaling the right security guardrails to the right places in our GCP org?
• How do you work with application engineering teams and project owner teams to make sure the right controls are there but not getting in the way of business? 
• How do we scale this exemption management process? Are there things we do here that don’t make sense at a smaller scale? Are there emergent challenges that only we would face?
• How do you correctly federate security responsibilities between the central team defining policy and the constituent user teams actually using the platform?
• Burnout is a perennial challenge for security teams–what’re you doing to keep your people happy and engaged?

Resources:

• “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75)
• ““Hacking Google”, Op Aurora and Insider Threat at Google” (ep91)
• Google Cloud security foundations guide

Guest:

• Anoosh Saboori, former Product Manager at Google Cloud

Topics:

• We had zero trust episodes before and definitions vary! When we say zero trust, what do we mean?  
• What about zero trust for workloads in production? When you say “workload,” what do you mean?
• What is BeyondProd, for those that are unfamiliar with it? And how is this different from BeyondCorp? 
• How has BeyondProd actually been implemented at Google?  
• What threats does it help with? Is this real threats or compliance?
• Why is now a good time to be thinking about zero trust for production systems? 
• Companies have many security tools deployed, including microsegmentation and firewalls, how does this toolset fit? Does it replace anything they have deployed?

Resources:

• BeyondProd papers
• “Zero Trust: Fast Forward from 2010 to 2021” (ep8)
• “Gathering Data for Zero Trust” (ep4)
• “Google Workspace Security: from Threats to Zero Trust” (ep99)
• “Zero Trust: So Easy Even a Government Can Do It?” (ep59)
• “Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance” (ep66)

Guest:

• Michele Chubirka, Senior Cloud Security Advocate, Google Cloud

Topics:

• We are here to talk about cloud migrations and we are here to talk about failures. What are your favorites?
• What are your favorite cloud security process failures? 
• What are your favorite cloud security technical failures? 
• What are your favorite cloud security container and k8s failures?
• Is "lift and shift" always wrong from the security point of view? 
• Can it at least work as step 1 for a full cloud transformation?

 Resources:

• “Automate and/or Die?” (ep3)
• “More Cloud Migration Security Lessons” (ep18)
• “The Magic of Cloud Migration: Learn Security Lessons from the Field” (ep55)
• “Preparing for Cloud Migrations from a CISO Perspective, Part 1” (ep5)
• “Cloud Migrations: Security Perspectives from The Field”  (ep33)
• "Dune" by Frank Herbert
• "The Science of Organizational Change"  by Paul Gibbons 
• "Servant Leadership: A Journey into the Nature of Legitimate Power and Greatness"  by Robert K. Greenleaf
• "Finding the Sweet Spot for Change"
• State of Devops (DORA) Report 2022

Guest: 

• Gary Hayslip, CISO at Softbank

Topics: 

• "So we're talking about your journey as a CISO migrating to Cloud. Could you give us the 30 second overview of 
• What triggered your organization's migration to the cloud?
• When did you and the security organization get brought in?
• How did you plan your security  organization's journey to the cloud?
• Did you take going to cloud as an opportunity to change things beyond the tools you were using? 
• As you got going into the cloud, what was the hardest part for your organization?
• If that was hardest, what was most surprising? Good surprise and bad surprise?
• Let’s shift to some tactical gears:
• How did you design security controls for the cloud?
• Did your data security practice change?
• Did your detection  / response practice change?
• How has the CISO role evolved and is evolving due to the cloud?
• Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be?

Resources:

• “CISO Desk Reference Guide” book by Gary Hayslip
• “The Essential Guide to Cybersecurity for SMBs” book by Gary Hayslip
• “Develop Your Cybersecurity Career Path” book by Gary Hayslip

Guest:  

• Nader Zaveri, Senior Manager of IR and Remediation at Mandiant, now part of Google Cloud

Topics:

• Could we start with a story of a cloud incident response (IR) failure and where things went wrong? 
• What should that team have done to get it right? 
• Are there skills that matter more in cloud incidents than they do for on-prem incidents? Are there on-prem instincts that will lead incident responders astray in cloud?
• What 3 things an IR team leader needs to do to prepare his team for IR in the cloud?
• Are there on-premise tools that can stay on prem and not join us in the cloud?
• What processes should we leave behind? Keep with us?
• What logs and context should we prepare for cloud IR?  What access should we have behind “break glass”?
• While doing IR, what things should we look at in the cloud logs (which logs, also?) to expedite the investigation?

Resources:

• “How to Cloud IR or Why Attackers Become Cloud Native Faster?” (ep98)
• “How to prepare for detection & response in the cloud” Google Cloud Next 2022 presentation
• “Security Incident Response in the Cloud: A Few Ideas” blog
• GCP Cloud Logging
• “Security at Scale: Logging in AWS” paper
• “AWS Security Incident Response Whitepaper” paper

Guest: 

• Sunil Potti, VP / GM, Google Cloud

Topics:

• One of the biggest shifts we’ve noticed is the shift from building security because we think security is good, to building security as a business. How did you make that cultural shift happen in our organization? 
• With organizations migrating to cloud we have a set of tradeoffs between meeting security teams where they are with on-prem expectations of security vs cloud-native approaches. How do you think about investing in next generation products vs holding the hands of CISOs just stepping into the cloud?
• What matters more to you as a leader, secure cloud (GCP, Workspace) or security products (Chronicle SecOps, BCE, SCC, etc)?
• Is invisible security the same as “building security in”? Aren’t there security controls where the value is derived from them being visible to users?
• Mandiant brings services expertise to Google Cloud, typically not our strong area and not our DNA, how do we plan to make the most of Mandiant within Google’s culture?

Resources:

• Simon Sinek “Start With Why” book

Guest: 

• Jim Higgins, CISO at Snap,  former CISO at Square

Topics:

1. You were at Google for a long time, and at Google you sat between Google security and Cloud. Now that you're leading security for a major company, how are you prioritizing your focus between your on-premise resources and your cloud resources? 
2. How are you thinking about threat detection in the Cloud?
3. In detection, how has your technology changed? How has your process changed? What threats do you mostly focus on?
4. Why don’t we talk about the role of automation in detection and response (D&R)? How do you approach automation and eliminating toil?
5. As you're scaling teams, processes and technology for your cloud footprint, what has been easiest to get right and what's been hardest to get right?
6. How do you approach measuring security? What cloud metrics are you sharing upwards to your board?

Resources:

• BeyondCorp Enterprise
• “Ghost in the Wires: My Adventures as the World's Most Wanted Hacker” book

Guests:

• John Speed Meyers, Security Data Scientist, Chainguard
• Todd Kulesza, User Experience Researcher, Google

Topics:

• How did you get involved with this year’s Accelerate State of DevOps Report (DORA report)?
• So what is DORA and why did you decide to focus on supply chain security for the 2022 report?
• What are the big learnings from this year’s report?
• What’s the difference between SLSA and SSDF? Is one spicy and the other savory? How’re companies adopting these and how is adoption going? 
• Are there other areas that DevOps can be a contributor in the overall security landscape? 
• How can CISOs rope DevOps fully into their security gang?
• Operationally, how should security and developers and DevOps come together to keep vulnerabilities out in the first place?
• How should security and developers and DevOps come together to respond quickly to vulnerabilities when they’re discovered?
• How do security and developers and DevOps come together to prove to their auditors and customers that they’re doing a good job of the above?

Resources:

• 2022 Accelerate State of DevOps Report
• "New insights for defending the software supply chain" blog (and new report)
• SLSA.dev site
• Secure Software Development Framework at NIST
• “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24)
• “Sharing The Mic In Cyber with STMIC Hosts Lauren and Christina: Representation, Psychological Safety, Security” (ep92)
• Go vulncheck tool 
• “Reflections on Trusting Trust” paper  (1984)

Guests:

• Nikhil Sinha, Group Product Manager, Workspace Security
• Kelly Anderson, Product Marketing Manager, Workspace Security

Topics:

• We are talking about Google Workspace security today. What kinds of threats do we have to care about here?
• Are there compliance-related motivations for security here too? Is compliance in the cloud changing?
• How’s adoption of hardware keys for MFA going for your users, and how are you helping them? 
• Is phishing finally solved because of that? 
• Can you explain why hardware security FIDO/WebAuthn is such a step function compared to, say, RSA number generator tokens? 
• Have there been assumptions in the Workspace security model we had to change because of WFH? And what changes with RTO and permanent hybrid?

Resources:

• Google BeyondCorp Enterprise
• “Make zero trust a reality with Google Workspace security solutions” Next 2022 video
• “2021: Phishing is Solved?” (ep40)
• “Zero Trust: Fast Forward from 2010 to 2021” (ep8)

Guests:

• Matt Linton, Chaos Specialist @ Google
• John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud

Topics:

• Let’s talk about security incident response in the cloud.  Back in 2014 when I [Anton] first touched on this, the #1 challenge was getting the data to investigate as cloud providers had few logs available. What are the top 2022 cloud incident response challenges?
• Does cloud change the definition of a security incident? Is “exposed storage bucket” an incident? Is vulnerability an incident in the cloud?
• What should I have in my incident response plans for the cloud? Should I have a separate cloud IR plan?
• What is our advice on running incident response jointly with a CSP like us?
• How would 3rd party firms (like, well, Mandiant) work with a client and a CSP during an investigation?
• We all read the Threat Horizons reports, but can you remind us of the common causes for cloud incidents we observed recently? What goals do the attackers typically pursue there?

Resources:

• “Building Secure and Reliable Systems” book (especially ch 14-16, and ch17)
• Google Cybersecurity Action Team Threat Horizons Report #4 Is Out! (#3, #2, #1)
• “Incident Plan vs Incident Planning?” blog (2013)

Guest:

• Greg Sinclair, Security Engineer @ Google Cloud

Topics:

• Could you tell us a bit about your background and how you ended up here at Google? Also, tell us about your team here?
• We're very excited about the release of the CobaltStrike rules. Could you share more about what they are looking for and second why this is so valuable?
• How did CobaltStrike come to be so widely used by bad guys?
• When you were doing this research what was the most surprising thing you uncovered?
• Could you tell us about the coordinated disclosure aspects of this work?
• In the past you've contributed research to our Threat Horizons reports, could you tell us about that?

Resources:

• Making CobaltStike harder for threat actors to abuse blog
• CobaltStrike YARA-L rules
• CobaltStrike site
• “Cobalt Strike Usage Explodes Among Cybercrooks”
• Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!
• Detection as Code? No, Detection as COOKING!

Guest:

• Jeff Bollinger,  Director of Incident Response and Detection Engineering @ Linkedin 

Topics:

• Observability sounds cool (please define it for us BTW), but relating it to security has been “hand-wavy” at best. What is your opinion on the relevance of observability data for security use cases? What use cases are those, apart from saving the data for IR just in case?
• How can we best approach observability in the cloud, particularly around network communications, so that we improve security as a result?
• Are there other areas of cloud where observability might be more relevant? Does the massive shift to TLS 1.3 impact this?
• If the Internet is shifting towards an end-user/device centric model with everything as a service (SaaS), how does security monitoring even work anymore? 
• Does it mean the end of both endpoint and network eras and the arrival of the application security monitoring era?
• Can we do deep monitoring of complex applications and app clusters for abuse or should we just focus on identity and profiling?

Resources:

• “Instrumenting Modern Application Stack for Detection and Response” (ep34)
• “Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan” by Jeff Bollinger, Brandon Enright, Matthew Valites (book)
• RFC 7258  Pervasive Monitoring Is an Attack
• RFC 8890 Internet is for end users
• “(Re)building Threat Detection and Incident Response at LinkedIn”
• “Martian Chronicles“ by Ray Bradberry (because migrating to cloud is like flying to Mars)

Guests:

• Alijca Cade, Director, Financial Services, Office of the CISO, Google Cloud
• Ken Westin, Director, Security Strategy, Cybereason
• Robert Wallace, Senior Director, Mandiant, now Google Cloud

Topics:

• How are cloud environments attacked and compromised today? Is it still about the configuration mistakes?
• Do cryptominers represent a serious threat now that they are often mentioned as the most common threat in the cloud?
• Let’s look at another popular threat - ransomware or, broadly, RansomOps. Based on your research, what can we say about its likely future, especially in the cloud?
• Are we getting better with detection in the cloud and are we doing it fast enough?
• Is cloud security a misnomer? Attackers are out to get into an organization, and cloud or on-premise matters less here, right? What does it say about the interdependence of security, on and off cloud?

Resources:

• LIVE @ Security Talks: The Cloud Security Podcast at Cloud Security Talks Q3 2022
• Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!

Guest: 

• Dr Anna Belak, Director of Thought Leadership at Sysdig, former Gartner analyst

Questions:

• Analysts (and vendors) coined a log of “C-something acronyms” for cloud security, and two of the people on this episode were directly involved in some of them. What do you make of all the cloud security acronym proliferation?
• What is CSPM? What gets better when you deploy it?
• What is CWPP? Does anything get better when you deploy it?
• What is CNAPP? What gets better when you deploy it?
• What is CIEM, Anton’s least fave acronym?
• Now, what about CDR? 

Resources:

• Gartner acronym glossary
• “Container Security: The Past or The Future?” (ep54, with Anna as well)
• “Automate and/or Die?” (ep3)
• “Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM?” (ep60)
• “Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?” (ep76)
• “Does the World Need Cloud Detection and Response (CDR)?”
• “Announcing Virtual Machine Threat Detection now generally available to Cloud customers”
• Sysdig Threat Report Blog
• 2022 Sysdig Cloud-Native Threat Report 
• Anatomy of Cloud Attacks

Guest:

• Alicja Cade, Director for Financial Services, Office of the CISO, Google Cloud 

Topics:

• We are talking about your journey as a CISO migrating to the cloud. Could you give us the overview of …
• What triggered your organization's migration to the cloud? When did you and the security team get brought in?
• Did you take going to the cloud as an opportunity to change things beyond the tools you were using? 
• As you got going into the cloud, what was the hardest part for your organization?
• If that was hardest, what was most surprising? Good surprise and bad surprise?
• How did you design security controls for the cloud?
• How do you validate and verify security controls in the cloud?
• How did you keep both security practitioners and the rest of your IT teams from lift-and-shift thinking?
• Did your data security practice change?
• Having covered all that tactical terrain, one final strategic question: is moving to the cloud a net risk reduction? Can it be?

Resources:

• “CISO Walks Into the Cloud: Frustrations, Successes, Lessons ... And Does the Risk Change?” (ep80)
• “Visualizing Google Cloud: 101 Illustrated References for Cloud Engineers and Architects” by Priyanka Vergadia
• “Cyberpolitics in International Relations” book
• CSA CCM v4
• Cyber Risk Institute
• “Modernize Data Security with Autonomic Data Security Approach” (ep79) and the paper on autonomic data security.
• "Preparing for Cloud Migrations from a CISO Perspective, Part 1" (ep5)
• "Preparing for Cloud Migrations from a CISO Perspective, Part 2" (ep11)
• “How CISOs need to adapt their mental models for cloud security” blog

Guests:

• Lauren Zabierek (@lzxdc), Acting Executive Director of the Belfer Center at the Harvard Kennedy School
• Christina Morillo (@divinetechygirl), Principal Security Consultant at Trimark Security

Topics:

• We are so excited to have you on the show today talking about your awesome effort, Share The Mic in Cyber. I love that we are Sharing our Mic with you today. Could you please introduce yourself to our listeners?
• Let's talk about representation and what that means, and why it's especially relevant in cyber security? 
• Psychological safety is super important for so many reasons, including  in cyber. Could you share a definition of what it is, and why it is important? 
• Can we talk about how psychological safety and representation intersect? 
• Let’s bring things back to talk about the #ShareTheMicInCyber / #STMIC project. Could you tell us about one of your favorite things that's come from the project?  Any surprises? Lessons? Plans? Futures?
• How can our listeners help with #ShareTheMicInCyber? Where to learn more?

Resources:

• #ShareTheMicInCyber site and @ShareInCyber on social
• Lauren Zabierek (@lzxdc), #ShareTheMic in Cyber co-founder
• Camille Stewart Gloster (@camilleesq), #ShareTheMic in Cyber co-founder
• “Missing Diversity Hurts Your Security” (ep42)
• NEXT Special - Cloud Security and DEI: Being an Ally! (ep36)

Guest:

• Mike Sinno, Security Engineering Director, Detection and Response  @ Google

Topics:

• You recently were featured in “Hacking Google” videos, can you share a bit about this effort and what role you played?
• How long have you been at Google? What were you doing before, if you can remember after all your time here? What brought you to Google?
• We hear you now focus on insider threats. Insider threat is back in the news, do you find this surprising?
• A classic insider question is about “malicious vs well-meaning insiders" and which type is a bigger risk. What is your take here?
• Trust is the most important thing when people think about Google, we protect their correspondence, their photos, their private thoughts they search for. What role does detection and response play in protecting user trust?
• One fun thing about working at Google is our tech stack. Your team uses one of our favorite tools in the D&R org! Can you tell us about BrainAuth and how it finds useful things?
• We talked about Google D&R (ep 17 and ep 75) and the role of automation came up many times. And automation is a key topic for a lot of our cloud customers. What do you automate in your domain of D&R?

Resources:

• “Hacking Google” videos  (EP00 with Mike)
• The Secure Reliable Systems book
• The CERT Guide to Insider Threats book
• Common Sense Guide to Mitigating Insider Threats book
• Insider Threats (Cornell Studies in Security Affairs)
• Foreign Espionage in Cyberspace from the NCSC
• “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75)
• “Modern Threat Detection at Google” (ep17)

Guest:

• Phil Venables, Vice President and CISO at Google Cloud

Topics:

• Google Cybersecurity Action Team is your brainchild and it is 1 year old, what comes to mind first when we reflect on this anniversary?
• The team is primarily about helping clients with security, what did we learn doing this for a year?
• What challenges have we (Google Cybersecurity Action Team) faced in our first year?
• We released 4 Threat Horizons reports this year, what is the future for this research here?
• We often hear that in the cloud we need to move away from products towards solutions, how does that work in security?
• Your famous 8 megatrends post is several months old - any new thoughts or changes coming to this concept?
• Recently you had a very interesting blog “Crucial Questions from CISOs and Security Teams”, with a list of questions, can you share some of your thinking here?

Resources:

• Security at Google Cloud Next 2022
• Next Special - Log4j Reflections, Software Dependencies and Open Source Security
• Next Special - Improving Browser Security in the New Era of Work
• Next Special - Can We Escape Ransomware by Migrating to the Cloud?
• NEXT Special - Google Cybersecurity Action Team: What's the Story? (Next 2021 special episode)
• Modernizing SOC ... Introducing Autonomic Security Operations 
• How autonomic data security can help define cloud’s future
• Google Cloud Threat Horizons Report #1 #2 #3 #4
• 8 Megatrends drive cloud adoption—and improve security for all
• “Demystify Data Sovereignty and Sovereign Cloud Secrets at Google Cloud” (ep81)
• Crucial Questions from CISOs and Security Teams
• Google Cybersecurity Action Team

Guest:   

• Nelly Kassem, Security and Compliance Specialist @ Google Cloud

Topics:

• Why did ransomware attacks become so popular?
• What type of organizations are targeted by ransomware?  Do these affect mostly the organizations with sub-par security?
• Ransomware has been raging since 2015 and shows few signs of subsiding. Why are these attacks still successful? 
• Do we see ransomware in the cloud? 
• Does migrating to the cloud protect you from ransomware?
• Which of Google Cloud tools are useful to fight ransomware?

Resources:

• Security at Google Cloud Next 2022
• Next Special - Log4j Reflections, Software Dependencies and Open Source Security
• Next Special - Improving Browser Security in the New Era of Work
• “Future of EDR: Is It Reason-able to Suggest XDR?” (ep29)
• “2021: Phishing is Solved?” (ep40)
• Mandiant M-Trends 2022
• Google Cloud Threat Horizons Report #1 #2 #3 #4

Guest:

• Fletcher Oliver, Chrome Browser Customer Engineer, Google

Topics:

• What is browser security? Isn’t it just application security by another name? 
• Why is browser security more important now than ever? 
• Do we have statistical measures or data that tell us if we’re succeeding at browser security? Do we know if we’re doing a good job at making this better? 
• What are the components of modern browser security? 
• How does this work with an enterprise’s existing stack? 
• In fact, how does this work with the rest of Google’s tooling? 

Resources:

• Security at Google Cloud Next 2022
• NEXT Special - Log4j Reflections, Software Dependencies and Open Source Security
• Chrome releases blog
• Chrome Enterprise

Guest:

• Dr Nicky Ringland, Product Manager for Open Source Insights, Google

Topics:

• Let's talk Open Source Software - are all these dependencies dependable?
• Why was log4j such a big thing - at a whole ecosystem level?
• Was it actually a Java / Maven problem? Are other languages “better” or more secure?
• Is another log4j inevitable? What can organizations to minimise their own risks?

 Resources:

• Google Cloud Next 2022
• Open Source Insights at deps.dev
• Blog at blog.deps.dev with posts on Understanding the Impact of Apache Log4j Vulnerability and what happens After the Advisory
• Assured Open Source Software service

Guest:

• Thiébaut Meyer, Director at Office of the CISO, Google Cloud

Topics:

• Virtualization's arrival caused a major IT upheaval 20 years ago. What can we learn from that revolution for our current cloud transformation?
• We talk about our three legged security stool of people/process/technology. How do we balance the technical issues (new technology stack, etc.) with the new processes (agile, etc) and the skills?
• What are the cultural and people transformation differences between the virtualization and cloud revolutions?
• We do recall how PCI DSS was disrupted by virtualization.  So, how does regulation play into this change - back then and now with the cloud?
• How do we change the minds of regulators who still think that cloud is a risk to mitigate, rather than a way to mitigate others risks better?

Resources:

• “8 Megatrends drive cloud adoption—and improve security for all” blog
• “Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity”
• Transform with Google Cloud 
• Google Cybersecurity Action Team

Guest: 

• Steve McGhee, Reliability Advocate, Google Cloud

Topics:

• What can security teams  learn from the Site Reliability Engineering (SRE) art of rapid and safe deployment?
• Is this all about the process or do SREs possess some magical technology to do this?
• What is SRE approach to automation?
• What are the pillars / components of SRE approach to deployment?
• SRE is also about scaling. Some security teams have to manage 1000s of detection rules, how can this be done in a manner that does not conflict or cause other problems?

Resources:

• Google SRE book
• A companion Google SRE workbook
• “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75)
• “Achieving Autonomic Security Operations: Why metrics matter (but not how you think)” blog
• “Achieving Autonomic Security Operations: Reducing toil” blog.

Guest:

• Alex Polyakov, CEO of Adversa.ai

Topics:

• You did research by analyzing 2000 papers on AI attacks released in the previous decade. What are the main insights?
• How do you approach discovering the relevant threat models for various AI systems and scenarios? 
• Which threats are real today vs in a few years?
• What are the common attack vectors? What do you see in the field of supply chain attacks on AI, software supply, data?
• All these reported cyberphysical attacks on computer vision, how real are they, and what are the possible examples of exploitation? Are they a real danger to people?
• What are the main differences between protecting AI vs protecting traditional enterprise applications?
• Who should be responsible for Securing AI? What about for building trustworthy AI?
• Given that the machinery of AI is often opaque, how to go about discovering vulnerabilities? Is there responsible disclosure for AI vulnerabilities, such as in open-source models and in public APIs? 
• What should companies do first, when embarking on an AI security program? Who should have such a program?

Resources:

• “EP52 Securing AI with DeepMind CISO” (ep52)
• “EP68 How We Attack AI? Learn More at Our RSA Panel!” (ep68)
• Adversarial AI attacks work on Humans (!)
• “Maverick* Research: Your Smart Machine Has Been Conned! Now What?” (2015)
• “The Road to Secure and Trusted AI” by Adversa AI
• “Towards Trusted AI Week 37 – What are the security principles of AI and ML?” 
• Adversa AI blog
• AIAAIC Repository
• Machine Learning Security Evasion Competition at MLSec

Guest: 

• Badr Salmi, Product Manager for reCAPTCHA

Topics:

• What is reCAPTCHA? Aren’t you guys the super annoying 'click on the busses' thing?
• What is account defender? Why was this a natural next step for you?
• What are the actual threats that this handles - and handles well? Specific web attacks? Web fraud?
• Let’s talk about account fraud, what do these attacks look like and how do bad guys monetize today?
• What about payment fraud? Could you score a payment session as well as a login session risk, or is that different? 
• How does this work with multi factor authentication?

Recommended reading:

• “Code” book
• Recapcha page
• “Protect your users’ accounts with reCAPTCHA Enterprise’s account defender” blog
• “Double-clicking, but not on fire hydrants, with bot fighters” (ep19)

Guest:

• Dimitri McKay,  Principal Security Strategist @ Splunk

Topics:

• How do you define that "XDR thing" that you are so skeptical about?
• So within that definition of XDR, you think it’s not so great, why?
• If you have to argue pro-XDR, what would you say?
• Two main XDR camps are “XDR as EDR+” and “XDR as SIEM-”, which camp do you think is more right? Are both wrong?
• What approach do you think is more useful as a lens to understand the potential upsides/downsides of XDR?
• What about the cloud? "Cloud XDR" seems a bit illogical, but what do you think is the future of D&R in the cloud?

Resources:

• “Anton and The Great XDR Debate, Part 1”
• “Anton and The Great XDR Debate, Part 2”
• “Anton and The Great XDR Debate, Part 3”
• SURGe content on splunk blog
• “Today, You Really Want a SaaS SIEM!”
• Red Canary 2022 Threat Detection report
• Verizon DBIR 2022 report.

Guest: 

• Christopher “CJ” Johnson, retired Fire Chief, and Global Regulated Cloud Product Lead @ Google Cloud

Topics:

• In political science, they define sovereignty as a local monopoly on the legitimate use of force. Why are we talking about “sovereignty” in IT?
• What is a sovereign cloud?  How much of the term is marketing vs engineering?
• Who cares or should care about sovereign cloud?
• Is this about technical controls or paper/policy controls? Or both?
• What is the role for encryption and key management and key access justifications (like say Google Cloud EKM with KAJ) for sovereign cloud?
• Is sovereign cloud automatically more secure or at least has better data security?
• What threat models are considered for sovereign cloud technologies?

Resources:

• Google Cloud External Key Manager (EKM) 
• “Trust Google Cloud more with ubiquitous data encryption” blog
• “Software-Defined community cloud - a new way to “Government Cloud”” blog

Guest:

• David Stone,  Staff Consultant  at Office of the CISO, Google Cloud

Topics:

• Speaking as a former CISO, what triggered your organization migration to the cloud?
• When did you and the security organization get brought in?
• How did you plan your security organization journey to the cloud?
• Did you take going to Cloud as an opportunity to change things beyond the tools you were using? 
• As you got going into the cloud, what was the hardest part for your organization ?
• What was most surprising? Good surprise and bad surprise?
• How did you design security controls for the cloud?
• How do you validate and verify security controls in the cloud? 
• How did you incorporate your cloud environment into your SOC’s responsibility
• Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be?

Resources:

• “How CISOs need to adapt their mental models for cloud security”
• “Megatrends drive cloud adoption—and improve security for all”
• “EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security“ (ep47)
• “CISO’s Guide to Cloud Security Transformation“ paper [PDF]
• Google SRE book
• GCAT site

Guest: 

• John Stone,  Chaos Coordinator @ Office of the CISO, Google Cloud

Topics:

• So what is Autonomic Data Security, described in our just released paper? 
• What are some notorious data security issues today? Perhaps common data security mistakes security leaders commit?
• What never worked in data security, like say manual data classification?
• How should organizations think about securing the data they migrated and the data that was created in the cloud?
• Do you really believe the cloud can make data security better than data security in traditional environments?

Resources:

• “Modern Data Security: A path to autonomic data security” paper (NEW)
• “How autonomic data security can help define cloud’s future” blog
• “Megatrends drive cloud adoption—and improve security for all” blog
• “Modernizing SOC ... Introducing Autonomic Security Operations” blog
• “Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper
• “Zero Trust: Fast Forward from 2010 to 2021” (ep8)
• “Data Security in the Cloud” (ep2) and the resource.
• “Modern Data Security Approaches: Is Cloud More Secure?” (ep16)
• “Reflections on Trusting Trust” paper (1984).

Guest:

• Gorka Sadowski,  Chief Strategy Officer @ Exabeam

Topics:

• How do we get a legacy SOC team to think about the cloud?
• How to think about cloud threat detection, in general? What is different … threats, the environment, what else? What is the same? 
• How do we know which TTPs are relevant for the new environments? What to bring with us to the cloud?
• Do content/rules and detection engines need to be different to cover the cloud detection use cases?
• What cases are appropriate for machine learning (ML) in the cloud? Does cloud threats drive the need for new ML detections?

Resources:

• “11 Strategies of a World-Class Cybersecurity Operations Center” paper
• “Autonomic Security Operations: How to 10X Your SOC” paper
• “Indicators Of Compromise Vs. Tactics, Techniques, And Procedures” blog
• “How to Build and Operate a Modern Security Operations Center” (Gartner subscription required)
• “A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next” blog

Guest:

• Cyrus Robinson, SOC Director and IR Team lead at Ingalls Information Security

Topics:

• You’ve been using SOAR tools for years, so what do you think of the technology so far?
• What is driving SOAR adoption today? And what is inhibiting SOAR adoption?
• Realistically, how hard is SOAR to operationalize for a typical company?
• What are your favorite SOAR playbooks to start with?
• How to build, train and keep the SOAR team? Do they need to code to succeed?
• We like the SOAR maturity model approach. How would you imagine a SOAR adoption maturity model?
• How to implement SOAR from scratch in scaling operations? How to start? How to plan? How to not fail?

Resources:

• “A Simple SOAR Adoption Maturity Model” blog 
• “Planning Is Paramount When Adopting SOAR” blog
• Siemplify community version

Guest:

• Ben Johnson, CTO/co-founder @ Obsidian Security

Topics:

• Why is there so much attention lately on SaaS security? Doesn’t this area date back to 2015 or so?
• What do you see as the primary challenges in securing SaaS?
• What does a SaaS threat model look like? What are the top threats you see?
• CASB has been the fastest growing security market and it has grown into a broad platform and many assume that “securing SaaS = using CASB”, what are they missing?
• Where would another technology to secure SaaS fit architecturally, inline with CASB or as another API-based system?
• Securing IaaS spanned a robust ecosystem of vendors (CWPP, CSPM, now CNAPP) and many of these have ambitions for securing SaaS, thus clashing with CASB. Where do you fit in this battle?
• For a while, you were talking more about CDR - what is it and do we really need a separate CDR technology?

Resources:

• Obsidian Security blog and Resource Center
• Does the World Need Cloud Detection and Response (CDR)? blog
• Does the world need Cloud Detection and Response (CDR) as a new market segment? poll
• MITRE ATT&CK for SaaS matrix
• CISA SCUBA resource
• “Essentialism” book.

Guest:

• Tim Nguyen, Director of Detection and Response @ Google

Topics:

• I know we don’t like to say “SOC” here, so why don’t we talk about the role of automation in detection and response (D&R) at Google?
• One SRE concept we found useful in security operations is “toil” - How do we squeeze toil out of D&R practice at Google?
• A combined analyst and engineer role (just like an SRE) was critical for both increasing automation and reducing toil, how hard was it to put this into practice? Tell us about that journey?
• How do we automate security signal analysis, can you give us a few examples?
• D&R metrics have been a big pain point for many organizations, how does SRE thinking of SLOs and SLIs (and less about SLAs) helps us in our “not SOC”?
• How do we avoid falling into the “time to respond” trap that rewards fast response, sometimes at the cost of good?

Resource:

• SRE book, Chapter 5 - Eliminating Toil
• SRE book, Chapter 4 - Service Level Objectives
• “Building Secure and Reliable Systems” book
• “Achieving Autonomic Security Operations: Automation as a Force Multiplier”
• “Achieving Autonomic Security Operations: Reducing toil”
• “Taking an autonomic approach to security operations” video
• “Modern Threat Detection at Google” (ep17)

Guest: 

• James Luo,   Partner @ CapitalG

Topics:

• You've looked at hundreds of security startups at the growth stage - what is getting funded? What is not getting funded? What is the difference?
• What's your view on the current market environment for security companies? Is security "recession-proof", whatever that means?
• How do you think about what problems are worth solving with a new venture vs existing vendors (and/or CSPs) expanding to cover the new area?
• Why do many cloud security vendors get funded and get high valuations while there is a wide perception that CSP (like us at Google) are doing security really well?
• How do we solve the challenge that many organizations are barely moving off “antivirus and firewalls” security of the 1990s?
• What is your best advice to cloud security startups trying to get wider adoption?

Resources:

• “Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity”
• CapitalG blog

Guest:

• Erik Bloch,  Senior Director of Detection and Response at Sprinklr

Topics:

• You recently coined a concept of “output-driven Detection and Response” and even perhaps broader “output-driven security.” What is it and how does it work?
• Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that?
• You refer to a federated approach for Detection and Response”  (“route the outcomes to the teams that need them or can address them”), but is it workable for any organization? 
• What about the separation of duty concerns that some raise in response to this? What about the organizations that don’t have any security talent in those teams?
• Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it?
• The model of “security team as a decision-maker, not an implementer” has a bit of a painful history, as this is what led to “GRC-only teams” who lack any technical knowledge. Why will this approach work this time?

Resources:

• “RIP SOC. Hello D-IR”
• “Kill your SOC with a D-IR model”
• “Security De-Engineering: Solving the Problems in Information Risk Management” book
• “A SOCless Detection Team at Netflix” 
• “Achieving Autonomic Security Operations: Automation as a Force Multiplier” 
• “Start with Why: How Great Leaders Inspire Everyone to Take Action“ book
• “Think Like a Monk: The Secret of how to Harness the Power of Positivity and be Happy Now” book
• “On “Output-driven” SIEM”
• “SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond” (ep58)

Guests:

• Dave “Merk” Merkel, CEO @ Expel
• Peter Silberman,  CTO @ Expel

Topics:

• Many MDRs claim to be “security from the cloud”, but they actually don’t know much about cloud security. What does good looks like for MDR in the cloud (cloud being a full range from IaaS to SaaS)?
• What are the key challenges for clients picking an MDR for their cloud environments?  What are the questions to ask your potential MDR?
• Do clients want the same security outcomes done in the cloud vs on-premise?  
• Does it mean that MSSP/MDR capabilities must be different for good coverage of the cloud? 
• Is MDR technology different for Cloud detection and response as opposed to on-prem D&R? 
• How do you communicate with clients about the importance and value of cloud specific detection vs detection for endpoints running in the cloud? 
• What are the top threats against client cloud environments that you see, detect and protect from?
• Which clouds (IaaS?) are easiest for MDR to protect? What makes them easier to handle than the other Clouds?

Resources:

• Who Does What In Cloud Threat Detection?
• How to Think about Threat Detection in the Cloud
• Cattle vs Pets reminder
• Expel Blog - Incident report: Spotting an attacker in GCP 
• Expel Great eXpeltations 2022: Cybersecurity trends and predictions
• Expel Quarterly Threat Report: Q1 2022

Guest: 

• Stefan Friedli,  Senior Security Engineer @ Google

Topics:

• What is our “red team” testing philosophy and approach at Google? 
• How did we evolve to this approach? 
• What is the path from testing to making Google and our users more secure? How does our testing power the improvements we make?
• What is unique about red teaming at Google?
• Care to share some fun testing stories or examples from your experience?

Resources:

• “Building Secure & Reliable Systems” book (free)
• Threat Analysis Group (TAG) blog

Guests: none

Topics:

• What have we seen at the RSA 2022 Conference?
• What was the most interesting and unexpected?
• What was missing?

Resources:

• “RSA 2022 Musings: The Past and The Future of Security”
• Google Cloud Security at RSA 2022

Guest:

• James Condon,  Director of Security Research @  Lacework 

Topics:

• What are realistic and actually observed cloud threats today? How did you observe them at Lacework?
• Cloud threats: are they on-premise  style threats to cloud assets? We hate the line “cloud is just somebody else’s computer” but apparently threats actors seem to think so?
• What is the 2nd most dangerous cloud issue after configuration mistakes?
• Why is it so common for organizations to have insecure configurations in their cloud environments? 
• Give me a few examples of the most common mistakes organizations make, and what they can do to avoid those configurations.
• Cloud malware and  ransomware / RansomOps, are these real risks today?
• Are we finally seeing the rise of Linux malware at scale (in the cloud)?
• As multi cloud expands in popularity, what are threat actors doing in this area?
• Are actors customizing their attacks on a per-cloud basis (AWS, GCP, Azure)?

 Resources:

• Lacework 2022 Cloud Threat Report
• “Securing DevOps: Security in the Cloud” book
• “Threat Models and Cloud Security” (ep12)
• Google Threat Horizons Report #1
• Google Threat Horizons Report #2

Guest: 

• Nicholas Carlini, Research Scientist @ Google 

Topics:

• What is your threat model for a large-scale AI system? How do you approach this problem? How do you rank the attacks?
• How do you judge if an attack is something to mitigate? How do you separate realistic from theoretical?
• Are there AI threats that were theoretical in 2020, but may become a daily occurrence in 2025?
• What are the threat-derived lessons for securing AI?
• Do we practice the same or different approaches for secure AI and reliable AI?
• How does relative lack of transparency in AI helps (or hurts?) attackers and defenders?

Resources:

• “Red Teaming AI Systems: The Path, the Prospect and the Perils” at RSA 2022
• “Killed by AI Much? A Rise of Non-deterministic Security!”
• Books on Adversarial ML

Guest: 

• Sounil Yu, CISO and Head of Research at JupiterOne

Topics:

• How does your Cyber Defense Matrix apply to cloud security? Are things easier or harder?
• Cloud (at least the cloudy-cloud, also called cloud native) definitely supports “Distributed Immutable Ephemeral” (DIE) - your new creation, how does that change security and CDM?
• Cyber resilience generates a lot of confusion, how do you define and describe it? 
• BTW, is the cloud more or less cyber resilient based on your definition?
• Is invisible security a good thing? Can we ever have it? When should security be visible?
• Intuitively, security and safety are not the same. So, what is the difference between cyber safety and cyber security? What is cyber safety, really?

Resources:

• Cyber Defense Matrix
• Security DIE Triad
• Container Security: The Past or The Future? (ep54)
• This Binary Legit? How Google Uses Binary Authorization and Code Provenance (ep66)
• What is the useful definition of “cyber resilience”? poll
• Is the cloud just somebody else’s computer? Poll
• Cattle vs Pets - DevOps Explained
• Gartner CIA-PSR model
• The 2022 State of Cyber Assets Report
• Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape
• “Antifragile” book
• “Thinking, Fast and Slow” book