206 avsnitt • Längd: 25 min • Veckovis: Måndag
Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users’ data safe and workloads secure.
We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit.
We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.
The podcast Cloud Security Podcast by Google is created by Anton Chuvakin. The podcast and the artwork on this page are embedded on this page using the public podcast feed (RSS).
Guest:
Topics
Resources:
Guest:
Rich Mogull, SVP of Cloud Security at Firemon and CEO at Securosis
Topics:
Resources:
Guest:
Amine Besson, Tech Lead on Detection Engineering, Behemoth Cyberdefence
Topics:
Resources:
Guest:
Chris Hoff, Chief Secure Technology Officer at Last Pass
Topics:
Resources:
Guest:
Michael Czapinski, Security & Reliability Enthusiast, Google
Topics:
Resources:
Guests:
Topics:
Resources:
Guests:
Topics:
Resources:
Guest:
Travis Lanham, Uber Tech Lead (UTL) for Security Operations Engineering, Google Cloud
Topics:
Resources:
Guest:
Topics:
Resources:
Cross-over hosts:
Kaslin Fields, co-host at Kubernetes Podcast
Abdel Sghiouar, co-host at Kubernetes Podcast
Guest:
Michele Chubirka, Cloud Security Advocate, Google Cloud
Topics:
Resources:
Guest:
Daniel Shechter, Co-Founder and CEO at Miggo Security
Topics:
Resources:
Guests:
Topics
Resources:
Guest:
Topics:
Resources:
Guest:
Dan Nutting, Manager - Cyber Defense, Google Cloud
Topics:
What is the Defender’s Advantage and why did Mandiant decide to put this out there?
This is the second edition. What is different about DA-II?
Why do so few defenders actually realize their Defender’s Advantage?
The book talks about the importance of being "intelligence-led" in cyber defense. Can you elaborate on what this means and how organizations can practically implement this approach?
Detection engineering is presented as a continuous cycle of adaptation. How can organizations ensure their detection capabilities remain effective and avoid fatigue in their SOC?
Many organizations don’t seem to want to make detections at all, what do we tell them?
What is this thing called “Mission Control”- it sounds really cool, can you explain it?
Resources:
Defender’s Advantage book
The Defender's Advantage: Using Artificial Intelligence in Cyber Defense supplemental paper
“Threat-informed Defense Is Hard, So We Are Still Not Doing It!” blog
Guest:
Topics:
Resources:
Guest:
Royal Hansen, CISO, Alphabet
Topics:
What were you thinking before you took that “Google CISO” job?
Google's infrastructure is vast and complex, yet also modern. How does this influence the design and implementation of your security programs compared to other organizations?
Are there any specific challenges or advantages that arise from operating at such a massive scale?
What has been most surprising about Google’s internal security culture that you wish you could export to the world at large?
What have you learned about scaling teams in the Google context?
How do you design effective metrics for your teams and programs?
So, yes, AI. Every organization is trying to weigh the risks and benefits of generative AI–do you have advice for the world at large based on how we’ve done this here?
Resources:
EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
EP20 Security Operations, Reliability, and Securing Google with Heather Adkins
EP91 “Hacking Google”, Op Aurora and Insider Threat at Google
“Delivering Security at Scale: From Artisanal to Industrial”
EP185 SAIF-powered Collaboration to Secure AI: CoSAI and Why It Matters to You
Guest:
Dor Fledel, Founder and CEO of Spera Security, now Sr Director of Product Management at Okta
Topics:
We say “identity is the new perimeter,” but I think there’s a lof of nuance to it. Why and how does it matter specifically in cloud and SaaS security?
How do you do IAM right in the cloud?
Help us with the acronym soup - ITDR, CIEM also ISPM (ITSPM?), why are new products needed?
What were the most important challenges you found users were struggling with when it comes to identity management?
What advice do you have for organizations with considerable identity management debt? How should they start paying that down and get to a better place? Also: what is “identity management debt”?
Can you answer this from both a technical and organizational change management perspective?
It’s one thing to monitor how User identities, Service accounts and API keys are used, it’s another to monitor how they’re set up. When you were designing your startup, how did you pick which side of that coin to focus on first?
What’s your advice for other founders thinking about the journey from zero to 1 and the journey from independent to acquisition?
Resources:
Guest:
Nicole Beckwith, Sr. Security Engineering Manager, Threat Operations @ Kroger
Topics:
What are the most important qualities of a successful SOC leader today?
What is your approach to building and maintaining a high-functioning SOC team?
How do you approach burnout in a SOC team?
What are some of the biggest challenges facing SOC teams today?
Can you share some specific examples of how you have built and - probably more importantly! - maintained a high-functioning SOC team?
What are your thoughts on the current state of SIEM technology? Still a core of SOC or not?
What advice would you give to someone who inherited a SOC? What should his/her 7/30/90 day plan include?
Resources:
EP180 SOC Crossroads: Optimization vs Transformation - Two Paths for Security Operations Center
EP181 Detection Engineering Deep Dive: From Career Paths to Scaling SOC Teams
EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond
EP64 Security Operations Center: The People Side and How to Do it Right
EP73 Your SOC Is Dead? Evolve to Output-driven Detect and Respond!
Guests:
A debate between Tim and Anton, no guests
Debate positions:
You must buy the majority of cloud security tools from a cloud provider, here is why.
You must buy the majority of cloud security tools from a 3rd party security vendor, here is why.
Resources:
EP74 Who Will Solve Cloud Security: A View from Google Investment Side
EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use
“The cloud trust paradox: To trust cloud computing more, you need the ability to trust it less” blog
“Snowcrash” book
Guest:
David LaBianca, Senior Engineering Director, Google
Topics:
The universe of AI risks is broad and deep. We’ve made a lot of headway with our SAIF framework: can you give us a) a 90 second tour of SAIF and b) share how it’s gotten so much traction and c) talk about where we go next with it?
The Coalition for Secure AI (CoSAI) is a collaborative effort to address AI security challenges. What are Google's specific goals and expectations for CoSAI, and how will its success be measured in the long term?
Something we love about CoSAI is that we involved some unexpected folks, notably Microsoft and OpenAI. How did that come about?
How do we plan to work with existing organizations, such as Frontier Model Forum (FMF) and Open Source Security Foundation (OpenSSF)? Does this also complement emerging AI security standards?
AI is moving quickly. How do we intend to keep up with the pace of change when it comes to emerging threat techniques and actors in the landscape?
What do we expect to see out of CoSAI work and when? What should people be looking forward to and what are you most looking forward to releasing from the group?
We have proposed projects for CoSAI, including developing a defender's framework and addressing software supply chain security for AI systems. How can others use them? In other words, if I am a mid-sized bank CISO, do I care? How do I benefit from it?
An off-the-cuff question, how to do AI governance well?
Resources:
CoSAI site, CoSAI 3 projects
Guest:
Questions:
Resources:
Guests:
Jaffa Edwards, Senior Security Manager @ Google Cloud
Lyka Segura, Cloud Security Engineer @ Google Cloud
Topics:
Security transformation is hard, do you have any secret tricks or methods that actually make it happen?
Can you share a story about a time when you helped a customer transform their cloud security posture? Not just improve, but actually transform!
What is your process for understanding their needs and developing a security solution that is tailored to them? What to do if a customer does not want to share what is necessary or does not know themselves?
What are some of the most common security mistakes that you see organizations make when they move to the cloud?
What about the customers who insist on practicing in the cloud the same way they did on-premise? What do you tell the organizations that insist that “cloud is just somebody else’s computer” and they insist on doing security the old-fashioned way?
What advice would you give to organizations that are just starting out on their cloud security journey?
What are the first three cloud security steps you recommend that work for a cloud environment they inherited?
References
EP86 How to Apply Lessons from Virtualization Transition to Make Cloud Transformation Better
For a successful cloud transformation, change your culture first
Building security guardrails for developers with Google Cloud
Guest:
Adam Bateman, Co-founder and CEO, Push Security
Topics:
What is Identity Threat Detection and Response (ITDR)? How do you define it?
What gets better at a client organization once ITDR is deployed?
Do we also need “ISPM” (parallel to CDR/CSPM), and what about CIEM?
Workload identity ITDR vs human identity ITDR? Do we need both? Are these the same?
What are the alternatives to using ITDR? Can’t SIEM/UEBA help - perhaps with browser logs?
What are some of the common types of identity-based threats that ITDR can help detect?
What advice would you give to organizations that are considering implementing ITDR?
Resources:
Guest:
Zack Allen, Senior Director of Detection & Research @ Datadog, creator of Detection Engineering Weekly
Topics:
What are the biggest challenges facing detection engineers today?
What do you tell people who want to consume detections and not engineer them?
What advice would you give to someone who is interested in becoming a detection engineer at her organization?
So, what IS a detection engineer? Do you need software skills to be one? How much breadth and depth do you need?
What should a SOC leader whose team totally lacks such skills do?
You created Detection Engineering Weekly. What motivated you to start this publication, and what are your goals for it? What are the learnings so far?
You work for a vendor, so how should customers think of vendor-made vs customer-made detections and their balance?
What goes into a backlog for detections and how do you inform it?
Resources:
Zacks’s newsletter: https://detectionengineering.net
EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?
“Detection Spectrum” blog
“Delivering Security at Scale: From Artisanal to Industrial” blog (and this too)
“Detection Engineering is Painful — and It Shouldn’t Be (Part 1)” blog series
Guests:
Mitchell Rudoll, Specialist Master, Deloitte
Alex Glowacki, Senior Consultant, Deloitte
Topics:
The paper outlines two paths for SOCs: optimization or transformation. Can you elaborate on the key differences between these two approaches and the factors that should influence an organization's decision on which path to pursue?
The paper also mentions that alert overload is still a major challenge for SOCs. What are some of the practices that work in 2024 for reducing alert fatigue and improving the signal-to-noise ratio in security signals?
You also discuss the importance of automation for SOCs. What are some of the key areas where automation can be most beneficial, and what are some of the challenges of implementing automation in SOCs? Automation is often easier said than done…
What specific skills and knowledge will be most important for SOC analysts in the future that people didn’t think of 5-10 years ago?
Looking ahead, what are your predictions for the future of SOCs? What emerging technologies do you see having the biggest impact on how SOCs operate?
Resources:
“Future of the SOC: Evolution or Optimization —Choose Your Path” paper and highlights blog
“Meet the Ghost of SecOps Future” video based on the paper
EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond
The original Autonomic Security Operations (ASO) paper (2021)
“New Paper: “Future of the SOC: Forces shaping modern security operations” (Paper 1 of 4)”
“New Paper: “Future of the SOC: SOC People — Skills, Not Tiers” (Paper 2 of 4)”
“New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of 4)”
Guests:
Robin Shostack, Security Program Manager, Google
Jibran Ilyas, Managing Director Incident Response, Mandiant, Google Cloud
Topics:
You talk about “teamwork under adverse conditions” to describe expedition behavior (EB). Could you tell us what it means?
You have been involved in response to many high profile incidents, one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response?
Apart from during incident response which is almost definitionally an adverse condition, how else can security teams apply this knowledge?
If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It’s probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team?
How do we create it in an existing team or an under-performing team?
Resources:
EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework
EP103 Security Incident Response and Public Cloud - Exploring with Mandiant
EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?
“Take a few of these: Cybersecurity lessons for 21st century healthcare professionals” blog
Guest:
Brandon Wood, Product Manager for Google Threat Intelligence
Topics:
Threat intelligence is one of those terms that means different things to everyone–can you tell us what this term has meant in the different contexts of your career? What do you tell people who assume that “TI = lists of bad IPs”?
We heard while prepping for this show that you were involved in breaking up a human trafficking ring: tell us about that!
In Anton’s experience, a lot of cyber TI is stuck in “1. Get more TI 2. ??? 3. Profit!” How do you move past that?
One aspect of threat intelligence that’s always struck me as goofy is the idea that we can “monitor the dark web” and provide something useful. Can you change my mind on this one?
You told us your story of getting into sales, you recently did a successful rotation into the role of Product Manager,, can you tell us about what motivated you to do this and what the experience was like?
Are there other parts of your background that inform the work you’re doing and how you see yourself at Google?
How does that impact our go to market for threat intelligence, and what’re we up to when it comes to keeping the Internet and broader world safe?
Resources:
EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons
EP128 Building Enterprise Threat Intelligence: The Who, What, Where, and Why
Introducing Google Threat Intelligence: Actionable threat intelligence at Google scale
Guests:
Omar ElAhdan, Principal Consultant, Mandiant, Google Cloud
Will Silverstone, Senior Consultant, Mandiant, Google Cloud
Topics:
Most organizations you see use both cloud and on-premise environments. What are the most common challenges organizations face in securing their hybrid cloud environments?
You do IR so in your experience, what are top 5 mistakes organizations make that lead to cloud incidents?
How and why do organizations get the attack surface wrong? Are there pillars of attack surface?
We talk a lot about how IAM matters in the cloud. Is that true that AD is what gets you in many cases even for other clouds?
What is your best cloud incident preparedness advice for organizations that are new to cloud and still use on-prem as well?
Resources:
Next 2024 LIVE Video of this episode / LinkedIn version (sorry for the audio quality!)
“Lessons Learned from Cloud Compromise” podcast at The Defender’s Advantage
“Cloud compromises: Lessons learned from Mandiant investigations” in 2023 from Next 2024
EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework
EP103 Security Incident Response and Public Cloud - Exploring with Mandiant
EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler
Guest:
Seth Vargo, Principal Software Engineer responsible for Google's use of the public cloud, Google
Topics:
Google uses the public cloud, no way, right? Which one? Oh, yeah, I guess this is obvious: GCP, right?
Where are we like other clients of GCP? Where are we not like other cloud users?
Do we have any unique cloud security technology that we use that others may benefit from?
How does our cloud usage inform our cloud security products?
So is our cloud use profile similar to cloud natives or traditional companies?
What are some of the most interesting cloud security practices and controls that we use that are usable by others?
How do we make them work at scale?
Resources:
EP12 Threat Models and Cloud Security (previous episode with Seth)
EP66 Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance
EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics
“Attention Is All You Need” paper (yes, that one)
Guest:
Crystal Lister, Technical Program Manager, Google Cloud Security
Topics:
Your background can be sheepishly called “public sector”, what’s your experience been transitioning from public to private? How did you end up here doing what you are doing?
We imagine you learned a lot from what you just described – how’s that impacted your work at Google?
How have you seen risk management practices and outcomes differ?
You now lead Google Threat Horizons reports, do you have a vision for this? How does your past work inform it?
Given the prevalence of ransomware attacks, many organizations are focused on external threats. In your experience, does the risk of insider threats still hold significant weight? What type of company needs a dedicated and separate insider threat program?
Resources:
Google Cybersecurity Action Team Threat Horizons Report #9 Is Out!
Google Cybersecurity Action Team site for previous Threat Horizons Reports
Psychology of Intelligence Analysis by Richards J. Heuer
The Coming Wave by Mustafa Suleyman
Visualizing Google Cloud: 101 Illustrated References for Cloud Engineers and Architects
Guest:
Angelika Rohrer, Sr. Technical Program Manager , Cyber Security Response at Alphabet
Topics:
Incident response (IR) is by definition “reactive”, but ultimately incident prep determines your IR success. What are the broad areas where one needs to prepare?
You have created a new framework for measuring how ready you are for an incident, what is the approach you took to create it?
Why is continuous improvement crucial for effective incident response, especially in cloud environments? Can’t you just make a playbook and use it?
How to overcome the desire to focus on the easy metrics and go to more valuable ones?
What do you think Google does best in this area?
Can you share examples of how the CI Framework could have helped prevent or mitigate a real-world cloud security incident?
How can other organizations practically implement the CI Framework to enhance their incident response capabilities after they read the paper?
Resources:
EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
EP103 Security Incident Response and Public Cloud - Exploring with Mandiant
EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics
EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?
Guest:
Shan Rao, Group Product Manager, Google
Topics:
What are the unique challenges when securing AI for cloud environments, compared to traditional IT systems?
Your talk covers 5 risks, why did you pick these five? What are the five, and are these the worst?
Some of the mitigation seems the same for all risks. What are the popular SAIF mitigations that cover more of the risks?
Can we move quickly and securely with AI? How?
What future trends and developments do you foresee in the field of securing AI for cloud environments, and how can organizations prepare for them?
Do you think in 2-3 years AI security will be a separate domain or a part of … application security? Data security? Cloud security?
Resource:
Video (LinkedIn, YouTube) [live audio is not great in these]
“A cybersecurity expert's guide to securing AI products with Google SAIF“ presentation
“To securely build AI on Google Cloud, follow these best practices” (paper)
“Secure AI Framework (SAIF): A Conceptual Framework for Secure AI Systems” resources
Corey Quinn on X (long story why this is here… listen to the episode)
Guests:
None
Topics:
What have we seen at RSA 2024?
Which buzzwords are rising (AI! AI! AI!) and which ones are falling (hi XDR)?
Is this really all about AI? Is this all marketing?
Security platforms or focused tools, who is winning at RSA?
Anything fun going on with SecOps?
Is cloud security still largely about CSPM?
Any interesting presentations spotted?
Resources:
EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side (RSA 2024 episode 1 of 2)
“From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis” blog
“Introducing Google Security Operations: Intel-driven, AI-powered SecOps” blog
“Advancing the art of AI-driven security with Google Cloud” blog
Guest:
Elie Bursztein, Google DeepMind Cybersecurity Research Lead, Google
Topics:
Given your experience, how afraid or nervous are you about the use of GenAI by the criminals (PoisonGPT, WormGPT and such)?
What can a top-tier state-sponsored threat actor do better with LLM? Are there “extra scary” examples, real or hypothetical?
Do we really have to care about this “dangerous capabilities” stuff (CBRN)? Really really?
Why do you think that AI favors the defenders? Is this a long term or a short term view?
What about vulnerability discovery? Some people are freaking out that LLM will discover new zero days, is this a real risk?
Resources:
“How Large Language Models Are Reshaping the Cybersecurity Landscape” RSA 2024 presentation by Elie (May 6 at 9:40AM)
“Lessons Learned from Developing Secure AI Workflows” RSA 2024 presentation by Elie (May 8, 2:25PM)
EP50 The Epic Battle: Machine Learning vs Millions of Malicious Documents
EP170 Redefining Security Operations: Practical Applications of GenAI in the SOC
EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It
Threat Actors are Interested in Generative AI, but Use Remains Limited
Guest:
Payal Chakravarty, Director of Product Management, Google SecOps, Google Cloud
Topics:
What are the different use cases for GenAI in security operations and how can organizations prioritize them for maximum impact to their organization?
We’ve heard a lot of worries from people that GenAI will replace junior team members–how do you see GenAI enabling more people to be part of the security mission?
What are the challenges and risks associated with using GenAI in security operations?
We’ve been down the road of automation for SOCs before–UEBA and SOAR both claimed it–and AI looks a lot like those but with way more matrix math-what are we going to get right this time that we didn’t quite live up to last time(s) around?
Imagine a SOC or a D&R team of 2029. What AI-based magic is routine at this time? What new things are done by AI? What do humans do?
Resources:
Live video (LinkedIn, YouTube) [live audio is not great in these]
Practical use cases for AI in security operations, Cloud Next 2024 session by Payal
EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It
EP169 Google Cloud Next 2024 Recap: Is Cloud an Island, So Much AI, Bots in SecOps
Guests:
Topics:
What are some of the fun security-related launches from Next 2024 (sorry for our brief “marketing hat” moment!)?
Any fun security vendors we spotted “in the clouds”?
OK, what are our favorite sessions? Our own, right? Anything else we had time to go to?
What are the new security ideas inspired by the event (you really want to listen to this part! Because “freatures”...)
Resources:
Live video (LinkedIn, YouTube) [live audio is not great in these]
Cloud CISO Perspectives: 20 major security announcements from Next ‘24
EP137 Next 2023 Special: Conference Recap - AI, Cloud, Security, Magical Hallway Conversations (last year!)
EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?
EP90 Next Special - Google Cybersecurity Action Team: One Year Later!
A cybersecurity expert's guide to securing AI products with Google SAIF Next 2024 session
How AI can transform your approach to security Next 2024 session
Guests:
Umesh Shankar, Distinguished Engineer, Chief Technologist for Google Cloud Security
Scott Coull, Head of Data Science Research, Google Cloud Security
Topics:
What does it mean to “teach AI security”? How did we make SecLM? And also: why did we make SecLM?
What can “security trained LLM” do better vs regular LLM?
Does making it better at security make it worse at other things that we care about?
What can a security team do with it today? What are the “starter use cases” for SecLM?
Are we seeing the limits of LLMs for our use cases? Is the “LLM is not magic” finally dawning?
Resources:
“How to tackle security tasks and workflows with generative AI” (Google Cloud Next 2024 session on SecLM)
EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?
Secure, Empower, Advance: How AI Can Reverse the Defender’s Dilemma?
Considerations for Evaluating Large Language Models for Cybersecurity Tasks
Conference on Applied Machine Learning in Information Security
Speakers:
Maria Riaz, Cloud Counter-Abuse, Engineering Lead, Google Cloud
Topics:
What is “counter abuse”? Is this the same as security?
What does counter-abuse look like for GCP?
What are the popular abuse types we face?
Do people use stolen cards to get accounts to then violate the terms with?
How do we deal with this, generally?
Beyond core technical skills, what are some of the relevant competencies for working in this space that would appeal to a diverse set of audience?
You have worked in academia and industry. What similarities or differences have you observed?
Resources / reading:
Guests:
Evan Gilman, co-founder CEO of Spirl
Eli Nesterov, co-founder CTO of Spril
Topics:
Today we have IAM, zero trust and security made easy. With that intro, could you give us the 30 second version of what a workload identity is and why people need them?
What’s so spiffy about SPIFFE anyway?
What’s different between this and micro segmentation of your network–why is one better or worse?
You call your book “solving the bottom turtle” could you tell us what that means?
What are the challenges you’re seeing large organizations run into when adopting this approach at scale?
Of all the things a CISO could prioritize, why should this one get added to the list? What makes this, which is so core to our internal security model–ripe for the outside world?
How people do it now, what gets thrown away when you deploy SPIFFE? Are there alternative?
SPIFFE is interesting, yet can a startup really “solve for the bottom turtle”?
Resources:
“Solving the Bottom Turtle” book [PDF, free]
“Surely You're Joking, Mr. Feynman!” book [also, one of Anton’s faves for years!]
Guest:
Ahmad Robinson, Cloud Security Architect, Google Cloud
Topics:
You’ve done a BlackHat webinar where you discuss a Pets vs Cattle mentality when it comes to cloud operations. Can you explain this mentality and how it applies to security?
What in your past led you to these insights? Tell us more about your background and your journey to Google. How did that background contribute to your team?
One term that often comes up on the show and with our customers is 'shifting left.' Could you explain what 'shifting left' means in the context of cloud security? What’s hard about shift left, and where do orgs get stuck too far right?
A lot of “cloud people” talk about IaC and PaC but the terms and the concepts are occasionally confusing to those new to cloud. Can you briefly explain Policy as Code and its security implications? Does PaC help or hurt security?
Resources:
“No Pets Allowed - Mastering The Basics Of Cloud Infrastructure” webinar
EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?
EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud
Guest:
Jennifer Fernick, Senor Staff Security Engineer and UTL, Google
Topics:
Since one of us (!) doesn't have a PhD in quantum mechanics, could you explain what a quantum computer is and how do we know they are on a credible path towards being real threats to cryptography? How soon do we need to worry about this one?
We’ve heard that quantum computers are more of a threat to asymmetric/public key crypto than symmetric crypto. First off, why? And second, what does this difference mean for defenders?
Why (how) are we sure this is coming? Are we mitigating a threat that is perennially 10 years ahead and then vanishes due to some other broad technology change?
What is a post-quantum algorithm anyway? If we’re baking new key exchange crypto into our systems, how confident are we that we are going to be resistant to both quantum and traditional cryptanalysis?
Why does NIST think it's time to be doing the PQC thing now? Where is the rest of the industry on this evolution?
How can a person tell the difference here between reality and snakeoil? I think Anton and I both responded to your initial email with a heavy dose of skepticism, and probably more skepticism than it deserved, so you get the rare on-air apology from both of us!
Resources:
Securing tomorrow today: Why Google now protects its internal communications from quantum threats
“Quantum Computation & Quantum Information” by Nielsen & Chuang book
EP154 Mike Schiffman: from Blueboxing to LLMs via Network Security at Google
Guest:
Phil Venables, Vice President, Chief Information Security Officer (CISO) @ Google Cloud
Topics:
You had this epic 8 megatrends idea in 2021, where are we now with them?
We now have 9 of them, what made you add this particular one (AI)?
A lot of CISOs fear runaway AI. Hence good governance is key! What is your secret of success for AI governance?
What questions are CISOs asking you about AI? What questions about AI should they be asking that they are not asking?
Which one of the megatrends is the most contentious based on your presenting them worldwide?
Is cloud really making the world of IT simpler (megatrend #6)?
Do most enterprise cloud users appreciate the software-defined nature of cloud (megatrend #5) or do they continue to fight it?
Which megatrend is manifesting the most strongly in your experience?
Resources:
Megatrends drive cloud adoption—and improve security for all and infographic
“Keynote | The Latest Cloud Security Megatrend: AI for Security”
“Lessons from the future: Why shared fate shows us a better cloud roadmap” blog and shared fate page
“Spotlighting ‘shadow AI’: How to protect against risky AI practices” blog
EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security
Guest:
Kat Traxler, Security Researcher, TrustOnCloud
Topics:
What is your reaction to “in the cloud you are one IAM mistake away from a breach”? Do you like it or do you hate it?
A lot of people say “in the cloud, you must do IAM ‘right’”. What do you think that means? What is the first or the main idea that comes to your mind when you hear it?
How have you seen the CSPs take different approaches to IAM? What does it mean for the cloud users?
Why do people still screw up IAM in the cloud so badly after years of trying?
Deeper, why do people still screw up resource hierarchy and resource management?
Are the identity sins of cloud IAM users truly the sins of the creators? How did the "big 3" get it wrong and how does that continue to manifest today?
Your best cloud IAM advice is “assign roles at the lowest resource-level possible”, please explain this one? Where is the magic?
Resources:
Guest:
Victoria Geronimo, Cloud Security Architect, Google Cloud
Topics:
You work with technical folks at the intersection of compliance, security, and cloud. So what do you do, and where do you find the biggest challenges in communicating across those boundaries?
How does cloud make compliance easier? Does it ever make compliance harder?
What is your best advice to organizations that approach cloud compliance as they did for the 1990s data centers and classic IT?
What has been the most surprising compliance challenge you’ve helped teams debug in your time here?
You also work on standards development –can you tell us about how you got into that and what’s been surprising in that for you?
We often say on this show that an organization’s ability to threat model is only as good as their team’s perspectives are diverse: how has your background shaped your work here?
Resources:
Guest:
Merritt Baer, Field CTO, Lacework, ex-AWS, ex-USG
Topics:
How can organizations ensure that their security posture is maintained or improved during a cloud migration? Is cloud migration a risk reduction move?
What are some of the common security challenges that organizations face during a cloud migration?
What advice would you give to those security leaders who insist on lift/shift or on lift/shift first?
How should security and compliance teams approach their engineering and DevOps colleagues to make sure things are starting on the right foot?
In your view, what is the essence of a cloud-native approach to security?
How can organizations ensure that their security posture scales as their cloud usage grows?
Resources:
EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud
EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?
9 Megatrends drive cloud adoption—and improve security for all
Guests:
Emre Kanlikilicer, Senior Engineering Manager @ Google
Sophia Gu, Engineering Manager at Google
Topics
Workspace makes the claim that unlike other productivity suites available today, it’s architectured for the modern threat landscape. That’s a big claim! What gives Google the ability to make this claim?
Workspace environments would have many different types of data, some very sensitive. What are some of the common challenges with controlling access to data and protecting data in hybrid work?
What are some of the common mistakes you see customers making with Workspace security?
What are some of the ways context aware access and DLP (now SDP) help with this?
Resources:
Guest:
Jason Solomon, Security Engineer, Google
Topics:
Could you share a bit about when you get pulled into incidents and what are your goals when you are?
How does that change in the cloud? How do you establish a chain of custody and prove it for law enforcement, if needed?
What tooling do you rely on for cloud forensics and is that tooling available to "normal people"?
How do we at Google know when it’s time to call for help, and how should our customers know that it’s time?
Can I quote Ray Parker Jr and ask, who you gonna call?
What’s your advice to a security leader on how to “prepare for the inevitable” in this context?
Cloud forensics - is it easier or harder than the 1990s classic forensics?
Resource:
Guest:
Arie Zilberstein, CEO and Co-Founder at Gem Security
Topics:
How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response?
What are the key challenges of cloud detection and response?
Often we lift and shift our teams to Cloud, and not always for bad reasons, so what’s your advice on how to teach the old dogs new tricks: “on-premise-trained” D&R teams and cloud D&R?
What is this new CIRA thing that Gartner just cooked up? Should CIRA exist as a separate market or technology or is this just a slice of CDR or even SIEM perhaps?
What do you tell people who say that “SIEM is their CDR”?
What are the key roles and responsibilities of the CDR team? How is the cloud D&R process related to DevOps and cloud-style IT processes?
Resources:
EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?
EP103 Security Incident Response and Public Cloud - Exploring with Mandiant
EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?
9 Megatrends drive cloud adoption—and improve security for all
“Emerging Tech: Security — Cloud Investigation and Response Automation (CIRA) Offers Transformation Opportunities” (Gartner access required)
“Does the World Need Cloud Detection and Response (CDR)?” blog
Guest:
Sandra Joyce, VP at Mandiant Intelligence
Topics:
Could you give us a brief overview of what this power disruption incident was about?
This incident involved both Living Off the Land and attacks on operational technology (OT). Could you explain to our audience what these mean and what the attacker did here?
We also saw a wiper used to hide forensics, is that common these days?
Did the attacker risk tipping their hand about upcoming physical attacks? If we’d seen this intrusion earlier, might we have understood the attacker’s next moves?
How did your team establish robust attribution in this case, and how they do it in general? How sure are we, really?
Could you share how this came about and maybe some of the highlights in our relationship helping defend that country?
Resources:
Guests:
Topics:
You wrote a book on cyber and war, how did this come about and what did you most enjoy learning from the other during the writing process?
Is generative AI going to be a game changer in international relations and war, or is it just another tool?
You also touch briefly on lethal autonomous weapons systems and ethics–that feels like the genie is right in the very neck of the bottle right now, is it too late?
Aside from this book, and the awesome course you offered at Brown that sparked Tim’s interest in this field, how can we democratize this space better?
How does the emergence and shift to Cloud impact security in the cyber age?
What are your thoughts on the intersection of Cloud as a set of technologies and operating model and state security (like sovereignty)? Does Cloud make espionage harder or easier?
Resources:
“Security in the Cyber Age” book (and their other books’)
“No Shortcuts: Why States Struggle to Develop a Military Cyber-Force” book
“The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age“ book
“Active Cyber Defense: Applying Air Defense to the Cyber Domain”
EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same?
EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith?
Guest:
Mike Schiffman, Network Security “UTL”
Topics:
Given your impressive and interesting history, tell us a few things about yourself?
What are the biggest challenges facing network security today based on your experience?
You came to Google to work on Network Security challenges. What are some of the surprising ones you’ve uncovered here?
What lessons from Google's approach to network security absolutely don’t apply to others? Which ones perhaps do?
If you have to explain the difference between network security in the cloud and on-premise, what comes to mind first?
How do we balance better encryption with better network security monitoring and detection?
Speaking of challenges in cryptography, we’re all getting fired up about post-quantum and network security. Could you give us the maybe 5 minute teaser version of this because we have an upcoming episode dedicated to this?
I hear you have some interesting insight on LLMs, something to do with blueboxing or something. What is that about?
Resources:
EP113 Love it or Hate it, Network Security is Coming to the Cloud
EP122 Firewalls in the Cloud: How to Implement Trust Boundaries for Access Control
“A History of Fake Things on the Internet” by WALTER J. SCHEIRER
Why Google now protects its internal communications from quantum threats
Guest:
Kevin Mandia, CEO at Mandiant, part of Google Cloud
Topics:
When you look back, what were the most surprising cloud breaches in 2023, and what can we learn from them? How were they different from the “old world” of on-prem breaches?
For a long time it’s felt like incident response has been an on-prem specialization, and that adversaries are primarily focused on compromising on-prem infrastructure. Who are we seeing go after cloud environments? The same threat actors or not?
Could you share a bit about the mistakes and risks that you saw organizations make that made their cloud breaches possible or made them worse? Conversely, what ended up being helpful to organizations in limiting the blast radius or making response easier?
Tim’s mother worked in a network disaster recovery team for a long time–their motto was “preparing for the inevitable.” What advice do you have for helping security teams and IT teams get ready for cloud breaches? Especially for recent cloud entrants?
Anton tells his “2000 IDS story” (need to listen for details!) and asks: what approaches for detecting threats actually detects threats today?
Resources:
Guest:
Michee Smith, Director, Product Management for Global Affairs Works, Google
Topics:
What is Google Annual Transparency Report and how did we get started doing this?
Surely the challenge of a transparency report is that there are things we can’t be transparent about, how do we balance this? What are those? Is it a safe question?
What Access Transparency Logs are and if they are connected to the report –other than in Tim's mind and your career?
Beyond building the annual transparency report, you also work on our central risk data platform. Every business has a problem managing risk–what’s special here? Do we have any Google magic here?
Could you tell us about your path in Product Management here? You have been here eight years, and recently became Director. Do you have any advice for the ambitious Google PMs listening to the show?
Resources:
Guest:
Monica Shokrai, Head Of Business Risk and Insurance For Google Cloud
Topics:
Could you give us the 30 second run down of what cyber insurance is and isn't?
Can you tie that to clouds? How does the cloud change it? Is it the case that now I don't need insurance for some of the "old school" cyber risks?
What challenges are insurers facing with assessing cloud risks? On this show I struggle to find CISOs who "get" cloud, are there insurers and underwriters who get it?
We recently heard about an insurer reducing coverage for incidents caused by old CVEs! What's your take on this? Effective incentive structure to push orgs towards patching operational excellence or someone finding yet another way not to pay out? Is insurance the magic tool for improving security?
Doesn't cyber insurance have a difficult reputation with clients? “Will they even pay?” “Will it be enough?” “Is this a cyberwar exception?” type stuff?
How do we balance our motives between selling more cloud and providing effective risk underwriting data to insurers?
How soon do you think we will have actuarial data from many clients re: real risks in the cloud? What about the fact that risks change all the time unlike say many “non cyber” risks?
Resources:
“Cyber Insurance Policy” by Josephine Wolff
Guest:
Dr Gary McGraw, founder of the Berryville Institute of Machine Learning
Topics:
Gary, you’ve been doing software security for many decades, so tell us: are we really behind on securing ML and AI systems?
If not SBOM for data or “DBOM”, then what? Can data supply chain tools or just better data governance practices help?
How would you threat model a system with ML in it or a new ML system you are building?
What are the key differences and similarities between securing AI and securing a traditional, complex enterprise system?
What are the key differences between securing the AI you built and AI you buy or subscribe to?
Resources:
“An Architectural Risk Analysis Of Machine Learning Systems: Toward More Secure Machine Learning“ paper
“What to think about when you’re thinking about securing AI”
“Microsoft AI researchers accidentally leak 38TB of company data”
Guests:
John Stoner, Principal Security Strategist, Google Cloud Security
Dave Herrald, Head of Adopt Engineering, Google Cloud Security
Topics:
In your experience, past and present, what would make clients trust vendor detection content?
Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from?
What is more important, seeing the detection or being able to change it, or both?
If this is about seeing the detection code/content, what about ML and algorithms?
What about the SOC analysts who don't read the code?
What about “tuning” - is tuning detections a bad word now in 2023?
Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic?
Resources:
DetectionEngineering.net by Zack Allen
EP64 Security Operations Center: The People Side and How to Do it Right
EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting
EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
Detection Engineering is Painful — and It Shouldn’t Be (Part 1, 2, 3, 4, 5)
Guest:
Adrian Sanabria, Director of Valence Threat Labs at Valence Security, ex-analyst
Topics:
When people talk about “cloud security” they often forget SaaS, what should be the structured approach to using SaaS securely or securing SaaS?
What are the incidents telling us about the realistic threats to SaaS tools?
Is the Microsoft 365 breach a SaaS breach, a cloud breach or something else?
Do we really need CVEs for SaaS vulnerabilities?
What are the least understood aspects of securing SaaS?
What do you tell the organizations who assume that “SaaS vendor takes care of all SaaS security”?
Isn’t CASB the answer to all SaaS security issues? We also have SSPM now too? Do we really need more tools?
Resources:
Guest:
Kelli Vanderlee, Senior Manager, Threat Analysis, Mandiant at Google Cloud
Topics:
Can you really forecast threats? Won’t the threat actors ultimately do whatever they want?
How can clients use the forecast? Or as Tim would say it, what gets better once you read it?
What is the threat forecast for cloud environments? It says “Cyber attacks targeting hybrid and multi-cloud environments will mature and become more impactful“ - what does it mean?
Of course AI makes an appearance as well: “LLMs and other gen AI tools will likely be developed and offered as a service to assist attackers with target compromises.” Do we really expect attacker-run LLM SaaS? What models will they use? Will it be good?
There are a number of significant elections scheduled for 2024, are there implications for cloud security?
Based on the threat information, tell me about something that is going well, what will get better in 2024?
Resources:
Guest:
Wei Lien Dang, GP at Unusual Ventures
Topics:
We have a view at Google that AI for security and security for AI are largely separable disciplines. Do you feel the same way? Is this distinction a useful one for you?
What are some of the security problems you're hearing from AI companies that are worth solving?
AI is obviously hot, and as always security is chasing the hotness. Where are we seeing the focus of market attention for AI security?
Does this feel like an area that's going to have real full products or just a series of features developed by early stage companies that get acquired and rolled up into other orgs?
What lessons can we draw on from previous platform shifts, e.g. cloud security, to inform how this market will evolve?
Resources:
Guest:
Jay Thoden van Velzen, Strategic Advisor to the CSO, SAP
Topics:
What are the challenges with shared responsibility for cloud security?
In your article, you mention “shared faith”, we have “shared fate”, but we never heard of shared faith. What is this? Can you explain?
What about the cloud models (SaaS, PaaS, IaaS), how does this sharing model differ?
Resources:
EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge
Shared fate at Google Cloud (also see blogs one and two)
Guest:
Kathryn Shih, Group Product Manager, LLM Lead in Google Cloud Security
Topics:
Could you give our audience the quick version of what is an LLM and what things can they do vs not do? Is this “baby AGI” or is this a glorified “autocomplete”?
Let’s talk about the different ways to tune the models, and when we think about tuning what are the ways that attackers might influence or steal our data?
Can you help our security listener leaders have the right vocabulary and concepts to reason about the risk of their information a) going into an LLM and b) getting regurgitated by one?
How do I keep the output of a model safe, and what questions do I need to ask a vendor to understand if they’re a) talking nonsense or b) actually keeping their output safe?
Are hallucinations inherent to LLMs and can they ever be fixed?
So there are risks to data and new opportunities for attacks and hallucinations. How do we know good opportunities in the area given the risks?
Resources:
Retrieval Augmented Generation (or go ask Bard about it)
Guests:
Topics:
It seems that in many cases the challenge with cloud configuration weaknesses is not their detection, but remediation, is that true?
As far as remediation scope, do we need to cover traditional vulnerabilities (in stock and custom code), configuration weaknesses and other issues too?
One of us used to cover vulnerability management at Gartner, and in many cases the remediation failures [on premise] were due to process, not technology, breakdowns. Is this the same in the cloud? If still true, how can any vendor technology help resolve it?
Why is cloud security remediation such a headache for so many organizations?
Is the friction real between security and engineering teams? Do they have any hope of ever becoming BFFs?
Doesn’t every CSPM (and now ASPM too?) vendor say they do automated remediation today? How should security pros evaluate solutions for prioritizing, triaging, and fixing issues?
Resources:
EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?’
EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud
EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?
8 Megatrends drive cloud adoption—and improve security for all
Host:
Stephanie Wong, Product Manager, Google Cloud
Guests (yes, really, we are the guests!):
Topics:
Could you tell us how you ended up in security?
What was the moment you realized that Cloud security was different from well, regular, security?
Anton is always asking this “3AM test”, where did that come from?
How do you source topics for the podcast?
What advice would you give to folks who are interested in getting into security?
… and other fun questions!
Resources:
Guest:
Jeremiah Kung, Global Head of Information Security, AppLovin
Topics:
Before we dive into all of the awesome cloud migrations you’ve experienced and your learnings there, could we start with a topic of East vs West CISO mentality?
We are talking to more and more CISOs who see the cloud as a net win for security. What’s your take on whether the cloud improves security?
We talked about doing some “big” cloud migrations, could you talk about what you learned back in 2015 about the “right” way to do a cloud migration and how you’ve applied those lessons since?
How are you approaching securing clouds differently in 2023 (vs the dark past of 2015)?
What advice would you give your peers to get out of the “saying no” mentality and into a better collaborative mode?
On the topic of giving advice to people who haven’t asked for it, what advice would you give to teams who are stuck in 1990s thinking when it comes to lift and shifting their security technology stack to cloud?
Resources:
EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen!
EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen!
“How CISOs need to adapt their mental models for cloud security” blog
“Superforecasting” book
Guest:
Andrew Hoying, Senior Security Engineering Manager @ Google
Topics:
What is different about system hardening today vs 20 years ago?
Also, what is special about hardening systems at Google massive scale?
Can I just apply CIS templates and be done with it?
Part of hardening has to be following up with developers after they have un-hardened things – how do we operationalize that at scale without getting too much in the way of productivity?
A part of hardening has got to be responding to new regulation and compliance regimes, how do you incorporate new controls and stay responsive to the changing world around us?
Are there cases where we have taken lessons from hardening at scale and converted those into product improvements?
What metrics do you track to keep your teams moving, and what metrics do your leads look at to understand how you’re doing? [Spoiler: the answer here is VERY fun!]
Resources:
Guest:
Chris Corde, Sr Director of Product Management - Security Operations, Google Cloud
Topics:
You cover many products, but let’s focus on Chronicle today. An easy question: Chronicle isn’t an XDR, so what is it?
Since you’ve joined the team, what’re you most proud of shipping to clients?
Could you share more about the Mandiant acquisition, what’s been a happy surprise and what are you looking forward to making available to customers?
Some believe that good security operations success is mostly about process, yet we are also building these amazing products. What is your view of how much security ops success hinges on products vs practices?
When it comes to building out Chronicle’s position in the market, how are we leveraging the depth of expertise that people have with other SIEM tools compared to ours?
What advice do you have for security professionals who want to transition into product management?
Resources:
EP44 Evolving a SIEM for the Future While Learning from the Past
EP82 Mega-confused by XDR? You Are Not Alone! This XDR Skeptic Clarifies!
Guest:
Rosemary Wang, Developer Advocate at HashiCorp
Topics:
Could you give us a 2 minute picture on what Terraform is, what stages of the cloud lifecycle it is relevant for, and how it intersects with security teams?
How can Terraform be used for security automation? How should security teams work with DevOps teams to use it?
What are some of the obvious and not so obvious security challenges of using Terraform?
How can security best practices be applied to infrastructure instantiated via Terraform?
What is the relationship between Terraform and policy as code (PaC)?
How do you get started with all this?
What do you tell the security teams who want to do cloud security the “old way” and not the cloud-native way?
Resources:
Guests:
no guests, all banter, all very fun :-)
Topics:
How is Google Next this year? What is new in cloud security?
Is Google finally a security vendor?
What are some of the fun security presentations we've seen, including our own?
Any impactful launches in security?
What was the most interesting overall?
“Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?” (ep136)
“RSA 2023 - What We Saw, What We Learned, and What We're Excited About” (ep119)
“Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?” (ep67)
“Detecting, investigating, and responding to threats in your Google Cloud environment” at Cloud Next 2023 by Anton
“Prevent cloud compromises: Learn how Uber discovers cyber risks and remediates threats” at Cloud Next 2023 by Tim
“Generative AI for defenders with Sec-PaLM 2 and Duet AI” at Cloud Next 2023 by Eric Doerr (his episode)
“A blueprint for modern security operations” at Cloud Next 2023 by our future guest, Chris…
Kevin Mandia at Next keynote (start at 1:15:00)
“New AI capabilities that can help address your security challenges” blog
Guest:
Eric Doerr, VP of Engineering, Google Cloud Security
Topics:
You have a Next presentation on AI, what is the most exciting part for you?
We care both about securing AI and using AI for security. How do you organize your thinking about it?
Executive surveys imply that trusting an AI (for business) is still an issue. How can we trust AI for security? What does it mean to “trust AI” in this context?
How should defenders think about threat modeling AI systems?
Back to using AI for security, what are the absolute worst security use cases for GenAI? Think “generate code and run it on prod” or something like that?
What does it mean to “teach AI security” like we did with Sec-PALM2? What is actually involved in this?
What were some surprising challenges we ran into here?
Resources:
Guest:
Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud
Topics:
Why is AI a game-changer for security? Can we even have game-changers in cyber security?
Is it more detection or is it more reducing toil and making humans more productuve? What are you favorite AI for security use cases?
What “AI + security” issue makes you - a classic CISO question here - lose sleep at night?
Does AI help defenders or attackers more? Won’t attackers adopt faster because they don’t have as many rules (but yes, they have bosses and budgets too)?
Aren’t there cases where defenders benefit a lot more and gain a superpower with AI while attackers are faced with defeat?
Is securing AI more similar or more different from securing other enterprise systems?
Does shared fate apply to AI?
Resources:
“Securing AI: Similar or Different?” paper by Office of the CISO at Google Cloud
“Lessons from the future: Why shared fate shows us a better cloud roadmap” blog
“Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security” (ep47)
“Securing Multi-Cloud from a CISO Perspective, Part 3” (ep22)
“Google Cybersecurity Action Team: What's the Story?” (ep37)
Guest:
Steph Hay , Director of UX, Google Cloud Security
Topics:
The importance of User Experience (UX) in security is so obvious – though it isn’t to a lot of people! Could we talk about the importance of UX in security?
UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this?
How do you think about prioritizing your team’s time between day zero vs day n experiences for users of security tools?
Some say that cloud security should be invisible, but does this mean no UX at all? What are the intersections between UX for security and invisible security?
Can you think of what single UX change in Cloud Security’s portfolio made the biggest impact to actual security outcomes?
We have this new tool/approach for planning called Jobs To Be Done (JTBD) - give us the value, and the history? In the world of JTBD planning, what gets better?
Resources:
Guest:
Steve McGhee, Reliability Advocate at Google Cloud
Aron Eidelman, Developer Relations Engineer at Google Cloud
Topics:
What is the shared problem for SRE and security when it comes to alerting?
Why is there reluctance to reduce noise?
How do SREs, security practitioners, and other stakeholders define “incident” and “risk”?
How does involving an “adversary” change the way people think about an incident, even if the impact is identical?
Which SRE alerting lessons do NOT apply at all for security?
Resources:
“Deploy Security Capabilities at Scale: SRE Explains How” (ep85)
Learning from incidents (LFI) science
Guest:
Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly
Topics:
So what is Security Chaos Engineering?
“Chapter 5. Operating and Observing” is Anton’s favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection?
How chaos engineering (or is it really about software resilience?) intersects with Cloud security - is this peanut butter and chocolate or more like peanut butter and pickles?
How can organizations get started with chaos engineering for software resilience and security?
What is your favorite chaos engineering experiment that you have ever done?
We often talk about using the SRE lessons for security, and yet many organizations do security the 1990s way. Are there ways to use chaos engineering as a forcing function to break people out of their 1990s thinking and time warp them to 2023?
Resources:
“Deploy Security Capabilities at Scale: SRE Explains How” (ep85)
“The Good, the Bad, and the Epic of Threat Detection at Scale with Panther” (ep123)
“Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?” (ep117)
Guests:
Himanshu Khurana, Engineering Manager, Google Cloud
Rahul Gupta, Product Manager for Assured OSS, Google Cloud
Topics:
For the software you’re supporting in Assured Open Source your team discovered 50% of the CVEs reported in them this year. How did that happen?
So what is Assured Open Source?
Do we really guarantee its security? What does “guarantee” here mean?
What’re users actually paying for here?
What’s the Google magic here and why are we doing this?
Do we really audit all code and fuzz for security issues?
What’s a supply chain attack and then we’ll talk about how this is plugging into those gaps?
Resources:
“SBOMs: A Step Towards a More Secure Software Supply Chain” (ep116)
“Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24)
Guest:
Topics:
Resources:
Guest:
Rick Doten, VP, Information Security at Centene Corporation, CISO Carolina Complete Health
Topics:
What are the realistic cloud risks today for an organization using public cloud?
Is the vendor lock-in on that list? What other risks everybody thinks are real, but they are not?
What do you tell people who in 2023 still think “they can host Exchange better themselves” and have silly cloud fears?
Cloud providers have greater opportunity not only to see issues, but to learn how to react well. Do you think this argument holds water?
What are the most challenging security issues for multi-cloud and hybrid cloud security?
How does security chasm (between security haves and have-notes) affect cloud security?
Your best cloud security advice for an organization with a security team of 0 FTEs and no CISO?
Resources:
Defining Cloud Security by Rick Doten
Guest:
John Doyle, Principle Intelligence Enablement Consultant at Mandiant / Google Cloud
Topics:
You have created a new intelligence class focused on building enterprise threat intelligence capability, so what is the profile of an organization and profile for a person that benefits the most from the class?
There are many places to learn threat intel (TI), what is special about your new class?
You talk about country cyber operations in the class, so what is the defender - relevant difference between, say, DPRK and Iran cyber doctrines? More generally, how do defenders benefit from such per country intel?
Can you really predict what the state-affiliated attackers would do to your organization based on the country doctrine?
In many minds, TI is connected to attribution. What is your best advice on attribution to CISOs of well-resourced organizations? What about mainstream organizations?
Overall we see a lot of organizations still failing to operationalize TI, especially strategic TI, how does this help them?
Resources:
The new class “Inside the Mind of APT”
Guest:
Ian Glazer, founder at Weave Identity, ex-Gartner, ex-SVP of Products at Salesforce, co-founder of IDPro
Topics:
OK, tell us why Identity and Access Management (IAM) is exciting (is it exciting?)
Could you also explain why IAM is even more exciting in the cloud?
Are you really “one IAM mistake away from a breach” in the cloud?
What advice would you give to someone new to IAM?
How to not just “learn IAM in the cloud” but to keep learning IAM?
Is what I know about IAM in AWS the same as knowing IAM for GCP? What advice do you have for teams operating in a multi-cloud world?
What are the top cloud IAM mistakes? How to avoid them?
Resources:
EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?
Guests:
Dominik Richter, the founder and head of product at Mondoo
Cooked questions:
What is a policy, is that the same as a control, or is there a difference? And what’s the gap between a policy and a guardrail?
We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud?
Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now?
Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams?
How do organizations grow into safely rolling out new policy as code code?
You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance" and this problem has been unsolved for as long as the cloud existed. Will your toolset change this?
There are other frameworks that exist for security testing like HashiCorp’s sentinel, Open Policy Agent, etc and you are proposing a new one with MQL. Why do we need another security framework?
What are some of the success metrics when adopting Policy as Code?
Resources:
Guest:
David Swift, Security Strategist at Netenrich
Topics:
Which old Security Information and Event Management (SIEM) lessons apply today?
Which old SIEM lessons absolutely do not apply today and will harm you?
What are the benefits and costs of SIEM in 2023?
What are the top cloud security use cases for SIEM in 2023?
What are your favorite challenges with SIEM in 2023 special in the cloud? Are they different from, say, 2013 or perhaps 2003?
Do you think SIEM can ever die?
Resources:
“Debating SIEM in 2023, Part 1” and “Debating SIEM in 2023, Part 2” blogs
“A Process for Continuous Security Improvement Using Log Analysis” (old but good)
“Situational Awareness Is Key to Faster, Better Threat Detection” blog and other SIEM reading
Guest:
Panos Mavrommatis, Senior Engineering Director at Google Cloud
Topics:
Could you give us the 30 second overview of our favorite “billion user security product” - SafeBrowsing - and, since you were there, how did it get started?
SafeBrowsing is a consumer and business product – are you mitigating the same threats and threat models on each side?
Making this work at scale can’t be easy, anytime we’re talking about billion device protection, there are massive scale questions. How did we make it work at such a scale?
Talk to us about the engineering and scaling magic behind the low false positive rate for blocking?
Resources:
Guest:
Jack Naglieri, Founder and CEO at Panther
Topics:
What is good detection, defined at micro-level for a rule or a piece of detection content?
What is good detection, defined at macro-level for a program at a company?
How to reliably produce good detection content at scale?
What is a detection content lifecycle that reliably produces good detections at scale?
What is the purpose of a SIEM today?
Where do you stand on a classic debate on vendor-written vs customer-created detection content?
Resources:
Guest:
Michele Chubirka, Senior Cloud Security Advocate, Google Cloud
Topics:
So, if somebody wakes you up at 3AM (“Anton’s 3AM test”) and asks “Do we need firewalls in the cloud?” what would you say?
Firewalls (=virtual appliances in the cloud or routing cloud traffic through physical firewalls) vs firewalling (=controlling network access) in the cloud, do they match the cloud-native realities?
How do you implement trust boundaries for access control with cloud-native options?
Can you imagine a modern cloud native security architecture that includes a firewall?
Can you imagine a modern cloud native security architecture that excludes any firewalling?
Firewall, NIDS, NIPS, NGFW …. How do these other concepts map to the cloud? How do you build a "traditional-like" network visibility layer in the cloud (and do we need to)?
Resources:
“Security Architect View: Cloud Migration Successes, Failures and Lessons” (ep105)
“Love it or Hate it, Network Security is Coming to the Cloud” with Martin Roesch (ep113)
Gartner Bimodal IT definition
CNCF site security landscape
Guests:
Nelly Porter, Group Product Manager, Google Cloud
Rene Kolga, Senior Product Manager, Google Cloud
Topics:
Could you remind our listeners what confidential computing is?
What threats does this stop? Are these common at our clients?
Are there other use cases for this technology like compliance or sovereignty?
We have a new addition to our Confidential Computing family - Confidential Space. Could you tell us how it came about?
What new use cases does this bring for clients?
Resources:
Guest:
Topics:
You’ve had a long career in software and security, what brought you to Google Cloud Security for this role?
How do you balance the needs of huge global financials that often ask for esoteric controls (say EKM with KAJ) vs the needs of SMBs that want easy yet effective, invisibility security?
We’ve got an interesting split within our security business: some of our focus is on making Google Cloud more secure, while some of our focus is on selling security products. How are you thinking about the strategy and allocation between these functions for business growth?
What aspects of Cloud security have you seen cloud customers struggle with the most?
What’s been the most surprising or unexpected security challenge you’ve seen with our users?
“Google named a Leader in Forrester Wave™ IaaS Platform Native Security” - can you share a little bit about how this came to be and what was involved in this?
Is cloud migration a risk reduction move?
Resources:
Guest:
Connie Fan, Senior Product and Business Strategy Lead, Google Cloud
Topics:
We were at RSA 2023, what did we see that was notable and surprising?
Cloud security showed up with three startups with big booths, and one big player with a small demo station. What have we learned here?
What visitors might have seen at the Google Cloud booth that we're really excited about?
Could you share why we chose these two AI cases - generation of code and summarization of complex content - out of all the possibilities and the sometimes zany things we saw elsewhere on the floor?
Could you share a story or two that highlights how we came to this AI launch and what it looked like under the surface?
Resources:
Guests:
Shanyn Ronis, Head of the Mandiant Communication Center
John Miller, Head of Mandiant Intelligence Analysis
Topics:
It seems like we’re seeing more cyber activity taking place in the context of geopolitical events. A lot of organizations struggle to figure out if/how to respond to these events and any related cyber activity. What advice do you have for these organizations and their leadership?
A lot of threat intel (TI) suffers from “What does this event mean for threats to our organization?” - sort of how to connect CNN to your IDS? What is your best advice on this to a CISO?
TI also suffers from “1. Get TI 2. ??? 3. Profit!” - how does your model help organizations avoid this trap?
Surely there are different levels of granularity here to TI and its relevance. Is what a CISO needs different from what an IR member needs? Do you differentiate your feed along those axes?
What does success look like? How will organizations know when they’re successful? What are good KPIs for these types of threat intelligence? In other words, how would customers know they benefit from it?
Is there anything unique that cloud providers can do in this process?
Resources:
RSA 2023 Session “Intelligently Managing the Geopolitics and Security Interplay” on Wed Apr 26 9:40AM
Guest:
Maxime Lamothe-Brassard, Founder @ LimaCharlie
Topics:
What does an engineering-centric approach to cybersecurity mean?
What to tell people who want to "consume" rather than "engineer" security?
Is “engineering-centric” approach the same as evidence-based or provable?
In practical terms, what does it mean to adopt an "engineering-centric approach" to cybersecurity for an organization?
How will it differ from what we have today? What will it enable?
Can you practice this with a very small team? How about a very small team of “non engineers”?
You seem to say that tomorrow's cybersecurity will look a lot like software engineering. Where do we draw the line between these two?
Resources:
Guest:
Cooked questions:
Resources:
Guest:
Rafal Los, Head of Services Strategy @ Extrahop and Founder of Down the Security Rabbit Hole podcast
Topics:
You had a very fun blog where you reminded the world that many organizations still approach cloud as a rented data center, do you still see it now? Do you think this will persist for 3, 5, 10 years?
Other than microservices, what’re the most important differences between public cloud and a rented data center for a CISO to keep in mind?
Analysts say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this?
Actually, how do you define “use cloud securely”?
Have you met any CISOs who are active cloud fans who prefer cloud for security reasons?
You also work for an NDR vendor, do you think NDR in the cloud has a future?
Resources:
Guest:
Chris John Riley, Senior Security Engineer and a Technical Debt Corrector @ Google
Topics:
We’ve heard of MVP, what is MVSP or Minimal Viable Secure Product?
What problem is MVSP trying to solve for the industry, community, planet, etc?
How does MVSP actually help anybody?
Who is the MVSP checklist for? Leaders or engineers?
How does MVSP differ from compliance standards like ISO 27001, or even SOC 2?
How does Google use MVSP? Has it improved our security in some way?
How to balance the dynamic nature of security with minimal security basics?
The working group has recently completed a control refresh for 2022, what are some highlights?
Resources:
”Strengthen Basic Security Hygiene With a Two-Pronged Security Architecture Approach”
Guest:
Martin Roesch, CEO at Netography, creator of Snort
Topics:
What is the role of network security in the public cloud? Networks used to be the perimeter, now we have an API and identity driven perimeter. Are networks still relevant as a layer of defense?
We often joke that “you don’t need to get your firewalls with you to the cloud”, is this really true? How do you do network access control if not with firewalls?
What about the NIDS? Does NIDS have a place in the cloud?
So we agree that some network security things drop off in the cloud, but are there new network security threats and challenges?
There’s cloud architecture and then there’s multi cloud and hybrid architectures–how does this story change if we open the aperture to network security for multi cloud and hybrid?
Should solutions that provide cloud network security be in the cloud themselves? Is this an obvious question?
Resources:
Guest:
Charles DeBeck, Cyber Threat Intel Expert @ Google Cloud
Topics:
What is unique about Google Cloud approach to threat intelligence? Is it the sensor coverage? Size of the team? Other things?
Why is Threat Horizons report unique among the threat reports released by other organizations?
Based on your research, what are the realistic threats to cloud environments today?
What threats are prevalent and what threats are most damaging?
Where do you see things in 2023? What should companies look for?
What’s one thing that surprised you when preparing the report? What do you think will surprise audiences?
What is the most counter-intuitive hardening and operational advice can we glean from this Threat Horizons report?
What's most important to know when it comes to understanding OT and cloud?
Resources:
Guest:
Brandon Evans, Infosec Consultant and Certified Instructor and Course Author at SANS
Topics:
What got you interested in security and motivated you to make this your area of focus? You came from a developer background, right?
Occasionally, we hear the sentiment that “developers don’t care about security,” how would you counter it (and would you?)?
How do we encourage developers and operations to use the appropriate security controls and settings in the cloud? Is “encourage” the right word?
Can we really do “secure by default” but for developers?
What do you think are the main application security issues that developers need to deal with in the cloud?
You mentioned software supply chain security, do you treat this as a part of application security? How important is this, realistically, for an average organization and its developers?
Going to our favorite subject of threat detection, how do you think we can better encourage developers to supply the logs necessary for our detection and response teams to act upon?
Resources:
“Cloud Security: Making Cloud Environments a Safer Place” ebook by SANS
SANS.org/cloud site
“The Phoenix Project” book by Gene Kim et al
“The Unicorn Project” book by Gene Kim
“Next Special - Log4j Reflections, Software Dependencies and Open Source Security” (EP87)
“2022 Accelerate State of DevOps Report and Software Supply Chain Security” (EP100)
“Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (EP24)
Guest:
David Seidman, Head of Detection and Response @ Robinhood
Toipics:
Tell us about joining Robinhood and prioritizing focus areas for detection in your environment?
Tim and Anton argue a lot about what kind of detection is best - fully bespoke and homemade, or scalable off-the-shelf. First, does our framework here make sense, and second, looking at your suite of detection capabilities, how have you chosen to prioritize detection development and detection triage?
You're operating in AWS: there are a lot of vendors doing detection in AWS, including AWS themselves. How have you thought about choosing your detection approaches and data sources?
Finding people with as much cloud expertise as you can't be easy: how are you structuring your organization to succeed despite cloud detection and response talent being hard to find? What matters more: detection skills or cloud skills?
What has been effective in ramping up your D&R team in the cloud?
What are your favorite data sources for detection in the cloud?
Resources:
Guest:
Ana Oprea, Staff Security Engineer, European Lead of Vulnerability Coordination Center @ Google
Topics:
What is the scope for the vulnerability management program at Google? Does it cover OS, off-the-shelf applications, custom code we wrote … or all of the above?
Our vulnerability prioritization includes a process called “impact assessment.” What does our impact assessment for a vulnerability look like?
How do we prioritize what to remediate? How do we decide on the speed of remediation needed?
How do we know if we’ve done a good job? When we look backwards, what are our critical metrics (SLIs and SLOs) and how high up the security stack is the reporting on our progress?
What of the “Google Approach” should other companies not try to emulate? Surely some things work because of Google being Google, so what are the weird or surprising things that only work for us?
Resources:
SRS Book, Chapter 20: Understanding Roles and Responsibilities and Chapter 21: Building a Culture of Security and Reliability
Why Google Stores Billions of Lines of Code in a Single Repository
SRE book and SRE Workbook
“How Google Secures It's Google Cloud Usage at Massive Scale” (ep107)
“Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance” (ep66)
“How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75)
Guest:
John Stoner, Principal Security Strategist @ Google Cloud
Topics:
Please define threat hunting for us quickly, the term has been corrupted a bit
What are your favorite beginner hunts to jump start the effort at a new team?
How to incorporate hunting lessons in detection?
What are the differences for hunting in the cloud?
Are there specific data sources you prefer to have access to when threat hunting? In the cloud?
Should every organization threat hunt?
What are traits you might look for in a threat hunter?
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guests:
Topics:
Resources:
Guests:
Topics:
Resources:
Guests:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guests:
Topics:
Resources:
Guest:
Questions:
Resources:
Guest:
Topics:
Resources:
Guests:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Recommended reading:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resource:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guests:
Topics:
Resources:
Guest:
Topics:
Resources:
Guests: none
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guests:
Topics:
Resources:
Topics:
Resources:
Guests:
Topics:
Resources:
Guest:
Topics:
Resources:
No guests - just Anton and Tim
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
New Audio Trailer: Cloud Security Podcast by Google
Guests:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guests:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Guest:
Topics
Resources:
Guest:
Topics:
Resources:
Guests:
Topics:
Resources:
Guests:
Topics:
Resources:
Guest:
Topics:
What are your views on modern SIEM? What should it do and what should it be?
Should it even be called SIEM?
Is SaaS/cloud-native SIEM the only way to go?
Can anybody build a SIEM in the cloud by installing the regular SIEM on IaaS?
What are the top challenges for organizations deploying and operationalizing SIEM today?
What are some hidden or commonly forgotten costs for a SIEM deployment?
Is open source the answer to SIEM?
SIEM today should deliver on detection, hunting and investigation use cases, so what does it mean in terms of practical data retention?
Resources:
Guests:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Guests
Topics:
Resources:
Guests
Topics:
Resources:
Guest:
Topics:
Resources:
Guests:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Guest:
Topics:
Resources:
Guest:
Topics:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Guests:
Topics:
Resources:
No guests. We interviewed each other!
Topics:
Resources:
Guests:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest 1:
Topics 1:
Guests 2:
Topics 2:
Guests:
Topics:
Resources:
Guest:
Topics:
Resources:
Guests:
Topics:
Resources:
Guest:
Topics:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Guests:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resources:
Guest:
Topics:
Resource:
Guest:
Topics covered:
Resource:
Guests: no guests, just Tim and Anton
Topics covered:
Resources:
Guests:
Topics covered:
Resources mentioned:
Episode 4 “Gathering Data for Zero Trust” focuses on enabling zero trust access in the real world
Episode 3 “Automate and/or Die?” focuses on automated remediation (or is it response!) in the cloud
Episode 2 “Data Security in the Cloud” focuses on data security in the cloud
Guest: Andrew Lance, Sidechain Topics covered:
Resources: “Designing and deploying a data security strategy with Google Cloud” paper
“Confidentially Speaking” episode focuses on confidential computing
Guest: Nelly Porter, Group Product Manager @ Google. Topics covered:
Resources: Confidential computing at Google Cloud
En liten tjänst av I'm With Friends. Finns även på engelska.