Explorez tous les épisodes de Cloud Security Podcast by Google
Plongez dans la liste complète des épisodes de Cloud Security Podcast by Google. Chaque épisode est catalogué accompagné de descriptions détaillées, ce qui facilite la recherche et l'exploration de sujets spécifiques. Suivez tous les épisodes de votre podcast préféré et ne manquez aucun contenu pertinent.
Rows per page:
50
1–50 of 215
Date
Titre
Durée
18 Dec 2023
EP153 Kevin Mandia on Cloud Breaches: New Threat Actors, Old Mistakes, and Lessons for All
00:28:41
Guest:
Kevin Mandia, CEO at Mandiant, part of Google Cloud
Topics:
When you look back, what were the most surprising cloud breaches in 2023, and what can we learn from them? How were they different from the “old world” of on-prem breaches?
For a long time it’s felt like incident response has been an on-prem specialization, and that adversaries are primarily focused on compromising on-prem infrastructure. Who are we seeing go after cloud environments? The same threat actors or not?
Could you share a bit about the mistakes and risks that you saw organizations make that made their cloud breaches possible or made them worse? Conversely, what ended up being helpful to organizations in limiting the blast radius or making response easier?
Tim’s mother worked in a network disaster recovery team for a long time–their motto was “preparing for the inevitable.” What advice do you have for helping security teams and IT teams get ready for cloud breaches? Especially for recent cloud entrants?
Anton tells his “2000 IDS story” (need to listen for details!) and asks: what approaches for detecting threats actually detects threats today?
The paper outlines two paths for SOCs: optimization or transformation. Can you elaborate on the key differences between these two approaches and the factors that should influence an organization's decision on which path to pursue?
The paper also mentions that alert overload is still a major challenge for SOCs. What are some of the practices that work in 2024 for reducing alert fatigue and improving the signal-to-noise ratio in security signals?
You also discuss the importance of automation for SOCs. What are some of the key areas where automation can be most beneficial, and what are some of the challenges of implementing automation in SOCs? Automation is often easier said than done…
What specific skills and knowledge will be most important for SOC analysts in the future that people didn’t think of 5-10 years ago?
Looking ahead, what are your predictions for the future of SOCs? What emerging technologies do you see having the biggest impact on how SOCs operate?
EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security
00:26:09
Guest:
Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud
Topics:
Explain the whole cloud security megatrend concept to us?
How can we better explain that “yes, cloud is more secure than most client’s data centers”?
Can you please explain "shared fate" one more time?
Shared fate seems to require shared incentives. Do we see the incentives to invest in security changing within organizations migrating to Cloud?
Cloud as the Digital Immune System sounds really cool, what does it mean for a typical practitioner - security and developers both?
What about the risk aggregation (eggs in one basket) argument against relying on CSP for all security?
Does software sovereignty mean that Cloud providers are always going to be held to common standards and lose out on the opportunity to sell highly differentiated software on top?
Jibran Ilyas, Managing Director Incident Response, Mandiant, Google Cloud
Topics:
You talk about “teamwork under adverse conditions” to describe expedition behavior (EB). Could you tell us what it means?
You have been involved in response to many high profile incidents, one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response?
Apart from during incident response which is almost definitionally an adverse condition, how else can security teams apply this knowledge?
If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It’s probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team?
How do we create it in an existing team or an under-performing team?
NEXT Special - Cloud Security and DEI: Being an Ally!
00:19:01
Guest:
Aditi Joshi, Manager in Cloud Security Team @ Google Cloud
Topics:
What is Allyship? How is it defined? What is its main goal?
Why is allyship important in Cloud Security, specifically? Are there aspects of security that make allyship particularly important?
What specifically has Google Cloud Security deployed and operationalized around Allyship?
How does effective allyship look like? More personally, how can I be a better ally?
How does it fit into Google Cloud Security’s overarching DEI efforts?
06 Dec 2021
EP46 Products and Solutions: Helping Our Customers Precipitate Change
00:22:47
Guests:
Alison Reyes, Director, Security Solutions, Google Cloud
Iman Ghanizada, Solutions Manager for Security Operations & Analytics @ Google Cloud
Topics:
What is our thinking on solutions vs products for security? Sure, “security is a process, not a product,” but where do solutions fit in?
Security as an industry has too many vendors with little understanding of how users secure things, can solutions approach fix that?
Google is sometimes known for writing code and just throwing it out there, do solutions change that dynamic for Google Cloud clients who come to us for security?
Who are the target users for our security solutions? Why did we choose those solutions and not others?
To me, solutions is how our products actually live in the real world. But can we really hope to transform customer operations with solutions?
One of the solutions dear to my heart is Autonomic Security Operations that seeks to “10X the SOC”, how was the experience so far? Is 10X real and what does it mean?
How do we know if we succeeded, what are metrics for solutions?
What is the role of network security in the public cloud? Networks used to be the perimeter, now we have an API and identity driven perimeter. Are networks still relevant as a layer of defense?
We often joke that “you don’t need to get your firewalls with you to the cloud”, is this really true? How do you do network access control if not with firewalls?
What about the NIDS? Does NIDS have a place in the cloud?
So we agree that some network security things drop off in the cloud, but are there new network security threats and challenges?
There’s cloud architecture and then there’s multi cloud and hybrid architectures–how does this story change if we open the aperture to network security for multi cloud and hybrid?
Should solutions that provide cloud network security be in the cloud themselves? Is this an obvious question?
EP109 How Google Does Vulnerability Management: The Not So Secret Secrets!
00:27:37
Guest:
Ana Oprea, Staff Security Engineer, European Lead of Vulnerability Coordination Center @ Google
Topics:
What is the scope for the vulnerability management program at Google? Does it cover OS, off-the-shelf applications, custom code we wrote … or all of the above?
Our vulnerability prioritization includes a process called “impact assessment.” What does our impact assessment for a vulnerability look like?
How do we prioritize what to remediate? How do we decide on the speed of remediation needed?
How do we know if we’ve done a good job? When we look backwards, what are our critical metrics (SLIs and SLOs) and how high up the security stack is the reporting on our progress?
What of the “Google Approach” should other companies not try to emulate? Surely some things work because of Google being Google, so what are the weird or surprising things that only work for us?
Resources:
SRS Book, Chapter 20: Understanding Roles and Responsibilities and Chapter 21: Building a Culture of Security and Reliability
“How Google protects its production services” paper covers how Google's infrastructure balances several crucial aspects, including security, reliability, development speed, and maintainability. How do you prioritize these competing demands in a real-world setting?
What attack vectors do you consider most critical in the production environment, and how has Google’s defenses against these vectors improved over time?
Can you elaborate on the concept of Foundational services and their significance in Google's security posture?
How does your security approach adapt to this vast spectrum of sensitivity and purpose of our servers and services, actually?
How do you implement this principle of zero touch prod for both human and service accounts within our complex infrastructure?
Can you talk us through the broader approach you take through Workload Security Rings and how this helps?
John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud
Topics:
Let’s talk about security incident response in the cloud. Back in 2014 when I [Anton] first touched on this, the #1 challenge was getting the data to investigate as cloud providers had few logs available. What are the top 2022 cloud incident response challenges?
Does cloud change the definition of a security incident? Is“exposed storage bucket” an incident?Is vulnerability an incident in the cloud?
What should I have in my incident response plans for the cloud? Should I have a separate cloud IR plan?
What is our advice on running incident response jointly with a CSP like us?
How would 3rd party firms (like, well, Mandiant) work with a client and a CSP during an investigation?
We all read theThreat Horizons reports, but can you remind us of the common causes for cloud incidents we observed recently? What goals do the attackers typically pursue there?
Attack Surface Management (ASM). Why do we need a new toolset and a new category? Isn’t this just 1980s asset management or CMDB?
How do we find those assets that may have been misplaced by the organizations? How can any technology do this reliably?
ASM seems to often rely on network layer 3 and 4. Can’t bad guys just hit the app endpoints and all your network is irrelevant then?
When you think about the threats organizations face due to unknown assets, is data theft at the top of the stack? What should organizations keep in mind as a priority here?
Who at an organization is best set up to receive, triage, investigate, and respond to the alerts about the attack surface?
Are there proactive steps organizations can take to prevent shadow IT, or are we stuck responding to each new signal? Isn’t preventing new assets the same as preventing business?
EP110 Detection and Response in a High Velocity and High Complexity Environment
00:27:52
Guest:
David Seidman, Head of Detection and Response @ Robinhood
Toipics:
Tell us about joining Robinhood and prioritizing focus areas for detection in your environment?
Tim and Anton argue a lot about what kind of detection is best - fully bespoke and homemade, or scalable off-the-shelf. First, does our framework here make sense, and second, looking at your suite of detection capabilities, how have you chosen to prioritize detection development and detection triage?
You're operating in AWS: there are a lot of vendors doing detection in AWS, including AWS themselves. How have you thought about choosing your detection approaches and data sources?
Finding people with as much cloud expertise as you can't be easy: how are you structuring your organization to succeed despite cloud detection and response talent being hard to find? What matters more: detection skills or cloud skills?
What has been effective in ramping up your D&R team in the cloud?
What are your favorite data sources for detection in the cloud?
Surely the challenge of a transparency report is that there are things we can’t be transparent about, how do we balance this? What are those? Is it a safe question?
What Access Transparency Logs are and if they are connected to the report –other than in Tim's mind and your career?
Beyond building the annual transparency report, you also work on our central risk data platform. Every business has a problem managing risk–what’s special here? Do we have any Google magic here?
Could you tell us about your path in Product Management here? You have been here eight years, and recently became Director. Do you have any advice for the ambitious Google PMs listening to the show?
Upon hearing this, many experts suggest that “burn the environment with fire” or “nuke it from orbit” are the only feasible approaches? What is your take on that suggestion?
On the opposite side, what if business demands you don't touch anything but “make it secure” regardless?
Could you walk us through some of the first critical steps you do after “inheriting a cloud” and why they are prioritized in this way?
Why not just say “add MFA everywhere”? What may or will blow up?
We also say “address overly permissive users and roles” and this sounds valuable, but also tricky. How do we go about it?
What are the chances that the environment is in fact compromised already? When is Compromise Assessment the right call, it does cost money, right?
How do you balance your team’s current priorities when you’ve just adopted an insecure cloud environment. How do you make tradeoffs among your existing stack and this new one?
Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that?
You refer to a federated approach for Detection and Response” (“route the outcomes to the teams that need them or can address them”), but is it workable for any organization?
What about the separation of duty concerns that some raise in response to this? What about the organizations that don’t have any security talent in those teams?
Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it?
The model of “security team as a decision-maker, not an implementer” has a bit of a painful history, as this is what led to “GRC-only teams” who lack any technical knowledge. Why will this approach work this time?
EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons
00:26:43
Guest:
Crystal Lister, Technical Program Manager, Google Cloud Security
Topics:
Your background can be sheepishly called “public sector”, what’s your experience been transitioning from public to private? How did you end up here doing what you are doing?
We imagine you learned a lot from what you just described – how’s that impacted your work at Google?
How have you seen risk management practices and outcomes differ?
Given the prevalence of ransomware attacks, many organizations are focused on external threats. In your experience, does the risk of insider threats still hold significant weight? What type of company needs a dedicated and separate insider threat program?
What in your past led you to these insights? Tell us more about your background and your journey to Google. How did that background contribute to your team?
One term that often comes up on the show and with our customers is 'shifting left.' Could you explain what 'shifting left' means in the context of cloud security? What’s hard about shift left, and where do orgs get stuck too far right?
A lot of “cloud people” talk about IaC and PaC but the terms and the concepts are occasionally confusing to those new to cloud. Can you briefly explain Policy as Code and its security implications? Does PaC help or hurt security?
Google’s use of Google Cloud is a massive cloud environment with wildly diverse use cases. Could you share, for our listeners, a few examples of the different kinds of things we’re running in GCP?
Given that we’re doing these wildly different things in GCP, how do we think about scaling the right security guardrails to the right places in our GCP org?
How do you work with application engineering teams and project owner teams to make sure the right controls are there but not getting in the way of business?
How do we scale this exemption management process? Are there things we do here that don’t make sense at a smaller scale? Are there emergent challenges that only we would face?
How do you correctly federate security responsibilities between the central team defining policy and the constituent user teams actually using the platform?
Burnout is a perennial challenge for security teams–what’re you doing to keep your people happy and engaged?
Can you briefly walk us through your CISO career path?
What are some of the key (cloud or otherwise) trends that CISOs should be keeping an eye on? What is the time frame for them?
What are the biggest cloud security challenges CISOs are facing today, and how are those evolving?
Given the rapid change of pace in emerging tech, such as what we’ve seen in the last year or so with gen AI, how do you balance the need to address short-term or imminent issues vs those that are long-term or emergent risks?
What advice do you have for how CISOs can communicate the importance of anticipating threats to their boards and executives?
So, how to be a forward looking and strategic yet not veer into dreaming, paranoia and imaginary risks? How to be futuristic yet realistic?
The CISO role as an official title is a relatively new one, what steps have you taken to build credibility and position yourself for having a seat at the table?
There are many places to learn threat intel (TI), what is special about your new class?
You talk about country cyber operations in the class, so what is the defender - relevant difference between, say, DPRK and Iran cyber doctrines? More generally, how do defenders benefit from such per country intel?
Can you really predict what the state-affiliated attackers would do to your organization based on the country doctrine?
In many minds, TI is connected to attribution. What is your best advice on attribution to CISOs of well-resourced organizations? What about mainstream organizations?
Overall we see a lot of organizations still failing to operationalize TI, especially strategic TI, how does this help them?
Why is there so much attention lately on SaaS security? Doesn’t this area date back to2015 or so?
What do you see as the primary challenges in securing SaaS?
What does a SaaS threat model look like? What are the top threats you see?
CASB has been the fastest growing security market and it has grown into a broad platform and many assume that “securing SaaS = using CASB”, what are they missing?
Where would another technology to secure SaaS fit architecturally, inline with CASB or as another API-based system?
Securing IaaS spanned a robust ecosystem of vendors (CWPP, CSPM, now CNAPP) and many of these have ambitions for securing SaaS, thus clashing with CASB. Where do you fit in this battle?
For a while, you were talking more about CDR - what is it and do we really need a separate CDR technology?
EP154 Mike Schiffman: from Blueboxing to LLMs via Network Security at Google
00:35:41
Guest:
Mike Schiffman, Network Security “UTL”
Topics:
Given your impressive and interesting history, tell us a few things about yourself?
What are the biggest challenges facing network security today based on your experience?
You came to Google to work on Network Security challenges. What are some of the surprising ones you’ve uncovered here?
What lessons from Google's approach to network security absolutely don’t apply to others? Which ones perhaps do?
If you have to explain the difference between network security in the cloud and on-premise, what comes to mind first?
How do we balance better encryption with better network security monitoring and detection?
Speaking of challenges in cryptography, we’re all getting fired up about post-quantum and network security. Could you give us the maybe 5 minute teaser version of this because we have an upcoming episode dedicated to this?
I hear you have some interesting insight on LLMs, something to do with blueboxing or something. What is that about?
EP119 RSA 2023 - What We Saw, What We Learned, and What We're Excited About
00:24:59
Guest:
Connie Fan, Senior Product and Business Strategy Lead, Google Cloud
Topics:
We were at RSA 2023, what did we see that was notable and surprising?
Cloud security showed up with three startups with big booths, and one big player with a small demo station. What have we learned here?
What visitors might have seen at the Google Cloud booth that we're really excited about?
Could you share why we chose these two AI cases - generation of code and summarization of complex content - out of all the possibilities and the sometimes zany things we saw elsewhere on the floor?
Could you share a story or two that highlights how we came to this AI launch and what it looked like under the surface?
EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective
00:29:34
Guest:
Travis Lanham, Uber Tech Lead (UTL) for Security Operations Engineering, Google Cloud
Topics:
There’s been a ton of discussion in the wake of the three SIEM week about the future of SIEM-like products. We saw a lot of takes on how this augurs the future of disassembled or decoupled SIEMs. Can you explain what these disassembled SIEMs are all about?
What are the expected upsides of detaching your SIEM interface and security capabilities from your data backend?
Tell us about the early days of SecOps (nee Chronicle) and why we didn’t go with this approach?
What are the upsides of a tightly coupled datastore + security experience for a SIEM?
Are there more risks or negatives of the decoupled/decentralized approach? Complexity and the need to assemble “at home” are on the list, right?
One of the 50 things Google knew to be true back in the day was that product innovation comes from technical innovation, what’s the technical innovation driving decoupled SIEMs?
So what about those security data lakes? Any insights?
One of the biggest shifts we’ve noticed is the shift from building security because we think security is good, to building security as a business. How did you make that cultural shift happen in our organization?
With organizations migrating to cloud we have a set of tradeoffs between meeting security teams where they are with on-prem expectations of security vs cloud-native approaches. How do you think about investing in next generation products vs holding the hands of CISOs just stepping into the cloud?
What matters more to you as a leader, secure cloud (GCP, Workspace) or security products (Chronicle SecOps, BCE, SCC, etc)?
Is invisible security the same as “building security in”? Aren’t there security controls where the value is derived from them being visible to users?
Mandiantbrings services expertise to Google Cloud, typically not our strong area and not our DNA, how do we plan to make the most of Mandiant within Google’s culture?
Linking Up The Pieces: Software Supply Chain Security at Google and Beyond
00:23:03
Guests:
Eric Brewer, VP of Infrastructure, and Google Fellow @ Google
Aparna Sinha, Director of Product Management @ Google Cloud
Topics:
What issoftwaresupply chain security and how is it different from other kinds of supply chain security?
What types of organizations need to care about it? Is supply chain security a concern for large, elite enterprises only?
What’s the relationship between what we’re doing here, and what SBOM is?
Can you talk us through a quick threat assessment of a supply chain security issue? What are the realistic threats here and who are the threat actors involved?
How does Google try to solve these problems internally? Have we succeeded?
How does this translate into our products? By the way, what’sSLSA?
Since one of us (!) doesn't have a PhD in quantum mechanics, could you explain what a quantum computer is and how do we know they are on a credible path towards being real threats to cryptography? How soon do we need to worry about this one?
We’ve heard that quantum computers are more of a threat to asymmetric/public key crypto than symmetric crypto. First off, why? And second, what does this difference mean for defenders?
Why (how) are we sure this is coming? Are we mitigating a threat that is perennially 10 years ahead and then vanishes due to some other broad technology change?
What is a post-quantum algorithm anyway? If we’re baking new key exchange crypto into our systems, how confident are we that we are going to be resistant to both quantum and traditional cryptanalysis?
Why does NIST think it's time to be doing the PQC thing now? Where is the rest of the industry on this evolution?
How can a person tell the difference here between reality and snakeoil? I think Anton and I both responded to your initial email with a heavy dose of skepticism, and probably more skepticism than it deserved, so you get the rare on-air apology from both of us!
Episode 4 “Gathering Data for Zero Trust” focuses on enabling zero trust access in the real world
Guest: Max Saltonstall (@maxsaltonstall), Developer Advocate @ Google Cloud
Topics covered:
What should be trusted for a zero trust system to work?
What is the first thing you need to do to have a zero trust access project succeed?
What data needs to be collected for zero trust system operation?
28 Mar 2022
EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond
00:28:04
Guests:
Alexi Wiemer, Senior Manager at Deloitte Cyber Detection and Response Practice
Dan Lauritzen, Senior Manager at Deloitte Cloud Security Practice.
Topics:
What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in?
What is your best advice to SOCs that are permanently and woefully understaffed?
Many SOC analysts are drowning in manual work, and it is easy to give advice that “they need to automate.” What does this actually entail, in real life?
What is, in your view, the most critical technology for a modern SOC? Is it SIEM? Is it SOAR? Is it EDR?
What is the best advice for a SOC that was handed cloud on a platter and was told to monitor it for threats?
Occasionally, we hear that “SOC is dead.” What is your response to such dire SOCless predictions?
Workspace makes the claim that unlike other productivity suites available today, it’s architectured for the modern threat landscape. That’s a big claim! What gives Google the ability to make this claim?
Workspace environments would have many different types of data, some very sensitive. What are some of the common challenges with controlling access to data and protecting data in hybrid work?
What are some of the common mistakes you see customers making with Workspace security?
What are some of the ways context aware access and DLP (now SDP) help with this?
Part of hardening has to be following up with developers after they have un-hardened things – how do we operationalize that at scale without getting too much in the way of productivity?
A part of hardening has got to be responding to new regulation and compliance regimes, how do you incorporate new controls and stay responsive to the changing world around us?
Are there cases where we have taken lessons from hardening at scale and converted those into product improvements?
What metrics do you track to keep your teams moving, and what metrics do your leads look at to understand how you’re doing? [Spoiler: the answer here is VERY fun!]
EP0 New Audio Trailer: Cloud Security Podcast by Google
00:01:15
New Audio Trailer: Cloud Security Podcast by Google
09 Jan 2023
EP103 Security Incident Response and Public Cloud - Exploring with Mandiant
00:24:14
Guest:
Nader Zaveri, Senior Manager of IR and Remediation at Mandiant, now part of Google Cloud
Topics:
Could we start with a story of a cloud incident response (IR) failure and where things went wrong?
What should that team have done to get it right?
Are there skills that matter more in cloud incidents than they do for on-prem incidents? Are there on-prem instincts that will lead incident responders astray in cloud?
What 3 things an IR team leader needs to do to prepare his team for IR in the cloud?
Are there on-premise tools that can stay on prem and not join us in the cloud?
What processes should we leave behind? Keep with us?
What logs and context should we prepare for cloud IR? What access should we have behind “break glass”?
While doing IR, what things should we look at in the cloud logs (which logs, also?) to expedite the investigation?
Could you give us the 30 second overview of our favorite “billion user security product” - SafeBrowsing - and, since you were there, how did it get started?
SafeBrowsing is a consumer and business product – are you mitigating the same threats and threat models on each side?
Making this work at scale can’t be easy, anytime we’re talking about billion device protection, there are massive scale questions. How did we make it work at such a scale?
Talk to us about the engineering and scaling magic behind the low false positive rate for blocking?
The importance of User Experience (UX) in security is so obvious – though it isn’t to a lot of people! Could we talk about the importance of UX in security?
UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this?
How do you think about prioritizing your team’s time between day zero vs day n experiences for users of security tools?
Some say that cloud security should be invisible, but does this mean no UX at all? What are the intersections between UX for security and invisible security?
Can you think of what single UX change in Cloud Security’s portfolio made the biggest impact to actual security outcomes?
We have this new tool/approach for planning called Jobs To Be Done (JTBD) - give us the value, and the history? In the world of JTBD planning, what gets better?
Nelly Porter, Director of PM, Cloud Security at Google Cloud
Topics:
Share your story and how you ended here doing confidential AI at Google?
What problem does confidential compute + AI solve and for what clients?
What are some specific real-world applications or use cases where you see the combination of AI and confidential computing making the most significant impact?
What about AI in confidential vs AI on prem? Should those people just do on-prem AI instead?
Which parts of the AI lifecycle need to be run in Confidential AI: Training? Data curation? Operational workloads?
What are the performance (and thus cost) implications of running AI workloads in a confidential computing environment?
Are there new risks that arise out of confidential AI?
What is a policy, is that the same as a control, or is there a difference? And what’s the gap between a policy and a guardrail?
We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud?
Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now?
Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams?
How do organizations grow into safely rolling out new policy as code code?
You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance" and this problem has been unsolved for as long as the cloud existed. Will your toolset change this?
There are other frameworks that exist for security testing like HashiCorp’s sentinel, Open Policy Agent, etc and you are proposing a new one with MQL. Why do we need another security framework?
What are some of the success metrics when adopting Policy as Code?
Anna Belak, Director of Thought Leadership @ Sysdig
Topics:
One model for container security is “Infrastructure security | build security | runtime security” - which is most important to get right? Which is hardest to get right?
How are you helping users get their infrastructure security right, and what do they get wrong most often here?
Your report states that “3⁄4 of running containers have at least one "high" or "critical" vulnerability“ and it sounds like pre-cloud IT, but this is about containers? This was very true before cloud, why is this still true in cloud native? Aren’t containers easy to “patch” and redeploy?
You say “Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production.“ but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don’t fix things?
“52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline.“ - isn’t pipeline and repo scanning easier and cheaper? Why isn’t this 90/10 but 40/50?
“62% detect shells in containers” sounds (to Anton) that “62% zoos have a dragon in them” i.e. kinda surreal. What’s the real story?
Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers?
EP188 Beyond the Buzzwords: Identity's True Role in Cloud and SaaS Security
00:29:28
Guest:
Dor Fledel, Founder and CEO of Spera Security, now Sr Director of Product Management at Okta
Topics:
We say “identity is the new perimeter,” but I think there’s a lof of nuance to it. Why and how does it matter specifically in cloud and SaaS security?
How do you do IAM right in the cloud?
Help us with the acronym soup - ITDR, CIEM also ISPM (ITSPM?), why are new products needed?
What were the most important challenges you found users were struggling with when it comes to identity management?
What advice do you have for organizations with considerable identity management debt? How should they start paying that down and get to a better place? Also: what is “identity management debt”?
Can you answer this from both a technical and organizational change management perspective?
It’s one thing to monitor how User identities, Service accounts and API keys are used, it’s another to monitor how they’re set up. When you were designing your startup, how did you pick which side of that coin to focus on first?
What’s your advice for other founders thinking about the journey from zero to 1 and the journey from independent to acquisition?
What were you thinking before you took that “Google CISO” job?
Google's infrastructure is vast and complex, yet also modern. How does this influence the design and implementation of your security programs compared to other organizations?
Are there any specific challenges or advantages that arise from operating at such a massive scale?
What has been most surprising about Google’s internal security culture that you wish you could export to the world at large?
What have you learned about scaling teams in the Google context?
How do you design effective metrics for your teams and programs?
So, yes, AI. Every organization is trying to weigh the risks and benefits of generative AI–do you have advice for the world at large based on how we’ve done this here?
Could you explain briefly why identity is so important in the cloud?
A skeptic on cloud security once told us that “in the cloud, we are one identity mistake from a breach.” Is this true?
For listeners who aren’t familiar with GCP, could you give us the 30 second story on “what is a service account.” How is it different from a regular IAM account?
What are service account impersonations?
How can I see if my service accounts can be impersonated? How do I detect it?
How can I better secure my organization from impersonation attacks?
EP206 Paying the Price: Ransomware's Rising Stakes in the Cloud
00:33:01
Guest:
Allan Liska, CSIRT at Recorded Future, now part of Mastercard
Topics:
Ransomware has become a pervasive threat. Could you provide us with a brief overview of the current ransomware landscape?
It's often said that ransomware is driven by pure profit. Can you remind us of the business model of ransomware gangs, including how they operate, their organizational structures, and their financial motivations?
Ransomware gangs are becoming increasingly aggressive in their extortion tactics. Can you shed some light on these new tactics, such as data leaks, DDoS attacks, and threats to contact victims' customers or partners?
What specific challenges and considerations arise when dealing with ransomware in cloud environments, and how can organizations adapt their security strategies to mitigate these risks?
What are the key factors to consider when deciding whether or not to pay the ransom?
What is the single most important piece of advice you would give to organizations looking to bolster their defenses against ransomware?
EP116 SBOMs: A Step Towards a More Secure Software Supply Chain
00:29:50
Guest:
Isaac Hepworth, PM focused on Software Supply Chain Security @ Google
Cooked questions:
Why is everyone talking about SBOMs all of a sudden? Why does this matter to a typical security leader?
Some software vendors don’t want SBOM, and this reminds us of the food safety rules debates in the past, how does this analogy work here?
One interesting challenge in the world of SBOMs and unintended consequences is that large well resourced organizations may be better equipped to produce SBOMs than small independent and open source projects. Is that a risk?
Is the SBOM requirement setting the government up to be overly reliant on megacorps and are we going to unintentionally ban open source from the government?
What is the relationship between SBOM and software liability? Is SBOM a step to this? Won’t software liability kill open source?
How does Google prepare for EO internally; how do we use SBOM and other related tools?
To come back to the food analogy, SBOMs are all well and good, but the goal is not that consumers know they’re eating lead, but rather that our food becomes healthier. Where are we heading in the next five years to improve software supply chain "health and safety"?
EP91 “Hacking Google”, Op Aurora and Insider Threat at Google
00:26:07
Guest:
Mike Sinno, Security Engineering Director, Detection and Response @ Google
Topics:
You recently were featured in “Hacking Google” videos, can you share a bit about this effort and what role you played?
How long have you been at Google? What were you doing before, if you can remember after all your time here? What brought you to Google?
We hear you now focus on insider threats. Insider threat is back in the news, do you find this surprising?
A classic insider question is about “malicious vs well-meaning insiders" and which type is a bigger risk. What is your take here?
Trust is the most important thing when people think about Google, we protect their correspondence, their photos, their private thoughts they search for. What role does detection and response play in protecting user trust?
One fun thing about working at Google is our tech stack. Your team uses one of our favorite tools in the D&R org! Can you tell us about BrainAuth and how it finds useful things?
We talked about Google D&R (ep 17andep 75) and the role of automation came up many times. And automation is a key topic for a lot of our cloud customers. What do you automate in your domain of D&R?
EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same?
00:25:28
Guest:
Jeremiah Kung, Global Head of Information Security, AppLovin
Topics:
Before we dive into all of the awesome cloud migrations you’ve experienced and your learnings there, could we start with a topic of East vs West CISO mentality?
We are talking to more and more CISOs who see the cloud as a net win for security. What’s your take on whether the cloud improves security?
We talked about doing some “big” cloud migrations, could you talk about what you learned back in 2015 about the “right” way to do a cloud migration and how you’ve applied those lessons since?
How are you approaching securing clouds differently in 2023 (vs the dark past of 2015)?
What advice would you give your peers to get out of the “saying no” mentality and into a better collaborative mode?
On the topic of giving advice to people who haven’t asked for it, what advice would you give to teams who are stuck in 1990s thinking when it comes to lift and shifting their security technology stack to cloud?
EP196 AI+TI: What Happens When Two Intelligences Meet?
00:28:08
Guest:
Vijay Ganti, Director of Product Management, Google Cloud Security
Topics:
What have been the biggest pain points for organizations trying to use threat intelligence (TI)?
Why has it been so difficult to convert threat knowledge into effective security measures in the past?
In the realm of AI, there's often hype (and people who assume “it’s all hype”). What's genuinely different about AI now, particularly in the context of threat intelligence?
Can you explain the concept of "AI-driven operationalization" in Google TI? How does it work in practice?
What's the balance between human expertise and AI in the TI process? Are there specific areas where you see the balance between human and AI involvement shifting in a few years?
Google Threat Intelligence aims to be different. Why are we better from client PoV?
Where do you see a gap between the “promise” of LLMs for security and how they are actually used in the field to solve customer pains?
I know you use LLMs for anomaly detection. Explain how that “trick” works? What is it good for? How effective do you think it will be?
Can you compare this to other anomaly detection methods? Also, won’t this be costly - how do you manage to keep inference costs under control at scale?
SOC teams often grapple with the tradeoff between “seeing everything” so that they never miss any attack, and handling too much noise. What are you seeing emerge in cloud D&R to address this challenge?
We hear from folks who developed an automated approach to handle a reviews queue previously handled by people. Inevitably even if precision and recall can be shown to be superior, executive or customer backlash comes hard with a false negative (or a flood of false positives). Have you seen this phenomenon, and if so, what have you learned about handling it?
What are other barriers that need to be overcome so that LLMs can push the envelope further for improving security?
So from your perspective, LLMs are going to tip the scale in whose favor - cybercriminals or defenders?
EP96 Cloud Security Observability for Detection and Response
00:32:32
Guest:
Jeff Bollinger, Director of Incident Response and Detection Engineering @ Linkedin
Topics:
Observability sounds cool (please define it for us BTW), but relating it to security has been “hand-wavy” at best. What is your opinion on the relevance of observability data for security use cases? What use cases are those, apart from saving the data for IR just in case?
How can we best approach observability in the cloud, particularly around network communications, so that we improve security as a result?
Are there other areas of cloud where observability might be more relevant? Does the massive shift to TLS 1.3 impact this?
If the Internet is shifting towards an end-user/device centric model with everything as a service (SaaS), how does security monitoring even work anymore?
Does it mean the end of both endpoint and network eras and the arrival of the application security monitoring era?
Can we do deep monitoring of complex applications and app clusters for abuse or should we just focus on identity and profiling?
You've looked at hundreds of security startups at the growth stage - what is getting funded? What is not getting funded? What is the difference?
What's your view on the current market environment for security companies? Is security "recession-proof", whatever that means?
How do you think about what problems are worth solving with a new venture vs existing vendors (and/or CSPs) expanding to cover the new area?
Why do many cloud security vendors get funded and get high valuations while there is a wide perception that CSP (like us at Google) are doing security really well?
How do we solve the challenge that many organizations are barely moving off “antivirus and firewalls” security of the 1990s?
What is your best advice to cloud security startups trying to get wider adoption?
EP170 Redefining Security Operations: Practical Applications of GenAI in the SOC
00:27:48
Guest:
Payal Chakravarty, Director of Product Management, Google SecOps, Google Cloud
Topics:
What are the different use cases for GenAI in security operations and how can organizations prioritize them for maximum impact to their organization?
We’ve heard a lot of worries from people that GenAI will replace junior team members–how do you see GenAI enabling more people to be part of the security mission?
What are the challenges and risks associated with using GenAI in security operations?
We’ve been down the road of automation for SOCs before–UEBA and SOAR both claimed it–and AI looks a lot like those but with way more matrix math-what are we going to get right this time that we didn’t quite live up to last time(s) around?
Imagine a SOC or a D&R team of 2029. What AI-based magic is routine at this time? What new things are done by AI? What do humans do?
Resources:
Live video (LinkedIn, YouTube) [live audio is not great in these]
Discussion of the interesting presentations from Cloud Security Talks Q1 2021 focused on trusted cloud, container security, cyber insurance, Chronicle, ML for network security, etc
We have a view at Google that AI for security and security for AI are largely separable disciplines. Do you feel the same way? Is this distinction a useful one for you?
What are some of the security problems you're hearing from AI companies that are worth solving?
AI is obviously hot, and as always security is chasing the hotness. Where are we seeing the focus of market attention for AI security?
Does this feel like an area that's going to have real full products or just a series of features developed by early stage companies that get acquired and rolled up into other orgs?
What lessons can we draw on from previous platform shifts, e.g. cloud security, to inform how this market will evolve?
You work with technical folks at the intersection of compliance, security, and cloud. So what do you do, and where do you find the biggest challenges in communicating across those boundaries?
How does cloud make compliance easier? Does it ever make compliance harder?
What is your best advice to organizations that approach cloud compliance as they did for the 1990s data centers and classic IT?
What has been the most surprising compliance challenge you’ve helped teams debug in your time here?
You also work on standards development –can you tell us about how you got into that and what’s been surprising in that for you?
We often say on this show that an organization’s ability to threat model is only as good as their team’s perspectives are diverse: how has your background shaped your work here?
What is browser security? Isn’t it just application security by another name?
Why is browser security more important now than ever?
Do we have statistical measures or data that tell us if we’re succeeding at browser security? Do we know if we’re doing a good job at making this better?
What are the components of modern browser security?
How does this work with an enterprise’s existing stack?
In fact, how does this work with the rest of Google’s tooling?
EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework
00:21:33
Guest:
Angelika Rohrer, Sr. Technical Program Manager , Cyber Security Response at Alphabet
Topics:
Incident response (IR) is by definition “reactive”, but ultimately incident prep determines your IR success. What are the broad areas where one needs to prepare?
You have created a new framework for measuring how ready you are for an incident, what is the approach you took to create it?
Can you elaborate on the core principles behind the Continuous Improvement (CI) Framework for incident response?
Why is continuous improvement crucial for effective incident response, especially in cloud environments? Can’t you just make a playbook and use it?
How to overcome the desire to focus on the easy metrics and go to more valuable ones?
What do you think Google does best in this area?
Can you share examples of how the CI Framework could have helped prevent or mitigate a real-world cloud security incident?
How can other organizations practically implement the CI Framework to enhance their incident response capabilities after they read the paper?
EP209 vCISO in the Cloud: Navigating the New Security Landscape (and Don’t Forget Resilience!)
00:29:06
Guests:
Beth Cartier, former CISO, vCISO, founder of Initiative Security
Guest host of the CISO mini-series:
Marina Kaganovich, Executive Trust Lead, Office of the CISO @ Google Cloud
Topics:
How is that vCISO’ing going? What is special about vCISO and cloud? Is it easier or harder?
AI, cyber, resilience - all are hot topics these days. In the context of cloud security, how are you seeing organizations realistically address these trends? Are they being managed effectively (finally?) or is security always playing catch up?
Recent events reminded us that cybersecurity may sometimes interfere with resilience. How have you looked to build resilience into your security program?
The topic is perhaps 30+ years old, but security needs to have a seat at the table, and often still doesn’t - why do you think this is the case?
What approaches or tips have you found to work well in elevating security within organizations?
Any tips for how cyber professionals can stay up to date to keep up with the current threat landscape vs the threats that are around the corner?
Iman Ghanizada, Global Head of Autonomic Security Operations at Google Cloud.
Topics:
It’s been a few months since we launched Autonomic Security Operations (ASO) and it seems like the whitepaper has been going viral in the industry. Tell us what ASO is about?
How was the ASO story received by your customers? Any particular reactions?
Will the ASO narrative inspire the next generation of practitioners? Where do you envision the market headed?
ASO is about transforming the SOC, and that often involves culture change. How do you change the culture and deeper approaches common in security operations?
What else can we do to evolve SOC faster than the threats and assets grow?
EP155 Cyber, Geopolitics, AI, Cloud - All in One Book?
00:38:36
Guests:
Derek Reveron, Professor and Chair of National Security at the US Naval War College
John Savage, An Wang Professor Emeritus of Computer Science of Brown University
Topics:
You wrote a book on cyber and war, how did this come about and what did you most enjoy learning from the other during the writing process?
Is generative AI going to be a game changer in international relations and war, or is it just another tool?
You also touch briefly on lethal autonomous weapons systems and ethics–that feels like the genie is right in the very neck of the bottle right now, is it too late?
Aside from this book, and the awesome course you offered at Brown that sparked Tim’s interest in this field, how can we democratize this space better?
How does the emergence and shift to Cloud impact security in the cyber age?
What are your thoughts on the intersection of Cloud as a set of technologies and operating model and state security (like sovereignty)? Does Cloud make espionage harder or easier?
We are so excited to have you on the show today talking about your awesome effort, Share The Mic in Cyber. I love that we are Sharing our Mic with you today. Could you please introduce yourself to our listeners?
Let's talk about representation and what that means, and why it's especially relevant in cyber security?
Psychological safety is super important for so many reasons, including in cyber. Could you share a definition of what it is, and why it is important?
Can we talk about how psychological safety and representation intersect?
Let’s bring things back to talk about the#ShareTheMicInCyber/ #STMIC project. Could you tell us about one of your favorite things that's come from the project? Any surprises? Lessons? Plans? Futures?
Améliorez votre compréhension de Cloud Security Podcast by Google avec My Podcast Data
Chez My Podcast Data, nous nous efforçons de fournir des analyses approfondies et basées sur des données tangibles. Que vous soyez auditeur passionné, créateur de podcast ou un annonceur, les statistiques et analyses détaillées que nous proposons peuvent vous aider à mieux comprendre les performances et les tendances de Cloud Security Podcast by Google. De la fréquence des épisodes aux liens partagés en passant par la santé des flux RSS, notre objectif est de vous fournir les connaissances dont vous avez besoin pour vous tenir à jour. Explorez plus d'émissions et découvrez les données qui font avancer l'industrie du podcast.
