Cloud Security Podcast by Google – Détails, épisodes et analyse

Guest:

• Alex Shulman-Peleg, Global CISO at Kraken

 Topics:

• You mentioned that centralized security can't work anymore. Can you elaborate on the key changes—driven by cloud, SaaS, and AI—that have made this traditional model unsustainable for a modern organization?
• Why do some persist at centralized, top down approach to security, despite that?
• What do you mean by "Freedom, Responsibility and distributed security"? 
• Can you explain the difference between "centralized security" and what you define as "security with distributed ownership"?  Is this the same "federated"?
• In our conversation you mentioned "cloud and AI- native", what do you mean by this (especially "AI-native") and how is this changing your approach to security? 
• You introduce the concept of "Security as quality" suggesting that a security-unaware developer is essentially a bad software developer. How do you shift the culture and internal metrics to make security an inherent quality standard, rather than a separate, compliance-driven checklist?
• You likened the central security team's new role to a "911 emergency service." Beyond incident response, what stays central no matter what, and how does the central team successfully influence the security posture of the entire organization without being directly responsible for the day-to-day work.

Resources:

• Video version
• EP129 How CISO Cloud Dreams and Realities Collide
• EP258 Why Your Security Strategy Needs an Immune System, Not a Fortress with Royal Hansen
• EP212 Securing the Cloud at Scale: Modern Bank CISO on Metrics, Challenges, and SecOps

Guest:

• Dennis Chow, Director of Detection Engineering at UKG

 Topics:

• We ended our season talking about the AI apocalypse. In your opinion, are we living in the world that the guests describe in their apocalypse paper? 
• Do you think AI-powered attacks are really here, and if so, what is your plan to respond? Is it faster patching? Better D&R? Something else altogether? 
• Your team has a hybrid agent workflow: could you tell us what that means?  Also, define "AI agent" please.
• What are your production use cases for AI and AI agents in your SOC?
• What are your overall SOC metrics and how does the agentic AI part play into that?
• It's one thing to ask a team "hey what did y'all do last week" and get a good report - how are you measuring the agentic parts of your SOC?
• How are you thinking about what comes next once AI is automatically writing good (!) rules for your team out of research blog posts and TI papers? 

Resources:

• Video version
• Agentic AI in the SOC: Build vs Buy Lessons
• EP255 Separating Hype from Hazard: The Truth About Autonomous AI Hacking
• EP256 Rewiring Democracy & Hacking Trust: Bruce Schneier on the AI Offense-Defense Balance
• EP252 The Agentic SOC Reality: Governing AI Agents, Data Fidelity, and Measuring Success
• EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI
• EP242 The AI SOC: Is This The Automation We've Been Waiting For?
• Google Cloud Skill Boost

Guests:

• Alexander Pabst, Deputy Group CISO, Allianz
• Lars Koenig,  Global Head of D&R, Allianz

 Topics: 

• Moving from traditional SIEM to an agentic SOC model, especially in a heavily regulated insurer, is a massive undertaking. What did the collaboration model with your vendor look like? 
• Agentic AI introduces a new layer of risk - that of unconstrained or unintended autonomous action. In the context of Allianz, how did you establish the governance framework for the SOC alert triage agents?
• Where did you draw the line between fully automated action and the mandatory "human-in-the-loop" for investigation or response?
• Agentic triage is only as good as the data it analyzes. From your perspective, what were the biggest challenges - and wins - in ensuring the data fidelity, freshness, and completeness in your SIEM to fuel reliable agent decisions?
• We've been talking about SOC automation for years, but this agentic wave feels different. As a deputy CISO, what was your primary, non-negotiable goal for the agent? Was it purely Mean Time to Respond (MTTR) reduction, or was the bigger strategic prize to fundamentally re-skill and uplevel your Tier 2/3 analysts by removing the low-value alert noise?
• As you built this out, were there any surprises along the way that left you shaking your head or laughing at the unexpected AI behaviors?
• We felt a major lack of proof - Anton kept asking for pudding - that any of the agentic SOC vendors we saw at RSA had actually achieved anything beyond hype! When it comes to your org, how are you measuring agent success?  What are the key metrics you are using right now?

Resources:

• EP238 Google Lessons for Using AI Agents for Securing Our Enterprise
• EP242 The AI SOC: Is This The Automation We've Been Waiting For?
• EP249 Data First: What Really Makes Your SOC 'AI Ready'?
• EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI
• "Simple to Ask: Is Your SOC AI Ready? Not Simple to Answer!" blog
• "How Google Does It: Building AI agents for cybersecurity and defense" blog
• Company annual report to look for risk
• "How to Win Friends and Influence People" by Dale Carnegie
• "Will It Make the Boat Go Faster?" book

Guest:

• Kat Traxler, Security Researcher, TrustOnCloud

Topics:

• What is your reaction to "in the cloud you are one IAM mistake away from a breach"? Do you like it or do you hate it?

• A lot of people say "in the cloud, you must do IAM 'right'". What do you think that means? What is the first or the main idea that comes to your mind when you hear it?

• How have you seen the CSPs take different approaches to IAM? What does it mean for the cloud users?

• Why do people still screw up IAM in the cloud so badly after years of trying?

• Deeper, why do people still screw up resource hierarchy and resource management? 

• Are the identity sins of cloud IAM users truly the sins of the creators? How did the "big 3" get it wrong and how does that continue to manifest today?

• Your best cloud IAM advice is "assign roles at the lowest resource-level possible", please explain this one? Where is the magic?

Resources:

• Video (Linkedin, YouTube)

• Kat blog

• "Diving Deeply into IAM Policy Evaluation" blog

• "Complexity: a Guided Tour" book

• EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same?

• EP129 How CISO Cloud Dreams and Realities Collide

Guest:

• Victoria Geronimo, Cloud Security Architect, Google Cloud

Topics:

• You work with technical folks at the intersection of compliance, security, and cloud. So  what do you do, and where do you find the biggest challenges in communicating across those boundaries?

• How does cloud make compliance easier? Does it ever make compliance harder? 

• What is your best advice to organizations that approach cloud compliance as they did for the 1990s data centers and classic IT?

• What has been the most surprising compliance challenge you've helped teams debug in your time here? 

• You also work on standards development –can you tell us about how you got into that and what's been surprising in that for you? 

• We often say on this show that an organization's ability to threat model is only as good as their team's perspectives are diverse: how has your background shaped your work here? 

 Resources:

• Video (YouTube)

• EP14 Making Compliance Cloud-native

• EP25 Beyond Compliance: Cloud Security in Europe 

• Fordham University Law and Technology site

• IAPP  site

Guest:

• Merritt Baer, Field CTO,  Lacework, ex-AWS, ex-USG

Topics:

• How can organizations ensure that their security posture is maintained or improved during a cloud migration? Is cloud migration a risk reduction move?

• What are some of the common security challenges that organizations face during a cloud migration?

• Are there different gotchas between the three public clouds?

• What advice would you give to those security leaders who insist on lift/shift or on lift/shift first?

• How should security and compliance teams approach their engineering and DevOps colleagues to make sure things are starting on the right foot?

• In your view, what is the essence of a cloud-native approach to security?

• How can organizations ensure that their security posture scales as their cloud usage grows?

Resources:

• Video (LinkedIn, YouTube)

• EP69 Cloud Threats and How to Observe Them

• EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud

• EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?

• 9 Megatrends drive cloud adoption—and improve security for all

• Darknet Diaries podcast

Guests:

• Emre Kanlikilicer, Senior Engineering Manager @ Google

• Sophia Gu, Engineering Manager at Google

 Topics

• Workspace makes the claim that unlike other productivity suites available today, it's architectured for the modern threat landscape. That's a big claim! What gives Google the ability to make this claim?

• Workspace environments would have many different types of data, some very sensitive. What are some of the common challenges with controlling access to data and protecting data in hybrid work? 

• What are some of the common mistakes you see customers making with Workspace security?

• What are some of the ways context aware access and DLP (now SDP) help with this?

• What are the cool future plans for DLP and CAA?

Resources:

• Google Workspace blog & Workspace Update blog

• EP99 Google Workspace Security: from Threats to Zero Trust

• CISA Zero Trust Maturity Model 2.0

Guest:

• Jason Solomon, Security Engineer, Google

Topics:

• Could you share a bit about when you get pulled into incidents and what are your goals when you are?

• How does that change in the cloud? How do you establish a chain of custody and prove it for law enforcement, if needed?

• What tooling do you rely on for cloud forensics and is that tooling available to "normal people"? 

• How do we at Google know when it's time to call for help, and how should our customers know that it's time? 

• Can I quote Ray Parker Jr and ask, who you gonna call?

• What's your advice to a security leader on how to "prepare for the inevitable" in this context? 

• Cloud forensics - is it easier or harder than the 1990s classic forensics?

 Resource:

• EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• Google SRE Workbook (Ch 9)

• GRR

• Cloud Logging

• LibCloudForensics, Turbinia, Timesketch tools

Guest:

• Arie Zilberstein, CEO and Co-Founder at Gem Security

Topics: 

• How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response?

• What are the key challenges of cloud detection and response?

• Often we lift and shift our teams to Cloud, and not always for bad reasons, so  what's your advice on how to teach the old dogs new tricks: "on-premise-trained" D&R teams and cloud D&R?

• What is this new CIRA thing that Gartner just cooked up?  Should CIRA exist as a separate market or technology or is this just a slice of CDR or even SIEM perhaps?

• What do you tell people who say that "SIEM is their CDR"?

• What are the key roles and responsibilities of the CDR team? How is the cloud D&R process related to DevOps and cloud-style IT processes?

 Resources:

• Video version of this episode

• Cloud breaches databases

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?

• 9 Megatrends drive cloud adoption—and improve security for all

• "Emerging Tech: Security — Cloud Investigation and Response Automation (CIRA) Offers Transformation Opportunities" (Gartner access required)

• "Does the World Need Cloud Detection and Response (CDR)?" blog

Guest:

• Sandra Joyce, VP at Mandiant Intelligence

Topics:

• Could you give us a brief overview of what this power disruption incident was about?

• This incident involved both Living Off the Land and attacks on operational technology (OT). Could you explain to our audience what these mean and what the attacker did here?

• We also saw a wiper used to hide forensics, is that common these days?

• Did the attacker risk tipping their hand about upcoming physical attacks? If we'd seen this intrusion earlier, might we have understood the attacker's next moves?

• How did your team establish robust attribution in this case, and how they do it in general? How sure are we, really? 

• Could you share how this came about and maybe some of the highlights in our relationship helping defend that country?

Resources:

• Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology | Mandiant

• Andy Greenberg's book Sandworm 

• EP155 Cyber, Geopolitics, AI, Cloud - All in One Book?