Explore all episodes of the Cloud Security Podcast by Google
Browse the complete list of Cloud Security Podcast by Google episodes. Each episode is catalogued with a detailed description, which makes it easier to search for and explore specific topics. Follow every episode of your favorite podcast and never miss relevant content.
Title
Date
Duration
EP262 Freedom, Responsibility, and the Federated Guardrails: A New Model for Modern Security
You mentioned that centralized security can't work anymore. Can you elaborate on the key changes—driven by cloud, SaaS, and AI—that have made this traditional model unsustainable for a modern organization?
Why do some persist at centralized, top down approach to security, despite that?
What do you mean by "Freedom, Responsibility and distributed security"?
Can you explain the difference between "centralized security" and what you define as "security with distributed ownership"? Is this the same as "federated"?
In our conversation you mentioned "cloud and AI-native", what do you mean by this (especially "AI-native") and how is this changing your approach to security?
You introduce the concept of "Security as quality" suggesting that a security-unaware developer is essentially a bad software developer. How do you shift the culture and internal metrics to make security an inherent quality standard, rather than a separate, compliance-driven checklist?
You likened the central security team's new role to a "911 emergency service." Beyond incident response, what stays central no matter what, and how does the central team successfully influence the security posture of the entire organization without being directly responsible for the day-to-day work.
Do you think AI-powered attacks are really here, and if so, what is your plan to respond? Is it faster patching? Better D&R? Something else altogether?
Your team has a hybrid agent workflow: could you tell us what that means? Also, define "AI agent" please.
What are your production use cases for AI and AI agents in your SOC?
What are your overall SOC metrics and how does the agentic AI part play into that?
It's one thing to ask a team "hey what did y'all do last week" and get a good report - how are you measuring the agentic parts of your SOC?
How are you thinking about what comes next once AI is automatically writing good (!) rules for your team out of research blog posts and TI papers?
Moving from traditional SIEM to an agentic SOC model, especially in a heavily regulated insurer, is a massive undertaking. What did the collaboration model with your vendor look like?
Agentic AI introduces a new layer of risk - that of unconstrained or unintended autonomous action. In the context of Allianz, how did you establish the governance framework for the SOC alert triage agents?
Where did you draw the line between fully automated action and the mandatory "human-in-the-loop" for investigation or response?
Agentic triage is only as good as the data it analyzes. From your perspective, what were the biggest challenges - and wins - in ensuring the data fidelity, freshness, and completeness in your SIEM to fuel reliable agent decisions?
We've been talking about SOC automation for years, but this agentic wave feels different. As a deputy CISO, what was your primary, non-negotiable goal for the agent? Was it purely Mean Time to Respond (MTTR) reduction, or was the bigger strategic prize to fundamentally re-skill and uplevel your Tier 2/3 analysts by removing the low-value alert noise?
As you built this out, were there any surprises along the way that left you shaking your head or laughing at the unexpected AI behaviors?
We felt a major lack of proof - Anton kept asking for pudding - that any of the agentic SOC vendors we saw at RSA had actually achieved anything beyond hype! When it comes to your org, how are you measuring agent success? What are the key metrics you are using right now?
What is your reaction to "in the cloud you are one IAM mistake away from a breach"? Do you like it or do you hate it?
A lot of people say "in the cloud, you must do IAM 'right'". What do you think that means? What is the first or the main idea that comes to your mind when you hear it?
How have you seen the CSPs take different approaches to IAM? What does it mean for the cloud users?
Why do people still screw up IAM in the cloud so badly after years of trying?
Deeper, why do people still screw up resource hierarchy and resource management?
Are the identity sins of cloud IAM users truly the sins of the creators? How did the "big 3" get it wrong and how does that continue to manifest today?
Your best cloud IAM advice is "assign roles at the lowest resource-level possible", please explain this one? Where is the magic?
You work with technical folks at the intersection of compliance, security, and cloud. So what do you do, and where do you find the biggest challenges in communicating across those boundaries?
How does cloud make compliance easier? Does it ever make compliance harder?
What is your best advice to organizations that approach cloud compliance as they did for the 1990s data centers and classic IT?
What has been the most surprising compliance challenge you've helped teams debug in your time here?
You also work on standards development – can you tell us about how you got into that and what's been surprising in that for you?
We often say on this show that an organization's ability to threat model is only as good as their team's perspectives are diverse: how has your background shaped your work here?
Workspace makes the claim that unlike other productivity suites available today, it's architectured for the modern threat landscape. That's a big claim! What gives Google the ability to make this claim?
Workspace environments would have many different types of data, some very sensitive. What are some of the common challenges with controlling access to data and protecting data in hybrid work?
What are some of the common mistakes you see customers making with Workspace security?
What are some of the ways context aware access and DLP (now SDP) help with this?
How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response?
What are the key challenges of cloud detection and response?
Often we lift and shift our teams to Cloud, and not always for bad reasons, so what's your advice on how to teach the old dogs new tricks: "on-premise-trained" D&R teams and cloud D&R?
What is this new CIRA thing that Gartner just cooked up? Should CIRA exist as a separate market or technology or is this just a slice of CDR or even SIEM perhaps?
What do you tell people who say that "SIEM is their CDR"?
What are the key roles and responsibilities of the CDR team? How is the cloud D&R process related to DevOps and cloud-style IT processes?
This incident involved both Living Off the Land and attacks on operational technology (OT). Could you explain to our audience what these mean and what the attacker did here?
We also saw a wiper used to hide forensics, is that common these days?
Did the attacker risk tipping their hand about upcoming physical attacks? If we'd seen this intrusion earlier, might we have understood the attacker's next moves?
How did your team establish robust attribution in this case, and how do they do it in general? How sure are we, really?
Could you share how this came about and maybe some of the highlights in our relationship helping defend that country?
EP155 Cyber, Geopolitics, AI, Cloud - All in One Book?
15 Jan 2024
00:38:36
Guests:
Derek Reveron, Professor and Chair of National Security at the US Naval War College
John Savage, An Wang Professor Emeritus of Computer Science of Brown University
Topics:
You wrote a book on cyber and war, how did this come about and what did you most enjoy learning from the other during the writing process?
Is generative AI going to be a game changer in international relations and war, or is it just another tool?
You also touch briefly on lethal autonomous weapons systems and ethics–that feels like the genie is right in the very neck of the bottle right now, is it too late?
Aside from this book, and the awesome course you offered at Brown that sparked Tim's interest in this field, how can we democratize this space better?
How does the emergence and shift to Cloud impact security in the cyber age?
What are your thoughts on the intersection of Cloud as a set of technologies and operating model and state security (like sovereignty)? Does Cloud make espionage harder or easier?
EP154 Mike Schiffman: from Blueboxing to LLMs via Network Security at Google
08 Jan 2024
00:35:41
Guest:
Mike Schiffman, Network Security "UTL"
Topics:
Given your impressive and interesting history, tell us a few things about yourself?
What are the biggest challenges facing network security today based on your experience?
You came to Google to work on Network Security challenges. What are some of the surprising ones you've uncovered here?
What lessons from Google's approach to network security absolutely don't apply to others? Which ones perhaps do?
If you have to explain the difference between network security in the cloud and on-premise, what comes to mind first?
How do we balance better encryption with better network security monitoring and detection?
Speaking of challenges in cryptography, we're all getting fired up about post-quantum and network security. Could you give us the maybe 5 minute teaser version of this because we have an upcoming episode dedicated to this?
I hear you have some interesting insight on LLMs, something to do with blueboxing or something. What is that about?
EP153 Kevin Mandia on Cloud Breaches: New Threat Actors, Old Mistakes, and Lessons for All
18 Dec 2023
00:28:41
Guest:
Kevin Mandia, CEO at Mandiant, part of Google Cloud
Topics:
When you look back, what were the most surprising cloud breaches in 2023, and what can we learn from them? How were they different from the "old world" of on-prem breaches?
For a long time it's felt like incident response has been an on-prem specialization, and that adversaries are primarily focused on compromising on-prem infrastructure. Who are we seeing go after cloud environments? The same threat actors or not?
Could you share a bit about the mistakes and risks that you saw organizations make that made their cloud breaches possible or made them worse? Conversely, what ended up being helpful to organizations in limiting the blast radius or making response easier?
Tim's mother worked in a network disaster recovery team for a long time–their motto was "preparing for the inevitable." What advice do you have for helping security teams and IT teams get ready for cloud breaches? Especially for recent cloud entrants?
Anton tells his "2000 IDS story" (need to listen for details!) and asks: what approaches for detecting threats actually detects threats today?
The market already has Breach and Attack Simulation (BAS), for testing known TTPs. You're calling this 'AI-powered' red teaming. Is this just a fancy LLM stringing together known attacks, or is there a genuine agent here that can discover a truly novel attack path that a human hasn't scripted for it?
Let's talk about the 'so what?' problem. Pentest reports are famous for becoming shelf-ware. How do you turn a complex AI finding into an actionable ticket for a developer, and more importantly, how do you help a CISO decide which of the thousand 'criticals' to actually fix first?
You're asking customers to unleash a 'hacker AI' in their production environment. That's terrifying. What are the 'do no harm' guardrails? How do you guarantee your AI won't accidentally rm -rf a critical server or cause a denial of service while it's 'exploring'?
You mentioned the AI is particularly good at finding authentication bugs. Why that specific category? What's the secret sauce there, and what's the reaction from customers when you show them those types of flaws?
Is this AI meant to replace a human red teamer, or make them better? Does it automate the boring stuff so experts can focus on creative business logic attacks, or is the ultimate goal to automate the entire red team function away?
So, is this just about finding holes, or are you closing the loop for the blue team? Can the attack paths your AI finds be automatically translated into high-fidelity detection rules? Is the end goal a continuous purple team engine that's constantly training our defenses?
Also, what about fixing? What makes your findings more fixable?
What will happen to red team testing in 2-3 years if this technology gets better?
Surely the challenge of a transparency report is that there are things we can't be transparent about, how do we balance this? What are those? Is it a safe question?
What are Access Transparency Logs, and are they connected to the report – other than in Tim's mind and your career?
Beyond building the annual transparency report, you also work on our central risk data platform. Every business has a problem managing risk–what's special here? Do we have any Google magic here?
Could you tell us about your path in Product Management here? You have been here eight years, and recently became Director. Do you have any advice for the ambitious Google PMs listening to the show?
EP151 Cyber Insurance in the Cloud Era: Balancing Protection, Data and Risks
04 Dec 2023
00:26:06
Guest:
Monica Shokrai, Head Of Business Risk and Insurance For Google Cloud
Topics:
Could you give us the 30 second run down of what cyber insurance is and isn't?
Can you tie that to clouds? How does the cloud change it? Is it the case that now I don't need insurance for some of the "old school" cyber risks?
What challenges are insurers facing with assessing cloud risks? On this show I struggle to find CISOs who "get" cloud, are there insurers and underwriters who get it?
We recently heard about an insurer reducing coverage for incidents caused by old CVEs! What's your take on this? Effective incentive structure to push orgs towards patching operational excellence or someone finding yet another way not to pay out? Is insurance the magic tool for improving security?
Doesn't cyber insurance have a difficult reputation with clients? "Will they even pay?" "Will it be enough?" "Is this a cyberwar exception?" type stuff?
How do we balance our motives between selling more cloud and providing effective risk underwriting data to insurers?
How soon do you think we will have actuarial data from many clients re: real risks in the cloud? What about the fact that risks change all the time unlike say many "non cyber" risks?
EP147 Special: 2024 Google Cloud Security Forecast Report
08 Nov 2023
00:22:51
Guest:
Kelli Vanderlee, Senior Manager, Threat Analysis, Mandiant at Google Cloud
Topics:
Can you really forecast threats? Won't the threat actors ultimately do whatever they want?
How can clients use the forecast? Or as Tim would say it, what gets better once you read it?
What is the threat forecast for cloud environments? It says "Cyber attacks targeting hybrid and multi-cloud environments will mature and become more impactful" - what does it mean?
Of course AI makes an appearance as well: "LLMs and other gen AI tools will likely be developed and offered as a service to assist attackers with target compromises." Do we really expect attacker-run LLM SaaS? What models will they use? Will it be good?
There are a number of significant elections scheduled for 2024, are there implications for cloud security?
Based on the threat information, tell me about something that is going well, what will get better in 2024?
We have a view at Google that AI for security and security for AI are largely separable disciplines. Do you feel the same way? Is this distinction a useful one for you?
What are some of the security problems you're hearing from AI companies that are worth solving?
AI is obviously hot, and as always security is chasing the hotness. Where are we seeing the focus of market attention for AI security?
Does this feel like an area that's going to have real full products or just a series of features developed by early stage companies that get acquired and rolled up into other orgs?
What lessons can we draw on from previous platform shifts, e.g. cloud security, to inform how this market will evolve?
EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models
23 Oct 2023
00:29:04
Guest:
Kathryn Shih, Group Product Manager, LLM Lead in Google Cloud Security
Topics:
Could you give our audience the quick version of what is an LLM and what things can they do vs not do? Is this "baby AGI" or is this a glorified "autocomplete"?
Let's talk about the different ways to tune the models, and when we think about tuning what are the ways that attackers might influence or steal our data?
Can you help our security listener leaders have the right vocabulary and concepts to reason about the risk of their information a) going into an LLM and b) getting regurgitated by one?
How do I keep the output of a model safe, and what questions do I need to ask a vendor to understand if they're a) talking nonsense or b) actually keeping their output safe?
Are hallucinations inherent to LLMs and can they ever be fixed?
So there are risks to data and new opportunities for attacks and hallucinations. How do we know good opportunities in the area given the risks?
It seems that in many cases the challenge with cloud configuration weaknesses is not their detection, but remediation, is that true?
As far as remediation scope, do we need to cover traditional vulnerabilities (in stock and custom code), configuration weaknesses and other issues too?
One of us used to cover vulnerability management at Gartner, and in many cases the remediation failures [on premise] were due to process, not technology, breakdowns. Is this the same in the cloud? If still true, how can any vendor technology help resolve it?
Why is cloud security remediation such a headache for so many organizations?
Is the friction real between security and engineering teams? Do they have any hope of ever becoming BFFs?
Doesn't every CSPM (and now ASPM too?) vendor say they do automated remediation today? How should security pros evaluate solutions for prioritizing, triaging, and fixing issues?
EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same?
02 Oct 2023
00:25:28
Guest:
Jeremiah Kung, Global Head of Information Security, AppLovin
Topics:
Before we dive into all of the awesome cloud migrations you've experienced and your learnings there, could we start with a topic of East vs West CISO mentality?
We are talking to more and more CISOs who see the cloud as a net win for security. What's your take on whether the cloud improves security?
We talked about doing some "big" cloud migrations, could you talk about what you learned back in 2015 about the "right" way to do a cloud migration and how you've applied those lessons since?
How are you approaching securing clouds differently in 2023 (vs the dark past of 2015)?
What advice would you give your peers to get out of the "saying no" mentality and into a better collaborative mode?
On the topic of giving advice to people who haven't asked for it, what advice would you give to teams who are stuck in 1990s thinking when it comes to lift and shifting their security technology stack to cloud?
Part of hardening has to be following up with developers after they have un-hardened things – how do we operationalize that at scale without getting too much in the way of productivity?
A part of hardening has got to be responding to new regulation and compliance regimes, how do you incorporate new controls and stay responsive to the changing world around us?
Are there cases where we have taken lessons from hardening at scale and converted those into product improvements?
What metrics do you track to keep your teams moving, and what metrics do your leads look at to understand how you're doing? [Spoiler: the answer here is VERY fun!]
EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations
18 Sep 2023
00:24:15
Guest:
Chris Corde, Sr Director of Product Management - Security Operations, Google Cloud
Topics:
You cover many products, but let's focus on Chronicle today. An easy question: Chronicle isn't an XDR, so what is it?
Since you've joined the team, what're you most proud of shipping to clients?
Could you share more about the Mandiant acquisition, what's been a happy surprise and what are you looking forward to making available to customers?
Some believe that good security operations success is mostly about process, yet we are also building these amazing products. What is your view of how much security ops success hinges on products vs practices?
When it comes to building out Chronicle's position in the market, how are we leveraging the depth of expertise that people have with other SIEM tools compared to ours?
What advice do you have for security professionals who want to transition into product management?
Could you give us a 2 minute picture on what Terraform is, what stages of the cloud lifecycle it is relevant for, and how it intersects with security teams?
How can Terraform be used for security automation? How should security teams work with DevOps teams to use it?
What are some of the obvious and not so obvious security challenges of using Terraform?
How can security best practices be applied to infrastructure instantiated via Terraform?
What is the relationship between Terraform and policy as code (PaC)?
How do you get started with all this?
What do you tell the security teams who want to do cloud security the "old way" and not the cloud-native way?
We care both about securing AI and using AI for security. How do you organize your thinking about it?
Executive surveys imply that trusting an AI (for business) is still an issue. How can we trust AI for security? What does it mean to "trust AI" in this context?
How should defenders think about threat modeling AI systems?
Back to using AI for security, what are the absolute worst security use cases for GenAI? Think "generate code and run it on prod" or something like that?
What does it mean to "teach AI security" like we did with Sec-PALM2? What is actually involved in this?
What were some surprising challenges we ran into here?
Why is AI a game-changer for security? Can we even have game-changers in cyber security?
Is it more detection or is it more reducing toil and making humans more productive? What are your favorite AI for security use cases?
What "AI + security" issue makes you - a classic CISO question here - lose sleep at night?
Does AI help defenders or attackers more? Won't attackers adopt faster because they don't have as many rules (but yes, they have bosses and budgets too)?
Aren't there cases where defenders benefit a lot more and gain a superpower with AI while attackers are faced with defeat?
Is securing AI more similar or more different from securing other enterprise systems?
The importance of User Experience (UX) in security is so obvious – though it isn't to a lot of people! Could we talk about the importance of UX in security?
UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this?
How do you think about prioritizing your team's time between day zero vs day n experiences for users of security tools?
Some say that cloud security should be invisible, but does this mean no UX at all? What are the intersections between UX for security and invisible security?
Can you think of what single UX change in Cloud Security's portfolio made the biggest impact to actual security outcomes?
We have this new tool/approach for planning called Jobs To Be Done (JTBD) - give us the value, and the history? In the world of JTBD planning, what gets better?
We often hear about the aspirational idea of an "IronMan suit" for the SOC—a system that empowers analysts to be faster and more effective. What does this ideal future of security operations look like from your perspective, and what are the primary obstacles preventing SOCs from achieving it today?
You've also raised a metaphor of AI in the SOC as a "Dr. Jekyll and Mr. Hyde" situation. Could you walk us through what you see as the "Jekyll"—the noble, beneficial promise of AI—and what are the factors that can turn it into the dangerous "Mr. Hyde"?
Let's drill down into the heart of the "Mr. Hyde" problem: the data. Many believe that AI can fix a team's messy data, but you've noted that "it's all about the data, duh." What's the story?
"AI ready SOC" - What is the foundational work a SOC needs to do to ensure their data is AI-ready, and what happens when they skip this step?
And is there anything we can do to use AI to help with this foundational problem?
How do we measure progress towards AI SOC? What gets better at what time? How would we know?
What SOC metrics will show improvement? Will anything get worse?
EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge
31 Jul 2023
00:36:27
Guest:
Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly
Topics:
So what is Security Chaos Engineering?
"Chapter 5. Operating and Observing" is Anton's favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection?
How does chaos engineering (or is it really about software resilience?) intersect with Cloud security - is this peanut butter and chocolate or more like peanut butter and pickles?
How can organizations get started with chaos engineering for software resilience and security?
What is your favorite chaos engineering experiment that you have ever done?
We often talk about using the SRE lessons for security, and yet many organizations do security the 1990s way. Are there ways to use chaos engineering as a forcing function to break people out of their 1990s thinking and time warp them to 2023?
Analysts (well, like Steve and Anton in the past?) say that "cloud is secure, but clients just aren't using it securely", what is your reaction to this today?
When clients hear "use cloud securely", what do you think comes to their minds?
How would you approach planning for secure use of the cloud or using cloud securely?
What is your view of cloud defense in depth (DiD) or layered defenses? How do you suggest clients think about it? What about DiD for SaaS?
What are your thoughts on the evolution of zero trust? How has it changed since its introduction back in 2010?
Awareness of and interest in SSE and SASE is growing. But at the same time, plenty of folks seem deeply perplexed by these. How would you explain them to someone not deeply immersed in the details?
There are many places to learn threat intel (TI), what is special about your new class?
You talk about country cyber operations in the class, so what is the defender - relevant difference between, say, DPRK and Iran cyber doctrines? More generally, how do defenders benefit from such per country intel?
Can you really predict what the state-affiliated attackers would do to your organization based on the country doctrine?
In many minds, TI is connected to attribution. What is your best advice on attribution to CISOs of well-resourced organizations? What about mainstream organizations?
Overall we see a lot of organizations still failing to operationalize TI, especially strategic TI, how does this help them?
What is a policy, is that the same as a control, or is there a difference? And what's the gap between a policy and a guardrail?
We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud?
Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now?
Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams?
How do organizations grow into safely rolling out new policy as code code?
You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance" and this problem has been unsolved for as long as the cloud existed. Will your toolset change this?
There are other frameworks that exist for security testing like HashiCorp's sentinel, Open Policy Agent, etc and you are proposing a new one with MQL. Why do we need another security framework?
What are some of the success metrics when adopting Policy as Code?
Could you give us the 30 second overview of our favorite "billion user security product" - SafeBrowsing - and, since you were there, how did it get started?
SafeBrowsing is a consumer and business product – are you mitigating the same threats and threat models on each side?
Making this work at scale can't be easy, anytime we're talking about billion device protection, there are massive scale questions. How did we make it work at such a scale?
Talk to us about the engineering and scaling magic behind the low false positive rate for blocking?
So, if somebody wakes you up at 3AM ("Anton's 3AM test") and asks "Do we need firewalls in the cloud?" what would you say?
Firewalls (=virtual appliances in the cloud or routing cloud traffic through physical firewalls) vs firewalling (=controlling network access) in the cloud, do they match the cloud-native realities?
How do you implement trust boundaries for access control with cloud-native options?
Can you imagine a modern cloud native security architecture that includes a firewall?
Can you imagine a modern cloud native security architecture that excludes any firewalling?
Firewall, NIDS, NIPS, NGFW …. How do these other concepts map to the cloud? How do you build a "traditional-like" network visibility layer in the cloud (and do we need to)?
We've got an interesting split within our security business: some of our focus is on making Google Cloud more secure, while some of our focus is on selling security products. How are you thinking about the strategy and allocation between these functions for business growth?
What aspects of Cloud security have you seen cloud customers struggle with the most?
What's been the most surprising or unexpected security challenge you've seen with our users?