Cloud Security Podcast by Google – Details, episodes & analysis

Guest:

• Royal Hansen, CISO, Alphabet

Topics:

• What were you thinking before you took that “Google CISO” job?

• Google's infrastructure is vast and complex, yet also modern. How does this influence the design and implementation of your security programs compared to other organizations?

• Are there any specific challenges or advantages that arise from operating at such a massive scale?

• What has been most surprising about Google’s internal security culture that you wish you could export to the world at large? 

• What have you learned about scaling teams in the Google context?

• How do you design effective metrics for your teams and programs?

• So, yes, AI. Every organization is trying to weigh the risks and benefits of generative AI–do you have advice for the world at large based on how we’ve done this here?

Resources:

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• CISA Secure by Design

• EP20 Security Operations, Reliability, and Securing Google with Heather Adkins

• EP91 “Hacking Google”, Op Aurora and Insider Threat at Google

• “Delivering Security at Scale: From Artisanal to Industrial”

• SRE book: CHapter 5: Toil Elimination

• SRS book: Security as an Emergent Property

• What are Security Invariants?

• EP185 SAIF-powered Collaboration to Secure AI: CoSAI and Why It Matters to You

• “Against the Gods - Remarkable Story of Risk” book

Guest:

• Dor Fledel, Founder and CEO of Spera Security, now Sr Director of Product Management at Okta

Topics:

• We say “identity is the new perimeter,” but I think there’s a lof of  nuance to it. Why and how does it matter specifically in cloud and SaaS security?

• How do you do IAM right in the cloud?

• Help us with the acronym soup - ITDR, CIEM also ISPM (ITSPM?), why are new products needed?

• What were the most important challenges you found users were struggling with when it comes to identity management? 

• What advice do you have for organizations with considerable identity management debt? How should they start paying that down and get to a better place?  Also: what is “identity management debt”?

• Can you answer this from both a technical and organizational change management perspective? 

• It’s one thing to monitor how User identities, Service accounts and API keys are used, it’s another to monitor how they’re set up. When you were designing your startup, how did you pick which side of that coin to focus on first? 

• What’s your advice for other founders thinking about the journey from zero to 1 and the journey from independent to acquisition? 

Resources:

• EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler

• EP127 Is IAM Really Fun and How to Stay Ahead of the Curve in Cloud IAM?

• EP166 Workload Identity, Zero Trust and SPIFFE (Also Turtles!)

• EP182 ITDR: The Missing Piece in Your Security Puzzle or Yet Another Tool to Buy?

• “Secrets of power negotiating“ book

Guests:

• Robin Shostack, Security Program Manager, Google

• Jibran Ilyas, Managing Director Incident Response, Mandiant, Google Cloud

Topics:

• You talk about “teamwork under adverse conditions” to describe expedition behavior (EB). Could you tell us what it means?

• You have been involved in response to many high profile incidents, one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response?  

• Apart from during incident response which is almost definitionally an adverse condition, how else can security teams apply this knowledge?

• If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It’s probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team?

• How do we create it in an existing team or an under-performing team?

Resources:

• EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

• “Take a few of these: Cybersecurity lessons for 21st century healthcare professionals” blog

• Getting More by Stuart Diamond book

• Who Moved My Cheese by Spencer Johnson  book

Guest:   

• Nelly Kassem, Security and Compliance Specialist @ Google Cloud

Topics:

• Why did ransomware attacks become so popular?
• What type of organizations are targeted by ransomware?  Do these affect mostly the organizations with sub-par security?
• Ransomware has been raging since 2015 and shows few signs of subsiding. Why are these attacks still successful? 
• Do we see ransomware in the cloud? 
• Does migrating to the cloud protect you from ransomware?
• Which of Google Cloud tools are useful to fight ransomware?

Resources:

• Security at Google Cloud Next 2022
• Next Special - Log4j Reflections, Software Dependencies and Open Source Security
• Next Special - Improving Browser Security in the New Era of Work
• “Future of EDR: Is It Reason-able to Suggest XDR?” (ep29)
• “2021: Phishing is Solved?” (ep40)
• Mandiant M-Trends 2022
• Google Cloud Threat Horizons Report #1 #2 #3 #4

Guest:

• Fletcher Oliver, Chrome Browser Customer Engineer, Google

Topics:

• What is browser security? Isn’t it just application security by another name? 
• Why is browser security more important now than ever? 
• Do we have statistical measures or data that tell us if we’re succeeding at browser security? Do we know if we’re doing a good job at making this better? 
• What are the components of modern browser security? 
• How does this work with an enterprise’s existing stack? 
• In fact, how does this work with the rest of Google’s tooling? 

Resources:

• Security at Google Cloud Next 2022
• NEXT Special - Log4j Reflections, Software Dependencies and Open Source Security
• Chrome releases blog
• Chrome Enterprise

Guest:

• Dr Nicky Ringland, Product Manager for Open Source Insights, Google

Topics:

• Let's talk Open Source Software - are all these dependencies dependable?
• Why was log4j such a big thing - at a whole ecosystem level?
• Was it actually a Java / Maven problem? Are other languages “better” or more secure?
• Is another log4j inevitable? What can organizations to minimise their own risks?

 Resources:

• Google Cloud Next 2022
• Open Source Insights at deps.dev
• Blog at blog.deps.dev with posts on Understanding the Impact of Apache Log4j Vulnerability and what happens After the Advisory
• Assured Open Source Software service

Guest:

• Thiébaut Meyer, Director at Office of the CISO, Google Cloud

Topics:

• Virtualization's arrival caused a major IT upheaval 20 years ago. What can we learn from that revolution for our current cloud transformation?
• We talk about our three legged security stool of people/process/technology. How do we balance the technical issues (new technology stack, etc.) with the new processes (agile, etc) and the skills?
• What are the cultural and people transformation differences between the virtualization and cloud revolutions?
• We do recall how PCI DSS was disrupted by virtualization.  So, how does regulation play into this change - back then and now with the cloud?
• How do we change the minds of regulators who still think that cloud is a risk to mitigate, rather than a way to mitigate others risks better?

Resources:

• “8 Megatrends drive cloud adoption—and improve security for all” blog
• “Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity”
• Transform with Google Cloud 
• Google Cybersecurity Action Team

Guest: 

• Steve McGhee, Reliability Advocate, Google Cloud

Topics:

• What can security teams  learn from the Site Reliability Engineering (SRE) art of rapid and safe deployment?
• Is this all about the process or do SREs possess some magical technology to do this?
• What is SRE approach to automation?
• What are the pillars / components of SRE approach to deployment?
• SRE is also about scaling. Some security teams have to manage 1000s of detection rules, how can this be done in a manner that does not conflict or cause other problems?

Resources:

• Google SRE book
• A companion Google SRE workbook
• “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75)
• “Achieving Autonomic Security Operations: Why metrics matter (but not how you think)” blog
• “Achieving Autonomic Security Operations: Reducing toil” blog.

Guest:

• Alex Polyakov, CEO of Adversa.ai

Topics:

• You did research by analyzing 2000 papers on AI attacks released in the previous decade. What are the main insights?
• How do you approach discovering the relevant threat models for various AI systems and scenarios? 
• Which threats are real today vs in a few years?
• What are the common attack vectors? What do you see in the field of supply chain attacks on AI, software supply, data?
• All these reported cyberphysical attacks on computer vision, how real are they, and what are the possible examples of exploitation? Are they a real danger to people?
• What are the main differences between protecting AI vs protecting traditional enterprise applications?
• Who should be responsible for Securing AI? What about for building trustworthy AI?
• Given that the machinery of AI is often opaque, how to go about discovering vulnerabilities? Is there responsible disclosure for AI vulnerabilities, such as in open-source models and in public APIs? 
• What should companies do first, when embarking on an AI security program? Who should have such a program?

Resources:

• “EP52 Securing AI with DeepMind CISO” (ep52)
• “EP68 How We Attack AI? Learn More at Our RSA Panel!” (ep68)
• Adversarial AI attacks work on Humans (!)
• “Maverick* Research: Your Smart Machine Has Been Conned! Now What?” (2015)
• “The Road to Secure and Trusted AI” by Adversa AI
• “Towards Trusted AI Week 37 – What are the security principles of AI and ML?” 
• Adversa AI blog
• AIAAIC Repository
• Machine Learning Security Evasion Competition at MLSec

Guest: 

• Badr Salmi, Product Manager for reCAPTCHA

Topics:

• What is reCAPTCHA? Aren’t you guys the super annoying 'click on the busses' thing?
• What is account defender? Why was this a natural next step for you?
• What are the actual threats that this handles - and handles well? Specific web attacks? Web fraud?
• Let’s talk about account fraud, what do these attacks look like and how do bad guys monetize today?
• What about payment fraud? Could you score a payment session as well as a login session risk, or is that different? 
• How does this work with multi factor authentication?

Recommended reading:

• “Code” book
• Recapcha page
• “Protect your users’ accounts with reCAPTCHA Enterprise’s account defender” blog
• “Double-clicking, but not on fire hydrants, with bot fighters” (ep19)