Guest:

• Royal Hansen, CISO, Alphabet

Topics:

• What were you thinking before you took that “Google CISO” job?

• Google's infrastructure is vast and complex, yet also modern. How does this influence the design and implementation of your security programs compared to other organizations?

• Are there any specific challenges or advantages that arise from operating at such a massive scale?

• What has been most surprising about Google’s internal security culture that you wish you could export to the world at large? 

• What have you learned about scaling teams in the Google context?

• How do you design effective metrics for your teams and programs?

• So, yes, AI. Every organization is trying to weigh the risks and benefits of generative AI–do you have advice for the world at large based on how we’ve done this here?

Resources:

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• CISA Secure by Design

• EP20 Security Operations, Reliability, and Securing Google with Heather Adkins

• EP91 “Hacking Google”, Op Aurora and Insider Threat at Google

• “Delivering Security at Scale: From Artisanal to Industrial”

• SRE book: CHapter 5: Toil Elimination

• SRS book: Security as an Emergent Property

• What are Security Invariants?

• EP185 SAIF-powered Collaboration to Secure AI: CoSAI and Why It Matters to You

• “Against the Gods - Remarkable Story of Risk” book

Guest:

• Dor Fledel, Founder and CEO of Spera Security, now Sr Director of Product Management at Okta

Topics:

• We say “identity is the new perimeter,” but I think there’s a lof of  nuance to it. Why and how does it matter specifically in cloud and SaaS security?

• How do you do IAM right in the cloud?

• Help us with the acronym soup - ITDR, CIEM also ISPM (ITSPM?), why are new products needed?

• What were the most important challenges you found users were struggling with when it comes to identity management? 

• What advice do you have for organizations with considerable identity management debt? How should they start paying that down and get to a better place?  Also: what is “identity management debt”?

• Can you answer this from both a technical and organizational change management perspective? 

• It’s one thing to monitor how User identities, Service accounts and API keys are used, it’s another to monitor how they’re set up. When you were designing your startup, how did you pick which side of that coin to focus on first? 

• What’s your advice for other founders thinking about the journey from zero to 1 and the journey from independent to acquisition? 

Resources:

• EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler

• EP127 Is IAM Really Fun and How to Stay Ahead of the Curve in Cloud IAM?

• EP166 Workload Identity, Zero Trust and SPIFFE (Also Turtles!)

• EP182 ITDR: The Missing Piece in Your Security Puzzle or Yet Another Tool to Buy?

• “Secrets of power negotiating“ book

Guests:

• Robin Shostack, Security Program Manager, Google

• Jibran Ilyas, Managing Director Incident Response, Mandiant, Google Cloud

Topics:

• You talk about “teamwork under adverse conditions” to describe expedition behavior (EB). Could you tell us what it means?

• You have been involved in response to many high profile incidents, one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response?  

• Apart from during incident response which is almost definitionally an adverse condition, how else can security teams apply this knowledge?

• If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It’s probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team?

• How do we create it in an existing team or an under-performing team?

Resources:

• EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

• “Take a few of these: Cybersecurity lessons for 21st century healthcare professionals” blog

• Getting More by Stuart Diamond book

• Who Moved My Cheese by Spencer Johnson  book

Guest:   

• Nelly Kassem, Security and Compliance Specialist @ Google Cloud

Topics:

• Why did ransomware attacks become so popular?
• What type of organizations are targeted by ransomware?  Do these affect mostly the organizations with sub-par security?
• Ransomware has been raging since 2015 and shows few signs of subsiding. Why are these attacks still successful? 
• Do we see ransomware in the cloud? 
• Does migrating to the cloud protect you from ransomware?
• Which of Google Cloud tools are useful to fight ransomware?

Resources:

• Security at Google Cloud Next 2022
• Next Special - Log4j Reflections, Software Dependencies and Open Source Security
• Next Special - Improving Browser Security in the New Era of Work
• “Future of EDR: Is It Reason-able to Suggest XDR?” (ep29)
• “2021: Phishing is Solved?” (ep40)
• Mandiant M-Trends 2022
• Google Cloud Threat Horizons Report #1 #2 #3 #4

Guest:

• Fletcher Oliver, Chrome Browser Customer Engineer, Google

Topics:

• What is browser security? Isn’t it just application security by another name? 
• Why is browser security more important now than ever? 
• Do we have statistical measures or data that tell us if we’re succeeding at browser security? Do we know if we’re doing a good job at making this better? 
• What are the components of modern browser security? 
• How does this work with an enterprise’s existing stack? 
• In fact, how does this work with the rest of Google’s tooling? 

Resources:

• Security at Google Cloud Next 2022
• NEXT Special - Log4j Reflections, Software Dependencies and Open Source Security
• Chrome releases blog
• Chrome Enterprise

Guest:

• Dr Nicky Ringland, Product Manager for Open Source Insights, Google

Topics:

• Let's talk Open Source Software - are all these dependencies dependable?
• Why was log4j such a big thing - at a whole ecosystem level?
• Was it actually a Java / Maven problem? Are other languages “better” or more secure?
• Is another log4j inevitable? What can organizations to minimise their own risks?

 Resources:

• Google Cloud Next 2022
• Open Source Insights at deps.dev
• Blog at blog.deps.dev with posts on Understanding the Impact of Apache Log4j Vulnerability and what happens After the Advisory
• Assured Open Source Software service

Guest:

• Thiébaut Meyer, Director at Office of the CISO, Google Cloud

Topics:

• Virtualization's arrival caused a major IT upheaval 20 years ago. What can we learn from that revolution for our current cloud transformation?
• We talk about our three legged security stool of people/process/technology. How do we balance the technical issues (new technology stack, etc.) with the new processes (agile, etc) and the skills?
• What are the cultural and people transformation differences between the virtualization and cloud revolutions?
• We do recall how PCI DSS was disrupted by virtualization.  So, how does regulation play into this change - back then and now with the cloud?
• How do we change the minds of regulators who still think that cloud is a risk to mitigate, rather than a way to mitigate others risks better?

Resources:

• “8 Megatrends drive cloud adoption—and improve security for all” blog
• “Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity”
• Transform with Google Cloud 
• Google Cybersecurity Action Team

Guest: 

• Steve McGhee, Reliability Advocate, Google Cloud

Topics:

• What can security teams  learn from the Site Reliability Engineering (SRE) art of rapid and safe deployment?
• Is this all about the process or do SREs possess some magical technology to do this?
• What is SRE approach to automation?
• What are the pillars / components of SRE approach to deployment?
• SRE is also about scaling. Some security teams have to manage 1000s of detection rules, how can this be done in a manner that does not conflict or cause other problems?

Resources:

• Google SRE book
• A companion Google SRE workbook
• “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75)
• “Achieving Autonomic Security Operations: Why metrics matter (but not how you think)” blog
• “Achieving Autonomic Security Operations: Reducing toil” blog.

Guest:

• Alex Polyakov, CEO of Adversa.ai

Topics:

• You did research by analyzing 2000 papers on AI attacks released in the previous decade. What are the main insights?
• How do you approach discovering the relevant threat models for various AI systems and scenarios? 
• Which threats are real today vs in a few years?
• What are the common attack vectors? What do you see in the field of supply chain attacks on AI, software supply, data?
• All these reported cyberphysical attacks on computer vision, how real are they, and what are the possible examples of exploitation? Are they a real danger to people?
• What are the main differences between protecting AI vs protecting traditional enterprise applications?
• Who should be responsible for Securing AI? What about for building trustworthy AI?
• Given that the machinery of AI is often opaque, how to go about discovering vulnerabilities? Is there responsible disclosure for AI vulnerabilities, such as in open-source models and in public APIs? 
• What should companies do first, when embarking on an AI security program? Who should have such a program?

Resources:

• “EP52 Securing AI with DeepMind CISO” (ep52)
• “EP68 How We Attack AI? Learn More at Our RSA Panel!” (ep68)
• Adversarial AI attacks work on Humans (!)
• “Maverick* Research: Your Smart Machine Has Been Conned! Now What?” (2015)
• “The Road to Secure and Trusted AI” by Adversa AI
• “Towards Trusted AI Week 37 – What are the security principles of AI and ML?” 
• Adversa AI blog
• AIAAIC Repository
• Machine Learning Security Evasion Competition at MLSec

Guest: 

• Badr Salmi, Product Manager for reCAPTCHA

Topics:

• What is reCAPTCHA? Aren’t you guys the super annoying 'click on the busses' thing?
• What is account defender? Why was this a natural next step for you?
• What are the actual threats that this handles - and handles well? Specific web attacks? Web fraud?
• Let’s talk about account fraud, what do these attacks look like and how do bad guys monetize today?
• What about payment fraud? Could you score a payment session as well as a login session risk, or is that different? 
• How does this work with multi factor authentication?

Recommended reading:

• “Code” book
• Recapcha page
• “Protect your users’ accounts with reCAPTCHA Enterprise’s account defender” blog
• “Double-clicking, but not on fire hydrants, with bot fighters” (ep19)

Guest:

• Dimitri McKay,  Principal Security Strategist @ Splunk

Topics:

• How do you define that "XDR thing" that you are so skeptical about?
• So within that definition of XDR, you think it’s not so great, why?
• If you have to argue pro-XDR, what would you say?
• Two main XDR camps are “XDR as EDR+” and “XDR as SIEM-”, which camp do you think is more right? Are both wrong?
• What approach do you think is more useful as a lens to understand the potential upsides/downsides of XDR?
• What about the cloud? "Cloud XDR" seems a bit illogical, but what do you think is the future of D&R in the cloud?

Resources:

• “Anton and The Great XDR Debate, Part 1”
• “Anton and The Great XDR Debate, Part 2”
• “Anton and The Great XDR Debate, Part 3”
• SURGe content on splunk blog
• “Today, You Really Want a SaaS SIEM!”
• Red Canary 2022 Threat Detection report
• Verizon DBIR 2022 report.

Guest: 

• Christopher “CJ” Johnson, retired Fire Chief, and Global Regulated Cloud Product Lead @ Google Cloud

Topics:

• In political science, they define sovereignty as a local monopoly on the legitimate use of force. Why are we talking about “sovereignty” in IT?
• What is a sovereign cloud?  How much of the term is marketing vs engineering?
• Who cares or should care about sovereign cloud?
• Is this about technical controls or paper/policy controls? Or both?
• What is the role for encryption and key management and key access justifications (like say Google Cloud EKM with KAJ) for sovereign cloud?
• Is sovereign cloud automatically more secure or at least has better data security?
• What threat models are considered for sovereign cloud technologies?

Resources:

• Google Cloud External Key Manager (EKM) 
• “Trust Google Cloud more with ubiquitous data encryption” blog
• “Software-Defined community cloud - a new way to “Government Cloud”” blog

Guest:

• David Stone,  Staff Consultant  at Office of the CISO, Google Cloud

Topics:

• Speaking as a former CISO, what triggered your organization migration to the cloud?
• When did you and the security organization get brought in?
• How did you plan your security organization journey to the cloud?
• Did you take going to Cloud as an opportunity to change things beyond the tools you were using? 
• As you got going into the cloud, what was the hardest part for your organization ?
• What was most surprising? Good surprise and bad surprise?
• How did you design security controls for the cloud?
• How do you validate and verify security controls in the cloud? 
• How did you incorporate your cloud environment into your SOC’s responsibility
• Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be?

Resources:

• “How CISOs need to adapt their mental models for cloud security”
• “Megatrends drive cloud adoption—and improve security for all”
• “EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security“ (ep47)
• “CISO’s Guide to Cloud Security Transformation“ paper [PDF]
• Google SRE book
• GCAT site

Guest:

• Brandon Wood, Product Manager for Google Threat Intelligence

Topics:

• Threat intelligence is one of those terms that means different things to everyone–can you tell us what this term has meant in the different contexts of your career?  What do you tell people who assume that “TI = lists of bad IPs”?

• We heard while prepping for this show that you were involved in breaking up a human trafficking ring: tell us about that!

• In Anton’s experience, a lot  of cyber TI is stuck in “1. Get more TI 2. ??? 3. Profit!” How do you move past that?

• One aspect of threat intelligence that’s always struck me as goofy is the idea that we can “monitor the dark web” and provide something useful. Can you change my mind on this one?

• You told us your story of getting into sales, you recently did a successful rotation into the role of Product Manager,, can you tell us about what motivated you to do this and what the experience was like?

• Are there other parts of your background that inform the work you’re doing and how you see yourself at Google? 

• How does that impact our go to market for threat intelligence, and what’re we up to when it comes to keeping the Internet and broader world safe?

Resources:

• Video

• EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons

• EP128 Building Enterprise Threat Intelligence: The Who, What, Where, and Why

• EP112 Threat Horizons - How Google Does Threat Intelligence

• Introducing Google Threat Intelligence: Actionable threat intelligence at Google scale

• A Requirements-Driven Approach to Cyber Threat Intelligence

Guest: 

• John Stone,  Chaos Coordinator @ Office of the CISO, Google Cloud

Topics:

• So what is Autonomic Data Security, described in our just released paper? 
• What are some notorious data security issues today? Perhaps common data security mistakes security leaders commit?
• What never worked in data security, like say manual data classification?
• How should organizations think about securing the data they migrated and the data that was created in the cloud?
• Do you really believe the cloud can make data security better than data security in traditional environments?

Resources:

• “Modern Data Security: A path to autonomic data security” paper (NEW)
• “How autonomic data security can help define cloud’s future” blog
• “Megatrends drive cloud adoption—and improve security for all” blog
• “Modernizing SOC ... Introducing Autonomic Security Operations” blog
• “Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper
• “Zero Trust: Fast Forward from 2010 to 2021” (ep8)
• “Data Security in the Cloud” (ep2) and the resource.
• “Modern Data Security Approaches: Is Cloud More Secure?” (ep16)
• “Reflections on Trusting Trust” paper (1984).

Guest:

• Gorka Sadowski,  Chief Strategy Officer @ Exabeam

Topics:

• How do we get a legacy SOC team to think about the cloud?
• How to think about cloud threat detection, in general? What is different … threats, the environment, what else? What is the same? 
• How do we know which TTPs are relevant for the new environments? What to bring with us to the cloud?
• Do content/rules and detection engines need to be different to cover the cloud detection use cases?
• What cases are appropriate for machine learning (ML) in the cloud? Does cloud threats drive the need for new ML detections?

Resources:

• “11 Strategies of a World-Class Cybersecurity Operations Center” paper
• “Autonomic Security Operations: How to 10X Your SOC” paper
• “Indicators Of Compromise Vs. Tactics, Techniques, And Procedures” blog
• “How to Build and Operate a Modern Security Operations Center” (Gartner subscription required)
• “A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next” blog

Guest:

• Cyrus Robinson, SOC Director and IR Team lead at Ingalls Information Security

Topics:

• You’ve been using SOAR tools for years, so what do you think of the technology so far?
• What is driving SOAR adoption today? And what is inhibiting SOAR adoption?
• Realistically, how hard is SOAR to operationalize for a typical company?
• What are your favorite SOAR playbooks to start with?
• How to build, train and keep the SOAR team? Do they need to code to succeed?
• We like the SOAR maturity model approach. How would you imagine a SOAR adoption maturity model?
• How to implement SOAR from scratch in scaling operations? How to start? How to plan? How to not fail?

Resources:

• “A Simple SOAR Adoption Maturity Model” blog 
• “Planning Is Paramount When Adopting SOAR” blog
• Siemplify community version

Guest:

• Ben Johnson, CTO/co-founder @ Obsidian Security

Topics:

• Why is there so much attention lately on SaaS security? Doesn’t this area date back to 2015 or so?
  
• What do you see as the primary challenges in securing SaaS?
  
• What does a SaaS threat model look like? What are the top threats you see?
  
• CASB has been the fastest growing security market and it has grown into a broad platform and many assume that “securing SaaS = using CASB”, what are they missing?
  
• Where would another technology to secure SaaS fit architecturally, inline with CASB or as another API-based system?
  
• Securing IaaS spanned a robust ecosystem of vendors (CWPP, CSPM, now CNAPP) and many of these have ambitions for securing SaaS, thus clashing with CASB. Where do you fit in this battle?
  
• For a while, you were talking more about CDR - what is it and do we really need a separate CDR technology?
  

Resources:

• Obsidian Security blog and Resource Center
  
• Does the World Need Cloud Detection and Response (CDR)? blog
  
• Does the world need Cloud Detection and Response (CDR) as a new market segment? poll
  
• MITRE ATT&CK for SaaS matrix
  
• CISA SCUBA resource
  
• “Essentialism” book.
  

Guest:

• Tim Nguyen, Director of Detection and Response @ Google

Topics:

• I know we don’t like to say “SOC” here, so why don’t we talk about the role of automation in detection and response (D&R) at Google?
• One SRE concept we found useful in security operations is “toil” - How do we squeeze toil out of D&R practice at Google?
• A combined analyst and engineer role (just like an SRE) was critical for both increasing automation and reducing toil, how hard was it to put this into practice? Tell us about that journey?
• How do we automate security signal analysis, can you give us a few examples?
• D&R metrics have been a big pain point for many organizations, how does SRE thinking of SLOs and SLIs (and less about SLAs) helps us in our “not SOC”?
• How do we avoid falling into the “time to respond” trap that rewards fast response, sometimes at the cost of good?

Resource:

• SRE book, Chapter 5 - Eliminating Toil
• SRE book, Chapter 4 - Service Level Objectives
• “Building Secure and Reliable Systems” book
• “Achieving Autonomic Security Operations: Automation as a Force Multiplier”
• “Achieving Autonomic Security Operations: Reducing toil”
• “Taking an autonomic approach to security operations” video
• “Modern Threat Detection at Google” (ep17)

Guest: 

• James Luo,   Partner @ CapitalG

Topics:

• You've looked at hundreds of security startups at the growth stage - what is getting funded? What is not getting funded? What is the difference?
• What's your view on the current market environment for security companies? Is security "recession-proof", whatever that means?
• How do you think about what problems are worth solving with a new venture vs existing vendors (and/or CSPs) expanding to cover the new area?
• Why do many cloud security vendors get funded and get high valuations while there is a wide perception that CSP (like us at Google) are doing security really well?
• How do we solve the challenge that many organizations are barely moving off “antivirus and firewalls” security of the 1990s?
• What is your best advice to cloud security startups trying to get wider adoption?

Resources:

• “Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity”
• CapitalG blog

Guest:

• Erik Bloch,  Senior Director of Detection and Response at Sprinklr

Topics:

• You recently coined a concept of “output-driven Detection and Response” and even perhaps broader “output-driven security.” What is it and how does it work?
• Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that?
• You refer to a federated approach for Detection and Response”  (“route the outcomes to the teams that need them or can address them”), but is it workable for any organization? 
• What about the separation of duty concerns that some raise in response to this? What about the organizations that don’t have any security talent in those teams?
• Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it?
• The model of “security team as a decision-maker, not an implementer” has a bit of a painful history, as this is what led to “GRC-only teams” who lack any technical knowledge. Why will this approach work this time?

Resources:

• “RIP SOC. Hello D-IR”
• “Kill your SOC with a D-IR model”
• “Security De-Engineering: Solving the Problems in Information Risk Management” book
• “A SOCless Detection Team at Netflix” 
• “Achieving Autonomic Security Operations: Automation as a Force Multiplier” 
• “Start with Why: How Great Leaders Inspire Everyone to Take Action“ book
• “Think Like a Monk: The Secret of how to Harness the Power of Positivity and be Happy Now” book
• “On “Output-driven” SIEM”
• “SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond” (ep58)

Guests:

• Dave “Merk” Merkel, CEO @ Expel
• Peter Silberman,  CTO @ Expel

Topics:

• Many MDRs claim to be “security from the cloud”, but they actually don’t know much about cloud security. What does good looks like for MDR in the cloud (cloud being a full range from IaaS to SaaS)?
• What are the key challenges for clients picking an MDR for their cloud environments?  What are the questions to ask your potential MDR?
• Do clients want the same security outcomes done in the cloud vs on-premise?  
• Does it mean that MSSP/MDR capabilities must be different for good coverage of the cloud? 
• Is MDR technology different for Cloud detection and response as opposed to on-prem D&R? 
• How do you communicate with clients about the importance and value of cloud specific detection vs detection for endpoints running in the cloud? 
• What are the top threats against client cloud environments that you see, detect and protect from?
• Which clouds (IaaS?) are easiest for MDR to protect? What makes them easier to handle than the other Clouds?

Resources:

• Who Does What In Cloud Threat Detection?
• How to Think about Threat Detection in the Cloud
• Cattle vs Pets reminder
• Expel Blog - Incident report: Spotting an attacker in GCP 
• Expel Great eXpeltations 2022: Cybersecurity trends and predictions
• Expel Quarterly Threat Report: Q1 2022

Guest: 

• Stefan Friedli,  Senior Security Engineer @ Google

Topics:

• What is our “red team” testing philosophy and approach at Google? 
• How did we evolve to this approach? 
• What is the path from testing to making Google and our users more secure? How does our testing power the improvements we make?
• What is unique about red teaming at Google?
• Care to share some fun testing stories or examples from your experience?

Resources:

• “Building Secure & Reliable Systems” book (free)
• Threat Analysis Group (TAG) blog

Guests: none

Topics:

• What have we seen at the RSA 2022 Conference?
• What was the most interesting and unexpected?
• What was missing?

Resources:

• “RSA 2022 Musings: The Past and The Future of Security”
• Google Cloud Security at RSA 2022

Guests:

• Omar ElAhdan, Principal Consultant, Mandiant, Google Cloud

• Will Silverstone, Senior Consultant, Mandiant, Google Cloud

Topics:

• Most organizations you see use both cloud and on-premise environments. What are the most common challenges organizations face in securing their hybrid cloud environments?

• You do IR so in your experience, what are top 5  mistakes organizations make that lead to cloud incidents?

• How and why do organizations get the attack surface wrong? Are there pillars of attack surface?

• We talk a lot about how IAM matters in the cloud.  Is that true that AD is what gets you in many cases even for other clouds?

• What is your best cloud incident preparedness advice for organizations that are new to cloud and still use on-prem as well?

Resources:

• Next 2024 LIVE Video of this episode / LinkedIn version (sorry for the audio quality!)

• “Lessons Learned from Cloud Compromise” podcast at The Defender’s Advantage

• “Cloud compromises: Lessons learned from Mandiant investigations” in 2023 from Next 2024

• EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler

Guest:

• James Condon,  Director of Security Research @  Lacework 

Topics:

• What are realistic and actually observed cloud threats today? How did you observe them at Lacework?
• Cloud threats: are they on-premise  style threats to cloud assets? We hate the line “cloud is just somebody else’s computer” but apparently threats actors seem to think so?
• What is the 2nd most dangerous cloud issue after configuration mistakes?
• Why is it so common for organizations to have insecure configurations in their cloud environments? 
• Give me a few examples of the most common mistakes organizations make, and what they can do to avoid those configurations.
• Cloud malware and  ransomware / RansomOps, are these real risks today?
• Are we finally seeing the rise of Linux malware at scale (in the cloud)?
• As multi cloud expands in popularity, what are threat actors doing in this area?
• Are actors customizing their attacks on a per-cloud basis (AWS, GCP, Azure)?

 Resources:

• Lacework 2022 Cloud Threat Report
• “Securing DevOps: Security in the Cloud” book
• “Threat Models and Cloud Security” (ep12)
• Google Threat Horizons Report #1
• Google Threat Horizons Report #2

Guest: 

• Nicholas Carlini, Research Scientist @ Google 

Topics:

• What is your threat model for a large-scale AI system? How do you approach this problem? How do you rank the attacks?
• How do you judge if an attack is something to mitigate? How do you separate realistic from theoretical?
• Are there AI threats that were theoretical in 2020, but may become a daily occurrence in 2025?
• What are the threat-derived lessons for securing AI?
• Do we practice the same or different approaches for secure AI and reliable AI?
• How does relative lack of transparency in AI helps (or hurts?) attackers and defenders?

Resources:

• “Red Teaming AI Systems: The Path, the Prospect and the Perils” at RSA 2022
• “Killed by AI Much? A Rise of Non-deterministic Security!”
• Books on Adversarial ML

Guest: 

• Sounil Yu, CISO and Head of Research at JupiterOne

Topics:

• How does your Cyber Defense Matrix apply to cloud security? Are things easier or harder?
• Cloud (at least the cloudy-cloud, also called cloud native) definitely supports “Distributed Immutable Ephemeral” (DIE) - your new creation, how does that change security and CDM?
• Cyber resilience generates a lot of confusion, how do you define and describe it? 
• BTW, is the cloud more or less cyber resilient based on your definition?
• Is invisible security a good thing? Can we ever have it? When should security be visible?
• Intuitively, security and safety are not the same. So, what is the difference between cyber safety and cyber security? What is cyber safety, really?

Resources:

• Cyber Defense Matrix
• Security DIE Triad
• Container Security: The Past or The Future? (ep54)
• This Binary Legit? How Google Uses Binary Authorization and Code Provenance (ep66)
• What is the useful definition of “cyber resilience”? poll
• Is the cloud just somebody else’s computer? Poll
• Cattle vs Pets - DevOps Explained
• Gartner CIA-PSR model
• The 2022 State of Cyber Assets Report
• Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape
• “Antifragile” book
• “Thinking, Fast and Slow” book

“Security Chaos Engineering” book

Guest:

• Sandra Guo, Product Manager in Security, Google Cloud

Topics:

• We have a really interesting problem here: if we make great investments in our use of trusted repositories, and great investments in doing code review on every change, and securing our build systems, and having reproducible builds, how do we know that all of what we did upstream is actually what gets deployed to production?
• What are the realistic threats that Binary Authorization handles? Are there specific organizations that are more at risk from those?
• What’s the Google inspiration for this work, both development and adoption? 
• How do we make this work in practice at a real organization that is not Google? 
• Where do you see organizations “getting it wrong” and where do you see organizations “getting it right”?
• We’ve had a lot of conversations about rolling out zero-trust for enterprise applications, how do those lessons (start small, be visible, plan plan plan) translate into deploying Binauthz into blocking mode? 

Resources:

• “Binary Authorization for Borg: how Google verifies code provenance and implements code identity“ paper
• Binary Authorization for deploying trusted images
• DevOps & SRE at Google

Guests:

• Charles Carmakal, CTO at Mandiant 
• Taylor Lehmann, Director at Office of the CISO, Google Cloud

Topics:

• What are the current “popular” incidents at healthcare providers that you handled? Any of them involve cloud? 
• Do healthcare CISOs have time for anything other than ransomware?
• Does insider threat matter? What can incident response teach us here?
• How do you think the threat actors benefit from the health data they steal? 
• Based on your IR experience, what are the more interesting ways in, other than phishing?
• Give us your IR-informed take on ransomware pay/not pay focused on healthcare, ideally? 

Resources:

• “The key role ‘visibility’ plays in healthcare’s cybersecurity resilience”
• “How healthcare can strengthen its own cybersecurity resilience”
• “M-Trends 2022: Cyber Security Metrics, Insights and Guidance From the Frontlines”
• “Future of EDR: Is It Reason-able to Suggest XDR?” (ep29)
• “MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications”
  “VS21: A Playbook for Resiliency: Contain and Remediate Ransomware Before It Can Act”
• “FDA Announces Fix for Pacemaker Security Flaws”

• Dave Herrald @ Principal Security Strategist, Google Cloud

Topics:

• What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc)?
• How do you make SOC training realistic?
• Should training be about the toolset or should it be about the analyst’s skills?
• Should you primarily train for engineering skills or analysis skills?
• Do you need to code to succeed in a modern SOC?
• Are competitive events like CTFs effective for SOC training?
• What role does SOC training play in bringing new, perhaps under-represented people into security operations and promoting inclusivity?

Resources:

• Chris Sanders SOC classes
• SANS Holiday Hack Challenges
• SEC450: Blue Team Fundamentals: Security Operations and Analysis
• SANS NetWars
• “Autonomic Security Operations: 10X Transformation of the Security Operations Center” paper
• Boss of the SOC (BOTS) Dataset 

Guests:

• Robert Herjavec, Founder and CEO of Herjavec Group
• Eric Foster, President of CYDERES 
• Iman Ghanizada, Global Head of Autonomic Security Operations at Google Cloud.

Topics:

• It’s been a few months since we launched Autonomic Security Operations (ASO) and it seems like the whitepaper has been going viral in the industry. Tell us what ASO is about?
• How was the ASO story received by your customers? Any particular reactions?
• Will the ASO narrative inspire the next generation of practitioners? Where do you envision the market headed?
• ASO is about transforming the SOC, and that often involves culture change. How do you change the culture and deeper approaches common in security operations?
• What else can we do to evolve SOC faster than the threats and assets grow?

Resources:

• This episode is based on a panel from  This Google Cloud Security Talks Q1 2022
• Panel “All Organizations Should Pursue Autonomic Security Operations… A Fireside Chat with SOC Elites.”
• “All Organizations Should Pursue Autonomic Security Operations… A Fireside Chat with SOC Elites” on YouTube
• “Autonomic Security Operations: 10X Transformation of the Security Operations Center“ paper
• “Modernizing the U.S. Federal Government’s Approach to Cyber Threat Management with Autonomic Security Operations“  paper

Guest:

• Etienne De Burgh, Senior Security and Compliance Specialist, Office of the CISO @ Google Cloud

Topics:

• Why is API security hot now? What happened that made it a priority for many? 
• Is API security different from application security? Doesn't the first "A" in API  stand for application? 
• What are the real threats to exposed APIs?
• APIs are designed for automated use, so how do you tell automated use from automated abuse / attack?
• What are the biggest challenges that companies are having with API security?
• What are the components of API security? Is there a “secure by default API”? API threat detection?
• Just like cloud in general, API misconfigurations seem to be leading to security problems, are APIs hard to configure securely for most organizations?

Resources:

• Google Cloud Security Summit  - come see us on May 17, 2022
• “Securing web applications and APIs anywhere” (at our Security Summit)
• OWASP Top 10 for API Security
• “Best practices for securing your applications and APIs using Apigee”

No guests - just Anton and Tim

Topics:

• Why cloud security? What do we really think about our podcast name and topic, cloud security?
• Can you once again explain security for the cloud, in the cloud, from the cloud?
• What is one thing that we learned from doing a podcast?
• Favorite cloud security trend that we encountered on the podcast? 
• What did we learn about security from organization's migrating to the cloud?
• What are our favorite reading materials related to cloud security?
• What are our favorite tips from the guests on securing the cloud?

Resources:

• “The Age of AI And Our Human Future” book
• “Practical Guide to Cloud Migration – Google - Site Reliability Engineering” (book, free) and other SRE books
• “Cloud Security podcast by Google turns 46 - Reflections and lessons!”
• “Cloud Security Podcast by Google — Popular Episodes by Topic”
• Our video trailer

Guest: 

• Dylan Ayrey, cofounder of Truffle Security

Topics:

• Could you explain briefly why identity is so important in the cloud?
• A skeptic on cloud security once told us that “in the cloud, we are one identity mistake from a breach.” Is this true?
• For listeners who aren’t familiar with GCP, could you give us the 30 second story on “what is a service account.” How is it different from a regular IAM account?
• What are service account impersonations?
• How can I see if my service accounts can be impersonated? How do I detect it?
• How can I better secure my organization from impersonation attacks?

Resources:

• Truffle Security blog
• “GCP Lateral Movement And Privileged Escalation Spill Over And Updates From Google” by Dylan Ayrey
• “Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments”  blog 
• “Kat Traxler - Taste the IAM” blogs

Guest:

• Seth Vargo, Principal Software Engineer responsible for Google's use of the public cloud, Google

Topics:

• Google uses the public cloud, no way, right? Which one? Oh, yeah, I guess this is obvious: GCP, right?

• Where are we like other clients of GCP?  Where are we not like other cloud users?

• Do we have any unique cloud security technology that we use that others may benefit from?

• How does our cloud usage inform our cloud security products?

• So is our cloud use profile similar to cloud natives or traditional companies?

• What are some of the most interesting cloud security practices and controls that we use that are usable by others?

• How do we make them work at scale? 

Resources:

• EP12 Threat Models and Cloud Security (previous episode with Seth)

• EP66 Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics

• IAM Deny

• Seth Vargo blog

• “Attention Is All You Need” paper (yes, that one)

Guest: 

• Sharon Goldberg, CEO and cofounder of BastionZero and a professor at Boston University

Topics:

• What is your favorite definition of zero trust?
• You had posted a blog analyzing the whitehouse ZT a memo on the federal government’s transition to “zero trust”,  what caught your eye about the Zero Trust memo and why did you decide to write about it?
• What’s behind the federal government’s recommendations to deprecate VPNs and recommend users “authenticate to applications, not networks”?
• What do these recommendations mean for cloud security, today and in the future?
• What do you think would be the hardest things to implement in real US Federal IT environments?
• Are there other recommendations in the memo to think about as organizations design zero trust strategies for their infrastructure? 
• What are some of the challenges of implementing zero trust in general?
  
  

Resources:

• "Zero Trust: Fast Forward from 2010 to 2021" (ep8)
• “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”
• “I read the federal government’s Zero-Trust Memo so you don’t have to” 
• “F12 isn’t hacking: Missouri governor threatens to prosecute local journalist for finding exposed state data”

New Audio Trailer: Cloud Security Podcast by Google

Guests: 

• Alexi Wiemer,  Senior Manager at Deloitte Cyber Detection and Response Practice
• Dan Lauritzen,  Senior Manager at Deloitte Cloud Security Practice.
  
  

Topics:

• What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in? 
• What is your best advice to SOCs that are permanently and woefully understaffed? 
• Many SOC analysts are drowning in manual work, and it is easy to give advice that “they   need to automate.” What does this actually entail, in real life?
• What is, in your view, the most critical technology for a modern SOC? Is it SIEM? Is it SOAR? Is it EDR? 
• What is the best advice for a SOC that was handed cloud on a platter and was told to monitor it for threats?
• Occasionally, we hear that “SOC is dead.” What is your response to such dire SOCless predictions? 

Resources:

• “New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of 4)”
• “New Paper: “Future of the SOC: Forces shaping modern security operations””
• “New Paper: “Future of the SOC: SOC People — Skills, Not Tiers””
• “New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center””
• “A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next”
• “Why Your Security Data Lake Project Will FAIL!”

Guest:

• Maddie Stone, Security Researcher @ Google

Topics:

• How do we judge the real risk of being attacked using an exploit for a zero day vulnerability? Does the zero day risk vary by company, industry, etc? 
• What does pricing for zero days tell us, if anything? Are prices more driven by supply or demand these days?
• What security controls or defenses are useful against zero days including against chained zero days?
• Where are the cloud zero days? We get lots of attention on iOS and Android, what about the cloud platforms? 
• So, how do we solve the paradox of zero days, are they more scary than risky or more risky than scary? Or both?

Resources:

• Project Zero blog 
• A walk through Project Zero metrics
• Threat Analysis Group (TAG) blog

Guest: 

• Erlander Lo, Security and Compliance Specialist @ Google Cloud

Topics:

• Imagine you are planning a data warehouse in the cloud, how do you think about security?
• What are the expected threats to a large data store in the cloud?
• How to create your security approach for a data warehouse project?
• Are there regulations that force your decisions about security controls or  approaches, no matter what the threats are?
• How do you approach data governance for this project?
• What controls are there to implement in Google Cloud for a secure data warehouse effort?

Resources:

• Secure Data Warehouse blueprint (other blueprints)
• Creativity Inc book
• “Data Governance: The Definitive Guide” book

Guests:

• Brandie Anderson, Global Security Practice Lead @ Google Cloud
• Renzo Cuadros,  Regional Security Practice Lead @ Google Cloud

Topics:

• What are your Cloud migration security lessons? Greatest hits? Near misses?
• What are the most common cloud security mistakes you see? Any practices or tricks to avoid or mitigate them?
• How do you talk people out of security “lift and shift”?
• Do clients understand how threat models change when they migrate to the cloud?
• How clients typically handle compliance in the cloud? What regulations are the most challenging in the cloud?
• What is the future for cloud migration security? 
• Do we foresee a future when most data is created in the cloud and there is no need to migrate anything?

Resources:

• “Building Secure & Reliable Systems” book
• Google Cloud Architecture Framework
• “Threat Models and Cloud Security” (ep12)
• Modernizing compliance: Introducing Risk and Compliance as Code

Guest: 

• Anna Belak,  Director of Thought Leadership @ Sysdig

Topics:

• One model for container security is “Infrastructure security  | build security | runtime security” -  which is most important to get right? Which is hardest to get right? 
• How are you helping users get their infrastructure security right, and what do they get wrong most often here?
• Your report states that “3⁄4 of running containers have at least one "high" or "critical" vulnerability“ and it  sounds like pre-cloud IT, but this is about containers?  This was very true  before cloud, why is this still true in cloud native?  Aren’t containers easy to “patch” and redeploy? 
• You say  “Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production.“ but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don’t fix things? 
•  “52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline.“ - isn’t pipeline and repo scanning easier and cheaper? Why isn’t this 90/10 but 40/50?
•  “62% detect shells in containers” sounds (to Anton) that “62% zoos have a dragon in them” i.e. kinda surreal. What’s the real story?
• Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers? 

Resources:

• Sysdig report
• Kubernetes podcast episode with Anna Belak 
• EP15 Scaling Google Kubernetes Engine Security
• Sysdig learning hub

Guest: 

• Amos Stern, CEO of SIEMplify, now part of Google Cloud

Topics:

• SOAR is in the news again,  so what can we say about the state of SOAR in 2022?
• What have we learned trying to get SOAR adopted 2015-2022 (that’s 7 years of SOAR-ing for you)?
• What are the top playbooks to start your SOC automation using SOAR? 
• What about the links between SOAR as security automation and general IT automation? 
• Does the level of consolidation in this market mean that SOAR really is a feature of SIEMs and not a product in its own right?

Resources:

• Siemplify blog
• Google Cloud Security Talks Q1 2022

Guest:

• Vijay Bolina, CISO at DeepMind

Topics:

• We spend a lot of time on Artificial Intelligence (AI) safety, but what about security? 
• What are some of the useful frameworks for thinking about AI security?
• What is different about securing AI vs securing another data-intensive, complex, enterprise application?
• What do we know about threat modeling for AI applications?
• What attacks against AI systems do we expect to see first in real life?
• What issues with AI security should we expect to face in 3-5 years?

Resources:

• DeepMind Learning Resources
• DEFCON AI Village and videos
• CAMLIS 

Guest: 

• Vandy Ramadurai, Product Manager at Google Cloud

Topics:

• What is Cloud Organization Policy, and how is it different from IaC and Policy as code (PaC)?
• What does successful organization policy design look like from a business and human standpoint? From a technical standpoint?
• Granular policy work is always hard. How is Google helping users get org policy right?  What are the uniquely Google strengths here? 
• Is the AI involved real or is this marketing pixie dust AI?
• How do users know if something should be a proactive control like a guardrail or if something should be a reactive control like a detection?

Resources:

• Policy Intelligence tools
• NEXT'21 SEC 203 - Governance guardrails
• Least privilege for Cloud Functions using Cloud IAM

Guest:

• Crystal Lister, Technical Program Manager, Google Cloud Security

Topics:

• Your background can be sheepishly called “public sector”, what’s your experience been transitioning from public to private? How did you end up here doing what you are doing?

• We imagine you learned a lot from what you just described – how’s that impacted your work at Google?

• How have you seen risk management practices and outcomes differ?

• You now lead Google Threat Horizons reports, do you have a vision for this? How does your past work inform it?

• Given the prevalence of ransomware attacks, many organizations are focused on external threats. In your experience, does the risk of insider threats still hold significant weight? What type of company needs a dedicated and separate insider threat program?

Resources:

• Video on YouTube

• Google Cybersecurity Action Team Threat Horizons Report #9 Is Out!

• Google Cybersecurity Action Team site for previous Threat Horizons Reports

• EP112 Threat Horizons - How Google Does Threat Intelligence

• Psychology of Intelligence Analysis by Richards J. Heuer

• The Coming Wave by Mustafa Suleyman 

• Visualizing Google Cloud: 101 Illustrated References for Cloud Engineers and Architects

Guest:

• Elie Bursztein, security, anti-abuse and privacy researcher @ Google

Topics:

• This episode draws on a talk available in the podcast materials. Could you summarize the gist of your talk for the audience?
• What makes the malicious document problem a good candidate for machine learning (ML)? Could you have used rules?
• “Millions of documents in milliseconds,” not sure how to even parse it - what is involved in making it work?
• Can you explain to the listeners the motivation for reanalyzing old samples, what ground truth means in ML/detection engineering, and how you are using this technique?
• How fast do the attackers evolve and does this throw ML logic off?
• Do our efforts at cat-and-mouse with attackers make the mice harder for other people to catch?  Does massive-scale ML detections accelerate the attacker's evolution?

Resources:

• The RSA talk “Malicious Documents Emerging Trends: A Gmail Perspective”
• “EP40 2021: Phishing is Solved?” episode
• Elie’s talks on his site

Guest:

• Taylor Lehmann, Director at the Office of the  CISO @ Google Cloud, member of Cybersecurity Action Team

Topics:

• What’s top of mind for healthcare organizations’ CISOs now?
• What common advice do you find yourself giving most often to security leaders in healthcare? Is there a list of top 3 items or is this all “it depends”?
• What regulations are shaping the healthcare industry and its adoption of new technology? HIPAA is from 1996, how does it work for the cloud in the 2020s?
• Why do you think we aren’t seeing more cloud ransomware?
• Healthcare orgs are sometimes seen as “IT laggards”, what are the key security lessons from their cloud migrations?
• How do we convince some of these organizations that cloud is more secure as long as they use it securely?

Guest:

• Nelly Porter, Group Product Manager @ Google Cloud

Topics

• In the past year, what has changed with Confidential Computing here at Google?
• Could we please talk about a user or two who has really nailed it with our Confidential Computing? 
• What have we learned about the threat models of clients who are choosing to deploy Confidential Computing? What are they solving for?
• Doing Confidential Computing “right” feels like a lot more than having some fancy CPUs with magic math. What challenges do customers face adopting it? 
• We finally “married” Confidential Computing with EKM. What types of clients are deploying this new technology? What threats are they mitigating?
• What’s on the horizon for Confidential Computing? 

Resources:

• “Trust Google Cloud more with ubiquitous data encryption”
• The Confidential Computing Consortium whitepapers
• Confidential Computing at Google
• EP12 Threat Models and Cloud Security