Cloud Security Podcast by Google
Anton Chuvakin
Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure.
We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit.
We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.
Episodes
Apr 10, 2023 • 30min
EP116 SBOMs: A Step Towards a More Secure Software Supply Chain
Guest: Isaac Hepworth, PM focused on Software Supply Chain Security @ Google
Cooked questions:
Why is everyone talking about SBOMs all of a sudden? Why does this matter to a typical security leader?
Some software vendors don’t want SBOM, and this reminds us of the food safety rules debates in the past, how does this analogy work here?
One interesting challenge in the world of SBOMs and unintended consequences is that large well resourced organizations may be better equipped to produce SBOMs than small independent and open source projects. Is that a risk? Is the SBOM requirement setting the government up to be overly reliant on megacorps and are we going to unintentionally ban open source from the government?
What is the relationship between SBOM and software liability? Is SBOM a step to this? Won’t software liability kill open source?
How does Google prepare for EO internally; how do we use SBOM and other related tools?
To come back to the food analogy, SBOMs are all well and good, but the goal is not that consumers know they’re eating lead, but rather that our food becomes healthier. Where are we heading in the next five years to improve software supply chain "health and safety"?
Resources:
Full video of this episode (YouTube / LinkedIn)
“Executive Order on Improving the Nation’s Cybersecurity”
“M-22-18 Memorandum For The Heads of Executive Departments and Agencies”
SLSA.dev
“How to SLSA Part 3 - Putting it all together”
Assured Open Source Software
NIST Secure Software Development Framework (SSDF)
“Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24)
“2022 Accelerate State of DevOps Report and Software Supply Chain Security” (ep100)

Apr 3, 2023 • 35min
EP115 How to Approach Cloud in a Cloudy Way, not As Somebody Else’s Computer?
Guest: Rafal Los, Head of Services Strategy @ Extrahop and Founder of Down the Security Rabbit Hole podcast
Topics:
You had a very fun blog where you reminded the world that many organizations still approach cloud as a rented data center, do you still see it now? Do you think this will persist for 3, 5, 10 years?
Other than microservices, what’re the most important differences between public cloud and a rented data center for a CISO to keep in mind?
Analysts say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this? Actually, how do you define “use cloud securely”?
Have you met any CISOs who are active cloud fans who prefer cloud for security reasons?
You also work for an NDR vendor, do you think NDR in the cloud has a future?
Resources:
Full video of this episode (YouTube / LinkedIn)
Down the Security Rabbithole Podcast (DtSR) podcast
“A Little Truth About the Cloud”
“Megatrends drive cloud adoption—and improve security for all”
“CISO Walks Into the Cloud: And The Magic Starts to Happen!” (ep104)
“Threat Models and Cloud Security” (ep12)
“Security Architect View: Cloud Migration Successes, Failures and Lessons” (ep105)
“Patrolling Cyberspace” book (2006)

Mar 27, 2023 • 28min
EP114 Minimal Viable Secure Product (MVSP) - Is That a Thing?
Guest: Chris John Riley, Senior Security Engineer and a Technical Debt Corrector @ Google
Topics:
We’ve heard of MVP, what is MVSP or Minimal Viable Secure Product?
What problem is MVSP trying to solve for the industry, community, planet, etc? How does MVSP actually help anybody?
Who is the MVSP checklist for? Leaders or engineers?
How does MVSP differ from compliance standards like ISO 27001, or even SOC 2?
How does Google use MVSP? Has it improved our security in some way?
How to balance the dynamic nature of security with minimal security basics?
The working group has recently completed a control refresh for 2022, what are some highlights?
Resources:
Mvsp.dev
SLSA Levels
MVSP (Minimum Viable Secure Product) Compliance
“Phantoms in the Brain” book
“Strengthen Basic Security Hygiene With a Two-Pronged Security Architecture Approach”
FIRST Impressions podcast

Mar 20, 2023 • 28min
EP113 Love it or Hate it, Network Security is Coming to the Cloud
Guest: Martin Roesch, CEO at Netography, creator of Snort
Topics:
What is the role of network security in the public cloud?
Networks used to be the perimeter, now we have an API and identity driven perimeter. Are networks still relevant as a layer of defense?
We often joke that “you don’t need to get your firewalls with you to the cloud”, is this really true? How do you do network access control if not with firewalls?
What about the NIDS? Does NIDS have a place in the cloud?
So we agree that some network security things drop off in the cloud, but are there new network security threats and challenges?
There’s cloud architecture and then there’s multi cloud and hybrid architectures–how does this story change if we open the aperture to network security for multi cloud and hybrid?
Should solutions that provide cloud network security be in the cloud themselves? Is this an obvious question?
Resources:
Book “Who: The A Method for Hiring” by Geoff Smart, Randy Street
Netography resources
Snort
““Hacking Google”, Op Aurora and Insider Threat at Google” (ep91)
“Zero Trust: Fast Forward from 2010 to 2021” (ep8)
“Gathering Data for Zero Trust” (ep4)

Mar 13, 2023 • 29min
EP112 Threat Horizons - How Google Does Threat Intelligence
Guest: Charles DeBeck, Cyber Threat Intel Expert @ Google Cloud
Topics:
What is unique about Google Cloud approach to threat intelligence? Is it the sensor coverage? Size of the team? Other things?
Why is Threat Horizons report unique among the threat reports released by other organizations?
Based on your research, what are the realistic threats to cloud environments today? What threats are prevalent and what threats are most damaging?
Where do you see things in 2023? What should companies look for?
What’s one thing that surprised you when preparing the report? What do you think will surprise audiences?
What is the most counter-intuitive hardening and operational advice we can glean from this Threat Horizons report?
What's most important to know when it comes to understanding OT and cloud?
Resources:
Google Threat Horizons Reports One, Two, Three, Four, Five
“Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity”
Corey Quinn on cloud billing alerts

Mar 6, 2023 • 24min
EP111 How to Solve the Mystery of Application Security in the Cloud?
Guest: Brandon Evans, Infosec Consultant and Certified Instructor and Course Author at SANS
Topics:
What got you interested in security and motivated you to make this your area of focus? You came from a developer background, right?
Occasionally, we hear the sentiment that “developers don’t care about security,” how would you counter it (and would you?)?
How do we encourage developers and operations to use the appropriate security controls and settings in the cloud? Is “encourage” the right word? Can we really do “secure by default” but for developers?
What do you think are the main application security issues that developers need to deal with in the cloud?
You mentioned software supply chain security, do you treat this as a part of application security? How important is this, realistically, for an average organization and its developers?
Going to our favorite subject of threat detection, how do you think we can better encourage developers to supply the logs necessary for our detection and response teams to act upon?
Resources:
“Cloud Security: Making Cloud Environments a Safer Place” ebook by SANS
SANS.org/cloud site
“The Phoenix Project” book by Gene Kim et al
“The Unicorn Project” book by Gene Kim
“Next Special - Log4j Reflections, Software Dependencies and Open Source Security” (EP87)
“2022 Accelerate State of DevOps Report and Software Supply Chain Security” (EP100)
“Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (EP24)

Feb 27, 2023 • 28min
EP110 Detection and Response in a High Velocity and High Complexity Environment
Guest: David Seidman, Head of Detection and Response @ Robinhood
Topics:
Tell us about joining Robinhood and prioritizing focus areas for detection in your environment?
Tim and Anton argue a lot about what kind of detection is best - fully bespoke and homemade, or scalable off-the-shelf. First, does our framework here make sense, and second, looking at your suite of detection capabilities, how have you chosen to prioritize detection development and detection triage?
You're operating in AWS: there are a lot of vendors doing detection in AWS, including AWS themselves. How have you thought about choosing your detection approaches and data sources?
Finding people with as much cloud expertise as you can't be easy: how are you structuring your organization to succeed despite cloud detection and response talent being hard to find? What matters more: detection skills or cloud skills?
What has been effective in ramping up your D&R team in the cloud?
What are your favorite data sources for detection in the cloud?
Resources:
“Detection as Code? No, Detection as COOKING!”
“On Threat Detection Uncertainty”
“Radical Candor” by Kim Scott
“Daring Greatly” by Brene Brown
“Extreme Ownership” by Jocko Willink
“Drive” by Daniel Pink

Feb 20, 2023 • 28min
EP109 How Google Does Vulnerability Management: The Not So Secret Secrets!
Guest: Ana Oprea, Staff Security Engineer, European Lead of Vulnerability Coordination Center @ Google
Topics:
What is the scope for the vulnerability management program at Google? Does it cover OS, off-the-shelf applications, custom code we wrote … or all of the above?
Our vulnerability prioritization includes a process called “impact assessment.” What does our impact assessment for a vulnerability look like?
How do we prioritize what to remediate? How do we decide on the speed of remediation needed?
How do we know if we’ve done a good job? When we look backwards, what are our critical metrics (SLIs and SLOs) and how high up the security stack is the reporting on our progress?
What of the “Google Approach” should other companies not try to emulate? Surely some things work because of Google being Google, so what are the weird or surprising things that only work for us?
Resources:
SRS Book, Chapter 20: Understanding Roles and Responsibilities and Chapter 21: Building a Culture of Security and Reliability
Why Google Stores Billions of Lines of Code in a Single Repository
SRE book and SRE Workbook
“How Google Secures Its Google Cloud Usage at Massive Scale” (ep107)
“Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance” (ep66)
“How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75)

Feb 13, 2023 • 26min
EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting
Guest: John Stoner, Principal Security Strategist @ Google Cloud
Topics:
Please define threat hunting for us quickly, the term has been corrupted a bit
What are your favorite beginner hunts to jump start the effort at a new team?
How to incorporate hunting lessons in detection?
What are the differences for hunting in the cloud?
Are there specific data sources you prefer to have access to when threat hunting? In the cloud?
Should every organization threat hunt?
What are traits you might look for in a threat hunter?
Resources:
“The Who, What, Where, When, Why and How of Effective Threat Hunting”
Awesome Threat Detection and Hunting
“My “Aha!” Moment - Methods, Tips, & Lessons Learned in Threat Hunting” video
NIST Computer Security Incident Handling Guide 800-61
“Threat Hunting Is Not for Everyone” (2020)
“Formulating An Intelligence-Driven Threat Hunting Methodology” video

Feb 6, 2023 • 29min
EP107 How Google Secures Its Google Cloud Usage at Massive Scale
Guest: Karan Dwivedi, Security Engineering Manager, Enterprise Infrastructure Protection @ Google Cloud
Topics:
Google’s use of Google Cloud is a massive cloud environment with wildly diverse use cases. Could you share, for our listeners, a few examples of the different kinds of things we’re running in GCP?
Given that we’re doing these wildly different things in GCP, how do we think about scaling the right security guardrails to the right places in our GCP org?
How do you work with application engineering teams and project owner teams to make sure the right controls are there but not getting in the way of business?
How do we scale this exemption management process? Are there things we do here that don’t make sense at a smaller scale? Are there emergent challenges that only we would face?
How do you correctly federate security responsibilities between the central team defining policy and the constituent user teams actually using the platform?
Burnout is a perennial challenge for security teams–what’re you doing to keep your people happy and engaged?
Resources:
“How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75)
““Hacking Google”, Op Aurora and Insider Threat at Google” (ep91)
Google Cloud security foundations guide