Cloud Security Podcast by Google

Anton Chuvakin
Jan 30, 2023 • 26min

EP106 Beyond BeyondProd - How Do You Zero Trust Your Workloads?

Guest: Anoosh Saboori, former Product Manager at Google Cloud

Topics:
We had zero trust episodes before and definitions vary! When we say zero trust, what do we mean?
What about zero trust for workloads in production? When you say “workload,” what do you mean?
What is BeyondProd, for those that are unfamiliar with it? And how is this different from BeyondCorp?
How has BeyondProd actually been implemented at Google?
What threats does it help with? Are these real threats, or is this about compliance?
Why is now a good time to be thinking about zero trust for production systems?
Companies have many security tools deployed, including microsegmentation and firewalls. How does this toolset fit? Does it replace anything they have deployed?

Resources:
BeyondProd papers
“Zero Trust: Fast Forward from 2010 to 2021” (ep8)
“Gathering Data for Zero Trust” (ep4)
“Google Workspace Security: from Threats to Zero Trust” (ep99)
“Zero Trust: So Easy Even a Government Can Do It?” (ep59)
“Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance” (ep66)
Jan 23, 2023 • 29min

EP105 Security Architect View: Cloud Migration Successes, Failures and Lessons

Guest: Michele Chubirka, Senior Cloud Security Advocate, Google Cloud

Topics:
We are here to talk about cloud migrations, and we are here to talk about failures. What are your favorites?
What are your favorite cloud security process failures?
What are your favorite cloud security technical failures?
What are your favorite cloud security container and k8s failures?
Is "lift and shift" always wrong from the security point of view?
Can it at least work as step 1 for a full cloud transformation?

Resources:
“Automate and/or Die?” (ep3)
“More Cloud Migration Security Lessons” (ep18)
“The Magic of Cloud Migration: Learn Security Lessons from the Field” (ep55)
“Preparing for Cloud Migrations from a CISO Perspective, Part 1” (ep5)
“Cloud Migrations: Security Perspectives from The Field” (ep33)
"Dune" by Frank Herbert
"The Science of Organizational Change" by Paul Gibbons
"Servant Leadership: A Journey into the Nature of Legitimate Power and Greatness" by Robert K. Greenleaf
"Finding the Sweet Spot for Change"
State of DevOps (DORA) Report 2022
Jan 16, 2023 • 25min

EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen!

Guest: Gary Hayslip, CISO at Softbank

Topics:
We're talking about your journey as a CISO migrating to cloud. Could you give us the 30-second overview:
What triggered your organization's migration to the cloud?
When did you and the security organization get brought in?
How did you plan your security organization's journey to the cloud?
Did you take going to cloud as an opportunity to change things beyond the tools you were using?
As you got going into the cloud, what was the hardest part for your organization? If that was the hardest, what was most surprising? Good surprise and bad surprise?
Let’s shift to some tactical gears: How did you design security controls for the cloud? Did your data security practice change? Did your detection / response practice change?
How has the CISO role evolved, and how is it still evolving, due to the cloud?
Having covered all that tactical terrain, one final strategic question: is moving to cloud a net risk reduction? Can it be?

Resources:
“CISO Desk Reference Guide” book by Gary Hayslip
“The Essential Guide to Cybersecurity for SMBs” book by Gary Hayslip
“Develop Your Cybersecurity Career Path” book by Gary Hayslip
Jan 9, 2023 • 24min

EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

Guest: Nader Zaveri, Senior Manager of IR and Remediation at Mandiant, now part of Google Cloud

Topics:
Could we start with a story of a cloud incident response (IR) failure and where things went wrong? What should that team have done to get it right?
Are there skills that matter more in cloud incidents than they do for on-prem incidents? Are there on-prem instincts that will lead incident responders astray in cloud?
What 3 things does an IR team leader need to do to prepare his team for IR in the cloud?
Are there on-premise tools that can stay on prem and not join us in the cloud? What processes should we leave behind? Keep with us?
What logs and context should we prepare for cloud IR? What access should we have behind “break glass”?
While doing IR, what things should we look at in the cloud logs (and which logs?) to expedite the investigation?

Resources:
“How to Cloud IR or Why Attackers Become Cloud Native Faster?” (ep98)
“How to prepare for detection & response in the cloud” Google Cloud Next 2022 presentation
“Security Incident Response in the Cloud: A Few Ideas” blog
GCP Cloud Logging
“Security at Scale: Logging in AWS” paper
“AWS Security Incident Response Whitepaper” paper
Dec 19, 2022 • 25min

EP102 Sunil Potti on Building Cloud Security at Google

Guest: Sunil Potti, VP / GM, Google Cloud

Topics:
One of the biggest shifts we’ve noticed is the shift from building security because we think security is good, to building security as a business. How did you make that cultural shift happen in our organization?
With organizations migrating to cloud we have a set of tradeoffs between meeting security teams where they are with on-prem expectations of security vs cloud-native approaches. How do you think about investing in next generation products vs holding the hands of CISOs just stepping into the cloud?
What matters more to you as a leader, secure cloud (GCP, Workspace) or security products (Chronicle SecOps, BCE, SCC, etc.)?
Is invisible security the same as “building security in”? Aren’t there security controls where the value is derived from them being visible to users?
Mandiant brings services expertise to Google Cloud, typically not our strong area and not our DNA. How do we plan to make the most of Mandiant within Google’s culture?

Resources:
Simon Sinek “Start With Why” book
Dec 12, 2022 • 25min

EP101 Cloud Threat Detection Lessons from a CISO

Guest: Jim Higgins, CISO at Snap, former CISO at Square

Topics:
You were at Google for a long time, and at Google you sat between Google security and Cloud. Now that you're leading security for a major company, how are you prioritizing your focus between your on-premise resources and your cloud resources?
How are you thinking about threat detection in the Cloud? In detection, how has your technology changed? How has your process changed? What threats do you mostly focus on?
Why don’t we talk about the role of automation in detection and response (D&R)? How do you approach automation and eliminating toil?
As you're scaling teams, processes and technology for your cloud footprint, what has been easiest to get right and what's been hardest to get right?
How do you approach measuring security? What cloud metrics are you sharing upwards to your board?

Resources:
BeyondCorp Enterprise
“Ghost in the Wires: My Adventures as the World's Most Wanted Hacker” book
Dec 5, 2022 • 33min

EP100 2022 Accelerate State of DevOps Report and Software Supply Chain Security

Guests:
John Speed Meyers, Security Data Scientist, Chainguard
Todd Kulesza, User Experience Researcher, Google

Topics:
How did you get involved with this year’s Accelerate State of DevOps Report (DORA report)?
So what is DORA and why did you decide to focus on supply chain security for the 2022 report?
What are the big learnings from this year’s report?
What’s the difference between SLSA and SSDF? Is one spicy and the other savory? How are companies adopting these and how is adoption going?
Are there other areas where DevOps can be a contributor in the overall security landscape? How can CISOs rope DevOps fully into their security gang?
Operationally, how should security and developers and DevOps come together to keep vulnerabilities out in the first place?
How should security and developers and DevOps come together to respond quickly to vulnerabilities when they’re discovered?
How do security and developers and DevOps come together to prove to their auditors and customers that they’re doing a good job of the above?

Resources:
2022 Accelerate State of DevOps Report
"New insights for defending the software supply chain" blog (and new report)
SLSA.dev site
Secure Software Development Framework at NIST
“Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24)
“Sharing The Mic In Cyber with STMIC Hosts Lauren and Christina: Representation, Psychological Safety, Security” (ep92)
Go vulncheck tool
“Reflections on Trusting Trust” paper (1984)
Nov 28, 2022 • 23min

EP99 Google Workspace Security: from Threats to Zero Trust

Guests:
Nikhil Sinha, Group Product Manager, Workspace Security
Kelly Anderson, Product Marketing Manager, Workspace Security

Topics:
We are talking about Google Workspace security today. What kinds of threats do we have to care about here?
Are there compliance-related motivations for security here too? Is compliance in the cloud changing?
How’s adoption of hardware keys for MFA going for your users, and how are you helping them? Is phishing finally solved because of that?
Can you explain why hardware security keys with FIDO/WebAuthn are such a step function compared to, say, RSA number-generator tokens?
Have there been assumptions in the Workspace security model we had to change because of WFH? And what changes with RTO and permanent hybrid?

Resources:
Google BeyondCorp Enterprise
“Make zero trust a reality with Google Workspace security solutions” Next 2022 video
“2021: Phishing is Solved?” (ep40)
“Zero Trust: Fast Forward from 2010 to 2021” (ep8)
Nov 21, 2022 • 27min

EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

Guests:
Matt Linton, Chaos Specialist @ Google
John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud

Topics:
Let’s talk about security incident response in the cloud. Back in 2014 when I [Anton] first touched on this, the #1 challenge was getting the data to investigate as cloud providers had few logs available. What are the top 2022 cloud incident response challenges?
Does cloud change the definition of a security incident? Is “exposed storage bucket” an incident? Is vulnerability an incident in the cloud?
What should I have in my incident response plans for the cloud? Should I have a separate cloud IR plan?
What is our advice on running incident response jointly with a CSP like us? How would 3rd party firms (like, well, Mandiant) work with a client and a CSP during an investigation?
We all read the Threat Horizons reports, but can you remind us of the common causes for cloud incidents we observed recently? What goals do the attackers typically pursue there?

Resources:
“Building Secure and Reliable Systems” book (especially ch. 14-16 and ch. 17)
Google Cybersecurity Action Team Threat Horizons Report #4 Is Out! (#3, #2, #1)
“Incident Plan vs Incident Planning?” blog (2013)
Nov 17, 2022 • 21min

Special: Coordinated Release of Detection Rules for CobaltStrike Abuse

Guest: Greg Sinclair, Security Engineer @ Google Cloud

Topics:
Could you tell us a bit about your background and how you ended up here at Google? Also, tell us about your team here.
We're very excited about the release of the CobaltStrike rules. Could you share more about what they are looking for and, second, why this is so valuable?
How did CobaltStrike come to be so widely used by bad guys?
When you were doing this research, what was the most surprising thing you uncovered?
Could you tell us about the coordinated disclosure aspects of this work?
In the past you've contributed research to our Threat Horizons reports. Could you tell us about that?

Resources:
“Making CobaltStrike harder for threat actors to abuse” blog
CobaltStrike YARA-L rules
CobaltStrike site
“Cobalt Strike Usage Explodes Among Cybercrooks”
Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!
Detection as Code? No, Detection as COOKING!