Cloud Security Podcast by Google

Guest: David Seidman, Head of Detection and Response @ Robinhood Toipics: Tell us about joining Robinhood and prioritizing focus areas for detection in your environment? Tim and Anton argue a lot about what kind of detection is best - fully bespoke and homemade, or scalable off-the-shelf. First, does our framework here make sense, and second, looking at your suite of detection capabilities, how have you chosen to prioritize detection development and detection triage? You're operating in AWS: there are a lot of vendors doing detection in AWS, including AWS themselves. How have you thought about choosing your detection approaches and data sources? Finding people with as much cloud expertise as you can't be easy: how are you structuring your organization to succeed despite cloud detection and response talent being hard to find? What matters more: detection skills or cloud skills? What has been effective in ramping up your D&R team in the cloud? What are your favorite data sources for detection in the cloud? Resources: "Detection as Code? No, Detection as COOKING!" "On Threat Detection Uncertainty" "Radical Candor" by Kim Scott "Daring Greatly" by Brene Brown "Extreme Ownership" by Jocko Willink "Drive" by Daniel Pink

Guest: Ana Oprea, Staff Security Engineer, European Lead of Vulnerability Coordination Center @ Google Topics: What is the scope for the vulnerability management program at Google? Does it cover OS, off-the-shelf applications, custom code we wrote … or all of the above? Our vulnerability prioritization includes a process called "impact assessment." What does our impact assessment for a vulnerability look like? How do we prioritize what to remediate? How do we decide on the speed of remediation needed? How do we know if we've done a good job? When we look backwards, what are our critical metrics (SLIs and SLOs) and how high up the security stack is the reporting on our progress? What of the "Google Approach" should other companies not try to emulate? Surely some things work because of Google being Google, so what are the weird or surprising things that only work for us? Resources: SRS Book, Chapter 20: Understanding Roles and Responsibilities and Chapter 21: Building a Culture of Security and Reliability Why Google Stores Billions of Lines of Code in a Single Repository SRE book and SRE Workbook "How Google Secures It's Google Cloud Usage at Massive Scale" (ep107) "Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance" (ep66) "How We Scale Detection and Response at Google: Automation, Metrics, Toil" (ep75)

Guest: John Stoner, Principal Security Strategist @ Google Cloud Topics: Please define threat hunting for us quickly, the term has been corrupted a bit What are your favorite beginner hunts to jump start the effort at a new team? How to incorporate hunting lessons in detection? What are the differences for hunting in the cloud? Are there specific data sources you prefer to have access to when threat hunting? In the cloud? Should every organization threat hunt? What are traits you might look for in a threat hunter? Resources: "The Who, What, Where, When, Why and How of Effective Threat Hunting" Awesome Threat Detection and Hunting "My "Aha!" Moment - Methods, Tips, & Lessons Learned in Threat Hunting" video NIST Computer Security Incident Handling Guide 800-61 "Threat Hunting Is Not for Everyone" (2020) "Formulating An Intelligence-Driven Threat Hunting Methodology" video

Guest: Karan Dwivedi, Security Engineering Manager, Enterprise Infrastructure Protection @ Google Cloud Topics: Google's use of Google Cloud is a massive cloud environment with wildly diverse use cases. Could you share, for our listeners, a few examples of the different kinds of things we're running in GCP? Given that we're doing these wildly different things in GCP, how do we think about scaling the right security guardrails to the right places in our GCP org? How do you work with application engineering teams and project owner teams to make sure the right controls are there but not getting in the way of business? How do we scale this exemption management process? Are there things we do here that don't make sense at a smaller scale? Are there emergent challenges that only we would face? How do you correctly federate security responsibilities between the central team defining policy and the constituent user teams actually using the platform? Burnout is a perennial challenge for security teams–what're you doing to keep your people happy and engaged? Resources: "How We Scale Detection and Response at Google: Automation, Metrics, Toil" (ep75) ""Hacking Google", Op Aurora and Insider Threat at Google" (ep91) Google Cloud security foundations guide

Guest: Anoosh Saboori, former Product Manager at Google Cloud Topics: We had zero trust episodes before and definitions vary! When we say zero trust, what do we mean? What about zero trust for workloads in production? When you say "workload," what do you mean? What is BeyondProd, for those that are unfamiliar with it? And how is this different from BeyondCorp? How has BeyondProd actually been implemented at Google? What threats does it help with? Is this real threats or compliance? Why is now a good time to be thinking about zero trust for production systems? Companies have many security tools deployed, including microsegmentation and firewalls, how does this toolset fit? Does it replace anything they have deployed? Resources: BeyondProd papers "Zero Trust: Fast Forward from 2010 to 2021" (ep8) "Gathering Data for Zero Trust" (ep4) "Google Workspace Security: from Threats to Zero Trust" (ep99) "Zero Trust: So Easy Even a Government Can Do It?" (ep59) "Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance" (ep66)

Guest: Michele Chubirka, Senior Cloud Security Advocate, Google Cloud Topics: We are here to talk about cloud migrations and we are here to talk about failures. What are your favorites? What are your favorite cloud security process failures? What are your favorite cloud security technical failures? What are your favorite cloud security container and k8s failures? Is "lift and shift" always wrong from the security point of view? Can it at least work as step 1 for a full cloud transformation? Resources: "Automate and/or Die?" (ep3) "More Cloud Migration Security Lessons" (ep18) "The Magic of Cloud Migration: Learn Security Lessons from the Field" (ep55) "Preparing for Cloud Migrations from a CISO Perspective, Part 1" (ep5) "Cloud Migrations: Security Perspectives from The Field" (ep33) "Dune" by Frank Herbert "The Science of Organizational Change" by Paul Gibbons "Servant Leadership: A Journey into the Nature of Legitimate Power and Greatness" by Robert K. Greenleaf "Finding the Sweet Spot for Change" State of Devops (DORA) Report 2022

Guest: Gary Hayslip, CISO at Softbank Topics: "So we're talking about your journey as a CISO migrating to Cloud. Could you give us the 30 second overview of What triggered your organization's migration to the cloud? When did you and the security organization get brought in? How did you plan your security organization's journey to the cloud? Did you take going to cloud as an opportunity to change things beyond the tools you were using? As you got going into the cloud, what was the hardest part for your organization? If that was hardest, what was most surprising? Good surprise and bad surprise? Let's shift to some tactical gears: How did you design security controls for the cloud? Did your data security practice change? Did your detection / response practice change? How has the CISO role evolved and is evolving due to the cloud? Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be? Resources: "CISO Desk Reference Guide" book by Gary Hayslip "The Essential Guide to Cybersecurity for SMBs" book by Gary Hayslip "Develop Your Cybersecurity Career Path" book by Gary Hayslip

Guest: Nader Zaveri, Senior Manager of IR and Remediation at Mandiant, now part of Google Cloud Topics: Could we start with a story of a cloud incident response (IR) failure and where things went wrong? What should that team have done to get it right? Are there skills that matter more in cloud incidents than they do for on-prem incidents? Are there on-prem instincts that will lead incident responders astray in cloud? What 3 things an IR team leader needs to do to prepare his team for IR in the cloud? Are there on-premise tools that can stay on prem and not join us in the cloud? What processes should we leave behind? Keep with us? What logs and context should we prepare for cloud IR? What access should we have behind "break glass"? While doing IR, what things should we look at in the cloud logs (which logs, also?) to expedite the investigation? Resources: "How to Cloud IR or Why Attackers Become Cloud Native Faster?" (ep98) "How to prepare for detection & response in the cloud" Google Cloud Next 2022 presentation "Security Incident Response in the Cloud: A Few Ideas" blog GCP Cloud Logging "Security at Scale: Logging in AWS" paper "AWS Security Incident Response Whitepaper" paper

Guest: Sunil Potti, VP / GM, Google Cloud Topics: One of the biggest shifts we've noticed is the shift from building security because we think security is good, to building security as a business. How did you make that cultural shift happen in our organization? With organizations migrating to cloud we have a set of tradeoffs between meeting security teams where they are with on-prem expectations of security vs cloud-native approaches. How do you think about investing in next generation products vs holding the hands of CISOs just stepping into the cloud? What matters more to you as a leader, secure cloud (GCP, Workspace) or security products (Chronicle SecOps, BCE, SCC, etc)? Is invisible security the same as "building security in"? Aren't there security controls where the value is derived from them being visible to users? Mandiant brings services expertise to Google Cloud, typically not our strong area and not our DNA, how do we plan to make the most of Mandiant within Google's culture? Resources: Simon Sinek "Start With Why" book

Guest: Jim Higgins, CISO at Snap, former CISO at Square Topics: You were at Google for a long time, and at Google you sat between Google security and Cloud. Now that you're leading security for a major company, how are you prioritizing your focus between your on-premise resources and your cloud resources? How are you thinking about threat detection in the Cloud? In detection, how has your technology changed? How has your process changed? What threats do you mostly focus on? Why don't we talk about the role of automation in detection and response (D&R)? How do you approach automation and eliminating toil? As you're scaling teams, processes and technology for your cloud footprint, what has been easiest to get right and what's been hardest to get right? How do you approach measuring security? What cloud metrics are you sharing upwards to your board? Resources: BeyondCorp Enterprise "Ghost in the Wires: My Adventures as the World's Most Wanted Hacker" book