Cloud Security Podcast by Google

Guest: Thiébaut Meyer, Director at Office of the CISO, Google Cloud Topics: Virtualization's arrival caused a major IT upheaval 20 years ago. What can we learn from that revolution for our current cloud transformation? We talk about our three legged security stool of people/process/technology. How do we balance the technical issues (new technology stack, etc.) with the new processes (agile, etc) and the skills? What are the cultural and people transformation differences between the virtualization and cloud revolutions? We do recall how PCI DSS was disrupted by virtualization.  So, how does regulation play into this change - back then and now with the cloud? How do we change the minds of regulators who still think that cloud is a risk to mitigate, rather than a way to mitigate others risks better? Resources: “8 Megatrends drive cloud adoption—and improve security for all” blog “Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity” Transform with Google Cloud  Google Cybersecurity Action Team

Guest:  Steve McGhee, Reliability Advocate, Google Cloud Topics: What can security teams  learn from the Site Reliability Engineering (SRE) art of rapid and safe deployment? Is this all about the process or do SREs possess some magical technology to do this? What is SRE approach to automation? What are the pillars / components of SRE approach to deployment? SRE is also about scaling. Some security teams have to manage 1000s of detection rules, how can this be done in a manner that does not conflict or cause other problems? Resources: Google SRE book A companion Google SRE workbook “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75) “Achieving Autonomic Security Operations: Why metrics matter (but not how you think)” blog “Achieving Autonomic Security Operations: Reducing toil” blog.

Guest: Alex Polyakov, CEO of Adversa.ai Topics: You did research by analyzing 2000 papers on AI attacks released in the previous decade. What are the main insights? How do you approach discovering the relevant threat models for various AI systems and scenarios?  Which threats are real today vs in a few years? What are the common attack vectors? What do you see in the field of supply chain attacks on AI, software supply, data? All these reported cyberphysical attacks on computer vision, how real are they, and what are the possible examples of exploitation? Are they a real danger to people? What are the main differences between protecting AI vs protecting traditional enterprise applications? Who should be responsible for Securing AI? What about for building trustworthy AI? Given that the machinery of AI is often opaque, how to go about discovering vulnerabilities? Is there responsible disclosure for AI vulnerabilities, such as in open-source models and in public APIs?  What should companies do first, when embarking on an AI security program? Who should have such a program? Resources: “EP52 Securing AI with DeepMind CISO” (ep52) “EP68 How We Attack AI? Learn More at Our RSA Panel!” (ep68) Adversarial AI attacks work on Humans (!) “Maverick* Research: Your Smart Machine Has Been Conned! Now What?” (2015) “The Road to Secure and Trusted AI” by Adversa AI “Towards Trusted AI Week 37 – What are the security principles of AI and ML?”  Adversa AI blog AIAAIC Repository Machine Learning Security Evasion Competition at MLSec

Guest:  Badr Salmi, Product Manager for reCAPTCHA Topics: What is reCAPTCHA? Aren’t you guys the super annoying 'click on the busses' thing? What is account defender? Why was this a natural next step for you? What are the actual threats that this handles - and handles well? Specific web attacks? Web fraud? Let’s talk about account fraud, what do these attacks look like and how do bad guys monetize today? What about payment fraud? Could you score a payment session as well as a login session risk, or is that different?  How does this work with multi factor authentication? Recommended reading: “Code” book Recapcha page “Protect your users’ accounts with reCAPTCHA Enterprise’s account defender” blog “Double-clicking, but not on fire hydrants, with bot fighters” (ep19)

Guest: Dimitri McKay,  Principal Security Strategist @ Splunk Topics: How do you define that "XDR thing" that you are so skeptical about? So within that definition of XDR, you think it’s not so great, why? If you have to argue pro-XDR, what would you say? Two main XDR camps are “XDR as EDR+” and “XDR as SIEM-”, which camp do you think is more right? Are both wrong? What approach do you think is more useful as a lens to understand the potential upsides/downsides of XDR? What about the cloud? "Cloud XDR" seems a bit illogical, but what do you think is the future of D&R in the cloud? Resources: “Anton and The Great XDR Debate, Part 1” “Anton and The Great XDR Debate, Part 2” “Anton and The Great XDR Debate, Part 3” SURGe content on splunk blog “Today, You Really Want a SaaS SIEM!” Red Canary 2022 Threat Detection report Verizon DBIR 2022 report.

Guest:  Christopher “CJ” Johnson, retired Fire Chief, and Global Regulated Cloud Product Lead @ Google Cloud Topics: In political science, they define sovereignty as a local monopoly on the legitimate use of force. Why are we talking about “sovereignty” in IT? What is a sovereign cloud?  How much of the term is marketing vs engineering? Who cares or should care about sovereign cloud? Is this about technical controls or paper/policy controls? Or both? What is the role for encryption and key management and key access justifications (like say Google Cloud EKM with KAJ) for sovereign cloud? Is sovereign cloud automatically more secure or at least has better data security? What threat models are considered for sovereign cloud technologies? Resources: Google Cloud External Key Manager (EKM)  “Trust Google Cloud more with ubiquitous data encryption” blog “Software-Defined community cloud - a new way to “Government Cloud”” blog

Guest: David Stone,  Staff Consultant  at Office of the CISO, Google Cloud Topics: Speaking as a former CISO, what triggered your organization migration to the cloud? When did you and the security organization get brought in? How did you plan your security organization journey to the cloud? Did you take going to Cloud as an opportunity to change things beyond the tools you were using?  As you got going into the cloud, what was the hardest part for your organization ? What was most surprising? Good surprise and bad surprise? How did you design security controls for the cloud? How do you validate and verify security controls in the cloud?  How did you incorporate your cloud environment into your SOC’s responsibility Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be? Resources: “How CISOs need to adapt their mental models for cloud security” “Megatrends drive cloud adoption—and improve security for all” “EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security“ (ep47) “CISO’s Guide to Cloud Security Transformation“ paper [PDF] Google SRE book GCAT site

Guest:  John Stone,  Chaos Coordinator @ Office of the CISO, Google Cloud Topics: So what is Autonomic Data Security, described in our just released paper?  What are some notorious data security issues today? Perhaps common data security mistakes security leaders commit? What never worked in data security, like say manual data classification? How should organizations think about securing the data they migrated and the data that was created in the cloud? Do you really believe the cloud can make data security better than data security in traditional environments? Resources: “Modern Data Security: A path to autonomic data security” paper (NEW) “How autonomic data security can help define cloud’s future” blog “Megatrends drive cloud adoption—and improve security for all” blog “Modernizing SOC ... Introducing Autonomic Security Operations” blog “Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper “Zero Trust: Fast Forward from 2010 to 2021” (ep8) “Data Security in the Cloud” (ep2) and the resource. “Modern Data Security Approaches: Is Cloud More Secure?” (ep16) “Reflections on Trusting Trust” paper (1984).

Guest: Gorka Sadowski,  Chief Strategy Officer @ Exabeam Topics: How do we get a legacy SOC team to think about the cloud? How to think about cloud threat detection, in general? What is different … threats, the environment, what else? What is the same?  How do we know which TTPs are relevant for the new environments? What to bring with us to the cloud? Do content/rules and detection engines need to be different to cover the cloud detection use cases? What cases are appropriate for machine learning (ML) in the cloud? Does cloud threats drive the need for new ML detections? Resources: “11 Strategies of a World-Class Cybersecurity Operations Center” paper “Autonomic Security Operations: How to 10X Your SOC” paper “Indicators Of Compromise Vs. Tactics, Techniques, And Procedures” blog “How to Build and Operate a Modern Security Operations Center” (Gartner subscription required) “A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next” blog

Guest: Cyrus Robinson, SOC Director and IR Team lead at Ingalls Information Security Topics: You’ve been using SOAR tools for years, so what do you think of the technology so far? What is driving SOAR adoption today? And what is inhibiting SOAR adoption? Realistically, how hard is SOAR to operationalize for a typical company? What are your favorite SOAR playbooks to start with? How to build, train and keep the SOAR team? Do they need to code to succeed? We like the SOAR maturity model approach. How would you imagine a SOAR adoption maturity model? How to implement SOAR from scratch in scaling operations? How to start? How to plan? How to not fail? Resources: “A Simple SOAR Adoption Maturity Model” blog  “Planning Is Paramount When Adopting SOAR” blog Siemplify community version