

Cloud Security Podcast by Google
Anton Chuvakin
Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure.
We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit.
We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.
Episodes

Jul 25, 2022 • 30min
EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?
Guest: Ben Johnson, CTO/co-founder @ Obsidian Security
Topics:
- Why is there so much attention lately on SaaS security? Doesn’t this area date back to 2015 or so?
- What do you see as the primary challenges in securing SaaS? What does a SaaS threat model look like? What are the top threats you see?
- CASB has been the fastest growing security market and has grown into a broad platform, and many assume that “securing SaaS = using CASB”. What are they missing?
- Where would another technology to secure SaaS fit architecturally: inline with CASB, or as another API-based system?
- Securing IaaS spawned a robust ecosystem of vendors (CWPP, CSPM, now CNAPP), and many of these have ambitions for securing SaaS, thus clashing with CASB. Where do you fit in this battle?
- For a while, you were talking more about CDR. What is it, and do we really need a separate CDR technology?
Resources:
- Obsidian Security blog and Resource Center
- “Does the World Need Cloud Detection and Response (CDR)?” blog
- “Does the world need Cloud Detection and Response (CDR) as a new market segment?” poll
- MITRE ATT&CK for SaaS matrix
- CISA SCUBA resource
- “Essentialism” book

Jul 18, 2022 • 27min
EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
Guest: Tim Nguyen, Director of Detection and Response @ Google
Topics:
- I know we don’t like to say “SOC” here, so why don’t we talk about the role of automation in detection and response (D&R) at Google?
- One SRE concept we found useful in security operations is “toil”. How do we squeeze toil out of D&R practice at Google?
- A combined analyst and engineer role (just like an SRE) was critical for both increasing automation and reducing toil. How hard was it to put this into practice? Tell us about that journey.
- How do we automate security signal analysis? Can you give us a few examples?
- D&R metrics have been a big pain point for many organizations. How does SRE thinking about SLOs and SLIs (and less about SLAs) help us in our “not SOC”?
- How do we avoid falling into the “time to respond” trap that rewards fast response, sometimes at the cost of good response?
Resources:
- SRE book, Chapter 5: Eliminating Toil
- SRE book, Chapter 4: Service Level Objectives
- “Building Secure and Reliable Systems” book
- “Achieving Autonomic Security Operations: Automation as a Force Multiplier”
- “Achieving Autonomic Security Operations: Reducing toil”
- “Taking an autonomic approach to security operations” video
- “Modern Threat Detection at Google” (ep17)

Jul 11, 2022 • 27min
EP74 Who Will Solve Cloud Security: A View from Google Investment Side
Guest: James Luo, Partner @ CapitalG
Topics:
- You've looked at hundreds of security startups at the growth stage: what is getting funded? What is not getting funded? What is the difference?
- What's your view on the current market environment for security companies? Is security "recession-proof", whatever that means?
- How do you think about which problems are worth solving with a new venture vs. existing vendors (and/or CSPs) expanding to cover the new area?
- Why do many cloud security vendors get funded and get high valuations while there is a wide perception that CSPs (like us at Google) are doing security really well?
- How do we solve the challenge that many organizations are barely moving off the “antivirus and firewalls” security of the 1990s?
- What is your best advice to cloud security startups trying to get wider adoption?
Resources:
- “Demystifying ‘Shared Fate’: A New Approach To Understand Cybersecurity”
- CapitalG blog

Jul 5, 2022 • 28min
EP73 Your SOC Is Dead? Evolve to Output-driven Detect and Respond!
Guest: Erik Bloch, Senior Director of Detection and Response at Sprinklr
Topics:
- You recently coined the concept of “output-driven Detection and Response” and perhaps the even broader “output-driven security.” What is it and how does it work?
- Detection and response is alive (obviously), but sometimes you say the SOC is dead. What do you mean by that?
- You refer to a “federated approach for Detection and Response” (“route the outcomes to the teams that need them or can address them”), but is it workable for any organization? What about the separation-of-duty concerns that some raise in response to this? What about organizations that don’t have any security talent in those teams?
- Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise-focused organization use it?
- The model of “security team as a decision-maker, not an implementer” has a bit of a painful history, as this is what led to “GRC-only teams” who lack any technical knowledge. Why will this approach work this time?
Resources:
- “RIP SOC. Hello D-IR”
- “Kill your SOC with a D-IR model”
- “Security De-Engineering: Solving the Problems in Information Risk Management” book
- “A SOCless Detection Team at Netflix”
- “Achieving Autonomic Security Operations: Automation as a Force Multiplier”
- “Start with Why: How Great Leaders Inspire Everyone to Take Action” book
- “Think Like a Monk: The Secret of How to Harness the Power of Positivity and Be Happy Now” book
- “On ‘Output-driven’ SIEM”
- “SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond” (ep58)

Jun 27, 2022 • 32min
EP72 What Does Good Detection and Response Look Like in the Cloud? Insights from Expel MDR
Guests: Dave “Merk” Merkel, CEO @ Expel; Peter Silberman, CTO @ Expel
Topics:
- Many MDRs claim to be “security from the cloud”, but they actually don’t know much about cloud security. What does good look like for MDR in the cloud (cloud being the full range from IaaS to SaaS)?
- What are the key challenges for clients picking an MDR for their cloud environments? What are the questions to ask your potential MDR?
- Do clients want the same security outcomes in the cloud vs. on-premise? Does it mean that MSSP/MDR capabilities must be different for good coverage of the cloud?
- Is MDR technology different for cloud detection and response as opposed to on-prem D&R?
- How do you communicate with clients about the importance and value of cloud-specific detection vs. detection for endpoints running in the cloud?
- What are the top threats against client cloud environments that you see, detect and protect from?
- Which clouds (IaaS?) are easiest for MDR to protect? What makes them easier to handle than the other clouds?
Resources:
- “Who Does What In Cloud Threat Detection?”
- “How to Think about Threat Detection in the Cloud”
- Cattle vs Pets reminder
- Expel blog: “Incident report: Spotting an attacker in GCP”
- Expel: “Great eXpeltations 2022: Cybersecurity trends and predictions”
- Expel Quarterly Threat Report: Q1 2022

Jun 21, 2022 • 23min
EP71 Attacking Google to Defend Google: How Google Does Red Team
Guest: Stefan Friedli, Senior Security Engineer @ Google
Topics:
- What is our “red team” testing philosophy and approach at Google? How did we evolve to this approach?
- What is the path from testing to making Google and our users more secure? How does our testing power the improvements we make?
- What is unique about red teaming at Google?
- Care to share some fun testing stories or examples from your experience?
Resources:
- “Building Secure & Reliable Systems” book (free)
- Threat Analysis Group (TAG) blog

Jun 16, 2022 • 23min
EP70 Special - RSA 2022 Reflections - Securing the Past vs Securing the Future
Guests: none
Topics:
- What have we seen at the RSA 2022 Conference?
- What was the most interesting and unexpected? What was missing?
Resources:
- “RSA 2022 Musings: The Past and The Future of Security”
- Google Cloud Security at RSA 2022

Jun 13, 2022 • 30min
EP69 Cloud Threats and How to Observe Them
Guest: James Condon, Director of Security Research @ Lacework
Topics:
- What are realistic and actually observed cloud threats today? How did you observe them at Lacework?
- Cloud threats: are they on-premise-style threats to cloud assets? We hate the line “cloud is just somebody else’s computer”, but apparently threat actors seem to think so?
- What is the second most dangerous cloud issue after configuration mistakes?
- Why is it so common for organizations to have insecure configurations in their cloud environments? Give me a few examples of the most common mistakes organizations make, and what they can do to avoid those configurations.
- Cloud malware and ransomware / RansomOps: are these real risks today? Are we finally seeing the rise of Linux malware at scale (in the cloud)?
- As multi-cloud expands in popularity, what are threat actors doing in this area? Are actors customizing their attacks on a per-cloud basis (AWS, GCP, Azure)?
Resources:
- Lacework 2022 Cloud Threat Report
- “Securing DevOps: Security in the Cloud” book
- “Threat Models and Cloud Security” (ep12)
- Google Threat Horizons Report #1
- Google Threat Horizons Report #2

Jun 6, 2022 • 28min
EP68 How We Attack AI? Learn More at Our RSA Panel!
Guest: Nicholas Carlini, Research Scientist @ Google
Topics:
- What is your threat model for a large-scale AI system? How do you approach this problem?
- How do you rank the attacks? How do you judge if an attack is something to mitigate? How do you separate realistic from theoretical?
- Are there AI threats that were theoretical in 2020 but may become a daily occurrence in 2025?
- What are the threat-derived lessons for securing AI? Do we practice the same or different approaches for secure AI and reliable AI?
- How does the relative lack of transparency in AI help (or hurt?) attackers and defenders?
Resources:
- “Red Teaming AI Systems: The Path, the Prospect and the Perils” at RSA 2022
- “Killed by AI Much? A Rise of Non-deterministic Security!”
- Books on Adversarial ML

May 31, 2022 • 26min
EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?
Guest: Sounil Yu, CISO and Head of Research at JupiterOne
Topics:
- How does your Cyber Defense Matrix apply to cloud security? Are things easier or harder?
- Cloud (at least the cloudy-cloud, also called cloud native) definitely supports “Distributed, Immutable, Ephemeral” (DIE), your new creation. How does that change security and the CDM?
- Cyber resilience generates a lot of confusion. How do you define and describe it? By the way, is the cloud more or less cyber resilient based on your definition?
- Is invisible security a good thing? Can we ever have it? When should security be visible?
- Intuitively, security and safety are not the same. So, what is the difference between cyber safety and cyber security? What is cyber safety, really?
Resources:
- Cyber Defense Matrix
- Security DIE Triad
- “Container Security: The Past or The Future?” (ep54)
- “This Binary Legit? How Google Uses Binary Authorization and Code Provenance” (ep66)
- “What is the useful definition of ‘cyber resilience’?” poll
- “Is the cloud just somebody else’s computer?” poll
- Cattle vs Pets: DevOps Explained
- Gartner CIA-PSR model
- The 2022 State of Cyber Assets Report
- “Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape”
- “Antifragile” book
- “Thinking, Fast and Slow” book
- “Security Chaos Engineering” book