Cloud Security Podcast by Google

Guest: Phil Venables, Vice President and CISO at Google Cloud Topics: Google Cybersecurity Action Team is your brainchild and it is 1 year old, what comes to mind first when we reflect on this anniversary? The team is primarily about helping clients with security, what did we learn doing this for a year? What challenges have we (Google Cybersecurity Action Team) faced in our first year? We released 4 Threat Horizons reports this year, what is the future for this research here? We often hear that in the cloud we need to move away from products towards solutions, how does that work in security? Your famous 8 megatrends post is several months old - any new thoughts or changes coming to this concept? Recently you had a very interesting blog "Crucial Questions from CISOs and Security Teams", with a list of questions, can you share some of your thinking here? Resources: Security at Google Cloud Next 2022 Next Special - Log4j Reflections, Software Dependencies and Open Source Security Next Special - Improving Browser Security in the New Era of Work Next Special - Can We Escape Ransomware by Migrating to the Cloud? NEXT Special - Google Cybersecurity Action Team: What's the Story? (Next 2021 special episode) Modernizing SOC ... Introducing Autonomic Security Operations How autonomic data security can help define cloud's future Google Cloud Threat Horizons Report #1 #2 #3 #4 8 Megatrends drive cloud adoption—and improve security for all "Demystify Data Sovereignty and Sovereign Cloud Secrets at Google Cloud" (ep81) Crucial Questions from CISOs and Security Teams Google Cybersecurity Action Team

Guest: Nelly Kassem, Security and Compliance Specialist @ Google Cloud Topics: Why did ransomware attacks become so popular? What type of organizations are targeted by ransomware? Do these affect mostly the organizations with sub-par security? Ransomware has been raging since 2015 and shows few signs of subsiding. Why are these attacks still successful? Do we see ransomware in the cloud? Does migrating to the cloud protect you from ransomware? Which of Google Cloud tools are useful to fight ransomware? Resources: Security at Google Cloud Next 2022 Next Special - Log4j Reflections, Software Dependencies and Open Source Security Next Special - Improving Browser Security in the New Era of Work "Future of EDR: Is It Reason-able to Suggest XDR?" (ep29) "2021: Phishing is Solved?" (ep40) Mandiant M-Trends 2022 Google Cloud Threat Horizons Report #1 #2 #3 #4

Guest: Fletcher Oliver, Chrome Browser Customer Engineer, Google Topics: What is browser security? Isn't it just application security by another name? Why is browser security more important now than ever? Do we have statistical measures or data that tell us if we're succeeding at browser security? Do we know if we're doing a good job at making this better? What are the components of modern browser security? How does this work with an enterprise's existing stack? In fact, how does this work with the rest of Google's tooling? Resources: Security at Google Cloud Next 2022 NEXT Special - Log4j Reflections, Software Dependencies and Open Source Security Chrome releases blog Chrome Enterprise

Guest: Dr Nicky Ringland, Product Manager for Open Source Insights, Google Topics: Let's talk Open Source Software - are all these dependencies dependable? Why was log4j such a big thing - at a whole ecosystem level? Was it actually a Java / Maven problem? Are other languages "better" or more secure? Is another log4j inevitable? What can organizations to minimise their own risks? Resources: Google Cloud Next 2022 Open Source Insights at deps.dev Blog at blog.deps.dev with posts on Understanding the Impact of Apache Log4j Vulnerability and what happens After the Advisory Assured Open Source Software service

Guest: Thiébaut Meyer, Director at Office of the CISO, Google Cloud Topics: Virtualization's arrival caused a major IT upheaval 20 years ago. What can we learn from that revolution for our current cloud transformation? We talk about our three legged security stool of people/process/technology. How do we balance the technical issues (new technology stack, etc.) with the new processes (agile, etc) and the skills? What are the cultural and people transformation differences between the virtualization and cloud revolutions? We do recall how PCI DSS was disrupted by virtualization. So, how does regulation play into this change - back then and now with the cloud? How do we change the minds of regulators who still think that cloud is a risk to mitigate, rather than a way to mitigate others risks better? Resources: "8 Megatrends drive cloud adoption—and improve security for all" blog "Demystifying 'shared Fate' - A New Approach To Understand Cybersecurity" Transform with Google Cloud Google Cybersecurity Action Team

Guest: Steve McGhee, Reliability Advocate, Google Cloud Topics: What can security teams learn from the Site Reliability Engineering (SRE) art of rapid and safe deployment? Is this all about the process or do SREs possess some magical technology to do this? What is SRE approach to automation? What are the pillars / components of SRE approach to deployment? SRE is also about scaling. Some security teams have to manage 1000s of detection rules, how can this be done in a manner that does not conflict or cause other problems? Resources: Google SRE book A companion Google SRE workbook "How We Scale Detection and Response at Google: Automation, Metrics, Toil" (ep75) "Achieving Autonomic Security Operations: Why metrics matter (but not how you think)" blog "Achieving Autonomic Security Operations: Reducing toil" blog.

Guest: Alex Polyakov, CEO of Adversa.ai Topics: You did research by analyzing 2000 papers on AI attacks released in the previous decade. What are the main insights? How do you approach discovering the relevant threat models for various AI systems and scenarios? Which threats are real today vs in a few years? What are the common attack vectors? What do you see in the field of supply chain attacks on AI, software supply, data? All these reported cyberphysical attacks on computer vision, how real are they, and what are the possible examples of exploitation? Are they a real danger to people? What are the main differences between protecting AI vs protecting traditional enterprise applications? Who should be responsible for Securing AI? What about for building trustworthy AI? Given that the machinery of AI is often opaque, how to go about discovering vulnerabilities? Is there responsible disclosure for AI vulnerabilities, such as in open-source models and in public APIs? What should companies do first, when embarking on an AI security program? Who should have such a program? Resources: "EP52 Securing AI with DeepMind CISO" (ep52) "EP68 How We Attack AI? Learn More at Our RSA Panel!" (ep68) Adversarial AI attacks work on Humans (!) "Maverick* Research: Your Smart Machine Has Been Conned! Now What?" (2015) "The Road to Secure and Trusted AI" by Adversa AI "Towards Trusted AI Week 37 – What are the security principles of AI and ML?" Adversa AI blog AIAAIC Repository Machine Learning Security Evasion Competition at MLSec

Guest: Badr Salmi, Product Manager for reCAPTCHA Topics: What is reCAPTCHA? Aren't you guys the super annoying 'click on the busses' thing? What is account defender? Why was this a natural next step for you? What are the actual threats that this handles - and handles well? Specific web attacks? Web fraud? Let's talk about account fraud, what do these attacks look like and how do bad guys monetize today? What about payment fraud? Could you score a payment session as well as a login session risk, or is that different? How does this work with multi factor authentication? Recommended reading: "Code" book Recapcha page "Protect your users' accounts with reCAPTCHA Enterprise's account defender" blog "Double-clicking, but not on fire hydrants, with bot fighters" (ep19)

Guest: Dimitri McKay, Principal Security Strategist @ Splunk Topics: How do you define that "XDR thing" that you are so skeptical about? So within that definition of XDR, you think it's not so great, why? If you have to argue pro-XDR, what would you say? Two main XDR camps are "XDR as EDR+" and "XDR as SIEM-", which camp do you think is more right? Are both wrong? What approach do you think is more useful as a lens to understand the potential upsides/downsides of XDR? What about the cloud? "Cloud XDR" seems a bit illogical, but what do you think is the future of D&R in the cloud? Resources: "Anton and The Great XDR Debate, Part 1" "Anton and The Great XDR Debate, Part 2" "Anton and The Great XDR Debate, Part 3" SURGe content on splunk blog "Today, You Really Want a SaaS SIEM!" Red Canary 2022 Threat Detection report Verizon DBIR 2022 report.

Guest: Christopher "CJ" Johnson, retired Fire Chief, and Global Regulated Cloud Product Lead @ Google Cloud Topics: In political science, they define sovereignty as a local monopoly on the legitimate use of force. Why are we talking about "sovereignty" in IT? What is a sovereign cloud? How much of the term is marketing vs engineering? Who cares or should care about sovereign cloud? Is this about technical controls or paper/policy controls? Or both? What is the role for encryption and key management and key access justifications (like say Google Cloud EKM with KAJ) for sovereign cloud? Is sovereign cloud automatically more secure or at least has better data security? What threat models are considered for sovereign cloud technologies? Resources: Google Cloud External Key Manager (EKM) "Trust Google Cloud more with ubiquitous data encryption" blog "Software-Defined community cloud - a new way to "Government Cloud"" blog