Cloud Security Podcast by Google

Guests:  Alexi Wiemer,  Senior Manager at Deloitte Cyber Detection and Response Practice Dan Lauritzen,  Senior Manager at Deloitte Cloud Security Practice. Topics: What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in?  What is your best advice to SOCs that are permanently and woefully understaffed?  Many SOC analysts are drowning in manual work, and it is easy to give advice that “they   need to automate.” What does this actually entail, in real life? What is, in your view, the most critical technology for a modern SOC? Is it SIEM? Is it SOAR? Is it EDR?  What is the best advice for a SOC that was handed cloud on a platter and was told to monitor it for threats? Occasionally, we hear that “SOC is dead.” What is your response to such dire SOCless predictions?  Resources: “New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of 4)” “New Paper: “Future of the SOC: Forces shaping modern security operations”” “New Paper: “Future of the SOC: SOC People — Skills, Not Tiers”” “New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center”” “A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next” “Why Your Security Data Lake Project Will FAIL!”

Guest: Maddie Stone, Security Researcher @ Google Topics: How do we judge the real risk of being attacked using an exploit for a zero day vulnerability? Does the zero day risk vary by company, industry, etc?  What does pricing for zero days tell us, if anything? Are prices more driven by supply or demand these days? What security controls or defenses are useful against zero days including against chained zero days? Where are the cloud zero days? We get lots of attention on iOS and Android, what about the cloud platforms?  So, how do we solve the paradox of zero days, are they more scary than risky or more risky than scary? Or both? Resources: Project Zero blog  A walk through Project Zero metrics Threat Analysis Group (TAG) blog

Guest:  Erlander Lo, Security and Compliance Specialist @ Google Cloud Topics: Imagine you are planning a data warehouse in the cloud, how do you think about security? What are the expected threats to a large data store in the cloud? How to create your security approach for a data warehouse project? Are there regulations that force your decisions about security controls or  approaches, no matter what the threats are? How do you approach data governance for this project? What controls are there to implement in Google Cloud for a secure data warehouse effort? Resources: Secure Data Warehouse blueprint (other blueprints) Creativity Inc book “Data Governance: The Definitive Guide” book

Guests: Brandie Anderson, Global Security Practice Lead @ Google Cloud Renzo Cuadros,  Regional Security Practice Lead @ Google Cloud Topics: What are your Cloud migration security lessons? Greatest hits? Near misses? What are the most common cloud security mistakes you see? Any practices or tricks to avoid or mitigate them? How do you talk people out of security “lift and shift”? Do clients understand how threat models change when they migrate to the cloud? How clients typically handle compliance in the cloud? What regulations are the most challenging in the cloud? What is the future for cloud migration security?  Do we foresee a future when most data is created in the cloud and there is no need to migrate anything? Resources: “Building Secure & Reliable Systems” book Google Cloud Architecture Framework “Threat Models and Cloud Security” (ep12) Modernizing compliance: Introducing Risk and Compliance as Code

Guest:  Anna Belak,  Director of Thought Leadership @ Sysdig Topics: One model for container security is “Infrastructure security  | build security | runtime security” -  which is most important to get right? Which is hardest to get right?  How are you helping users get their infrastructure security right, and what do they get wrong most often here? Your report states that “3⁄4 of running containers have at least one "high" or "critical" vulnerability“ and it  sounds like pre-cloud IT, but this is about containers?  This was very true  before cloud, why is this still true in cloud native?  Aren’t containers easy to “patch” and redeploy?  You say  “Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production.“ but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don’t fix things?   “52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline.“ - isn’t pipeline and repo scanning easier and cheaper? Why isn’t this 90/10 but 40/50?  “62% detect shells in containers” sounds (to Anton) that “62% zoos have a dragon in them” i.e. kinda surreal. What’s the real story? Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers?  Resources: Sysdig report Kubernetes podcast episode with Anna Belak  EP15 Scaling Google Kubernetes Engine Security Sysdig learning hub

Guest:  Amos Stern, CEO of SIEMplify, now part of Google Cloud Topics: SOAR is in the news again,  so what can we say about the state of SOAR in 2022? What have we learned trying to get SOAR adopted 2015-2022 (that’s 7 years of SOAR-ing for you)? What are the top playbooks to start your SOC automation using SOAR?  What about the links between SOAR as security automation and general IT automation?  Does the level of consolidation in this market mean that SOAR really is a feature of SIEMs and not a product in its own right? Resources: Siemplify blog Google Cloud Security Talks Q1 2022

Guest: Vijay Bolina, CISO at DeepMind Topics: We spend a lot of time on Artificial Intelligence (AI) safety, but what about security?  What are some of the useful frameworks for thinking about AI security? What is different about securing AI vs securing another data-intensive, complex, enterprise application? What do we know about threat modeling for AI applications? What attacks against AI systems do we expect to see first in real life? What issues with AI security should we expect to face in 3-5 years? Resources: DeepMind Learning Resources DEFCON AI Village and videos CAMLIS 

Guest:  Vandy Ramadurai, Product Manager at Google Cloud Topics: What is Cloud Organization Policy, and how is it different from IaC and Policy as code (PaC)? What does successful organization policy design look like from a business and human standpoint? From a technical standpoint? Granular policy work is always hard. How is Google helping users get org policy right?  What are the uniquely Google strengths here?  Is the AI involved real or is this marketing pixie dust AI? How do users know if something should be a proactive control like a guardrail or if something should be a reactive control like a detection? Resources: Policy Intelligence tools NEXT'21 SEC 203 - Governance guardrails Least privilege for Cloud Functions using Cloud IAM

Guest: Elie Bursztein, security, anti-abuse and privacy researcher @ Google Topics: This episode draws on a talk available in the podcast materials. Could you summarize the gist of your talk for the audience? What makes the malicious document problem a good candidate for machine learning (ML)? Could you have used rules? “Millions of documents in milliseconds,” not sure how to even parse it - what is involved in making it work? Can you explain to the listeners the motivation for reanalyzing old samples, what ground truth means in ML/detection engineering, and how you are using this technique? How fast do the attackers evolve and does this throw ML logic off? Do our efforts at cat-and-mouse with attackers make the mice harder for other people to catch?  Does massive-scale ML detections accelerate the attacker's evolution? Resources: The RSA talk “Malicious Documents Emerging Trends: A Gmail Perspective” “EP40 2021: Phishing is Solved?” episode Elie’s talks on his site

Guest: Taylor Lehmann, Director at the Office of the  CISO @ Google Cloud, member of Cybersecurity Action Team Topics: What’s top of mind for healthcare organizations’ CISOs now? What common advice do you find yourself giving most often to security leaders in healthcare? Is there a list of top 3 items or is this all “it depends”? What regulations are shaping the healthcare industry and its adoption of new technology? HIPAA is from 1996, how does it work for the cloud in the 2020s? Why do you think we aren’t seeing more cloud ransomware? Healthcare orgs are sometimes seen as “IT laggards”, what are the key security lessons from their cloud migrations? How do we convince some of these organizations that cloud is more secure as long as they use it securely?