Cloud Security Podcast by Google

Guest: Erik Bloch, Senior Director of Detection and Response at Sprinklr Topics: You recently coined a concept of "output-driven Detection and Response" and even perhaps broader "output-driven security." What is it and how does it work? Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that? You refer to a federated approach for Detection and Response" ("route the outcomes to the teams that need them or can address them"), but is it workable for any organization? What about the separation of duty concerns that some raise in response to this? What about the organizations that don't have any security talent in those teams? Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it? The model of "security team as a decision-maker, not an implementer" has a bit of a painful history, as this is what led to "GRC-only teams" who lack any technical knowledge. Why will this approach work this time? Resources: "RIP SOC. Hello D-IR" "Kill your SOC with a D-IR model" "Security De-Engineering: Solving the Problems in Information Risk Management" book "A SOCless Detection Team at Netflix" "Achieving Autonomic Security Operations: Automation as a Force Multiplier" "Start with Why: How Great Leaders Inspire Everyone to Take Action" book "Think Like a Monk: The Secret of how to Harness the Power of Positivity and be Happy Now" book "On "Output-driven" SIEM" "SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond" (ep58)

Guests: Dave "Merk" Merkel, CEO @ Expel Peter Silberman, CTO @ Expel Topics: Many MDRs claim to be "security from the cloud", but they actually don't know much about cloud security. What does good looks like for MDR in the cloud (cloud being a full range from IaaS to SaaS)? What are the key challenges for clients picking an MDR for their cloud environments? What are the questions to ask your potential MDR? Do clients want the same security outcomes done in the cloud vs on-premise? Does it mean that MSSP/MDR capabilities must be different for good coverage of the cloud? Is MDR technology different for Cloud detection and response as opposed to on-prem D&R? How do you communicate with clients about the importance and value of cloud specific detection vs detection for endpoints running in the cloud? What are the top threats against client cloud environments that you see, detect and protect from? Which clouds (IaaS?) are easiest for MDR to protect? What makes them easier to handle than the other Clouds? Resources: Who Does What In Cloud Threat Detection? How to Think about Threat Detection in the Cloud Cattle vs Pets reminder Expel Blog - Incident report: Spotting an attacker in GCP Expel Great eXpeltations 2022: Cybersecurity trends and predictions Expel Quarterly Threat Report: Q1 2022

Guest: Stefan Friedli, Senior Security Engineer @ Google Topics: What is our "red team" testing philosophy and approach at Google? How did we evolve to this approach? What is the path from testing to making Google and our users more secure? How does our testing power the improvements we make? What is unique about red teaming at Google? Care to share some fun testing stories or examples from your experience? Resources: "Building Secure & Reliable Systems" book (free) Threat Analysis Group (TAG) blog

Guests: none Topics: What have we seen at the RSA 2022 Conference? What was the most interesting and unexpected? What was missing? Resources: "RSA 2022 Musings: The Past and The Future of Security" Google Cloud Security at RSA 2022

Guest: James Condon, Director of Security Research @ Lacework Topics: What are realistic and actually observed cloud threats today? How did you observe them at Lacework? Cloud threats: are they on-premise style threats to cloud assets? We hate the line "cloud is just somebody else's computer" but apparently threats actors seem to think so? What is the 2nd most dangerous cloud issue after configuration mistakes? Why is it so common for organizations to have insecure configurations in their cloud environments? Give me a few examples of the most common mistakes organizations make, and what they can do to avoid those configurations. Cloud malware and ransomware / RansomOps, are these real risks today? Are we finally seeing the rise of Linux malware at scale (in the cloud)? As multi cloud expands in popularity, what are threat actors doing in this area? Are actors customizing their attacks on a per-cloud basis (AWS, GCP, Azure)? Resources: Lacework 2022 Cloud Threat Report "Securing DevOps: Security in the Cloud" book "Threat Models and Cloud Security" (ep12) Google Threat Horizons Report #1 Google Threat Horizons Report #2

Guest: Nicholas Carlini, Research Scientist @ Google Topics: What is your threat model for a large-scale AI system? How do you approach this problem? How do you rank the attacks? How do you judge if an attack is something to mitigate? How do you separate realistic from theoretical? Are there AI threats that were theoretical in 2020, but may become a daily occurrence in 2025? What are the threat-derived lessons for securing AI? Do we practice the same or different approaches for secure AI and reliable AI? How does relative lack of transparency in AI helps (or hurts?) attackers and defenders? Resources: "Red Teaming AI Systems: The Path, the Prospect and the Perils" at RSA 2022 "Killed by AI Much? A Rise of Non-deterministic Security!" Books on Adversarial ML

Guest: Sounil Yu, CISO and Head of Research at JupiterOne Topics: How does your Cyber Defense Matrix apply to cloud security? Are things easier or harder? Cloud (at least the cloudy-cloud, also called cloud native) definitely supports "Distributed Immutable Ephemeral" (DIE) - your new creation, how does that change security and CDM? Cyber resilience generates a lot of confusion, how do you define and describe it? BTW, is the cloud more or less cyber resilient based on your definition? Is invisible security a good thing? Can we ever have it? When should security be visible? Intuitively, security and safety are not the same. So, what is the difference between cyber safety and cyber security? What is cyber safety, really? Resources: Cyber Defense Matrix Security DIE Triad Container Security: The Past or The Future? (ep54) This Binary Legit? How Google Uses Binary Authorization and Code Provenance (ep66) What is the useful definition of "cyber resilience"? poll Is the cloud just somebody else's computer? Poll Cattle vs Pets - DevOps Explained Gartner CIA-PSR model The 2022 State of Cyber Assets Report Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape "Antifragile" book "Thinking, Fast and Slow" book "Security Chaos Engineering" book

Guest: Sandra Guo, Product Manager in Security, Google Cloud Topics: We have a really interesting problem here: if we make great investments in our use of trusted repositories, and great investments in doing code review on every change, and securing our build systems, and having reproducible builds, how do we know that all of what we did upstream is actually what gets deployed to production? What are the realistic threats that Binary Authorization handles? Are there specific organizations that are more at risk from those? What's the Google inspiration for this work, both development and adoption? How do we make this work in practice at a real organization that is not Google? Where do you see organizations "getting it wrong" and where do you see organizations "getting it right"? We've had a lot of conversations about rolling out zero-trust for enterprise applications, how do those lessons (start small, be visible, plan plan plan) translate into deploying Binauthz into blocking mode? Resources: "Binary Authorization for Borg: how Google verifies code provenance and implements code identity" paper Binary Authorization for deploying trusted images DevOps & SRE at Google

Guests: Charles Carmakal, CTO at Mandiant Taylor Lehmann, Director at Office of the CISO, Google Cloud Topics: What are the current "popular" incidents at healthcare providers that you handled? Any of them involve cloud? Do healthcare CISOs have time for anything other than ransomware? Does insider threat matter? What can incident response teach us here? How do you think the threat actors benefit from the health data they steal? Based on your IR experience, what are the more interesting ways in, other than phishing? Give us your IR-informed take on ransomware pay/not pay focused on healthcare, ideally? Resources: "The key role 'visibility' plays in healthcare's cybersecurity resilience" "How healthcare can strengthen its own cybersecurity resilience" "M-Trends 2022: Cyber Security Metrics, Insights and Guidance From the Frontlines" "Future of EDR: Is It Reason-able to Suggest XDR?" (ep29) "MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications""VS21: A Playbook for Resiliency: Contain and Remediate Ransomware Before It Can Act" "FDA Announces Fix for Pacemaker Security Flaws"

Guest: Dave Herrald @ Principal Security Strategist, Google Cloud Topics: What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc)? How do you make SOC training realistic? Should training be about the toolset or should it be about the analyst's skills? Should you primarily train for engineering skills or analysis skills? Do you need to code to succeed in a modern SOC? Are competitive events like CTFs effective for SOC training? What role does SOC training play in bringing new, perhaps under-represented people into security operations and promoting inclusivity? Resources: Chris Sanders SOC classes SANS Holiday Hack Challenges SEC450: Blue Team Fundamentals: Security Operations and Analysis SANS NetWars "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper Boss of the SOC (BOTS) Dataset