

Cloud Security Podcast by Google
Anton Chuvakin
Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure.
We're going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject's benefit or just for organizational benefit.
We hope you'll join us if you're interested in where technology overlaps with process and bumps up against organizational design. We're hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can't keep as the world moves from on-premises computing to cloud computing.
Episodes

Jun 16, 2022 • 23min
EP70 Special - RSA 2022 Reflections - Securing the Past vs Securing the Future
Guests: none Topics: What have we seen at the RSA 2022 Conference? What was the most interesting and unexpected? What was missing? Resources: "RSA 2022 Musings: The Past and The Future of Security" Google Cloud Security at RSA 2022

Jun 13, 2022 • 30min
EP69 Cloud Threats and How to Observe Them
Guest: James Condon, Director of Security Research @ Lacework Topics: What are realistic and actually observed cloud threats today? How did you observe them at Lacework? Cloud threats: are they on-premise style threats to cloud assets? We hate the line "cloud is just somebody else's computer" but apparently threat actors seem to think so? What is the 2nd most dangerous cloud issue after configuration mistakes? Why is it so common for organizations to have insecure configurations in their cloud environments? Give me a few examples of the most common mistakes organizations make, and what they can do to avoid those configurations. Cloud malware and ransomware / RansomOps, are these real risks today? Are we finally seeing the rise of Linux malware at scale (in the cloud)? As multi cloud expands in popularity, what are threat actors doing in this area? Are actors customizing their attacks on a per-cloud basis (AWS, GCP, Azure)? Resources: Lacework 2022 Cloud Threat Report "Securing DevOps: Security in the Cloud" book "Threat Models and Cloud Security" (ep12) Google Threat Horizons Report #1 Google Threat Horizons Report #2

Jun 6, 2022 • 28min
EP68 How We Attack AI? Learn More at Our RSA Panel!
Guest: Nicholas Carlini, Research Scientist @ Google Topics: What is your threat model for a large-scale AI system? How do you approach this problem? How do you rank the attacks? How do you judge if an attack is something to mitigate? How do you separate realistic from theoretical? Are there AI threats that were theoretical in 2020, but may become a daily occurrence in 2025? What are the threat-derived lessons for securing AI? Do we practice the same or different approaches for secure AI and reliable AI? How does the relative lack of transparency in AI help (or hurt?) attackers and defenders? Resources: "Red Teaming AI Systems: The Path, the Prospect and the Perils" at RSA 2022 "Killed by AI Much? A Rise of Non-deterministic Security!" Books on Adversarial ML

May 31, 2022 • 26min
EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?
Guest: Sounil Yu, CISO and Head of Research at JupiterOne Topics: How does your Cyber Defense Matrix apply to cloud security? Are things easier or harder? Cloud (at least the cloudy-cloud, also called cloud native) definitely supports "Distributed Immutable Ephemeral" (DIE) - your new creation, how does that change security and CDM? Cyber resilience generates a lot of confusion, how do you define and describe it? BTW, is the cloud more or less cyber resilient based on your definition? Is invisible security a good thing? Can we ever have it? When should security be visible? Intuitively, security and safety are not the same. So, what is the difference between cyber safety and cyber security? What is cyber safety, really? Resources: Cyber Defense Matrix Security DIE Triad Container Security: The Past or The Future? (ep54) This Binary Legit? How Google Uses Binary Authorization and Code Provenance (ep66) What is the useful definition of "cyber resilience"? poll Is the cloud just somebody else's computer? Poll Cattle vs Pets - DevOps Explained Gartner CIA-PSR model The 2022 State of Cyber Assets Report Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape "Antifragile" book "Thinking, Fast and Slow" book "Security Chaos Engineering" book

May 23, 2022 • 25min
EP66 Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance
Guest: Sandra Guo, Product Manager in Security, Google Cloud Topics: We have a really interesting problem here: if we make great investments in our use of trusted repositories, and great investments in doing code review on every change, and securing our build systems, and having reproducible builds, how do we know that all of what we did upstream is actually what gets deployed to production? What are the realistic threats that Binary Authorization handles? Are there specific organizations that are more at risk from those? What's the Google inspiration for this work, both development and adoption? How do we make this work in practice at a real organization that is not Google? Where do you see organizations "getting it wrong" and where do you see organizations "getting it right"? We've had a lot of conversations about rolling out zero-trust for enterprise applications, how do those lessons (start small, be visible, plan plan plan) translate into deploying Binauthz into blocking mode? Resources: "Binary Authorization for Borg: how Google verifies code provenance and implements code identity" paper Binary Authorization for deploying trusted images DevOps & SRE at Google

May 16, 2022 • 28min
EP65 Is Your Healthcare Security Healthy? Mandiant Incident Response Insights
Guests: Charles Carmakal, CTO at Mandiant Taylor Lehmann, Director at Office of the CISO, Google Cloud Topics: What are the current "popular" incidents at healthcare providers that you handled? Any of them involve cloud? Do healthcare CISOs have time for anything other than ransomware? Does insider threat matter? What can incident response teach us here? How do you think the threat actors benefit from the health data they steal? Based on your IR experience, what are the more interesting ways in, other than phishing? Give us your IR-informed take on ransomware pay/not pay focused on healthcare, ideally? Resources: "The key role 'visibility' plays in healthcare's cybersecurity resilience" "How healthcare can strengthen its own cybersecurity resilience" "M-Trends 2022: Cyber Security Metrics, Insights and Guidance From the Frontlines" "Future of EDR: Is It Reason-able to Suggest XDR?" (ep29) "MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications" "VS21: A Playbook for Resiliency: Contain and Remediate Ransomware Before It Can Act" "FDA Announces Fix for Pacemaker Security Flaws"

May 9, 2022 • 29min
EP64 Security Operations Center: The People Side and How to Do it Right
Guest: Dave Herrald @ Principal Security Strategist, Google Cloud Topics: What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc)? How do you make SOC training realistic? Should training be about the toolset or should it be about the analyst's skills? Should you primarily train for engineering skills or analysis skills? Do you need to code to succeed in a modern SOC? Are competitive events like CTFs effective for SOC training? What role does SOC training play in bringing new, perhaps under-represented people into security operations and promoting inclusivity? Resources: Chris Sanders SOC classes SANS Holiday Hack Challenges SEC450: Blue Team Fundamentals: Security Operations and Analysis SANS NetWars "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper Boss of the SOC (BOTS) Dataset

May 2, 2022 • 35min
EP63 State of Autonomic Security Operations: Are There Sharks in Your SOC?
Guests: Robert Herjavec, Founder and CEO of Herjavec Group Eric Foster, President of CYDERES Iman Ghanizada, Global Head of Autonomic Security Operations at Google Cloud. Topics: It's been a few months since we launched Autonomic Security Operations (ASO) and it seems like the whitepaper has been going viral in the industry. Tell us what ASO is about? How was the ASO story received by your customers? Any particular reactions? Will the ASO narrative inspire the next generation of practitioners? Where do you envision the market headed? ASO is about transforming the SOC, and that often involves culture change. How do you change the culture and deeper approaches common in security operations? What else can we do to evolve SOC faster than the threats and assets grow? Resources: This episode is based on a panel from This Google Cloud Security Talks Q1 2022 Panel "All Organizations Should Pursue Autonomic Security Operations… A Fireside Chat with SOC Elites." "All Organizations Should Pursue Autonomic Security Operations… A Fireside Chat with SOC Elites" on YouTube "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper "Modernizing the U.S. Federal Government's Approach to Cyber Threat Management with Autonomic Security Operations" paper

Apr 25, 2022 • 27min
EP62 Protect Modern Applications in the Cloud: Union of APIs and Application Security
Guest: Etienne De Burgh, Senior Security and Compliance Specialist, Office of the CISO @ Google Cloud Topics: Why is API security hot now? What happened that made it a priority for many? Is API security different from application security? Doesn't the first "A" in API stand for application? What are the real threats to exposed APIs? APIs are designed for automated use, so how do you tell automated use from automated abuse / attack? What are the biggest challenges that companies are having with API security? What are the components of API security? Is there a "secure by default API"? API threat detection? Just like cloud in general, API misconfigurations seem to be leading to security problems, are APIs hard to configure securely for most organizations? Resources: Google Cloud Security Summit - come see us on May 17, 2022 "Securing web applications and APIs anywhere" (at our Security Summit) OWASP Top 10 for API Security "Best practices for securing your applications and APIs using Apigee"

Apr 18, 2022 • 27min
EP61 Anniversary Episode - What Did We Learn So Far on Cloud Security Podcast?
No guests - just Anton and Tim Topics: Why cloud security? What do we really think about our podcast name and topic, cloud security? Can you once again explain security for the cloud, in the cloud, from the cloud? What is one thing that we learned from doing a podcast? Favorite cloud security trend that we encountered on the podcast? What did we learn about security from organizations migrating to the cloud? What are our favorite reading materials related to cloud security? What are our favorite tips from the guests on securing the cloud? Resources: "The Age of AI And Our Human Future" book "Practical Guide to Cloud Migration – Google - Site Reliability Engineering" (book, free) and other SRE books "Cloud Security podcast by Google turns 46 - Reflections and lessons!" "Cloud Security Podcast by Google — Popular Episodes by Topic" Our video trailer


