Cloud Security Podcast by Google

Guest: Dylan Ayrey, cofounder of Truffle Security Topics: Could you explain briefly why identity is so important in the cloud? A skeptic on cloud security once told us that "in the cloud, we are one identity mistake from a breach." Is this true? For listeners who aren't familiar with GCP, could you give us the 30 second story on "what is a service account." How is it different from a regular IAM account? What are service account impersonations? How can I see if my service accounts can be impersonated? How do I detect it? How can I better secure my organization from impersonation attacks? Resources: Truffle Security blog "GCP Lateral Movement And Privileged Escalation Spill Over And Updates From Google" by Dylan Ayrey "Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments" blog "Kat Traxler - Taste the IAM" blogs

Guest: Sharon Goldberg, CEO and cofounder of BastionZero and a professor at Boston University Topics: What is your favorite definition of zero trust? You had posted a blog analyzing the whitehouse ZT a memo on the federal government's transition to "zero trust", what caught your eye about the Zero Trust memo and why did you decide to write about it? What's behind the federal government's recommendations to deprecate VPNs and recommend users "authenticate to applications, not networks"? What do these recommendations mean for cloud security, today and in the future? What do you think would be the hardest things to implement in real US Federal IT environments? Are there other recommendations in the memo to think about as organizations design zero trust strategies for their infrastructure? What are some of the challenges of implementing zero trust in general? Resources: "Zero Trust: Fast Forward from 2010 to 2021" (ep8) "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles" "I read the federal government's Zero-Trust Memo so you don't have to" "F12 isn't hacking: Missouri governor threatens to prosecute local journalist for finding exposed state data"

New Audio Trailer: Cloud Security Podcast by Google

Guests: Alexi Wiemer, Senior Manager at Deloitte Cyber Detection and Response Practice Dan Lauritzen, Senior Manager at Deloitte Cloud Security Practice. Topics: What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in? What is your best advice to SOCs that are permanently and woefully understaffed? Many SOC analysts are drowning in manual work, and it is easy to give advice that "they need to automate." What does this actually entail, in real life? What is, in your view, the most critical technology for a modern SOC? Is it SIEM? Is it SOAR? Is it EDR? What is the best advice for a SOC that was handed cloud on a platter and was told to monitor it for threats? Occasionally, we hear that "SOC is dead." What is your response to such dire SOCless predictions? Resources: "New Paper: "Future Of The SOC: Process Consistency and Creativity: a Delicate Balance" (Paper 3 of 4)" "New Paper: "Future of the SOC: Forces shaping modern security operations"" "New Paper: "Future of the SOC: SOC People — Skills, Not Tiers"" "New Paper: "Autonomic Security Operations — 10X Transformation of the Security Operations Center"" "A SOC Tried To Detect Threats in the Cloud … You Won't Believe What Happened Next" "Why Your Security Data Lake Project Will FAIL!"

Guest: Maddie Stone, Security Researcher @ Google Topics: How do we judge the real risk of being attacked using an exploit for a zero day vulnerability? Does the zero day risk vary by company, industry, etc? What does pricing for zero days tell us, if anything? Are prices more driven by supply or demand these days? What security controls or defenses are useful against zero days including against chained zero days? Where are the cloud zero days? We get lots of attention on iOS and Android, what about the cloud platforms? So, how do we solve the paradox of zero days, are they more scary than risky or more risky than scary? Or both? Resources: Project Zero blog A walk through Project Zero metrics Threat Analysis Group (TAG) blog

Guest: Erlander Lo, Security and Compliance Specialist @ Google Cloud Topics: Imagine you are planning a data warehouse in the cloud, how do you think about security? What are the expected threats to a large data store in the cloud? How to create your security approach for a data warehouse project? Are there regulations that force your decisions about security controls or approaches, no matter what the threats are? How do you approach data governance for this project? What controls are there to implement in Google Cloud for a secure data warehouse effort? Resources: Secure Data Warehouse blueprint (other blueprints) Creativity Inc book "Data Governance: The Definitive Guide" book

Guests: Brandie Anderson, Global Security Practice Lead @ Google Cloud Renzo Cuadros, Regional Security Practice Lead @ Google Cloud Topics: What are your Cloud migration security lessons? Greatest hits? Near misses? What are the most common cloud security mistakes you see? Any practices or tricks to avoid or mitigate them? How do you talk people out of security "lift and shift"? Do clients understand how threat models change when they migrate to the cloud? How clients typically handle compliance in the cloud? What regulations are the most challenging in the cloud? What is the future for cloud migration security? Do we foresee a future when most data is created in the cloud and there is no need to migrate anything? Resources: "Building Secure & Reliable Systems" book Google Cloud Architecture Framework "Threat Models and Cloud Security" (ep12) Modernizing compliance: Introducing Risk and Compliance as Code

Guest: Anna Belak, Director of Thought Leadership @ Sysdig Topics: One model for container security is "Infrastructure security | build security | runtime security" - which is most important to get right? Which is hardest to get right? How are you helping users get their infrastructure security right, and what do they get wrong most often here? Your report states that "3⁄4 of running containers have at least one "high" or "critical" vulnerability" and it sounds like pre-cloud IT, but this is about containers? This was very true before cloud, why is this still true in cloud native? Aren't containers easy to "patch" and redeploy? You say "Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production." but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don't fix things? "52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline." - isn't pipeline and repo scanning easier and cheaper? Why isn't this 90/10 but 40/50? "62% detect shells in containers" sounds (to Anton) that "62% zoos have a dragon in them" i.e. kinda surreal. What's the real story? Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers? Resources: Sysdig report Kubernetes podcast episode with Anna Belak EP15 Scaling Google Kubernetes Engine Security Sysdig learning hub

Guest: Amos Stern, CEO of SIEMplify, now part of Google Cloud Topics: SOAR is in the news again, so what can we say about the state of SOAR in 2022? What have we learned trying to get SOAR adopted 2015-2022 (that's 7 years of SOAR-ing for you)? What are the top playbooks to start your SOC automation using SOAR? What about the links between SOAR as security automation and general IT automation? Does the level of consolidation in this market mean that SOAR really is a feature of SIEMs and not a product in its own right? Resources: Siemplify blog Google Cloud Security Talks Q1 2022

Guest: Vijay Bolina, CISO at DeepMind Topics: We spend a lot of time on Artificial Intelligence (AI) safety, but what about security? What are some of the useful frameworks for thinking about AI security? What is different about securing AI vs securing another data-intensive, complex, enterprise application? What do we know about threat modeling for AI applications? What attacks against AI systems do we expect to see first in real life? What issues with AI security should we expect to face in 3-5 years? Resources: DeepMind Learning Resources DEFCON AI Village and videos CAMLIS