Cloud Security Podcast by Google

Guest: Anna Belak, Director of Thought Leadership @ Sysdig Topics: One model for container security is "Infrastructure security | build security | runtime security" - which is most important to get right? Which is hardest to get right? How are you helping users get their infrastructure security right, and what do they get wrong most often here? Your report states that "3⁄4 of running containers have at least one "high" or "critical" vulnerability" and it sounds like pre-cloud IT, but this is about containers? This was very true before cloud, why is this still true in cloud native? Aren't containers easy to "patch" and redeploy? You say "Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production." but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don't fix things? "52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline." - isn't pipeline and repo scanning easier and cheaper? Why isn't this 90/10 but 40/50? "62% detect shells in containers" sounds (to Anton) that "62% zoos have a dragon in them" i.e. kinda surreal. What's the real story? Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers? Resources: Sysdig report Kubernetes podcast episode with Anna Belak EP15 Scaling Google Kubernetes Engine Security Sysdig learning hub

Guest: Amos Stern, CEO of SIEMplify, now part of Google Cloud Topics: SOAR is in the news again, so what can we say about the state of SOAR in 2022? What have we learned trying to get SOAR adopted 2015-2022 (that's 7 years of SOAR-ing for you)? What are the top playbooks to start your SOC automation using SOAR? What about the links between SOAR as security automation and general IT automation? Does the level of consolidation in this market mean that SOAR really is a feature of SIEMs and not a product in its own right? Resources: Siemplify blog Google Cloud Security Talks Q1 2022

Guest: Vijay Bolina, CISO at DeepMind Topics: We spend a lot of time on Artificial Intelligence (AI) safety, but what about security? What are some of the useful frameworks for thinking about AI security? What is different about securing AI vs securing another data-intensive, complex, enterprise application? What do we know about threat modeling for AI applications? What attacks against AI systems do we expect to see first in real life? What issues with AI security should we expect to face in 3-5 years? Resources: DeepMind Learning Resources DEFCON AI Village and videos CAMLIS

Guest: Vandy Ramadurai, Product Manager at Google Cloud Topics: What is Cloud Organization Policy, and how is it different from IaC and Policy as code (PaC)? What does successful organization policy design look like from a business and human standpoint? From a technical standpoint? Granular policy work is always hard. How is Google helping users get org policy right? What are the uniquely Google strengths here? Is the AI involved real or is this marketing pixie dust AI? How do users know if something should be a proactive control like a guardrail or if something should be a reactive control like a detection? Resources: Policy Intelligence tools NEXT'21 SEC 203 - Governance guardrails Least privilege for Cloud Functions using Cloud IAM

Guest: Elie Bursztein, security, anti-abuse and privacy researcher @ Google Topics: This episode draws on a talk available in the podcast materials. Could you summarize the gist of your talk for the audience? What makes the malicious document problem a good candidate for machine learning (ML)? Could you have used rules? "Millions of documents in milliseconds," not sure how to even parse it - what is involved in making it work? Can you explain to the listeners the motivation for reanalyzing old samples, what ground truth means in ML/detection engineering, and how you are using this technique? How fast do the attackers evolve and does this throw ML logic off? Do our efforts at cat-and-mouse with attackers make the mice harder for other people to catch? Does massive-scale ML detections accelerate the attacker's evolution? Resources: The RSA talk "Malicious Documents Emerging Trends: A Gmail Perspective" "EP40 2021: Phishing is Solved?" episode Elie's talks on his site

Guest: Taylor Lehmann, Director at the Office of the CISO @ Google Cloud, member of Cybersecurity Action Team Topics: What's top of mind for healthcare organizations' CISOs now? What common advice do you find yourself giving most often to security leaders in healthcare? Is there a list of top 3 items or is this all "it depends"? What regulations are shaping the healthcare industry and its adoption of new technology? HIPAA is from 1996, how does it work for the cloud in the 2020s? Why do you think we aren't seeing more cloud ransomware? Healthcare orgs are sometimes seen as "IT laggards", what are the key security lessons from their cloud migrations? How do we convince some of these organizations that cloud is more secure as long as they use it securely?

Guest: Nelly Porter, Group Product Manager @ Google Cloud Topics In the past year, what has changed with Confidential Computing here at Google? Could we please talk about a user or two who has really nailed it with our Confidential Computing? What have we learned about the threat models of clients who are choosing to deploy Confidential Computing? What are they solving for? Doing Confidential Computing "right" feels like a lot more than having some fancy CPUs with magic math. What challenges do customers face adopting it? We finally "married" Confidential Computing with EKM. What types of clients are deploying this new technology? What threats are they mitigating? What's on the horizon for Confidential Computing? Resources: "Trust Google Cloud more with ubiquitous data encryption" The Confidential Computing Consortium whitepapers Confidential Computing at Google EP12 Threat Models and Cloud Security

Guest: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics: Explain the whole cloud security megatrend concept to us? How can we better explain that "yes, cloud is more secure than most client's data centers"? Can you please explain "shared fate" one more time? Shared fate seems to require shared incentives. Do we see the incentives to invest in security changing within organizations migrating to Cloud? Cloud as the Digital Immune System sounds really cool, what does it mean for a typical practitioner - security and developers both? What about the risk aggregation (eggs in one basket) argument against relying on CSP for all security? Does software sovereignty mean that Cloud providers are always going to be held to common standards and lose out on the opportunity to sell highly differentiated software on top? Resources: IT Leaders: Pay Attention To These 8 Security Megatrends In 2022 Megatrends drive cloud adoption—and improve security for all

Guests: Alison Reyes, Director, Security Solutions, Google Cloud Iman Ghanizada, Solutions Manager for Security Operations & Analytics @ Google Cloud Topics: What is our thinking on solutions vs products for security? Sure, "security is a process, not a product," but where do solutions fit in? Security as an industry has too many vendors with little understanding of how users secure things, can solutions approach fix that? Google is sometimes known for writing code and just throwing it out there, do solutions change that dynamic for Google Cloud clients who come to us for security? Who are the target users for our security solutions? Why did we choose those solutions and not others? To me, solutions is how our products actually live in the real world. But can we really hope to transform customer operations with solutions? One of the solutions dear to my heart is Autonomic Security Operations that seeks to "10X the SOC", how was the experience so far? Is 10X real and what does it mean? How do we know if we succeeded, what are metrics for solutions? How do solutions fit with Google Cybersecurity Action Team launch? Do we need more action figures now? Resources: Google Cybersecurity Action Team NEXT Special - Google Cybersecurity Action Team: What's the Story? Google SRE books Autonomic Security Operations Web App and API Protection Achieving Autonomic Security Operations: Reducing toil Autonomic Security Operations: 10X Transformation of the Security Operations Center

Guests: Vlad Stolyarov, Security Engineer @ Threat Analysis Group (TAG) Vicente Diaz, Threat Intelligence Strategist @ VirusTotal Topics: Why GandCrab / REvil was the most popular ransomware family in 2020? What is ransomware as a service? Is every scary article about ransomware essentially marketing for the criminals? Some ransomware payoffs are huge, how do you think they spend the money? How else do they profit off stolen data apart from double extortion schemes? Are there triple extortion schemes? What is the concept of a "trusted brand in ransomware", is it better for clients because they will return the data? Why did non-Windows ransomware fail as a business? Do we expect 0day exploits to become more popular in ransomware? Based on this research, what is the key reason for ransomware's wild success? Resources: "Ransomware in a Global Context" report "Malware Hunting with VirusTotal" (ep30) Google TAG blog NoMoreRansom Org "Cybereason: 80% of orgs that paid the ransom were hit again" Google Cybersecurity Action Team Threat Horizons Report (full, brief)