Cloud Security Podcast by Google

Guest: Vandy Ramadurai, Product Manager at Google Cloud Topics: What is Cloud Organization Policy, and how is it different from IaC and Policy as code (PaC)? What does successful organization policy design look like from a business and human standpoint? From a technical standpoint? Granular policy work is always hard. How is Google helping users get org policy right? What are the uniquely Google strengths here? Is the AI involved real or is this marketing pixie dust AI? How do users know if something should be a proactive control like a guardrail or if something should be a reactive control like a detection? Resources: Policy Intelligence tools NEXT'21 SEC 203 - Governance guardrails Least privilege for Cloud Functions using Cloud IAM

Guest: Elie Bursztein, security, anti-abuse and privacy researcher @ Google Topics: This episode draws on a talk available in the podcast materials. Could you summarize the gist of your talk for the audience? What makes the malicious document problem a good candidate for machine learning (ML)? Could you have used rules? "Millions of documents in milliseconds," not sure how to even parse it - what is involved in making it work? Can you explain to the listeners the motivation for reanalyzing old samples, what ground truth means in ML/detection engineering, and how you are using this technique? How fast do the attackers evolve and does this throw ML logic off? Do our efforts at cat-and-mouse with attackers make the mice harder for other people to catch? Does massive-scale ML detections accelerate the attacker's evolution? Resources: The RSA talk "Malicious Documents Emerging Trends: A Gmail Perspective" "EP40 2021: Phishing is Solved?" episode Elie's talks on his site

Guest: Taylor Lehmann, Director at the Office of the CISO @ Google Cloud, member of Cybersecurity Action Team Topics: What's top of mind for healthcare organizations' CISOs now? What common advice do you find yourself giving most often to security leaders in healthcare? Is there a list of top 3 items or is this all "it depends"? What regulations are shaping the healthcare industry and its adoption of new technology? HIPAA is from 1996, how does it work for the cloud in the 2020s? Why do you think we aren't seeing more cloud ransomware? Healthcare orgs are sometimes seen as "IT laggards", what are the key security lessons from their cloud migrations? How do we convince some of these organizations that cloud is more secure as long as they use it securely?

Guest: Nelly Porter, Group Product Manager @ Google Cloud Topics In the past year, what has changed with Confidential Computing here at Google? Could we please talk about a user or two who has really nailed it with our Confidential Computing? What have we learned about the threat models of clients who are choosing to deploy Confidential Computing? What are they solving for? Doing Confidential Computing "right" feels like a lot more than having some fancy CPUs with magic math. What challenges do customers face adopting it? We finally "married" Confidential Computing with EKM. What types of clients are deploying this new technology? What threats are they mitigating? What's on the horizon for Confidential Computing? Resources: "Trust Google Cloud more with ubiquitous data encryption" The Confidential Computing Consortium whitepapers Confidential Computing at Google EP12 Threat Models and Cloud Security

Guest: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics: Explain the whole cloud security megatrend concept to us? How can we better explain that "yes, cloud is more secure than most client's data centers"? Can you please explain "shared fate" one more time? Shared fate seems to require shared incentives. Do we see the incentives to invest in security changing within organizations migrating to Cloud? Cloud as the Digital Immune System sounds really cool, what does it mean for a typical practitioner - security and developers both? What about the risk aggregation (eggs in one basket) argument against relying on CSP for all security? Does software sovereignty mean that Cloud providers are always going to be held to common standards and lose out on the opportunity to sell highly differentiated software on top? Resources: IT Leaders: Pay Attention To These 8 Security Megatrends In 2022 Megatrends drive cloud adoption—and improve security for all

Guests: Alison Reyes, Director, Security Solutions, Google Cloud Iman Ghanizada, Solutions Manager for Security Operations & Analytics @ Google Cloud Topics: What is our thinking on solutions vs products for security? Sure, "security is a process, not a product," but where do solutions fit in? Security as an industry has too many vendors with little understanding of how users secure things, can solutions approach fix that? Google is sometimes known for writing code and just throwing it out there, do solutions change that dynamic for Google Cloud clients who come to us for security? Who are the target users for our security solutions? Why did we choose those solutions and not others? To me, solutions is how our products actually live in the real world. But can we really hope to transform customer operations with solutions? One of the solutions dear to my heart is Autonomic Security Operations that seeks to "10X the SOC", how was the experience so far? Is 10X real and what does it mean? How do we know if we succeeded, what are metrics for solutions? How do solutions fit with Google Cybersecurity Action Team launch? Do we need more action figures now? Resources: Google Cybersecurity Action Team NEXT Special - Google Cybersecurity Action Team: What's the Story? Google SRE books Autonomic Security Operations Web App and API Protection Achieving Autonomic Security Operations: Reducing toil Autonomic Security Operations: 10X Transformation of the Security Operations Center

Guests: Vlad Stolyarov, Security Engineer @ Threat Analysis Group (TAG) Vicente Diaz, Threat Intelligence Strategist @ VirusTotal Topics: Why GandCrab / REvil was the most popular ransomware family in 2020? What is ransomware as a service? Is every scary article about ransomware essentially marketing for the criminals? Some ransomware payoffs are huge, how do you think they spend the money? How else do they profit off stolen data apart from double extortion schemes? Are there triple extortion schemes? What is the concept of a "trusted brand in ransomware", is it better for clients because they will return the data? Why did non-Windows ransomware fail as a business? Do we expect 0day exploits to become more popular in ransomware? Based on this research, what is the key reason for ransomware's wild success? Resources: "Ransomware in a Global Context" report "Malware Hunting with VirusTotal" (ep30) Google TAG blog NoMoreRansom Org "Cybereason: 80% of orgs that paid the ransom were hit again" Google Cybersecurity Action Team Threat Horizons Report (full, brief)

Guest: Mike Orosz, a Chief Information and Product Security Officer @ Vertiv Topics: What are your views on modern SIEM? What should it do and what should it be? Should it even be called SIEM? Is SaaS/cloud-native SIEM the only way to go? Can anybody build a SIEM in the cloud by installing the regular SIEM on IaaS? What are the top challenges for organizations deploying and operationalizing SIEM today? What are some hidden or commonly forgotten costs for a SIEM deployment? Is open source the answer to SIEM? SIEM today should deliver on detection, hunting and investigation use cases, so what does it mean in terms of practical data retention? Resources: "On "Output-driven" SIEM" "Fake Cloud: Now There Are Two Hands in Your Pocket"

Guests: Amber Shafi, Production Manager GSK Svetlin Zamfirov, Senior Platform Engineer at GSK Ivan Angelov, Principal Platform Engineer at GSK Topics: Tell us about your team, what are you responsible for and how is the team setup to make that happen? What components of cloud security do you cover? Tell us about cloud misconfigurations and why these are different from on- premise misconfiguration? How are you discovering these misconfigurations? You've automated responses to misconfiguration. Beyond the obvious upsides of reducing team toil and time to response, what are the other benefits? Are there risk in this approach and how are they handled? How did this idea to automate come about, and what lessons did you learn along the way? How have you integrated with the cloud provider security tooling? Resources: "Automate and/or Die?" (ep3) "Automating Response to Security Events on Google Cloud Platform" from GSK blog GCP security blog

Guest: MK Palmore, Director at Office of the CISO, Google Cloud, member of Cybersecurity Action Team Topics: Why is there such a huge gap in security professionals who are women and people of color? How does the lack of women and people of color in tech impact the industry, cybersecurity & tech overall? Are diverse teams better performing, better morale, happier people? Are there kinds of threats that we miss in threat modeling exercises for lack of diverse team members? We've seen countless examples where AI/ML systems have had problems with laundering biases and having frankly appalling issues due to biased training data. What are security implications here? Are there organizations helping to close the representation gap in the security workforce and the cloud workforce? Why do the big tech companies and even the smaller ones have trouble identifying diverse talent? Why is this hard even for people and organizations who clearly want to improve it? Why do companies have a hard time retaining diverse talent? Resources: Cyversity Wicys