

Cloud Security Podcast by Google
Anton Chuvakin
Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure.
We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit.
We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.
Episodes

Aug 23, 2021 • 19min
Tales from the Trenches: Using AI for Gmail Security
Guest: Andy Wen, Product Lead for Abuse & Security @ Google Cloud
Topics: What are you doing with AI for security? What kinds of security problems are addressable with AI, and which ones are harder to address with ML techniques? Tell us where you’ve been surprised by AI’s success? Do you expect a) AI use by adversaries and b) attacks focused on disrupting the AI use by defenders? What advice would you give a PM or technical lead starting out on thinking they want to use AI to solve a problem?
Resources: Andy Wen presentation from Cloud Security Talks 2021 “The Future of Machine Learning and Cybersecurity”

Aug 16, 2021 • 30min
The Mysteries of Detection Engineering: Revealed!
Guest: Keith McCammon, Co-founder and Chief Security Officer, Red Canary
Topics: What is Detection Engineering? How it differs from just building rules/analytics? How to convert threat intelligence into detections? How to tell good detections from bad? And perhaps also good from great? How to test detections in the real world? Anything special about building detections for cloud environments? What do you think is the role of “rule-less” (such as ML) detections? Is “ML unicorn cavalry” coming?
Resources: The Red Canary Blog 2021 Threat Detection Report Alerting and Detection Strategy Framework Atomic Red Team toolset

Aug 9, 2021 • 20min
SOC in a Large, Complex and Evolving Organization
Guest: Johnathan Keith, Director of Information Security (CISO) @ ViacomCBS Streaming / Digital (at the time of the recording)
Topics: What is the mission for your SOC? Has it evolved in recent years? How do you rate your state of maturity in security operations? I hear that your organization is complex and decentralized, how do you run a SOC in such a case? How do you approach the balance of people, process and technology in your SOC? What is the role of outsourcing in your SOC? Is cloud included in your SOC mission scope? What are the immediate things you plan to improve?
Resources: Security Summit Talk that this podcast episode is based on (all Google Cloud Security Summit 2021 talks)

Aug 2, 2021 • 27min
Beyond Compliance: Cloud Security in Europe
Guest: John Stone, Chaos Coordinator at the Office of the CISO @ Google Cloud
Topics: What are the top European-specific cloud migration security challenges? Are there interesting cloud adoption barriers related to security in Europe? Are some of these challenges more compliance than security related? Do you think compliance still drives security in the cloud for European companies? Do you think Europe can ever "make their own cloud"? So, what do you make of this entire movement about “data sovereignty”?

Jul 26, 2021 • 23min
Linking Up The Pieces: Software Supply Chain Security at Google and Beyond
Guests: Eric Brewer, VP of Infrastructure, and Google Fellow @ Google; Aparna Sinha, Director of Product Management @ Google Cloud
Topics: What is software supply chain security and how is it different from other kinds of supply chain security? What types of organizations need to care about it? Is supply chain security a concern for large, elite enterprises only? What’s the relationship between what we’re doing here, and what SBOM is? Can you talk us through a quick threat assessment of a supply chain security issue? What are the realistic threats here and who are the threat actors involved? How does Google try to solve these problems internally? Have we succeeded? How does this translate into our products? By the way, what’s SLSA?
Resources: “Container Security: Building trust in your software supply chain” (live event on July 29, 2021) “Tracking The Trail Of Software: The Key To Boosting Security” “Introducing SLSA, an End-to-End Framework for Supply Chain Integrity” DORA study

Jul 19, 2021 • 21min
Threat Detection at Google Cloud Security Summit
No guests. We interviewed each other!
Topics: What would you say are the most things that Chronicle is trying to address today? What are the good ways to use threat intel to detect threats that do not ruin your SOC? What does “autonomic” security mean, anyway? Is this a fancy way of saying “automatic” or something more? For sure, “the Cloud is not JUST someone else’s computer“ - but how does this apply to threat detection? What makes threat detection “cloud-native”? What kinds of ML magic does your mini UEBA inside SCC use? Can you really do automated remediation in the cloud?
Resources: Google Cloud Security Summit “Making Invisible Security a Reality with Google” keynote “Security Analytics at Google Speed and Scale” presentation by Anton “Managing Your Security Posture on Google Cloud” presentation by Tim “Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…” blog Chronicle main site Threat Detection in Logs in Google Cloud SCC video “Modern Threat Detection at Google” (episode 17) “Automate and/or Die?” (episode 3)

Jul 12, 2021 • 24min
Securing Multi-Cloud from a CISO Perspective, Part 3
Guests: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud; Dave Hannigan, Director, Financial Services Security & Compliance @ Google Cloud
Topics: As a CISO, would you ever decide to use multiple clouds, if it were in your hands? How is security typically considered when companies go multi-cloud in their approach? Practically, or operationally, how does one think through securing multiple public cloud environments? What are the top challenges here? Different controls? Lack of tools? Confusing process? Skills on the team? Would you always buy security tools from a 3rd party (not a CSP) if you have to cover more than one cloud provider? Anything to add about compliance across multiple clouds? What is the best approach for securing multiple SaaS services that your company uses?
Resources: “IDC: A multicloud strategy can mitigate regulatory, business risks” “Anthos security” SANS papers on securing multiple clouds (example)

Jul 6, 2021 • 24min
Security Marketing? Every Product Needs a Story!
Guest: Kelly Anderson, Head of Product Marketing, User Protection Services @ Google Cloud
Topics: What is marketing, really? Why is it sometimes reviled by the technologists? What makes a great marketer in cloud security? What’s different about cloud security marketing, as opposed to regular old on-premise security marketing? Is there still FUD in the cloud? Which things are the easiest or hardest to do in Google Cloud Security marketing? How do you talk about products so they stand out from the noise? How’s Google Cloud marketing helping our users stay ahead of the adversaries?
Resources: Security insights that help customers stay up to date Customer case studies on our security products Quarterly Google Cloud Security Talks Cloud security webinars on BrightTALK and Cloud OnAir Identity and security blogs on the Google Cloud blog

Jun 28, 2021 • 28min
Security Operations, Reliability, and Securing Google with Heather Adkins
Guest: Heather Adkins, Sr Director, Information Security @ Google
Topics: Your RSA presentation has 3 pillars: zero trust, microservices, automation/zero prod, is this all you need to be secure & reliable in the modern world? Let’s drill down again into the “secure and reliable” concept, are you sure that they are interrelated? Is there a risk that microservices could actually increase attack surface? What are the practical security upsides of “no touch production”? SRE and DevOps revolutionized IT, can we expect a similar revolution for security? Where would it come from?
Resources: “Building Secure and Reliable Systems” RSA 2021 presentation by Heather Adkins “Building Secure and Reliable Systems” book (free) “Modern Threat Detection at Google” (ep 17) Google BeyondCorp Google BeyondProd NIST 800-27 “Zero Trust Architecture”

Jun 21, 2021 • 34min
Double-clicking, but not on fire hydrants, with bot fighters
Guest 1: Sparky Toews, Product Manager for Adobe identity @ Adobe
Topics 1: Why are bots a problem to you? Give us a bit of your bot threat assessment? Can you tell us how you think about and practice securing the user experience? What kind of security products or best practices are involved? How do you see what security professionals do to secure the user experience evolving over time?
Guests 2: Randy Gingeleski, Senior Staff Security Engineer @ HBO Max; Brian Lozada, CISO @ HBO Max
Topics 2: Can you tell us how you think about and practice securing the user experience at HBO? What kind of security products or best practices are involved? How does reCAPTCHA Enterprise fit into all of this? How do you see what security professionals do to secure the user experience evolving over time?