Cloud Security Podcast by Google

Guest: Derek Abdine, CTO @ Censys.io Topics: Attack Surface Management (ASM). Why do we need a new toolset and a new category? Isn't this just 1980s asset management or CMDB? How do we find those assets that may have been misplaced by the organizations? How can any technology do this reliably? ASM seems to often rely on network layer 3 and 4. Can't bad guys just hit the app endpoints and all your network is irrelevant then? When you think about the threats organizations face due to unknown assets, is data theft at the top of the stack? What should organizations keep in mind as a priority here? Who at an organization is best set up to receive, triage, investigate, and respond to the alerts about the attack surface? Are there proactive steps organizations can take to prevent shadow IT, or are we stuck responding to each new signal? Isn't preventing new assets the same as preventing business? Resources: "Cloud Misconfiguration Mayhem An Analysis of Service Exposure Across Cloud Providers" "Attack Surface Management Buyer's Guide"

Guest: Iman Ghanizada, Solutions Manager for Security Operations & Analytics @ Google Cloud Topics: What is your book "Google Cloud Certified Professional Cloud Architect All-in-One Exam Guide" about? What was your journey into writing this book, how long did it take? The book seems to be targeted towards Cloud Architects, but you come from a predominantly security background, how has that influenced your writing of this book? What does this have to do with The Certs Guy (14 certs!?) and what's his mission? What's the intersectional thinking on certificates and making our industry more accessible and inclusive? Do certs help or hurt this? So what's your advice on certs for various career stages? What are some of the biggest architectural challenges you've seen in the field of Cloud Security? Resources: Book "Google Cloud Certified Professional Cloud Architect All-in-One Exam Guide" TheCertsGuy site

Guest: Vicente Diaz, Threat Intelligence Strategist @ VirusTotal Topics: How would you describe modern threat hunting process? Share some of the more interesting examples of attacker activities or artifacts you've seen? Do we even hunt for malware? What gets you more concerned, malware or human attackers? How do you handle the risk of attackers knowing how you perform hunting? What is the role of threat research role for hunting? Do you need research to hunt well? Does threat research power attribution? How do you tell a good YARA rule from a bad one, and a great one? What's the evolutionary journey for a YARA rule? What is your view on the future of hunting? Resources: YARA documentation "Deep Thinking: Where Machine Intelligence Ends and Human Creativity Begins" by Gary Kasparov

Guest: Sam Curry, Chief Security Officer @ Cybereason and Visiting Fellow @ National Security Institute Topics: EDR was "invented" in 2013 and we are now in 2021. What do you consider to be modern EDR components and capabilities? Where has EDR fallen short on its initial hype? How focused are the attackers on bypassing EDR? How do you think EDR works in the cloud? In your view, how would future EDR work for containers, microservices, etc? Why aren't we winning the war against ransomware? XDR is an interesting concept, so how do you define XDR? Is XDR just EDR++ or is XDR SIEM 4.0? Resources: "The Pyramid of Pain" blog by David Bianco "Named: Endpoint Threat Detection & Response" "Dune" book "The Bomber Mafia" book

Guest: Andy Wen, Product Lead for Abuse & Security @ Google Cloud Topics: What are you doing with AI for security? What kinds of security problems are addressable with AI, and which ones are harder to address with ML techniques? Tell us where you've been surprised by AI's success? Do you expect a) AI use by adversaries and b) attacks focused on disrupting the AI use by defenders? What advice would you give a PM or technical lead starting out on thinking they want to use AI to solve a problem? Resources: Andy Wen presentation from Cloud Security Talks 2021 "The Future of Machine Learning and Cybersecurity"

Guest: Keith McCammon, Co-founder and Chief Security Officer, Red Canary Topics: What is Detection Engineering? How it differs from just building rules/analytics? How to convert threat intelligence into detections? How to tell good detections from bad? And perhaps also good from great? How to test detections in the real world? Anything special about building detections for cloud environments? What do you think is the role of "rule-less" (such as ML) detections? Is "ML unicorn cavalry" coming? Resources: The Red Canary Blog 2021 Threat Detection Report Alerting and Detection Strategy Framework Atomic Red Team toolset

Guest: Johnathan Keith, Director of Information Security (CISO) @ ViacomCBS Streaming / Digital (at the time of the recording) Topics: What is the mission for your SOC? Has it evolved in recent years? How do you rate your state of maturity in security operations? I hear that your organization is complex and decentralized, how do you run a SOC in such a case? How do you approach the balance of people, process and technology in your SOC? What is the role of outsourcing in your SOC? Is cloud included in your SOC mission scope? What are the immediate things you plan to improve? Resources: Security Summit Talk that this podcast episode is based on (all Google Cloud Security Summit 2021 talks)

Guest: John Stone, Chaos Coordinator at the Office of the CISO @ Google Cloud Topics: What are the top European-specific cloud migration security challenges? Are there interesting cloud adoption barriers related to security in Europe? Are some of these challenges more compliance than security related? Do you think compliance still drives security in the cloud for European companies? Do you think Europe can ever "make their own cloud"? So, what do you make of this entire movement about "data sovereignty"?

Guests: Eric Brewer, VP of Infrastructure, and Google Fellow @ Google Aparna Sinha, Director of Product Management @ Google Cloud Topics: What is software supply chain security and how is it different from other kinds of supply chain security? What types of organizations need to care about it? Is supply chain security a concern for large, elite enterprises only? What's the relationship between what we're doing here, and what SBOM is? Can you talk us through a quick threat assessment of a supply chain security issue? What are the realistic threats here and who are the threat actors involved? How does Google try to solve these problems internally? Have we succeeded? How does this translate into our products? By the way, what's SLSA? Resources: "Container Security: Building trust in your software supply chain" (live event on July 29, 2021) "Tracking The Trail Of Software: The Key To Boosting Security" "Introducing SLSA, an End-to-End Framework for Supply Chain Integrity" DORA study

No guests. We interviewed each other! Topics: What would you say are the most things that Chronicle is trying to address today? What are the good ways to use threat intel to detect threats that do not ruin your SOC? What does "autonomic" security mean, anyway? Is this a fancy way of saying "automatic" or something more? For sure, "the Cloud is not JUST someone else's computer" - but how does this apply to threat detection? What makes threat detection "cloud-native"? What kinds of ML magic does your mini UEBA inside SCC use? Can you really do automated remediation in the cloud? Resources: Google Cloud Security Summit "Making Invisible Security a Reality with Google" keynote "Security Analytics at Google Speed and Scale" presentation by Anton "Managing Your Security Posture on Google Cloud" presentation by Tim "Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…" blog Chronicle main site Threat Detection in Logs in Google Cloud SCC video "Modern Threat Detection at Google" (episode 17) "Automate and/or Die?" (episode 3)