
Cloud Security Podcast by Google
Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure.
We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit.
We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.
Latest episodes

Nov 27, 2023 • 26min
EP150 Taming the AI Beast: Threat Modeling for Modern AI Systems with Gary McGraw
Guest: Dr Gary McGraw, founder of the Berryville Institute of Machine Learning
Topics: Gary, you’ve been doing software security for many decades, so tell us: are we really behind on securing ML and AI systems? If not SBOM for data or “DBOM”, then what? Can data supply chain tools or just better data governance practices help? How would you threat model a system with ML in it or a new ML system you are building? What are the key differences and similarities between securing AI and securing a traditional, complex enterprise system? What are the key differences between securing the AI you built and AI you buy or subscribe to? Which security tools and frameworks will solve all of these problems for us?
Resources: EP135 AI and Security: The Good, the Bad, and the Magical; Gary McGraw books; “An Architectural Risk Analysis Of Machine Learning Systems: Toward More Secure Machine Learning” paper; “What to think about when you’re thinking about securing AI”; Annotated ML Security bibliography; Tay bot story (2016); “Can you melt eggs?”; “Microsoft AI researchers accidentally leak 38TB of company data”; “Random number generator attack”; “Google's AI Red Team: the ethical hackers making AI safer”; Introducing Google’s Secure AI Framework

Nov 20, 2023 • 29min
EP149 Canned Detections: From Educational Samples to Production-Ready Code
Guests: John Stoner, Principal Security Strategist, Google Cloud Security; Dave Herrald, Head of Adopt Engineering, Google Cloud Security
Topics: In your experience, past and present, what would make clients trust vendor detection content? Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from? What is more important, seeing the detection or being able to change it, or both? If this is about seeing the detection code/content, what about ML and algorithms? What about the SOC analysts who don't read the code? What about “tuning” - is tuning detections a bad word now in 2023? Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic?
Resources: Video (LinkedIn, YouTube); GitHub rules for Chronicle; DetectionEngineering.net by Zack Allen; “On Trust and Transparency in Detection” blog; “Detection as Code? No, Detection as COOKING!” blog; EP64 Security Operations Center: The People Side and How to Do it Right; EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting; EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil; Why is Threat Detection Hard?; Detection Engineering is Painful — and It Shouldn’t Be (Part 1, 2, 3, 4, 5)

Nov 12, 2023 • 30min
EP148 Decoding SaaS Security: Demystifying Breaches, Vulnerabilities, and Vendor Responsibilities
Adrian Sanabria, Director of Valence Threat Labs, talks about the structured approach to securing SaaS and the realistic threats to SaaS tools. They discuss the Microsoft 365 breach and the need for CVEs in SaaS vulnerabilities. The least understood aspects of securing SaaS are also addressed. The misconception that SaaS vendors handle all security responsibilities is debunked. The importance of IAM culture and hygiene governance in SaaS security is emphasized.

Nov 8, 2023 • 23min
EP147 Special: 2024 Google Cloud Security Forecast Report
Kelli Vanderlee, Senior Manager at Mandiant, discusses the 2024 Google Cloud Security forecast report. Topics include predicting threats, implications for cloud security in upcoming elections, and the role of AI in assisting attackers. The podcast also explores real-world events' impact on the cyber threat landscape and tactics used by threat actors to evade detection.

Nov 5, 2023 • 24min
EP146 AI Security: Solving the Problems of the AI Era: A VC's Insights
Guest: Wei Lien Dang, GP at Unusual Ventures
Topics: We have a view at Google that AI for security and security for AI are largely separable disciplines. Do you feel the same way? Is this distinction a useful one for you? What are some of the security problems you're hearing from AI companies that are worth solving? AI is obviously hot, and as always security is chasing the hotness. Where are we seeing the focus of market attention for AI security? Does this feel like an area that's going to have real full products or just a series of features developed by early stage companies that get acquired and rolled up into other orgs? What lessons can we draw on from previous platform shifts, e.g. cloud security, to inform how this market will evolve?
Resources: “What to think about when you’re thinking about securing AI” blog / paper; EP135 AI and Security: The Good, the Bad, and the Magical; EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?; EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models; Introducing Google’s Secure AI Framework; OWASP Top 10 for Large Language Model Applications; Unusual VC Startup Field Guide; Demystifying LLMs and Threats by Caleb Sima

Oct 29, 2023 • 21min
EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith?
Guest: Jay Thoden van Velzen, Strategic Advisor to the CSO, SAP
Topics: What are the challenges with shared responsibility for cloud security? Can you explain "shared" vs "separated" responsibility? In your article, you mention “shared faith”, we have “shared fate”, but we never heard of shared faith. What is this? Can you explain? What about the cloud models (SaaS, PaaS, IaaS), how does this sharing model differ? While at it, what is cloud, really? [yes, we really did ask this!]
Resources: LinkedIn post and Blog; EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge; “Security Chaos Engineering” book; Shared responsibility failures blog; Shared fate at Google Cloud (also see blogs one and two); National Cyber Security strategy

Oct 23, 2023 • 29min
EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models
Kathryn Shih, Group Product Manager in Google Cloud Security, discusses the capabilities and risks of Large Language Models (LLMs). Topics covered include understanding LLMs, their association with intelligence, risks of model tuning, data access control, and security considerations. The podcast provides insights into the nuances and challenges of working with LLMs and offers tips for improving outcomes with them.

Oct 16, 2023 • 26min
EP143 Cloud Security Remediation: The Biggest Headache?
In this episode, Tomer Schwartz, CTO at Dazz, discusses the challenges of cloud security remediation, including detecting vulnerabilities, overcoming process breakdowns, and addressing automation. The chapter topics cover difficulties in vulnerability management, patching containers, and the need for alignment between security and development teams.

Oct 9, 2023 • 33min
EP142 Cloud Security Podcast Ask Me Anything #AMA 2023
Guests Anton Chuvakin and Tim Peacock discuss their journeys into security, the '3am test' for effective alerts, sourcing topics for the podcast, and hopes for the future of security.

Oct 2, 2023 • 25min
EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same?
Jeremiah Kung, Global Head of Information Security at AppLovin, discusses East vs West CISO mentality and the cloud's impact on security. He shares lessons from cloud migrations in 2015 and offers advice for securing clouds in 2023. Kung also provides tips for building a collaborative mindset and transforming an outdated security technology stack.