Cloud Security Podcast by Google

Anton Chuvakin
Jan 22, 2024 • 25min

EP156 Living Off the Land and Attacking Critical Infrastructure: Mandiant Incident Deep Dive

Sandra Joyce, VP at Mandiant Intelligence, discusses a complex incident targeting critical infrastructure in Ukraine, involving living off the land and attacks on operational technology. The podcast explores the challenges of investigating incidents with living off the land techniques and wipers. The chapter also discusses the challenges faced by North Korea in moving money and the shift in focus by attackers during the invasion period.
Jan 15, 2024 • 39min

EP155 Cyber, Geopolitics, AI, Cloud - All in One Book?

Guests: Derek Reveron, Professor and Chair of National Security at the US Naval War College; John Savage, An Wang Professor Emeritus of Computer Science of Brown University
Topics: You wrote a book on cyber and war, how did this come about and what did you most enjoy learning from the other during the writing process? Is generative AI going to be a game changer in international relations and war, or is it just another tool? You also touch briefly on lethal autonomous weapons systems and ethics–that feels like the genie is right in the very neck of the bottle right now, is it too late? Aside from this book, and the awesome course you offered at Brown that sparked Tim’s interest in this field, how can we democratize this space better? How does the emergence and shift to Cloud impact security in the cyber age? What are your thoughts on the intersection of Cloud as a set of technologies and operating model and state security (like sovereignty)? Does Cloud make espionage harder or easier?
Resources: “Security in the Cyber Age” book (and their other books’); “Thinking, Fast and Slow” book; “No Shortcuts: Why States Struggle to Develop a Military Cyber-Force” book; “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age” book; “Active Cyber Defense: Applying Air Defense to the Cyber Domain”; EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same?; EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith?
Jan 8, 2024 • 36min

EP154 Mike Schiffman: from Blueboxing to LLMs via Network Security at Google

Guest: Mike Schiffman, Network Security “UTL”
Topics: Given your impressive and interesting history, tell us a few things about yourself? What are the biggest challenges facing network security today based on your experience? You came to Google to work on Network Security challenges. What are some of the surprising ones you’ve uncovered here? What lessons from Google's approach to network security absolutely don’t apply to others? Which ones perhaps do? If you have to explain the difference between network security in the cloud and on-premise, what comes to mind first? How do we balance better encryption with better network security monitoring and detection? Speaking of challenges in cryptography, we’re all getting fired up about post-quantum and network security. Could you give us the maybe 5 minute teaser version of this because we have an upcoming episode dedicated to this? I hear you have some interesting insight on LLMs, something to do with blueboxing or something. What is that about?
Resources: Video; EP113 Love it or Hate it, Network Security is Coming to the Cloud; EP122 Firewalls in the Cloud: How to Implement Trust Boundaries for Access Control; “A History of Fake Things on the Internet” by WALTER J. SCHEIRER; Why Google now protects its internal communications from quantum threats; How Google is preparing for a post-quantum world; NIST on PQC; “Smashing The Stack For Fun And Profit” (yes, really)
Dec 18, 2023 • 29min

EP153 Kevin Mandia on Cloud Breaches: New Threat Actors, Old Mistakes, and Lessons for All

Kevin Mandia, CEO at Mandiant, discusses surprising cloud breaches in 2023 and the lessons learned from them. He explains the differences between cloud breaches and on-prem breaches. Mandia also highlights the mistakes and risks that led to cloud breaches and shares insights on how organizations can limit the impact. The episode emphasizes the importance of preparing for cloud breaches and detecting threats effectively. The hosts conclude by asking for advice on handling cloud breaches and recommend reading materials for CISOs.
Dec 11, 2023 • 26min

EP152 Trust, Security and Google's Annual Transparency Report

Guest: Michee Smith, Director, Product Management for Global Affairs Works, Google
Topics: What is Google Annual Transparency Report and how did we get started doing this? Surely the challenge of a transparency report is that there are things we can’t be transparent about, how do we balance this? What are those? Is it a safe question? What Access Transparency Logs are and if they are connected to the report –other than in Tim's mind and your career? Beyond building the annual transparency report, you also work on our central risk data platform. Every business has a problem managing risk–what’s special here? Do we have any Google magic here? Could you tell us about your path in Product Management here? You have been here eight years, and recently became Director. Do you have any advice for the ambitious Google PMs listening to the show?
Resources: Google Annual Transparency report; Access Transparency Logs; “Digital Asset Valuation and Cyber Risk Measurement: Principles of Cybernomics” book Keyun Ruan; “Trapped in a frame: Why leaders should avoid security framework traps” blog
Dec 4, 2023 • 26min

EP151 Cyber Insurance in the Cloud Era: Balancing Protection, Data and Risks

Guest: Monica Shokrai, Head Of Business Risk and Insurance For Google Cloud
Topics: Could you give us the 30 second run down of what cyber insurance is and isn't? Can you tie that to clouds? How does the cloud change it? Is it the case that now I don't need insurance for some of the "old school" cyber risks? What challenges are insurers facing with assessing cloud risks? On this show I struggle to find CISOs who "get" cloud, are there insurers and underwriters who get it? We recently heard about an insurer reducing coverage for incidents caused by old CVEs! What's your take on this? Effective incentive structure to push orgs towards patching operational excellence or someone finding yet another way not to pay out? Is insurance the magic tool for improving security? Doesn't cyber insurance have a difficult reputation with clients? “Will they even pay?” “Will it be enough?” “Is this a cyberwar exception?” type stuff? How do we balance our motives between selling more cloud and providing effective risk underwriting data to insurers? How soon do you think we will have actuarial data from many clients re: real risks in the cloud? What about the fact that risks change all the time unlike say many “non cyber” risks?
Resources: Video (LinkedIn, YouTube); Google Cloud Risk Protection program; “Cyber Insurance Policy” by Josephine Wolff; InsureSec
Nov 27, 2023 • 26min

EP150 Taming the AI Beast: Threat Modeling for Modern AI Systems with Gary McGraw

Guest: Dr Gary McGraw, founder of the Berryville Institute of Machine Learning
Topics: Gary, you’ve been doing software security for many decades, so tell us: are we really behind on securing ML and AI systems? If not SBOM for data or “DBOM”, then what? Can data supply chain tools or just better data governance practices help? How would you threat model a system with ML in it or a new ML system you are building? What are the key differences and similarities between securing AI and securing a traditional, complex enterprise system? What are the key differences between securing the AI you built and AI you buy or subscribe to? Which security tools and frameworks will solve all of these problems for us?
Resources: EP135 AI and Security: The Good, the Bad, and the Magical; Gary McGraw books; “An Architectural Risk Analysis Of Machine Learning Systems: Toward More Secure Machine Learning” paper; “What to think about when you’re thinking about securing AI”; Annotated ML Security bibliography; Tay bot story (2016); “Can you melt eggs?”; “Microsoft AI researchers accidentally leak 38TB of company data”; “Random number generator attack”; “Google's AI Red Team: the ethical hackers making AI safer”; Introducing Google’s Secure AI Framework
Nov 20, 2023 • 29min

EP149 Canned Detections: From Educational Samples to Production-Ready Code

Guests: John Stoner, Principal Security Strategist, Google Cloud Security; Dave Herrald, Head of Adopt Engineering, Google Cloud Security
Topics: In your experience, past and present, what would make clients trust vendor detection content? Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from? What is more important, seeing the detection or being able to change it, or both? If this is about seeing the detection code/content, what about ML and algorithms? What about the SOC analysts who don't read the code? What about “tuning” - is tuning detections a bad word now in 2023? Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic?
Resources: Video (Linkedin, YouTube); Github rules for Chronicle; DetectionEngineering.net by Zack Allen; “On Trust and Transparency in Detection” blog; “Detection as Code? No, Detection as COOKING!” blog; EP64 Security Operations Center: The People Side and How to Do it Right; EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting; EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil; Why is Threat Detection Hard?; Detection Engineering is Painful — and It Shouldn’t Be (Part 1, 2, 3, 4, 5)
Nov 12, 2023 • 30min

EP148 Decoding SaaS Security: Demystifying Breaches, Vulnerabilities, and Vendor Responsibilities

Adrian Sanabria, Director of Valence Threat Labs, talks about the structured approach to securing SaaS and the realistic threats to SaaS tools. They discuss the Microsoft 365 breach and the need for CVEs in SaaS vulnerabilities. The least understood aspects of securing SaaS are also addressed. The misconception that SaaS vendors handle all security responsibilities is debunked. The importance of IAM culture and hygiene governance in SaaS security is emphasized.
Nov 8, 2023 • 23min

EP147 Special: 2024 Google Cloud Security Forecast Report

Kelli Vanderlee, Senior Manager at Mandiant, discusses the 2024 Google Cloud Security forecast report. Topics include predicting threats, implications for cloud security in upcoming elections, and the role of AI in assisting attackers. The podcast also explores real-world events' impact on the cyber threat landscape and tactics used by threat actors to evade detection.
