Cloud Security Podcast by Google

Guest: Christopher "CJ" Johnson, retired Fire Chief, and Global Regulated Cloud Product Lead @ Google Cloud Topics: In political science, they define sovereignty as a local monopoly on the legitimate use of force. Why are we talking about "sovereignty" in IT? What is a sovereign cloud? How much of the term is marketing vs engineering? Who cares or should care about sovereign cloud? Is this about technical controls or paper/policy controls? Or both? What is the role for encryption and key management and key access justifications (like say Google Cloud EKM with KAJ) for sovereign cloud? Is sovereign cloud automatically more secure or at least has better data security? What threat models are considered for sovereign cloud technologies? Resources: Google Cloud External Key Manager (EKM) "Trust Google Cloud more with ubiquitous data encryption" blog "Software-Defined community cloud - a new way to "Government Cloud"" blog

Guest: David Stone, Staff Consultant at Office of the CISO, Google Cloud Topics: Speaking as a former CISO, what triggered your organization migration to the cloud? When did you and the security organization get brought in? How did you plan your security organization journey to the cloud? Did you take going to Cloud as an opportunity to change things beyond the tools you were using? As you got going into the cloud, what was the hardest part for your organization ? What was most surprising? Good surprise and bad surprise? How did you design security controls for the cloud? How do you validate and verify security controls in the cloud? How did you incorporate your cloud environment into your SOC's responsibility Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be? Resources: "How CISOs need to adapt their mental models for cloud security" "Megatrends drive cloud adoption—and improve security for all" "EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security" (ep47) "CISO's Guide to Cloud Security Transformation" paper [PDF] Google SRE book GCAT site

Guest: John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud Topics: So what is Autonomic Data Security, described in our just released paper? What are some notorious data security issues today? Perhaps common data security mistakes security leaders commit? What never worked in data security, like say manual data classification? How should organizations think about securing the data they migrated and the data that was created in the cloud? Do you really believe the cloud can make data security better than data security in traditional environments? Resources: "Modern Data Security: A path to autonomic data security" paper (NEW) "How autonomic data security can help define cloud's future" blog "Megatrends drive cloud adoption—and improve security for all" blog "Modernizing SOC ... Introducing Autonomic Security Operations" blog "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper "Zero Trust: Fast Forward from 2010 to 2021" (ep8) "Data Security in the Cloud" (ep2) and the resource. "Modern Data Security Approaches: Is Cloud More Secure?" (ep16) "Reflections on Trusting Trust" paper (1984).

Guest: Gorka Sadowski, Chief Strategy Officer @ Exabeam Topics: How do we get a legacy SOC team to think about the cloud? How to think about cloud threat detection, in general? What is different … threats, the environment, what else? What is the same? How do we know which TTPs are relevant for the new environments? What to bring with us to the cloud? Do content/rules and detection engines need to be different to cover the cloud detection use cases? What cases are appropriate for machine learning (ML) in the cloud? Does cloud threats drive the need for new ML detections? Resources: "11 Strategies of a World-Class Cybersecurity Operations Center" paper "Autonomic Security Operations: How to 10X Your SOC" paper "Indicators Of Compromise Vs. Tactics, Techniques, And Procedures" blog "How to Build and Operate a Modern Security Operations Center" (Gartner subscription required) "A SOC Tried To Detect Threats in the Cloud … You Won't Believe What Happened Next" blog

Guest: Cyrus Robinson, SOC Director and IR Team lead at Ingalls Information Security Topics: You've been using SOAR tools for years, so what do you think of the technology so far? What is driving SOAR adoption today? And what is inhibiting SOAR adoption? Realistically, how hard is SOAR to operationalize for a typical company? What are your favorite SOAR playbooks to start with? How to build, train and keep the SOAR team? Do they need to code to succeed? We like the SOAR maturity model approach. How would you imagine a SOAR adoption maturity model? How to implement SOAR from scratch in scaling operations? How to start? How to plan? How to not fail? Resources: "A Simple SOAR Adoption Maturity Model" blog "Planning Is Paramount When Adopting SOAR" blog Siemplify community version

Guest: Ben Johnson, CTO/co-founder @ Obsidian Security Topics: Why is there so much attention lately on SaaS security? Doesn't this area date back to 2015 or so? What do you see as the primary challenges in securing SaaS? What does a SaaS threat model look like? What are the top threats you see? CASB has been the fastest growing security market and it has grown into a broad platform and many assume that "securing SaaS = using CASB", what are they missing? Where would another technology to secure SaaS fit architecturally, inline with CASB or as another API-based system? Securing IaaS spanned a robust ecosystem of vendors (CWPP, CSPM, now CNAPP) and many of these have ambitions for securing SaaS, thus clashing with CASB. Where do you fit in this battle? For a while, you were talking more about CDR - what is it and do we really need a separate CDR technology? Resources: Obsidian Security blog and Resource Center Does the World Need Cloud Detection and Response (CDR)? blog Does the world need Cloud Detection and Response (CDR) as a new market segment? poll MITRE ATT&CK for SaaS matrix CISA SCUBA resource "Essentialism" book.

Guest: Tim Nguyen, Director of Detection and Response @ Google Topics: I know we don't like to say "SOC" here, so why don't we talk about the role of automation in detection and response (D&R) at Google? One SRE concept we found useful in security operations is "toil" - How do we squeeze toil out of D&R practice at Google? A combined analyst and engineer role (just like an SRE) was critical for both increasing automation and reducing toil, how hard was it to put this into practice? Tell us about that journey? How do we automate security signal analysis, can you give us a few examples? D&R metrics have been a big pain point for many organizations, how does SRE thinking of SLOs and SLIs (and less about SLAs) helps us in our "not SOC"? How do we avoid falling into the "time to respond" trap that rewards fast response, sometimes at the cost of good? Resource: SRE book, Chapter 5 - Eliminating Toil SRE book, Chapter 4 - Service Level Objectives "Building Secure and Reliable Systems" book "Achieving Autonomic Security Operations: Automation as a Force Multiplier" "Achieving Autonomic Security Operations: Reducing toil" "Taking an autonomic approach to security operations" video "Modern Threat Detection at Google" (ep17)

Guest: James Luo, Partner @ CapitalG Topics: You've looked at hundreds of security startups at the growth stage - what is getting funded? What is not getting funded? What is the difference? What's your view on the current market environment for security companies? Is security "recession-proof", whatever that means? How do you think about what problems are worth solving with a new venture vs existing vendors (and/or CSPs) expanding to cover the new area? Why do many cloud security vendors get funded and get high valuations while there is a wide perception that CSP (like us at Google) are doing security really well? How do we solve the challenge that many organizations are barely moving off "antivirus and firewalls" security of the 1990s? What is your best advice to cloud security startups trying to get wider adoption? Resources: "Demystifying 'shared Fate' - A New Approach To Understand Cybersecurity" CapitalG blog

Guest: Erik Bloch, Senior Director of Detection and Response at Sprinklr Topics: You recently coined a concept of "output-driven Detection and Response" and even perhaps broader "output-driven security." What is it and how does it work? Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that? You refer to a federated approach for Detection and Response" ("route the outcomes to the teams that need them or can address them"), but is it workable for any organization? What about the separation of duty concerns that some raise in response to this? What about the organizations that don't have any security talent in those teams? Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it? The model of "security team as a decision-maker, not an implementer" has a bit of a painful history, as this is what led to "GRC-only teams" who lack any technical knowledge. Why will this approach work this time? Resources: "RIP SOC. Hello D-IR" "Kill your SOC with a D-IR model" "Security De-Engineering: Solving the Problems in Information Risk Management" book "A SOCless Detection Team at Netflix" "Achieving Autonomic Security Operations: Automation as a Force Multiplier" "Start with Why: How Great Leaders Inspire Everyone to Take Action" book "Think Like a Monk: The Secret of how to Harness the Power of Positivity and be Happy Now" book "On "Output-driven" SIEM" "SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond" (ep58)

Guests: Dave "Merk" Merkel, CEO @ Expel Peter Silberman, CTO @ Expel Topics: Many MDRs claim to be "security from the cloud", but they actually don't know much about cloud security. What does good looks like for MDR in the cloud (cloud being a full range from IaaS to SaaS)? What are the key challenges for clients picking an MDR for their cloud environments? What are the questions to ask your potential MDR? Do clients want the same security outcomes done in the cloud vs on-premise? Does it mean that MSSP/MDR capabilities must be different for good coverage of the cloud? Is MDR technology different for Cloud detection and response as opposed to on-prem D&R? How do you communicate with clients about the importance and value of cloud specific detection vs detection for endpoints running in the cloud? What are the top threats against client cloud environments that you see, detect and protect from? Which clouds (IaaS?) are easiest for MDR to protect? What makes them easier to handle than the other Clouds? Resources: Who Does What In Cloud Threat Detection? How to Think about Threat Detection in the Cloud Cattle vs Pets reminder Expel Blog - Incident report: Spotting an attacker in GCP Expel Great eXpeltations 2022: Cybersecurity trends and predictions Expel Quarterly Threat Report: Q1 2022

Guest: Stefan Friedli, Senior Security Engineer @ Google Topics: What is our "red team" testing philosophy and approach at Google? How did we evolve to this approach? What is the path from testing to making Google and our users more secure? How does our testing power the improvements we make? What is unique about red teaming at Google? Care to share some fun testing stories or examples from your experience? Resources: "Building Secure & Reliable Systems" book (free) Threat Analysis Group (TAG) blog

Guests: none Topics: What have we seen at the RSA 2022 Conference? What was the most interesting and unexpected? What was missing? Resources: "RSA 2022 Musings: The Past and The Future of Security" Google Cloud Security at RSA 2022

Guest: James Condon, Director of Security Research @ Lacework Topics: What are realistic and actually observed cloud threats today? How did you observe them at Lacework? Cloud threats: are they on-premise style threats to cloud assets? We hate the line "cloud is just somebody else's computer" but apparently threats actors seem to think so? What is the 2nd most dangerous cloud issue after configuration mistakes? Why is it so common for organizations to have insecure configurations in their cloud environments? Give me a few examples of the most common mistakes organizations make, and what they can do to avoid those configurations. Cloud malware and ransomware / RansomOps, are these real risks today? Are we finally seeing the rise of Linux malware at scale (in the cloud)? As multi cloud expands in popularity, what are threat actors doing in this area? Are actors customizing their attacks on a per-cloud basis (AWS, GCP, Azure)? Resources: Lacework 2022 Cloud Threat Report "Securing DevOps: Security in the Cloud" book "Threat Models and Cloud Security" (ep12) Google Threat Horizons Report #1 Google Threat Horizons Report #2

Guest: Nicholas Carlini, Research Scientist @ Google Topics: What is your threat model for a large-scale AI system? How do you approach this problem? How do you rank the attacks? How do you judge if an attack is something to mitigate? How do you separate realistic from theoretical? Are there AI threats that were theoretical in 2020, but may become a daily occurrence in 2025? What are the threat-derived lessons for securing AI? Do we practice the same or different approaches for secure AI and reliable AI? How does relative lack of transparency in AI helps (or hurts?) attackers and defenders? Resources: "Red Teaming AI Systems: The Path, the Prospect and the Perils" at RSA 2022 "Killed by AI Much? A Rise of Non-deterministic Security!" Books on Adversarial ML

Guest: Sounil Yu, CISO and Head of Research at JupiterOne Topics: How does your Cyber Defense Matrix apply to cloud security? Are things easier or harder? Cloud (at least the cloudy-cloud, also called cloud native) definitely supports "Distributed Immutable Ephemeral" (DIE) - your new creation, how does that change security and CDM? Cyber resilience generates a lot of confusion, how do you define and describe it? BTW, is the cloud more or less cyber resilient based on your definition? Is invisible security a good thing? Can we ever have it? When should security be visible? Intuitively, security and safety are not the same. So, what is the difference between cyber safety and cyber security? What is cyber safety, really? Resources: Cyber Defense Matrix Security DIE Triad Container Security: The Past or The Future? (ep54) This Binary Legit? How Google Uses Binary Authorization and Code Provenance (ep66) What is the useful definition of "cyber resilience"? poll Is the cloud just somebody else's computer? Poll Cattle vs Pets - DevOps Explained Gartner CIA-PSR model The 2022 State of Cyber Assets Report Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape "Antifragile" book "Thinking, Fast and Slow" book "Security Chaos Engineering" book

Guest: Sandra Guo, Product Manager in Security, Google Cloud Topics: We have a really interesting problem here: if we make great investments in our use of trusted repositories, and great investments in doing code review on every change, and securing our build systems, and having reproducible builds, how do we know that all of what we did upstream is actually what gets deployed to production? What are the realistic threats that Binary Authorization handles? Are there specific organizations that are more at risk from those? What's the Google inspiration for this work, both development and adoption? How do we make this work in practice at a real organization that is not Google? Where do you see organizations "getting it wrong" and where do you see organizations "getting it right"? We've had a lot of conversations about rolling out zero-trust for enterprise applications, how do those lessons (start small, be visible, plan plan plan) translate into deploying Binauthz into blocking mode? Resources: "Binary Authorization for Borg: how Google verifies code provenance and implements code identity" paper Binary Authorization for deploying trusted images DevOps & SRE at Google

Guests: Charles Carmakal, CTO at Mandiant Taylor Lehmann, Director at Office of the CISO, Google Cloud Topics: What are the current "popular" incidents at healthcare providers that you handled? Any of them involve cloud? Do healthcare CISOs have time for anything other than ransomware? Does insider threat matter? What can incident response teach us here? How do you think the threat actors benefit from the health data they steal? Based on your IR experience, what are the more interesting ways in, other than phishing? Give us your IR-informed take on ransomware pay/not pay focused on healthcare, ideally? Resources: "The key role 'visibility' plays in healthcare's cybersecurity resilience" "How healthcare can strengthen its own cybersecurity resilience" "M-Trends 2022: Cyber Security Metrics, Insights and Guidance From the Frontlines" "Future of EDR: Is It Reason-able to Suggest XDR?" (ep29) "MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications""VS21: A Playbook for Resiliency: Contain and Remediate Ransomware Before It Can Act" "FDA Announces Fix for Pacemaker Security Flaws"

Guest: Dave Herrald @ Principal Security Strategist, Google Cloud Topics: What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc)? How do you make SOC training realistic? Should training be about the toolset or should it be about the analyst's skills? Should you primarily train for engineering skills or analysis skills? Do you need to code to succeed in a modern SOC? Are competitive events like CTFs effective for SOC training? What role does SOC training play in bringing new, perhaps under-represented people into security operations and promoting inclusivity? Resources: Chris Sanders SOC classes SANS Holiday Hack Challenges SEC450: Blue Team Fundamentals: Security Operations and Analysis SANS NetWars "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper Boss of the SOC (BOTS) Dataset

Guests: Robert Herjavec, Founder and CEO of Herjavec Group Eric Foster, President of CYDERES Iman Ghanizada, Global Head of Autonomic Security Operations at Google Cloud. Topics: It's been a few months since we launched Autonomic Security Operations (ASO) and it seems like the whitepaper has been going viral in the industry. Tell us what ASO is about? How was the ASO story received by your customers? Any particular reactions? Will the ASO narrative inspire the next generation of practitioners? Where do you envision the market headed? ASO is about transforming the SOC, and that often involves culture change. How do you change the culture and deeper approaches common in security operations? What else can we do to evolve SOC faster than the threats and assets grow? Resources: This episode is based on a panel from This Google Cloud Security Talks Q1 2022 Panel "All Organizations Should Pursue Autonomic Security Operations… A Fireside Chat with SOC Elites." "All Organizations Should Pursue Autonomic Security Operations… A Fireside Chat with SOC Elites" on YouTube "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper "Modernizing the U.S. Federal Government's Approach to Cyber Threat Management with Autonomic Security Operations" paper

Guest: Etienne De Burgh, Senior Security and Compliance Specialist, Office of the CISO @ Google Cloud Topics: Why is API security hot now? What happened that made it a priority for many? Is API security different from application security? Doesn't the first "A" in API stand for application? What are the real threats to exposed APIs? APIs are designed for automated use, so how do you tell automated use from automated abuse / attack? What are the biggest challenges that companies are having with API security? What are the components of API security? Is there a "secure by default API"? API threat detection? Just like cloud in general, API misconfigurations seem to be leading to security problems, are APIs hard to configure securely for most organizations? Resources: Google Cloud Security Summit - come see us on May 17, 2022 "Securing web applications and APIs anywhere" (at our Security Summit) OWASP Top 10 for API Security "Best practices for securing your applications and APIs using Apigee"

No guests - just Anton and Tim Topics: Why cloud security? What do we really think about our podcast name and topic, cloud security? Can you once again explain security for the cloud, in the cloud, from the cloud? What is one thing that we learned from doing a podcast? Favorite cloud security trend that we encountered on the podcast? What did we learn about security from organization's migrating to the cloud? What are our favorite reading materials related to cloud security? What are our favorite tips from the guests on securing the cloud? Resources: "The Age of AI And Our Human Future" book "Practical Guide to Cloud Migration – Google - Site Reliability Engineering" (book, free) and other SRE books "Cloud Security podcast by Google turns 46 - Reflections and lessons!" "Cloud Security Podcast by Google — Popular Episodes by Topic" Our video trailer

Guest: Dylan Ayrey, cofounder of Truffle Security Topics: Could you explain briefly why identity is so important in the cloud? A skeptic on cloud security once told us that "in the cloud, we are one identity mistake from a breach." Is this true? For listeners who aren't familiar with GCP, could you give us the 30 second story on "what is a service account." How is it different from a regular IAM account? What are service account impersonations? How can I see if my service accounts can be impersonated? How do I detect it? How can I better secure my organization from impersonation attacks? Resources: Truffle Security blog "GCP Lateral Movement And Privileged Escalation Spill Over And Updates From Google" by Dylan Ayrey "Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments" blog "Kat Traxler - Taste the IAM" blogs

Guest: Sharon Goldberg, CEO and cofounder of BastionZero and a professor at Boston University Topics: What is your favorite definition of zero trust? You had posted a blog analyzing the whitehouse ZT a memo on the federal government's transition to "zero trust", what caught your eye about the Zero Trust memo and why did you decide to write about it? What's behind the federal government's recommendations to deprecate VPNs and recommend users "authenticate to applications, not networks"? What do these recommendations mean for cloud security, today and in the future? What do you think would be the hardest things to implement in real US Federal IT environments? Are there other recommendations in the memo to think about as organizations design zero trust strategies for their infrastructure? What are some of the challenges of implementing zero trust in general? Resources: "Zero Trust: Fast Forward from 2010 to 2021" (ep8) "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles" "I read the federal government's Zero-Trust Memo so you don't have to" "F12 isn't hacking: Missouri governor threatens to prosecute local journalist for finding exposed state data"

New Audio Trailer: Cloud Security Podcast by Google

Guests: Alexi Wiemer, Senior Manager at Deloitte Cyber Detection and Response Practice Dan Lauritzen, Senior Manager at Deloitte Cloud Security Practice. Topics: What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in? What is your best advice to SOCs that are permanently and woefully understaffed? Many SOC analysts are drowning in manual work, and it is easy to give advice that "they need to automate." What does this actually entail, in real life? What is, in your view, the most critical technology for a modern SOC? Is it SIEM? Is it SOAR? Is it EDR? What is the best advice for a SOC that was handed cloud on a platter and was told to monitor it for threats? Occasionally, we hear that "SOC is dead." What is your response to such dire SOCless predictions? Resources: "New Paper: "Future Of The SOC: Process Consistency and Creativity: a Delicate Balance" (Paper 3 of 4)" "New Paper: "Future of the SOC: Forces shaping modern security operations"" "New Paper: "Future of the SOC: SOC People — Skills, Not Tiers"" "New Paper: "Autonomic Security Operations — 10X Transformation of the Security Operations Center"" "A SOC Tried To Detect Threats in the Cloud … You Won't Believe What Happened Next" "Why Your Security Data Lake Project Will FAIL!"

Guest: Maddie Stone, Security Researcher @ Google Topics: How do we judge the real risk of being attacked using an exploit for a zero day vulnerability? Does the zero day risk vary by company, industry, etc? What does pricing for zero days tell us, if anything? Are prices more driven by supply or demand these days? What security controls or defenses are useful against zero days including against chained zero days? Where are the cloud zero days? We get lots of attention on iOS and Android, what about the cloud platforms? So, how do we solve the paradox of zero days, are they more scary than risky or more risky than scary? Or both? Resources: Project Zero blog A walk through Project Zero metrics Threat Analysis Group (TAG) blog

Guest: Erlander Lo, Security and Compliance Specialist @ Google Cloud Topics: Imagine you are planning a data warehouse in the cloud, how do you think about security? What are the expected threats to a large data store in the cloud? How to create your security approach for a data warehouse project? Are there regulations that force your decisions about security controls or approaches, no matter what the threats are? How do you approach data governance for this project? What controls are there to implement in Google Cloud for a secure data warehouse effort? Resources: Secure Data Warehouse blueprint (other blueprints) Creativity Inc book "Data Governance: The Definitive Guide" book

Guests: Brandie Anderson, Global Security Practice Lead @ Google Cloud Renzo Cuadros, Regional Security Practice Lead @ Google Cloud Topics: What are your Cloud migration security lessons? Greatest hits? Near misses? What are the most common cloud security mistakes you see? Any practices or tricks to avoid or mitigate them? How do you talk people out of security "lift and shift"? Do clients understand how threat models change when they migrate to the cloud? How clients typically handle compliance in the cloud? What regulations are the most challenging in the cloud? What is the future for cloud migration security? Do we foresee a future when most data is created in the cloud and there is no need to migrate anything? Resources: "Building Secure & Reliable Systems" book Google Cloud Architecture Framework "Threat Models and Cloud Security" (ep12) Modernizing compliance: Introducing Risk and Compliance as Code

Guest: Anna Belak, Director of Thought Leadership @ Sysdig Topics: One model for container security is "Infrastructure security | build security | runtime security" - which is most important to get right? Which is hardest to get right? How are you helping users get their infrastructure security right, and what do they get wrong most often here? Your report states that "3⁄4 of running containers have at least one "high" or "critical" vulnerability" and it sounds like pre-cloud IT, but this is about containers? This was very true before cloud, why is this still true in cloud native? Aren't containers easy to "patch" and redeploy? You say "Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production." but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don't fix things? "52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline." - isn't pipeline and repo scanning easier and cheaper? Why isn't this 90/10 but 40/50? "62% detect shells in containers" sounds (to Anton) that "62% zoos have a dragon in them" i.e. kinda surreal. What's the real story? Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers? Resources: Sysdig report Kubernetes podcast episode with Anna Belak EP15 Scaling Google Kubernetes Engine Security Sysdig learning hub

Guest: Amos Stern, CEO of SIEMplify, now part of Google Cloud Topics: SOAR is in the news again, so what can we say about the state of SOAR in 2022? What have we learned trying to get SOAR adopted 2015-2022 (that's 7 years of SOAR-ing for you)? What are the top playbooks to start your SOC automation using SOAR? What about the links between SOAR as security automation and general IT automation? Does the level of consolidation in this market mean that SOAR really is a feature of SIEMs and not a product in its own right? Resources: Siemplify blog Google Cloud Security Talks Q1 2022

Guest: Vijay Bolina, CISO at DeepMind Topics: We spend a lot of time on Artificial Intelligence (AI) safety, but what about security? What are some of the useful frameworks for thinking about AI security? What is different about securing AI vs securing another data-intensive, complex, enterprise application? What do we know about threat modeling for AI applications? What attacks against AI systems do we expect to see first in real life? What issues with AI security should we expect to face in 3-5 years? Resources: DeepMind Learning Resources DEFCON AI Village and videos CAMLIS

Guest: Vandy Ramadurai, Product Manager at Google Cloud Topics: What is Cloud Organization Policy, and how is it different from IaC and Policy as code (PaC)? What does successful organization policy design look like from a business and human standpoint? From a technical standpoint? Granular policy work is always hard. How is Google helping users get org policy right? What are the uniquely Google strengths here? Is the AI involved real or is this marketing pixie dust AI? How do users know if something should be a proactive control like a guardrail or if something should be a reactive control like a detection? Resources: Policy Intelligence tools NEXT'21 SEC 203 - Governance guardrails Least privilege for Cloud Functions using Cloud IAM

Guest: Elie Bursztein, security, anti-abuse and privacy researcher @ Google Topics: This episode draws on a talk available in the podcast materials. Could you summarize the gist of your talk for the audience? What makes the malicious document problem a good candidate for machine learning (ML)? Could you have used rules? "Millions of documents in milliseconds," not sure how to even parse it - what is involved in making it work? Can you explain to the listeners the motivation for reanalyzing old samples, what ground truth means in ML/detection engineering, and how you are using this technique? How fast do the attackers evolve and does this throw ML logic off? Do our efforts at cat-and-mouse with attackers make the mice harder for other people to catch? Does massive-scale ML detections accelerate the attacker's evolution? Resources: The RSA talk "Malicious Documents Emerging Trends: A Gmail Perspective" "EP40 2021: Phishing is Solved?" episode Elie's talks on his site

Guest: Taylor Lehmann, Director at the Office of the CISO @ Google Cloud, member of Cybersecurity Action Team Topics: What's top of mind for healthcare organizations' CISOs now? What common advice do you find yourself giving most often to security leaders in healthcare? Is there a list of top 3 items or is this all "it depends"? What regulations are shaping the healthcare industry and its adoption of new technology? HIPAA is from 1996, how does it work for the cloud in the 2020s? Why do you think we aren't seeing more cloud ransomware? Healthcare orgs are sometimes seen as "IT laggards", what are the key security lessons from their cloud migrations? How do we convince some of these organizations that cloud is more secure as long as they use it securely?

Guest: Nelly Porter, Group Product Manager @ Google Cloud Topics In the past year, what has changed with Confidential Computing here at Google? Could we please talk about a user or two who has really nailed it with our Confidential Computing? What have we learned about the threat models of clients who are choosing to deploy Confidential Computing? What are they solving for? Doing Confidential Computing "right" feels like a lot more than having some fancy CPUs with magic math. What challenges do customers face adopting it? We finally "married" Confidential Computing with EKM. What types of clients are deploying this new technology? What threats are they mitigating? What's on the horizon for Confidential Computing? Resources: "Trust Google Cloud more with ubiquitous data encryption" The Confidential Computing Consortium whitepapers Confidential Computing at Google EP12 Threat Models and Cloud Security

Guest: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics: Explain the whole cloud security megatrend concept to us? How can we better explain that "yes, cloud is more secure than most client's data centers"? Can you please explain "shared fate" one more time? Shared fate seems to require shared incentives. Do we see the incentives to invest in security changing within organizations migrating to Cloud? Cloud as the Digital Immune System sounds really cool, what does it mean for a typical practitioner - security and developers both? What about the risk aggregation (eggs in one basket) argument against relying on CSP for all security? Does software sovereignty mean that Cloud providers are always going to be held to common standards and lose out on the opportunity to sell highly differentiated software on top? Resources: IT Leaders: Pay Attention To These 8 Security Megatrends In 2022 Megatrends drive cloud adoption—and improve security for all

Guests: Alison Reyes, Director, Security Solutions, Google Cloud Iman Ghanizada, Solutions Manager for Security Operations & Analytics @ Google Cloud Topics: What is our thinking on solutions vs products for security? Sure, "security is a process, not a product," but where do solutions fit in? Security as an industry has too many vendors with little understanding of how users secure things, can solutions approach fix that? Google is sometimes known for writing code and just throwing it out there, do solutions change that dynamic for Google Cloud clients who come to us for security? Who are the target users for our security solutions? Why did we choose those solutions and not others? To me, solutions is how our products actually live in the real world. But can we really hope to transform customer operations with solutions? One of the solutions dear to my heart is Autonomic Security Operations that seeks to "10X the SOC", how was the experience so far? Is 10X real and what does it mean? How do we know if we succeeded, what are metrics for solutions? How do solutions fit with Google Cybersecurity Action Team launch? Do we need more action figures now? Resources: Google Cybersecurity Action Team NEXT Special - Google Cybersecurity Action Team: What's the Story? Google SRE books Autonomic Security Operations Web App and API Protection Achieving Autonomic Security Operations: Reducing toil Autonomic Security Operations: 10X Transformation of the Security Operations Center

Guests: Vlad Stolyarov, Security Engineer @ Threat Analysis Group (TAG) Vicente Diaz, Threat Intelligence Strategist @ VirusTotal Topics: Why GandCrab / REvil was the most popular ransomware family in 2020? What is ransomware as a service? Is every scary article about ransomware essentially marketing for the criminals? Some ransomware payoffs are huge, how do you think they spend the money? How else do they profit off stolen data apart from double extortion schemes? Are there triple extortion schemes? What is the concept of a "trusted brand in ransomware", is it better for clients because they will return the data? Why did non-Windows ransomware fail as a business? Do we expect 0day exploits to become more popular in ransomware? Based on this research, what is the key reason for ransomware's wild success? Resources: "Ransomware in a Global Context" report "Malware Hunting with VirusTotal" (ep30) Google TAG blog NoMoreRansom Org "Cybereason: 80% of orgs that paid the ransom were hit again" Google Cybersecurity Action Team Threat Horizons Report (full, brief)

Guest: Mike Orosz, a Chief Information and Product Security Officer @ Vertiv Topics: What are your views on modern SIEM? What should it do and what should it be? Should it even be called SIEM? Is SaaS/cloud-native SIEM the only way to go? Can anybody build a SIEM in the cloud by installing the regular SIEM on IaaS? What are the top challenges for organizations deploying and operationalizing SIEM today? What are some hidden or commonly forgotten costs for a SIEM deployment? Is open source the answer to SIEM? SIEM today should deliver on detection, hunting and investigation use cases, so what does it mean in terms of practical data retention? Resources: "On "Output-driven" SIEM" "Fake Cloud: Now There Are Two Hands in Your Pocket"

Guests: Amber Shafi, Production Manager GSK Svetlin Zamfirov, Senior Platform Engineer at GSK Ivan Angelov, Principal Platform Engineer at GSK Topics: Tell us about your team, what are you responsible for and how is the team setup to make that happen? What components of cloud security do you cover? Tell us about cloud misconfigurations and why these are different from on- premise misconfiguration? How are you discovering these misconfigurations? You've automated responses to misconfiguration. Beyond the obvious upsides of reducing team toil and time to response, what are the other benefits? Are there risk in this approach and how are they handled? How did this idea to automate come about, and what lessons did you learn along the way? How have you integrated with the cloud provider security tooling? Resources: "Automate and/or Die?" (ep3) "Automating Response to Security Events on Google Cloud Platform" from GSK blog GCP security blog

Guest: MK Palmore, Director at Office of the CISO, Google Cloud, member of Cybersecurity Action Team Topics: Why is there such a huge gap in security professionals who are women and people of color? How does the lack of women and people of color in tech impact the industry, cybersecurity & tech overall? Are diverse teams better performing, better morale, happier people? Are there kinds of threats that we miss in threat modeling exercises for lack of diverse team members? We've seen countless examples where AI/ML systems have had problems with laundering biases and having frankly appalling issues due to biased training data. What are security implications here? Are there organizations helping to close the representation gap in the security workforce and the cloud workforce? Why do the big tech companies and even the smaller ones have trouble identifying diverse talent? Why is this hard even for people and organizations who clearly want to improve it? Why do companies have a hard time retaining diverse talent? Resources: Cyversity Wicys

Guest: Ryan Noon, CEO @ Material Security Topics: When we think about traditional email security, we think anti-spam/phishing. Your company is doing other things, so what are they? In other words, isn't email security solved with legacy appliance vendors (SEG) and cloud email providers? What was the combination of technology and security opportunities that really resonated with you and your investors that led to your focus on email security? Security has almost 2000 vendors and they are noisy, how do you get to clients without screaming too loud? How do you build a better security vendor? Related to being better vendors, but more broadly, what can we do as an industry to make it easier to buy and get value out of our investments in new security tooling and technology? How can we build security tooling that requires less of our precious security team's time?

Guests Elie Bursztein, security, anti-abuse and privacy researcher @ Google Kurt Thomas, security, anti-abuse and privacy researcher @ Google Topics: Can we say that "Multi-Factor Authentication - if done well - fixes phishing for good" or is this too much to say? What are the realistic and seen-in-the-wild bypasses for MFA as a protection? How do you think these controls fare vs top tier attackers (clearly, they work vs commodity threats)? What do we know about burden vs value of MFA today? What can we realistically do to increase MFA/2FA adoption to the 90%s? Can we share anything about what we're seeing as industry benchmarks on MFA adoption so far? We've seen a lot of ugly debates over the value of SMS as MFA, what is your research-based take on this? Resources: Google Titan Security Key "Malicious Documents Emerging Trends: A Gmail Perspective" (RSA 2020) "New research: How effective is basic account hygiene at preventing hijacking" "New Research: Lessons from Password Checkup in action" "New research reveals who's targeted by email attacks" "New research: Understanding the root cause of account takeover" ""Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns" "Tales from the Trenches: Using AI for Gmail Security" (ep28)

Guests Elie Bursztein, security, anti-abuse and privacy researcher @ Google Kurt Thomas, security, anti-abuse and privacy researcher @ Google Topics: Can we say that "Multi-Factor Authentication - if done well - fixes phishing for good" or is this too much to say? What are the realistic and seen-in-the-wild bypasses for MFA as a protection? How do you think these controls fare vs top tier attackers (clearly, they work vs commodity threats)? What do we know about burden vs value of MFA today? What can we realistically do to increase MFA/2FA adoption to the 90%s? Can we share anything about what we're seeing as industry benchmarks on MFA adoption so far? We've seen a lot of ugly debates over the value of SMS as MFA, what is your research-based take on this? Resources: Google Titan Security Key "Malicious Documents Emerging Trends: A Gmail Perspective" (RSA 2020) "New research: How effective is basic account hygiene at preventing hijacking" "New Research: Lessons from Password Checkup in action" "New research reveals who's targeted by email attacks" "New research: Understanding the root cause of account takeover" ""Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns" "Tales from the Trenches: Using AI for Gmail Security" (ep28)

Guest: Jared Atkinson, Adversary Detection Technical Director at SpecterOps Topics: What are bad/good/great detections? Is this all about the Bianco's pyramid? Is high good and low bad? How should we judge the quality of detections? Can there be a quality framework? Is that judgment going to be site specific? What should we do to build more good directions? Is this all about reducing false positives? Can we really measure false negatives? How can we approach this? How can we test for detection goodness in the real world? What are the methods that work? It can't be just about paper ATT&CK coverage, right? What are your top 3 tips for improving the detection practice at an organization? Resources: "The Pyramid of Pain" post by David Bianco "On Threat Detection Uncertainty" "Detection Coverage and Detection-in-Depth" "Detection in Depth" by SpecterOps "Philosophy of Science: Rationality Without Foundations" by Karl Popper (yes, really) Red Canary "2021 Threat Detection Report" "The Black Swan: The Impact of the Highly Improbable" by Nassim Nicholas Taleb John Piaget's theory of cognitive development

Guests: Stephanie Wong Vicente Diaz, Jerome McFarland Scott Ellis Patrick Faucher Il-Sung Lee, Anoosh Saboori Topics: What is your session about? Why would audience care? What is special about your security technology? Resources: Google Cloud Next 2021 SEC212 6 layers of GCP data center security SEC101 Ransomware and cyber resilience SEC204 Take charge of your sensitive data SEC207 Securing the software supply chain SEC300 Trust the cloud more by trusting it less: Ubiquitous data encryption

Guest: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics: We are here to talk Google Cybersecurity Action Team, and this is your brainchild, so tell our audience the origin of this idea? How is Cybersecurity Action Team going to help secure GCP enterprise clients? Is there also a "improve the security of the internet" story? Many organizations seem stuck in the pre-cloud thinking and mental models, can Cybersecurity Action Team help them transform their security? How? When we sometimes present our security innovations to clients, they say "but we are not Google", so how does Cybersecurity Action Team help us bring more of Google Cybersecurity to the world? What else do we plan to do with Cybersecurity Action Team to help customers modernize their security? How should customers engage with Cybersecurity Action Team? Resources: Google Cybersecurity Action Team "Google Announces Cybersecurity Action Team to Support the Security Transformations of Public and Private Sector Organizations" "Site Reliability Engineering" book (free) "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper

Guest: Aditi Joshi, Manager in Cloud Security Team @ Google Cloud Topics: What is Allyship? How is it defined? What is its main goal? Why is allyship important in Cloud Security, specifically? Are there aspects of security that make allyship particularly important? What specifically has Google Cloud Security deployed and operationalized around Allyship? How does effective allyship look like? More personally, how can I be a better ally? How does it fit into Google Cloud Security's overarching DEI efforts?

Guest: Rob Sadowski, Trust and Security Lead @ Google Cloud Topics: What are the big security themes at NEXT? Is security still visible? What about invisible security vs autonomic security? Is that just "invisible security" with a neat name? This has got to be your fourth or fifth Next, right? What's new this year compared to last years, aside from being virtual? Anything particularly uniquely Google we're talking about? What to watch at NEXT, if you are a CISO? We secure not just GCP with our tools and approaches, so what to watch if not yet a GCP client? If you have only time for 3 security sessions, which 3 to watch? Resources: Google Cloud NEXT

Guest: Matt Svensson, Senior Security Engineer @ BetterCloud Topics: What are the approaches for monitoring serverless and other modern application architectures? What are the challenges with these new environments? What approaches don't work? What can go wrong with modern stack security monitoring? What should we watch for in a modern application stack? Most new architecture setups are predicated on identities so is identity the center of threat detection here or not?