Guests: No guests! Just Tim and Anton Topics: Hard to believe we've been doing these since 2022, is that right? What did we see this year at RSA, apart from AI? And more AI? And more AI? What framework can we use to understand the approaches vendors take to AI and security? Just saying "AI washing" is not enough! How to tell "AI washer" from "AI tourist"?  I sense that "securing AI" (and agents) is finally growing as fast as "using AI for security", do you agree? Is the AI vulnerability apocalypse coming? Soon? Have we seen any signs of AI backlash? Resource: Video version EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025 RSA 2025: AI's Promise vs. Security's Past — A Reality Check blog EP172 RSA 2024: Separating AI Signal from Noise, SecOps Evolves, XDR Declines? EP119 RSA 2023 - What We Saw, What We Learned, and What We're Excited About EP70 Special - RSA 2022 Reflections - Securing the Past vs Securing the Future EP255 Separating Hype from Hazard: The Truth About Autonomous AI Hacking EP256 Rewiring Democracy & Hacking Trust: Bruce Schneier on the AI Offense-Defense Balance

Guests: Kelli Vanderlee, Senior Manager, Threat Analysis, Mandiant, Google Cloud Scott Runnels, Mandiant Incident Response, Google Cloud  Topics: Do we need to rethink "Mean Time to Respond" entirely, or are we just in deep trouble? Why are threat groups collaborating so well, and are there actual lessons for defenders in their "business" model? What is the scalable advice for teams worried about voice phishing and GenAI cloning? What does "weaponizing the administrative fabric" actually mean in a world where identity is the perimeter? Why is identity/SaaS compromise "news" in 2026 when cloud security folks have been shouting about it for years? What actually changed? What's the latest in supply chain compromise, particularly regarding malicious open-source packages? How do we defend against malware that is "lazy" enough to use the victim's own AI tools for reconnaissance? What is the specific advice for Detection and Response (D&R) teams to handle "living off the land" (or "living off the cloud")? How do you fix the situation when IT and Security departments genuinely hate each other? Besides reading the report, what is the one book or piece of advice for a CISO to survive this year? Resources: Video version M-Trends 2026 Report EP222 From Post-IR Lessons to Proactive Security: Deconstructing Mandiant M-Trends EP254 Escaping 1990s Vulnerability Management: From Unauthenticated Scans to AI-Driven Mitigation EP205 Cybersecurity Forecast 2025: Beyond the Hype and into the Reality EP147 Special: 2024 Security Forecast Report "The Evolution of Cooperation" book

Guest: Raffael Marty, Operating Advisor, a SIEM legend since 1999 Topics: You argue that declaring existing SIEM being obsolete is a "marketing slogan" rather than a true thesis. What is the real pain point and the actual gap in traditional SIEMs as opposed to the more sensational claims? You highlight that "correlation, state, timelines, and real-time detection require locality," making centralization a necessary trade-off. Can a truly federated or decoupled SIEM architecture achieve the same fidelity and real-time performance for complex, stateful detections as a centralized one? You call the rise of independent security data pipelines the "SIEM Trojan Horse." How quickly is this abstraction layer turning SIEM into a "swappable" component, and what should SIEM vendors have done differently years ago to prevent this market from existing? This "AI SOC" thing, is this even real? Is AI in a SOC a better label? Do you think major SIEM vendors will own this very soon, like they did with UEBA and SOAR? If volume-based pricing is flawed because it penalizes good security hygiene, what is a better SIEM pricing model that fairly addresses compute, enrichment, and retention costs without just shifting the volume cost to unpredictable query charges? You question the idea that startups can find a better way to release detection rules than large vendors with significant content teams. What metrics should security leaders use to evaluate the quality of a vendor's detection engineering (DE) output beyond just coverage numbers? Can AI fix DE?   Resources: Video version The SIEM Maturity Framework: A Practical Scoring Tool for Security Analytics Platforms and raffy.ch/SIEM/ The Gaps That Created the New Wave of SIEM and AI SOC Vendors How AI Impacts the Cyber Market and The Future of SIEM Why Venture Capital Is Betting Against Traditional SIEMs EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI EP234 The SIEM Paradox: Logs, Lies, and Failing to Detect EP125 Will SIEM Ever Die: SIEM Lessons from the Past for the Future Decoupled SIEM: Brilliant or Stupid? Decoupled SIEM: Where I Think We Are Now?

Guest: Allie Mellen, Principal Analyst @ Forrester, author of "Code War: How Nations Hack, Spy, and Shape the Digital Battlefield" Topics: Your book focuses on the US, China, and Russia. When you were planning the book did you also want to cover players like Israel, Iran, and North Korea? Most of our listeners are migrating to or operating heavily in the cloud. As nations refine their "digital battlefield" strategies, does the "shared responsibility model" actually hold up against a nation-state actor? How does a company's detection strategy need to change when the adversary isn't a teenager looking for a ransom, but a state-funded group whose goal might be long-term persistence or subtle data manipulation? How should people allocate their resources to defending against both of these threats?  How afraid are you of a "bad guy with AI" scenarios? Mild anxiety or apocalyptic fears?  Do you see AI primarily helping "Tier 2" nations close the capability gap with the "Big Three," or does it just further cement the dominance of the nations that own the underlying compute and models? You've spent a lot of time as an analyst looking at how enterprises buy and run security tech. For a CISO at (say) mid-tier logistics company, should 'nation-state cyberattacks' even be on their threat model? Or is worrying about the spies just a form of security theater when they haven't even solved basic credential theft yet? Resource: Video version "Code War: How Nations Hack, Spy, and Shape the Digital Battlefield" by Allie Mellen Allie Mellen substack The source for the original "air defense on the roof" argument (2008) EP255 Separating Hype from Hazard: The Truth About Autonomous AI Hacking EP256 Rewiring Democracy & Hacking Trust: Bruce Schneier on the AI Offense-Defense Balance EP156 Living Off the Land and Attacking Critical Infrastructure: Mandiant Incident Deep Dive "Disrupting the first reported AI-orchestrated cyber espionage campaign" report

Guest: Alastair Paterson, CEO and co-founder @ Harmonic Security Topics: Harmonic Security focuses on securing generative AI in use. Can you walk us through a real, anonymized example of a data leak caused by employee AI usage that your platform has identified? AI governance gets thrown around a lot. What does this mean in the context of Shadow AI? How should organizations be thinking about governing AI in light of upcoming AI regulations in the US and in the EU? If we generally agree that employees are using AI tools before they are sanctioned, how can organizations control this? Network, API, endpoint? Many organizations struggle with the "ban vs. embrace" debate for generative AI. Based on your experience, what's a compelling argument for moving from a blanket ban to a managed, secure adoption model? Can you share a success story where this approach demonstrably reduced risk? The term "shadow AI" is often used interchangeably with "shadow IT" (but for AI-powered applications)  but you've highlighted that AI is a different beast. What is the single biggest distinction between managing the risk of unsanctioned AI tools versus unsanctioned IT applications? Looking forward, where do you see the biggest risks in the evolution of shadow AI? For instance, will the next threat be from highly specialized AI agents trained on proprietary data, or from the rapid proliferation of new, unmonitored open-source models? Given the speed of change in this space, what's one piece of advice you'd give to a CISO today who is just beginning to get a handle on their organization's shadow AI problem? Resources: Video version Harmonic Security research Shadow AI Strikes Back: Enterprise AI Absent Oversight in the Age of Gen AI blog Shadow Agents: A New Era of Shadow AI Risk in the Enterprise blog (RSA 2026 presentation coming!) Spotlighting 'shadow AI': How to protect against risky AI practices blog EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side (aka "dirty bomb episode") A Conversation with Alastair Paterson from Harmonic Security video

Guests: Alexander  Pabst, Global Deputy CISO, Allianz SE Michael Sinno, Director of D&R, Google Topics: We've spent decades obsessed with MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond). As AI agents begin to handle the bulk of triage at machine speed, do these metrics become "vanity metrics"? If an AI resolves an alert in seconds, does measuring the "mean" still tell us anything about the health of our security program, or should we be looking at "Time to Context" instead? You mentioned the Maturity Triangle. Can you walk us through that framework? Specifically, how does AI change the balance between the three points of that triangle—is it shifting us from a "People-heavy" model to something more "Engineering-led," and where does the "Measurement" piece sit? Google is famous for its "Engineering-led" approach to D&R. How is Google currently measuring the success of its own internal D&R program? Specifically, how are you quantifying "Toil Reduction"? Are we measuring how many hours we saved, or are we measuring the complexity of the threats our humans are now free to hunt? Toil reduction is a laudable goal for the team members, what are the metrics we track and report up to document the overall improvement in D&R for Google's board? When you talk to your board about the success of AI in your security program, what are the 2 or 3 "Golden Metrics" that actually move the needle for them? How do you prove that an AI-driven SOC is actually better, not just faster? We often talk about AI as an "assistant," but we're moving toward Agentic SOCs. How should organizations measure the "unit economics" of their SOC? Should we be tracking the ratio of AI-handled vs. Human-handled incidents, and at what point does a high AI-handle rate become a risk rather than a success? Resources: Video version EP252 The Agentic SOC Reality: Governing AI Agents, Data Fidelity, and Measuring Success EP238 Google Lessons for Using AI Agents for Securing Our Enterprise EP91 "Hacking Google", Op Aurora and Insider Threat at Google EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI EP189 How Google Does Security Programs at Scale: CISO Insights EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil The SOC Metrics that Matter…or Do They? blog An Actual Complete List Of SOC Metrics (And Your Path To DIY) blog Achieving Autonomic Security Operations: Why metrics matter (but not how you think) blog

Guest: Daniel Lyman, VP of Threat Detection and Response, Fiserv Topics: What is the right way for people to bridge the gap and translate executive dreams and board goals into the reality of life on the ground? How do we talk to people who think they have "transformed" their SOC simply by buying a better, shinier product (like a modern SIEM) while leaving their old processes intact? What are the specific challenges and advantages you've seen with a federated SOC versus a centralized one? What does a "federated" or "sub-SOC" model actually mean in practice? Why is the message that "EDR doesn't cover everything" so hard for some people to hear? Is this obsession with EDR a business decision or technology debt? How do you expect AI to change the calculus around data centralization versus data federation? What is your favorite example of telemetry that is useful, but usually excluded from a SIEM? What are the Detection and Response organizational metrics that you think are most valuable? Is the continued use of Excel an issue of tooling, laziness, or just because it is a fundamentally good way to interact with a small database? Resources: Video version "In My Time of Dying" book EP258 Why Your Security Strategy Needs an Immune System, Not a Fortress with Royal Hansen EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective The Gravity of Process: Why New Tech Never Fixes Broken Process and Can AI Change It? blog

Guest: Alex Shulman-Peleg, Global CISO at Kraken  Topics: You mentioned that centralized security can't work anymore. Can you elaborate on the key changes—driven by cloud, SaaS, and AI—that have made this traditional model unsustainable for a modern organization? Why do some persist at centralized, top down approach to security, despite that? What do you mean by "Freedom, Responsibility and distributed security"?  Can you explain the difference between "centralized security" and what you define as "security with distributed ownership"?  Is this the same "federated"? In our conversation you mentioned "cloud and AI- native", what do you mean by this (especially "AI-native") and how is this changing your approach to security?  You introduce the concept of "Security as quality" suggesting that a security-unaware developer is essentially a bad software developer. How do you shift the culture and internal metrics to make security an inherent quality standard, rather than a separate, compliance-driven checklist? You likened the central security team's new role to a "911 emergency service." Beyond incident response, what stays central no matter what, and how does the central team successfully influence the security posture of the entire organization without being directly responsible for the day-to-day work. Resources: Video version EP129 How CISO Cloud Dreams and Realities Collide EP258 Why Your Security Strategy Needs an Immune System, Not a Fortress with Royal Hansen EP212 Securing the Cloud at Scale: Modern Bank CISO on Metrics, Challenges, and SecOps

Guest: Dennis Chow, Director of Detection Engineering at UKG  Topics: We ended our season talking about the AI apocalypse. In your opinion, are we living in the world that the guests describe in their apocalypse paper?  Do you think AI-powered attacks are really here, and if so, what is your plan to respond? Is it faster patching? Better D&R? Something else altogether?  Your team has a hybrid agent workflow: could you tell us what that means?  Also, define "AI agent" please. What are your production use cases for AI and AI agents in your SOC? What are your overall SOC metrics and how does the agentic AI part play into that? It's one thing to ask a team "hey what did y'all do last week" and get a good report - how are you measuring the agentic parts of your SOC? How are you thinking about what comes next once AI is automatically writing good (!) rules for your team out of research blog posts and TI papers?  Resources: Video version Agentic AI in the SOC: Build vs Buy Lessons EP255 Separating Hype from Hazard: The Truth About Autonomous AI Hacking EP256 Rewiring Democracy & Hacking Trust: Bruce Schneier on the AI Offense-Defense Balance EP252 The Agentic SOC Reality: Governing AI Agents, Data Fidelity, and Measuring Success EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI EP242 The AI SOC: Is This The Automation We've Been Waiting For? Google Cloud Skill Boost

Guest: Vishwas Manral, CEO at Precize.ai Topic: Why is agent security so different from "just" LLM security? Why now? Agents are coming, sure, but they are - to put it mildly - not in wide use. Why create a top 10 list now and not wait for people to make the mistakes? It sounds like "agents + IAM" is a disaster waiting to happen. What should be our approach for solving this? Do we have one? Which one agentic AI risk keeps you up at night?  Is there an interesting AI shared responsibility angle here? Agent developer, operator, downstream system operator? We are having a lot of experimentation, but sometimes little value from Agents. What are the biggest challenges of secure agentic AI and AI agents adoption in enterprises? Resources: Top 10 threats and mitigation for AI Agents Past podcast AI episodes Cloud CISO Perspectives: How Google secures AI Agents (and paper) Top AI Risks from SAIF CoSAI From turnkey to custom: Tailor your AI risk governance to help build confidence

Guest: Elie Burstein,  Distinguished Scientist, Google Deepmind Topics:  What is Sec-Gemini, why are we building it? How does DeepMind decide when to create something like Sec-Gemini?  What motivates a decision to focus on something like this vs anything else we might build as a dedicated set of regular Gemini capabilities?  What is Sec-Gemini good at? How do we know it's good at those things?  Where and how is it better than a general LLM? Are we using Sec-Gemini internally?  Resources: Video version EP238 Google Lessons for Using AI Agents for Securing Our Enterprise EP255 Separating Hype from Hazard: The Truth About Autonomous AI Hacking EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side Big Sleep, CodeMender blogs

Guest: Royal Hansen, VP of Engineering at Google, former CISO of Alphabet Topics: The "God-Like Designer" Fallacy: You've argued that we need to move away from the "God-like designer" model of security—where we pre-calculate every risk like building a bridge—and towards a biological model. Can you explain why that old engineering mindset is becoming risky in today's cloud and AI environments? Resilience vs. Robustness: In your view, what is the practical difference between a robust system (like a fortress that eventually breaks) and a resilient system (like an immune system)? How does a CISO start shifting their team's focus from creating the former to nurturing the latter? Securing the Unknown: We're entering an era where AI agents will call other agents, creating pathways we never explicitly designed. If we can't predict these interactions, how can we possibly secure them? What does "emergent security" look like in practice? Primitives for Agents: You mentioned the need for new "biological primitives" for these agents—things like time-bound access or inherent throttling. Are these just new names for old concepts like Zero Trust, or is there something different about how we need to apply them to AI? The Compliance Friction: There's a massive tension between this dynamic, probabilistic reality and the static, checklist-based world of many compliance regimes. How do you, as a leader, bridge that gap? How do you convince an auditor or a board that a "probabilistic" approach doesn't just mean "we don't know for sure"?  "Safe" Failures: How can organizations get comfortable with the idea of designing for allowable failure in their subsystems, rather than striving for 100% uptime and security everywhere? Resources: Video version EP189 How Google Does Security Programs at Scale: CISO Insights BigSleep and CodeMender agents "Chasing the Rabbit" book   "How Life Works: A User's Guide to the New Biology" book

Guest: Chris Sistrunk, Technical Leader, OT Consulting, Mandiant Topics: When we hear "attacks on Operational Technology (OT)" some think of Stuxnet targeting PLCs or even backdoored pipeline control software plot in the 1980s. Is this space always so spectacular or are there less "kaboom" style attacks we are more concerned about in practice? Given the old "air-gapped" mindset of many OT environments, what are the most common security gaps or blind spots you see when organizations start to integrate cloud services for things like data analytics or remote monitoring? How is the shift to cloud connectivity - for things like data analytics, centralized management, and remote access -  changing the security posture of these systems? What's a real-world example of a positive security outcome you've seen as a direct result of this cloud adoption? How do the Tactics, Techniques, and Procedures outlined in the MITRE ATT&CK for ICS framework change or evolve when attackers can leverage cloud-based reconnaissance and command-and-control infrastructure to target OT networks? Can you provide an example? OT environments are generating vast amounts of operational data. What is interesting for OT Detection and Response (D&R)? Resources: Video version Cybersecurity Forecast 2026 report by Google Complex, hybrid manufacturing needs strong security. Here's how CISOs can get it done blog "Security Guidance for Cloud-Enabled Hybrid Operational Technology Networks" paper by Google Cloud Office of the CISO DEF CON 23 - Chris Sistrunk - NSM 101 for ICS  MITRE ATT&CK for ICS

Guest: Bruce Schneier Topics: Do you believe that AI is going to end up being a net improvement for defenders or attackers?  Is short term vs long term different? We're excited about the new book you have coming out with your co-author Nathan Sanders "Rewiring Democracy".  We want to ask the same question, but for society: do you think AI is going to end up helping the forces of liberal democracy, or the forces of corruption, illiberalism, and authoritarianism?  If exploitation is always cheaper than patching (and attackers don't follow as many rules and procedures), do we have a chance here?  If this requires pervasive and fast "humanless" automatic patching (kinda like what Chrome does for years), will this ever work for most organizations? Do defenders have to do the same and just discover and fix issues faster? Or can we use AI somehow differently? Does this make defense in depth more important? How do you see AI as changing how society develops and maintains trust?  Resources: "Rewiring Democracy" book "Informacracy Trilogy" book Agentic AI's OODA Loop Problem EP255 Separating Hype from Hazard: The Truth About Autonomous AI Hacking AI and Trust AI and Data Integrity EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025 RSA 2025: AI's Promise vs. Security's Past — A Reality Check

Guest: Heather Adkins, VP of Security Engineering, Google Topic: The term "AI Hacking Singularity" sounds like pure sci-fi, yet you and some other very credible folks are using it to describe an imminent threat. How much of this is hyperbole to shock the complacent, and how much is based on actual, observed capabilities today?  Can autonomous AI agents really achieve that "exploit - at - machine - velocity" without human intervention for the zero-day discovery phase? On the other hand, why may it actually not happen? When we talk about autonomous AI attack platforms, are we talking about highly resourced nation-states and top-tier criminal groups, or will this capability truly be accessible to the average threat actor within the next 6-12 months? What's the "Metasploit" equivalent for AI-powered exploitation that will be ubiquitous?  Can you paint a realistic picture of the worst-case scenario that autonomous AI hacking enables? Is it a complete breakdown of patch cycles, a global infrastructure collapse, or something worse? If attackers are operating at "machine speed," the human defender is fundamentally outmatched. Is there a genuine "AI-to-AI" counter-tactic that doesn't just devolve into an infinite arms race? Or can we counter without AI at all? Given that AI can expedite vulnerability discovery, how does this amplified threat vector impact the software supply chain? If a dependency is compromised within minutes of a new vulnerability being created, does this force the industry to completely abandon the open-source model, or does it demand a radical, real-time security scanning and patching system that only a handful of tech giants can afford? Are current proposed regulations, like those focusing on model safety or disclosure, even targeting the right problem?  If the real danger is the combinatorial speed of autonomous attack agents, what simple, impactful policy change should world governments prioritize right now? Resources: "Autonomous AI hacking and the future of cybersecurity" article EP20 Security Operations, Reliability, and Securing Google with Heather Adkins Introducing CodeMender: an AI agent for code security EP251 Beyond Fancy Scripts: Can AI Red Teaming Find Truly Novel Attacks? Daniel Miessler site and podcast "How SAIF can accelerate secure AI experiments" blog "Staying on top of AI Developments" blog

Guest: Caleb Hoch, Consulting Manager on Security Transformation Team, Mandiant, Google Cloud Topics: How has vulnerability management (VM) evolved beyond basic scanning and reporting, and what are the biggest gaps between modern practices and what organizations are actually doing? Why are so many organizations stuck with 1990s VM practices? Why mitigation planning is still hard for so many? Why do many organizations, including large ones, still rely on unauthenticated scans despite the known importance of authenticated scanning for accurate results? What constitutes a "gold standard" vulnerability prioritization process in 2025 that moves beyond CVSS scores to incorporate threat intelligence, asset criticality, and other contextual factors? What are the primary human and organizational challenges in vulnerability management, and how can issues like unclear governance, lack of accountability, and fear of system crashes be overcome? How is AI impacting vulnerability management, and does the shift to cloud environments fundamentally change VM practices? Resources: EP109 How Google Does Vulnerability Management: The Not So Secret Secrets! EP246 From Scanners to AI: 25 Years of Vulnerability Management with Qualys CEO Sumedh Thakar EP248 Cloud IR Tabletop Wins: How to Stop Playing Security Theater and Start Practicing How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends Mandiant M Trends 2025 EP204 Beyond PCAST: Phil Venables on the Future of Resilience and Leading Indicators Mandiant Vulnerability Management

Guests: Sivanesh Ashok, bug bounty hunter Sreeram KL, bug bounty hunter Topics: We hear from the Cloud VRP team that you write excellent bugbounty reports - is there any advice you'd give to other researchers when they write reports? You are one of Cloud VRP's top researchers and won the MVH (most valuable hacker) award at their event in June - what do you think makes you so successful at finding issues?  What is a Bugswat? What do you find most enjoyable and least enjoyable about the VRP? What is the single best piece of advice you'd give an aspiring cloud bug hunter today?  Resources: EP220 Big Rewards for Cloud Security: Exploring the Google VRP Cloud Vulnerability Reward Program Rules Insights from BugSWAT Google Cloud's Vulnerability Reward Program Critical Thinking Podcast

Guests: Alexander Pabst, Deputy Group CISO, Allianz Lars Koenig,  Global Head of D&R, Allianz  Topics:  Moving from traditional SIEM to an agentic SOC model, especially in a heavily regulated insurer, is a massive undertaking. What did the collaboration model with your vendor look like?  Agentic AI introduces a new layer of risk - that of unconstrained or unintended autonomous action. In the context of Allianz, how did you establish the governance framework for the SOC alert triage agents? Where did you draw the line between fully automated action and the mandatory "human-in-the-loop" for investigation or response? Agentic triage is only as good as the data it analyzes. From your perspective, what were the biggest challenges - and wins - in ensuring the data fidelity, freshness, and completeness in your SIEM to fuel reliable agent decisions? We've been talking about SOC automation for years, but this agentic wave feels different. As a deputy CISO, what was your primary, non-negotiable goal for the agent? Was it purely Mean Time to Respond (MTTR) reduction, or was the bigger strategic prize to fundamentally re-skill and uplevel your Tier 2/3 analysts by removing the low-value alert noise? As you built this out, were there any surprises along the way that left you shaking your head or laughing at the unexpected AI behaviors? We felt a major lack of proof - Anton kept asking for pudding - that any of the agentic SOC vendors we saw at RSA had actually achieved anything beyond hype! When it comes to your org, how are you measuring agent success?  What are the key metrics you are using right now? Resources: EP238 Google Lessons for Using AI Agents for Securing Our Enterprise EP242 The AI SOC: Is This The Automation We've Been Waiting For? EP249 Data First: What Really Makes Your SOC 'AI Ready'? EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI "Simple to Ask: Is Your SOC AI Ready? Not Simple to Answer!" blog "How Google Does It: Building AI agents for cybersecurity and defense" blog Company annual report to look for risk "How to Win Friends and Influence People" by Dale Carnegie "Will It Make the Boat Go Faster?" book

Guest: Ari Herbert-Voss, CEO at RunSybil Topics: The market already has Breach and Attack Simulation (BAS), for testing known TTPs. You're calling this 'AI-powered' red teaming. Is this just a fancy LLM stringing together known attacks, or is there a genuine agent here that can discover a truly novel attack path that a human hasn't scripted for it? Let's talk about the 'so what?' problem. Pentest reports are famous for becoming shelf-ware. How do you turn a complex AI finding into an actionable ticket for a developer, and more importantly, how do you help a CISO decide which of the thousand 'criticals' to actually fix first? You're asking customers to unleash a 'hacker AI' in their production environment. That's terrifying. What are the 'do no harm' guardrails? How do you guarantee your AI won't accidentally rm -rf a critical server or cause a denial of service while it's 'exploring'? You mentioned the AI is particularly good at finding authentication bugs. Why that specific category? What's the secret sauce there, and what's the reaction from customers when you show them those types of flaws? Is this AI meant to replace a human red teamer, or make them better? Does it automate the boring stuff so experts can focus on creative business logic attacks, or is the ultimate goal to automate the entire red team function away? So, is this just about finding holes, or are you closing the loop for the blue team? Can the attack paths your AI finds be automatically translated into high-fidelity detection rules? Is the end goal a continuous purple team engine that's constantly training our defenses? Also, what about fixing? What makes your findings more fixable? What will happen to red team testing in 2-3 years if this technology gets better? Resource: Kim Zetter Zero Day blog EP230 AI Red Teaming: Surprises, Strategies, and Lessons from Google EP217 Red Teaming AI: Uncovering Surprises, Facing New Threats, and the Same Old Mistakes? EP68 How We Attack AI? Learn More at Our RSA Panel! EP71 Attacking Google to Defend Google: How Google Does Red Team

Guest: Balazs Scheidler, CEO at Axoflow, original founder of syslog-ng Topics: Are we really coming  to "access to security data" and away from "centralizing the data"? How to detect without the same storage for all logs? Is data pipeline a part of SIEM or is it standalone? Will this just collapse into SIEM soon? Tell us about the issues with log pipelines in the past? What about enrichment? Why do it in a pipeline, and not in a SIEM? We are unable to share enough practices between security teams. How are we fixing it? Is pipelines part of the answer? Do you have a piece of advice for people who want to do more than save on their SIEM costs? Resources: EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective EP190 Unraveling the Security Data Fabric: Need, Benefits, and Futures EP228 SIEM in 2025: Still Hard? Reimagining Detection at Cloud Scale and with More Pipelines Axoflow podcast and Anton on it "Decoupled SIEM: Where I Think We Are Now?" blog "Decoupled SIEM: Brilliant or Stupid?" blog "Output-driven SIEM — 13 years later" blog

Guest: Monzy Merza, co-founder and CEO at Crogl Topics: We often hear about the aspirational idea of an "IronMan suit" for the SOC—a system that empowers analysts to be faster and more effective. What does this ideal future of security operations look like from your perspective, and what are the primary obstacles preventing SOCs from achieving it today? You've also raised a metaphor of AI in the SOC as a "Dr. Jekyll and Mr. Hyde" situation. Could you walk us through what you see as the "Jekyll"—the noble, beneficial promise of AI—and what are the factors that can turn it into the dangerous "Mr. Hyde"? Let's drill down into the heart of the "Mr. Hyde" problem: the data. Many believe that AI can fix a team's messy data, but you've noted that "it's all about the data, duh." What's the story? "AI ready SOC" - What is the foundational work a SOC needs to do to ensure their data is AI-ready, and what happens when they skip this step?   And is there anything we can do to use AI to help with this foundational problem? How do we measure progress towards AI SOC? What gets better at what time? How would we know?  What SOC metrics will show improvement? Will anything get worse?  Resources: EP242 The AI SOC: Is This The Automation We've Been Waiting For? EP170 Redefining Security Operations: Practical Applications of GenAI in the SOC EP227 AI-Native MDR: Betting on the Future of Security Operations? EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI EP238 Google Lessons for Using AI Agents for Securing Our Enterprise "Simple to Ask: Is Your SOC AI Ready? Not Simple to Answer!" blog Nassim Taleb "Antifragile" book "AI Superpowers" book "Attention Is All You Need" paper

Guest: Jibran Ilyas, Director for Incident Response at Google Cloud Topics: What is this tabletop thing, please tell us about running a good security incident tabletop?  Why are tabletops for incident response preparedness so amazingly effective yet rarely done well? This is cheap/easy/useful so why do so many fail to do it? Why are tabletops seen as kind of like elite pursuit? What's your favorite Cloud-centric scenario for tabletop exercises? Ransomware? But there is little ransomware in the cloud, no? What are other good cloud tabletop scenarios? Resources: EP60 Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM? EP179 Teamwork Under Stress: Expedition Behavior in Cybersecurity Incident Response EP222 From Post-IR Lessons to Proactive Security: Deconstructing Mandiant M-Trends EP177 Cloud Incident Confessions: Top 5 Mistakes Leading to Breaches from Mandiant EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

Guest:  David Gee, Board Risk Advisor, Non-Executive Director & Author, former CISO Topics: Drawing from the "Aspiring CIO and CISO" book's focus on continuous improvement, how have you seen the necessary skills, knowledge, experience, and behaviors for a CISO evolve, especially when guiding an organization through a transformation? Could you share lessons learned about leadership and organizational resilience during such a critical period, and how does that experience reshape your approach to future transformations? Many organizations are undergoing transformations, often heavily involving cloud technologies. From your perspective, what is the most crucial—and perhaps often overlooked—role a CISO plays in ensuring security is an enabler, not a roadblock, during such large-scale changes? Have you ever seen a CISO who is a cloud champion for the organization? Your best advice for a CISO meeting cloud for the first time? What is your best advice for a CISO meeting AI for the first time? How do you balance the continuous self-improvement and development with the day-to-day pressures and responsibilities? Resources: "A Day in the Life of a CISO: Personal Mentorship from 24+ Battle-Tested CISOs — Mentoring We Never Got" book "The Aspiring CIO and CISO: A career guide to developing leadership skills, knowledge, experience, and behavior" book EP201 Every CTO Should Be a CSTO (Or Else!) - Transformation Lessons from The Hoff EP101 Cloud Threat Detection Lessons from a CISO EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen! EP129 How CISO Cloud Dreams and Realities Collide All CISO podcast episodes "Shadow Agents: A New Era of Shadow AI Risk in the Enterprise" blog "Blocking shadow agents won't work. Here's a more secure way forward" blog

Guest: Sumedh Thakar, President and CEO, Qualys Topics: How did vulnerability management (VM) change since Qualys was founded in 1999? What is different about VM today? Can we actually remediate vulnerabilities automatically at scale? Why did this work for you even though many expected it would not? Where does cloud fit into modern vulnerability management? How does AI help vulnerability management today? What is real? What is this Risk Operations Center (ROC) concept and how it helps in vulnerability management? Resources: 2025 DBIR Report  Qualys ROC concept defined Qualys ROC-on conference Shaping the Future of Cyber Risk Management blog  Qualys State of Cyber Risk Assessment Report EP109 How Google Does Vulnerability Management: The Not So Secret Secrets!

Guest: Rick Caccia, CEO and Co-Founder, Witness AI Topics: In what ways is the current wave of enterprise AI adoption different from previous technology shifts? If we say "but it is different this time", then why? What is your take on "consumer grade AI for business" vs enterprise AI? A lot of this sounds a bit like the CASB era circa 2014. How is this different with AI?  The concept of "routing prompts for risk and cost management" is intriguing. Can you elaborate on the architecture and specific AI engines Witness AI uses to achieve this, especially for large global corporations?  What are you seeing in the identity space for AI access? Can you give us a rundown of the different tradeoffs teams are making when it comes to managing identities for agents?  Resources: EP226 AI Supply Chain Security: Old Lessons, New Poisons, and Agentic Dreams EP173 SAIF in Focus: 5 AI Security Risks and SAIF Mitigations EP84 How to Secure Artificial Intelligence (AI): Threats, Approaches, Lessons So Far Witness AI blog Shadow Agents: A New Era of Shadow AI Risk in the Enterprise Blocking shadow agents won't work. Here's a more secure way forward Shadow AI Strikes Back: Enterprise AI Absent Oversight in the Age of Gen AI Cloud CISO Perspectives: How Google secures AI Agents "The Soul of a New Machine" book Emoji Attack: A Method for Misleading Judge LLMs in Safety Risk Detection

Guest: Jon Oltsik, security researcher, ex-ESG analyst Topics: You invented the concept of SOAPA – Security Operations & Analytics Platform Architecture. As we look towards SOAPA 2025, how do you see the ongoing debate between consolidating security around a single platform versus a more disaggregated, best-of-breed approach playing out?  What are the key drivers for either strategy in today's complex environments? How can we have both "decoupling" and platformization going at the same time? With all the buzz around Generative AI and Agentic AI, how do you envision these technologies changing the future of the Security Operations Center (and SOAPA of course)?  Where do you see AI really work today in the SOC and what is the proof of that actually happening? What does a realistic "AI SOC" look like in the next few years, and what are the practical implications for security teams? "Integration" is always a hot topic in security - and it has been for decades. Within the context of SOAPA and the adoption of advanced analytics, where do you see the most critical integration challenges today – whether it's vendor-centric ecosystems, strategic partnerships, or the push for open standards? Resources: Jon Oltsik "The Cybersecurity Bridge" podcast (Anton on it) EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI EP242 The AI SOC: Is This The Automation We've Been Waiting For? EP202 Beyond Tiered SOCs: Detection as Code and the Rise of Response Engineering EP180 SOC Crossroads: Optimization vs Transformation - Two Paths for Security Operations Center EP170 Redefining Security Operations: Practical Applications of GenAI in the SOC EP73 Your SOC Is Dead? Evolve to Output-driven Detect and Respond! Daniel Suarez "Daemon" book and its sequel "Delta V"

Guest: Cy Khormaee, CEO, AegisAI Ryan Luo, CTO, AegisAI Topics: What is the state of email security in 2025? Why start an email security company now? Is it true that there are new and accelerating AI threats to email? It sounds cliche, but do you really have to use good AI to fight bad AI? What did you learn from your time fighting abuse at scale at Google that is helping you now How do you see the future of email security and what role will AI play? Resources: aegisai.ai  EP40 2021: Phishing is Solved? EP41 Beyond Phishing: Email Security Isn't Solved EP28 Tales from the Trenches: Using AI for Gmail Security EP50 The Epic Battle: Machine Learning vs Millions of Malicious Documents

Guest: Augusto Barros, Principal Product Manager, Prophet Security, ex-Gartner analyst Topics: What is your definition of "AI SOC"? What will AI change in a SOC? What will the post-AI SOC look like?  What are the primary mechanisms by which AI SOC tools reduce attacker dwell time, and what challenges do they face in maintaining signal fidelity? Why would this wave of SOC automation (namely, AI SOC)  work now, if it did not fully succeed before (SOAR)? How do we measure progress towards AI SOC? What gets better at what time? How would we know? What SOC metrics will show improvement? What common misconceptions or challenges have organizations encountered during the initial stages of AI SOC adoption, and how can they be overcome? Do you have a timeline for SOC AI adoption? Sure, everybody wants AI alerts triage? What's next? What's after that? Resources: "State of AI in Security Operations 2025" report LinkedIn SOAR vs AI SOC argument post  Are AI SOC Solutions the Real Deal or Just Hype? EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI EP238 Google Lessons for Using AI Agents for Securing Our Enterprise EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025 RSA 2025: AI's Promise vs. Security's Past — A Reality Check "Noise: A flaw in human judgement" book "Security Chaos Engineering" book (and Kelly episode) A Brief Guide for Dealing with 'Humanless SOC' Idiots

Guest: Rick Correa,Uber TL Google SecOps, Google Cloud Topics: On the 3rd anniversary of Curated Detections, you've grown from 70 rules to over 4700. Can you walk us through that journey? What were some of the key inflection points and what have been the biggest lessons learned in scaling a detection portfolio so massively? Historically the SecOps Curated Detection content was opaque, which led to, understandably, a bit of customer friction. We've recently made nearly all of that content transparent and editable by users. What were the challenges in that transition? You make a distinction between "Detection-as-Code" and a more mature "Software Engineering" paradigm. What gets better for a security team when they move beyond just version control and a CI/CD pipeline and start incorporating things like unit testing, readability reviews, and performance testing for their detections? The idea of a "Goldilocks Zone" for detections is intriguing – not too many, not too few. How do you find that balance, and what are the metrics that matter when measuring the effectiveness of a detection program? You mentioned customer feedback is important, but a confusion matrix isn't possible, why is that? You talk about enabling customers to use your "building blocks" to create their own detections. Can you give us a practical example of how a customer might use a building block for something like detecting VPN and Tor traffic to augment their security? You have started using LLMs for reviewing the explainability of human-generated metadata. Can you expand on that? What have you found are the ripe areas for AI in detection engineering, and can you share any anecdotes of where AI has succeeded and where it has failed?    Resources EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective EP231 Beyond the Buzzword: Practical Detection as Code in the Enterprise EP181 Detection Engineering Deep Dive: From Career Paths to Scaling SOC Teams EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations EP123 The Good, the Bad, and the Epic of Threat Detection at Scale with Panther "Back to Cooking: Detection Engineer vs Detection Consumer, Again?" blog "On Trust and Transparency in Detection" blog "Detection Engineering Weekly" newsletter "Practical Threat Detection Engineering" book

Guest: Errol Weiss, Chief Security Officer (CSO) at Health-ISAC Topics: How adding digital resilience is crucial for enterprises? How to make the leaders shift from "just cybersecurity"  to "digital resilience"? How to be the most resilient you can be given the resources? How to be the most resilient with the least amount of money? How to make yourself a smaller target? Smaller target measures fit into what some call "basics."  But "Basic" hygiene is actually very hard for many. What are your top 3 hygiene tips for making it happen that actually work? We are talking about under-resources orgs, but some are much more under-resourced, what is your advice for those with extreme shortage of security resources? Assessing vendor security - what is most important to consider today in 2025?  How not to be hacked via your vendor? Resources: ISAC history (1998 PDD 63) CISA Known Exploited Vulnerabilities Catalog Brian Krebs blog Health-ISAC Annual Threat Report  Health-ISAC Home  Health Sector Coordinating Council Publications Health Industry Cybersecurity Practices 2023 HHS Cyber Performance Goals (CPGs)  10 ways to make cyber-physical systems more resilient EP193 Inherited a Cloud? Now What? How Do I Secure It? EP65 Is Your Healthcare Security Healthy? Mandiant Incident Response Insights EP49 Lifesaving Tradeoffs: CISO Considerations in Moving Healthcare to Cloud EP233 Product Security Engineering at Google: Resilience and Security EP204 Beyond PCAST: Phil Venables on the Future of Resilience and Leading Indicators

Guest: Craig H. Rowland, Founder and CEO, Sandfly Security Topics: When it comes to Linux environments – spanning on-prem, cloud, and even–gasp–hybrid setups – where are you seeing the most significant blind spots for security teams today?  There's sometimes a perception that Linux is inherently more secure or less of a malware target than Windows. Could you break down some of the fundamental differences in how malware behaves on Linux versus Windows, and why that matters for defenders in the cloud? 'Living off the Land' isn't a new concept, but on Linux, it feels like attackers have a particularly rich set of native tools at their disposal. What are some of the more subtly abused but legitimate Linux utilities you're seeing weaponized in cloud attacks, and how does that complicate detection? When you weigh agent-based versus agentless monitoring in cloud and containerized Linux environments, what are the operational trade-offs and outcome trade-offs security teams really need to consider?  SSH keys are the de facto keys to the kingdom in many Linux environments. Beyond just 'use strong passphrases,' what are the critical, often overlooked, risks associated with SSH key management, credential theft, and subsequent lateral movement that you see plaguing organizations, especially at scale in the cloud? What are the biggest operational hurdles teams face when trying to conduct incident response effectively and rapidly across such a distributed Linux environment, and what's key to overcoming them? Resources: EP194 Deep Dive into ADR - Application Detection and Response EP228 SIEM in 2025: Still Hard? Reimagining Detection at Cloud Scale and with More Pipelines

Guest: Dominik Swierad,  Senior PM D&R AI and Sec-Gemini Topics: When introducing AI agents to security teams at Google, what was your initial strategy to build trust and overcome the natural skepticism? Can you walk us through the very first conversations and the key concerns that were raised? With a vast array of applications, how did you identify and prioritize the initial use cases for AI agents within Google's enterprise security?  What specific criteria made a use case a good candidate for early evaluation? Were there any surprising 'no-go' areas you discovered?" Beyond simple efficiency gains, what were the key metrics and qualitative feedback mechanisms you used to evaluate the success of the initial AI agent deployments?  What were the most significant hurdles you faced in transitioning from successful pilots to broader adoption of AI agents? How do you manage the inherent risks of autonomous agents, such as potential for errors or adversarial manipulation, within a live and critical environment like Google's? How has the introduction of AI agents changed the day-to-day responsibilities and skill requirements for Google's security engineers?  From your unique vantage point of deploying defensive AI agents, what are your biggest concerns about how threat actors will inevitably leverage similar technologies? Resources: EP235 The Autonomous Frontier: Governing AI Agents from Code to Courtroom EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI EP224 Protecting the Learning Machines: From AI Agents to Provenance in MLSecOps EP227 AI-Native MDR: Betting on the Future of Security Operations? EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

Guest: Kim Albarella, Global Head of Security, TikTok Questions: Security is part of your DNA. In your day to day at TikTok, what are some tips you'd share with users about staying safe online? Many regulations were written with older technologies in mind. How do you bridge the gap between these legacy requirements and the realities of a modern, microservices-based tech stack like TikTok's, ensuring both compliance and agility? You have a background in compliance and risk management. How do you approach demonstrating the effectiveness of security controls, not just their existence, especially given the rapid pace of change in both technology and regulations?  TikTok operates on a global scale, facing a complex web of varying regulations and user expectations. How do you balance the need for localized compliance with the desire for a consistent global security posture? How do you avoid creating a fragmented and overly complex system, and what role does automation play in this balancing act? What strategies and metrics do you use to ensure auditability and provide confidence to stakeholders? We understand you've used TikTok videos for security training. Can you elaborate on how you've fostered a strong security culture internally, especially in such a dynamic environment?  What is in your TikTok feed? Resources: Kim on TikTok @securishe and TikTopTips EP214 Reconciling the Impossible: Engineering Cloud Systems for Diverging Regulations EP161 Cloud Compliance: A Lawyer - Turned Technologist! - Perspective on Navigating the Cloud EP14 Making Compliance Cloud-native

Guest: Manija Poulatova, Director of Security Engineering and Operations at Lloyd's Banking Group Topics: SIEM migration is hard, and it can take ages. Yours was - given the scale and the industry - on a relatively short side of 9 months. What's been your experience so far with that and what could have gone faster?  Anton might be a "reformed" analyst but I can't resist asking a three legged stool question: of the people/process/technology aspects, which are the hardest for this transformation? What helped the most in solving your big challenges?  Was there a process that people wanted to keep but it needed to go for the new tool? One thing we talked about was the plan to adopt composite alerting techniques and what we've been calling the "funnel model" for detection in Google SecOps. Could you share what that means and how your team is adopting?  There are a lot of moving parts in a D&R journey from a process and tooling perspective, how did you structure your plan and why? It wouldn't be our show in 2025 if I didn't ask at least one AI question!  What lessons do you have for other security leaders preparing their teams for the AI in SOC transition?  Resources: EP234 The SIEM Paradox: Logs, Lies, and Failing to Detect EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective EP231 Beyond the Buzzword: Practical Detection as Code in the Enterprise EP184 One Week SIEM Migration: Fact or Fiction? EP125 Will SIEM Ever Die: SIEM Lessons from the Past for the Future EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025 "Maverick" — Scorched Earth SIEM Migration FTW! blog "Hack the box" site

Guest:  Anna Gressel, Partner at Paul, Weiss, one of the AI practice leads Episode co-host: Marina Kaganovich, Office of the CISO, Google Cloud Questions: Agentic AI and AI agents, with its promise of autonomous decision-making and learning capabilities, presents a unique set of risks across various domains. What are some of the key areas of concern for you? What frameworks are most relevant to the deployment of agentic AI, and where are the potential gaps?  What are you seeing in terms of how regulatory frameworks may need to be adapted to address the unique challenges posed by agentic AI? How about legal aspects - does traditional tort law or product liability apply? How does the autonomous nature of agentic AI challenge established legal concepts of liability and responsibility? The other related topic is knowing what agents "think" on the inside. So what are the key legal considerations for managing transparency and explainability in agentic AI decision-making? Resources: Paul, Weiss Waking Up With AI (Apple, Spotify) Cloud CISO Perspectives: How Google secures AI Agents Securing the Future of Agentic AI: Governance, Cybersecurity, and Privacy Considerations

Guest: Svetla Yankova, Founder and CEO, Citreno Topics: Why do so many organizations still collect logs yet don't detect threats? In other words, why is our industry spending more money than ever on SIEM tooling and still not "winning" against Tier 1 ... or even Tier 5 adversaries?  What are the hardest parts about getting the right context into a SOC analyst's face when they're triaging and investigating an alert? Is it integration? SOAR playbook development? Data enrichment? All of the above? What are the organizational problems that keep organizations from getting the full benefit of the security operations tools they're buying? Top SIEM mistakes? Is it trying to migrate too fast? Is it accepting a too slow migration? In other words, where are expectations tyrannical for customers? Have they changed much since 2015? Do you expect people to write their own detections? Detecting engineering seems popular with elite clients and nobody else, what can we do? Do you think AI will change how we SOC (Tim: "SOC" is not a verb?) in the next 1- 3 -5 years?  Do you think that AI SOC tech is repeating the mistakes SOAR vendors made 10 years ago? Are we making the same mistakes all over again? Are we making new mistakes?  Resources: EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025 EP231 Beyond the Buzzword: Practical Detection as Code in the Enterprise EP228 SIEM in 2025: Still Hard? Reimagining Detection at Cloud Scale and with More Pipelines EP202 Beyond Tiered SOCs: Detection as Code and the Rise of Response Engineering "RSA 2025: AI's Promise vs. Security's Past — A Reality Check" blog Citreno, The Backstory "Parenting Teens With Love And Logic" book (as a management book) "Security Correlation Then and Now: A Sad Truth About SIEM" blog (the classic from 2019)

Guest: Cristina Vintila, Product Security Engineering Manager, Google Cloud Topic: Could you share insights into how Product Security Engineering approaches at Google have evolved, particularly in response to emerging threats (like Log4j in 2021)? You mentioned applying SRE best practices in detection and response, and overall in securing the Google Cloud products. How does Google balance high reliability and operational excellence with the needs of detection and response (D&R)?  How does Google decide which data sources and tools are most critical for effective D&R? How do we deal with high volumes of data? Resources: EP215 Threat Modeling at Google: From Basics to AI-powered Magic EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity? Podcast episodes on how Google does security EP17 Modern Threat Detection at Google EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil Google SRE book Google SRS book

Guest: Sarah Aoun, Privacy Engineer, Google Topic: You have had a fascinating career since we [Tim] graduated from college together – you mentioned before we met that you've consulted with a literal world leader on his personal digital security footprint. Maybe tell us how you got into this field of helping organizations treat sensitive information securely and how that led to helping keep targeted individuals secure?  You also work as a privacy engineer on Fuschia, Google's new operating system kernel. How did you go from human rights and privacy to that?  What are the key privacy considerations when designing an operating system for "ambient computing"? How do you design privacy into something like that? More importantly, not only "how do you do it", but how do you convince people that you did do it? When we talk about "higher risk" individuals, the definition can be broad. How can an average person or someone working in a seemingly less sensitive role better assess if they might be a higher-risk target? What are the subtle indicators? Thinking about the advice you give for personal security beyond passwords and multi-factor auth, how much of effective personal digital hygiene comes down to behavioral changes versus purely technical solutions? Given your deep understanding of both individual security needs and large-scale OS design, what's one thing you wish developers building cloud services or applications would fundamentally prioritize about user privacy? Resources: Google privacy controls Advanced protection program

Guest: David French, Staff Adoption Engineer, Google Cloud Topic: Detection as code is one of those meme phrases I hear a lot, but I'm not sure everyone means the same thing when they say it. Could you tell us what you mean by it, and what upside it has for organizations in your model of it? What gets better for security teams and security outcomes when you start managing in a DAC world? What is primary, actual code or using SWE-style process for detection work? Not every SIEM has a good set of APIs for this, right? What's a team to do in a world of no or low API support for this model?  If we're talking about as-code models, one of the important parts of regular software development is testing. How should teams think about testing their detection corpus? Where do we even start? Smoke tests? Unit tests?  You talk about a rule schema–you might also think of it in code terms as a standard interface on the detection objects–how should organizations think about standardizing this, and why should they? If we're into a world of detection rules as code and detections as code, can we also think about alert handling via code? This is like SOAR but with more of a software engineering approach, right?  One more thing that stood out to me in your presentation was the call for sharing detection content. Is this between vendors, vendors and end users?  Resources: Can We Have "Detection as Code"? Testing in Detection Engineering (Part 8) "So Good They Can't Ignore You: Why Skills Trump Passion in the Quest for Work You Love" book EP202 Beyond Tiered SOCs: Detection as Code and the Rise of Response Engineering EP181 Detection Engineering Deep Dive: From Career Paths to Scaling SOC Teams EP123 The Good, the Bad, and the Epic of Threat Detection at Scale with Panther Getting Started with Detection-as-Code and Google SecOps Detection Engineering Demystified: Building Custom Detections for GitHub Enterprise From soup to nuts: Building a Detection-as-Code pipeline David French - Medium Blog Detection Engineering Maturity Matrix

Guest: Daniel Fabian, Principal Digital Arsonist, Google Topic: Your RSA talk highlights lessons learned from two years of AI red teaming at Google. Could you share one or two of the most surprising or counterintuitive findings you encountered during this process? What are some of the key differences or unique challenges you've observed when testing AI-powered applications compared to traditional software systems? Can you provide an example of a specific TTP that has proven effective against AI systems and discuss the implications for security teams looking to detect it? What practical advice would you give to organizations that are starting to incorporate AI red teaming into their security development lifecycle? What are some initial steps or resources you would recommend they explore to deepen their understanding of this evolving field? Resources: Video (LinkedIn, YouTube) Google's AI Red Team: the ethical hackers making AI safer EP217 Red Teaming AI: Uncovering Surprises, Facing New Threats, and the Same Old Mistakes? EP150 Taming the AI Beast: Threat Modeling for Modern AI Systems with Gary McGraw EP198 GenAI Security: Unseen Attack Surfaces & AI Pentesting Lessons Lessons from AI Red Teaming – And How to Apply Them Proactively  [RSA 2025]

Guest: Alex Pinto,  Associate Director of Threat Intelligence, Verizon Business, Lead the Verizon Data Breach Report Topics: How would you define "a cloud breach"? Is that a real (and different) thing?  Are cloud breaches just a result of leaked keys and creds? If customers are responsible for 99% of cloud security problems, is cloud breach really about a customer being breached? Are misconfigurations really responsible for so many cloud security breaches? How are we still failing at configuration? What parts of DBIR are not total "groundhog day"? Something about vuln exploitation vs credential abuse in today's breaches–what's driving the shifts we're seeing? DBIR Are we at peak ransomware? Will ransomware be here in 20 years? Will we be here in 20 years talking about it? How is AI changing the breach report, other than putting in hilarious footnotes about how the report is for humans to read and and is written by actual humans?  Resources: Video (LinkedIn, YouTube) Verizon DBIR 2025 EP222 From Post-IR Lessons to Proactive Security: Deconstructing Mandiant M-Trends EP205 Cybersecurity Forecast 2025: Beyond the Hype and into the Reality EP112 Threat Horizons - How Google Does Threat Intelligence EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025

Guest Alan Braithwaite, Co-founder and CTO @ RunReveal Topics: SIEM is hard, and many vendors have discovered this over the years. You need to get storage, security and integration complexity just right. You also need to be better than incumbents. How would you approach this now? Decoupled SIEM vs SIEM/EDR/XDR combo. These point in the opposite directions, which side do you think will win? In a world where data volumes are exploding, especially in cloud environments, you're building a SIEM with ClickHouse as its backend, focusing on both parsed and raw logs. What's the core advantage of this approach, and how does it address the limitations of traditional SIEMs in handling scale?  Cribl, Bindplane and "security pipeline vendors" are all the rage. Won't it be logical to just include this into a modern SIEM? You're envisioning a 'Pipeline QL' that compiles to SQL, enabling 'detection in SQL.' This sounds like a significant shift, and perhaps not to the better? (Anton is horrified, for once) How does this approach affect detection engineering? With Sigma HQ support out-of-the-box, and the ability to convert SPL to Sigma, you're clearly aiming for interoperability. How crucial is this approach in your vision, and how do you see it benefiting the security community? What is SIEM in 2025 and beyond?  What's the endgame for security telemetry data? Is this truly SIEM 3.0, 4.0 or whatever-oh? Resources: EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective EP123 The Good, the Bad, and the Epic of Threat Detection at Scale with Panther EP190 Unraveling the Security Data Fabric: Need, Benefits, and Futures "20 Years of SIEM: Celebrating My Dubious Anniversary" blog "RSA 2025: AI's Promise vs. Security's Past — A Reality Check" blog tl;dr security newsletter Introducing a RunReveal Model Context Protocol Server! MCP: Building Your SecOps AI Ecosystem AI Runbooks for Google SecOps: Security Operations with Model Context Protocol

Guests: Eric Foster, CEO of Tenex.AI Venkata Koppaka, CTO of Tenex.AI  Topics: Why is your AI-powered MDR special? Why start an MDR from scratch using AI? So why should users bet on an "AI-native" MDR instead of an MDR that has already got its act together and is now applying AI to an existing set of practices?  What's the current breakdown in labor between your human SOC analysts vs your AI SOC agents? How do you expect this to evolve and how will that change your unit economics?  What tasks are humans uniquely good at today's SOC? How do you expect that to change in the next 5 years? We hear concerns about SOC AI missing things –but we know humans miss things all the time too. So how do you manage buyer concerns about the AI agents missing things?  Let's talk about how you're helping customers measure your efficacy overall. What metrics should organizations prioritize when evaluating MDR?  Resources: Video EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025 (quote from Eric in the title!) EP10 SIEM Modernization? Is That a Thing? Tenex.AI blog "RSA 2025: AI's Promise vs. Security's Past — A Reality Check" blog The original ASO 10X SOC paper that started it all (2021) "Baby ASO: A Minimal Viable Transformation for Your SOC" blog "The Return of the Baby ASO: Why SOCs Still Suck?" blog "Learn Modern SOC and D&R Practices Using Autonomic Security Operations (ASO) Principles" blog

Guest: Christine Sizemore, Cloud Security Architect, Google Cloud  Topics: Can you describe the key components of an AI software supply chain, and how do they compare to those in a traditional software supply chain?  I hope folks listening have heard past episodes where we talked about poisoning training data. What are the other interesting and unexpected security challenges and threats associated with the AI software supply chain?  We like to say that history might not repeat itself but it does rhyme – what are the rhyming patterns in security practices people need to be aware of when it comes to securing their AI supply chains? We've talked a lot about technology and process–what are the organizational pitfalls to avoid when developing AI software? What organizational "smells" are associated with irresponsible AI development?  We are all hearing about agentic security – so can we just ask the AI to secure itself?  Top 3 things to do to secure AI software supply chain for a typical org?   Resources: Video "Securing AI Supply Chain: Like Software, Only Not" blog (and paper) "Securing the AI software supply chain" webcast EP210 Cloud Security Surprises: Real Stories, Real Lessons, Real "Oh No!" Moments Protect AI issue database "Staying on top of AI Developments"  "Office of the CISO 2024 Year in Review: AI Trust and Security" "Your Roadmap to Secure AI: A Recap" (2024) "RSA 2025: AI's Promise vs. Security's Past — A Reality Check" (references our "data as code" presentation)

Hosts: David Homovich, Customer Advocacy Lead, Office of the CISO, Google Cloud  Alicja Cade, Director, Office of the CISO, Google Cloud  Guest:  Christian Karam, Strategic Advisor and Investor Resources: EP2 Christian Karam on the Use of AI (as aired originally) The Cyber-Savvy Boardroom podcast site The Cyber-Savvy Boardroom podcast on Spotify The Cyber-Savvy Boardroom podcast on Apple Podcasts The Cyber-Savvy Boardroom podcast on YouTube Now hear this: A new podcast to help boards get cyber savvy (without the jargon) Board of Directors Insights Hub Guidance for Boards of Directors on How to Address AI Risk

Guest: Diana Kelley, CSO at Protect AI  Topics: Can you explain the concept of "MLSecOps" as an analogy with DevSecOps, with 'Dev' replaced by 'ML'? This has nothing to do with SecOps, right? What are the most critical steps a CISO should prioritize when implementing MLSecOps within their organization? What gets better  when you do it? How do we adapt traditional security testing, like vulnerability scanning, SAST, and DAST, to effectively assess the security of machine learning models? Can we? In the context of AI supply chain security, what is the essential role of third-party assessments, particularly regarding data provenance? How can organizations balance the need for security logging in AI systems with the imperative to protect privacy and sensitive data? Do we need to decouple security from safety or privacy? What are the primary security risks associated with overprivileged AI agents, and how can organizations mitigate these risks?  Top differences between LLM/chatbot AI security vs AI agent security?  Resources: "Airline held liable for its chatbot giving passenger bad advice - what this means for travellers" "ChatGPT Spit Out Sensitive Data When Told to Repeat 'Poem' Forever" Secure by Design for AI by Protect AI "Securing AI Supply Chain: Like Software, Only Not" OWASP Top 10 for Large Language Model Applications OWASP Top 10 for AI Agents  (draft) MITRE ATLAS "Demystifying AI Security: New Paper on Real-World SAIF Applications" (and paper) LinkedIn Course: Security Risks in AI and ML: Categorizing Attacks and Failure Modes

Guests:  no guests, just us in the studio Topics: At RSA 2025, did we see solid, measurably better outcomes from AI use in security, or mostly just "sizzle" and good ideas with potential? Are the promises of an "AI SOC" repeating the mistakes seen with SOAR in previous years regarding fully automated security operations? Does "AI SOC" work according to RSA floor? How realistic is the vision expressed by some [yes, really!] that AI progress could lead to technical teams, including IT and security, shrinking dramatically or even to zero in a few years? Why do companies continue to rely on decades-old or "non-leading" security technologies, and what role does the concept of a "organizational change budget" play in this inertia? Is being "AI Native" fundamentally better for security technologies compared to adding AI capabilities to existing platforms, or is the jury still out? Got "an AI-native SIEM"? Be ready to explain how is yours better! Resources: EP172 RSA 2024: Separating AI Signal from Noise, SecOps Evolves, XDR Declines? EP119 RSA 2023 - What We Saw, What We Learned, and What We're Excited About EP70 Special - RSA 2022 Reflections - Securing the Past vs Securing the Future RSA ("RSAI") Conference 2024 Powered by AI with AI on Top — AI Edition (Hey AI, Is This Enough AI?)  [Anton's RSA 2024 recap blog] New Paper: "Future of the SOC: Evolution or Optimization — Choose Your Path" (Paper 4 of 4.5) [talks about the change budget discussed]

Guests: Kirstie Failey @ Google Threat Intelligence Group Scott Runnels @ Mandiant Incident Response   Topics: What is the hardest thing about turning distinct incident reports into a fun to read and useful report like M-Trends? How much are the lessons and recommendations skewed by the fact that they are all "post-IR" stories? Are "IR-derived" security lessons the best way to improve security? Isn't this a bit like learning how to build safely from fires vs learning safety engineering? The report implies that F500 companies suffer from certain security issues despite their resources, does this automatically mean that smaller companies suffer from the same but more? "Dwell time" metrics sound obvious, but is there magic behind how this is done? Sometimes "dwell tie going down" is not automatically the defender's win, right? What is the expected minimum dwell time? If "it depends", then what does it  depend on? Impactful outliers vs general trends ("by the numbers"), what teaches us more about security? Why do we seem to repeat the mistakes so much in security? Do we think it is useful to give the same advice repeatedly if the data implies that it is correct advice but people clearly do not do it? Resources: M-Trends 2025 report Mandiant Attack Lifecycle EP205 Cybersecurity Forecast 2025: Beyond the Hype and into the Reality EP147 Special: 2024 Security Forecast Report

Guests: No guests [Tim in Vegas and Anton remote] Topics: So, another Next is done. Beyond the usual Vegas chaos, what was the overarching security theme or vibe you [Tim] felt dominated the conference this year? Thinking back to Next '24, what felt genuinely different this year versus just the next iteration of last year's trends? Last year, we pondered the 'Cloud Island' vs. 'Cloud Peninsula'. Based on Next 2025, is cloud security becoming more integrated with general cyber security, or is it still its own distinct domain? What wider trends did you observe, perhaps from the expo floor buzz or partner announcements, that security folks should be aware of? What was the biggest surprise for you at Next 2025? Something you absolutely didn't see coming? Putting on your prediction hats (however reluctantly): based on Next 2025, what do you foresee as the major cloud security focus or challenge for the industry in the next 12 months? If a busy podcast listener listening could only take one key message or action item away from everything announced and discussed at Next 2025, what should it be? Resources: EP169 Google Cloud Next 2024 Recap: Is Cloud an Island, So Much AI, Bots in SecOps

Guests: Michael Cote, Cloud VRP Lead, Google Cloud Aadarsh Karumathil, Security Engineer, Google Cloud Topics: Vulnerability response at cloud-scale sounds very hard! How do you triage vulnerability reports and make sure we're addressing the right ones in the underlying cloud infrastructure? How do you determine how much to pay for each vulnerability? What is the largest reward we paid? What was it for? What products get the most submissions? Is this driven by the actual product security or by trends and fashions like AI? What are the most likely rejection reasons?  What makes for a very good - and exceptional? - vulnerability report? We hear we pay more for "exceptional" reports, what does it mean? In college Tim had a roommate who would take us out drinking on his Google web app vulnerability rewards. Do we have something similar for people reporting vulnerabilities in our cloud infrastructure? Are people making real money off this?  How do we actually uniquely identify vulnerabilities in the cloud? CVE does not work well, right? What are the expected risk reduction benefits from Cloud VRP? Resources: Cloud VRP site Cloud VPR launch blog CVR: The Mines of Kakadûm

Guest: Steve Ledzian, APAC CTO, Mandiant at Google Cloud Topics: We've seen a shift in how boards engage with cybersecurity. From your perspective, what's the most significant misconception boards still hold about cyber risk, particularly in the Asia Pacific region, and how has that impacted their decision-making? Cybersecurity is rife with jargon. If you could eliminate or redefine one overused term, which would it be and why? How does this overloaded language specifically hinder effective communication and action in the region? The Mandiant Attack Lifecycle is a well-known model. How has your experience in the East Asia region challenged or refined this model? Are there unique attack patterns or actor behaviors that necessitate adjustments? Two years post-acquisition, what's been the most surprising or unexpected benefit of the Google-Mandiant combination? M-Trends data provides valuable insights, particularly regarding dwell time. Considering the Asia Pacific region, what are the most significant factors reducing dwell time, and how do these trends differ from global averages? Given your expertise in Asia Pacific, can you share an observation about a threat actor's behavior that is often overlooked in broader cybersecurity discussions? Looking ahead, what's the single biggest cybersecurity challenge you foresee for organizations in the Asia Pacific region over the next five years, and what proactive steps should they be taking now to prepare? Resources: EP177 Cloud Incident Confessions: Top 5 Mistakes Leading to Breaches from Mandiant EP156 Living Off the Land and Attacking Critical Infrastructure: Mandiant Incident Deep Dive EP191 Why Aren't More Defenders Winning? Defender's Advantage and How to Gain it!

Guest: Henrique Teixeira, Senior VP of Strategy, Saviynt, ex-Gartner analyst Topics: How have you seen IAM evolve over the years, especially with the shift to the cloud, and now AI? What are some of the biggest challenges and opportunities these two shifts present?  ITDR (Identity Threat Detection and Response) and ISPM (Identity Security Posture Management) are emerging areas in IAM. How do you see these fitting into the overall IAM landscape? Are they truly distinct categories or just extensions of existing IAM practices? Shouldn't ITDR just be part of your Cloud DR or maybe even your SecOps tool of choice? It seems goofy to try to stand ITDR on its own when the impact of an identity compromise is entirely a function of what that identity can access or do, no? Regarding workload vs. human identity, could you elaborate on the unique security considerations for each? How does the rise of machine identities and APIs impact IAM approaches? We had a whole episode around machine identity that involved turtles–what have you seen in the machine identity space and how have you seen users mess it up? The cybersecurity world is full of acronyms. Any tips on how to create a memorable and impactful acronym?  Resources: EP166 Workload Identity, Zero Trust and SPIFFE (Also Turtles!) EP182 ITDR: The Missing Piece in Your Security Puzzle or Yet Another Tool to Buy? EP127 Is IAM Really Fun and How to Stay Ahead of the Curve in Cloud IAM? EP94 Meet Cloud Security Acronyms with Anna Belak EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler EP199 Your Cloud IAM Top Pet Peeves (and How to Fix Them) EP188 Beyond the Buzzwords: Identity's True Role in Cloud and SaaS Security "Playing to Win: How Strategy Really Works" book "Open" book

Guest: Alex Polyakov, CEO at Adversa AI Topics: Adversa AI is known for its focus on AI red teaming and adversarial attacks. Can you share a particularly memorable red teaming exercise that exposed a surprising vulnerability in an AI system? What was the key takeaway for your team and the client? Beyond traditional adversarial attacks, what emerging threats in the AI security landscape are you most concerned about right now?  What trips most clients,  classic security mistakes in AI systems or AI-specific mistakes? Are there truly new mistakes in AI systems or are they old mistakes in new clothing? I know it is not your job to fix it, but much of this is unfixable, right? Is it a good idea to use AI to secure AI? Resources: EP84 How to Secure Artificial Intelligence (AI): Threats, Approaches, Lessons So Far AI Red Teaming Reasoning LLM US vs China: Jailbreak Deepseek, Qwen, O1, O3, Claude, Kimi Adversa AI blog Oops! 5 serious gen AI security mistakes to avoid Generative AI Fast Followership: Avoid These First Adopter Security Missteps

Guest: James Campbell, CEO, Cado Security Chris Doman, CTO, Cado Security Topics: Cloud Detection and Response (CDR) vs Cloud Investigation and Response Automation(CIRA) ... what's the story here? There is an "R" in CDR, right? Can't my (modern) SIEM/SOAR do that?  What about this becoming a part of modern SIEM/SOAR in the future? What gets better when you deploy a CIRA (a) and your CIRA in particular (b)? Ephemerality and security, what are the fun overlaps? Does "E" help "S" or hurts it? What about compliance? Ephemeral compliance sounds iffy… Cloud investigations, what is special about them? How does CSPM intersect with this? Is CIRA part of CNAPP?   A secret question, need to listen for it! Resources: EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win? EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics Cloud security incidents (Rami McCarthy) Cado resources

Guest: Meador Inge, Security Engineer, Google Cloud  Topics: Can you walk us through Google's typical threat modeling process? What are the key steps involved? Threat modeling can be applied to various areas. Where does Google utilize it the most? How do we apply this to huge and complex systems? How does Google keep its threat models updated? What triggers a reassessment? How does Google operationalize threat modeling information to prioritize security work and resource allocation? How does it influence your security posture? What are the biggest challenges Google faces in scaling and improving its threat modeling practices? Any stories where we got this wrong? How can LLMs like Gemini improve Google's threat modeling activities? Can you share examples of basic and more sophisticated techniques? What advice would you give to organizations just starting with threat modeling?  Resources: EP12 Threat Models and Cloud Security EP150 Taming the AI Beast: Threat Modeling for Modern AI Systems with Gary McGraw EP200 Zero Touch Prod, Security Rings, and Foundational Services: How Google Does Workload Security EP140 System Hardening at Google Scale: New Challenges, New Solutions Threat Modeling manifesto EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use Awesome Threat Modeling Adam Shostack "Threat Modeling: Designing for Security" book Ross Anderson "Security Engineering"  book "How to Solve It" book

Guest: Archana Ramamoorthy, Senior Director of Product Management, Google Cloud Topics: You are responsible for building systems that need to comply with laws that are often mutually contradictory. It seems technically impossible to do, how do you do this? Google is not alone in being a global company with local customers and local requirements. How are we building systems that provide local compliance with global consistency in their use for customers who are similar in scale to us?  Originally, Google had global systems synchronized around the entire planet–planet scale supercompute–with atomic clocks. How did we get to regionalized approach from there?  Engineering takes a long time. How do we bring enough agility to product definition and engineering design to give our users robust foundations in our systems that also let us keep up with changing and diverging regulatory goals? What are some of the biggest challenges you face working in the trusted cloud space? Is there something you would like to share about being a woman leader in technology?  How did you overcome the related challenges? Resources: Video "Compliance Without Compromise" by Jeanette Manfra (2020, still very relevant!) "Good to Great" book "Appreciative Leadership" book

Guest: Yigael Berger, Head of AI, Sweet Security Topic: Where do you see a gap between the "promise" of LLMs for security and how they are actually used in the field to solve customer pains? I know you use LLMs for anomaly detection. Explain how that "trick" works? What is it good for? How effective do you think it will be?  Can you compare this to other anomaly detection methods? Also, won't this be costly - how do you manage to keep inference costs under control at scale?  SOC teams often grapple with the tradeoff between "seeing everything" so that they never miss any attack, and handling too much noise. What are you seeing emerge in cloud D&R to address this challenge? We hear from folks who developed an automated approach to handle a reviews queue previously handled by people. Inevitably even if precision and recall can be shown to be superior, executive or customer backlash comes hard with a false negative (or a flood of false positives). Have you seen this phenomenon, and if so, what have you learned about handling it? What are other barriers that need to be overcome so that LLMs can push the envelope further for improving security? So from your perspective, LLMs are going to tip the scale in whose favor - cybercriminals or defenders?  Resource: EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud EP194 Deep Dive into ADR - Application Detection and Response EP135 AI and Security: The Good, the Bad, and the Magical Andrej Karpathy series on how LLMs work Sweet Security blog

Guest: Dave Hannigan, CISO at Nu Bank Topics: Tell us about the challenges you're facing as CISO at NuBank and how are they different from your past life at Spotify? You're a big cloud based operation  - what are the key challenges you're tracking in your cloud environments?  What lessons do you wish you knew back in your previous CISO run [at Spotify]? What metrics do your team report for you to understand the security posture of your cloud environments?  How do you know "your" cloud use is as secure as you want it to be? You're a former Googler, and I'm sure that's not why, so why did you choose to go with Google SecOps for your organization? Resources: "Moving shields into position: How you can organize security to boost digital transformation" blog and the paper. "For a successful cloud transformation, change your culture first" blog "Is your digital transformation secure? How to tell if your team is on the right path"' blog EP201 Every CTO Should Be a CSTO (Or Else!) - Transformation Lessons from The Hoff EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen! EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same? EP209 vCISO in the Cloud: Navigating the New Security Landscape (and Don't Forget Resilience!) "Thinking Fast and Slow" book "Turn the Ship Around" book

Guest: Kimberly Goody, Head of Intel Analysis and Production, Google Cloud Topics: Google's Threat Intelligence Group (GTIG) has a unique position, accessing both underground forum data and incident response information. How does this dual perspective enhance your ability to identify and attribute cybercriminal campaigns? Attributing cyberattacks with high confidence is important. Can you walk us through the process GTIG uses to connect an incident to specific threat actors, given the complexities of the threat landscape and the challenges of linking tools and actors?  There is a difficulty of correlating publicly known tool names with the aliases used by threat actors in underground forums. How does GTIG overcome this challenge to track the evolution and usage of malware and other tools? Can you give a specific example of how this "decoding" process works? How does GTIG collaborate with other teams within Google, such as incident response or product security, to share threat intelligence and improve Google's overall security posture? How does this work make Google more secure? What does Google (and specifically GTIG) do differently than other organizations focused on collecting and analyzing threat-intelligence? Is there AI involved? Resources: "Cybercrime: A Multifaceted National Security Threat" report EP112 Threat Horizons - How Google Does Threat Intelligence EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons EP178 Meet Brandon Wood: The Human Side of Threat Intelligence: From Bad IP to Trafficking Busts "Wild Swans: Three Daughters of China" book How Google Does It: Making threat detection high-quality, scalable, and modern How Google Does It: Finding, tracking, and fixing vulnerabilities "From Credit Cards to Crypto: The Evolution of Cybercrime" video

Guest: Or Brokman, Strategic Google Cloud Engineer, Security and Compliance, Google Cloud Topics: Can you tell us about one particular cloud consulting engagement that really sticks out in your memory? Maybe a time when you lifted the hood, so to speak, and were absolutely floored by what you found – good or bad! In your experience, what's that one thing – that common mistake – that just keeps popping up? That thing that makes you say 'Oh no, not this again!' 'Tools over process' mistake is one of the 'oldies.' What do you still think drives people to it, and how to fix it? If you could give just one piece of cloud security advice to every company out there, regardless of their size or industry, what would it be?  Resources: Video (YouTube) "Threat Modeling: Designing for Security" by Adam Shostack EP16 Modern Data Security Approaches: Is Cloud More Secure? EP142 Cloud Security Podcast Ask Me Anything #AMA 2023 "For a successful cloud transformation, change your culture first" (OOT vs TOO blog) https://www.linkedin.com/in/stephrwong/  New Paper: "Autonomic Security Operations — 10X Transformation of the Security Operations Center" (2021)

Guests:  Beth Cartier, former CISO, vCISO, founder of Initiative Security Guest host of the CISO mini-series: Marina Kaganovich, Executive Trust Lead, Office of the CISO @ Google Cloud Topics: How is that vCISO'ing going? What is special about vCISO and cloud? Is it easier or harder? AI, cyber, resilience - all are hot topics these days.  In the context of cloud security, how are you seeing organizations realistically address these trends? Are they being managed effectively (finally?) or is security always playing catch up? Recent events reminded us that cybersecurity may sometimes interfere with resilience. How have you looked to build resilience into your security program? The topic is perhaps 30+ years old, but security needs to have a seat at the table, and often still doesn't - why do you think this is the case?  What approaches or tips have you found to work well in elevating security within organizations? Any tips for how cyber professionals can stay up to date to keep up with the current threat landscape vs the threats that are around the corner? Resources: EP208 The Modern CISO: Balancing Risk, Innovation, and Business Strategy (And Where is Cloud?) EP189 How Google Does Security Programs at Scale: CISO Insights EP129 How CISO Cloud Dreams and Realities Collide EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen! EP93 CISO Walks Into the Cloud: Frustrations, Successes, Lessons ... And Is My Data Secure?

Guest host: Marina Kaganovich, Executive Trust Lead, Office of the CISO @ Google Cloud Guest:  John Rogers, CISO @ MSCI Topics: Can you briefly walk us through your CISO career path? What are some of the key (cloud or otherwise) trends that CISOs should be keeping an eye on? What is the time frame for them? What are the biggest cloud security challenges CISOs are facing today, and how are those evolving? Given the rapid change of pace in emerging tech, such as what we've seen in the last year or so with gen AI, how do you balance the need to address short-term or imminent issues vs those that are long-term or emergent risks? What advice do you have for how CISOs can communicate the importance of anticipating threats to their boards and executives? So, how to be a forward looking and strategic yet not veer into dreaming, paranoia and imaginary risks? How to be futuristic yet realistic? The CISO role as an official title is a relatively new one, what steps have you taken to build credibility and position yourself for having a seat at the table? Resources: ATT&CK Framework EP189 How Google Does Security Programs at Scale: CISO Insights EP129 How CISO Cloud Dreams and Realities Collide EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen! EP93 CISO Walks Into the Cloud: Frustrations, Successes, Lessons ... And Is My Data Secure?

Guest: Bob Blakley, Co-founder and Chief Product Officer of Mimic Topics: Tell us about the ransomware problem - isn't this a bit of old news? Circa 2015, right? What makes ransomware a unique security problem?  What's different about ransomware versus other kinds of malware? What do you make of the "RansomOps" take (aka "ransomware is not malware")? Are there new ways to solve it? Is this really a problem that a startup is positioned to solve? Aren't large infrastructure owners better positioned for this? In fact, why haven't existing solutions solved this?  Is this really a symptom of a bigger problem?  What is that problem? What made you personally want to get into this space, other than the potential upside of solving the problem?  Resources: EP206 Paying the Price: Ransomware's Rising Stakes in the Cloud EP89 Can We Escape Ransomware by Migrating to the Cloud? EP45 VirusTotal Insights on Ransomware Business and Technology EP204 Beyond PCAST: Phil Venables on the Future of Resilience and Leading Indicators EP7 No One Expects the Malware Inquisition Anderson Report (July 1972)  "The Innovator Dilemma" book "Odyssey" book (yes, really) Crowdstrike External Technical Root Cause Analysis — Channel File 291 (yes, that one)

Guest: Allan Liska, CSIRT at Recorded Future, now part of Mastercard  Topics: Ransomware has become a pervasive threat. Could you provide us with a brief overview of the current ransomware landscape? It's often said that ransomware is driven by pure profit. Can you remind us of  the business model of ransomware gangs, including how they operate, their organizational structures, and their financial motivations? Ransomware gangs are becoming increasingly aggressive in their extortion tactics. Can you shed some light on these new tactics, such as data leaks, DDoS attacks, and threats to contact victims' customers or partners? What specific challenges and considerations arise when dealing with ransomware in cloud environments, and how can organizations adapt their security strategies to mitigate these risks? What are the key factors to consider when deciding whether or not to pay the ransom? What is the single most important piece of advice you would give to organizations looking to bolster their defenses against ransomware?  Resources: Video (LinkedIn, YouTube) 2024 Data Breach Investigations Report EP89 Can We Escape Ransomware by Migrating to the Cloud? EP45 VirusTotal Insights on Ransomware Business and Technology EP29 Future of EDR: Is It Reason-able to Suggest XDR? EP204 Beyond PCAST: Phil Venables on the Future of Resilience and Leading Indicators

Guest: Andrew Kopcienski, Principal Intelligence Analyst, Google Threat Intelligence Group Questions: You have this new Cybersecurity Forecast 2025 report, what's up with that? We are getting a bit annoyed about the fear-mongering on "oh, but attackers will use AI." You are a threat analyst, realistically, how afraid are you of this? The report discusses the threat of compromised identities in hybrid environments (aka "no matter what you do, and where, you are hacked via AD"). What steps can organizations take to mitigate the risk of a single compromised identity leading to a significant security breach? Is this expected to continue? Is zero-day actually growing? The report seems to imply that, but aren't "oh-days" getting more expensive every day? Many organizations still lag with detection, in your expertise, what approaches to detection actually work today? It is OK to say "hire Managed Defense", BTW :-) We read the risk posed by the "Big Four" sections and they (to us) read like "hackers hack" and "APTs APT." What is genuinely new and interesting here?  Resources: Cybersecurity Forecast 2025 report Google Cloud Cybersecurity Forecast 2025 webinar EP147 Special: 2024 Security Forecast Report EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side EP153 Kevin Mandia on Cloud Breaches: New Threat Actors, Old Mistakes, and Lessons for All Staying a Step Ahead: Mitigating the DPRK IT Worker Threat

Guest: Phil Venables, Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics Why is our industry suddenly obsessed with resilience? Is this ransomware's doing? How did the PCAST report come to be?  Can you share the backstory and how it was created? The PCAST report emphasizes the importance of leading indicators for security and resilience. How can organizations effectively shift their focus from lagging indicators to these leading indicators? The report also emphasizes the importance of "Cyber-Physical Modularity" - this sounds mysterious to us, and probably our listeners! What is it and how does this concept contribute to enhancing the resilience of critical infrastructure? The report advocates for regular and rigorous stress testing. How can organizations effectively implement such stress testing to identify vulnerabilities and improve their resilience?  In your opinion, what are the most critical takeaways from our PCAST-related paper for organizations looking to improve their security and resilience posture today? What are some of the challenges organizations might face when implementing the PCAST recommendations, and how can they overcome these challenges?  Do organizations get resilience benefits "for free" by using Google Cloud? Resources: 10 ways to make cyber-physical systems more resilient "Cyber-Physical Resilience and the Cloud: Putting the White House PCAST report into practice" report Megatrends drive cloud adoption—and improve security for all EP163 Cloud Security Megatrends: Myths, Realities, Contentious Debates and Of Course AI Advising The President On Cyber-Physical Resilience - Philip Venables (at PSW) EP201 Every CTO Should Be a CSTO (Or Else!) - Transformation Lessons from The Hoff EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side

Guest: Rich Mogull, SVP of Cloud Security at Firemon and CEO at Securosis Topics: Let's talk about cloud security shared responsibility.  How to separate the blame? Is there a good framework for apportioning blame? You've introduced the Cloud Shared Irresponsibilities Model, stating cloud providers will be considered partially responsible for breaches even if due to customer misconfigurations. How do you see this impacting the relationship between cloud providers and their customers? Will it lead to more collaboration or more friction? We both know the Jay Heiser 2015 classic "cloud is secure, but you not using it securely." In your view, what does "use cloud securely" mean for various organizations today? Here is a very painful question: how to decide what cloud security should be free with cloud and what security can be paid?  You dealt with cloud security for a long time, what is your #1 lesson so far on how to make the cloud more secure or use the cloud more securely? What is the best way to learn how to cloud? What is this CloudSLAW thing? Resources: EP201 Every CTO Should Be a CSTO (Or Else!) - Transformation Lessons from The Hoff The Cloud Shared Irresponsibilities Model 2002 Trustworthy computing memo Use Cloud Securely? What Does This Even Mean?! EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith? No Snow, No Flakes: Pondering Cloud Security Shared Responsibility, Again! Cloud Security Lab a Week (S.L.A.W) Megatrends drive cloud adoption—and improve security for all Shared fate main page Defining the Journey—the Four Cloud Adoption Patterns Celebrating 200 Episodes of Cloud Security Podcast by Google and Thanks for all the Listens!

Guest: Amine Besson, Tech Lead on Detection Engineering, Behemoth Cyberdefence Topics: What is your best advice on detection engineering to organizations who don't want to engineer anything in security?  What is the state of art when it comes to SOC ? Who is doing well? What on Earth is a fusion center?  Why classic "tiered SOCs" fall flat when dealing with modern threats? Let's focus on a correct definition of detection as code. Can you provide yours? Detection x response engineering - is there a thing called "response engineering"? Should there be? What are your lessons learned to fuse intel, detections, and hunting ops? What is this SIEMless yet SOARful detection architecture? What's next with OpenTIDE 2.0? Resources: Guide your SOC Leaders to More Engineering Wisdom for Detection (Part 9) and other parts linked there Hack.lu 2023: TIDeMEC : A Detection Engineering Platform Homegrown At The EC video OpenTIDE · GitLab  OpenTIDE 1.0 Release blog SpectreOps blog series 'on detection' Does your SOC have  NOC DNA? presentation Kill SOC Toil, Do SOC Eng blog (tame version) The original ASO paper (2021, still epic!) Behind the Scenes with Red Canary's Detection Engineering Team The DFIR Report – Real Intrusions by Real Attackers, The Truth Behind the Intrusion Site Reliability Engineering (SRE) | Google Cloud

Guest: Chris Hoff, Chief Secure Technology Officer at Last Pass Topics: I learned that you have a really cool title that feels very "now" - Chief Secure Technology Officer? What's the story here? Weirdly, I now feel that every CTO better be a CSTO or quit their job :-) After, ahem, not-so-recent events you had a chance to rebuild a lot of your stack, and in the process improve security. Can you share how it went, and what security capabilities are now built in? How much of a culture change did that require? Was it purely a technological transformation or you had to change what people do and how they do it? Would you recommend this to others (not the "recent events experience", but the rebuild approach)? What benefits come from doing this before an incident occurs? Are there any? How are you handling telemetry collection and observability for security in the new stack? I am curious how this was modernized Cloud is simple, yet also complex, I think you called it "simplex." How does this concept work? Resources: Video (LinkedIn, YouTube) EP189 How Google Does Security Programs at Scale: CISO Insights EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen! EP80 CISO Walks Into the Cloud: Frustrations, Successes, Lessons ... And Does the Risk Change? EP93 CISO Walks Into the Cloud: Frustrations, Successes, Lessons ... And Is My Data Secure?

Guest: Michael Czapinski, Security & Reliability Enthusiast, Google Topics: "How Google protects its production services" paper covers how Google's infrastructure balances several crucial aspects, including security, reliability, development speed, and maintainability. How do you prioritize these competing demands in a real-world setting? What attack vectors do you consider most critical in the production environment, and how has Google's defenses against these vectors improved over time? Can you elaborate on the concept of Foundational services and their significance in Google's security posture? How does your security approach adapt to this vast spectrum of sensitivity and purpose of our servers and services, actually? How do you implement this principle of zero touch prod for both human and service accounts within our complex infrastructure?  Can you talk us through the broader approach you take through Workload Security Rings and how this helps? Resources: "How Google protects its production services" paper (deep!) SLSA framework  EP189 How Google Does Security Programs at Scale: CISO Insights EP109 How Google Does Vulnerability Management: The Not So Secret Secrets! EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil SREcon presentation on zero touch prod.  The SRS book (free access)

Guests: Michele Chubirka, Staff Cloud Security Advocate, Google Cloud Sita Lakshmi Sangameswaran, Senior Developer Relations Engineer, Google Cloud Topics: What is your reaction to "in the cloud you are one IAM mistake away from a breach"? Do you like it or do you hate it? Or do you "it depends" it? :-) Everyone's talking about how "identity is the new perimeter" in the cloud. Can you break that down in simple terms? A lot of people say "in the cloud, you must do IAM 'right'". What do you think that means? What is the first or the main idea that comes to your mind when you hear it?  What's this stuff about  least-privilege and separation-of-duties being less relevant? Why do they matter in the cloud that changes rapidly?  What are your IAM Top Pet Peeves? Resources: Video  (LinkedIn, YouTube) EP127 Is IAM Really Fun and How to Stay Ahead of the Curve in Cloud IAM? EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler IAM: There and back again using resource hierarchies IAM so lost: A guide to identity in Google Cloud I Hate IAM: but I need it desperately EP33 Cloud Migrations: Security Perspectives from The Field EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use EP177 Cloud Incident Confessions: Top 5 Mistakes Leading to Breaches from Mandiant EP188 Beyond the Buzzwords: Identity's True Role in Cloud and SaaS Security "Identity Crisis: The Biggest Prize in Security" paper "Learn to love IAM: The most important step in securing your cloud infrastructure" Next presentation

Guests: Ante Gojsalic, Co-Founder & CTO at SplxAI Topics: What are some of the unique challenges in securing GenAI applications compared to traditional apps? What current attack surfaces are most concerning for GenAI apps, and how do you see these evolving in the future? Do you have your very own list of top 5 GenAI threats? Everybody seem to! What are the most common security mistakes you see clients make with GenAI? Can you explain the main goals when trying to add automation to pentesting for next-gen GenAI apps?  What are your AI testing lessons from clients so far? Resources: EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side EP135 AI and Security: The Good, the Bad, and the Magical EP185 SAIF-powered Collaboration to Secure AI: CoSAI and Why It Matters to You SAIF.google Next SAIF presentation with top 5 AI security issues Our Security of AI Papers and Blogs Explained

Guest:  Travis Lanham, Uber Tech Lead (UTL) for Security Operations Engineering, Google Cloud Topics: There's been a ton of discussion in the wake of the three SIEM week about the future of SIEM-like products. We saw a lot of takes on how this augurs the future of disassembled or decoupled SIEMs. Can you explain what these disassembled SIEMs are all about? What are the expected upsides of detaching your SIEM interface and security capabilities from your data backend? Tell us about the early days of SecOps (nee Chronicle) and why we didn't go with this approach? What are the upsides of a tightly coupled datastore + security experience for a SIEM? Are there more risks or negatives of the decoupled/decentralized approach?  Complexity and the need to assemble "at home" are on the list, right? One of the 50 things Google knew to be true back in the day was that product innovation comes from technical innovation, what's the technical innovation driving decoupled SIEMs? So what about those security data lakes? Any insights? Resources: EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations EP190 Unraveling the Security Data Fabric: Need, Benefits, and Futures EP184 One Week SIEM Migration: Fact or Fiction? Hacking Google video series Decoupled SIEM: Brilliant or …. Not :-) UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion So, Why Did I Join Chronicle Security? (2019)

Guest: Vijay Ganti, Director of Product Management, Google Cloud Security Topics: What have been the biggest pain points for organizations trying to use threat intelligence (TI)? Why has it been so difficult to convert threat knowledge into effective security measures in the past? In the realm of AI, there's often hype (and people who assume "it's all hype"). What's genuinely different about AI now, particularly in the context of threat intelligence? Can you explain the concept of "AI-driven operationalization" in Google TI? How does it work in practice? What's the balance between human expertise and AI in the TI process? Are there specific areas where you see the balance between human and AI involvement shifting in a few years? Google Threat Intelligence aims to be different. Why are we better from client PoV? Resources: Google Threat Intel website "Future of Brain" book by Gary Marcus et al Detection engineering blog (Part 9) and the series Detect engineering blogs by David French The pyramid of pain blog, the classic "Scaling Up Malware Analysis with Gemini 1.5 Flash" and "From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis" blogs on Gemini for security

Cross-over hosts: Kaslin Fields, co-host at Kubernetes Podcast Abdel Sghiouar, co-host at Kubernetes Podcast Guest: Michele Chubirka, Cloud Security Advocate, Google Cloud Topics: How would you approach answering the question "what is more secure, container or a virtual machine (VM)?" Could you elaborate on the real-world implications of this for security, and perhaps provide some examples of when one might be a more suitable choice than the other? While containers boast a smaller attack surface (what about the orchestrator though?), VMs present a full operating system. How should organizations weigh these factors against each other? The speed of patching and updates is a clear advantage of containers. How significant is this in the context of today's rapidly evolving threat landscape? Are there any strategies organizations can employ to mitigate the slower update cycles associated with VMs? Both containers and VMs can be susceptible to misconfigurations, but container orchestration systems introduce another layer of complexity. How can organizations address this complexity and minimize the risk of misconfigurations leading to security vulnerabilities? What about combining containers and VMs. Can you provide some concrete examples of how this might be implemented? What benefits can organizations expect from such an approach, and what challenges might they face? How do you envision the security landscape for containers and VMs evolving in the coming years? Are there any emerging trends or technologies that could significantly impact the way we approach security for these two technologies? Resources: Container Security, with Michele Chubrika (the same episode - with extras! - at our peer podcast, "Kubernetes Podcast from Google") EP105 Security Architect View: Cloud Migration Successes, Failures and Lessons EP54 Container Security: The Past or The Future? DORA 2024 report Container Security: It's All About the Supply Chain - Michele Chubirka Software composition analysis (SCA) DevSecOps Decisioning Principles Kubernetes CIS Benchmark Cloud-Native Consumption Principles State of WebAssembly outside the Browser - Abdel Sghiouar Why Perfect Compliance Is the Enemy of Good Kubernetes Security - Michele Chubirka - KubeCon NA 2024

Guest: Daniel Shechter, Co-Founder and CEO at Miggo Security Topics: Why do we need Application Detection and Response (ADR)? BTW, how do you define it? Isn't ADR a subset of CDR (for cloud)?  What is the key difference that sets ADR apart from traditional EDR and CDR tools? Why can't I just send my application data - or eBPF traces - to my SIEM and achieve the goals of ADR that way? We had RASP and it failed due to instrumentation complexities. How does an ADR solution address these challenges and make it easier for security teams to adopt and implement? What are the key inputs into an ADR tool? Can you explain how your ADR correlates cloud, container, and application contexts to provide a better  view of threats? Could you share real-world examples of types of badness solved for users? How would ADR work with other application security technologies like DAST/SAST, WAF and ASPM? What are your thoughts on the evolution of ADR? Resources: EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud EP143 Cloud Security Remediation: The Biggest Headache? Miggo research re: vulnerability ALBeast "WhatDR or What Detection Domain Needs Its Own Tools?" blog "Making Sense of the Application Security Product Market" blog "Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem" book

Guests: Taylor  Lehmann, Director at Office of the CISO, Google Cloud Luis Urena, Cloud Security Architect, Google Cloud Topics There is a common scenario where security teams are brought in after a cloud environment is already established. From your experience, how does this late involvement typically impact the organization's security posture and what are the immediate risks they face? Upon hearing this, many experts suggest that "burn the environment with fire" or "nuke it from orbit" are the only feasible approaches? What is your take on that suggestion? On the opposite side, what if business demands you don't  touch anything but "make it secure" regardless? Could you walk us through some of the first critical steps you do after "inheriting a cloud" and why they are prioritized in this way? Why not just say "add MFA everywhere"? What may or will blow up? We also say "address overly permissive users and roles" and this sounds valuable, but also tricky. How do we go about it? What are the chances that the environment is in fact compromised already? When is Compromise Assessment the right call, it does cost money, right? How do you balance your team's current priorities when you've just adopted an insecure cloud environment. How do you make tradeoffs among your existing stack and this new one? Resources: "Confetti cannons or fire extinguishers? Here's how to secure cloud surprises"  EP179 Teamwork Under Stress: Expedition Behavior in Cybersecurity Incident Response IAM Recommender "TM" book by Adam Shostack "Checklist Manifesto" book "Moving shields into position: How you can organize security to boost digital transformation" (with a new paper!)

Guest: Nelly Porter, Director of PM, Cloud Security at Google Cloud Topics: Share your story and how you ended here doing confidential AI at Google? What problem does confidential compute + AI solve and for what clients? What are some specific real-world applications or use cases where you see the combination of AI and confidential computing making the most significant impact? What about AI in confidential vs AI on prem? Should those people just do on-prem AI instead? Which parts of the AI lifecycle need to be run in Confidential AI: Training? Data curation? Operational workloads?  What are the performance (and thus cost) implications of running AI workloads in a confidential computing environment?  Are there new risks that arise out of confidential AI? Resources: Video EP48 Confidentially Speaking 2: Cloudful of Secrets EP1 Confidentially Speaking "To securely build AI on Google Cloud, follow these best practices" blog (paper)

Guest: Dan Nutting, Manager - Cyber Defense,  Google Cloud Topics: What is the Defender's Advantage and why did Mandiant decide to put this out there? This is the second edition. What is different about DA-II? Why do so few defenders actually realize their Defender's Advantage?  The book talks about the importance of being "intelligence-led" in cyber defense. Can you elaborate on what this means and how organizations can practically implement this approach? Detection engineering is presented as a continuous cycle of adaptation. How can organizations ensure their detection capabilities remain effective and avoid fatigue in their SOC?   Many organizations don't seem to want to make detections at all, what do we tell them? What is this thing called "Mission Control"- it sounds really cool, can you explain it? Resources: Defender's Advantage book The Defender's Advantage: Using Artificial Intelligence in Cyber Defense supplemental paper "Threat-informed Defense Is Hard, So We Are Still Not Doing It!" blog Mandiant blog

Guest: Josh Liburdi, Staff Security Engineer, Brex Topics: What is this "security data fabric"?  Can you explain the technology? Is there a market for this? Is this same as security data pipelines? Why is this really needed? Won't your SIEM vendor do it? Who should adopt it? Or, as Tim says, what gets better once you deploy it? Is reducing cost a big part of the security data fabric story? Does the data quality improve with the use of security data fabric tooling? For organizations considering a security data fabric solution, what key factors should they prioritize in their evaluation and selection process? What is the connection between this and federated security data search? What is the likely future for this technology? Resources: BSidesSF 2024 - Reinventing ETL for Detection and Response Teams (Josh Liburdi) "How to Build Your Own Security Data Pipeline (and why you shouldn't!)" blog "Decoupled SIEM: Brilliant or Stupid?" blog "Security Correlation Then and Now: A Sad Truth About SIEM" blog (my #1 popular post BTW) "Log Centralization: The End Is Nigh?"  blog "20 Years of SIEM: Celebrating My Dubious Anniversary" blog "Navigating the data current: Exploring Cribl.Cloud analytics and customer insights" report OCSF

Guest: Royal Hansen, CISO, Alphabet Topics: What were you thinking before you took that "Google CISO" job? Google's infrastructure is vast and complex, yet also modern. How does this influence the design and implementation of your security programs compared to other organizations? Are there any specific challenges or advantages that arise from operating at such a massive scale? What has been most surprising about Google's internal security culture that you wish you could export to the world at large?  What have you learned about scaling teams in the Google context? How do you design effective metrics for your teams and programs? So, yes, AI. Every organization is trying to weigh the risks and benefits of generative AI–do you have advice for the world at large based on how we've done this here? Resources: EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil CISA Secure by Design EP20 Security Operations, Reliability, and Securing Google with Heather Adkins EP91 "Hacking Google", Op Aurora and Insider Threat at Google "Delivering Security at Scale: From Artisanal to Industrial" SRE book: CHapter 5: Toil Elimination SRS book: Security as an Emergent Property What are Security Invariants? EP185 SAIF-powered Collaboration to Secure AI: CoSAI and Why It Matters to You "Against the Gods - Remarkable Story of Risk" book

Guest: Dor Fledel, Founder and CEO of Spera Security, now Sr Director of Product Management at Okta Topics: We say "identity is the new perimeter," but I think there's a lof of  nuance to it. Why and how does it matter specifically in cloud and SaaS security? How do you do IAM right in the cloud? Help us with the acronym soup - ITDR, CIEM also ISPM (ITSPM?), why are new products needed? What were the most important challenges you found users were struggling with when it comes to identity management?  What advice do you have for organizations with considerable identity management debt? How should they start paying that down and get to a better place?  Also: what is "identity management debt"? Can you answer this from both a technical and organizational change management perspective?  It's one thing to monitor how User identities, Service accounts and API keys are used, it's another to monitor how they're set up. When you were designing your startup, how did you pick which side of that coin to focus on first?  What's your advice for other founders thinking about the journey from zero to 1 and the journey from independent to acquisition?  Resources: EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler EP127 Is IAM Really Fun and How to Stay Ahead of the Curve in Cloud IAM? EP166 Workload Identity, Zero Trust and SPIFFE (Also Turtles!) EP182 ITDR: The Missing Piece in Your Security Puzzle or Yet Another Tool to Buy? "Secrets of power negotiating" book

Guest: Nicole Beckwith, Sr. Security Engineering Manager, Threat Operations @ Kroger Topics: What are the most important qualities of a successful SOC leader today? What is your approach to building and maintaining a high-functioning SOC team? How do you approach burnout in a SOC team? What are some of the biggest challenges facing SOC teams today? Can you share some specific examples of how you have built and - probably more importantly! - maintained a high-functioning SOC team? What are your thoughts on the current state of SIEM technology? Still a core of SOC or not? What advice would you give to someone who inherited a SOC? What should his/her 7/30/90 day plan include? Resources: EP180 SOC Crossroads: Optimization vs Transformation - Two Paths for Security Operations Center EP181 Detection Engineering Deep Dive: From Career Paths to Scaling SOC Teams EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond EP64 Security Operations Center: The People Side and How to Do it Right EP73 Your SOC Is Dead? Evolve to Output-driven Detect and Respond! EP26 SOC in a Large, Complex and Evolving Organization "The first 90 days" book

Guests: A debate between Tim and Anton, no guests Debate positions: You must buy the majority of cloud security tools from a cloud provider, here is why. You must buy the majority of cloud security tools from a 3rd party security vendor, here is why. Resources: EP74 Who Will Solve Cloud Security: A View from Google Investment Side EP22 Securing Multi-Cloud from a CISO Perspective, Part 3 EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use "The cloud trust paradox: To trust cloud computing more, you need the ability to trust it less" blog "Snowcrash" book VMTD

Guest:  David LaBianca, Senior Engineering Director, Google  Topics: The universe of AI risks is broad and deep. We've made a lot of headway with our SAIF framework: can you give us a) a 90 second tour of SAIF and b) share how it's gotten so much traction and c) talk about where we go next with it? The Coalition for Secure AI (CoSAI) is a collaborative effort to address AI security challenges. What are Google's specific goals and expectations for CoSAI, and how will its success be measured in the long term? Something we love about CoSAI is that we involved some unexpected folks, notably Microsoft and OpenAI. How did that come about? How do we plan to work with existing organizations, such as Frontier Model Forum (FMF) and Open Source Security Foundation (OpenSSF)? Does this also complement emerging AI security standards? AI is moving quickly. How do we intend to keep up with the pace of change when it comes to emerging threat techniques and actors in the landscape? What do we expect to see out of CoSAI work and when? What should people be looking forward to and what are you most looking forward to releasing from the group? We have proposed projects for CoSAI, including developing a defender's framework and addressing software supply chain security for AI systems. How can others use them?  In other words, if I am a mid-sized bank CISO, do I care? How do I benefit from it? An off-the-cuff question, how to do AI governance well?  Resources: CoSAI site, CoSAI 3 projects SAIF main site Gen AI governance: 10 tips to level up your AI program "Securing AI: Similar or Different?" paper Our Security of AI Papers and Blogs Explained

Guest: Manan Doshi, Senior Security Engineer  @ Etsy  Questions:  In your experience, what are the biggest challenges organizations face when migrating to a new SIEM platform? How did you solve them? Many SIEM projects have problems, but a decent chunk of these problems are not about the tool being broken. How did you decide to migrate? When is it time to go?  Specifically, how to avoid constant change from product to product, each time blaming the tool for what are essentially process failures? How did you handle detection content during migration? Was AI involved? How did you test for this: "Which platform will best enable our engineering team to build what we need?" Tell us more about the Detection as Code pipeline you use? "Completed SIEM migration in a single week!" Is this for real?  Resources: Google Cloud Security Summit (August 20, 2024) and "Etsy and the art of SIEM Migration" presentation "Ancillary Justice" book StreamAlert SIEM migration blog (spicy version / vanilla version / long detailed version) Can We Have "Detection as Code"? Google SecOps EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?

Guests:  Jaffa Edwards, Senior Security Manager @ Google Cloud  Lyka Segura, Cloud Security Engineer @ Google Cloud Topics: Security transformation is hard, do you have any secret tricks or methods that actually make it happen? Can you share a story about a time when you helped a customer transform their cloud security posture?  Not just improve, but actually transform! What is your process for understanding their needs and developing a security solution that is tailored to them? What to do if a customer does not want to share what is necessary or does not know themselves? What are some of the most common security mistakes that you see organizations make when they move to the cloud? What about the customers who insist on practicing in the cloud the same way they did on-premise? What do you tell the organizations that insist that "cloud is just somebody else's computer" and they insist on doing security the old-fashioned way? What advice would you give to organizations that are just starting out on their cloud security journey?  What are the first three cloud security steps you recommend that work for a cloud environment they inherited? References  EP86 How to Apply Lessons from Virtualization Transition to Make Cloud Transformation Better For a successful cloud transformation, change your culture first Building security guardrails for developers with Google Cloud Google Cloud Consulting

Guest: Adam Bateman, Co-founder and CEO, Push Security Topics: What is Identity Threat Detection and Response (ITDR)? How do you define it? What gets better at a client organization once ITDR is deployed? Do we also need  "ISPM" (parallel to CDR/CSPM), and what about CIEM? Workload identity ITDR vs human identity ITDR? Do we need both? Are these the same? What are the alternatives to using ITDR? Can't SIEM/UEBA help - perhaps with browser logs? What are some of the common types of identity-based threats that ITDR can help detect? What advice would you give to organizations that are considering implementing ITDR? Resources: ITDR Definition ITDR blog by Push / solve problem

Guest: Zack Allen, Senior Director of Detection & Research @ Datadog, creator of Detection Engineering Weekly Topics: What are the biggest challenges facing detection engineers today? What do you tell people who want to consume detections and not engineer them? What advice would you give to someone who is interested in becoming a detection engineer at her organization? So, what IS a detection engineer? Do you need software skills to be one? How much breadth and depth do you need? What should a SOC leader whose team totally lacks such skills do? You created Detection Engineering Weekly. What motivated you to start this publication, and what are your goals for it? What are the learnings so far? You work for a vendor, so how should customers think of vendor-made vs customer-made detections and their balance?  What goes into a backlog for detections and how do you inform it? Resources: Video (LinkedIn, YouTube) Zacks's newsletter: https://detectionengineering.net  EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity? The SRE book "Detection Spectrum" blog "Delivering Security at Scale: From Artisanal to Industrial" blog (and this too) "Detection Engineering is Painful — and It Shouldn't Be (Part 1)" blog series "Detection as Code? No, Detection as COOKING!" blog "Practical Threat Detection Engineering: A hands-on guide to planning, developing, and validating detection capabilities" book SpecterOps blog

Guests: Mitchell Rudoll, Specialist Master, Deloitte Alex Glowacki, Senior Consultant, Deloitte Topics: The paper outlines two paths for SOCs: optimization or transformation. Can you elaborate on the key differences between these two approaches and the factors that should influence an organization's decision on which path to pursue?  The paper also mentions that alert overload is still a major challenge for SOCs. What are some of the practices that work in 2024 for reducing alert fatigue and improving the signal-to-noise ratio in security signals? You also discuss the importance of automation for SOCs. What are some of the key areas where automation can be most beneficial, and what are some of the challenges of implementing automation in SOCs? Automation is often easier said than done… What specific skills and knowledge will be most important for SOC analysts in the future that people didn't think of 5-10 years ago? Looking ahead, what are your predictions for the future of SOCs? What emerging technologies do you see having the biggest impact on how SOCs operate?  Resources: "Future of the SOC: Evolution or Optimization —Choose Your Path" paper and highlights blog "Meet the Ghost of SecOps Future" video based on the paper EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond The original Autonomic Security Operations (ASO) paper (2021) "New Paper: "Future of the SOC: Forces shaping modern security operations" (Paper 1 of 4)" "New Paper: "Future of the SOC: SOC People — Skills, Not Tiers" (Paper 2 of 4)" "New Paper: "Future Of The SOC: Process Consistency and Creativity: a Delicate Balance" (Paper 3 of 4)"

Guests: Robin Shostack, Security Program Manager, Google Jibran Ilyas, Managing Director Incident Response, Mandiant, Google Cloud Topics: You talk about "teamwork under adverse conditions" to describe expedition behavior (EB). Could you tell us what it means? You have been involved in response to many high profile incidents, one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response?   Apart from during incident response which is almost definitionally an adverse condition, how else can security teams apply this knowledge? If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It's probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team? How do we create it in an existing team or an under-performing team?   Resources: EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework EP103 Security Incident Response and Public Cloud - Exploring with Mandiant EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster? "Take a few of these: Cybersecurity lessons for 21st century healthcare professionals" blog Getting More by Stuart Diamond book Who Moved My Cheese by Spencer Johnson  book

Guest: Brandon Wood, Product Manager for Google Threat Intelligence Topics: Threat intelligence is one of those terms that means different things to everyone–can you tell us what this term has meant in the different contexts of your career?  What do you tell people who assume that "TI = lists of bad IPs"? We heard while prepping for this show that you were involved in breaking up a human trafficking ring: tell us about that! In Anton's experience, a lot  of cyber TI is stuck in "1. Get more TI 2. ??? 3. Profit!" How do you move past that? One aspect of threat intelligence that's always struck me as goofy is the idea that we can "monitor the dark web" and provide something useful. Can you change my mind on this one? You told us your story of getting into sales, you recently did a successful rotation into the role of Product Manager,, can you tell us about what motivated you to do this and what the experience was like? Are there other parts of your background that inform the work you're doing and how you see yourself at Google?  How does that impact our go to market for threat intelligence, and what're we up to when it comes to keeping the Internet and broader world safe? Resources: Video EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons EP128 Building Enterprise Threat Intelligence: The Who, What, Where, and Why EP112 Threat Horizons - How Google Does Threat Intelligence Introducing Google Threat Intelligence: Actionable threat intelligence at Google scale A Requirements-Driven Approach to Cyber Threat Intelligence

Guests: Omar ElAhdan, Principal Consultant, Mandiant, Google Cloud Will Silverstone, Senior Consultant, Mandiant, Google Cloud Topics: Most organizations you see use both cloud and on-premise environments. What are the most common challenges organizations face in securing their hybrid cloud environments? You do IR so in your experience, what are top 5  mistakes organizations make that lead to cloud incidents? How and why do organizations get the attack surface wrong? Are there pillars of attack surface? We talk a lot about how IAM matters in the cloud.  Is that true that AD is what gets you in many cases even for other clouds? What is your best cloud incident preparedness advice for organizations that are new to cloud and still use on-prem as well? Resources: Next 2024 LIVE Video of this episode / LinkedIn version (sorry for the audio quality!) "Lessons Learned from Cloud Compromise" podcast at The Defender's Advantage "Cloud compromises: Lessons learned from Mandiant investigations" in 2023 from Next 2024 EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework EP103 Security Incident Response and Public Cloud - Exploring with Mandiant EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler

Guest: Seth Vargo, Principal Software Engineer responsible for Google's use of the public cloud, Google Topics: Google uses the public cloud, no way, right? Which one? Oh, yeah, I guess this is obvious: GCP, right? Where are we like other clients of GCP?  Where are we not like other cloud users? Do we have any unique cloud security technology that we use that others may benefit from? How does our cloud usage inform our cloud security products? So is our cloud use profile similar to cloud natives or traditional companies? What are some of the most interesting cloud security practices and controls that we use that are usable by others? How do we make them work at scale?  Resources: EP12 Threat Models and Cloud Security (previous episode with Seth) EP66 Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics IAM Deny Seth Vargo blog "Attention Is All You Need" paper (yes, that one)

Guest: Crystal Lister, Technical Program Manager, Google Cloud Security Topics: Your background can be sheepishly called "public sector", what's your experience been transitioning from public to private? How did you end up here doing what you are doing? We imagine you learned a lot from what you just described – how's that impacted your work at Google? How have you seen risk management practices and outcomes differ? You now lead Google Threat Horizons reports, do you have a vision for this? How does your past work inform it? Given the prevalence of ransomware attacks, many organizations are focused on external threats. In your experience, does the risk of insider threats still hold significant weight? What type of company needs a dedicated and separate insider threat program? Resources: Video on YouTube Google Cybersecurity Action Team Threat Horizons Report #9 Is Out! Google Cybersecurity Action Team site for previous Threat Horizons Reports EP112 Threat Horizons - How Google Does Threat Intelligence Psychology of Intelligence Analysis by Richards J. Heuer The Coming Wave by Mustafa Suleyman  Visualizing Google Cloud: 101 Illustrated References for Cloud Engineers and Architects

Guest: Angelika Rohrer, Sr. Technical Program Manager , Cyber Security Response at Alphabet Topics: Incident response (IR) is by definition "reactive", but ultimately incident prep determines your IR success. What are the broad areas where one needs to prepare? You have created a new framework for measuring how ready you are for an incident, what is the approach you took to create it? Can you elaborate on the core principles behind the Continuous Improvement (CI) Framework for incident response? Why is continuous improvement crucial for effective incident response, especially in cloud environments? Can't you just make a playbook and use it? How to overcome the desire to focus on the easy metrics and go to more valuable ones? What do you think Google does best in this area? Can you share examples of how the CI Framework could have helped prevent or mitigate a real-world cloud security incident? How can other organizations practically implement the CI Framework to enhance their incident response capabilities after they read the paper? Resources: "How do you know you are "Ready  to Respond"? paper EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil EP103 Security Incident Response and Public Cloud - Exploring with Mandiant EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

Guest: Shan  Rao, Group Product Manager, Google  Topics: What are the unique challenges when securing AI for cloud environments, compared to traditional IT systems? Your talk covers 5 risks, why did you pick these five? What are the five, and are these the worst? Some of the mitigation seems the same for all risks. What are the popular SAIF mitigations that cover more of the risks? Can we move quickly and securely with AI? How? What future trends and developments do you foresee in the field of securing AI for cloud environments, and how can organizations prepare for them? Do you think in 2-3 years AI security will be a separate domain or a part of … application security? Data security? Cloud security?  Resource: Video (LinkedIn, YouTube)  [live audio is not great in these] "A cybersecurity expert's guide  to securing AI products with Google SAIF" presentation SAIF Site "To securely build AI on Google Cloud, follow these best practices" (paper) "Secure AI Framework (SAIF): A Conceptual Framework for Secure AI Systems" resources Corey Quinn on X (long story why this is here… listen to the episode)

Guests: None Topics: What have we seen at RSA 2024? Which buzzwords are rising (AI! AI! AI!) and which ones are falling (hi XDR)? Is this really all about AI? Is this all marketing? Security platforms or focused tools, who is winning at RSA? Anything fun going on with SecOps? Is cloud security still largely about CSPM? Any interesting presentations spotted? Resources: EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side (RSA 2024 episode 1 of 2) "From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis" blog "Decoupled SIEM: Brilliant or Stupid?" blog "Introducing Google Security Operations: Intel-driven, AI-powered SecOps" blog "Advancing the art of AI-driven security with Google Cloud" blog

Guest: Elie Bursztein, Google DeepMind Cybersecurity Research Lead, Google  Topics: Given your experience, how afraid or nervous are you about the use of GenAI by the criminals (PoisonGPT, WormGPT and such)? What can a top-tier state-sponsored threat actor do better with LLM? Are there "extra scary" examples, real or hypothetical? Do we really have to care about this "dangerous capabilities" stuff (CBRN)? Really really? Why do you think that AI favors the defenders? Is this a long term or a short term view? What about vulnerability discovery? Some people are freaking out that LLM will discover new zero days, is this a real risk?  Resources: "How Large Language Models Are Reshaping the Cybersecurity Landscape" RSA 2024 presentation by Elie (May 6 at 9:40AM) "Lessons Learned from Developing Secure AI Workflows" RSA 2024 presentation by Elie (May 8, 2:25PM) EP50 The Epic Battle: Machine Learning vs Millions of Malicious Documents EP40 2021: Phishing is Solved? EP135 AI and Security: The Good, the Bad, and the Magical EP170 Redefining Security Operations: Practical Applications of GenAI in the SOC EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It PyRIT LLM red-teaming tool Accelerating incident response using generative AI Threat Actors are Interested in Generative AI, but Use Remains Limited OpenAI's Approach to Frontier Risk

Guest: Payal Chakravarty, Director of Product Management, Google SecOps, Google Cloud Topics: What are the different use cases for GenAI in security operations and how can organizations  prioritize them for maximum impact to their organization? We've heard a lot of worries from people that GenAI will replace junior team members–how do you see GenAI enabling more people to be part of the security mission? What are the challenges and risks associated with using GenAI in security operations? We've been down the road of automation for SOCs before–UEBA and SOAR both claimed it–and AI looks a lot like those but with way more matrix math-what are we going to get right this time that we didn't quite live up to last time(s) around? Imagine a SOC or a D&R team of 2029. What AI-based magic is routine at this time? What new things are done by AI? What do humans do? Resources: Live video (LinkedIn, YouTube) [live audio is not great in these] Practical use cases for AI in security operations, Cloud Next 2024 session by Payal EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It EP169 Google Cloud Next 2024 Recap: Is Cloud an Island, So Much AI, Bots in SecOps 15 must-attend security sessions at Next '24

Guests:  no guests (just us!) Topics: What are some of the fun security-related launches from Next 2024 (sorry for our brief "marketing hat" moment!)? Any fun security vendors we spotted "in the clouds"? OK, what are our favorite sessions? Our own, right? Anything else we had time to go to? What are the new security ideas inspired by the event (you really want to listen to this part! Because "freatures"...) Any tricky questions at the end? Resources: Live video (LinkedIn, YouTube) [live audio is not great in these] 15 must-attend security sessions at Next '24 Cloud CISO Perspectives: 20 major security announcements from Next '24 EP137 Next 2023 Special: Conference Recap - AI, Cloud, Security, Magical Hallway Conversations (last year!) EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It? EP90 Next Special - Google Cybersecurity Action Team: One Year Later! A cybersecurity expert's guide to securing AI products with Google SAIF Next 2024 session How AI can transform your approach to security Next 2024 session

Guests:  Umesh Shankar, Distinguished Engineer, Chief Technologist for Google Cloud Security Scott Coull, Head of Data Science Research, Google Cloud Security Topics: What does it mean to "teach AI security"? How did we make SecLM? And also: why did we make SecLM? What can "security trained LLM" do better vs regular LLM? Does making it better at security make it worse at other things that we care about? What can a security team do with it today?  What are the "starter use cases" for SecLM? What has been the feedback so far in terms of impact - both from practitioners but also from team leaders? Are we seeing the limits of LLMs for our use cases? Is the "LLM is not magic" finally dawning? Resources: "How to tackle security tasks and workflows with generative AI" (Google Cloud Next 2024 session on SecLM) EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It? EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models Supercharging security with generative AI  Secure, Empower, Advance: How AI Can Reverse the Defender's Dilemma? Considerations for Evaluating Large Language Models for Cybersecurity Tasks Introducing Google's Secure AI Framework Deep Learning Security and Privacy Workshop  Security Architectures for Generative AI Systems ACM Workshop on Artificial Intelligence and Security Conference on Applied Machine Learning in Information Security

Speakers:  Maria Riaz, Cloud Counter-Abuse, Engineering Lead, Google Cloud Topics: What is "counter abuse"? Is this the same as security? What does counter-abuse look like for GCP? What are the popular abuse types we face?  Do people use stolen cards to get accounts to then violate the terms with? How do we deal with this, generally? Beyond core technical skills, what are some of the relevant competencies for working in this space that would appeal to a diverse set of audience? You have worked in academia and industry. What similarities or differences have you observed? Resources / reading: Video EP165 Your Cloud Is Not a Pet - Decoding 'Shifting Left' for Cloud Security P161 Cloud Compliance: A Lawyer - Turned Technologist! - Perspective on Navigating the Cloud "Art of War" by Sun Tzu "Dare to Lead" by Brene Brown "Multipliers" by Liz Wiseman

Guests: Evan Gilman, co-founder CEO of Spirl Eli Nesterov, co-founder CTO of Spril Topics: Today we have IAM,  zero trust and security made easy. With that intro, could you give us the 30 second version of what a workload identity is and why people need them?  What's so spiffy about SPIFFE anyway?  What's different between this and micro segmentation of your network–why is one better or worse?  You call your book "solving the bottom turtle" could you tell us what that means? What are the challenges you're seeing large organizations run into when adopting this approach at scale?  Of all the things a CISO could prioritize, why should this one get added to the list? What makes this, which is so core to our internal security model–ripe for the outside world? How people do it now, what gets thrown away when you deploy SPIFFE? Are there alternative? SPIFFE is interesting, yet can a startup really "solve for the bottom turtle"?  Resources: SPIFFE  and Spirl "Solving the Bottom Turtle" book [PDF, free] "Surely You're Joking, Mr. Feynman!" book [also, one of Anton's faves for years!] "Zero Trust Networks" book Workload Identity Federation in GCP

Guest: Ahmad Robinson,  Cloud Security Architect, Google Cloud Topics: You've done a BlackHat webinar where you discuss a Pets vs Cattle mentality when it comes to cloud operations. Can you explain this mentality and how it applies to security? What in your past led you to these insights?  Tell us more about your background and your journey to Google.  How did that background contribute to your team? One term that often comes up on the show and with our customers is 'shifting left.'  Could you explain what 'shifting left' means in the context of cloud security? What's hard about shift left, and where do orgs get stuck too far right? A lot of "cloud people" talk about IaC and PaC but the terms and the concepts are occasionally confusing to those new to cloud. Can you briefly explain Policy as Code  and its security implications? Does PaC help or hurt security? Resources: "No Pets Allowed - Mastering The Basics Of Cloud Infrastructure" webinar EP33 Cloud Migrations: Security Perspectives from The Field EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment? EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud

Guest: Jennifer Fernick, Senor Staff Security Engineer and UTL, Google Topics: Since one of us (!) doesn't have a PhD in quantum mechanics, could you explain what a quantum computer is and how do we know they are on a credible path towards being real threats to cryptography? How soon do we need to worry about this one? We've heard that quantum computers are more of a threat to asymmetric/public key crypto than symmetric crypto. First off, why? And second, what does this difference mean for defenders? Why (how) are we sure this is coming? Are we mitigating a threat that is perennially 10 years ahead and then vanishes due to some other broad technology change? What is a post-quantum algorithm anyway? If we're baking new key exchange crypto into our systems, how confident are we that we are going to be resistant to both quantum and traditional cryptanalysis?  Why does NIST think it's time to be doing the PQC thing now? Where is the rest of the industry on this evolution? How can a person tell the difference here between reality and snakeoil? I think Anton and I both responded to your initial email with a heavy dose of skepticism, and probably more skepticism than it deserved, so you get the rare on-air apology from both of us! Resources: Securing tomorrow today: Why Google now protects its internal communications from quantum threats How Google is preparing for a post-quantum world NIST PQC standards PQ Crypto conferences "Quantum Computation & Quantum Information" by Nielsen & Chuang book "Quantum Computing Since Democritus" by Scott Aaronson book EP154 Mike Schiffman: from Blueboxing to LLMs via Network Security at Google

Guest: Phil Venables, Vice President, Chief Information Security Officer (CISO) @ Google Cloud  Topics:  You had this epic 8 megatrends idea in 2021, where are we now with them? We now have 9 of them, what made you add this particular one (AI)? A lot of CISOs fear runaway AI. Hence good governance is key! What is your secret of success for AI governance?  What questions are CISOs asking you about AI? What questions about AI should they be asking that they are not asking? Which one of the megatrends is the most contentious based on your presenting them worldwide? Is cloud really making the world of IT simpler (megatrend #6)? Do most enterprise cloud users appreciate the software-defined nature of cloud (megatrend #5) or do they continue to fight it? Which megatrend is manifesting the most strongly in your experience? Resources: Megatrends drive cloud adoption—and improve security for all and infographic "Keynote | The Latest Cloud Security Megatrend: AI for Security" "Lessons from the future: Why shared fate shows us a better cloud roadmap" blog and shared fate page SAIF page "Spotlighting 'shadow AI': How to protect against risky AI practices" blog EP135 AI and Security: The Good, the Bad, and the Magical EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security Secure by Design by CISA

Guest: Kat Traxler, Security Researcher, TrustOnCloud Topics: What is your reaction to "in the cloud you are one IAM mistake away from a breach"? Do you like it or do you hate it? A lot of people say "in the cloud, you must do IAM 'right'". What do you think that means? What is the first or the main idea that comes to your mind when you hear it? How have you seen the CSPs take different approaches to IAM? What does it mean for the cloud users? Why do people still screw up IAM in the cloud so badly after years of trying? Deeper, why do people still screw up resource hierarchy and resource management?  Are the identity sins of cloud IAM users truly the sins of the creators? How did the "big 3" get it wrong and how does that continue to manifest today? Your best cloud IAM advice is "assign roles at the lowest resource-level possible", please explain this one? Where is the magic? Resources: Video (Linkedin, YouTube) Kat blog "Diving Deeply into IAM Policy Evaluation" blog "Complexity: a Guided Tour" book EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same? EP129 How CISO Cloud Dreams and Realities Collide

Guest: Victoria Geronimo, Cloud Security Architect, Google Cloud Topics: You work with technical folks at the intersection of compliance, security, and cloud. So  what do you do, and where do you find the biggest challenges in communicating across those boundaries? How does cloud make compliance easier? Does it ever make compliance harder?  What is your best advice to organizations that approach cloud compliance as they did for the 1990s data centers and classic IT? What has been the most surprising compliance challenge you've helped teams debug in your time here?  You also work on standards development –can you tell us about how you got into that and what's been surprising in that for you?  We often say on this show that an organization's ability to threat model is only as good as their team's perspectives are diverse: how has your background shaped your work here?   Resources: Video (YouTube) EP14 Making Compliance Cloud-native EP25 Beyond Compliance: Cloud Security in Europe  Fordham University Law and Technology site IAPP  site

Guest: Merritt Baer, Field CTO,  Lacework, ex-AWS, ex-USG Topics: How can organizations ensure that their security posture is maintained or improved during a cloud migration? Is cloud migration a risk reduction move? What are some of the common security challenges that organizations face during a cloud migration? Are there different gotchas between the three public clouds? What advice would you give to those security leaders who insist on lift/shift or on lift/shift first? How should security and compliance teams approach their engineering and DevOps colleagues to make sure things are starting on the right foot? In your view, what is the essence of a cloud-native approach to security? How can organizations ensure that their security posture scales as their cloud usage grows? Resources: Video (LinkedIn, YouTube) EP69 Cloud Threats and How to Observe Them EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win? 9 Megatrends drive cloud adoption—and improve security for all Darknet Diaries podcast

Guests: Emre Kanlikilicer, Senior Engineering Manager @ Google Sophia Gu, Engineering Manager at Google  Topics Workspace makes the claim that unlike other productivity suites available today, it's architectured for the modern threat landscape. That's a big claim! What gives Google the ability to make this claim? Workspace environments would have many different types of data, some very sensitive. What are some of the common challenges with controlling access to data and protecting data in hybrid work?  What are some of the common mistakes you see customers making with Workspace security? What are some of the ways context aware access and DLP (now SDP) help with this? What are the cool future plans for DLP and CAA? Resources: Google Workspace blog & Workspace Update blog EP99 Google Workspace Security: from Threats to Zero Trust CISA Zero Trust Maturity Model 2.0

Guest: Jason Solomon, Security Engineer, Google Topics: Could you share a bit about when you get pulled into incidents and what are your goals when you are? How does that change in the cloud? How do you establish a chain of custody and prove it for law enforcement, if needed? What tooling do you rely on for cloud forensics and is that tooling available to "normal people"?  How do we at Google know when it's time to call for help, and how should our customers know that it's time?  Can I quote Ray Parker Jr and ask, who you gonna call? What's your advice to a security leader on how to "prepare for the inevitable" in this context?  Cloud forensics - is it easier or harder than the 1990s classic forensics?  Resource: EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster? EP103 Security Incident Response and Public Cloud - Exploring with Mandiant Google SRE Workbook (Ch 9) GRR Cloud Logging LibCloudForensics, Turbinia, Timesketch tools

Guest: Arie Zilberstein, CEO and Co-Founder at Gem Security Topics:  How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response? What are the key challenges of cloud detection and response? Often we lift and shift our teams to Cloud, and not always for bad reasons, so  what's your advice on how to teach the old dogs new tricks: "on-premise-trained" D&R teams and cloud D&R? What is this new CIRA thing that Gartner just cooked up?  Should CIRA exist as a separate market or technology or is this just a slice of CDR or even SIEM perhaps? What do you tell people who say that "SIEM is their CDR"? What are the key roles and responsibilities of the CDR team? How is the cloud D&R process related to DevOps and cloud-style IT processes?  Resources: Video version of this episode Cloud breaches databases EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster? EP103 Security Incident Response and Public Cloud - Exploring with Mandiant EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response? 9 Megatrends drive cloud adoption—and improve security for all "Emerging Tech: Security — Cloud Investigation and Response Automation (CIRA) Offers Transformation Opportunities" (Gartner access required) "Does the World Need Cloud Detection and Response (CDR)?" blog

Guest: Sandra Joyce, VP at Mandiant Intelligence Topics: Could you give us a brief overview of what this power disruption incident was about? This incident involved both Living Off the Land and attacks on operational technology (OT). Could you explain to our audience what these mean and what the attacker did here? We also saw a wiper used to hide forensics, is that common these days? Did the attacker risk tipping their hand about upcoming physical attacks? If we'd seen this intrusion earlier, might we have understood the attacker's next moves? How did your team establish robust attribution in this case, and how they do it in general? How sure are we, really?  Could you share how this came about and maybe some of the highlights in our relationship helping defend that country? Resources: Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology | Mandiant Andy Greenberg's book Sandworm  EP155 Cyber, Geopolitics, AI, Cloud - All in One Book?

Guests: Derek Reveron, Professor and Chair of National Security at the US Naval War College John Savage, An Wang Professor Emeritus of Computer Science of Brown University Topics: You wrote a book on cyber and war, how did this come about and what did you most enjoy learning from the other during the writing process? Is generative AI going to be a game changer in international relations and war, or is it just another tool? You also touch briefly on lethal autonomous weapons systems and ethics–that feels like the genie is right in the very neck of the bottle right now, is it too late? Aside from this book, and the awesome course you offered at Brown that sparked Tim's interest in this field, how can we democratize this space better?  How does the emergence and shift to Cloud impact security in the cyber age? What are your thoughts on the intersection of Cloud as a set of technologies and operating model and state security (like sovereignty)? Does Cloud make espionage harder or easier?  Resources: "Security in the Cyber Age" book (and their other books') "Thinking, Fast and Slow" book "No Shortcuts: Why States Struggle to Develop a Military Cyber-Force" book "The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age" book "Active Cyber Defense: Applying Air Defense to the Cyber Domain" EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same? EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith?

Guest: Mike Schiffman, Network Security "UTL" Topics: Given your impressive and interesting history, tell us a few things about yourself? What are the biggest challenges facing network security today based on your experience? You came to Google to work on Network Security challenges. What are some of the surprising ones you've uncovered here? What lessons from Google's approach to network security absolutely don't apply to others? Which ones perhaps do? If you have to explain the difference between network security in the cloud and on-premise, what comes to mind first? How do we balance better encryption with better network security monitoring and detection? Speaking of challenges in cryptography, we're all getting fired up about post-quantum and network security. Could you give us the maybe 5 minute teaser version of this because we have an upcoming episode dedicated to this? I hear you have some interesting insight on LLMs, something to do with blueboxing or something. What is that about? Resources: Video EP113 Love it or Hate it, Network Security is Coming to the Cloud EP122 Firewalls in the Cloud: How to Implement Trust Boundaries for Access Control "A History of Fake Things on the Internet" by WALTER J. SCHEIRER Why Google now protects its internal communications from quantum threats How Google is preparing for a post-quantum world NIST on PQC "Smashing The Stack For Fun And Profit" (yes, really)

Guest: Kevin Mandia, CEO at Mandiant, part of Google Cloud Topics: When you look back, what were the most surprising cloud breaches in 2023, and what can we learn from them? How were they different from the "old world" of on-prem breaches?  For a long time it's felt like incident response has been an on-prem specialization, and that adversaries are primarily focused on compromising on-prem infrastructure. Who are we seeing go after cloud environments? The same threat actors or not? Could you share a bit about the mistakes and risks that you saw organizations make that made their cloud breaches possible or made them worse? Conversely, what ended up being helpful to organizations in limiting the blast radius or making response easier?  Tim's mother worked in a network disaster recovery team for a long time–their motto was "preparing for the inevitable." What advice do you have for helping security teams and IT teams get ready for cloud breaches? Especially for recent cloud entrants? Anton tells his "2000 IDS story" (need to listen for details!) and asks: what approaches for detecting threats actually detects threats today? Resources: EP148 Decoding SaaS Security: Demystifying Breaches, Vulnerabilities, and Vendor Responsibilities "Microsoft lost its keys, and the government got hacked" news article SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures  (must read by every CISO!)

Guest: Michee Smith, Director, Product Management for Global Affairs Works, Google Topics: What is Google Annual Transparency Report and how did we get started doing this?  Surely the challenge of a transparency report is that there are things we can't be transparent about, how do we balance this? What are those? Is it a safe question? What Access Transparency Logs are and if they are connected to the report –other than in Tim's mind and your career?  Beyond building the annual transparency report, you also work on our central risk data platform. Every business has a problem managing risk–what's special here? Do we have any Google magic here?  Could you tell us about your path in Product Management here? You have been here eight years, and recently became Director. Do you have any advice for the ambitious Google PMs listening to the show?   Resources: Google Annual Transparency report Access Transparency Logs "Digital Asset Valuation and Cyber Risk Measurement: Principles of Cybernomics" book Keyun Ruan "Trapped in a frame: Why leaders should avoid security framework traps"  blog

Guest: Monica Shokrai, Head Of Business Risk and Insurance For Google Cloud  Topics: Could you give us the 30 second run down of what cyber insurance is and isn't? Can you tie that to clouds? How does the cloud change it? Is it the case that now I don't need insurance for some of the "old school" cyber risks? What challenges are insurers facing with assessing cloud risks? On this show I struggle to find CISOs who "get" cloud, are there insurers and underwriters who get it? We recently heard about an insurer reducing coverage for incidents caused by old CVEs! What's your take on this? Effective incentive structure to push orgs towards patching operational excellence or someone finding yet another way not to pay out? Is insurance the magic tool for improving security? Doesn't cyber insurance have a difficult reputation with clients? "Will they even pay?" "Will it be enough?" "Is this a cyberwar exception?" type stuff? How do we balance our motives between selling more cloud and providing effective risk underwriting data to insurers? How soon do you think we will have actuarial data from many clients re: real risks in the cloud? What about the fact that risks change all the time unlike say many "non cyber" risks?   Resources: Video (LinkedIn, YouTube) Google Cloud Risk Protection program "Cyber Insurance Policy"  by Josephine Wolff  InsureSec

Guest: Dr Gary McGraw, founder of the Berryville Institute of Machine Learning Topics: Gary, you've been doing software security for many decades, so tell us: are we really behind on securing ML and AI systems?  If not SBOM for data or "DBOM", then what? Can data supply chain tools or just better data governance practices help? How would you threat model a system with ML in it or a new ML system you are building?  What are the key differences and similarities between securing AI and securing a traditional, complex enterprise system? What are the key differences between securing the AI you built and AI you buy or subscribe to? Which security tools and frameworks will solve all of these problems for us?  Resources: EP135 AI and Security: The Good, the Bad, and the Magical Gary McGraw books "An Architectural Risk Analysis Of Machine Learning Systems: Toward More Secure Machine Learning" paper "What to think about when you're thinking about securing AI" Annotated ML Security bibliography   Tay bot story (2016) "Can you melt eggs?" "Microsoft AI researchers accidentally leak 38TB of company data" "Random number generator attack" "Google's AI Red Team: the ethical hackers making AI safer" Introducing Google's Secure AI Framework

Guests: John Stoner, Principal Security Strategist, Google Cloud Security Dave Herrald, Head of Adopt Engineering, Google Cloud Security Topics: In your experience, past and present, what would make clients trust vendor detection content? Regarding "canned", default or "out-of-the-box" detections, how to make them more production quality and not merely educational samples to learn from? What is more important, seeing the detection or being able to change it, or both? If this is about seeing the detection code/content, what about ML and algorithms? What about the SOC analysts who don't read the code? What about "tuning" - is tuning detections a bad word now in 2023? Everybody is obsessed about "false positives," what about the false negatives? How are we supposed to eliminate them if we don't see detection logic? Resources: Video (Linkedin, YouTube) Github rules for Chronicle DetectionEngineering.net by Zack Allen "On Trust and Transparency in Detection" blog "Detection as Code? No, Detection as COOKING!" blog EP64 Security Operations Center: The People Side and How to Do it Right EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil Why is Threat Detection Hard? Detection Engineering is Painful — and It Shouldn't Be (Part 1, 2, 3, 4, 5)

Guest: Adrian Sanabria,  Director of Valence Threat Labs at Valence Security, ex-analyst Topics: When people talk about "cloud security" they often forget SaaS, what should be the structured approach to using SaaS securely or securing SaaS? What are the incidents telling us about the realistic threats to SaaS tools? Is the Microsoft 365 breach a SaaS breach, a cloud breach or something else? Do we really need CVEs for SaaS vulnerabilities? What are the least understood aspects of securing SaaS? What do you tell the organizations who assume that "SaaS vendor takes care of all SaaS security"? Isn't CASB the answer to all SaaS security issues? We also have SSPM now too? Do we really need more tools? Resources: VIdeo (LinkedIn, YouTube) EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response? Valence 2023 State of SaaS Security report DHS Launches First-Ever Cyber Safety Review Board Enterprise Security Weekly podcast CloudVulnDb and another cloud vulnerability list Cyber Safety Review Board (CSRB) by CISA

Guest:  Kelli Vanderlee, Senior Manager, Threat Analysis, Mandiant at Google Cloud Topics: Can you really forecast threats? Won't the threat actors ultimately do whatever they want? How can clients use the forecast? Or as Tim would say it, what gets better once you read it? What is the threat forecast for cloud environments? It says "Cyber attacks targeting hybrid and multi-cloud environments will mature and become more impactful" - what does it mean? Of course AI makes an appearance as well: "LLMs and other gen AI tools will likely be developed and offered as a service to assist attackers with target compromises." Do we really expect attacker-run LLM SaaS? What models will they use? Will it be good? There are a number of significant elections scheduled for 2024, are there implications for cloud security? Based on the threat information, tell me about something that is going well, what will get better in 2024? Resources: 2024 Google Cloud Security Forecast Report EP112 Threat Horizons - How Google Does Threat Intelligence EP135 AI and Security: The Good, the Bad, and the Magical How to Stop a Ransomware Attack Sophisticated StripedFly Spy Platform Masqueraded for Years as Crypto Miner

Guest: Wei Lien Dang, GP at Unusual Ventures  Topics:  We have a view at Google that AI for security and security for AI are largely separable disciplines. Do you feel the same way? Is this distinction a useful one for you?  What are some of the security problems you're hearing from AI companies that are worth solving?  AI is obviously hot, and as always security is chasing the hotness. Where are we seeing the focus of market attention for AI security? Does this feel like an area that's going to have real full products or just a series of features developed by early stage companies that get acquired and rolled up into other orgs?  What lessons can we draw on from previous platform shifts, e.g. cloud security, to inform how this market will evolve?  Resources: "What to think about when you're thinking about securing AI" blog / paper EP135 AI and Security: The Good, the Bad, and the Magical EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It? EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models Introducing Google's Secure AI Framework OWASP Top 10 for Large Language Model Applications Unusual VC Startup Field Guide Demystifing LLMs and Threats by Caleb Sima

Guest: Jay Thoden van Velzen, Strategic Advisor to the CSO, SAP  Topics: What are the challenges with shared responsibility for cloud security? Can you explain "shared" vs "separated" responsibility? In your article, you mention "shared faith", we have "shared fate", but we never heard of shared faith. What is this? Can you explain? What about the cloud models (SaaS, PaaS, IaaS), how does this sharing model differ? While at it, what is cloud, really? [yes, we really did ask this!]  Resources: LinkedIn post and  Blog EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge "Security Chaos Engineering" book Shared responsibility failures blog Shared fate at Google Cloud (also see blogs one and two) National Cyber Security strategy

Guest: Kathryn Shih, Group Product Manager, LLM Lead in Google Cloud Security Topics: Could you give our audience the quick version of what is an LLM and what things can they do vs not do?  Is this "baby AGI" or is this a glorified "autocomplete"? Let's talk about the different ways to tune the models, and when we think about tuning what are the ways that attackers might influence or steal our data? Can you help our security listener leaders have the right vocabulary and concepts to reason about the risk of their information a) going into an LLM and b) getting regurgitated by one? How do I keep the output of a model safe, and what questions do I need to ask a vendor to understand if they're a) talking nonsense or b) actually keeping their output safe?  Are hallucinations inherent to LLMs and can they ever be fixed? So there are risks to data and new opportunities for attacks and hallucinations. How do we know good opportunities in the area given the risks?  Resources: Retrieval Augmented Generation (or go ask Bard about it) "New Paper: "Securing AI: Similar or Different?""  blog

Guests: Tomer Schwartz, Dazz CTO Topics: It seems that in many cases the challenge with cloud configuration weaknesses is not their detection, but remediation, is that true? As far as remediation scope, do we need to cover  traditional vulnerabilities (in stock and custom code), configuration weaknesses and other issues too? One of us used to cover vulnerability management at Gartner, and in many cases the remediation failures [on premise] were due to process, not technology, breakdowns. Is this the same in the cloud? If still true, how can any vendor technology help resolve it? Why is cloud security remediation such a headache for so many organizations? Is the friction real between security and engineering teams? Do they have any hope of ever becoming BFFs? Doesn't every CSPM (and now ASPM too?) vendor say they do automated remediation today? How should security pros evaluate solutions for prioritizing, triaging, and fixing issues? Resources: Video (YouTube, LinkedIn) Cloud Security Remediation for Dummies EP3 Automate and/or Die? EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?' EP54 Container Security: The Past or The Future? EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity? A Guide to Building a Secure SDLC 8 Megatrends drive cloud adoption—and improve security for all

Host: Stephanie Wong, Product Manager, Google Cloud Guests (yes, really, we are the guests!): Anton Chuvakin Tim Peacock Topics: Could you tell us how you ended up in security? What was the moment you realized that Cloud security was different from well, regular, security?   Anton is always asking this "3AM test", where did that come from? How do you source topics for the podcast? What advice would you give to folks who are interested in getting into security? … and other fun questions! Resources: Video (LinkedIn, YouTube) Cloud Security Podcast by Google / Twitter / LinkedIn

Guest:  Jeremiah Kung, Global Head of Information Security, AppLovin Topics: Before we dive into all of the awesome cloud migrations you've experienced and your learnings there, could we start with a topic of East vs West CISO mentality? We are talking to more and more CISOs who see the cloud as a net win for security. What's your take on whether the cloud improves security?  We talked about doing some "big" cloud migrations, could you talk about what you learned back in 2015 about the "right" way to do a cloud migration and how you've applied those lessons since?  How are you approaching securing clouds differently in 2023 (vs the dark past of 2015)? What advice would you give your peers to get out of the "saying no" mentality and into a better collaborative mode?  On the topic of giving advice to people who haven't asked for it, what advice would you give to teams who are stuck in 1990s thinking when it comes to lift and shifting their security technology stack to cloud?  Resources: EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen! EP129 How CISO Cloud Dreams and Realities Collide EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen! EP11 Preparing for Cloud Migrations from a CISO Perspective, Part 2 "How CISOs need to adapt their mental models for cloud security" blog "Superforecasting" book "American Generalship" book

Guest:  Andrew Hoying, Senior Security Engineering Manager @ Google Topics: What is different about system hardening today vs 20 years ago?  Also, what is special about hardening systems at Google massive scale? Can I just apply CIS templates and be done with it? Part of hardening has to be following up with developers after they have un-hardened things – how do we operationalize that at scale without getting too much in the way of productivity? A part of hardening has got to be responding to new regulation and compliance regimes, how do you incorporate new controls and stay responsive to the changing world around us? Are there cases where we have taken lessons from hardening at scale and converted those into product improvements? What metrics do you track to keep your teams moving, and what metrics do your leads look at to understand how you're doing? [Spoiler: the answer here is VERY fun!] Resources: "Why Shared Fate is a Better Way to Manage Cloud Risk" article (and this too) CIS for GCP GCP IAM Deny CloudSecList by Marco Lancini

Guest: Chris Corde, Sr Director of Product Management - Security Operations, Google Cloud Topics: You cover many products, but let's focus on Chronicle today. An easy question: Chronicle isn't an XDR, so what is it? Since you've joined the team, what're you most proud of shipping to clients? Could you share more about the Mandiant acquisition,  what's been a happy surprise and what are you looking forward to making available to customers? Some believe that good security operations success is mostly about process, yet we are also building these amazing products. What is your view of how much security ops success hinges on products vs practices? When it comes to building out Chronicle's position in the market, how are we leveraging the depth of expertise that people have with other SIEM tools compared to ours? What advice do you have for security professionals who want to transition into product management?  Resources: EP44 Evolving a SIEM for the Future While Learning from the Past EP82 Mega-confused by XDR? You Are Not Alone! This XDR Skeptic Clarifies!

Guest: Rosemary Wang, Developer Advocate at HashiCorp  Topics: Could you give us a 2 minute picture on what Terraform is, what stages of the cloud lifecycle it is relevant for, and how it intersects with security teams? How can Terraform be used for security automation? How should security teams work with DevOps teams to use it? What are some of the obvious and not so obvious security challenges of using Terraform? How can security best practices be applied to infrastructure instantiated via Terraform? What is the relationship between Terraform and policy as code (PaC)? How do you get started with all this? What do you tell the security teams who want to do cloud security the "old way" and not the cloud-native way?  Resources: Video (LinkedIn, YouTube) "EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?" Policy as Code with HashiCorp Sentinel or Open Policy Agent (OPA) for Terraform "Terraform Cloud adds Vault-backed dynamic credentials" blog Google Cloud Provider for Terraform Security & Authentication Providers for Terraform "Sloth's Guide to Mindfulness" book

Guests:  no guests, all banter, all very fun :-) Topics: How is Google Next this year? What is new in cloud security? Is Google finally a security vendor? What are some of the fun security presentations we've seen, including our own? Any impactful launches in security? What was the most interesting overall? Resources: "Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?" (ep136) "RSA 2023 - What We Saw, What We Learned, and What We're Excited About" (ep119) "Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?" (ep67) "Detecting, investigating, and responding to threats in your Google Cloud environment" at Cloud Next 2023 by Anton "Prevent cloud compromises: Learn how Uber discovers cyber risks and remediates threats" at Cloud Next 2023 by Tim "Generative AI for defenders with Sec-PaLM 2 and Duet AI" at Cloud Next 2023 by Eric Doerr (his episode) "A blueprint for modern security operations" at Cloud Next 2023 by our future guest, Chris… Kevin Mandia at Next keynote (start at 1:15:00) "New AI capabilities that can help address your security challenges" blog

Guest:  Eric Doerr, VP of Engineering, Google Cloud Security  Topics: You have a Next presentation on AI, what is the most exciting part for you? We care both about securing AI and using AI for security. How do you organize your thinking about it? Executive surveys imply that trusting an AI (for business) is still an issue. How can we trust AI for security? What does it mean to "trust AI" in this context?  How should defenders think about threat modeling AI systems?  Back to using AI for security, what are the absolute worst security use cases for GenAI? Think "generate code and run it on prod" or something like that? What does it mean to "teach AI security" like we did with Sec-PALM2? What is actually involved in this? What were some surprising challenges we ran into here?  Resources: "Generative AI for defenders with Sec-PaLM 2 and Duet AI" presentation at Google Cloud Next 2023 "The Prompt: What to think about when you're thinking about securing AI" and a new paper on securing AI "AI and Security: The Good, the Bad, and the Magical" (ep135) Monitor and secure Vertex AI "Introducing Google's Secure AI Framework" blog "Project Hail Mary" book

Guest: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics: Why is AI a game-changer for security? Can we even have game-changers in cyber security? Is it more detection or is it more reducing toil and making humans more productuve? What are you favorite AI for security use cases? What "AI + security" issue makes you  - a classic CISO question  here - lose sleep at night? Does AI help defenders or attackers more? Won't attackers adopt faster because they don't have as many rules (but yes, they have bosses and budgets too)?  Aren't there cases where defenders benefit a lot more and gain a superpower with AI while attackers are faced with defeat? Is securing AI more similar or more different from securing other enterprise systems? Does shared fate apply to AI?  Resources: "Securing AI: Similar or Different?" paper by Office of the CISO at Google Cloud "Secure AI Framework Approach"  Supercharge security with AI Board of Directors Insights Hub "Lessons from the future: Why shared fate shows us a better cloud roadmap" blog "Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security" (ep47) "Securing Multi-Cloud from a CISO Perspective, Part 3" (ep22) "Google Cybersecurity Action Team: What's the Story?" (ep37) "Google Cybersecurity Action Team: One Year Later!" (ep90)

Guest:  Steph Hay , Director of UX, Google Cloud Security Topics: The importance of User Experience (UX) in security is so obvious – though it isn't to a lot of people! Could we talk about the importance of UX in security? UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this? How do you think about prioritizing your team's time between day zero vs day n experiences for users of security tools? Some say that cloud security should be invisible, but does this mean no UX at all? What are the intersections between UX for security and invisible security? Can you think of what single UX change in Cloud Security's portfolio made the biggest impact to actual security outcomes?  We have this new tool/approach for planning called Jobs To Be Done (JTBD)  - give us the value, and the history? In the world of JTBD planning, what gets better? Resources: JTBD Framework GCP IAM Recommender Recaptha Enterprise

Guest:  Steve McGhee, Reliability Advocate at Google Cloud  Aron Eidelman, Developer Relations Engineer at Google Cloud Topics: What is the shared problem for SRE and security when it comes to alerting? Why is there reluctance to reduce noise? How do SREs, security practitioners, and other stakeholders define "incident" and "risk"? How does involving an "adversary" change the way people think about an incident, even if the impact is identical? Which SRE alerting lessons do NOT apply at all for security? Resources: Video (LinkedIn, YouTube) "Deploy Security Capabilities at Scale: SRE Explains How" (ep85) Steve talk about probability and SLO math at SLOconf   Why Focus on Symptoms, Not Causes? Learning from incidents (LFI) science How to measure anything in cyber security risk book Security chaos engineering book The SRS Book Ch 1 The SRE book Ch 4

Guest: Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly Topics:  So what is Security Chaos Engineering? "Chapter 5. Operating and Observing" is Anton's favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection? How chaos engineering (or is it really about software resilience?)  intersects with Cloud security - is this peanut butter and chocolate or more like peanut butter and pickles? How can organizations get started with chaos engineering for software resilience and security? What is your favorite chaos engineering experiment that you have ever done? We often talk about using the SRE lessons for security, and yet many organizations do security the 1990s way. Are there ways to use chaos engineering as a forcing function to break people out of their 1990s thinking and time warp them to 2023? Resources: Video (LinkedIn, YouTube) "Security Chaos Engineering: Sustaining Resilience in Software and Systems" by Kelly Shortridge, Aaron Rinehart "Cybersecurity Myths and Misconceptions" book "Designing Data-Intensive Applications: The Big Ideas Behind Reliable, Scalable, and Maintainable Systems" book "Normal Accidents: Living with High-Risk Technologies" book "Deploy Security Capabilities at Scale: SRE Explains How" (ep85) "The Good, the Bad, and the Epic of Threat Detection at Scale with Panther" (ep123) "Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?" (ep117) IKEA Effect "Modernizing SOC ... Introducing Autonomic Security Operations" blog

Guests: Himanshu Khurana, Engineering Manager, Google Cloud Rahul Gupta, Product Manager for Assured OSS, Google Cloud Topics: For the software you're supporting in Assured Open Source your team discovered 50% of the CVEs reported in them this year. How did that happen?  So what is Assured Open Source? Do we really guarantee its security? What does "guarantee" here mean? What're users actually paying for here? What's the Google magic here and why are we doing this?  Do we really audit all code and fuzz for security issues? What's a supply chain attack and then we'll talk about how this is plugging into those gaps?  Resources: Assured Open Source Software page "SBOMs: A Step Towards a More Secure Software Supply Chain" (ep116) "Linking Up The Pieces: Software Supply Chain Security at Google and Beyond" (ep24) SLSA.dev blog Open Source Security Podcast Mandiant M-Trends 2023

Guest:  Steve Riley, Field CTO, Netskope, ex-Gartner Research VP Topics: Analysts (well, like Steve and Anton in the past?) say that "cloud is secure, but clients just aren't using it securely", what is your reaction to this today? When clients hear "use cloud securely", what do you think comes to their minds? How would you approach planning for secure use of the cloud or using cloud securely? What is your view of cloud defense in depth (DiD) or layered defenses? How do you suggest clients think about it? What about DiD for SaaS? What are your thoughts on the evolution of zero trust? How has it changed since its introduction back in 2010? Awareness of and interest in SSE and SASE is growing. But at the same time, plenty of folks seem deeply perplexed by these. How would you explain them to someone not deeply immersed in the details?  Resources: Video (LinkedIn, YouTube) Bruce Schneier books Netskope blog "Deploy Security Capabilities at Scale: SRE Explains How" (ep85) "Zero Trust: Fast Forward from 2010 to 2021" (ep8) "Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?" (ep76) "How to Approach Cloud in a Cloudy Way, not As Somebody Else's Computer?" (ep115) "Use Cloud Securely? What Does This Even Mean?!" "How to Solve the Mystery of Cloud Defense in Depth?"

Guest: Rick Doten, VP, Information Security at Centene Corporation, CISO Carolina Complete Health  Topics:  What are the realistic cloud risks today for an organization using public cloud?  Is the vendor lock-in on that list?  What other risks everybody thinks are real, but they are not? What do you tell people who in 2023 still think "they can host Exchange better themselves" and have silly cloud fears? What do you tell people who insist on "copy/pasting" all their security technology stack from data centers to the cloud? Cloud providers have greater opportunity not only to see issues, but to learn how to react well. Do you think this argument holds water?  What are the most challenging security issues for multi-cloud and hybrid cloud security? How does security chasm (between security haves and have-notes) affect cloud security? Your best cloud security advice for an organization with a security team of 0 FTEs and no CISO?  Resources: Video (LinkedIn, YouTube) Rick Doten on YouTube Defining Cloud Security by Rick Doten Cloud Security Alliance materials Mandiant M-Trends 2023

Guest:  John Doyle, Principle Intelligence Enablement Consultant at Mandiant / Google Cloud  Topics: You have created a new intelligence class focused on building enterprise threat intelligence capability, so what is the profile of an organization and profile for a person that benefits the most from the class? There are many places to learn threat intel (TI), what is special about your new class?  You talk about country cyber operations in the class, so what is the defender - relevant difference between, say, DPRK and Iran cyber doctrines? More generally, how do defenders benefit from such per country intel? Can you really predict what the state-affiliated attackers would do to your organization based on the country doctrine? In many minds, TI is connected to attribution. What is your best advice on attribution to CISOs of well-resourced organizations? What about mainstream organizations? Overall we see a lot of organizations still failing to operationalize TI, especially strategic TI, how does this help them? Resources: The new class "Inside the Mind of APT" "Navigating Tradeoffs of Attribution" paper Sands Casino hack 2014 "Threat Horizons - How Google Does Threat Intelligence" (ep112)

Guest: Ian Glazer, founder at Weave Identity, ex-Gartner, ex-SVP of Products at Salesforce, co-founder of IDPro Topics: OK, tell us why Identity and Access Management (IAM) is exciting (is it exciting?) Could you also explain why IAM is even more exciting in the cloud?  Are you really "one IAM mistake away from a breach" in the cloud?  What advice would you give to someone new to IAM? How to not just "learn IAM in the cloud" but to keep learning IAM? Is what I know about IAM in AWS the same as knowing IAM for GCP? What advice do you have for teams operating in a multi-cloud world? What are the top cloud IAM mistakes? How to avoid them? Resources: Video (LinkedIn, YouTube) IDPro association and BoK SCIM v2 standard EP60 Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM? EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response? EP94 Meet Cloud Security Acronyms with Anna Belak

Guests:  Dominik Richter, the founder and head of product at Mondoo Cooked questions: What is a policy, is that the same as a control, or is there a difference? And what's the gap between a policy and a guardrail?  We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud? Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now? Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams? How do organizations grow into safely rolling out new policy as code code?  You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance"  and this problem has been unsolved for as long as the cloud existed. Will your toolset change this?  There are other frameworks that exist for security testing like HashiCorp's sentinel, Open Policy Agent, etc and you are proposing a new one with MQL. Why do we need another security framework? What are some of the success metrics when adopting  Policy as Code?  Resources: Live video (LinkedIn, YouTube) "Why Infrastructure as Code Is Setting You up to Make Bad Things Faster" blog

Guest: David Swift, Security Strategist at Netenrich Topics: Which old Security Information and Event Management (SIEM) lessons apply today? Which old SIEM lessons absolutely do not apply today and will harm you? What are the benefits and costs of SIEM in 2023? What are the top cloud security use cases for SIEM in 2023? What are your favorite challenges with SIEM in 2023 special in the cloud? Are they different from, say, 2013 or perhaps 2003? Do you think SIEM can ever die?   Resources: Live video (LinkedIn, YouTube) "Debating SIEM in 2023, Part 1" and  "Debating SIEM in 2023, Part 2" blogs "Detection as Code? No, Detection as COOKING!" blog "A Process for Continuous Security Improvement Using Log Analysis" (old but good) "UEBA, It's Just a Use Case" blog "Situational Awareness Is Key to Faster, Better Threat Detection" blog and other SIEM reading MITRE 15 detection techniques paper

Guest: Panos Mavrommatis, Senior Engineering Director at Google Cloud Topics: Could you give us the 30 second overview of our favorite "billion user security product" - SafeBrowsing - and, since you were there, how did it get started? SafeBrowsing is a consumer and business product – are you mitigating the same threats and threat models on each side? Making this work at scale can't be easy, anytime we're talking about billion device protection, there are massive scale questions. How did we make it work at such a scale?  Talk to us about the engineering and scaling magic behind the low false positive rate for blocking? Resources: "Foundryside" book

Guest: Jack Naglieri, Founder and CEO at Panther Topics: What is good detection, defined at micro-level for a rule or a piece of detection content?  What is good detection, defined at macro-level for a program at a company?  How to reliably produce good detection content at scale? What is a detection content lifecycle that reliably produces good detections at scale? What is the purpose of a SIEM today? Where do you stand on a classic debate on vendor-written vs customer-created detection content? Resources: "Essentialism" book "The 5 AM Club"  book "Good to Great" book  "Why Is Threat Detection Hard" blog "Think Like a Detection Engineer, Pt. 2: Rule Writing" blog "Detection as Code? No, Detection as COOKING!"  blog Open Cybersecurity Schema Framework (OCSF)

Guest: Michele Chubirka, Senior Cloud Security Advocate, Google Cloud Topics: So, if somebody wakes you up at 3AM ("Anton's 3AM test") and asks "Do we need firewalls in the cloud?" what would you say? Firewalls (=virtual appliances in the cloud or routing cloud traffic through physical firewalls) vs firewalling (=controlling network access) in the cloud, do they match the cloud-native realities? How do you implement trust boundaries for access control with cloud-native options? Can you imagine a modern cloud native security architecture that includes a firewall? Can you imagine a modern cloud native security architecture that excludes any firewalling?  Firewall, NIDS, NIPS, NGFW …. How do these other concepts map to the cloud? How do you build a "traditional-like" network visibility layer in the cloud (and do we need to)? Resources: Video version of this episode: LinkedIn or YouTube "Security Architect View: Cloud Migration Successes, Failures and Lessons" (ep105) "Love it or Hate it, Network Security is Coming to the Cloud" with Martin Roesch (ep113) Gartner Bimodal IT definition Ross Anderson "Security Engineering" book The New Stack blog Trireme tool CNCF site security landscape Google Cloud Firewall

Guests:  Nelly Porter, Group Product Manager, Google Cloud Rene Kolga, Senior Product Manager, Google Cloud Topics: Could you remind our listeners what confidential computing is? What threats does this stop? Are these common at our clients?  Are there other use cases for this technology like compliance or sovereignty? We have a new addition to our Confidential Computing family - Confidential Space. Could you tell us how it came about? What new use cases does this bring for clients? Resources: "Confidentially Speaking" (ep1) "Confidentially Speaking 2: Cloudful of Secrets" (ep48) "Introducing Confidential Space to help unlock the value of secure data collaboration" Confidential Space security overview "The Is How They Tell Me The World Ends" by Nicole Perlroth NIST 800-233 "High-Performance Computing (HPC) Security: Architecture, Threat Analysis, and Security Posture"

Guest: Jeff Reed, VP of Product,  Cloud Security @ Google Cloud Topics: You've had a long career in software and security, what brought you to Google Cloud Security for this role? How do you balance the needs of huge global financials that often ask for esoteric controls (say EKM with KAJ) vs the needs of SMBs that want easy yet effective, invisibility security? We've got an interesting split within our security business: some of our focus is on making Google Cloud more secure, while some of our focus is on selling security products.  How are you thinking about the strategy and allocation between these functions for business growth? What aspects of Cloud security have you seen cloud customers struggle with the most? What's been the most surprising or unexpected security challenge you've seen with our users? "Google named a Leader in Forrester Wave™ IaaS Platform Native Security" - can you share a little bit about how this came to be and what was involved in this? Is cloud migration a risk reduction move?  Resources: "Google named a Leader in Forrester Wave™ IaaS Platform Native Security" "Sunil Potti on Building Cloud Security at Google" (ep102) Books by Haruki Murakami We are hiring product managers!

Guest: Connie Fan, Senior Product and Business Strategy Lead, Google Cloud Topics: We were at RSA 2023, what did we see that was notable and surprising? Cloud security showed up with three startups with big booths, and one big player with a small demo station. What have we learned here? What visitors might have seen at the Google Cloud booth that we're really excited about? Could you share why we chose these two AI cases - generation of code and summarization of complex content - out of all the possibilities and the sometimes zany things we saw elsewhere on the floor? Could you share a story or two that highlights how we came to this AI launch and what it looked like under the surface?  Resources: "RSA 2023 - How to Protect Your Organization from Cyberattacks in Time of Political Turmoil" (ep118) "RSA 2022 Reflections - Securing the Past vs Securing the Future" (ep70) "How We Attack AI? Learn More at Our RSA Panel!" (ep68) "Security Operations, Reliability, and Securing Google with Heather Adkins" (ep20)

Guests:   Shanyn Ronis, Head of the Mandiant Communication Center John Miller,   Head of Mandiant Intelligence Analysis Topics: It seems like we're seeing more cyber activity taking place in the context of geopolitical events. A lot of organizations struggle to figure out if/how to respond to these events and any related cyber activity.  What advice do you have for these organizations and their leadership? A  lot of threat intel (TI) suffers from "What does this event mean for threats to our organization?" - sort of how to connect CNN to your IDS? What is your best advice on this to a CISO?  TI also suffers from "1. Get TI 2. ??? 3. Profit!" - how does your model help organizations avoid this trap?  Surely there are different levels of granularity here to TI and its relevance. Is what a CISO needs different from what an IR member needs? Do you differentiate your feed along those axes? What does success look like? How will organizations know when they're successful? What are good KPIs for these types of threat intelligence? In other words, how would customers know they benefit from it? Is there anything unique that cloud providers can do in this process? Resources: RSA 2023 Session "Intelligently Managing the Geopolitics and Security Interplay" on Wed Apr 26 9:40AM "Sandworm" by Andy Greenberg "Reading Mandiant M-Trends 2023"

Guest: Maxime Lamothe-Brassard,  Founder @ LimaCharlie Topics: What does an engineering-centric approach to cybersecurity mean? What to tell people who want to "consume" rather than "engineer" security? Is "engineering-centric" approach the same as evidence-based or provable?  In practical terms, what does it mean to adopt an "engineering-centric approach" to cybersecurity for an organization?  How will it differ from what we have today? What will it enable? Can you practice this with a very small team? How about a very small team of "non engineers"? You seem to say that tomorrow's cybersecurity will look a lot like software engineering. Where do we draw the line between these two? Resources: Atomic Red Team Sigma rules/content LimaCharlie blog 8 Megatrends drive cloud adoption—and improve security for all The Cybersecurity Defenders Podcast

Guest: Isaac Hepworth, PM focused on Software Supply Chain Security @ Google Cooked questions: Why is everyone talking about SBOMs all of a sudden? Why does this matter to a typical security leader? Some software vendors don't want SBOM, and this reminds us of the food safety rules debates in the past, how does this analogy work here? One interesting challenge in the world of SBOMs and unintended consequences is that large well resourced organizations may be better equipped to produce SBOMs than small independent and open source projects. Is that a risk? Is the SBOM requirement setting the government up to be overly reliant on megacorps and are we going to unintentionally ban open source from the government?  What is the relationship between SBOM and software liability? Is SBOM a step to this? Won't software liability kill open source? How does Google prepare for EO internally; how do we use SBOM and other related tools? To come back to the food analogy, SBOMs are all well and good, but the goal is not that consumers know they're eating lead, but rather that our food becomes healthier. Where are we heading in the next five years to improve software supply chain "health and safety"? Resources: Full video of this episode (YouTube / LinkedIn) "Executive Order on Improving the Nation's Cybersecurity" "M-22-18 Memorandum For The Heads of Executive Departments and Agencies" SLSA.dev  "How to SLSA Part 3 - Putting it all together" Assured Open Source Software NIST Secure Software Development Framework (SSDF) "Linking Up The Pieces: Software Supply Chain Security at Google and Beyond" (ep24) "2022 Accelerate State of DevOps Report and Software Supply Chain Security" (ep100)

Guest:  Rafal Los, Head of Services Strategy @ Extrahop and Founder of Down the Security Rabbit Hole podcast Topics: You had a very fun blog where you reminded the world that many organizations still approach cloud as a rented data center, do you still see it now? Do you think this will persist for 3, 5, 10 years? Other than microservices, what're the most important differences between public cloud and a rented data center for a CISO to keep in mind? Analysts say that "cloud is secure, but clients just aren't using it securely", what is your reaction to this?  Actually, how do you define "use cloud securely"? Have you met any CISOs who are active cloud fans who prefer cloud for security reasons? You also work for an NDR vendor, do you think NDR in the cloud has a future?  Resources: Full video of this episode (YouTube / LinkedIn) Down the Security Rabbithole Podcast (DtSR) podcast "A Little Truth About the Cloud" "Megatrends drive cloud adoption—and improve security for all" "CISO Walks Into the Cloud: And The Magic Starts to Happen!" (ep104) "Threat Models and Cloud Security" (ep12) "Security Architect View: Cloud Migration Successes, Failures and Lessons" (ep105)  "Patrolling Cyberspace" book (2006)

Guest: Chris John Riley, Senior Security Engineer and a Technical Debt Corrector  @ Google  Topics: We've heard of MVP, what is MVSP or Minimal Viable Secure Product? What problem is MVSP trying to solve for the industry, community, planet, etc? How does MVSP actually help anybody? Who is the MVSP checklist for? Leaders or engineers? How does MVSP differ from compliance standards like ISO 27001, or even SOC 2? How does Google use MVSP? Has it improved our security in some way? How to balance the dynamic nature of security with minimal security basics? The working group has recently completed a control refresh for 2022, what are some highlights?  Resources: Mvsp.dev  SLSA Levels MVSP (Minimum Viable Secure Product) Compliance "Phantoms in the Brain" book "Strengthen Basic Security Hygiene With a Two-Pronged Security Architecture Approach" FIRST Impressions podcast

Guest:  Martin Roesch, CEO at Netography, creator of Snort Topics: What is the role of network security in the public cloud? Networks used to be the perimeter, now we have an API and identity driven perimeter. Are networks still relevant as a layer of defense? We often joke that "you don't need to get your firewalls with you to the cloud", is this really true? How do you do network access control if not with firewalls? What about the NIDS? Does NIDS have a place in the cloud? So we agree that some network security things drop off in the cloud, but are there new network security threats and challenges? There's cloud architecture and then there's multi cloud and hybrid architectures–how does this story change if we open the aperture to network security for multi cloud and hybrid?  Should solutions that provide cloud network security be in the cloud themselves? Is this an obvious question? Resources: Book "Who: The A Method for Hiring" by Geoff Smart, Randy Street Netography resources Snort ""Hacking Google", Op Aurora and Insider Threat at Google" (ep91) "Zero Trust: Fast Forward from 2010 to 2021" (ep8) "Gathering Data for Zero Trust" (ep4)

Guest:  Charles DeBeck, Cyber Threat Intel Expert @ Google Cloud Topics: What is unique about Google Cloud approach to threat intelligence? Is it the sensor coverage? Size of the team? Other things? Why is Threat Horizons report unique among the threat reports released by other organizations? Based on your research, what are the realistic threats to cloud environments today? What threats are prevalent and what threats are most damaging? Where do you see things in 2023? What should companies look for?  What's one thing that surprised you when preparing the report? What do you think will surprise audiences? What is the most counter-intuitive hardening and operational advice can we glean from this Threat Horizons report?  What's most important to know when it comes to understanding OT and cloud? Resources: Google Threat Horizons Reports One, Two, Three, Four, Five "Demystifying 'shared Fate' - A New Approach To Understand Cybersecurity" Corey Quinn on cloud billing alerts

Guest:  Brandon Evans, Infosec Consultant and Certified Instructor and Course Author at SANS Topics: What got you interested in security and motivated you to make this your area of focus? You came from a developer background, right? Occasionally, we hear the sentiment that "developers don't care about security," how would you counter it (and would you?)? How do we encourage developers and operations to use the appropriate security controls and settings in the cloud? Is "encourage" the right word? Can we really do "secure by default" but for developers? What do you think are the main application security issues that developers need to deal with in the cloud? You mentioned software supply chain security, do you treat this as a part of application security? How important is this, realistically, for an average organization and its developers? Going to our favorite subject of threat detection, how do you think we can better encourage developers to supply the logs necessary for our detection and response teams to act upon? Resources: "Cloud Security: Making Cloud Environments a Safer Place" ebook by SANS SANS.org/cloud site "The Phoenix Project" book by Gene Kim et al "The Unicorn Project" book by Gene Kim "Next Special - Log4j Reflections, Software Dependencies and Open Source Security" (EP87) "2022 Accelerate State of DevOps Report and Software Supply Chain Security" (EP100) "Linking Up The Pieces: Software Supply Chain Security at Google and Beyond" (EP24)

Guest:  David Seidman, Head of Detection and Response @ Robinhood Toipics: Tell us about joining Robinhood and prioritizing focus areas for detection in your environment? Tim and Anton argue a lot about what kind of detection is best - fully bespoke and homemade, or scalable off-the-shelf. First, does our framework here make sense, and second, looking at your suite of detection capabilities, how have you chosen to prioritize detection development and detection triage? You're operating in AWS: there are a lot of vendors doing detection in AWS, including AWS themselves. How have you thought about choosing your detection approaches and data sources? Finding people with as much cloud expertise as you can't be easy: how are you structuring your organization to succeed despite cloud detection and response talent being hard to find? What matters more: detection skills or cloud skills? What has been effective in ramping up your D&R team in the cloud? What are your favorite data sources for detection in the cloud? Resources: "Detection as Code? No, Detection as COOKING!" "On Threat Detection Uncertainty" "Radical Candor" by Kim Scott "Daring Greatly" by Brene Brown "Extreme Ownership" by Jocko Willink "Drive" by Daniel Pink

Guest:  Ana Oprea, Staff Security Engineer, European Lead of Vulnerability Coordination Center @ Google Topics: What is the scope for the vulnerability management program at Google? Does it cover  OS, off-the-shelf applications, custom code we wrote … or all of the above? Our vulnerability prioritization includes a process called "impact assessment." What does our impact assessment for a vulnerability look like? How do we prioritize what to remediate? How do we decide on the speed of remediation needed? How do we know if we've done a good job? When we look backwards, what are our critical metrics (SLIs and SLOs) and how high up the security stack is the reporting on our progress? What of the "Google Approach" should other companies not try to emulate? Surely some things work because of Google being Google, so what are the weird or surprising things that only work for us? Resources: SRS Book, Chapter 20: Understanding Roles and Responsibilities and Chapter 21: Building a Culture of Security and Reliability  Why Google Stores Billions of Lines of Code in a Single Repository  SRE book and SRE Workbook "How Google Secures It's Google Cloud Usage at Massive Scale" (ep107) "Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance" (ep66) "How We Scale Detection and Response at Google: Automation, Metrics, Toil" (ep75)

Guest:  John Stoner, Principal Security Strategist @ Google Cloud Topics: Please define threat hunting  for us quickly, the term has been corrupted a bit What are your favorite beginner hunts to jump start the effort at a new team? How to incorporate hunting lessons in detection? What are the differences for hunting in the cloud? Are there specific data sources you prefer to have access to when threat hunting? In the cloud? Should every organization threat hunt? What are traits you might look for in a threat hunter? Resources: "The Who, What, Where, When, Why and How of Effective Threat Hunting" Awesome Threat Detection and Hunting  "My "Aha!" Moment - Methods, Tips, & Lessons Learned in Threat Hunting" video NIST Computer Security Incident Handling Guide 800-61 "Threat Hunting Is Not for Everyone" (2020) "Formulating An Intelligence-Driven Threat Hunting Methodology"  video

Guest: Karan Dwivedi, Security Engineering Manager, Enterprise Infrastructure Protection @ Google Cloud Topics: Google's use of Google Cloud is a massive cloud environment with wildly diverse use cases. Could you share, for our listeners, a few examples of the different kinds of things we're running in GCP? Given that we're doing these wildly different things in GCP, how do we think about scaling the right security guardrails to the right places in our GCP org? How do you work with application engineering teams and project owner teams to make sure the right controls are there but not getting in the way of business?  How do we scale this exemption management process? Are there things we do here that don't make sense at a smaller scale? Are there emergent challenges that only we would face? How do you correctly federate security responsibilities between the central team defining policy and the constituent user teams actually using the platform? Burnout is a perennial challenge for security teams–what're you doing to keep your people happy and engaged? Resources: "How We Scale Detection and Response at Google: Automation, Metrics, Toil" (ep75) ""Hacking Google", Op Aurora and Insider Threat at Google" (ep91) Google Cloud security foundations guide

Guest: Anoosh Saboori, former Product Manager at Google Cloud Topics: We had zero trust episodes before and definitions vary! When we say zero trust, what do we mean?   What about zero trust for workloads in production? When you say "workload," what do you mean? What is BeyondProd, for those that are unfamiliar with it? And how is this different from BeyondCorp?  How has BeyondProd actually been implemented at Google?   What threats does it help with? Is this real threats or compliance? Why is now a good time to be thinking about zero trust for production systems?  Companies have many security tools deployed, including microsegmentation and firewalls, how does this toolset fit? Does it replace anything they have deployed? Resources: BeyondProd papers "Zero Trust: Fast Forward from 2010 to 2021" (ep8) "Gathering Data for Zero Trust" (ep4) "Google Workspace Security: from Threats to Zero Trust" (ep99) "Zero Trust: So Easy Even a Government Can Do It?" (ep59) "Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance" (ep66)

Guest: Michele Chubirka, Senior Cloud Security Advocate, Google Cloud Topics: We are here to talk about cloud migrations and we are here to talk about failures. What are your favorites? What are your favorite cloud security process failures?  What are your favorite cloud security technical failures?  What are your favorite cloud security container and k8s failures? Is "lift and shift" always wrong from the security point of view?  Can it at least work as step 1 for a full cloud transformation?  Resources: "Automate and/or Die?" (ep3) "More Cloud Migration Security Lessons" (ep18) "The Magic of Cloud Migration: Learn Security Lessons from the Field" (ep55) "Preparing for Cloud Migrations from a CISO Perspective, Part 1" (ep5) "Cloud Migrations: Security Perspectives from The Field"  (ep33) "Dune" by Frank Herbert "The Science of Organizational Change"  by Paul Gibbons  "Servant Leadership: A Journey into the Nature of Legitimate Power and Greatness"  by Robert K. Greenleaf "Finding the Sweet Spot for Change" State of Devops (DORA) Report 2022

Guest:  Gary Hayslip, CISO at Softbank Topics:  "So we're talking about your journey as a CISO migrating to Cloud. Could you give us the 30 second overview of  What triggered your organization's migration to the cloud? When did you and the security organization get brought in? How did you plan your security  organization's journey to the cloud? Did you take going to cloud as an opportunity to change things beyond the tools you were using?  As you got going into the cloud, what was the hardest part for your organization? If that was hardest, what was most surprising? Good surprise and bad surprise? Let's shift to some tactical gears: How did you design security controls for the cloud? Did your data security practice change? Did your detection  / response practice change? How has the CISO role evolved and is evolving due to the cloud? Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be? Resources: "CISO Desk Reference Guide" book by Gary Hayslip "The Essential Guide to Cybersecurity for SMBs" book by Gary Hayslip "Develop Your Cybersecurity Career Path" book by Gary Hayslip

Guest:   Nader Zaveri, Senior Manager of IR and Remediation at Mandiant, now part of Google Cloud Topics: Could we start with a story of a cloud incident response (IR) failure and where things went wrong?  What should that team have done to get it right?  Are there skills that matter more in cloud incidents than they do for on-prem incidents? Are there on-prem instincts that will lead incident responders astray in cloud? What 3 things an IR team leader needs to do to prepare his team for IR in the cloud? Are there on-premise tools that can stay on prem and not join us in the cloud? What processes should we leave behind? Keep with us? What logs and context should we prepare for cloud IR?  What access should we have behind "break glass"? While doing IR, what things should we look at in the cloud logs (which logs, also?) to expedite the investigation? Resources: "How to Cloud IR or Why Attackers Become Cloud Native Faster?" (ep98) "How to prepare for detection & response in the cloud" Google Cloud Next 2022 presentation "Security Incident Response in the Cloud: A Few Ideas" blog GCP Cloud Logging "Security at Scale: Logging in AWS" paper "AWS Security Incident Response Whitepaper" paper

Guest:  Sunil Potti, VP / GM, Google Cloud Topics: One of the biggest shifts we've noticed is the shift from building security because we think security is good, to building security as a business. How did you make that cultural shift happen in our organization?  With organizations migrating to cloud we have a set of tradeoffs between meeting security teams where they are with on-prem expectations of security vs cloud-native approaches. How do you think about investing in next generation products vs holding the hands of CISOs just stepping into the cloud? What matters more to you as a leader, secure cloud (GCP, Workspace) or security products (Chronicle SecOps, BCE, SCC, etc)? Is invisible security the same as "building security in"? Aren't there security controls where the value is derived from them being visible to users? Mandiant brings services expertise to Google Cloud, typically not our strong area and not our DNA, how do we plan to make the most of Mandiant within Google's culture? Resources: Simon Sinek "Start With Why" book

Guest:  Jim Higgins, CISO at Snap,  former CISO at Square Topics: You were at Google for a long time, and at Google you sat between Google security and Cloud. Now that you're leading security for a major company, how are you prioritizing your focus between your on-premise resources and your cloud resources?  How are you thinking about threat detection in the Cloud? In detection, how has your technology changed? How has your process changed? What threats do you mostly focus on? Why don't we talk about the role of automation in detection and response (D&R)? How do you approach automation and eliminating toil? As you're scaling teams, processes and technology for your cloud footprint, what has been easiest to get right and what's been hardest to get right? How do you approach measuring security? What cloud metrics are you sharing upwards to your board? Resources: BeyondCorp Enterprise "Ghost in the Wires: My Adventures as the World's Most Wanted Hacker" book

Guests: John Speed Meyers, Security Data Scientist, Chainguard Todd Kulesza, User Experience Researcher, Google Topics: How did you get involved with this year's Accelerate State of DevOps Report (DORA report)? So what is DORA and why did you decide to focus on supply chain security for the 2022 report? What are the big learnings from this year's report? What's the difference between SLSA and SSDF? Is one spicy and the other savory? How're companies adopting these and how is adoption going?  Are there other areas that DevOps can be a contributor in the overall security landscape?  How can CISOs rope DevOps fully into their security gang? Operationally, how should security and developers and DevOps come together to keep vulnerabilities out in the first place? How should security and developers and DevOps come together to respond quickly to vulnerabilities when they're discovered? How do security and developers and DevOps come together to prove to their auditors and customers that they're doing a good job of the above? Resources: 2022 Accelerate State of DevOps Report "New insights for defending the software supply chain" blog (and new report) SLSA.dev site Secure Software Development Framework at NIST "Linking Up The Pieces: Software Supply Chain Security at Google and Beyond" (ep24) "Sharing The Mic In Cyber with STMIC Hosts Lauren and Christina: Representation, Psychological Safety, Security" (ep92) Go vulncheck tool  "Reflections on Trusting Trust" paper  (1984)

Guests: Nikhil Sinha, Group Product Manager, Workspace Security Kelly Anderson, Product Marketing Manager, Workspace Security Topics: We are talking about Google Workspace security today. What kinds of threats do we have to care about here? Are there compliance-related motivations for security here too? Is compliance in the cloud changing? How's adoption of hardware keys for MFA going for your users, and how are you helping them?  Is phishing finally solved because of that?  Can you explain why hardware security FIDO/WebAuthn is such a step function compared to, say, RSA number generator tokens?  Have there been assumptions in the Workspace security model we had to change because of WFH? And what changes with RTO and permanent hybrid? Resources: Google BeyondCorp Enterprise "Make zero trust a reality with Google Workspace security solutions" Next 2022 video "2021: Phishing is Solved?" (ep40) "Zero Trust: Fast Forward from 2010 to 2021" (ep8)

Guests: Matt Linton, Chaos Specialist @ Google John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud Topics: Let's talk about security incident response in the cloud.  Back in 2014 when I [Anton] first touched on this, the #1 challenge was getting the data to investigate as cloud providers had few logs available. What are the top 2022 cloud incident response challenges? Does cloud change the definition of a security incident? Is "exposed storage bucket" an incident? Is vulnerability an incident in the cloud? What should I have in my incident response plans for the cloud? Should I have a separate cloud IR plan? What is our advice on running incident response jointly with a CSP like us? How would 3rd party firms (like, well, Mandiant) work with a client and a CSP during an investigation? We all read the Threat Horizons reports, but can you remind us of the common causes for cloud incidents we observed recently? What goals do the attackers typically pursue there? Resources: "Building Secure and Reliable Systems" book (especially ch 14-16, and ch17) Google Cybersecurity Action Team Threat Horizons Report #4 Is Out! (#3, #2, #1) "Incident Plan vs Incident Planning?" blog (2013)

Guest: Greg Sinclair, Security Engineer @ Google Cloud Topics: Could you tell us a bit about your background and how you ended up here at Google? Also, tell us about your team here? We're very excited about the release of the CobaltStrike rules. Could you share more about what they are looking for and second why this is so valuable? How did CobaltStrike come to be so widely used by bad guys? When you were doing this research what was the most surprising thing you uncovered? Could you tell us about the coordinated disclosure aspects of this work? In the past you've contributed research to our Threat Horizons reports, could you tell us about that? Resources: Making CobaltStike harder for threat actors to abuse blog CobaltStrike YARA-L rules CobaltStrike site "Cobalt Strike Usage Explodes Among Cybercrooks" Google Cybersecurity Action Team Threat Horizons Report #4 Is Out! Detection as Code? No, Detection as COOKING!

Guest: Jeff Bollinger,  Director of Incident Response and Detection Engineering @ Linkedin  Topics: Observability sounds cool (please define it for us BTW), but relating it to security has been "hand-wavy" at best. What is your opinion on the relevance of observability data for security use cases? What use cases are those, apart from saving the data for IR just in case? How can we best approach observability in the cloud, particularly around network communications, so that we improve security as a result? Are there other areas of cloud where observability might be more relevant? Does the massive shift to TLS 1.3 impact this? If the Internet is shifting towards an end-user/device centric model with everything as a service (SaaS), how does security monitoring even work anymore?  Does it mean the end of both endpoint and network eras and the arrival of the application security monitoring era? Can we do deep monitoring of complex applications and app clusters for abuse or should we just focus on identity and profiling? Resources: "Instrumenting Modern Application Stack for Detection and Response" (ep34) "Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan" by Jeff Bollinger, Brandon Enright, Matthew Valites (book) RFC 7258  Pervasive Monitoring Is an Attack RFC 8890 Internet is for end users "(Re)building Threat Detection and Incident Response at LinkedIn" "Martian Chronicles" by Ray Bradberry (because migrating to cloud is like flying to Mars)

Guests: Alijca Cade, Director, Financial Services, Office of the CISO, Google Cloud Ken Westin, Director, Security Strategy, Cybereason Robert Wallace, Senior Director, Mandiant, now Google Cloud Topics: How are cloud environments attacked and compromised today? Is it still about the configuration mistakes? Do cryptominers represent a serious threat now that they are often mentioned as the most common threat in the cloud? Let's look at another popular threat - ransomware or, broadly, RansomOps. Based on your research, what can we say about its likely future, especially in the cloud? Are we getting better with detection in the cloud and are we doing it fast enough? Is cloud security a misnomer? Attackers are out to get into an organization, and cloud or on-premise matters less here, right? What does it say about the interdependence of security, on and off cloud? Resources: LIVE @ Security Talks: The Cloud Security Podcast at Cloud Security Talks Q3 2022 Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!

Guest:  Dr Anna Belak, Director of Thought Leadership at Sysdig, former Gartner analyst Questions: Analysts (and vendors) coined a log of "C-something acronyms" for cloud security, and two of the people on this episode were directly involved in some of them. What do you make of all the cloud security acronym proliferation? What is CSPM? What gets better when you deploy it? What is CWPP? Does anything get better when you deploy it? What is CNAPP? What gets better when you deploy it? What is CIEM, Anton's least fave acronym? Now, what about CDR?  Resources: Gartner acronym glossary "Container Security: The Past or The Future?" (ep54, with Anna as well) "Automate and/or Die?" (ep3) "Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM?" (ep60) "Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?" (ep76) "Does the World Need Cloud Detection and Response (CDR)?" "Announcing Virtual Machine Threat Detection now generally available to Cloud customers" Sysdig Threat Report Blog 2022 Sysdig Cloud-Native Threat Report  Anatomy of Cloud Attacks

Guest: Alicja Cade, Director for Financial Services, Office of the CISO, Google Cloud  Topics: We are talking about your journey as a CISO migrating to the cloud. Could you give us the overview of … What triggered your organization's migration to the cloud? When did you and the security team get brought in? Did you take going to the cloud as an opportunity to change things beyond the tools you were using?  As you got going into the cloud, what was the hardest part for your organization? If that was hardest, what was most surprising? Good surprise and bad surprise? How did you design security controls for the cloud? How do you validate and verify security controls in the cloud? How did you keep both security practitioners and the rest of your IT teams from lift-and-shift thinking? Did your data security practice change? Having covered all that tactical terrain, one final strategic question: is moving to the cloud a net risk reduction? Can it be? Resources: "CISO Walks Into the Cloud: Frustrations, Successes, Lessons ... And Does the Risk Change?" (ep80) "Visualizing Google Cloud: 101 Illustrated References for Cloud Engineers and Architects" by Priyanka Vergadia "Cyberpolitics in International Relations" book CSA CCM v4 Cyber Risk Institute "Modernize Data Security with Autonomic Data Security Approach" (ep79) and the paper on autonomic data security. "Preparing for Cloud Migrations from a CISO Perspective, Part 1" (ep5) "Preparing for Cloud Migrations from a CISO Perspective, Part 2" (ep11) "How CISOs need to adapt their mental models for cloud security" blog

Guests: Lauren Zabierek (@lzxdc), Acting Executive Director of the Belfer Center at the Harvard Kennedy School Christina Morillo (@divinetechygirl), Principal Security Consultant at Trimark Security Topics: We are so excited to have you on the show today talking about your awesome effort, Share The Mic in Cyber. I love that we are Sharing our Mic with you today. Could you please introduce yourself to our listeners? Let's talk about representation and what that means, and why it's especially relevant in cyber security?  Psychological safety is super important for so many reasons, including  in cyber. Could you share a definition of what it is, and why it is important?  Can we talk about how psychological safety and representation intersect?  Let's bring things back to talk about the #ShareTheMicInCyber / #STMIC project. Could you tell us about one of your favorite things that's come from the project?  Any surprises? Lessons? Plans? Futures? How can our listeners help with #ShareTheMicInCyber? Where to learn more? Resources: #ShareTheMicInCyber site and @ShareInCyber on social Lauren Zabierek (@lzxdc), #ShareTheMic in Cyber co-founder Camille Stewart Gloster (@camilleesq), #ShareTheMic in Cyber co-founder "Missing Diversity Hurts Your Security" (ep42) NEXT Special - Cloud Security and DEI: Being an Ally! (ep36)

Guest: Mike Sinno, Security Engineering Director, Detection and Response  @ Google Topics: You recently were featured in "Hacking Google" videos, can you share a bit about this effort and what role you played? How long have you been at Google? What were you doing before, if you can remember after all your time here? What brought you to Google? We hear you now focus on insider threats. Insider threat is back in the news, do you find this surprising? A classic insider question is about "malicious vs well-meaning insiders" and which type is a bigger risk. What is your take here? Trust is the most important thing when people think about Google, we protect their correspondence, their photos, their private thoughts they search for. What role does detection and response play in protecting user trust? One fun thing about working at Google is our tech stack. Your team uses one of our favorite tools in the D&R org! Can you tell us about BrainAuth and how it finds useful things? We talked about Google D&R (ep 17 and ep 75) and the role of automation came up many times. And automation is a key topic for a lot of our cloud customers. What do you automate in your domain of D&R? Resources: "Hacking Google" videos  (EP00 with Mike) The Secure Reliable Systems book The CERT Guide to Insider Threats book Common Sense Guide to Mitigating Insider Threats book Insider Threats (Cornell Studies in Security Affairs) Foreign Espionage in Cyberspace from the NCSC "How We Scale Detection and Response at Google: Automation, Metrics, Toil" (ep75) "Modern Threat Detection at Google" (ep17)

Guest: Phil Venables, Vice President and CISO at Google Cloud Topics: Google Cybersecurity Action Team is your brainchild and it is 1 year old, what comes to mind first when we reflect on this anniversary? The team is primarily about helping clients with security, what did we learn doing this for a year? What challenges have we (Google Cybersecurity Action Team) faced in our first year? We released 4 Threat Horizons reports this year, what is the future for this research here? We often hear that in the cloud we need to move away from products towards solutions, how does that work in security? Your famous 8 megatrends post is several months old - any new thoughts or changes coming to this concept? Recently you had a very interesting blog "Crucial Questions from CISOs and Security Teams", with a list of questions, can you share some of your thinking here? Resources: Security at Google Cloud Next 2022 Next Special - Log4j Reflections, Software Dependencies and Open Source Security Next Special - Improving Browser Security in the New Era of Work Next Special - Can We Escape Ransomware by Migrating to the Cloud? NEXT Special - Google Cybersecurity Action Team: What's the Story? (Next 2021 special episode) Modernizing SOC ... Introducing Autonomic Security Operations  How autonomic data security can help define cloud's future Google Cloud Threat Horizons Report #1 #2 #3 #4 8 Megatrends drive cloud adoption—and improve security for all "Demystify Data Sovereignty and Sovereign Cloud Secrets at Google Cloud" (ep81) Crucial Questions from CISOs and Security Teams Google Cybersecurity Action Team

Guest:    Nelly Kassem, Security and Compliance Specialist @ Google Cloud Topics: Why did ransomware attacks become so popular? What type of organizations are targeted by ransomware?  Do these affect mostly the organizations with sub-par security? Ransomware has been raging since 2015 and shows few signs of subsiding. Why are these attacks still successful?  Do we see ransomware in the cloud?  Does migrating to the cloud protect you from ransomware? Which of Google Cloud tools are useful to fight ransomware? Resources: Security at Google Cloud Next 2022 Next Special - Log4j Reflections, Software Dependencies and Open Source Security Next Special - Improving Browser Security in the New Era of Work "Future of EDR: Is It Reason-able to Suggest XDR?" (ep29) "2021: Phishing is Solved?" (ep40) Mandiant M-Trends 2022 Google Cloud Threat Horizons Report #1 #2 #3 #4

Guest: Fletcher Oliver, Chrome Browser Customer Engineer, Google Topics: What is browser security? Isn't it just application security by another name?  Why is browser security more important now than ever?  Do we have statistical measures or data that tell us if we're succeeding at browser security? Do we know if we're doing a good job at making this better?  What are the components of modern browser security?  How does this work with an enterprise's existing stack?  In fact, how does this work with the rest of Google's tooling?  Resources: Security at Google Cloud Next 2022 NEXT Special - Log4j Reflections, Software Dependencies and Open Source Security Chrome releases blog Chrome Enterprise

Guest: Dr Nicky Ringland, Product Manager for Open Source Insights, Google Topics: Let's talk Open Source Software - are all these dependencies dependable? Why was log4j such a big thing - at a whole ecosystem level? Was it actually a Java / Maven problem? Are other languages "better" or more secure? Is another log4j inevitable? What can organizations to minimise their own risks?  Resources: Google Cloud Next 2022 Open Source Insights at deps.dev Blog at blog.deps.dev with posts on Understanding the Impact of Apache Log4j Vulnerability and what happens After the Advisory Assured Open Source Software service

Guest: Thiébaut Meyer, Director at Office of the CISO, Google Cloud Topics: Virtualization's arrival caused a major IT upheaval 20 years ago. What can we learn from that revolution for our current cloud transformation? We talk about our three legged security stool of people/process/technology. How do we balance the technical issues (new technology stack, etc.) with the new processes (agile, etc) and the skills? What are the cultural and people transformation differences between the virtualization and cloud revolutions? We do recall how PCI DSS was disrupted by virtualization.  So, how does regulation play into this change - back then and now with the cloud? How do we change the minds of regulators who still think that cloud is a risk to mitigate, rather than a way to mitigate others risks better? Resources: "8 Megatrends drive cloud adoption—and improve security for all" blog "Demystifying 'shared Fate' - A New Approach To Understand Cybersecurity" Transform with Google Cloud  Google Cybersecurity Action Team

Guest:  Steve McGhee, Reliability Advocate, Google Cloud Topics: What can security teams  learn from the Site Reliability Engineering (SRE) art of rapid and safe deployment? Is this all about the process or do SREs possess some magical technology to do this? What is SRE approach to automation? What are the pillars / components of SRE approach to deployment? SRE is also about scaling. Some security teams have to manage 1000s of detection rules, how can this be done in a manner that does not conflict or cause other problems? Resources: Google SRE book A companion Google SRE workbook "How We Scale Detection and Response at Google: Automation, Metrics, Toil" (ep75) "Achieving Autonomic Security Operations: Why metrics matter (but not how you think)" blog "Achieving Autonomic Security Operations: Reducing toil" blog.

Guest: Alex Polyakov, CEO of Adversa.ai Topics: You did research by analyzing 2000 papers on AI attacks released in the previous decade. What are the main insights? How do you approach discovering the relevant threat models for various AI systems and scenarios?  Which threats are real today vs in a few years? What are the common attack vectors? What do you see in the field of supply chain attacks on AI, software supply, data? All these reported cyberphysical attacks on computer vision, how real are they, and what are the possible examples of exploitation? Are they a real danger to people? What are the main differences between protecting AI vs protecting traditional enterprise applications? Who should be responsible for Securing AI? What about for building trustworthy AI? Given that the machinery of AI is often opaque, how to go about discovering vulnerabilities? Is there responsible disclosure for AI vulnerabilities, such as in open-source models and in public APIs?  What should companies do first, when embarking on an AI security program? Who should have such a program? Resources: "EP52 Securing AI with DeepMind CISO" (ep52) "EP68 How We Attack AI? Learn More at Our RSA Panel!" (ep68) Adversarial AI attacks work on Humans (!) "Maverick* Research: Your Smart Machine Has Been Conned! Now What?" (2015) "The Road to Secure and Trusted AI" by Adversa AI "Towards Trusted AI Week 37 – What are the security principles of AI and ML?"  Adversa AI blog AIAAIC Repository Machine Learning Security Evasion Competition at MLSec

Guest:  Badr Salmi, Product Manager for reCAPTCHA Topics: What is reCAPTCHA? Aren't you guys the super annoying 'click on the busses' thing? What is account defender? Why was this a natural next step for you? What are the actual threats that this handles - and handles well? Specific web attacks? Web fraud? Let's talk about account fraud, what do these attacks look like and how do bad guys monetize today? What about payment fraud? Could you score a payment session as well as a login session risk, or is that different?  How does this work with multi factor authentication? Recommended reading: "Code" book Recapcha page "Protect your users' accounts with reCAPTCHA Enterprise's account defender" blog "Double-clicking, but not on fire hydrants, with bot fighters" (ep19)

Guest: Dimitri McKay,  Principal Security Strategist @ Splunk Topics: How do you define that "XDR thing" that you are so skeptical about? So within that definition of XDR, you think it's not so great, why? If you have to argue pro-XDR, what would you say? Two main XDR camps are "XDR as EDR+" and "XDR as SIEM-", which camp do you think is more right? Are both wrong? What approach do you think is more useful as a lens to understand the potential upsides/downsides of XDR? What about the cloud? "Cloud XDR" seems a bit illogical, but what do you think is the future of D&R in the cloud? Resources: "Anton and The Great XDR Debate, Part 1" "Anton and The Great XDR Debate, Part 2" "Anton and The Great XDR Debate, Part 3" SURGe content on splunk blog "Today, You Really Want a SaaS SIEM!" Red Canary 2022 Threat Detection report Verizon DBIR 2022 report.

Guest:  Christopher "CJ" Johnson, retired Fire Chief, and Global Regulated Cloud Product Lead @ Google Cloud Topics: In political science, they define sovereignty as a local monopoly on the legitimate use of force. Why are we talking about "sovereignty" in IT? What is a sovereign cloud?  How much of the term is marketing vs engineering? Who cares or should care about sovereign cloud? Is this about technical controls or paper/policy controls? Or both? What is the role for encryption and key management and key access justifications (like say Google Cloud EKM with KAJ) for sovereign cloud? Is sovereign cloud automatically more secure or at least has better data security? What threat models are considered for sovereign cloud technologies? Resources: Google Cloud External Key Manager (EKM)  "Trust Google Cloud more with ubiquitous data encryption" blog "Software-Defined community cloud - a new way to "Government Cloud"" blog

Guest: David Stone,  Staff Consultant  at Office of the CISO, Google Cloud Topics: Speaking as a former CISO, what triggered your organization migration to the cloud? When did you and the security organization get brought in? How did you plan your security organization journey to the cloud? Did you take going to Cloud as an opportunity to change things beyond the tools you were using?  As you got going into the cloud, what was the hardest part for your organization ? What was most surprising? Good surprise and bad surprise? How did you design security controls for the cloud? How do you validate and verify security controls in the cloud?  How did you incorporate your cloud environment into your SOC's responsibility Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be? Resources: "How CISOs need to adapt their mental models for cloud security" "Megatrends drive cloud adoption—and improve security for all" "EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security" (ep47) "CISO's Guide to Cloud Security Transformation" paper [PDF] Google SRE book GCAT site

Guest:  John Stone,  Chaos Coordinator @ Office of the CISO, Google Cloud Topics: So what is Autonomic Data Security, described in our just released paper?  What are some notorious data security issues today? Perhaps common data security mistakes security leaders commit? What never worked in data security, like say manual data classification? How should organizations think about securing the data they migrated and the data that was created in the cloud? Do you really believe the cloud can make data security better than data security in traditional environments? Resources: "Modern Data Security: A path to autonomic data security" paper (NEW) "How autonomic data security can help define cloud's future" blog "Megatrends drive cloud adoption—and improve security for all" blog "Modernizing SOC ... Introducing Autonomic Security Operations" blog "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper "Zero Trust: Fast Forward from 2010 to 2021" (ep8) "Data Security in the Cloud" (ep2) and the resource. "Modern Data Security Approaches: Is Cloud More Secure?" (ep16) "Reflections on Trusting Trust" paper (1984).

Guest: Gorka Sadowski,  Chief Strategy Officer @ Exabeam Topics: How do we get a legacy SOC team to think about the cloud? How to think about cloud threat detection, in general? What is different … threats, the environment, what else? What is the same?  How do we know which TTPs are relevant for the new environments? What to bring with us to the cloud? Do content/rules and detection engines need to be different to cover the cloud detection use cases? What cases are appropriate for machine learning (ML) in the cloud? Does cloud threats drive the need for new ML detections? Resources: "11 Strategies of a World-Class Cybersecurity Operations Center" paper "Autonomic Security Operations: How to 10X Your SOC" paper "Indicators Of Compromise Vs. Tactics, Techniques, And Procedures" blog "How to Build and Operate a Modern Security Operations Center" (Gartner subscription required) "A SOC Tried To Detect Threats in the Cloud … You Won't Believe What Happened Next" blog

Guest: Cyrus Robinson, SOC Director and IR Team lead at Ingalls Information Security Topics: You've been using SOAR tools for years, so what do you think of the technology so far? What is driving SOAR adoption today? And what is inhibiting SOAR adoption? Realistically, how hard is SOAR to operationalize for a typical company? What are your favorite SOAR playbooks to start with? How to build, train and keep the SOAR team? Do they need to code to succeed? We like the SOAR maturity model approach. How would you imagine a SOAR adoption maturity model? How to implement SOAR from scratch in scaling operations? How to start? How to plan? How to not fail? Resources: "A Simple SOAR Adoption Maturity Model" blog  "Planning Is Paramount When Adopting SOAR" blog Siemplify community version

Guest: Ben Johnson, CTO/co-founder @ Obsidian Security Topics: Why is there so much attention lately on SaaS security? Doesn't this area date back to 2015 or so? What do you see as the primary challenges in securing SaaS? What does a SaaS threat model look like? What are the top threats you see? CASB has been the fastest growing security market and it has grown into a broad platform and many assume that "securing SaaS = using CASB", what are they missing? Where would another technology to secure SaaS fit architecturally, inline with CASB or as another API-based system? Securing IaaS spanned a robust ecosystem of vendors (CWPP, CSPM, now CNAPP) and many of these have ambitions for securing SaaS, thus clashing with CASB. Where do you fit in this battle? For a while, you were talking more about CDR - what is it and do we really need a separate CDR technology? Resources: Obsidian Security blog and Resource Center Does the World Need Cloud Detection and Response (CDR)? blog Does the world need Cloud Detection and Response (CDR) as a new market segment? poll MITRE ATT&CK for SaaS matrix CISA SCUBA resource "Essentialism" book.

Guest: Tim Nguyen, Director of Detection and Response @ Google Topics: I know we don't like to say "SOC" here, so why don't we talk about the role of automation in detection and response (D&R) at Google? One SRE concept we found useful in security operations is "toil" - How do we squeeze toil out of D&R practice at Google? A combined analyst and engineer role (just like an SRE) was critical for both increasing automation and reducing toil, how hard was it to put this into practice? Tell us about that journey? How do we automate security signal analysis, can you give us a few examples? D&R metrics have been a big pain point for many organizations, how does SRE thinking of SLOs and SLIs (and less about SLAs) helps us in our "not SOC"? How do we avoid falling into the "time to respond" trap that rewards fast response, sometimes at the cost of good? Resource: SRE book, Chapter 5 - Eliminating Toil SRE book, Chapter 4 - Service Level Objectives "Building Secure and Reliable Systems" book "Achieving Autonomic Security Operations: Automation as a Force Multiplier" "Achieving Autonomic Security Operations: Reducing toil" "Taking an autonomic approach to security operations" video "Modern Threat Detection at Google" (ep17)

Guest:  James Luo,   Partner @ CapitalG Topics: You've looked at hundreds of security startups at the growth stage - what is getting funded? What is not getting funded? What is the difference? What's your view on the current market environment for security companies? Is security "recession-proof", whatever that means? How do you think about what problems are worth solving with a new venture vs existing vendors (and/or CSPs) expanding to cover the new area? Why do many cloud security vendors get funded and get high valuations while there is a wide perception that CSP (like us at Google) are doing security really well? How do we solve the challenge that many organizations are barely moving off "antivirus and firewalls" security of the 1990s? What is your best advice to cloud security startups trying to get wider adoption? Resources: "Demystifying 'shared Fate' - A New Approach To Understand Cybersecurity" CapitalG blog

Guest: Erik Bloch,  Senior Director of Detection and Response at Sprinklr Topics: You recently coined a concept of "output-driven Detection and Response" and even perhaps broader "output-driven security." What is it and how does it work? Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that? You refer to a federated approach for Detection and Response"  ("route the outcomes to the teams that need them or can address them"), but is it workable for any organization?  What about the separation of duty concerns that some raise in response to this? What about the organizations that don't have any security talent in those teams? Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it? The model of "security team as a decision-maker, not an implementer" has a bit of a painful history, as this is what led to "GRC-only teams" who lack any technical knowledge. Why will this approach work this time? Resources: "RIP SOC. Hello D-IR" "Kill your SOC with a D-IR model" "Security De-Engineering: Solving the Problems in Information Risk Management" book "A SOCless Detection Team at Netflix"  "Achieving Autonomic Security Operations: Automation as a Force Multiplier"  "Start with Why: How Great Leaders Inspire Everyone to Take Action" book "Think Like a Monk: The Secret of how to Harness the Power of Positivity and be Happy Now" book "On "Output-driven" SIEM" "SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond" (ep58)

Guests: Dave "Merk" Merkel, CEO @ Expel Peter Silberman,  CTO @ Expel Topics: Many MDRs claim to be "security from the cloud", but they actually don't know much about cloud security. What does good looks like for MDR in the cloud (cloud being a full range from IaaS to SaaS)? What are the key challenges for clients picking an MDR for their cloud environments?  What are the questions to ask your potential MDR? Do clients want the same security outcomes done in the cloud vs on-premise?   Does it mean that MSSP/MDR capabilities must be different for good coverage of the cloud?  Is MDR technology different for Cloud detection and response as opposed to on-prem D&R?  How do you communicate with clients about the importance and value of cloud specific detection vs detection for endpoints running in the cloud?  What are the top threats against client cloud environments that you see, detect and protect from? Which clouds (IaaS?) are easiest for MDR to protect? What makes them easier to handle than the other Clouds? Resources: Who Does What In Cloud Threat Detection? How to Think about Threat Detection in the Cloud Cattle vs Pets reminder Expel Blog - Incident report: Spotting an attacker in GCP  Expel Great eXpeltations 2022: Cybersecurity trends and predictions Expel Quarterly Threat Report: Q1 2022

Guest:  Stefan Friedli,  Senior Security Engineer @ Google Topics: What is our "red team" testing philosophy and approach at Google?  How did we evolve to this approach?  What is the path from testing to making Google and our users more secure? How does our testing power the improvements we make? What is unique about red teaming at Google? Care to share some fun testing stories or examples from your experience? Resources: "Building Secure & Reliable Systems" book (free) Threat Analysis Group (TAG) blog

Guests: none Topics: What have we seen at the RSA 2022 Conference? What was the most interesting and unexpected? What was missing? Resources: "RSA 2022 Musings: The Past and The Future of Security" Google Cloud Security at RSA 2022

Guest: James Condon,  Director of Security Research @  Lacework  Topics: What are realistic and actually observed cloud threats today? How did you observe them at Lacework? Cloud threats: are they on-premise  style threats to cloud assets? We hate the line "cloud is just somebody else's computer" but apparently threats actors seem to think so? What is the 2nd most dangerous cloud issue after configuration mistakes? Why is it so common for organizations to have insecure configurations in their cloud environments?  Give me a few examples of the most common mistakes organizations make, and what they can do to avoid those configurations. Cloud malware and  ransomware / RansomOps, are these real risks today? Are we finally seeing the rise of Linux malware at scale (in the cloud)? As multi cloud expands in popularity, what are threat actors doing in this area? Are actors customizing their attacks on a per-cloud basis (AWS, GCP, Azure)?  Resources: Lacework 2022 Cloud Threat Report "Securing DevOps: Security in the Cloud" book "Threat Models and Cloud Security" (ep12) Google Threat Horizons Report #1 Google Threat Horizons Report #2

Guest:  Nicholas Carlini, Research Scientist @ Google  Topics: What is your threat model for a large-scale AI system? How do you approach this problem? How do you rank the attacks? How do you judge if an attack is something to mitigate? How do you separate realistic from theoretical? Are there AI threats that were theoretical in 2020, but may become a daily occurrence in 2025? What are the threat-derived lessons for securing AI? Do we practice the same or different approaches for secure AI and reliable AI? How does relative lack of transparency in AI helps (or hurts?) attackers and defenders? Resources: "Red Teaming AI Systems: The Path, the Prospect and the Perils" at RSA 2022 "Killed by AI Much? A Rise of Non-deterministic Security!" Books on Adversarial ML

Guest:  Sounil Yu, CISO and Head of Research at JupiterOne Topics: How does your Cyber Defense Matrix apply to cloud security? Are things easier or harder? Cloud (at least the cloudy-cloud, also called cloud native) definitely supports "Distributed Immutable Ephemeral" (DIE) - your new creation, how does that change security and CDM? Cyber resilience generates a lot of confusion, how do you define and describe it?  BTW, is the cloud more or less cyber resilient based on your definition? Is invisible security a good thing? Can we ever have it? When should security be visible? Intuitively, security and safety are not the same. So, what is the difference between cyber safety and cyber security? What is cyber safety, really? Resources: Cyber Defense Matrix Security DIE Triad Container Security: The Past or The Future? (ep54) This Binary Legit? How Google Uses Binary Authorization and Code Provenance (ep66) What is the useful definition of "cyber resilience"? poll Is the cloud just somebody else's computer? Poll Cattle vs Pets - DevOps Explained Gartner CIA-PSR model The 2022 State of Cyber Assets Report Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape "Antifragile" book "Thinking, Fast and Slow" book "Security Chaos Engineering" book

Guest: Sandra Guo, Product Manager in Security, Google Cloud Topics: We have a really interesting problem here: if we make great investments in our use of trusted repositories, and great investments in doing code review on every change, and securing our build systems, and having reproducible builds, how do we know that all of what we did upstream is actually what gets deployed to production? What are the realistic threats that Binary Authorization handles? Are there specific organizations that are more at risk from those? What's the Google inspiration for this work, both development and adoption?  How do we make this work in practice at a real organization that is not Google?  Where do you see organizations "getting it wrong" and where do you see organizations "getting it right"? We've had a lot of conversations about rolling out zero-trust for enterprise applications, how do those lessons (start small, be visible, plan plan plan) translate into deploying Binauthz into blocking mode?  Resources: "Binary Authorization for Borg: how Google verifies code provenance and implements code identity" paper Binary Authorization for deploying trusted images DevOps & SRE at Google

Guests: Charles Carmakal, CTO at Mandiant  Taylor Lehmann, Director at Office of the CISO, Google Cloud Topics: What are the current "popular" incidents at healthcare providers that you handled? Any of them involve cloud?  Do healthcare CISOs have time for anything other than ransomware? Does insider threat matter? What can incident response teach us here? How do you think the threat actors benefit from the health data they steal?  Based on your IR experience, what are the more interesting ways in, other than phishing? Give us your IR-informed take on ransomware pay/not pay focused on healthcare, ideally?  Resources: "The key role 'visibility' plays in healthcare's cybersecurity resilience" "How healthcare can strengthen its own cybersecurity resilience" "M-Trends 2022: Cyber Security Metrics, Insights and Guidance From the Frontlines" "Future of EDR: Is It Reason-able to Suggest XDR?" (ep29) "MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications""VS21: A Playbook for Resiliency: Contain and Remediate Ransomware Before It Can Act" "FDA Announces Fix for Pacemaker Security Flaws"

Guest: Dave Herrald @ Principal Security Strategist, Google Cloud Topics: What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc)? How do you make SOC training realistic? Should training be about the toolset or should it be about the analyst's skills? Should you primarily train for engineering skills or analysis skills? Do you need to code to succeed in a modern SOC? Are competitive events like CTFs effective for SOC training? What role does SOC training play in bringing new, perhaps under-represented people into security operations and promoting inclusivity? Resources: Chris Sanders SOC classes SANS Holiday Hack Challenges SEC450: Blue Team Fundamentals: Security Operations and Analysis SANS NetWars "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper Boss of the SOC (BOTS) Dataset

Guests: Robert Herjavec, Founder and CEO of Herjavec Group Eric Foster, President of CYDERES  Iman Ghanizada, Global Head of Autonomic Security Operations at Google Cloud. Topics: It's been a few months since we launched Autonomic Security Operations (ASO) and it seems like the whitepaper has been going viral in the industry. Tell us what ASO is about? How was the ASO story received by your customers? Any particular reactions? Will the ASO narrative inspire the next generation of practitioners? Where do you envision the market headed? ASO is about transforming the SOC, and that often involves culture change. How do you change the culture and deeper approaches common in security operations? What else can we do to evolve SOC faster than the threats and assets grow? Resources: This episode is based on a panel from  This Google Cloud Security Talks Q1 2022 Panel "All Organizations Should Pursue Autonomic Security Operations… A Fireside Chat with SOC Elites." "All Organizations Should Pursue Autonomic Security Operations… A Fireside Chat with SOC Elites" on YouTube "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper "Modernizing the U.S. Federal Government's Approach to Cyber Threat Management with Autonomic Security Operations"  paper

Guest: Etienne De Burgh, Senior Security and Compliance Specialist, Office of the CISO @ Google Cloud Topics: Why is API security hot now? What happened that made it a priority for many?  Is API security different from application security? Doesn't the first "A" in API  stand for application?  What are the real threats to exposed APIs? APIs are designed for automated use, so how do you tell automated use from automated abuse / attack? What are the biggest challenges that companies are having with API security? What are the components of API security? Is there a "secure by default API"? API threat detection? Just like cloud in general, API misconfigurations seem to be leading to security problems, are APIs hard to configure securely for most organizations? Resources: Google Cloud Security Summit  - come see us on May 17, 2022 "Securing web applications and APIs anywhere" (at our Security Summit) OWASP Top 10 for API Security "Best practices for securing your applications and APIs using Apigee"

No guests - just Anton and Tim Topics: Why cloud security? What do we really think about our podcast name and topic, cloud security? Can you once again explain security for the cloud, in the cloud, from the cloud? What is one thing that we learned from doing a podcast? Favorite cloud security trend that we encountered on the podcast?  What did we learn about security from organization's migrating to the cloud? What are our favorite reading materials related to cloud security? What are our favorite tips from the guests on securing the cloud? Resources: "The Age of AI And Our Human Future" book "Practical Guide to Cloud Migration – Google - Site Reliability Engineering" (book, free) and other SRE books "Cloud Security podcast by Google turns 46 - Reflections and lessons!" "Cloud Security Podcast by Google — Popular Episodes by Topic" Our video trailer

Guest:  Dylan Ayrey, cofounder of Truffle Security Topics: Could you explain briefly why identity is so important in the cloud? A skeptic on cloud security once told us that "in the cloud, we are one identity mistake from a breach." Is this true? For listeners who aren't familiar with GCP, could you give us the 30 second story on "what is a service account." How is it different from a regular IAM account? What are service account impersonations? How can I see if my service accounts can be impersonated? How do I detect it? How can I better secure my organization from impersonation attacks? Resources: Truffle Security blog "GCP Lateral Movement And Privileged Escalation Spill Over And Updates From Google" by Dylan Ayrey "Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments"  blog  "Kat Traxler - Taste the IAM" blogs

Guest:  Sharon Goldberg, CEO and cofounder of BastionZero and a professor at Boston University Topics: What is your favorite definition of zero trust? You had posted a blog analyzing the whitehouse ZT a memo on the federal government's transition to "zero trust",  what caught your eye about the Zero Trust memo and why did you decide to write about it? What's behind the federal government's recommendations to deprecate VPNs and recommend users "authenticate to applications, not networks"? What do these recommendations mean for cloud security, today and in the future? What do you think would be the hardest things to implement in real US Federal IT environments? Are there other recommendations in the memo to think about as organizations design zero trust strategies for their infrastructure?  What are some of the challenges of implementing zero trust in general? Resources: "Zero Trust: Fast Forward from 2010 to 2021" (ep8) "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles" "I read the federal government's Zero-Trust Memo so you don't have to"  "F12 isn't hacking: Missouri governor threatens to prosecute local journalist for finding exposed state data"

New Audio Trailer: Cloud Security Podcast by Google

Guests:  Alexi Wiemer,  Senior Manager at Deloitte Cyber Detection and Response Practice Dan Lauritzen,  Senior Manager at Deloitte Cloud Security Practice. Topics: What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in?  What is your best advice to SOCs that are permanently and woefully understaffed?  Many SOC analysts are drowning in manual work, and it is easy to give advice that "they   need to automate." What does this actually entail, in real life? What is, in your view, the most critical technology for a modern SOC? Is it SIEM? Is it SOAR? Is it EDR?  What is the best advice for a SOC that was handed cloud on a platter and was told to monitor it for threats? Occasionally, we hear that "SOC is dead." What is your response to such dire SOCless predictions?  Resources: "New Paper: "Future Of The SOC: Process Consistency and Creativity: a Delicate Balance" (Paper 3 of 4)" "New Paper: "Future of the SOC: Forces shaping modern security operations"" "New Paper: "Future of the SOC: SOC People — Skills, Not Tiers"" "New Paper: "Autonomic Security Operations — 10X Transformation of the Security Operations Center"" "A SOC Tried To Detect Threats in the Cloud … You Won't Believe What Happened Next" "Why Your Security Data Lake Project Will FAIL!"

Guest: Maddie Stone, Security Researcher @ Google Topics: How do we judge the real risk of being attacked using an exploit for a zero day vulnerability? Does the zero day risk vary by company, industry, etc?  What does pricing for zero days tell us, if anything? Are prices more driven by supply or demand these days? What security controls or defenses are useful against zero days including against chained zero days? Where are the cloud zero days? We get lots of attention on iOS and Android, what about the cloud platforms?  So, how do we solve the paradox of zero days, are they more scary than risky or more risky than scary? Or both? Resources: Project Zero blog  A walk through Project Zero metrics Threat Analysis Group (TAG) blog

Guest:  Erlander Lo, Security and Compliance Specialist @ Google Cloud Topics: Imagine you are planning a data warehouse in the cloud, how do you think about security? What are the expected threats to a large data store in the cloud? How to create your security approach for a data warehouse project? Are there regulations that force your decisions about security controls or  approaches, no matter what the threats are? How do you approach data governance for this project? What controls are there to implement in Google Cloud for a secure data warehouse effort? Resources: Secure Data Warehouse blueprint (other blueprints) Creativity Inc book "Data Governance: The Definitive Guide" book

Guests: Brandie Anderson, Global Security Practice Lead @ Google Cloud Renzo Cuadros,  Regional Security Practice Lead @ Google Cloud Topics: What are your Cloud migration security lessons? Greatest hits? Near misses? What are the most common cloud security mistakes you see? Any practices or tricks to avoid or mitigate them? How do you talk people out of security "lift and shift"? Do clients understand how threat models change when they migrate to the cloud? How clients typically handle compliance in the cloud? What regulations are the most challenging in the cloud? What is the future for cloud migration security?  Do we foresee a future when most data is created in the cloud and there is no need to migrate anything? Resources: "Building Secure & Reliable Systems" book Google Cloud Architecture Framework "Threat Models and Cloud Security" (ep12) Modernizing compliance: Introducing Risk and Compliance as Code

Guest:  Anna Belak,  Director of Thought Leadership @ Sysdig Topics: One model for container security is "Infrastructure security  | build security | runtime security" -  which is most important to get right? Which is hardest to get right?  How are you helping users get their infrastructure security right, and what do they get wrong most often here? Your report states that "3⁄4 of running containers have at least one "high" or "critical" vulnerability" and it  sounds like pre-cloud IT, but this is about containers?  This was very true  before cloud, why is this still true in cloud native?  Aren't containers easy to "patch" and redeploy?  You say  "Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production." but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don't fix things?   "52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline." - isn't pipeline and repo scanning easier and cheaper? Why isn't this 90/10 but 40/50?  "62% detect shells in containers" sounds (to Anton) that "62% zoos have a dragon in them" i.e. kinda surreal. What's the real story? Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers?  Resources: Sysdig report Kubernetes podcast episode with Anna Belak  EP15 Scaling Google Kubernetes Engine Security Sysdig learning hub

Guest:  Amos Stern, CEO of SIEMplify, now part of Google Cloud Topics: SOAR is in the news again,  so what can we say about the state of SOAR in 2022? What have we learned trying to get SOAR adopted 2015-2022 (that's 7 years of SOAR-ing for you)? What are the top playbooks to start your SOC automation using SOAR?  What about the links between SOAR as security automation and general IT automation?  Does the level of consolidation in this market mean that SOAR really is a feature of SIEMs and not a product in its own right? Resources: Siemplify blog Google Cloud Security Talks Q1 2022

Guest: Vijay Bolina, CISO at DeepMind Topics: We spend a lot of time on Artificial Intelligence (AI) safety, but what about security?  What are some of the useful frameworks for thinking about AI security? What is different about securing AI vs securing another data-intensive, complex, enterprise application? What do we know about threat modeling for AI applications? What attacks against AI systems do we expect to see first in real life? What issues with AI security should we expect to face in 3-5 years? Resources: DeepMind Learning Resources DEFCON AI Village and videos CAMLIS

Guest:  Vandy Ramadurai, Product Manager at Google Cloud Topics: What is Cloud Organization Policy, and how is it different from IaC and Policy as code (PaC)? What does successful organization policy design look like from a business and human standpoint? From a technical standpoint? Granular policy work is always hard. How is Google helping users get org policy right?  What are the uniquely Google strengths here?  Is the AI involved real or is this marketing pixie dust AI? How do users know if something should be a proactive control like a guardrail or if something should be a reactive control like a detection? Resources: Policy Intelligence tools NEXT'21 SEC 203 - Governance guardrails Least privilege for Cloud Functions using Cloud IAM

Guest: Elie Bursztein, security, anti-abuse and privacy researcher @ Google Topics: This episode draws on a talk available in the podcast materials. Could you summarize the gist of your talk for the audience? What makes the malicious document problem a good candidate for machine learning (ML)? Could you have used rules? "Millions of documents in milliseconds," not sure how to even parse it - what is involved in making it work? Can you explain to the listeners the motivation for reanalyzing old samples, what ground truth means in ML/detection engineering, and how you are using this technique? How fast do the attackers evolve and does this throw ML logic off? Do our efforts at cat-and-mouse with attackers make the mice harder for other people to catch?  Does massive-scale ML detections accelerate the attacker's evolution? Resources: The RSA talk "Malicious Documents Emerging Trends: A Gmail Perspective" "EP40 2021: Phishing is Solved?" episode Elie's talks on his site

Guest: Taylor Lehmann, Director at the Office of the  CISO @ Google Cloud, member of Cybersecurity Action Team Topics: What's top of mind for healthcare organizations' CISOs now? What common advice do you find yourself giving most often to security leaders in healthcare? Is there a list of top 3 items or is this all "it depends"? What regulations are shaping the healthcare industry and its adoption of new technology? HIPAA is from 1996, how does it work for the cloud in the 2020s? Why do you think we aren't seeing more cloud ransomware? Healthcare orgs are sometimes seen as "IT laggards", what are the key security lessons from their cloud migrations? How do we convince some of these organizations that cloud is more secure as long as they use it securely?

Guest: Nelly Porter, Group Product Manager @ Google Cloud Topics In the past year, what has changed with Confidential Computing here at Google? Could we please talk about a user or two who has really nailed it with our Confidential Computing?  What have we learned about the threat models of clients who are choosing to deploy Confidential Computing? What are they solving for? Doing Confidential Computing "right" feels like a lot more than having some fancy CPUs with magic math. What challenges do customers face adopting it?  We finally "married" Confidential Computing with EKM. What types of clients are deploying this new technology? What threats are they mitigating? What's on the horizon for Confidential Computing?  Resources: "Trust Google Cloud more with ubiquitous data encryption" The Confidential Computing Consortium whitepapers Confidential Computing at Google EP12 Threat Models and Cloud Security

Guest: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics: Explain the whole cloud security megatrend concept to us? How can we better explain that "yes, cloud is more secure than most client's data centers"? Can you please explain "shared fate" one more time? Shared fate seems to require shared incentives. Do we see the incentives to invest in security changing within organizations migrating to Cloud? Cloud as the Digital Immune System sounds really cool, what does it mean for a typical practitioner - security and developers both? What about the risk aggregation (eggs in one basket) argument against relying on CSP for all security? Does software sovereignty mean that Cloud providers are always going to be held to common standards and lose out on the opportunity to sell highly differentiated software on top? Resources: IT Leaders: Pay Attention To These 8 Security Megatrends In 2022 Megatrends drive cloud adoption—and improve security for all

Guests:  Alison Reyes, Director, Security Solutions, Google Cloud Iman Ghanizada, Solutions Manager for Security Operations & Analytics @ Google Cloud Topics: What is our thinking on solutions vs products for security? Sure, "security is a process, not a product," but where do solutions fit in? Security as an industry has too many vendors with little understanding of how users secure things, can solutions approach fix that? Google is sometimes known for writing code and just throwing it out there, do solutions change that dynamic for Google Cloud clients who come to us for security? Who are the target users for our security solutions? Why did we choose those solutions and not others? To me, solutions is how our products actually live in the real world. But can we really hope to transform customer operations with solutions? One of the solutions dear to my heart is Autonomic Security Operations that seeks to "10X the SOC", how was the experience so far? Is 10X real and what does it mean? How do we know if we succeeded, what are metrics for solutions? How do solutions fit with Google Cybersecurity  Action Team launch? Do we need more action figures now?  Resources: Google Cybersecurity Action Team NEXT Special - Google Cybersecurity Action Team: What's the Story? Google SRE books Autonomic Security Operations Web App and API Protection Achieving Autonomic Security Operations: Reducing toil Autonomic Security Operations: 10X Transformation of the Security Operations Center

Guests: Vlad Stolyarov, Security Engineer  @ Threat Analysis Group (TAG) Vicente Diaz,  Threat Intelligence Strategist @ VirusTotal Topics: Why GandCrab / REvil was the most popular ransomware  family in 2020? What is ransomware as a service? Is every scary article about ransomware essentially marketing for the criminals? Some ransomware payoffs are huge, how do you think they spend the money? How else do they profit off stolen data apart from double extortion schemes? Are there triple extortion schemes? What is the concept of a "trusted brand in ransomware", is it better for clients because they will return the data? Why did non-Windows ransomware fail as a business? Do we expect 0day exploits  to become more popular in ransomware? Based on this research, what is the key reason for ransomware's wild success? Resources: "Ransomware in a Global Context" report "Malware Hunting with VirusTotal" (ep30) Google TAG blog NoMoreRansom Org "Cybereason: 80% of orgs that paid the ransom were hit again" Google Cybersecurity Action Team Threat  Horizons Report (full, brief)

Guest: Mike Orosz, a Chief Information and Product Security Officer @ Vertiv Topics: What are your views on modern SIEM?  What should it do and what should it be? Should it even be called SIEM?  Is SaaS/cloud-native SIEM the only way to go? Can anybody build a SIEM in the cloud by installing the regular SIEM on IaaS? What are the top challenges for organizations deploying and operationalizing SIEM today? What are some hidden or commonly forgotten costs for a SIEM deployment? Is open source the answer to SIEM? SIEM today should deliver on detection, hunting and investigation use cases, so what does it mean in terms of practical data retention? Resources: "On "Output-driven" SIEM" "Fake Cloud: Now There Are Two Hands in Your Pocket"

Guests: Amber Shafi, Production Manager GSK Svetlin Zamfirov, Senior Platform Engineer at GSK Ivan Angelov, Principal Platform Engineer at GSK Topics: Tell us about your team, what are you responsible for and how is the team setup to make that happen? What components of cloud security do you cover? Tell us about cloud misconfigurations and why these are different from on- premise misconfiguration? How are you discovering these misconfigurations?  You've automated responses to misconfiguration. Beyond the obvious upsides of reducing team toil and time to response, what are the other benefits? Are there risk in this approach and how are they handled? How did this idea to automate come about, and what lessons did you learn along the way? How have you integrated with the cloud provider security tooling? Resources:  "Automate and/or Die?" (ep3) "Automating Response to Security Events on Google Cloud Platform" from GSK blog GCP security blog

Guest: MK Palmore, Director at Office of the CISO,  Google Cloud, member of Cybersecurity Action Team Topics: Why is there such a huge gap in security professionals who are women and people of color? How does the lack of women and people of color in tech impact the industry, cybersecurity & tech overall? Are diverse teams better performing, better morale, happier people? Are there kinds of threats that we miss in threat modeling exercises for lack of diverse team members? We've seen countless examples where AI/ML systems have had problems with laundering biases and having frankly appalling issues due to biased training data. What are security implications here?  Are there organizations helping to close the representation gap in the security workforce and the cloud workforce? Why do the big tech companies and even the smaller ones have trouble identifying diverse talent? Why is this hard even for people and organizations who clearly want to improve it? Why do companies have a hard time retaining diverse talent?  Resources: Cyversity Wicys

Guest: Ryan Noon, CEO @ Material Security Topics: When we think about traditional email security, we think anti-spam/phishing. Your company is doing other things, so what are they? In other words, isn't email security solved with legacy appliance vendors (SEG) and cloud email providers?  What was the combination of technology and security opportunities that really resonated with you and your investors that led to your focus on email security? Security has almost 2000 vendors and they are noisy, how do you get to clients without screaming too loud? How do you build a better security vendor? Related to being better vendors, but more broadly, what can we do as an industry to make it easier to buy and get value out of our investments in new security tooling and technology?  How can we build security tooling that requires less of our precious security team's time?

Guests Elie Bursztein, security, anti-abuse and privacy researcher @ Google Kurt Thomas, security, anti-abuse and privacy researcher @ Google Topics: Can we say that "Multi-Factor Authentication - if done well - fixes phishing for good" or is this too much to say? What are the realistic and seen-in-the-wild bypasses for MFA as a protection? How do you think these controls fare vs top tier attackers (clearly, they work vs commodity threats)? What do we know about burden vs value of MFA today? What can we realistically do to increase MFA/2FA adoption to the 90%s? Can we share anything about what we're seeing as industry benchmarks on MFA adoption so far?  We've seen a lot of ugly debates over the value of SMS as MFA, what is your research-based take on this? Resources: Google Titan Security Key "Malicious Documents Emerging Trends: A Gmail Perspective" (RSA 2020) "New research: How effective is basic account hygiene at preventing hijacking" "New Research: Lessons from Password Checkup in action" "New research reveals who's targeted by email attacks" "New research: Understanding the root cause of account takeover" ""Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns" "Tales from the Trenches: Using AI for Gmail Security" (ep28)

Guests Elie Bursztein, security, anti-abuse and privacy researcher @ Google Kurt Thomas, security, anti-abuse and privacy researcher @ Google Topics: Can we say that "Multi-Factor Authentication - if done well - fixes phishing for good" or is this too much to say? What are the realistic and seen-in-the-wild bypasses for MFA as a protection? How do you think these controls fare vs top tier attackers (clearly, they work vs commodity threats)? What do we know about burden vs value of MFA today? What can we realistically do to increase MFA/2FA adoption to the 90%s? Can we share anything about what we're seeing as industry benchmarks on MFA adoption so far?  We've seen a lot of ugly debates over the value of SMS as MFA, what is your research-based take on this? Resources: Google Titan Security Key "Malicious Documents Emerging Trends: A Gmail Perspective" (RSA 2020) "New research: How effective is basic account hygiene at preventing hijacking" "New Research: Lessons from Password Checkup in action" "New research reveals who's targeted by email attacks" "New research: Understanding the root cause of account takeover" ""Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns" "Tales from the Trenches: Using AI for Gmail Security" (ep28)

Guest: Jared Atkinson, Adversary Detection Technical Director at SpecterOps Topics: What are bad/good/great detections? Is this all about the Bianco's pyramid? Is high good and low bad? How should we judge the quality of detections? Can there be a quality framework? Is that judgment going to be site specific? What should we do to build more good directions? Is this all about reducing false positives? Can we really measure false negatives? How can we approach this? How can we test for detection goodness in the real world? What are the methods that work? It can't be just about paper ATT&CK coverage, right? What are your top 3 tips for improving the detection practice at an organization? Resources: "The Pyramid of Pain" post by David Bianco "On Threat Detection Uncertainty" "Detection Coverage and Detection-in-Depth"  "Detection in Depth" by SpecterOps "Philosophy of Science: Rationality Without Foundations" by Karl Popper (yes, really) Red Canary "2021 Threat Detection Report"  "The Black Swan: The Impact of the Highly Improbable" by Nassim Nicholas Taleb John Piaget's theory of cognitive development

Guests: Stephanie Wong Vicente Diaz, Jerome McFarland Scott Ellis Patrick Faucher Il-Sung Lee, Anoosh Saboori Topics: What is your session about? Why would audience care? What is special about your security technology? Resources: Google Cloud Next 2021 SEC212 6 layers of GCP data center security SEC101 Ransomware and cyber resilience SEC204 Take charge  of your sensitive data SEC207 Securing the software supply chain SEC300 Trust the cloud more by trusting it less: Ubiquitous data encryption

Guest: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics: We are here to talk Google Cybersecurity Action Team, and this is your brainchild, so tell our audience the origin of this idea? How is Cybersecurity Action Team going to help secure GCP enterprise clients? Is there also a "improve the security of the internet" story? Many organizations seem stuck in the pre-cloud thinking and mental models, can Cybersecurity Action Team help them transform their security? How? When we sometimes present our security innovations to clients, they say "but we are not Google", so how does Cybersecurity Action Team help us bring more of Google Cybersecurity to the world? What else do we plan to do with Cybersecurity Action Team to help customers modernize their security? How should customers engage with Cybersecurity Action Team? Resources: Google Cybersecurity Action Team "Google Announces Cybersecurity Action Team to Support the Security Transformations of Public and Private Sector Organizations" "Site Reliability Engineering" book (free) "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper

Guest: Aditi Joshi, Manager in Cloud Security Team @ Google Cloud Topics: What is Allyship? How is it defined? What is its main goal? Why is allyship important in Cloud Security, specifically? Are there aspects of security that make allyship particularly important? What specifically has Google Cloud Security deployed and operationalized around Allyship? How does effective allyship look like? More personally, how can I be a better ally? How does it fit into Google Cloud Security's overarching DEI efforts?

Guest: Rob Sadowski, Trust and Security Lead @  Google Cloud Topics: What are the big security themes at NEXT? Is security still visible? What about invisible security vs autonomic security? Is that just "invisible security" with a neat name? This has got to be your fourth or fifth Next, right? What's new this year compared to last years, aside from being virtual? Anything particularly uniquely Google we're talking about? What to watch at NEXT, if you are a CISO? We secure not just GCP with our tools and approaches, so what to watch if not yet a GCP client? If you have only time for 3 security sessions, which 3 to watch? Resources: Google Cloud NEXT

Guest: Matt Svensson, Senior Security Engineer @ BetterCloud Topics: What are the approaches for monitoring serverless and other modern application architectures? What are the challenges with these new environments? What approaches don't work? What can go wrong with modern stack security monitoring? What should we watch for in a modern application stack? Most new architecture setups are predicated on identities so is identity the center of threat detection here or not?

Guest: Elliott Abraham, Security and Compliance Specialist @ Google Cloud Topics: We talk about lift and shift vs cloud native, what are these and are they fair characterizations? Is lift and shift always negative? Does it always harm security? Are security planning needs different between them? What are the fundamentals with security during cloud migration that you have to get right regardless? What's your advice to a security team to help make a migration work well? How do you account for threat model differences in the cloud? Are cloud threats being more different or more the same to the classic ones? Resources: "Google Cloud security foundations guide" "The Phoenix Project" book "Threat Models and Cloud Security" (ep12) "Preparing for Cloud Migrations from a CISO Perspective"  Part 1 (ep5) and Part2 (ep11)

Guest: Derek Abdine, CTO @ Censys.io Topics: Attack Surface Management (ASM). Why do we need a new toolset and  a new category? Isn't this just 1980s asset management or CMDB? How do we find those assets that may have been misplaced by the organizations? How can any technology do this reliably? ASM seems to often rely on network layer 3 and 4. Can't bad guys just hit the app endpoints and all your network is irrelevant then? When you think about the threats organizations face due to unknown assets, is data theft at the top of the stack? What should organizations keep in mind as a priority here? Who at an organization is best set up to receive, triage, investigate, and respond to the  alerts about the attack surface? Are there proactive steps organizations can take to prevent shadow IT, or are we stuck responding to each new signal? Isn't preventing new assets the same as preventing business? Resources: "Cloud Misconfiguration Mayhem An Analysis of Service Exposure Across Cloud Providers" "Attack Surface Management Buyer's Guide"

Guest: Iman Ghanizada,   Solutions Manager for Security Operations & Analytics @ Google Cloud Topics: What is your book "Google Cloud Certified Professional Cloud Architect All-in-One Exam Guide" about?  What was your journey into writing this book, how long did it take? The book seems to be targeted towards Cloud Architects, but you come from a predominantly security background, how has that influenced your writing of this book? What does this have to do with The Certs Guy (14 certs!?)  and what's his mission? What's the intersectional thinking on certificates and making our industry more accessible and inclusive? Do certs help or hurt this? So what's your advice on certs for various career stages? What are some of the biggest architectural challenges you've seen in the field of Cloud Security? Resources: Book "Google Cloud Certified Professional Cloud Architect All-in-One Exam Guide" TheCertsGuy site

Guest: Vicente Diaz,  Threat Intelligence Strategist @ VirusTotal Topics: How would you describe modern threat hunting process? Share some of the more interesting examples of attacker activities or artifacts you've seen? Do we even hunt for malware? What gets you more concerned, malware or human attackers? How do you handle the risk of attackers knowing how you perform hunting? What is the role of threat research role for hunting? Do you need research to hunt well? Does threat research power attribution? How do you tell a good YARA rule from a bad one, and a great one? What's the evolutionary journey for a YARA rule? What is your view on the future of hunting? Resources: YARA documentation "Deep Thinking: Where Machine Intelligence Ends and Human Creativity Begins" by Gary Kasparov

Guest:  Sam Curry,  Chief Security Officer @ Cybereason and Visiting Fellow @ National Security Institute Topics: EDR was "invented" in 2013 and we are now in 2021. What do you consider to be modern EDR components and capabilities? Where has EDR fallen short on its initial hype? How focused are the attackers on bypassing EDR? How do you think EDR works in the cloud? In your view, how would future EDR work for containers, microservices, etc? Why aren't we winning the war against ransomware? XDR is an interesting concept, so how do you define XDR? Is XDR just EDR++ or is XDR SIEM 4.0? Resources: "The Pyramid of Pain" blog by David Bianco "Named: Endpoint Threat Detection & Response" "Dune" book "The Bomber Mafia" book

Guest: Andy Wen, Product Lead for Abuse & Security @ Google Cloud Topics: What are you doing with AI for security? What kinds of security problems are addressable with AI, and which ones are harder to address with ML techniques? Tell us where you've been surprised by AI's success? Do you expect a) AI use by adversaries and b) attacks focused on disrupting the AI use by defenders? What advice would you give a PM or technical lead starting out on thinking they want to use AI to solve a problem? Resources: Andy Wen presentation from Cloud Security Talks 2021 "The Future of Machine Learning and Cybersecurity"

Guest: Keith McCammon, Co-founder and Chief Security Officer, Red Canary Topics: What is Detection Engineering? How it differs from just building rules/analytics? How to convert threat intelligence into detections?  How to tell good detections from bad? And perhaps also good from great? How to test detections in the real world? Anything special about building detections for cloud environments? What do you think is the role of "rule-less" (such as ML) detections? Is "ML unicorn cavalry" coming? Resources: The Red Canary Blog 2021 Threat Detection Report Alerting and Detection Strategy Framework Atomic Red Team toolset

Guest: Johnathan Keith, Director of Information Security (CISO) @  ViacomCBS Streaming / Digital (at the time of the recording) Topics: What is the mission for your SOC? Has it evolved in recent years? How do you rate your state of maturity in security operations? I hear that your organization is complex and decentralized, how do you run a SOC in such a case? How do you approach the balance of people, process and technology in your SOC? What is the role of outsourcing in your SOC?  Is cloud included in your SOC mission scope? What are the immediate things you plan to improve? Resources: Security Summit Talk that this podcast episode is based on (all Google Cloud Security Summit 2021 talks)

Guest:  John Stone, Chaos Coordinator at the Office of the CISO @ Google Cloud Topics: What are the top European-specific cloud migration security challenges? Are there interesting cloud adoption barriers related to security in Europe? Are some of these challenges more compliance than security related? Do you think compliance still drives security in the cloud for European companies? Do you think Europe can ever "make their own cloud"? So, what do you make of this entire movement about "data sovereignty"?

Guests: Eric Brewer, VP of Infrastructure, and Google Fellow @ Google Aparna Sinha, Director of Product Management @ Google Cloud Topics: What is software supply chain security and how is it different from other kinds of supply chain security?  What types of organizations need to care about it? Is supply chain security a concern for large, elite enterprises only?  What's the relationship between what we're doing here, and what SBOM is? Can you talk us through a quick threat assessment of a supply chain security issue? What are the realistic threats here and who are the threat actors involved? How does Google try to solve these problems internally? Have we succeeded?  How does this translate into our products? By the way, what's SLSA? Resources: "Container Security: Building trust in your software supply chain" (live event on July 29, 2021) "Tracking The Trail Of Software: The Key To Boosting Security"  "Introducing SLSA, an End-to-End Framework for Supply Chain Integrity" DORA study

No guests. We interviewed each other! Topics: What would you say are the most things that Chronicle is trying to address today? What are the good ways to use threat intel to detect threats that do not ruin your SOC? What does "autonomic" security mean, anyway? Is this a fancy way of saying "automatic" or something more? For sure, "the Cloud is not JUST someone else's computer" - but how does this apply to threat detection? What makes threat detection "cloud-native"? What kinds of ML magic does your mini UEBA inside SCC use? Can you really do automated remediation in the cloud? Resources: Google Cloud Security Summit "Making Invisible Security a Reality with Google" keynote "Security Analytics at Google Speed and Scale" presentation by Anton "Managing Your Security Posture on Google Cloud" presentation by Tim "Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…" blog Chronicle main site Threat Detection in Logs in Google Cloud SCC video "Modern Threat Detection at Google" (episode 17)  "Automate and/or Die?" (episode 3)

Guests: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud  Dave Hannigan, Director, Financial Services Security & Compliance @ Google Cloud  Topics: As a CISO, would you ever decide to use multiple clouds, if it were in your hands?  How is security typically considered when companies go multi-cloud in their approach? Practically, or operationally, how does one think through securing multiple public cloud environments? What are the top challenges here? Different controls? Lack of tools? Confusing process? Skills on the team? Would you always buy security tools from a 3rd party (not a CSP) if you have to cover more than one cloud provider? Anything to add about compliance across multiple clouds? What is the best approach for securing multiple SaaS services that your company uses? Resources: "IDC: A multicloud strategy can mitigate regulatory, business risks" "Anthos security" SANS papers on securing multiple clouds (example)

Guest: Kelly Anderson, Head of Product Marketing, User Protection Services @ Google Cloud Topics: What is marketing, really? Why is it sometimes reviled by the technologists? What makes a great marketer in cloud security? What's different about cloud security marketing, as opposed to regular old on-premise security marketing? Is there still FUD in the cloud? Which things are the easiest or hardest to do in Google Cloud Security marketing? How do you talk about products so they stand out from the noise? How's Google Cloud marketing helping our users stay ahead of the adversaries? Resources: Security insights that help customers stay up to date Customer case studies on our security products Quarterly Google Cloud Security Talks  Cloud security webinars on BrightTALK and Cloud OnAir  Identity and security blogs on the Google Cloud blog

Guest: Heather Adkins, Sr Director, Information Security @ Google Topics: Your RSA presentation has 3 pillars: zero trust, microservices, automation/zero prod, is this all you need to be secure & reliable in the modern world? Let's drill down again into the "secure and reliable" concept, are you sure that they are interrelated? Is there a risk that microservices could actually increase attack surface? What are the practical security upsides of "no touch production"?  SRE and DevOps revolutionized IT, can we expect a similar revolution for security? Where would it come from? Resources: "Building Secure and Reliable Systems" RSA 2021 presentation by Heather Adkins  "Building Secure and Reliable Systems" book (free) "Modern Threat Detection at Google" (ep 17) Google BeyondCorp Google BeyondProd NIST 800-27 "Zero Trust Architecture"

Guest 1: Sparky Toews, Product Manager for Adobe identity @ Adobe Topics 1: Why are bots a problem to you? Give us a bit of your bot threat assessment? Can you tell us how you think about and practice securing the user experience? What kind of security products or best practices are involved? How do you see what security professionals do to secure the user experience evolving over time? Guests 2: Randy Gingeleski, Senior Staff Security Engineer @ HBO Max Brian Lozada, CISO @ HBO Max Topics 2: Can you tell us how you think about and practice securing the user experience at HBO? What kind of security products or best practices are involved? How does reCAPTCHA Enterprise fit into all of this? How do you see what security professionals do to secure the user experience evolving over time?

Guests: Jane Chung, VP of Cloud @ Palo Alto Joe Crawford, Director of Strategic Technology Partnerships for Google Cloud @ Palo Alto Topics: What are the top security mistakes you've seen during cloud migrations? What is your best advice to security leaders who want to go to the cloud using the on-premise playbook? What security technologies may no longer be needed in the cloud? Which are transformed by the cloud? Cloud often implies agility, but sometimes security slows things down, how to fix that? How do security needs change based on adoption architecture (cloud, hybrid with on-premise, multi-cloud, multi cloud with on-premise)? From a security perspective, is there really any such thing as "lift and shift"? How do we teach cloud to security leaders who "grew up" on-premise? Resources: Use "Move and Improve" Instead of "Lift an Shift" "Data Security in the Cloud" (Episode 2) "The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age" book CSA CCM v4

Guest: Julien Vehent, Security Engineering Manager in the Detection and Response team @ Google Topics: What is special about detecting modern threats in modern environments? How does the Google team turn the knowledge of threats into detection logic? Run through an example of creating a detection for a new threat? How do we test our detection rules? We use the same people to write detections and to respond to resulting alerts, how is it working? What are the key skills of good security analysts to build cloud threat detection? Resources: "Site Reliability Engineering" book (free) "Building Secure & Reliable Systems" book (free) "Securing DevOps" by our very guest Julien Vehent

Guests: Tim Dierks, Engineering Director, Data Protection @ Google Cloud Topics: What are the key components of data security in the public cloud today? Why do companies need specific data security plans and products? Do you think Google Cloud today has enough controls for processing the most sensitive data? Many organizations seem to be unaware of where sensitive data exists in their cloud environments, how do you think this problem will be fixed? What is your view on encryption's role in future cloud security? Do organizations mostly encrypt for security or for compliance? How do we help companies navigate the tradeoffs between complying with nation-state regulations and best practices for availability? I hear you are involved with some interesting key management innovations like HYOK via Cloud EKM, why do these matter for clients today? Resources: Forrester report "The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021"  "New whitepaper: Designing and deploying a data security strategy with Google Cloud" "Hold your own key with Google Cloud External Key Manager" "Building Secure and Resilient Systems" book (free)

Guest: Greg Castle, Senior Staff Security Engineer at Google Topics: How is kubernetes security different from traditional host security? What's different about securing GKE vs security Kubernetes on-prem? Where does one start with security hardening for GKE? In your view, what are top realistic threats to container deployments? What do users get wrong most often? Did we manage to make containers both more secure and more usable?

Guest: Zeal Somani, Security Solutions Manager @ Google Cloud, former PCI QSA Topics: What are the usable recipes for thinking about compliance in the cloud? What regulations are more challenging for public cloud users? How do you see the client/provider responsibility split for compliance? What is this "shift left" for compliance? How do we educate auditors and regulators who insist on 1980s solutions to 2020s problems? What are the most popular mistakes and blind spots with trying to be compliant in the cloud? Resources: Whitepaper "Risk governance of digital transformation: guide for risk, compliance & audit teams"

Guest: Alyssa Miller,  BISO @ S&P Global Ratings Topics: How do application security practices change as organizations launch their cloud transformations? What bad things happen to you if you lift/shift your big applications to somebody's IaaS? What unique challenges do containers and serverless deployments create for application security? Is there good news here? How can cloud native technologies make application security easier than a traditional on-prem environment? What can organizations do to ensure the security of cloud-based SaaS solutions? How do DevOps and CI/CD impact the ability to secure cloud-based applications? What is your advice to security leaders who still want to practice appsec for cloud apps in the same manner as they did it for on-premise, the old way? What follow-up reading do you recommend on preparing for an application migration to Cloud? Resources: Cloud security trainings DevOps.com

Guest: Seth Vargo, Security Engineer @ Google Cloud Topics: How should security teams change their thinking about threats in the cloud? Where and when should an organization start in building their threat model for their cloud environment? What are the key changes of threat models after cloud migration? More specifically, when it comes to identity, credentials, lateral movement, what are the key ways in which cloud security differs from traditional or on-premises security? How should users who are leading the cloud migration help their colleagues think about security in the cloud? When am I "done" with cloud security planning?

Guests: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Dave Hannigan, Director, Financial Services Security & Compliance @ Google Cloud Topics: To continue on the theme from Part 1, is "cloud-native" about thinking? Security tools? Systems? Architecture? How do we practically help CISOs "speak cloud"? What are the first steps to cloud thinking for an "on-premise CISO"? What are the areas of security where it is easier to become a cloud-native? How do you see a CISO transition journey from the on-premise thinking and technologies to cloud thinking and technology? How are CISOs thinking about third party security controls vs native, cloud provider security controls? Resources: "Preparing for Cloud Migrations from a CISO Perspective, Part 1" "CISO's guide to Cloud Security Transformation"

Guest: Eric Foster, President at CYDERES, a Fishtech Group company Topics: How do you define "modern" SIEM? Does modern SIEM always imply SaaS SIEM? Is there a future for on-premises SIEM? What are your top 3 root causes for SIEM deployment failure today? Modern or not, does SIEM have a future? Can XDR or some other technology drive it off the rails? What features or inputs should SIEM have to detect modern threats such as those to cloud environments but also others? What's different about threat detection in Cloud? What is your view of the current frenzy about "AI"/ML for security? Resources: "Cyderes CNAP Makes SIEM Modernization a Snap"

Guest: Avi Shua, CEO and Co-founder @ Orca Security Topics: Where do you spend more efforts, on detection of pre-fail issues (like configuration errors) or post-fail issues (like incidents)? How do you prioritize the preventative and detective controls in your platform? When talking to CISOs, how do you explain that cloud threat detection is different from the on-premise type? In your opinion, are agents dead in the cloud? Do you think your customers care more about cloud-specific threats or traditional threats against cloud assets? How do you think about the tradeoff for security teams between using cloud native controls vs a 3rd party vendor like, say, you? Resources: "The Orca Security 2020 State of Public Cloud Security Report"

Guest:  John Kindervag, who is widely considered to be the creator of zero trust model in 2010 (currently works at ON2IT) Topics: What has changed in the world of zero trust since 2010? What must be trusted for a zero trust (ZT) system to work? What are key ZT project success pre-requisites? What is the first step in ZT implementation that increases the chance of its success? Is zero trust hard for most companies? What's the most spectacular failure you've seen in a ZT project? Where do you see ZT heading in the next 10+ years? Resource: John's original zero trust paper (2010)

Guest: Brandon Levene, Malware Inquisitor @ Google Cloud Topics covered: Which malware is scarier, state-sponsored or criminal? How do we approach cybercrime mitigation at Google? How do we actually track malware? Don't we need "attribution" for it? What are the most useful telemetry sources for study in modern malware? Does ransomware have a bright future? Where do you see threat actors making the biggest investments? Resource: "Crimeware In The Modern Era" paper by Brandon Levene

Guests: no guests, just Tim and Anton  Topics covered: Discussion of the interesting presentations from Cloud Security Talks Q1 2021 focused on trusted cloud, container security, cyber insurance, Chronicle, ML for network security, etc Resources: All Q1 2021 Cloud Security Talks "Cloud Risk Panel Discussion" video "A conversation on overcoming risk management challenges in the Cloud" video  "Better together - expanding the Confidential Computing ecosystem" video "Detect potential threats to your containers" video "Supercharge your security telemetry with Chronicle" video "Tales from the trenches: Using machine learning to create safer networks" video "Chrome Enterprise Security - A deep dive" video

Guests: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud  Nick Godfrey, Director, Financial Services Security & Compliance and a member of Office of the CISO @ Google Cloud Topics covered: Why do you think so many CISOs of traditional organizations fear cloud migrations? What is your best advice to a CISO who wants to migrate to the cloud using the on-premise playbook, or lift and shift?  What are the real tradeoffs in this decision such as using familiar tools/practices vs cloud benefits/effectiveness?  What would you recommend reading for a CISO managing their first cloud migration Resources mentioned: Paper "CISO's guide to Cloud Security Transformation"  Book "Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems"  Book "Practical Guide to Cloud Migration"

Episode 4 "Gathering Data for Zero Trust" focuses on enabling zero trust access in the real world Guest: Max Saltonstall (@maxsaltonstall), Developer Advocate @ Google Cloud   Topics covered: What should be trusted for a zero trust system to work? What is the first thing you need to do to have a zero trust access project succeed? What data needs to be collected for zero trust system operation?

Episode 3 "Automate and/or Die?" focuses on automated remediation (or is it response!) in the cloud Guest: Joe Crawford, formerly in charge of cloud-native security at a large bank Topics covered: Can we automatically remediate vulnerabilities and threats in the cloud? Did you require humans to be in the loop for your automation? Is that still automation if we do? Does security fear of automation have a place in the cloud?

Episode 2 "Data Security in the Cloud" focuses on data security in the cloud  Guest: Andrew Lance, Sidechain Topics covered: What is special about data security in the cloud? How data security plays in the shift from perimeter and network security to identity-based security? Can I use detective data security controls and turn them into preventative controls? Resources: "Designing and deploying a data security strategy with Google Cloud" paper

"Confidentially Speaking" episode focuses on confidential computing Guest: Nelly Porter, Group Product Manager @ Google. Topics covered: What risks are mitigated by confidential computing? What types of organizations must adopt confidential computing? How and where the data is encrypted? Resources:  Confidential computing at Google Cloud