Cloud Security Podcast by Google

Guests:

• Robin Shostack, Security Program Manager, Google

• Jibran Ilyas, Managing Director Incident Response, Mandiant, Google Cloud

Topics:

• You talk about “teamwork under adverse conditions” to describe expedition behavior (EB). Could you tell us what it means?

• You have been involved in response to many high profile incidents, one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response?  

• Apart from during incident response which is almost definitionally an adverse condition, how else can security teams apply this knowledge?

• If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It’s probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team?

• How do we create it in an existing team or an under-performing team?

Resources:

• EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

• “Take a few of these: Cybersecurity lessons for 21st century healthcare professionals” blog

• Getting More by Stuart Diamond book

• Who Moved My Cheese by Spencer Johnson  book

Guest:

• Brandon Wood, Product Manager for Google Threat Intelligence

Topics:

• Threat intelligence is one of those terms that means different things to everyone–can you tell us what this term has meant in the different contexts of your career?  What do you tell people who assume that “TI = lists of bad IPs”?

• We heard while prepping for this show that you were involved in breaking up a human trafficking ring: tell us about that!

• In Anton’s experience, a lot  of cyber TI is stuck in “1. Get more TI 2. ??? 3. Profit!” How do you move past that?

• One aspect of threat intelligence that’s always struck me as goofy is the idea that we can “monitor the dark web” and provide something useful. Can you change my mind on this one?

• You told us your story of getting into sales, you recently did a successful rotation into the role of Product Manager,, can you tell us about what motivated you to do this and what the experience was like?

• Are there other parts of your background that inform the work you’re doing and how you see yourself at Google? 

• How does that impact our go to market for threat intelligence, and what’re we up to when it comes to keeping the Internet and broader world safe?

Resources:

• Video

• EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons

• EP128 Building Enterprise Threat Intelligence: The Who, What, Where, and Why

• EP112 Threat Horizons - How Google Does Threat Intelligence

• Introducing Google Threat Intelligence: Actionable threat intelligence at Google scale

• A Requirements-Driven Approach to Cyber Threat Intelligence

Guests:

• Omar ElAhdan, Principal Consultant, Mandiant, Google Cloud

• Will Silverstone, Senior Consultant, Mandiant, Google Cloud

Topics:

• Most organizations you see use both cloud and on-premise environments. What are the most common challenges organizations face in securing their hybrid cloud environments?

• You do IR so in your experience, what are top 5  mistakes organizations make that lead to cloud incidents?

• How and why do organizations get the attack surface wrong? Are there pillars of attack surface?

• We talk a lot about how IAM matters in the cloud.  Is that true that AD is what gets you in many cases even for other clouds?

• What is your best cloud incident preparedness advice for organizations that are new to cloud and still use on-prem as well?

Resources:

• Next 2024 LIVE Video of this episode / LinkedIn version (sorry for the audio quality!)

• “Lessons Learned from Cloud Compromise” podcast at The Defender’s Advantage

• “Cloud compromises: Lessons learned from Mandiant investigations” in 2023 from Next 2024

• EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler

Guest:

• Seth Vargo, Principal Software Engineer responsible for Google's use of the public cloud, Google

Topics:

• Google uses the public cloud, no way, right? Which one? Oh, yeah, I guess this is obvious: GCP, right?

• Where are we like other clients of GCP?  Where are we not like other cloud users?

• Do we have any unique cloud security technology that we use that others may benefit from?

• How does our cloud usage inform our cloud security products?

• So is our cloud use profile similar to cloud natives or traditional companies?

• What are some of the most interesting cloud security practices and controls that we use that are usable by others?

• How do we make them work at scale? 

Resources:

• EP12 Threat Models and Cloud Security (previous episode with Seth)

• EP66 Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics

• IAM Deny

• Seth Vargo blog

• “Attention Is All You Need” paper (yes, that one)

Guest:

• Crystal Lister, Technical Program Manager, Google Cloud Security

Topics:

• Your background can be sheepishly called “public sector”, what’s your experience been transitioning from public to private? How did you end up here doing what you are doing?

• We imagine you learned a lot from what you just described – how’s that impacted your work at Google?

• How have you seen risk management practices and outcomes differ?

• You now lead Google Threat Horizons reports, do you have a vision for this? How does your past work inform it?

• Given the prevalence of ransomware attacks, many organizations are focused on external threats. In your experience, does the risk of insider threats still hold significant weight? What type of company needs a dedicated and separate insider threat program?

Resources:

• Video on YouTube

• Google Cybersecurity Action Team Threat Horizons Report #9 Is Out!

• Google Cybersecurity Action Team site for previous Threat Horizons Reports

• EP112 Threat Horizons - How Google Does Threat Intelligence

• Psychology of Intelligence Analysis by Richards J. Heuer

• The Coming Wave by Mustafa Suleyman 

• Visualizing Google Cloud: 101 Illustrated References for Cloud Engineers and Architects

Guest:

• Angelika Rohrer, Sr. Technical Program Manager , Cyber Security Response at Alphabet

Topics:

• Incident response (IR) is by definition “reactive”, but ultimately incident prep determines your IR success. What are the broad areas where one needs to prepare?

• You have created a new framework for measuring how ready you are for an incident, what is the approach you took to create it?

• Can you elaborate on the core principles behind the Continuous Improvement (CI) Framework for incident response?

• Why is continuous improvement crucial for effective incident response, especially in cloud environments? Can’t you just make a playbook and use it?

• How to overcome the desire to focus on the easy metrics and go to more valuable ones?

• What do you think Google does best in this area?

• Can you share examples of how the CI Framework could have helped prevent or mitigate a real-world cloud security incident?

• How can other organizations practically implement the CI Framework to enhance their incident response capabilities after they read the paper?

Resources:

• “How do you know you are "Ready  to Respond"? paper

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

Guest:

• Shan  Rao, Group Product Manager, Google 

Topics:

• What are the unique challenges when securing AI for cloud environments, compared to traditional IT systems?

• Your talk covers 5 risks, why did you pick these five? What are the five, and are these the worst?

• Some of the mitigation seems the same for all risks. What are the popular SAIF mitigations that cover more of the risks?

• Can we move quickly and securely with AI? How?

• What future trends and developments do you foresee in the field of securing AI for cloud environments, and how can organizations prepare for them?

• Do you think in 2-3 years AI security will be a separate domain or a part of … application security? Data security? Cloud security? 

Resource:

• Video (LinkedIn, YouTube)  [live audio is not great in these]

• “A cybersecurity expert's guide  to securing AI products with Google SAIF“ presentation

• SAIF Site

• “To securely build AI on Google Cloud, follow these best practices” (paper)

• “Secure AI Framework (SAIF): A Conceptual Framework for Secure AI Systems” resources

• Corey Quinn on X (long story why this is here… listen to the episode)

Guests:

• None

Topics:

• What have we seen at RSA 2024?

• Which buzzwords are rising (AI! AI! AI!) and which ones are falling (hi XDR)?

• Is this really all about AI? Is this all marketing?

• Security platforms or focused tools, who is winning at RSA?

• Anything fun going on with SecOps?

• Is cloud security still largely about CSPM?

• Any interesting presentations spotted?

Resources:

• EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side (RSA 2024 episode 1 of 2)

• “From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis” blog

• “Decoupled SIEM: Brilliant or Stupid?” blog

• “Introducing Google Security Operations: Intel-driven, AI-powered SecOps” blog

• “Advancing the art of AI-driven security with Google Cloud” blog

Guest:

• Elie Bursztein, Google DeepMind Cybersecurity Research Lead, Google

 Topics:

• Given your experience, how afraid or nervous are you about the use of GenAI by the criminals (PoisonGPT, WormGPT and such)?

• What can a top-tier state-sponsored threat actor do better with LLM? Are there “extra scary” examples, real or hypothetical?

• Do we really have to care about this “dangerous capabilities” stuff (CBRN)? Really really?

• Why do you think that AI favors the defenders? Is this a long term or a short term view?

• What about vulnerability discovery? Some people are freaking out that LLM will discover new zero days, is this a real risk?

 Resources:

• “How Large Language Models Are Reshaping the Cybersecurity Landscape” RSA 2024 presentation by Elie (May 6 at 9:40AM)

• “Lessons Learned from Developing Secure AI Workflows” RSA 2024 presentation by Elie (May 8, 2:25PM)

• EP50 The Epic Battle: Machine Learning vs Millions of Malicious Documents

• EP40 2021: Phishing is Solved?

• EP135 AI and Security: The Good, the Bad, and the Magical

• EP170 Redefining Security Operations: Practical Applications of GenAI in the SOC

• EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It

• PyRIT LLM red-teaming tool

• Accelerating incident response using generative AI

• Threat Actors are Interested in Generative AI, but Use Remains Limited

• OpenAI’s Approach to Frontier Risk

Guest:

• Payal Chakravarty, Director of Product Management, Google SecOps, Google Cloud

Topics:

• What are the different use cases for GenAI in security operations and how can organizations  prioritize them for maximum impact to their organization?

• We’ve heard a lot of worries from people that GenAI will replace junior team members–how do you see GenAI enabling more people to be part of the security mission?

• What are the challenges and risks associated with using GenAI in security operations?

• We’ve been down the road of automation for SOCs before–UEBA and SOAR both claimed it–and AI looks a lot like those but with way more matrix math-what are we going to get right this time that we didn’t quite live up to last time(s) around?

• Imagine a SOC or a D&R team of 2029. What AI-based magic is routine at this time? What new things are done by AI? What do humans do?

Resources:

• Live video (LinkedIn, YouTube) [live audio is not great in these]

• Practical use cases for AI in security operations, Cloud Next 2024 session by Payal

• EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It

• EP169 Google Cloud Next 2024 Recap: Is Cloud an Island, So Much AI, Bots in SecOps

• 15 must-attend security sessions at Next '24