Guest:

• Michee Smith, Director, Product Management for Global Affairs Works, Google

Topics:

• What is Google Annual Transparency Report and how did we get started doing this? 

• Surely the challenge of a transparency report is that there are things we can’t be transparent about, how do we balance this? What are those? Is it a safe question?

• What Access Transparency Logs are and if they are connected to the report –other than in Tim's mind and your career? 

• Beyond building the annual transparency report, you also work on our central risk data platform. Every business has a problem managing risk–what’s special here? Do we have any Google magic here? 

• Could you tell us about your path in Product Management here? You have been here eight years, and recently became Director. Do you have any advice for the ambitious Google PMs listening to the show? 

 Resources:

• Google Annual Transparency report

• Access Transparency Logs

• “Digital Asset Valuation and Cyber Risk Measurement: Principles of Cybernomics“ book Keyun Ruan

• “Trapped in a frame: Why leaders should avoid security framework traps”  blog

Guest:

• Monica Shokrai, Head Of Business Risk and Insurance For Google Cloud 

Topics:

• Could you give us the 30 second run down of what cyber insurance is and isn't?

• Can you tie that to clouds? How does the cloud change it? Is it the case that now I don't need insurance for some of the "old school" cyber risks?

• What challenges are insurers facing with assessing cloud risks? On this show I struggle to find CISOs who "get" cloud, are there insurers and underwriters who get it?

• We recently heard about an insurer reducing coverage for incidents caused by old CVEs! What's your take on this? Effective incentive structure to push orgs towards patching operational excellence or someone finding yet another way not to pay out? Is insurance the magic tool for improving security?

• Doesn't cyber insurance have a difficult reputation with clients? “Will they even pay?” “Will it be enough?” “Is this a cyberwar exception?” type stuff?

• How do we balance our motives between selling more cloud and providing effective risk underwriting data to insurers?

• How soon do you think we will have actuarial data from many clients re: real risks in the cloud? What about the fact that risks change all the time unlike say many “non cyber” risks?

Resources:

• Video (LinkedIn, YouTube)

• Google Cloud Risk Protection program

• “Cyber Insurance Policy”  by Josephine Wolff 

• InsureSec

Guest:

• Dr Gary McGraw, founder of the Berryville Institute of Machine Learning

Topics:

• Gary, you’ve been doing software security for many decades, so tell us: are we really behind on securing ML and AI systems? 

• If not SBOM for data or “DBOM”, then what? Can data supply chain tools or just better data governance practices help?

• How would you threat model a system with ML in it or a new ML system you are building? 

• What are the key differences and similarities between securing AI and securing a traditional, complex enterprise system?

• What are the key differences between securing the AI you built and AI you buy or subscribe to?

• Which security tools and frameworks will solve all of these problems for us? 

Resources:

• EP135 AI and Security: The Good, the Bad, and the Magical

• Gary McGraw books

• “An Architectural Risk Analysis Of Machine Learning Systems: Toward More Secure Machine Learning“ paper

• “What to think about when you’re thinking about securing AI”

• Annotated ML Security bibliography  

• Tay bot story (2016)

• “Can you melt eggs?”

• “Microsoft AI researchers accidentally leak 38TB of company data”

• “Random number generator attack”

• “Google's AI Red Team: the ethical hackers making AI safer”

• Introducing Google’s Secure AI Framework

Guests:

• John Stoner, Principal Security Strategist, Google Cloud Security

• Dave Herrald, Head of Adopt Engineering, Google Cloud Security

Topics:

• In your experience, past and present, what would make clients trust vendor detection content?

• Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from?

• What is more important, seeing the detection or being able to change it, or both?

• If this is about seeing the detection code/content, what about ML and algorithms?

• What about the SOC analysts who don't read the code?

• What about “tuning” - is tuning detections a bad word now in 2023?

• Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic?

Resources:

• Video (Linkedin, YouTube)

• Github rules for Chronicle

• DetectionEngineering.net by Zack Allen

• “On Trust and Transparency in Detection” blog

• “Detection as Code? No, Detection as COOKING!” blog

• EP64 Security Operations Center: The People Side and How to Do it Right

• EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• Why is Threat Detection Hard?

• Detection Engineering is Painful — and It Shouldn’t Be (Part 1, 2, 3, 4, 5)

Guest:

• Adrian Sanabria,  Director of Valence Threat Labs at Valence Security, ex-analyst

Topics:

• When people talk about “cloud security” they often forget SaaS, what should be the structured approach to using SaaS securely or securing SaaS?

• What are the incidents telling us about the realistic threats to SaaS tools?

• Is the Microsoft 365 breach a SaaS breach, a cloud breach or something else?

• Do we really need CVEs for SaaS vulnerabilities?

• What are the least understood aspects of securing SaaS?

• What do you tell the organizations who assume that “SaaS vendor takes care of all SaaS security”?

• Isn’t CASB the answer to all SaaS security issues? We also have SSPM now too? Do we really need more tools?

Resources:

• VIdeo (LinkedIn, YouTube)

• EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?

• Valence 2023 State of SaaS Security report

• DHS Launches First-Ever Cyber Safety Review Board

• Enterprise Security Weekly podcast

• CloudVulnDb and another cloud vulnerability list

• Cyber Safety Review Board (CSRB) by CISA

Guest: 

• Kelli Vanderlee, Senior Manager, Threat Analysis, Mandiant at Google Cloud

Topics:

• Can you really forecast threats? Won’t the threat actors ultimately do whatever they want?

• How can clients use the forecast? Or as Tim would say it, what gets better once you read it?

• What is the threat forecast for cloud environments? It says “Cyber attacks targeting hybrid and multi-cloud environments will mature and become more impactful“ - what does it mean?

• Of course AI makes an appearance as well: “LLMs and other gen AI tools will likely be developed and offered as a service to assist attackers with target compromises.” Do we really expect attacker-run LLM SaaS? What models will they use? Will it be good?

• There are a number of significant elections scheduled for 2024, are there implications for cloud security?

• Based on the threat information, tell me about something that is going well, what will get better in 2024?

Resources:

• 2024 Google Cloud Security Forecast Report

• EP112 Threat Horizons - How Google Does Threat Intelligence

• EP135 AI and Security: The Good, the Bad, and the Magical

• How to Stop a Ransomware Attack

• Sophisticated StripedFly Spy Platform Masqueraded for Years as Crypto Miner

Guest:

• Wei Lien Dang, GP at Unusual Ventures

 Topics: 

• We have a view at Google that AI for security and security for AI are largely separable disciplines. Do you feel the same way? Is this distinction a useful one for you? 

• What are some of the security problems you're hearing from AI companies that are worth solving? 

• AI is obviously hot, and as always security is chasing the hotness. Where are we seeing the focus of market attention for AI security?

• Does this feel like an area that's going to have real full products or just a series of features developed by early stage companies that get acquired and rolled up into other orgs? 

• What lessons can we draw on from previous platform shifts, e.g. cloud security, to inform how this market will evolve?

 Resources:

• “What to think about when you’re thinking about securing AI” blog / paper

• EP135 AI and Security: The Good, the Bad, and the Magical

• EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?

• EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models

• Introducing Google’s Secure AI Framework

• OWASP Top 10 for Large Language Model Applications

• Unusual VC Startup Field Guide

• Demystifing LLMs and Threats by Caleb Sima

Guest:

• Jay Thoden van Velzen, Strategic Advisor to the CSO, SAP

 Topics:

• What are the challenges with shared responsibility for cloud security?

• Can you explain "shared" vs "separated" responsibility?

• In your article, you mention “shared faith”, we have “shared fate”, but we never heard of shared faith. What is this? Can you explain?

• What about the cloud models (SaaS, PaaS, IaaS), how does this sharing model differ?

• While at it, what is cloud, really? [yes, we really did ask this!]

 Resources:

• LinkedIn post and  Blog

• EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge

• “Security Chaos Engineering” book

• Shared responsibility failures blog

• Shared fate at Google Cloud (also see blogs one and two)

• National Cyber Security strategy

Guest:

• Kathryn Shih, Group Product Manager, LLM Lead in Google Cloud Security

Topics:

• Could you give our audience the quick version of what is an LLM and what things can they do vs not do?  Is this “baby AGI” or is this a glorified “autocomplete”?

• Let’s talk about the different ways to tune the models, and when we think about tuning what are the ways that attackers might influence or steal our data?

• Can you help our security listener leaders have the right vocabulary and concepts to reason about the risk of their information a) going into an LLM and b) getting regurgitated by one?

• How do I keep the output of a model safe, and what questions do I need to ask a vendor to understand if they’re a) talking nonsense or b) actually keeping their output safe? 

• Are hallucinations inherent to LLMs and can they ever be fixed?

• So there are risks to data and new opportunities for attacks and hallucinations. How do we know good opportunities in the area given the risks? 

Resources:

• Retrieval Augmented Generation (or go ask Bard about it)

• “New Paper: “Securing AI: Similar or Different?“”  blog

Guests:

• Tomer Schwartz, Dazz CTO

Topics:

• It seems that in many cases the challenge with cloud configuration weaknesses is not their detection, but remediation, is that true?

• As far as remediation scope, do we need to cover  traditional vulnerabilities (in stock and custom code), configuration weaknesses and other issues too?

• One of us used to cover vulnerability management at Gartner, and in many cases the remediation failures [on premise] were due to process, not technology, breakdowns. Is this the same in the cloud? If still true, how can any vendor technology help resolve it?

• Why is cloud security remediation such a headache for so many organizations?

• Is the friction real between security and engineering teams? Do they have any hope of ever becoming BFFs?

• Doesn’t every CSPM (and now ASPM too?) vendor say they do automated remediation today? How should security pros evaluate solutions for prioritizing, triaging, and fixing issues?

Resources:

• Video (YouTube, LinkedIn)

• Cloud Security Remediation for Dummies

• EP3 Automate and/or Die?

• EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?’

• EP54 Container Security: The Past or The Future?

• EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud

• EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?

• A Guide to Building a Secure SDLC

• 8 Megatrends drive cloud adoption—and improve security for all