Cloud Security Podcast by Google

Anton Chuvakin | cloud.withgoogle.com
Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure. We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit. We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.

Episodes

EP82 Mega-confused by XDR? You Are Not Alone! This XDR Skeptic Clarifies!

Guest: Dimitri McKay, Principal Security Strategist @ Splunk Topics: How do you define that "XDR thing" that you are so skeptical about? So within that definition of XDR, you think it’s not so great, why? If you have to argue pro-XDR, what would you say? Two main XDR camps are “XDR as EDR+” and “XDR as SIEM-”, which camp do you think is more right? Are both wrong? What approach do you think is more useful as a lens to understand the potential upsides/downsides of XDR? What about the cloud? "Clo...

Sep 05, 2022 | 28 min | Season 1 | Ep. 82

EP81 Demystify Data Sovereignty and Sovereign Cloud Secrets at Google Cloud

Guest: Christopher “CJ” Johnson, retired Fire Chief, and Global Regulated Cloud Product Lead @ Google Cloud Topics: In political science, they define sovereignty as a local monopoly on the legitimate use of force. Why are we talking about “sovereignty” in IT? What is a sovereign cloud? How much of the term is marketing vs engineering? Who cares or should care about sovereign cloud? Is this about technical controls or paper/policy controls? Or both? What is the role for encryption and key manage...

Aug 29, 2022 | 26 min | Season 1 | Ep. 81

EP80 CISO Walks Into the Cloud: Frustrations, Successes, Lessons ... And Does the Risk Change?

Guest: David Stone, Staff Consultant at Office of the CISO, Google Cloud Topics: Speaking as a former CISO, what triggered your organization's migration to the cloud? When did you and the security organization get brought in? How did you plan your security organization's journey to the cloud? Did you take going to Cloud as an opportunity to change things beyond the tools you were using? As you got going into the cloud, what was the hardest part for your organization? What was most surprising? Good...

Aug 22, 2022 | 29 min | Season 1 | Ep. 80

EP79 Modernize Data Security with Autonomic Data Security Approach

Guest: John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud Topics: So what is Autonomic Data Security, described in our just released paper? What are some notorious data security issues today? Perhaps common data security mistakes security leaders commit? What never worked in data security, like say manual data classification? How should organizations think about securing the data they migrated and the data that was created in the cloud? Do you really believe the cloud can make dat...

Aug 15, 2022 | 28 min | Season 1 | Ep. 79

EP78 Classic SOC Meets Cloud: What Changes? What Stays the Same?

Guest: Gorka Sadowski, Chief Strategy Officer @ Exabeam Topics: How do we get a legacy SOC team to think about the cloud? How to think about cloud threat detection, in general? What is different … threats, the environment, what else? What is the same? How do we know which TTPs are relevant for the new environments? What to bring with us to the cloud? Do content/rules and detection engines need to be different to cover the cloud detection use cases? What cases are appropriate for machine learnin...

Aug 08, 2022 | 28 min | Season 1 | Ep. 78

EP77 Operational Realities of SOAR: Automate and/or Enrich, Playbooks, Magic

Guest: Cyrus Robinson, SOC Director and IR Team lead at Ingalls Information Security Topics: You’ve been using SOAR tools for years, so what do you think of the technology so far? What is driving SOAR adoption today? And what is inhibiting SOAR adoption? Realistically, how hard is SOAR to operationalize for a typical company? What are your favorite SOAR playbooks to start with? How to build, train and keep the SOAR team? Do they need to code to succeed? We like the SOAR maturity model approach ...

Aug 01, 2022 | 25 min | Season 1 | Ep. 77

EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?

Guest: Ben Johnson, CTO/co-founder @ Obsidian Security Topics: Why is there so much attention lately on SaaS security? Doesn’t this area date back to 2015 or so? What do you see as the primary challenges in securing SaaS? What does a SaaS threat model look like? What are the top threats you see? CASB has been the fastest growing security market and it has grown into a broad platform and many assume that “securing SaaS = using CASB”, what are they missing? Where would another technology to secu...

Jul 25, 2022 | 30 min | Season 1 | Ep. 76

EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

Guest: Tim Nguyen, Director of Detection and Response @ Google Topics: I know we don’t like to say “SOC” here, so why don’t we talk about the role of automation in detection and response (D&R) at Google? One SRE concept we found useful in security operations is “toil” - How do we squeeze toil out of D&R practice at Google? A combined analyst and engineer role (just like an SRE) was critical for both increasing automation and reducing toil, how hard was it to put this into practice? Tell...

Jul 18, 2022 | 27 min | Season 1 | Ep. 75

EP74 Who Will Solve Cloud Security: A View from Google Investment Side

Guest: James Luo, Partner @ CapitalG Topics: You've looked at hundreds of security startups at the growth stage - what is getting funded? What is not getting funded? What is the difference? What's your view on the current market environment for security companies? Is security "recession-proof", whatever that means? How do you think about what problems are worth solving with a new venture vs existing vendors (and/or CSPs) expanding to cover the new area? Why do many cloud security vendors get fu...

Jul 11, 2022 | 27 min | Season 1 | Ep. 74

EP73 Your SOC Is Dead? Evolve to Output-driven Detect and Respond!

Guest: Erik Bloch, Senior Director of Detection and Response at Sprinklr Topics: You recently coined a concept of “output-driven Detection and Response” and even perhaps broader “output-driven security.” What is it and how does it work? Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that? You refer to a federated approach for Detection and Response (“route the outcomes to the teams that need them or can address them”), but is it workable for...

Jul 05, 2022 | 28 min | Season 1 | Ep. 73

EP72 What Does Good Detection and Response Look Like in the Cloud? Insights from Expel MDR

Guests: Dave “Merk” Merkel, CEO @ Expel; Peter Silberman, CTO @ Expel Topics: Many MDRs claim to be “security from the cloud”, but they actually don’t know much about cloud security. What does good look like for MDR in the cloud (cloud being a full range from IaaS to SaaS)? What are the key challenges for clients picking an MDR for their cloud environments? What are the questions to ask your potential MDR? Do clients want the same security outcomes done in the cloud vs on-premise? Does it mean...

Jun 27, 2022 | 32 min | Season 1 | Ep. 72

EP71 Attacking Google to Defend Google: How Google Does Red Team

Guest: Stefan Friedli, Senior Security Engineer @ Google Topics: What is our “red team” testing philosophy and approach at Google? How did we evolve to this approach? What is the path from testing to making Google and our users more secure? How does our testing power the improvements we make? What is unique about red teaming at Google? Care to share some fun testing stories or examples from your experience? Resources: “Building Secure & Reliable Systems” book (free) Threat Analysis Group (T...

Jun 21, 2022 | 23 min | Season 1 | Ep. 71

EP69 Cloud Threats and How to Observe Them

Guest: James Condon, Director of Security Research @ Lacework Topics: What are realistic and actually observed cloud threats today? How did you observe them at Lacework? Cloud threats: are they on-premise style threats to cloud assets? We hate the line “cloud is just somebody else’s computer” but apparently threat actors seem to think so? What is the 2nd most dangerous cloud issue after configuration mistakes? Why is it so common for organizations to have insecure configurations in their cloud...

Jun 13, 2022 | 30 min | Season 1 | Ep. 69

EP68 How We Attack AI? Learn More at Our RSA Panel!

Guest: Nicholas Carlini, Research Scientist @ Google Topics: What is your threat model for a large-scale AI system? How do you approach this problem? How do you rank the attacks? How do you judge if an attack is something to mitigate? How do you separate realistic from theoretical? Are there AI threats that were theoretical in 2020, but may become a daily occurrence in 2025? What are the threat-derived lessons for securing AI? Do we practice the same or different approaches for secure AI and re...

Jun 06, 2022 | 28 min | Season 1 | Ep. 68

EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?

Guest: Sounil Yu, CISO and Head of Research at JupiterOne Topics: How does your Cyber Defense Matrix apply to cloud security? Are things easier or harder? Cloud (at least the cloudy-cloud, also called cloud native) definitely supports “Distributed Immutable Ephemeral” (DIE) - your new creation, how does that change security and CDM? Cyber resilience generates a lot of confusion, how do you define and describe it? BTW, is the cloud more or less cyber resilient based on your definition? Is invisi...

May 31, 2022 | 26 min | Season 1 | Ep. 67

EP66 Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance

Guest: Sandra Guo, Product Manager in Security, Google Cloud Topics: We have a really interesting problem here: if we make great investments in our use of trusted repositories, and great investments in doing code review on every change, and securing our build systems, and having reproducible builds, how do we know that all of what we did upstream is actually what gets deployed to production? What are the realistic threats that Binary Authorization handles? Are there specific organizations that ...

May 23, 2022 | 25 min | Season 1 | Ep. 66

EP65 Is Your Healthcare Security Healthy? Mandiant Incident Response Insights

Guests: Charles Carmakal, CTO at Mandiant; Taylor Lehmann, Director at Office of the CISO, Google Cloud Topics: What are the current “popular” incidents at healthcare providers that you handled? Any of them involve cloud? Do healthcare CISOs have time for anything other than ransomware? Does insider threat matter? What can incident response teach us here? How do you think the threat actors benefit from the health data they steal? Based on your IR experience, what are the more interesting ways i...

May 16, 2022 | 28 min | Season 1 | Ep. 65

EP64 Security Operations Center: The People Side and How to Do it Right

Guest: Dave Herrald, Principal Security Strategist @ Google Cloud Topics: What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc)? How do you make SOC training realistic? Should training be about the toolset or should it be about the analyst’s skills? Should you primarily train for engineering skills or analysis skills? Do you need to code to succeed in a modern SOC? Are competitive events like CTFs effective for SOC training? What ro...

May 09, 2022 | 29 min | Season 1 | Ep. 64

EP63 State of Autonomic Security Operations: Are There Sharks in Your SOC?

Guests: Robert Herjavec, Founder and CEO of Herjavec Group; Eric Foster, President of CYDERES; Iman Ghanizada, Global Head of Autonomic Security Operations at Google Cloud. Topics: It’s been a few months since we launched Autonomic Security Operations (ASO) and it seems like the whitepaper has been going viral in the industry. Tell us what ASO is about? How was the ASO story received by your customers? Any particular reactions? Will the ASO narrative inspire the next generation of practitioners...

May 02, 2022 | 35 min | Season 1 | Ep. 63

EP62 Protect Modern Applications in the Cloud: Union of APIs and Application Security

Guest: Etienne De Burgh, Senior Security and Compliance Specialist, Office of the CISO @ Google Cloud Topics: Why is API security hot now? What happened that made it a priority for many? Is API security different from application security? Doesn't the first "A" in API stand for application? What are the real threats to exposed APIs? APIs are designed for automated use, so how do you tell automated use from automated abuse / attack? What are the biggest challenges that companies are having with ...

Apr 25, 2022 | 27 min | Season 1 | Ep. 62

EP61 Anniversary Episode - What Did We Learn So Far on Cloud Security Podcast?

No guests - just Anton and Tim Topics: Why cloud security? What do we really think about our podcast name and topic, cloud security? Can you once again explain security for the cloud, in the cloud, from the cloud? What is one thing that we learned from doing a podcast? Favorite cloud security trend that we encountered on the podcast? What did we learn about security from organizations migrating to the cloud? What are our favorite reading materials related to cloud security? What are our favorit...

Apr 18, 2022 | 27 min | Season 1 | Ep. 61

EP60 Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM?

Guest: Dylan Ayrey, cofounder of Truffle Security Topics: Could you explain briefly why identity is so important in the cloud? A skeptic on cloud security once told us that “in the cloud, we are one identity mistake from a breach.” Is this true? For listeners who aren’t familiar with GCP, could you give us the 30 second story on “what is a service account.” How is it different from a regular IAM account? What are service account impersonations? How can I see if my service accounts can be impers...

Apr 11, 2022 | 31 min | Season 1 | Ep. 60

EP59 Zero Trust: So Easy Even a Government Can Do It?

Guest: Sharon Goldberg, CEO and cofounder of BastionZero and a professor at Boston University Topics: What is your favorite definition of zero trust? You had posted a blog analyzing the White House ZT memo on the federal government’s transition to “zero trust”, what caught your eye about the Zero Trust memo and why did you decide to write about it? What’s behind the federal government’s recommendations to deprecate VPNs and recommend users “authenticate to applications, not networks”? What do ...

Apr 04, 2022 | 28 min | Season 1 | Ep. 59

EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond

Guests: Alexi Wiemer, Senior Manager at Deloitte Cyber Detection and Response Practice; Dan Lauritzen, Senior Manager at Deloitte Cloud Security Practice. Topics: What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in? What is your best advice to SOCs that are permanently and woefully understaffed? Many SOC analysts are drowning in manual work, and it is easy to give advice that “they need to automate.” What does this actually ent...

Mar 28, 2022 | 28 min | Season 1 | Ep. 58

EP57 Stop Zero Days, Save the World: Project Zero's Maddie Stone Speaks

Guest: Maddie Stone, Security Researcher @ Google Topics: How do we judge the real risk of being attacked using an exploit for a zero day vulnerability? Does the zero day risk vary by company, industry, etc? What does pricing for zero days tell us, if anything? Are prices more driven by supply or demand these days? What security controls or defenses are useful against zero days including against chained zero days? Where are the cloud zero days? We get lots of attention on iOS and Android, what ...

Mar 21, 2022 | 25 min | Season 1 | Ep. 57

EP56 Rebuilding vs Forklifting and How to Secure a Data Warehouse in the Cloud

Guest: Erlander Lo, Security and Compliance Specialist @ Google Cloud Topics: Imagine you are planning a data warehouse in the cloud, how do you think about security? What are the expected threats to a large data store in the cloud? How to create your security approach for a data warehouse project? Are there regulations that force your decisions about security controls or approaches, no matter what the threats are? How do you approach data governance for this project? What controls are there to...

Mar 14, 2022 | 26 min | Season 1 | Ep. 56

EP55 The Magic of Cloud Migration: Learn Security Lessons from the Field

Guests: Brandie Anderson, Global Security Practice Lead @ Google Cloud; Renzo Cuadros, Regional Security Practice Lead @ Google Cloud Topics: What are your Cloud migration security lessons? Greatest hits? Near misses? What are the most common cloud security mistakes you see? Any practices or tricks to avoid or mitigate them? How do you talk people out of security “lift and shift”? Do clients understand how threat models change when they migrate to the cloud? How clients typically handle complianc...

Mar 07, 2022 | 27 min | Season 1 | Ep. 55

EP54 Container Security: The Past or The Future?

Guest: Anna Belak, Director of Thought Leadership @ Sysdig Topics: One model for container security is “Infrastructure security | build security | runtime security” - which is most important to get right? Which is hardest to get right? How are you helping users get their infrastructure security right, and what do they get wrong most often here? Your report states that “3⁄4 of running containers have at least one "high" or "critical" vulnerability” and it sounds like pre-cloud IT, but this is ab...

Feb 28, 2022 | 24 min | Season 1 | Ep. 54
Hosted on Libsyn