Cloud Security Podcast by Google

Anton Chuvakin · cloud.withgoogle.com
Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure. We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit. We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.
Episodes

EP142 Cloud Security Podcast Ask Me Anything #AMA 2023

Host: Stephanie Wong, Product Manager, Google Cloud Guests (yes, really, we are the guests!): Anton Chuvakin, Tim Peacock Topics: Could you tell us how you ended up in security? What was the moment you realized that Cloud security was different from well, regular, security? Anton is always asking this “3AM test”, where did that come from? How do you source topics for the podcast? What advice would you give to folks who are interested in getting into security? … and other fun questions! Resources...

Oct 09, 2023 · 33 min · Season 1 · Ep. 142

EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same?

Guest: Jeremiah Kung, Global Head of Information Security, AppLovin Topics: Before we dive into all of the awesome cloud migrations you’ve experienced and your learnings there, could we start with a topic of East vs West CISO mentality? We are talking to more and more CISOs who see the cloud as a net win for security. What’s your take on whether the cloud improves security? We talked about doing some “big” cloud migrations, could you talk about what you learned back in 2015 about the “right” wa...

Oct 02, 2023 · 25 min · Season 1 · Ep. 141

EP140 System Hardening at Google Scale: New Challenges, New Solutions

Guest: Andrew Hoying, Senior Security Engineering Manager @ Google Topics: What is different about system hardening today vs 20 years ago? Also, what is special about hardening systems at Google's massive scale? Can I just apply CIS templates and be done with it? Part of hardening has to be following up with developers after they have un-hardened things – how do we operationalize that at scale without getting too much in the way of productivity? A part of hardening has got to be responding to new...

Sep 25, 2023 · 27 min · Season 1 · Ep. 140

EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations

Guest: Chris Corde, Sr Director of Product Management - Security Operations, Google Cloud Topics: You cover many products, but let’s focus on Chronicle today. An easy question: Chronicle isn’t an XDR, so what is it? Since you’ve joined the team, what’re you most proud of shipping to clients? Could you share more about the Mandiant acquisition, what’s been a happy surprise and what are you looking forward to making available to customers? Some believe that good security operations success is mos...

Sep 18, 2023 · 24 min · Season 1 · Ep. 139

EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud

Guest: Rosemary Wang, Developer Advocate at HashiCorp Topics: Could you give us a 2 minute picture on what Terraform is, what stages of the cloud lifecycle it is relevant for, and how it intersects with security teams? How can Terraform be used for security automation? How should security teams work with DevOps teams to use it? What are some of the obvious and not so obvious security challenges of using Terraform? How can security best practices be applied to infrastructure instantiated via Ter...

Sep 11, 2023 · 30 min · Season 1 · Ep. 138

EP137 Next 2023 Special: Conference Recap - AI, Cloud, Security, Magical Hallway Conversations

Guests: no guests, all banter, all very fun :-) Topics: How is Google Next this year? What is new in cloud security? Is Google finally a security vendor? What are some of the fun security presentations we've seen, including our own? Any impactful launches in security? What was the most interesting overall? Resources: “Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?” (ep136) “RSA 2023 - What We Saw, What We Learned, and What We're Excited About” (ep119) “Cyber Defense Mat...

Sep 05, 2023 · 24 min · Season 1 · Ep. 137

EP136 Next 2023 Special: Building AI-powered Security Tools - How We Do It?

Guest: Eric Doerr, VP of Engineering, Google Cloud Security Topics: You have a Next presentation on AI, what is the most exciting part for you? We care both about securing AI and using AI for security. How do you organize your thinking about it? Executive surveys imply that trusting an AI (for business) is still an issue. How can we trust AI for security? What does it mean to “trust AI” in this context? How should defenders think about threat modeling AI systems? Back to using AI for security,...

Aug 28, 2023 · 22 min · Season 1 · Ep. 136

EP135 AI and Security: The Good, the Bad, and the Magical

Guest: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Topics: Why is AI a game-changer for security? Can we even have game-changers in cyber security? Is it more detection or is it more reducing toil and making humans more productive? What are your favorite AI for security use cases? What “AI + security” issue makes you - a classic CISO question here - lose sleep at night? Does AI help defenders or attackers more? Won’t attackers adopt fa...

Aug 21, 2023 · 26 min · Season 1 · Ep. 135

EP134 How to Prioritize UX and Security in the Cloud: UX as a Security Capability

Guest: Steph Hay, Director of UX, Google Cloud Security Topics: The importance of User Experience (UX) in security is so obvious – though it isn’t to a lot of people! Could we talk about the importance of UX in security? UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this? How do you think about prioritizing your team’s time between day zero vs day n experiences for users of securi...

Aug 14, 2023 · 26 min · Season 1 · Ep. 134

EP133 The Shared Problem of Alerting: More SRE Lessons for Security

Guests: Steve McGhee, Reliability Advocate at Google Cloud; Aron Eidelman, Developer Relations Engineer at Google Cloud Topics: What is the shared problem for SRE and security when it comes to alerting? Why is there reluctance to reduce noise? How do SREs, security practitioners, and other stakeholders define “incident” and “risk”? How does involving an “adversary” change the way people think about an incident, even if the impact is identical? Which SRE alerting lessons do NOT apply at all for s...

Aug 07, 2023 · 36 min · Season 1 · Ep. 133

EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge

Guest: Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly Topics: So what is Security Chaos Engineering? “Chapter 5. Operating and Observing” is Anton’s favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection? How chaos engineering (or is it really about software resilience?) intersects w...

Jul 31, 2023 · 36 min · Season 1 · Ep. 132

EP131 A Deep Dive into Google's Assured OSS: How Google Secures the Software You Use

Guests: Himanshu Khurana, Engineering Manager, Google Cloud; Rahul Gupta, Product Manager for Assured OSS, Google Cloud Topics: For the software you’re supporting in Assured Open Source your team discovered 50% of the CVEs reported in them this year. How did that happen? So what is Assured Open Source? Do we really guarantee its security? What does “guarantee” here mean? What’re users actually paying for here? What’s the Google magic here and why are we doing this? Do we really audit all code an...

Jul 24, 2023 · 26 min · Season 1 · Ep. 131

EP130 Cloud is Secure: Are you Using It Securely - True or False?

Guest: Steve Riley, Field CTO, Netskope, ex-Gartner Research VP Topics: Analysts (well, like Steve and Anton in the past?) say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this today? When clients hear “use cloud securely”, what do you think comes to their minds? How would you approach planning for secure use of the cloud or using cloud securely? What is your view of cloud defense in depth (DiD) or layered defenses? How do you suggest clients think...

Jul 17, 2023 · 34 min · Season 1 · Ep. 130

EP129 How CISO Cloud Dreams and Realities Collide

Guest: Rick Doten, VP, Information Security at Centene Corporation, CISO Carolina Complete Health Topics: What are the realistic cloud risks today for an organization using public cloud? Is the vendor lock-in on that list? What other risks everybody thinks are real, but they are not? What do you tell people who in 2023 still think “they can host Exchange better themselves” and have silly cloud fears? What do you tell people who insist on “copy/pasting” all their security technology stack from d...

Jul 10, 2023 · 31 min · Season 1 · Ep. 129

EP128 Building Enterprise Threat Intelligence: The Who, What, Where, and Why

Guest: John Doyle, Principal Intelligence Enablement Consultant at Mandiant / Google Cloud Topics: You have created a new intelligence class focused on building enterprise threat intelligence capability, so what is the profile of an organization and profile for a person that benefits the most from the class? There are many places to learn threat intel (TI), what is special about your new class? You talk about country cyber operations in the class, so what is the defender-relevant difference ...

Jul 03, 2023 · 27 min · Season 1 · Ep. 128

EP127 Is IAM Really Fun and How to Stay Ahead of the Curve in Cloud IAM?

Guest: Ian Glazer, founder at Weave Identity, ex-Gartner, ex-SVP of Products at Salesforce, co-founder of IDPro Topics: OK, tell us why Identity and Access Management (IAM) is exciting (is it exciting?) Could you also explain why IAM is even more exciting in the cloud? Are you really “one IAM mistake away from a breach” in the cloud? What advice would you give to someone new to IAM? How to not just “learn IAM in the cloud” but to keep learning IAM? Is what I know about IAM in AWS the same as kn...

Jun 26, 2023 · 30 min · Season 1 · Ep. 127

EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?

Guests: Dominik Richter, the founder and head of product at Mondoo Cooked questions: What is a policy, is that the same as a control, or is there a difference? And what’s the gap between a policy and a guardrail? We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud? Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now? Who should own the implementation of Policy as Code? Is Policy as Code something that...

Jun 19, 2023 · 32 min · Season 1 · Ep. 126

EP125 Will SIEM Ever Die: SIEM Lessons from the Past for the Future

Guest: David Swift, Security Strategist at Netenrich Topics: Which old Security Information and Event Management (SIEM) lessons apply today? Which old SIEM lessons absolutely do not apply today and will harm you? What are the benefits and costs of SIEM in 2023? What are the top cloud security use cases for SIEM in 2023? What are your favorite challenges with SIEM in 2023 special in the cloud? Are they different from, say, 2013 or perhaps 2003? Do you think SIEM can ever die? Resources: Live vide...

Jun 12, 2023 · 30 min · Season 1 · Ep. 125

EP124 Safe Browsing: Lessons from How Google Secures Five Billion Devices at Low False Positive Rates

Guest: Panos Mavrommatis, Senior Engineering Director at Google Cloud Topics: Could you give us the 30 second overview of our favorite “billion user security product” - SafeBrowsing - and, since you were there, how did it get started? SafeBrowsing is a consumer and business product – are you mitigating the same threats and threat models on each side? Making this work at scale can’t be easy, anytime we’re talking about billion device protection, there are massive scale questions. How did we make...

Jun 05, 2023 · 25 min · Season 1 · Ep. 124

EP123 The Good, the Bad, and the Epic of Threat Detection at Scale with Panther

Guest: Jack Naglieri, Founder and CEO at Panther Topics: What is good detection, defined at micro-level for a rule or a piece of detection content? What is good detection, defined at macro-level for a program at a company? How to reliably produce good detection content at scale? What is a detection content lifecycle that reliably produces good detections at scale? What is the purpose of a SIEM today? Where do you stand on a classic debate on vendor-written vs customer-created detection content?...

May 29, 2023 · 39 min · Season 1 · Ep. 123

EP122 Firewalls in the Cloud: How to Implement Trust Boundaries for Access Control

Guest: Michele Chubirka, Senior Cloud Security Advocate, Google Cloud Topics: So, if somebody wakes you up at 3AM (“Anton’s 3AM test”) and asks “Do we need firewalls in the cloud?” what would you say? Firewalls (=virtual appliances in the cloud or routing cloud traffic through physical firewalls) vs firewalling (=controlling network access) in the cloud, do they match the cloud-native realities? How do you implement trust boundaries for access control with cloud-native options? Can you imagine ...

May 22, 2023 · 34 min · Season 1 · Ep. 122

EP121 What Happens Here Stays Here: Confidential City (and Space)

Guests: Nelly Porter, Group Product Manager, Google Cloud; Rene Kolga, Senior Product Manager, Google Cloud Topics: Could you remind our listeners what confidential computing is? What threats does this stop? Are these common at our clients? Are there other use cases for this technology like compliance or sovereignty? We have a new addition to our Confidential Computing family - Confidential Space. Could you tell us how it came about? What new use cases does this bring for clients? Resources: “...

May 15, 2023 · 31 min · Season 1 · Ep. 121

EP120 Building Secure Cloud and Building Security Products: Finding the Balance

Guest: Jeff Reed, VP of Product, Cloud Security @ Google Cloud Topics: You’ve had a long career in software and security, what brought you to Google Cloud Security for this role? How do you balance the needs of huge global financials that often ask for esoteric controls (say EKM with KAJ) vs the needs of SMBs that want easy yet effective, invisibility security? We’ve got an interesting split within our security business: some of our focus is on making Google Cloud more secure, while some of ou...

May 08, 2023 · 26 min · Season 1 · Ep. 120

EP119 RSA 2023 - What We Saw, What We Learned, and What We're Excited About

Guest: Connie Fan, Senior Product and Business Strategy Lead, Google Cloud Topics: We were at RSA 2023, what did we see that was notable and surprising? Cloud security showed up with three startups with big booths, and one big player with a small demo station. What have we learned here? What visitors might have seen at the Google Cloud booth that we're really excited about? Could you share why we chose these two AI cases - generation of code and summarization of complex content - out of all the...

May 01, 2023 · 25 min · Season 1 · Ep. 119

EP118 RSA 2023 - How to Protect Your Organization from Cyberattacks in a Time of Political Turmoil

Guests: Shanyn Ronis, Head of the Mandiant Communication Center; John Miller, Head of Mandiant Intelligence Analysis Topics: It seems like we’re seeing more cyber activity taking place in the context of geopolitical events. A lot of organizations struggle to figure out if/how to respond to these events and any related cyber activity. What advice do you have for these organizations and their leadership? A lot of threat intel (TI) suffers from “What does this event mean for threats to our organiz...

Apr 24, 2023 · 27 min · Season 1 · Ep. 118

EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?

Guest: Maxime Lamothe-Brassard, Founder @ LimaCharlie Topics: What does an engineering-centric approach to cybersecurity mean? What to tell people who want to "consume" rather than "engineer" security? Is “engineering-centric” approach the same as evidence-based or provable? In practical terms, what does it mean to adopt an "engineering-centric approach" to cybersecurity for an organization? How will it differ from what we have today? What will it enable? Can you practice this with a very small...

Apr 17, 2023 · 27 min · Season 1 · Ep. 117

EP116 SBOMs: A Step Towards a More Secure Software Supply Chain

Guest: Isaac Hepworth, PM focused on Software Supply Chain Security @ Google Cooked questions: Why is everyone talking about SBOMs all of a sudden? Why does this matter to a typical security leader? Some software vendors don’t want SBOM, and this reminds us of the food safety rules debates in the past, how does this analogy work here? One interesting challenge in the world of SBOMs and unintended consequences is that large well resourced organizations may be better equipped to produce SBOMs tha...

Apr 10, 2023 · 30 min · Season 1 · Ep. 116

EP115 How to Approach Cloud in a Cloudy Way, not As Somebody Else’s Computer?

Guest: Rafal Los, Head of Services Strategy @ Extrahop and Founder of Down the Security Rabbit Hole podcast Topics: You had a very fun blog where you reminded the world that many organizations still approach cloud as a rented data center, do you still see it now? Do you think this will persist for 3, 5, 10 years? Other than microservices, what’re the most important differences between public cloud and a rented data center for a CISO to keep in mind? Analysts say that “cloud is secure, but clien...

Apr 03, 2023 · 35 min · Season 1 · Ep. 115

EP114 Minimal Viable Secure Product (MVSP) - Is That a Thing?

Guest: Chris John Riley, Senior Security Engineer and a Technical Debt Corrector @ Google Topics: We’ve heard of MVP, what is MVSP or Minimal Viable Secure Product? What problem is MVSP trying to solve for the industry, community, planet, etc? How does MVSP actually help anybody? Who is the MVSP checklist for? Leaders or engineers? How does MVSP differ from compliance standards like ISO 27001, or even SOC 2? How does Google use MVSP? Has it improved our security in some way? How to balance the ...

Mar 27, 2023 · 28 min · Season 1 · Ep. 114

EP113 Love it or Hate it, Network Security is Coming to the Cloud

Guest: Martin Roesch, CEO at Netography, creator of Snort Topics: What is the role of network security in the public cloud? Networks used to be the perimeter, now we have an API and identity driven perimeter. Are networks still relevant as a layer of defense? We often joke that “you don’t need to get your firewalls with you to the cloud”, is this really true? How do you do network access control if not with firewalls? What about the NIDS? Does NIDS have a place in the cloud? So we agree that s...

Mar 20, 2023 · 28 min · Season 1 · Ep. 113
Hosted on Libsyn