Cloud Security Podcast

Join your hosts, Anton Chuvakin and Timothy Peacock, as they talk with industry experts about some of the most interesting areas of cloud security. If you like having threat models questioned and a few bad puns, please tune in!


Episode list

#85
September 26, 2022

EP85 Deploy Security Capabilities at Scale: SRE Explains How

Guest:

Steve McGhee, Reliability Advocate, Google Cloud

25:23

Topics covered:

  • What can security teams learn from the Site Reliability Engineering (SRE) art of rapid and safe deployment?
  • Is this all about the process or do SREs possess some magical technology to do this?
  • What is the SRE approach to automation?
  • What are the pillars / components of the SRE approach to deployment?
  • SRE is also about scaling. Some security teams have to manage 1000s of detection rules. How can this be done in a manner that does not conflict or cause other problems?
#84
September 19, 2022

EP84 How to Secure Artificial Intelligence (AI): Threats, Approaches, Lessons So Far

Guest:

27:29

Topics covered:

  • You did research by analyzing 2000 papers on AI attacks released in the previous decade. What are the main insights?
  • How do you approach discovering the relevant threat models for various AI systems and scenarios? 
  • Which threats are real today vs in a few years?
  • What are the common attack vectors? What do you see in the field of supply chain attacks on AI, software supply, data?
  • All these reported cyberphysical attacks on computer vision, how real are they, and what are the possible examples of exploitation? Are they a real danger to people?
  • What are the main differences between protecting AI vs protecting traditional enterprise applications?
  • Who should be responsible for Securing AI? What about for building trustworthy AI?
  • Given that the machinery of AI is often opaque, how to go about discovering vulnerabilities? Is there responsible disclosure for AI vulnerabilities, such as in open-source models and in public APIs? 
  • What should companies do first, when embarking on an AI security program? Who should have such a program?
#83
September 12, 2022

EP83 What Does reCAPTCHA Actually Do and How Does It Do it? Product Manager Explains

Guest:

25:27

Topics covered:

  • What is reCAPTCHA? Aren’t you guys the super annoying 'click on the busses' thing?
  • What is account defender? Why was this a natural next step for you?
  • What are the actual threats that this handles - and handles well? Specific web attacks? Web fraud?
  • Let’s talk about account fraud, what do these attacks look like and how do bad guys monetize today?
  • What about payment fraud? Could you score a payment session as well as a login session risk, or is that different? 
  • How does this work with multi factor authentication?
#82
September 5, 2022

EP82 Mega-confused by XDR? You Are Not Alone! This XDR Skeptic Clarifies!

Guest:

23:23

Topics covered:

  • How do you define that "XDR thing" that you are so skeptical about?
  • So within that definition of XDR, you think it’s not so great, why?
  • If you have to argue pro-XDR, what would you say?
  • Two main XDR camps are “XDR as EDR+” and “XDR as SIEM-”, which camp do you think is more right? Are both wrong?
  • What approach do you think is more useful as a lens to understand the potential upsides/downsides of XDR?
  • What about the cloud? "Cloud XDR" seems a bit illogical, but what do you think is the future of D&R in the cloud?
#81
August 29, 2022

EP81 Demystify Data Sovereignty and Sovereign Cloud Secrets at Google Cloud

Guest:

25:25

Topics covered:

  • In political science, they define sovereignty as a local monopoly on the legitimate use of force. Why are we talking about “sovereignty” in IT?
  • What is a sovereign cloud? How much of the term is marketing vs engineering?
  • Who cares or should care about sovereign cloud?
  • Is this about technical controls or paper/policy controls? Or both?
  • What is the role for encryption and key management and key access justifications (like say Google Cloud EKM with KAJ) for sovereign cloud?
  • Is sovereign cloud automatically more secure, or does it at least have better data security?
  • What threat models are considered for sovereign cloud technologies?
#80
August 22, 2022

EP80 CISO Walks Into the Cloud: Frustrations, Successes, Lessons ... And Does the Risk Change?

Guest:

  • David Stone, Staff Consultant at Office of the CISO, Google Cloud

27:27

Topics covered:

  • Speaking as a former CISO, what triggered your organization's migration to the cloud?
  • When did you and the security team get brought in?
  • How did you plan your security team journey to the cloud?
  • Did you take going to cloud as an opportunity to change things beyond the tools you were using? 
  • As you got going into the cloud, what was the hardest part for your organization?
  • What was most surprising? Good surprise and bad surprise?
  • How did you design security controls for the cloud?
  • How do you validate and verify security controls in the cloud? 
  • How did you incorporate your cloud environment into your SOC’s responsibility?
  • One final strategic question: is moving to Cloud a net risk reduction? Can it be?
#79
August 15, 2022

EP79 Modernize Data Security with Autonomic Data Security Approach

Guest:

  • John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud

23:23

Topics covered:

  • So what is Autonomic Data Security, described in our just released paper? 
  • What are some notorious data security issues today? Perhaps common data security mistakes security leaders commit?
  • What never worked in data security, like say manual data classification?
  • How should organizations think about securing the data they migrated and the data that was created in the cloud?
  • Do you really believe the cloud can make data security better than data security in traditional environments?
#78
August 8, 2022

EP78 Classic SOC Meets Cloud: What Changes? What Stays the Same?

Guest:

23:29

Topics covered:

  • How do we get a legacy SOC team to think about the cloud?
  • How to think about cloud threat detection, in general? What is different … threats, the environment, what else? What is the same? 
  • How do we know which TTPs are relevant for the new environments? What to bring with us to the cloud?
  • Do content/rules and detection engines need to be different to cover the cloud detection use cases?
  • What cases are appropriate for machine learning (ML) in the cloud? Do cloud threats drive the need for new ML detections?
#77
August 1, 2022

EP77 Operational Realities of SOAR: Automate and/or Enrich, Playbooks, Magic

Guest:

  • Cyrus Robinson, SOC Director and IR Team lead at Ingalls Information Security

25:25

Topics covered:

  • You’ve been using SOAR tools for years, so what do you think of the technology so far?
  • What is driving SOAR adoption today? And what is inhibiting SOAR adoption?
  • Realistically, how hard is SOAR to operationalize for a typical company?
  • What are your favorite SOAR playbooks to start with?
  • How to build, train and keep the SOAR team? Do they need to code to succeed?
  • We like the SOAR maturity model approach. How would you imagine a SOAR adoption maturity model?
  • How to implement SOAR from scratch in scaling operations? How to start? How to plan? How to not fail?
#76
July 25, 2022

EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?

Guest:

27:27

Topics covered:

  • Why is there so much attention lately on SaaS security? Doesn’t this area date back to 2015 or so?
  • What do you see as the primary challenges in securing SaaS?
  • What does a SaaS threat model look like? What are the top threats you see?
  • CASB has been the fastest-growing security market, it has grown into a broad platform, and many assume that “securing SaaS = using CASB”. What are they missing?
  • Where would another technology to secure SaaS fit architecturally, inline with CASB or as another API-based system?
  • Securing IaaS spanned a robust ecosystem of vendors (CWPP, CSPM, now CNAPP) and many of these have ambitions for securing SaaS, thus clashing with CASB. Where do you fit in this battle?
  • For a while, you were talking more about CDR - what is it and do we really need a separate CDR technology?