Cloud Security Podcast

Join your hosts, Anton Chuvakin and Timothy Peacock, as they talk with industry experts about some of the most interesting areas of cloud security. If you like having threat models questioned and a few bad puns, please tune in!


Episode list

#66
May 23, 2022

EP66 Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance

Guest:

  • Sandra Guo, Product Manager in Security, Google Cloud
25:23

Topics covered:

  • We have a really interesting problem here: if we make great investments in our use of trusted repositories, and great investments in doing code review on every change, and securing our build systems, and having reproducible builds, how do we know that all of what we did upstream is actually what gets deployed to production?
  • What are the realistic threats that Binary Authorization handles? Are there specific organizations that are more at risk from those?
  • What’s the Google inspiration for this work, both development and adoption? 
  • How do we make this work in practice at a real organization that is not Google? 
  • Where do you see organizations “getting it wrong” and where do you see organizations “getting it right”?
  • We’ve had a lot of conversations about rolling out zero-trust for enterprise applications. How do those lessons (start small, be visible, plan plan plan) translate into deploying Binauthz in blocking mode?
#65
May 16, 2022

EP65 Is Your Healthcare Security Healthy? Mandiant Incident Response Insights

Guests:

27:27

Topics covered:

  • What are the current “popular” incidents at healthcare providers that you handled? Any of them involve cloud? 
  • Do healthcare CISOs have time for anything other than ransomware?
  • Does insider threat matter? What can incident response teach us here?
  • How do you think the threat actors benefit from the health data they steal? 
  • Based on your IR experience, what are the more interesting ways in, other than phishing?
  • Give us your IR-informed take on the ransomware pay/don’t pay question, ideally focused on healthcare?
#64
May 9, 2022

EP64 Security Operations Center: The People Side and How to Do it Right

Guest:

25:25

Topics covered:

  • What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc)?
  • How do you make SOC training realistic?
  • Should training be about the toolset or should it be about the analyst’s skills?
  • Should you primarily train for engineering skills or analysis skills?
  • Do you need to code to succeed in a modern SOC?
  • Are competitive events like CTFs effective for SOC training?
  • What role does SOC training play in bringing new, perhaps under-represented people into security operations and promoting inclusivity?
#63
May 2, 2022

EP63 State of Autonomic Security Operations: Are There Sharks in Your SOC with Robert Herjavec

Guests:

34:57

Topics covered:

  • It’s been a few months since we launched Autonomic Security Operations (ASO) and it seems like the whitepaper has been going viral in the industry. Tell us what ASO is about?
  • How was the ASO story received by your customers? Any particular reactions?
  • Will the ASO narrative inspire the next generation of practitioners? Where do you envision the market headed?
  • ASO is about transforming the SOC, and that often involves culture change. How do you change the culture and deeper approaches common in security operations?
  • What else can we do to evolve SOC faster than the threats and assets grow?
#62
April 25, 2022

EP62 Protect Modern Applications in the Cloud: Union of API and Application Security

Guest:

  • Etienne De Burgh, Senior Security and Compliance Specialist, Office of the CISO @ Google Cloud
29:29

Topics covered:

  • Why is API security hot now? What happened that made it a priority for many? 
  • Is API security different from application security? Doesn't the first "A" in API stand for application?
  • What are the real threats to exposed APIs?
  • APIs are designed for automated use, so how do you tell automated use from automated abuse / attack?
  • What are the biggest challenges that companies are having with API security?
  • What are the components of API security? Is there a “secure by default API”? API threat detection?
  • Just like cloud in general, API misconfigurations seem to be leading to security problems. Are APIs hard to configure securely for most organizations?
#61
April 18, 2022

EP61 Anniversary Episode - What Did We Learn So Far on Cloud Security Podcast?

Guests:

  • Anton Chuvakin
  • Timothy Peacock
23:23

Topics covered:

  • Why cloud security? What do we really think about our podcast name and topic, cloud security?
  • Can you once again explain security for the cloud, in the cloud, from the cloud?
  • What is one thing that we learned from doing a podcast?
  • Favorite cloud security trend that we encountered on the podcast? 
  • What did we learn about security from organizations migrating to the cloud?
  • What are our favorite reading materials related to cloud security?
  • What are our favorite tips from the guests on securing the cloud?
#60
April 11, 2022

EP60 Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM?

Guest:

23:23

Topics covered:

  • Could you explain briefly why identity is so important in the cloud?
  • A skeptic on cloud security once told us that “in the cloud, we are one identity mistake from a breach.” Is this true?
  • For listeners who aren’t familiar with GCP, could you give us the 30 second story on “what is a service account.” How is it different from a regular IAM account?
  • What are service account impersonations?
  • How can I see if my service accounts can be impersonated? How do I detect it?
  • How can I better secure my organization from impersonation attacks?
#59
April 4, 2022

EP59 Zero Trust: So Easy Even a Government Can Do It?

27:37

Topics covered:

  • What is your favorite definition of zero trust?
  • You had posted a blog analyzing the White House ZT memo on the federal government’s transition to “zero trust.” What caught your eye about the Zero Trust memo, and why did you decide to write about it?
  • What’s behind the federal government’s recommendations to deprecate VPNs and recommend users “authenticate to applications, not networks”?
  • What do these recommendations mean for cloud security, today and in the future?
  • What do you think would be the hardest things to implement in real US Federal IT environments?
  • Are there other recommendations in the memo to think about as organizations design zero trust strategies for their infrastructure? 
  • What are some of the challenges of implementing zero trust in general?
#58
March 28, 2022

EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond

Guests:

  • Alexi Wiemer, Senior Manager at Deloitte Cyber Detection and Response Practice
  • Dan Lauritzen, Senior Manager at Deloitte Cloud Security Practice
25:25

Topics covered:

  • What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in? 
  • What is your best advice to SOCs that are permanently and woefully understaffed? 
  • Many SOC analysts are drowning in manual work, and it is easy to give advice that “they need to automate.” What does this actually entail, in real life?
  • What is, in your view, the most critical technology for a modern SOC? Is it SIEM? Is it SOAR? Is it EDR? 
  • What is the best advice for a SOC that was handed cloud on a platter and was told to monitor it for threats?
  • Occasionally, we hear that “SOC is dead.” What is your response to such dire SOCless predictions? 
#57
March 21, 2022

EP57 Stop Zero Days, Save the World: Project Zero's Maddie Stone Speaks

Guest:

25:25

Topics covered:

  • How do we judge the real risk of being attacked using an exploit for a zero day vulnerability? Does the zero day risk vary by company, industry, etc? 
  • What does pricing for zero days tell us, if anything? Are prices more driven by supply or demand these days?
  • What security controls or defenses are useful against zero days including against chained zero days?
  • Where are the cloud zero days? We see lots of attention on iOS and Android; what about the cloud platforms?
  • So, how do we solve the paradox of zero days: are they more scary than risky, or more risky than scary? Or both?