Join your hosts, Anton Chuvakin and Timothy Peacock, as they talk with industry experts about some of the most interesting areas of cloud security. If you like having threat models questioned and a few bad puns, please tune in!
EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations
Guest:
Chris Corde, Sr Director of Product Management - Security Operations, Google Cloud
27:29
Topics covered:
You cover many products, but let’s focus on Chronicle today. An easy question: Chronicle isn’t an XDR, so what is it?
Since you’ve joined the team, what’re you most proud of shipping to clients?
Could you share more about the Mandiant acquisition, what’s been a happy surprise and what are you looking forward to making available to customers?
Some believe that good security operations success is mostly about process, yet we are also building these amazing products. What is your view of how much security ops success hinges on products vs practices?
When it comes to building out Chronicle’s position in the market, how are we leveraging the depth of expertise that people have with other SIEM tools compared to ours?
What advice do you have for security professionals who want to transition into product management?
Could you give us a 2 minute picture on what Terraform is, what stages of the cloud lifecycle it is relevant for, and how it intersects with security teams?
How can Terraform be used for security automation? How should security teams work with DevOps teams to use it?
What are some of the obvious and not so obvious security challenges of using Terraform?
How can security best practices be applied to infrastructure instantiated via Terraform?
What is the relationship between Terraform and policy as code (PaC)?
How do you get started with all this?
What do you tell the security teams who want to do cloud security the “old way” and not the cloud-native way?
We care both about securing AI and using AI for security. How do you organize your thinking about it?
Executive surveys imply that trusting an AI (for business) is still an issue. How can we trust AI for security? What does it mean to “trust AI” in this context?
How should defenders think about threat modeling AI systems?
Back to using AI for security, what are the absolute worst security use cases for GenAI? Think “generate code and run it on prod” or something like that?
What does it mean to “teach AI security” like we did with Sec-PALM2? What is actually involved in this?
What were some surprising challenges we ran into here?
Why is AI a game-changer for security? Can we even have game-changers in cyber security?
Is it more detection or is it more reducing toil and making humans more productuve? What are you favorite AI for security use cases?
What “AI + security” issue makes you - a classic CISO question here - lose sleep at night?
Does AI help defenders or attackers more? Won’t attackers adopt faster because they don’t have as many rules (but yes, they have bosses and budgets too)?
Aren’t there cases where defenders benefit a lot more and gain a superpower with AI while attackers are faced with defeat?
The importance of User Experience (UX) in security is so obvious – though it isn’t to a lot of people! Could we talk about the importance of UX in security?
UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this?
How do you think about prioritizing your team’s time between day zero vs day n experiences for users of security tools?
Some say that cloud security should be invisible, but does this mean no UX at all? What are the intersections between UX for security and invisible security?
Can you think of what single UX change in Cloud Security’s portfolio made the biggest impact to actual security outcomes?
We have this new tool/approach for planning called Jobs To Be Done (JTBD) - give us the value, and the history? In the world of JTBD planning, what gets better?
EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge
Guest:
Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly
31:31
Topics covered:
So what is Security Chaos Engineering?
“Chapter 5. Operating and Observing” is Anton’s favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection?
How chaos engineering (or is it really about software resilience?) intersects with Cloud security--is this peanut butter and chocolate or more like peanut butter and pickles?
How can organizations get started with chaos engineering for software resilience and security?
What is your favorite chaos engineering experiment that you have ever done?
We often talk about using the SRE lessons for security, and yet many organizations do security the 1990s way. Are there ways to use chaos engineering as a forcing function to break people out of their 1990s thinking and time warp them to 2023
Analysts (well, like Steve and Anton in the past?) say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this today?
When clients hear “use cloud securely”, what do you think comes to their minds?
How would you approach planning for secure use of the cloud or using cloud securely?
What is your view of cloud defense in depth (DiD) or layered defenses? How do you suggest clients think about it? What about DiD for SaaS?
What are your thoughts on the evolution of zero trust? How has it changed since its introduction back in 2010?
Awareness of and interest in SSE and SASE is growing. But at the same time, plenty of folks seem deeply perplexed by these. How would you explain them to someone not deeply immersed in the details?
