Cloud Security Podcast

Join your hosts, Anton Chuvakin and Timothy Peacock, as they talk with industry experts about some of the most interesting areas of cloud security. If you like having threat models questioned and a few bad puns, please tune in!

cloud-security-podcast_high_res.png

Episode list

#139
September 18, 2023

EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations

Guest:

  • Chris Corde, Sr Director of Product Management - Security Operations, Google Cloud
27:29

Topics covered:

  • You cover many products, but let’s focus on Chronicle today. An easy question: Chronicle isn’t an XDR, so what is it?
  • Since you’ve joined the team, what’re you most proud of shipping to clients?
  • Could you share more about the Mandiant acquisition,  what’s been a happy surprise and what are you looking forward to making available to customers?
  • Some believe that good security operations success is mostly about process, yet we are also building these amazing products. What is your view of how much security ops success hinges on products vs practices?
  • When it comes to building out Chronicle’s position in the market, how are we leveraging the depth of expertise that people have with other SIEM tools compared to ours?
  • What advice do you have for security professionals who want to transition into product management? 
Read more
#138
September 11, 2023

EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud

Guest:

27:23

Topics covered:

  • Could you give us a 2 minute picture on what Terraform is, what stages of the cloud lifecycle it is relevant for, and how it intersects with security teams?
  • How can Terraform be used for security automation? How should security teams work with DevOps teams to use it?
  • What are some of the obvious and not so obvious security challenges of using Terraform?
  • How can security best practices be applied to infrastructure instantiated via Terraform?
  • What is the relationship between Terraform and policy as code (PaC)?
  • How do you get started with all this?
  • What do you tell the security teams who want to do cloud security the “old way” and not the cloud-native way?
Read more
#137
September 5, 2023

EP137 Next 2023 Special: Conference Recap - AI, Cloud, Security, Magical Hallway Conversations

Guest:

  • no guests, all banter, all very fun :-)
25:25

Topics covered:

  • How is Google Cloud Next this year? What is new in cloud security?
  • Is Google finally a security vendor?
  • What are some of the fun security presentations we've seen, including our own?
  • Any impactful launches in security?
  • What was the most interesting overall?
Read more
#136
August 28, 2023

EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?

Guest:

  • Eric Doerr, VP of Engineering, Google Cloud Security
25:29

Topics covered:

  • You have a Next presentation on AI, what is the most exciting part for you?
  • We care both about securing AI and using AI for security. How do you organize your thinking about it?
  • Executive surveys imply that trusting an AI (for business) is still an issue. How can we trust AI for security? What does it mean to “trust AI” in this context? 
  • How should defenders think about threat modeling AI systems? 
  • Back to using AI for security, what are the absolute worst security use cases for GenAI? Think “generate code and run it on prod” or something like that?
  • What does it mean to “teach AI security” like we did with Sec-PALM2? What is actually involved in this?
  • What were some surprising challenges we ran into here?
Read more
#135
August 21, 2023

EP135 AI and Security: The Good, the Bad, and the Magical

Guest:

29:29

Topics covered:

  • Why is AI a game-changer for security? Can we even have game-changers in cyber security?
  • Is it more detection or is it more reducing toil and making humans more productuve? What are you favorite AI for security use cases?
  • What “AI + security” issue makes you  - a classic CISO question  here - lose sleep at night?
  • Does AI help defenders or attackers more? Won’t attackers adopt faster because they don’t have as many rules (but yes, they have bosses and budgets too)? 
  • Aren’t there cases where defenders benefit a lot more and gain a superpower with AI while attackers are faced with defeat?
  • Is securing AI more similar or more different from securing other enterprise systems?
  • Does shared fate apply to AI?
Read more
#134
August 14, 2023

EP134 How to Prioritize UX and Security in the Cloud: UX as a Security Capability

Guest:

  • Steph Hay , Director of UX, Google Cloud Security
23:23

Topics covered:

  • The importance of User Experience (UX) in security is so obvious – though it isn’t to a lot of people! Could we talk about the importance of UX in security?
  • UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this?
  • How do you think about prioritizing your team’s time between day zero vs day n experiences for users of security tools?
  • Some say that cloud security should be invisible, but does this mean no UX at all? What are the intersections between UX for security and invisible security?
  • Can you think of what single UX change in Cloud Security’s portfolio made the biggest impact to actual security outcomes?
  • We have this new tool/approach for planning called Jobs To Be Done (JTBD) - give us the value, and the history? In the world of JTBD planning, what gets better?
Read more
#133
August 7, 2023

EP133 The Shared Problem of Alerting: More SRE Lessons for Security

Guest:

29:29

Topics covered:

  • What is the shared problem for SRE and security when it comes to alerting?
  • Why is there reluctance to reduce noise?
  • How do SREs, security practitioners, and other stakeholders define “incident” and “risk”?
  • How does involving an “adversary” change the way people think about an incident, even if the impact is identical?
  • Which SRE alerting lessons do NOT apply at all for security?
Read more
#132
July 31, 2023

EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge

Guest:

31:31

Topics covered:

  • So what is Security Chaos Engineering?
  • “Chapter 5. Operating and Observing” is Anton’s favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection?
  • How chaos engineering (or is it really about software resilience?)  intersects with Cloud security--is this peanut butter and chocolate or more like peanut butter and pickles?
  • How can organizations get started with chaos engineering for software resilience and security?
  • What is your favorite chaos engineering experiment that you have ever done?
  • We often talk about using the SRE lessons for security, and yet many organizations do security the 1990s way. Are there ways to use chaos engineering as a forcing function to break people out of their 1990s thinking and time warp them to 2023
Read more
#131
July 24, 2023

EP131 A Deep Dive into Google's Assured OSS: How Google Secures the Software You Use

Guests:

  • Himanshu Khurana, Engineering Manager, Google Cloud
  • Rahul Gupta, Product Manager for Assured OSS, Google Cloud
27:23

Topics covered:

  • For the software you’re supporting in Assured Open Source your team discovered 50% of the CVEs reported in them this year. How did that happen? 
  • So what is Assured Open Source?
  • Do we really guarantee its security? What does “guarantee” here mean?
  • What’re users actually paying for here?
  • What’s the Google magic here and why are we doing this? 
  • Do we really audit all code and fuzz for security issues?
  • What’s a supply chain attack and then we’ll talk about how this is plugging into those gaps?
Read more
#130
July 17, 2023

EP130 Cloud is Secure: Are you Using It Securely - True or False? And What about SaaS?

Guest:

29:29

Topics covered:

  • Analysts (well, like Steve and Anton in the past?) say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this today?
  • When clients hear “use cloud securely”, what do you think comes to their minds?
  • How would you approach planning for secure use of the cloud or using cloud securely?
  • What is your view of cloud defense in depth (DiD) or layered defenses? How do you suggest clients think about it? What about DiD for SaaS?
  • What are your thoughts on the evolution of zero trust? How has it changed since its introduction back in 2010?
  • Awareness of and interest in SSE and SASE is growing. But at the same time, plenty of folks seem deeply perplexed by these. How would you explain them to someone not deeply immersed in the details? 
Read more