Cloud Security Podcast

Join your hosts, Anton Chuvakin and Timothy Peacock, as they talk with industry experts about some of the most interesting areas of cloud security. If you like having threat models questioned and a few bad puns, please tune in!

cloud-security-podcast_high_res.png

Episode list

#173
May 17, 2024

EP173 SAIF in Focus: 5 AI Security Risks and SAIF Mitigations

Guest:

27:23

Topics covered:

  • What are the unique challenges when securing AI for cloud environments, compared to traditional IT systems?
  • Your talk covers 5 AI risks, why did you pick these five? What are the five, and are these the worst?
  • Some of the mitigation seem the same for all risks. What are the popular SAIF mitigations that cover more of the risks?
  • Can we move quickly and securely with AI? How?
  • What future trends and developments do you foresee in the field of securing AI for cloud environments, and how can organizations prepare for them?
  • Do you think in 2-3 years AI security will be a separate domain or a part of … application security? Data security? Cloud security?
#172
May 13, 2024

EP172 RSA 2024: Separating AI Signal from Noise, SecOps Evolves, XDR Declines?

Guest:

none

27:23

Topics covered:

  • What have we seen at RSA 2024?
  • Which buzzwords are rising (AI! AI! AI!) and which ones are falling (hi XDR)?
  • Is this really all about AI? Is this all marketing?
  • Security platforms or focused tools, who is winning at RSA?
  • Anything fun going on with SecOps?
  • Is cloud security still largely about CSPM?
  • Any interesting presentations spotted?
#171
May 6, 2024

EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side

Guest:

29:29

Topics covered:

  • Given your experience, how afraid or nervous are you about the use of GenAI by the criminals (PoisonGPT, WormGPT and such)?
  • What can a top-tier state-sponsored threat actor do better with LLM? Are there “extra scary” examples, real or hypothetical?
  • Do we really have to care about this “dangerous capabilities” stuff (CBRN)? Really really?
  • Why do you think that AI favors the defenders? Is this a long term or a short term view?
  • What about vulnerability discovery? Some people are freaking out that LLM will discover new zero days, is this a real risk?
#170
April 29, 2024

EP170 Redefining Security Operations: Practical Applications of GenAI in the SOC

Guest:

Topics:

SIEM and SOC
29:29

Topics covered:

  • What are the different use cases for GenAI in security operations and how can organizations  prioritize them for maximum impact to their organization?
  • We’ve heard a lot of worries from people that GenAI will replace junior team members–how do you see GenAI enabling more people to be part of the security mission?
  • What are the challenges and risks associated with using GenAI in security operations?
  • We’ve been down the road of automation for SOCs before–UEBA and SOAR both claimed it–and AI looks a lot like those but with way more matrix math-what are we going to get right this time that we didn’t quite live up to last time(s) around?
  • Imagine a SOC or a D&R team of 2029. What AI-based magic is routine at this time? What new things are done by AI? What do humans do?
#169
April 22, 2024

EP169 Google Cloud Next 2024 Recap: Is Cloud an Island, So Much AI, Bots in SecOps

Guest:

29:29

Topics covered:

  • What are some of the fun security-related launches from Next 2024 (sorry for our brief “marketing hat” moment!)?
  • Any fun security vendors we spotted “in the clouds”?
  • OK, what are our favorite sessions? Our own, right? Anything else we had time to go to?
  • What are the new security ideas inspired by the event (you really want to listen to this part! Because “freatures”...)
  • Any tricky questions at the end?
#168
April 15, 2024

EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It

Guests:

  • Umesh Shankar, Distinguished Engineer, Chief Technologist for Google Cloud Security
  • Scott Coull, Head of Data Science Research, Google Cloud Security
27:23

Topics covered:

  • What does it mean to “teach AI security”? How did we make SecLM? And also: why did we make SecLM?
  • What can “security trained LLM” do better vs regular LLM?
  • Does making it better at security make it worse at other things that we care about?
  • What can a security team do with it today?  What are the “starter use cases” for SecLM?
  • What has been the feedback so far in terms of impact - both from practitioners but also from team leaders?
  • Are we seeing the limits of LLMs for our use cases? Is the “LLM is not magic” finally dawning?
#167
April 8, 2024

EP167 Stolen Cards and Fake Accounts: Defending Google Cloud Against Abuse

Guest:

  • Maria Riaz, Cloud Counter-Abuse, Engineering Lead, Google Cloud
27:23

Topics covered:

  • What is “counter abuse”? Is this the same as security?
  • What does counter-abuse look like for GCP?
  • What are the popular abuse types we face? 
  • Do people use stolen cards to get accounts to then violate the terms with?
  • How do we deal with this, generally?
  • Beyond core technical skills, what are some of the relevant competencies for working in this space that would appeal to a diverse set of audience?
  • You have worked in academia and industry. What similarities or differences have you observed?
#166
April 1, 2024

EP166 Workload Identity, Zero Trust and SPIFFE (Also Turtles!)

Guests:

27:27

Topics covered:

  • Today we have IAM,  zero trust and security made easy. With that intro, could you give us the 30 second version of what a workload identity is and why people need them? 
  • What’s so spiffy about SPIFFE anyway? 
  • What’s different between this and micro segmentation of your network–why is one better or worse? 
  • You call your book “solving the bottom turtle” could you tell us what that means?
  • What are the challenges you’re seeing large organizations run into when adopting this approach at scale? 
  • Of all the things a CISO could prioritize, why should this one get added to the list? What makes this, which is so core to our internal security model–ripe for the outside world?
  • How people do it now, what gets thrown away when you deploy SPIFFE? Are there alternative?
  • SPIFFE is interesting, yet can a startup really “solve for the bottom turtle”? 
#165
March 25, 2024

EP165 Your Cloud Is Not a Pet - Decoding 'Shifting Left' for Cloud Security

Guest:

  • Ahmad Robinson,  Cloud Security Architect, Google Cloud
25:25

Topics covered:

  • You’ve done a BlackHat webinar where you discuss a Pets vs Cattle mentality when it comes to cloud operations. Can you explain this mentality and how it applies to security?
  • What in your past led you to these insights?  Tell us more about your background and your journey to Google.  How did that background contribute to your team?
  • One term that often comes up on the show and with our customers is 'shifting left.'  Could you explain what 'shifting left' means in the context of cloud security? What’s hard about shift left, and where do orgs get stuck too far right?
  • A lot of “cloud people” talk about IaC and PaC but the terms and the concepts are occasionally confusing to those new to cloud. Can you briefly explain Policy as Code  and its security implications? Does PaC help or hurt security?
#164
March 18, 2024

EP164 Quantum Computing: Understanding the (very serious) Threat and Post-Quantum Cryptography

Guest:

27:27

Topics covered:

  • Since one of us (!) doesn't have a PhD in quantum mechanics, could you explain what a quantum computer is and how do we know they are on a credible path towards being real threats to cryptography? How soon do we need to worry about this one?
  • We’ve heard that quantum computers are more of a threat to asymmetric/public key crypto than symmetric crypto. First off, why? And second, what does this difference mean for defenders?
  • Why (how) are we sure this is coming? Are we mitigating a threat that is perennially 10 years ahead and then vanishes due to some other broad technology change?
  • What is a post-quantum algorithm anyway? If we’re baking new key exchange crypto into our systems, how confident are we that we are going to be resistant to both quantum and traditional cryptanalysis? 
  • Why does NIST think it's time to be doing the PQC thing now? Where is the rest of the industry on this evolution?
  • How can a person tell the difference here between reality and snakeoil? I think Anton and I both responded to your initial email with a heavy dose of skepticism, and probably more skepticism than it deserved, so you get the rare on-air apology from both of us!