Showing 7 episodes for Cloud Threat Detection

#213
March 3, 2025

EP213 From Promise to Practice: LLMs for Anomaly Detection and Real-World Cloud Security

Guest:

29:29

Topics covered:

  • Where do you see a gap between the “promise” of LLMs for security and how they are actually used in the field to solve customer pains?
  • I know you use LLMs for anomaly detection. Explain how that “trick” works? What is it good for? How effective do you think it will be? 
  • Can you compare this to other anomaly detection methods? Also, won’t this be costly - how do you manage to keep inference costs under control at scale? 
  • SOC teams often grapple with the tradeoff between “seeing everything” so that they never miss any attack, and handling too much noise. What are you seeing emerge in cloud D&R to address this challenge?
  • We hear from folks who developed an automated approach to handle a reviews queue previously handled by people. Inevitably even if precision and recall can be shown to be superior, executive or customer backlash comes hard with a false negative (or a flood of false positives). Have you seen this phenomenon, and if so, what have you learned about handling it?
  • What are other barriers that need to be overcome so that LLMs can push the envelope further for improving security?
  • So from your perspective, LLMs are going to tip the scale in whose favor - cybercriminals or defenders?

#182
July 22, 2024

EP182 ITDR: The Missing Piece in Your Security Puzzle or Yet Another Tool to Buy?

Guest:

27:27

Topics covered:

  • What is Identity Threat Detection and Response (ITDR)? How do you define it?
  • What gets better at a client organization once ITDR is deployed?
  • Do we also need “ISPM” (parallel to CDR/CSPM), and what about CIEM?
  • Workload identity ITDR vs human identity ITDR? Do we need both? Are these the same?
  • What are the alternatives to using ITDR? Can’t SIEM/UEBA help - perhaps with browser logs?
  • What are some of the common types of identity-based threats that ITDR can help detect?
  • What advice would you give to organizations that are considering implementing ITDR?

#157
January 29, 2024

EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud

Guest:

27:27

Topics covered:

  • How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response?
  • What are the key challenges of cloud detection and response?
  • Often we lift and shift our teams to Cloud, and not always for bad reasons, so what’s your advice on how to teach the old dogs new tricks: “on-premise-trained” D&R teams and cloud D&R?
  • What is this new CIRA thing that Gartner just cooked up? Should CIRA exist as a separate market or technology or is this just a slice of CDR or even SIEM perhaps?
  • What do you tell people who say that “SIEM is their CDR”?
  • What are the key roles and responsibilities of the CDR team? How is the cloud D&R process related to DevOps and cloud-style IT processes?

#153
December 18, 2023

EP153 Kevin Mandia on Cloud Breaches: New Threat Actors, Old Mistakes, and Lessons for All

Guest:

29:29

Topics covered:

  • When you look back, what were the most surprising cloud breaches in 2023, and what can we learn from them? How were they different from the “old world” of on-prem breaches? 
  • For a long time it’s felt like incident response has been an on-prem specialization, and that adversaries are primarily focused on compromising on-prem infrastructure. Who are we seeing go after cloud environments? The same threat actors or not?
  • Could you share a bit about the mistakes and risks that you saw organizations make that made their cloud breaches possible or made them worse? Conversely, what ended up being helpful to organizations in limiting the blast radius or making response easier? 
  • Tim’s mother worked in a network disaster recovery team for a long time; their motto was “preparing for the inevitable.” What advice do you have for helping security teams and IT teams get ready for cloud breaches? Especially for recent cloud entrants?

#149
November 20, 2023

EP149 Canned Detections: From Educational Samples to Production-Ready Code

Guest:

  • John Stoner, Principal Security Strategist, Google Cloud Security
  • Dave Herrald, Head of Adopt Engineering, Google Cloud Security

29:29

Topics covered:

  • In your experience, past and present, what would make clients trust vendor detection content?
  • Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from?
  • What is more important, seeing the detection or being able to change it, or both?
  • If this is about seeing the detection code/content, what about ML and algorithms?
  • What about the SOC analysts who don't read the code?
  • What about “tuning” - is tuning detections a bad word now in 2023?
  • Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic?

#147
November 8, 2023

EP147 Special: 2024 Security Forecast Report

Guest:

25:25

Topics covered:

  • Can you really forecast threats? Won’t the threat actors ultimately do whatever they want?
  • How can clients use the forecast? Or as Tim would say it, what gets better once you read it?
  • What is the threat forecast for cloud environments? “Cyber attacks targeting hybrid and multi-cloud environments will mature and become more impactful“ - what does it mean?
  • Of course AI makes an appearance as well: “LLMs and other gen AI tools will likely be developed and offered as a service to assist attackers with target compromises.” Do we really expect attacker-run LLM SaaS? What model will they use? Will it be good?
  • There are a number of significant elections scheduled for 2024, are there implications for cloud security?
  • Based on the threat information, tell me about something that is going well, what will get better in 2024?

#78
August 8, 2022

EP78 Classic SOC Meets Cloud: What Changes? What Stays the Same?

Guest:

23:29

Topics covered:

  • How do we get a legacy SOC team to think about the cloud?
  • How to think about cloud threat detection, in general? What is different … threats, the environment, what else? What is the same?
  • How do we know which TTPs are relevant for the new environments? What to bring with us to the cloud?
  • Do content/rules and detection engines need to be different to cover the cloud detection use cases?
  • What cases are appropriate for machine learning (ML) in the cloud? Do cloud threats drive the need for new ML detections?