Showing 5 episodes for Cloud Threat Detection
#182
July 22, 2024
EP182 ITDR: The Missing Piece in Your Security Puzzle or Yet Another Tool to Buy?
Topics covered:
- What is Identity Threat Detection and Response (ITDR)? How do you define it?
- What gets better at a client organization once ITDR is deployed?
- Do we also need “ISPM” (parallel to CDR/CSPM), and what about CIEM?
- Workload identity ITDR vs human identity ITDR? Do we need both? Are these the same?
- What are the alternatives to using ITDR? Can’t SIEM/UEBA help - perhaps with browser logs?
- What are some of the common types of identity-based threats that ITDR can help detect?
- What advice would you give to organizations that are considering implementing ITDR?
#157
January 29, 2024
EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud
Topics covered:
- How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response?
- What are the key challenges of cloud detection and response?
- We often lift and shift our teams to the cloud, and not always for bad reasons, so what’s your advice on teaching the old dogs new tricks: how do “on-premises-trained” D&R teams adapt to cloud D&R?
- What is this new CIRA thing that Gartner just cooked up? Should CIRA exist as a separate market or technology or is this just a slice of CDR or even SIEM perhaps?
- What do you tell people who say that “SIEM is their CDR”?
- What are the key roles and responsibilities of the CDR team? How is the cloud D&R process related to DevOps and cloud-style IT processes?
#153
December 18, 2023
EP153 Kevin Mandia on Cloud Breaches: New Threat Actors, Old Mistakes, and Lessons for All
Topics covered:
- When you look back, what were the most surprising cloud breaches in 2023, and what can we learn from them? How were they different from the “old world” of on-prem breaches?
- For a long time it’s felt like incident response has been an on-prem specialization, and that adversaries are primarily focused on compromising on-prem infrastructure. Who are we seeing go after cloud environments? The same threat actors or not?
- Could you share a bit about the mistakes and risks that you saw organizations make that made their cloud breaches possible or made them worse? Conversely, what ended up being helpful to organizations in limiting the blast radius or making response easier?
- Tim’s mother worked in a network disaster recovery team for a long time; their motto was “preparing for the inevitable.” What advice do you have for helping security teams and IT teams get ready for cloud breaches? Especially for recent cloud entrants?
#149
November 20, 2023
EP149 Canned Detections: From Educational Samples to Production-Ready Code
Guests:
- John Stoner, Principal Security Strategist, Google Cloud Security
- Dave Herrald, Head of Adopt Engineering, Google Cloud Security
Topics covered:
- In your experience, past and present, what would make clients trust vendor detection content?
- Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from?
- What is more important, seeing the detection or being able to change it, or both?
- If this is about seeing the detection code/content, what about ML and algorithms?
- What about the SOC analysts who don't read the code?
- What about “tuning” - is tuning detections a bad word now in 2023?
- Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic?
#147
November 8, 2023
EP147 Special: 2024 Security Forecast Report
Topics covered:
- Can you really forecast threats? Won’t the threat actors ultimately do whatever they want?
- How can clients use the forecast? Or as Tim would say it, what gets better once you read it?
- What is the threat forecast for cloud environments? “Cyber attacks targeting hybrid and multi-cloud environments will mature and become more impactful“ - what does it mean?
- Of course AI makes an appearance as well: “LLMs and other gen AI tools will likely be developed and offered as a service to assist attackers with target compromises.” Do we really expect attacker-run LLM SaaS? What model will they use? Will it be good?
- There are a number of significant elections scheduled for 2024, are there implications for cloud security?
- Based on the threat information, tell me about something that is going well, what will get better in 2024?