
Showing 14 episodes for How Google Does

#189
September 9, 2024

EP189 How Google Does Security Programs at Scale: CISO Insights

Guest:

29:29

Topics covered:

  • What were you thinking before you took that “Google CISO” job?
  • Google's infrastructure is vast and complex, yet also modern. How does this influence the design and implementation of your security programs compared to other organizations?
  • Are there any specific challenges or advantages that arise from operating at such a massive scale?
  • What has been most surprising about Google’s internal security culture that you wish you could export to the world at large?
  • What have you learned about scaling teams in the Google context?
  • How do you design effective metrics for your teams and programs?
  • So, yes, AI. Every organization is trying to weigh the risks and benefits of generative AI - do you have advice for the world at large based on how we’ve done this here?

#179
July 1, 2024

EP179 Teamwork Under Stress: Expedition Behavior in Cybersecurity Incident Response

Guest:

27:27

Topics covered:

  • You talk about “teamwork under adverse conditions” to describe expedition behavior (EB). Could you tell us what it means?
  • You have been involved in responding to many high-profile incidents; one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response?
  • Apart from during incident response, which is almost definitionally an adverse condition, how else can security teams apply this knowledge?
  • If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It’s probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team?
  • How do we create it in an existing team or an under-performing team?

#176
June 10, 2024

EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use

Guest:

  • Seth Vargo, Principal Software Engineer responsible for Google's use of the public cloud, Google
23:29

Topics covered:

  • Google uses the public cloud, no way, right? Which one? Oh, yeah, I guess this is obvious: GCP, right?
  • Where are we like other clients of GCP? Where are we not like other cloud users?
  • Do we have any unique cloud security technology that we use that others may benefit from?
  • How does our cloud usage inform our cloud security products?
  • So is our cloud use profile similar to cloud natives or traditional companies?
  • What are some of the most interesting cloud security practices and controls that we use that are usable by others?
  • How do we make them work at scale?

#174
May 27, 2024

EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

Guest:

  • Angelika Rohrer, Sr. Technical Program Manager, Cyber Security Response at Alphabet

29:29

Topics covered:

  • Incident response (IR) is by definition “reactive”, but ultimately incident prep determines your IR success. What are the broad areas where one needs to prepare?
  • You have created a new framework for measuring how ready you are for an incident, what is the approach you took to create it?
  • Can you elaborate on the core principles behind the Continuous Improvement (CI) Framework for incident response?
  • Why is continuous improvement crucial for effective incident response, especially in cloud environments? Can’t you just make a playbook and use it?
  • How do you overcome the desire to focus on the easy metrics and move on to more valuable ones?
  • What do you think Google does best in this area?
  • Can you share examples of how the CI Framework could have helped prevent or mitigate a real-world cloud security incident?
  • How can other organizations practically implement the CI Framework to enhance their incident response capabilities after they read the paper?

#173
May 17, 2024

EP173 SAIF in Focus: 5 AI Security Risks and SAIF Mitigations

Guest:

27:23

Topics covered:

  • What are the unique challenges when securing AI for cloud environments, compared to traditional IT systems?
  • Your talk covers 5 AI risks, why did you pick these five? What are the five, and are these the worst?
  • Some of the mitigations seem the same for all risks. What are the popular SAIF mitigations that cover more of the risks?
  • Can we move quickly and securely with AI? How?
  • What future trends and developments do you foresee in the field of securing AI for cloud environments, and how can organizations prepare for them?
  • Do you think in 2-3 years AI security will be a separate domain or a part of … application security? Data security? Cloud security?

#169
April 22, 2024

EP169 Google Cloud Next 2024 Recap: Is Cloud an Island, So Much AI, Bots in SecOps

Guest:

29:29

Topics covered:

  • What are some of the fun security-related launches from Next 2024 (sorry for our brief “marketing hat” moment!)?
  • Any fun security vendors we spotted “in the clouds”?
  • OK, what are our favorite sessions? Our own, right? Anything else we had time to go to?
  • What are the new security ideas inspired by the event (you really want to listen to this part! Because “freatures”...)
  • Any tricky questions at the end?

#168
April 15, 2024

EP168 Beyond Regular LLMs: How SecLM Enhances Security and What Teams Can Do With It

Guest:

  • Umesh Shankar, Distinguished Engineer, Chief Technologist for Google Cloud Security
  • Scott Coull, Head of Data Science Research, Google Cloud Security
27:23

Topics covered:

  • What does it mean to “teach AI security”? How did we make SecLM? And also: why did we make SecLM?
  • What can “security trained LLM” do better vs regular LLM?
  • Does making it better at security make it worse at other things that we care about?
  • What can a security team do with it today? What are the “starter use cases” for SecLM?
  • What has been the feedback so far in terms of impact - both from practitioners but also from team leaders?
  • Are we seeing the limits of LLMs for our use cases? Is the “LLM is not magic” finally dawning?

#167
April 8, 2024

EP167 Stolen Cards and Fake Accounts: Defending Google Cloud Against Abuse

Guest:

  • Maria Riaz, Cloud Counter-Abuse, Engineering Lead, Google Cloud
27:23

Topics covered:

  • What is “counter abuse”? Is this the same as security?
  • What does counter-abuse look like for GCP?
  • What are the popular abuse types we face?
  • Do people use stolen cards to get accounts to then violate the terms with?
  • How do we deal with this, generally?
  • Beyond core technical skills, what are some of the relevant competencies for working in this space that would appeal to a diverse set of audiences?
  • You have worked in academia and industry. What similarities or differences have you observed?

#164
March 18, 2024

EP164 Quantum Computing: Understanding the (very serious) Threat and Post-Quantum Cryptography

Guest:

27:27

Topics covered:

  • Since one of us (!) doesn't have a PhD in quantum mechanics, could you explain what a quantum computer is and how we know they are on a credible path towards being real threats to cryptography? How soon do we need to worry about this one?
  • We’ve heard that quantum computers are more of a threat to asymmetric/public key crypto than symmetric crypto. First off, why? And second, what does this difference mean for defenders?
  • Why (how) are we sure this is coming? Are we mitigating a threat that is perennially 10 years ahead and then vanishes due to some other broad technology change?
  • What is a post-quantum algorithm anyway? If we’re baking new key exchange crypto into our systems, how confident are we that we are going to be resistant to both quantum and traditional cryptanalysis?
  • Why does NIST think it's time to be doing the PQC thing now? Where is the rest of the industry on this evolution?
  • How can a person tell the difference here between reality and snakeoil? I think Anton and I both responded to your initial email with a heavy dose of skepticism, and probably more skepticism than it deserved, so you get the rare on-air apology from both of us!

#159
February 12, 2024

EP159 Workspace Security: Built for the Modern Threat. But How?

Guest:

27:27

Topics covered:

  • Workspace makes the claim that, unlike other productivity suites available today, it’s architected for the modern threat landscape. That’s a big claim! What gives Google the ability to make this claim?
  • Workspace environments would have many different types of data, some very sensitive. What are some of the common challenges with controlling access to data and protecting data in hybrid work?
  • What are some of the common mistakes you see customers making with Workspace security?
  • What are some of the ways context aware access and DLP (now SDP) help with this?
  • What are the cool future plans for DLP and CAA?

#158
February 5, 2024

EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics

Guest:

29:29

Topics covered:

  • Could you share a bit about when you get pulled into incidents and what are your goals when you are?
  • How does that change in the cloud? How do you establish a chain of custody and prove it for law enforcement, if needed?
  • What tooling do you rely on for cloud forensics and is that tooling available to "normal people"?
  • How do we at Google know when it’s time to call for help, and how should our customers know that it’s time?
  • Can I quote Ray Parker Jr and ask, who you gonna call?
  • What’s your advice to a security leader on how to “prepare for the inevitable” in this context?
  • Cloud forensics - is it easier or harder than the 1990s classic forensics?

#154
January 8, 2024

EP154 Mike Schiffman: from Blueboxing to LLMs via Network Security at Google

Guest:

29:29

Topics covered:

  • Given your impressive and interesting history, tell us a few things about yourself?
  • What are the biggest challenges facing network security today based on your experience?
  • You came to Google to work on Network Security challenges. What are some of the surprising ones you’ve uncovered here?
  • What lessons from Google's approach to network security absolutely don’t apply to others? Which ones perhaps do?
  • If you have to explain the difference between network security in the cloud and on-premise, what comes to mind first?
  • How do we balance better encryption with better network security monitoring and detection?
  • Speaking of challenges in cryptography, we’re all getting fired up about post-quantum and network security. Could you give us the maybe 5 minute teaser version of this because we have an upcoming episode dedicated to this?
  • We hear you have some interesting insight on LLMs, something to do with blueboxing or something. What is that about?

#152
December 11, 2023

EP152 Trust, Security and Google's Annual Transparency Report

Guest:

  • Michee Smith, Director, Product Management for Global Affairs Works, Google
27:27

Topics covered:

  • What is the Google Annual Transparency Report and how did we get started doing this?
  • Surely the challenge of a transparency report is that there are things we can’t be transparent about, how do we balance this? What are those? Is it a safe question?
  • What are Access Transparency Logs, and are they connected to the report, other than in Tim's mind and your career?
  • Beyond building the annual transparency report, you also work on our central risk data platform. Every business has a problem managing risk: what’s special here? Do we have any Google magic here?
  • Could you tell us about your path in Product Management here? You have been here eight years, and recently became Director. Do you have any advice for the ambitious Google PMs listening to the show?

#151
December 4, 2023

EP151 Cyber Insurance in the Cloud Era: Balancing Protection, Data and Risks

Guest:

  • Monica Shokrai, Head of Business Risk and Insurance for Google Cloud
29:29

Topics covered:

  • Could you give us the 30 second run down of what cyber insurance is and isn't?
  • Can you tie that to clouds? How does the cloud change it? Is it the case that now I don't need insurance for some of the "old school" cyber risks?
  • What challenges are insurers facing with assessing cloud risks? On this show I struggle to find CISOs who "get" cloud, are there insurers and underwriters who get it?
  • We recently heard about an insurer reducing coverage for incidents caused by old CVEs! What's your take on this? Effective incentive structure to push orgs towards patching operational excellence or someone finding yet another way not to pay out? Is insurance the magic tool for improving security?
  • Doesn't cyber insurance have a difficult reputation with clients? “Will they even pay?” “Will it be enough?” “Is this a cyberwar exception?” type stuff?
  • How do we balance our motives between selling more cloud and providing effective risk underwriting data to insurers?
  • How soon do you think we will have actuarial data from many clients re: real risks in the cloud? What about the fact that risks change all the time unlike say many “non cyber” risks?