Cloud Security Podcast
Episodes About Subscribe Voices Topics

Cloud Security Podcast

Join your hosts, Anton Chuvakin and Timothy Peacock, as they talk with industry experts about some of the most interesting areas of cloud security. If you like having threat models questioned and a few bad puns, please tune in!

cloud-security-podcast_high_res.png

Episode list

#183
July 29, 2024

EP183 Cloud Security Journeys: Improve, Evolve, Transform with Cloud Customers

Guests:

Topics:

Voices Cloud Migration
27:27

Topics covered:

  • Security transformation is hard, do you have any secret tricks or methods that actually make it happen?
  • Can you share a story about a time when you helped a customer transform their cloud security posture?  Not just improve, but actually transform!
  • What is your process for understanding their needs and developing a security solution that is tailored to them? What to do if a customer does not want to share what is necessary or does not know themselves?
  • What are some of the most common security mistakes that you see organizations make when they move to the cloud?
  • What about the customers who insist on practicing in the cloud the same way they did on-premise? What do you tell the organizations that insist that “cloud is just somebody else’s computer” and they insist on doing security the old-fashioned way?
  • What advice would you give to organizations that are just starting out on their cloud security journey? 
  • What are the first three cloud security steps you recommend that work for a cloud environment they inherited?

Resources:

Read More
#182
July 22, 2024

EP182 ITDR: The Missing Piece in Your Security Puzzle or Yet Another Tool to Buy?

Guest:

Topics:

Cloud Threat Detection Identity and Access
27:27

Topics covered:

  • What is Identity Threat Detection and Response (ITDR)? How do you define it?
  • What gets better at a client organization once ITDR is deployed?
  • Do we also need  “ISPM” (parallel to CDR/CSPM), and what about CIEM?
  • Workload identity ITDR vs human identity ITDR? Do we need both? Are these the same?
  • What are the alternatives to using ITDR? Can’t SIEM/UEBA help - perhaps with browser logs?
  • What are some of the common types of identity-based threats that ITDR can help detect?
  • What advice would you give to organizations that are considering implementing ITDR?

Resources:

Read More
#181
July 15, 2024

EP181 Detection Engineering Deep Dive: From Career Paths to Scaling SOC Teams

Guest:

Topics:

SIEM and SOC
29:29

Topics covered:

  • What are the biggest challenges facing detection engineers today?
  • What do you tell people who want to consume detections and not engineer them?
  • What advice would you give to someone who is interested in becoming a detection engineer at her organization?
  • So, what IS a detection engineer? Do you need software skills to be one? How much breadth and depth do you need?
  • What should a SOC leader whose team totally lacks such skills do?
  • You created Detection Engineering Weekly. What motivated you to start this publication, and what are your goals for it? What are the learnings so far?
  • You work for a vendor, so how should customers think of vendor-made vs customer-made detections and their balance? 
  • What goes into a backlog for detections and how do you inform it?

Resources:

Read More
#180
July 8, 2024

EP180 SOC Crossroads: Optimization vs Transformation - Two Paths for Security Operations Center

Guests:

Topics:

SIEM and SOC
29:29

Topics covered:

  • The paper outlines two paths for SOCs: optimization or transformation. Can you elaborate on the key differences between these two approaches and the factors that should influence an organization's decision on which path to pursue?
  • The paper also mentions that alert overload is still a major challenge for SOCs. What are some of the practices that work in 2024 for reducing alert fatigue and improving the signal-to-noise ratio in security signals?
  • You also discuss the importance of automation for SOCs. What are some of the key areas where automation can be most beneficial, and what are some of the challenges of implementing automation in SOCs? Automation is often easier said than done…
  • What specific skills and knowledge will be most important for SOC analysts in the future that people didn’t think of 5-10 years ago?
  • Looking ahead, what are your predictions for the future of SOCs? What emerging technologies do you see having the biggest impact on how SOCs operate?

Resources:

Read More
#179
July 1, 2024

EP179 Teamwork Under Stress: Expedition Behavior in Cybersecurity Incident Response

Guest:

Topics:

How Google Does
27:27

Topics covered:

  • You talk about “teamwork under adverse conditions” to describe expedition behavior (EB). Could you tell us what it means?
  • You have been involved in response to many high profile incidents, one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response?  
  • Apart from during incident response which is almost definitionally an adverse condition, how else can security teams apply this knowledge?
  • If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It’s probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team?
  • How do we create it in an existing team or an under-performing team?

Resources:

Read More
#178
June 24, 2024

EP178 Meet Brandon Wood: The Human Side of Threat Intelligence: From Bad IP to Trafficking Busts

Guest:

Topics:

Voices Threat Intelligence
32:31

Topics covered:

  • Threat intelligence is one of those terms that means different things to everyone–can you tell us what this term has meant in the different contexts of your career?  What do you tell people who assume that “TI = lists of bad IPs”?
  • We heard while prepping for this show that you were involved in breaking up a human trafficking ring: tell us about that!
  • In Anton’s experience, a lot  of cyber TI is stuck in “1. Get more TI 2. ??? 3. Profit!” How do you move past that?
  • One aspect of threat intelligence that’s always struck me as goofy is the idea that we can “monitor the dark web” and provide something useful. Can you change my mind on this one?
  • You told us your story of getting into sales, you recently did a successful rotation into the role of Product Manager,, can you tell us about what motivated you to do this and what the experience was like?
  • Are there other parts of your background that inform the work you’re doing and how you see yourself at Google? 
  • How does that impact our go to market for threat intelligence, and what’re we up to when it comes to keeping the Internet and broader world safe?

Resources:

Read More
#177
June 17, 2024

EP177 Cloud Incident Confessions: Top 5 Mistakes Leading to Breaches from Mandiant

Guest:

Topics:

Cloud IR and Forensics
29:29

Topics covered:

  • Most organizations you see use both cloud and on-premise environments. What are the most common challenges organizations face in securing their hybrid cloud environments?
  • You do IR so in your experience, what are top 5  mistakes organizations make that lead to cloud incidents?
  • How and why do organizations get the attack surface wrong? Are there pillars of attack surface?
  • We talk a lot about how IAM matters in the cloud.  Is that true that AD is what gets you in many cases even for other clouds?
  • What is your best cloud incident preparedness advice for organizations that are new to cloud and still use on-prem as well?

Resources:

Read More
#176
June 10, 2024

EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use

Guest:

  • Seth Vargo, Principal Software Engineer responsible for Google's use of the public cloud, Google

Topics:

Cloud Posture and Hygiene Cloud Security Practices How Google Does
23:29

Topics covered:

  • Google uses the public cloud, no way, right? Which one? Oh, yeah, I guess this is obvious: GCP, right?
  • Where are we like other clients of GCP?  Where are we not like other cloud users?
  • Do we have any unique cloud security technology that we use that others may benefit from?
  • How does our cloud usage inform our cloud security products?
  • So is our cloud use profile similar to cloud natives or traditional companies?
  • What are some of the most interesting cloud security practices and controls that we use that are usable by others?
  • How do we make them work at scale? 

Resources:

Read More
#175
June 3, 2024

EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons

Guest:

Topics:

Voices Threat Intelligence
29:29

Topics covered:

  • Your background can be sheepishly called “public sector”, what’s your experience been transitioning from public to private? How did you end up here doing what you are doing?
  • We imagine you learned a lot from what you just described – how’s that impacted your work at Google?
  • How have you seen risk management practices and outcomes differ?
  • You now lead Google Threat Horizons reports, do you have a vision for this? How does your past work inform it?
  • Given the prevalence of ransomware attacks, many organizations are focused on external threats. In your experience, does the risk of insider threats still hold significant weight? What type of company needs a dedicated and separate insider threat program?

Resources:

Read More
#174
May 27, 2024

EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

Guest:

Angelika Rohrer, Sr. Technical Program Manager, Cyber Security Response at Alphabet

Topics:

Cloud IR and Forensics How Google Does
29:29

Topics covered:

  • Incident response (IR) is by definition “reactive”, but ultimately incident prep determines your IR success. What are the broad areas where one needs to prepare?
  • You have created a new framework for measuring how ready you are for an incident, what is the approach you took to create it?
  • Can you elaborate on the core principles behind the Continuous Improvement (CI) Framework for incident response?
  • Why is continuous improvement crucial for effective incident response, especially in cloud environments? Can’t you just make a playbook and use it?
  • How to overcome the desire to focus on the easy metrics and go to more valuable ones?
  • What do you think Google does best in this area?
  • Can you share examples of how the CI Framework could have helped prevent or mitigate a real-world cloud security incident?
  • How can other organizations practically implement the CI Framework to enhance their incident response capabilities after they read the paper?

Resources:

Read More