Cloud Security Podcast by Google Anton Chuvakin

Guest:
Monica Shokrai, Head Of Business Risk and Insurance For Google Cloud 
Topics:
Could you give us the 30 second run down of what cyber insurance is and isn't?
Can you tie that to clouds? How does the cloud change it? Is it the case that now I don't need insurance for some of the "old school" cyber risks?
What challenges are insurers facing with assessing cloud risks? On this show I struggle to find CISOs who "get" cloud, are there insurers and underwriters who get it?
We recently heard about an insurer reducing coverage for incidents caused by old CVEs! What's your take on this? Effective incentive structure to push orgs towards patching operational excellence or someone finding yet another way not to pay out? Is insurance the magic tool for improving security?
Doesn't cyber insurance have a difficult reputation with clients? “Will they even pay?” “Will it be enough?” “Is this a cyberwar exception?” type stuff?
How do we balance our motives between selling more cloud and providing effective risk underwriting data to insurers?
How soon do you think we will have actuarial data from many clients re: real risks in the cloud? What about the fact that risks change all the time unlike say many “non cyber” risks?
 
Resources:
Video (LinkedIn, YouTube)
Google Cloud Risk Protection program
“Cyber Insurance Policy”  by Josephine Wolff 
InsureSec

Guest:
Dr Gary McGraw, founder of the Berryville Institute of Machine Learning
Topics:
Gary, you’ve been doing software security for many decades, so tell us: are we really behind on securing ML and AI systems? 
If not SBOM for data or “DBOM”, then what? Can data supply chain tools or just better data governance practices help?
How would you threat model a system with ML in it or a new ML system you are building? 
What are the key differences and similarities between securing AI and securing a traditional, complex enterprise system?
What are the key differences between securing the AI you built and AI you buy or subscribe to?
Which security tools and frameworks will solve all of these problems for us?  Resources:
EP135 AI and Security: The Good, the Bad, and the Magical Gary McGraw books
“An Architectural Risk Analysis Of Machine Learning Systems: Toward More Secure Machine Learning“ paper
“What to think about when you’re thinking about securing AI”
Annotated ML Security bibliography  
Tay bot story (2016)
“Can you melt eggs?”
“Microsoft AI researchers accidentally leak 38TB of company data”
“Random number generator attack”
“Google's AI Red Team: the ethical hackers making AI safer”
Introducing Google’s Secure AI Framework

Guests:
John Stoner, Principal Security Strategist, Google Cloud Security
Dave Herrald, Head of Adopt Engineering, Google Cloud Security
Topics:
In your experience, past and present, what would make clients trust vendor detection content?
Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from?
What is more important, seeing the detection or being able to change it, or both?
If this is about seeing the detection code/content, what about ML and algorithms?
What about the SOC analysts who don't read the code?
What about “tuning” - is tuning detections a bad word now in 2023?
Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic?
Resources:
Video (Linkedin, YouTube)
Github rules for Chronicle
DetectionEngineering.net by Zack Allen
“On Trust and Transparency in Detection” blog
“Detection as Code? No, Detection as COOKING!” blog
EP64 Security Operations Center: The People Side and How to Do it Right
EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting
EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
Why is Threat Detection Hard?
Detection Engineering is Painful — and It Shouldn’t Be (Part 1, 2, 3, 4, 5)
 

Guest:
Adrian Sanabria,  Director of Valence Threat Labs at Valence Security, ex-analyst
Topics:
When people talk about “cloud security” they often forget SaaS, what should be the structured approach to using SaaS securely or securing SaaS?
What are the incidents telling us about the realistic threats to SaaS tools?
Is the Microsoft 365 breach a SaaS breach, a cloud breach or something else?
Do we really need CVEs for SaaS vulnerabilities?
What are the least understood aspects of securing SaaS?
What do you tell the organizations who assume that “SaaS vendor takes care of all SaaS security”?
Isn’t CASB the answer to all SaaS security issues? We also have SSPM now too? Do we really need more tools?
Resources:
VIdeo (LinkedIn, YouTube)
EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?
Valence 2023 State of SaaS Security report
DHS Launches First-Ever Cyber Safety Review Board
Enterprise Security Weekly podcast
CloudVulnDb and another cloud vulnerability list
Cyber Safety Review Board (CSRB) by CISA

Guest: 
Kelli Vanderlee, Senior Manager, Threat Analysis, Mandiant at Google Cloud
Topics:
Can you really forecast threats? Won’t the threat actors ultimately do whatever they want?
How can clients use the forecast? Or as Tim would say it, what gets better once you read it?
What is the threat forecast for cloud environments? It says “Cyber attacks targeting hybrid and multi-cloud environments will mature and become more impactful“ - what does it mean?
Of course AI makes an appearance as well: “LLMs and other gen AI tools will likely be developed and offered as a service to assist attackers with target compromises.” Do we really expect attacker-run LLM SaaS? What models will they use? Will it be good?
There are a number of significant elections scheduled for 2024, are there implications for cloud security?
Based on the threat information, tell me about something that is going well, what will get better in 2024?
Resources:
2024 Google Cloud Security Forecast Report
EP112 Threat Horizons - How Google Does Threat Intelligence
EP135 AI and Security: The Good, the Bad, and the Magical
How to Stop a Ransomware Attack
Sophisticated StripedFly Spy Platform Masqueraded for Years as Crypto Miner
 

Guest:
Wei Lien Dang, GP at Unusual Ventures
 Topics: 
We have a view at Google that AI for security and security for AI are largely separable disciplines. Do you feel the same way? Is this distinction a useful one for you? 
What are some of the security problems you're hearing from AI companies that are worth solving? 
AI is obviously hot, and as always security is chasing the hotness. Where are we seeing the focus of market attention for AI security?
Does this feel like an area that's going to have real full products or just a series of features developed by early stage companies that get acquired and rolled up into other orgs? 
What lessons can we draw on from previous platform shifts, e.g. cloud security, to inform how this market will evolve?
 Resources:
“What to think about when you’re thinking about securing AI” blog / paper
EP135 AI and Security: The Good, the Bad, and the Magical
EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?
EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models
Introducing Google’s Secure AI Framework
OWASP Top 10 for Large Language Model Applications
Unusual VC Startup Field Guide
Demystifing LLMs and Threats by Caleb Sima