Guest:  Andrew Hoying, Senior Security Engineering Manager @ Google Topics: What is different about system hardening today vs 20 years ago?  Also, what is special about hardening systems at Google massive scale? Can I just apply CIS templates and be done with it? Part of hardening has to be following up with developers after they have un-hardened things – how do we operationalize that at scale without getting too much in the way of productivity? A part of hardening has got to be responding to new regulation and compliance regimes, how do you incorporate new controls and stay responsive to the changing world around us? Are there cases where we have taken lessons from hardening at scale and converted those into product improvements? What metrics do you track to keep your teams moving, and what metrics do your leads look at to understand how you’re doing? [Spoiler: the answer here is VERY fun!] Resources: “Why Shared Fate is a Better Way to Manage Cloud Risk” article (and this too) CIS for GCP GCP IAM Deny CloudSecList by Marco Lancini

Guest: Chris Corde, Sr Director of Product Management - Security Operations, Google Cloud Topics: You cover many products, but let’s focus on Chronicle today. An easy question: Chronicle isn’t an XDR, so what is it? Since you’ve joined the team, what’re you most proud of shipping to clients? Could you share more about the Mandiant acquisition,  what’s been a happy surprise and what are you looking forward to making available to customers? Some believe that good security operations success is mostly about process, yet we are also building these amazing products. What is your view of how much security ops success hinges on products vs practices? When it comes to building out Chronicle’s position in the market, how are we leveraging the depth of expertise that people have with other SIEM tools compared to ours? What advice do you have for security professionals who want to transition into product management?  Resources: EP44 Evolving a SIEM for the Future While Learning from the Past EP82 Mega-confused by XDR? You Are Not Alone! This XDR Skeptic Clarifies!  

Guest: Rosemary Wang, Developer Advocate at HashiCorp  Topics: Could you give us a 2 minute picture on what Terraform is, what stages of the cloud lifecycle it is relevant for, and how it intersects with security teams? How can Terraform be used for security automation? How should security teams work with DevOps teams to use it? What are some of the obvious and not so obvious security challenges of using Terraform? How can security best practices be applied to infrastructure instantiated via Terraform? What is the relationship between Terraform and policy as code (PaC)? How do you get started with all this? What do you tell the security teams who want to do cloud security the “old way” and not the cloud-native way?  Resources: Video (LinkedIn, YouTube) “EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?” Policy as Code with HashiCorp Sentinel or Open Policy Agent (OPA) for Terraform “Terraform Cloud adds Vault-backed dynamic credentials” blog Google Cloud Provider for Terraform Security & Authentication Providers for Terraform “Sloth’s Guide to Mindfulness” book

Guests:  no guests, all banter, all very fun :-) Topics: How is Google Next this year? What is new in cloud security? Is Google finally a security vendor? What are some of the fun security presentations we've seen, including our own? Any impactful launches in security? What was the most interesting overall? Resources: “Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?” (ep136) “RSA 2023 - What We Saw, What We Learned, and What We're Excited About” (ep119) “Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?” (ep67) “Detecting, investigating, and responding to threats in your Google Cloud environment” at Cloud Next 2023 by Anton “Prevent cloud compromises: Learn how Uber discovers cyber risks and remediates threats” at Cloud Next 2023 by Tim “Generative AI for defenders with Sec-PaLM 2 and Duet AI” at Cloud Next 2023 by Eric Doerr (his episode) “A blueprint for modern security operations” at Cloud Next 2023 by our future guest, Chris… Kevin Mandia at Next keynote (start at 1:15:00) “New AI capabilities that can help address your security challenges” blog

Guest:  Eric Doerr, VP of Engineering, Google Cloud Security  Topics: You have a Next presentation on AI, what is the most exciting part for you? We care both about securing AI and using AI for security. How do you organize your thinking about it? Executive surveys imply that trusting an AI (for business) is still an issue. How can we trust AI for security? What does it mean to “trust AI” in this context?  How should defenders think about threat modeling AI systems?  Back to using AI for security, what are the absolute worst security use cases for GenAI? Think “generate code and run it on prod” or something like that? What does it mean to “teach AI security” like we did with Sec-PALM2? What is actually involved in this? What were some surprising challenges we ran into here?  Resources: “Generative AI for defenders with Sec-PaLM 2 and Duet AI” presentation at Google Cloud Next 2023 “The Prompt: What to think about when you’re thinking about securing AI” and a new paper on securing AI “AI and Security: The Good, the Bad, and the Magical” (ep135) Monitor and secure Vertex AI “Introducing Google’s Secure AI Framework” blog “Project Hail Mary” book