
New Cloud Security Podcast Episode Featuring David French from Google Cloud
In this episode of the Cloud Security Podcast, guest David French, a security engineer at Google Cloud, discusses threat detection in cloud environments, particularly Google Cloud. David shares his professional journey, starting as a SOC (Security Operations Center) analyst and moving into detection engineering and threat hunting for financial institutions and large software development companies. He also explains his current role at Google Cloud, where he focuses on improving detection practices for Google SecOps users.

One of the key topics discussed is "detection as code". David explains that this means applying software development practices to the creation and management of detection content: treating detection rules with the same rigor as preventive controls, and using platforms such as GitHub and CI/CD (Continuous Integration/Continuous Deployment) tooling to manage changes and approvals.

David contrasts this with the traditional approach, in which security teams log in to each security tool and create or edit detection rules by hand. That approach invites errors, false positives and false negatives, especially when changes are made without testing or approval. He stresses the importance of centralizing detection content in a single repository, defining a change control scheme, and testing for regressions before deploying changes.

For those starting with Google Cloud, or integrating Google Cloud into a multi-cloud environment, David recommends first understanding the logs Google Cloud makes available, such as audit logs, DNS logs, DDoS events and Cloud Armor logs. He also mentions Google SecOps (Google Security Operations), a security operations platform that uses Google's threat intelligence to detect suspicious or malicious behavior.

David also discusses the skills needed to build effective detection capabilities.
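The detection-as-code workflow described above, in miniature, as an added example (this is illustrative code written for this summary, not code from the episode, from Google SecOps, or from any Google project). Rules live in the repository as data, every rule carries positive and negative regression cases, and a CI gate refuses to merge a rule that fails them. The rule format, the CORP_DOMAIN value "@example.com" and all events are assumptions; the events are constructed samples shaped like Google Cloud Audit Log entries (logName, protoPayload.methodName, protoPayload.authenticationInfo.principalEmail), not real log data.

```python
"""Detection-as-code in miniature: rules as data, regression cases per rule,
and a CI gate that runs before any rule is deployed. All events are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable

# Hypothetical corporate domain: principals outside it count as external.
CORP_DOMAIN = "@example.com"


def get_path(event: dict, path: str) -> Any:
    """Resolve a dotted path such as "protoPayload.methodName" inside a nested dict."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


# Operators a rule condition may use (field value, rule value) -> bool.
OPS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, b: a == b,
    "endswith": lambda a, b: isinstance(a, str) and a.endswith(b),
    "not_endswith": lambda a, b: isinstance(a, str) and not a.endswith(b),
}


@dataclass
class Rule:
    name: str
    severity: str
    conditions: list[tuple[str, str, Any]]  # (field path, operator, value); all must hold
    positive_cases: list[dict]  # events that must fire: guards against false negatives
    negative_cases: list[dict]  # events that must not fire: guards against false positives


def audit_event(method: str, principal: str,
                service: str = "cloudresourcemanager.googleapis.com") -> dict:
    """Build a minimal Cloud Audit Log-shaped entry (constructed sample, not real data)."""
    return {
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
        },
    }


def matches(rule: Rule, event: dict) -> bool:
    return all(OPS[op](get_path(event, path), value) for path, op, value in rule.conditions)


def regression_failures(rule: Rule) -> list[str]:
    """What CI runs on every pull request: each declared case must behave as declared."""
    failures = []
    for i, ev in enumerate(rule.positive_cases):
        if not matches(rule, ev):
            failures.append(f"{rule.name}: positive case {i} did not fire (false negative)")
    for i, ev in enumerate(rule.negative_cases):
        if matches(rule, ev):
            failures.append(f"{rule.name}: negative case {i} fired (false positive)")
    return failures


def ci_gate(rules: list[Rule]) -> bool:
    """Merge gate: True only if every rule passes all of its regression cases."""
    return not any(regression_failures(r) for r in rules)


def run_detections(rules: list[Rule], events: list[dict]) -> list[tuple[str, str]]:
    """Evaluate deployed rules over an event stream; returns (rule name, principal) pairs."""
    return [(r.name, get_path(ev, "protoPayload.authenticationInfo.principalEmail"))
            for ev in events for r in rules if matches(r, ev)]


# Rules as they would be committed to the repository.
IAM_CHANGE_BY_EXTERNAL = Rule(
    name="iam_policy_changed_by_external_principal", severity="HIGH",
    conditions=[("protoPayload.methodName", "eq", "SetIamPolicy"),
                ("protoPayload.authenticationInfo.principalEmail", "not_endswith", CORP_DOMAIN)],
    positive_cases=[audit_event("SetIamPolicy", "attacker@gmail.com")],
    negative_cases=[audit_event("SetIamPolicy", "admin@example.com"),
                    audit_event("GetIamPolicy", "attacker@gmail.com")],
)
SA_KEY_CREATED = Rule(
    name="service_account_key_created", severity="MEDIUM",
    conditions=[("protoPayload.serviceName", "eq", "iam.googleapis.com"),
                ("protoPayload.methodName", "eq", "google.iam.admin.v1.CreateServiceAccountKey")],
    positive_cases=[audit_event("google.iam.admin.v1.CreateServiceAccountKey",
                                "dev@example.com", "iam.googleapis.com")],
    negative_cases=[audit_event("google.iam.admin.v1.DeleteServiceAccountKey",
                                "dev@example.com", "iam.googleapis.com")],
)
RULES = [IAM_CHANGE_BY_EXTERNAL, SA_KEY_CREATED]

# An untested edit someone might push to "catch more": the methodName condition is
# dropped. The rule's own negative cases reject it before it reaches production.
BROKEN_EDIT = Rule(
    name=IAM_CHANGE_BY_EXTERNAL.name, severity="HIGH",
    conditions=[("protoPayload.authenticationInfo.principalEmail", "not_endswith", CORP_DOMAIN)],
    positive_cases=IAM_CHANGE_BY_EXTERNAL.positive_cases,
    negative_cases=IAM_CHANGE_BY_EXTERNAL.negative_cases,
)

if __name__ == "__main__":
    print("deployed rules pass CI:", ci_gate(RULES))
    print("broken edit passes CI:", ci_gate([BROKEN_EDIT]), regression_failures(BROKEN_EDIT))
    print("alerts:", run_detections(RULES, [audit_event("SetIamPolicy", "attacker@gmail.com"),
                                            audit_event("SetIamPolicy", "admin@example.com")]))
```

The point of the negative cases is the one David makes about untested changes: the broken edit still fires on the positive case, so a reviewer eyeballing "does it detect the attack?" would approve it, but the GetIamPolicy negative case exposes the false positive it introduces. In a real pipeline the same cases would run against replayed log samples in CI, and only a passing rule set would be pushed to the SIEM.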
David highlights the importance of collaboration between detection engineers and system administrators to identify anomalous behavior specific to cloud environments. He also stresses data quality and data pipeline management, to ensure detection rules work correctly.

In terms of maturity, David suggests starting by inventorying existing detection content, centralizing it in a single repository, and understanding current coverage. He also recommends tracking metrics such as the average time to detection and how quickly new detections can be created and deployed.

For security teams, David advises hiring people with a defender mindset who can analyze logs and triage alerts. He also notes that software engineering and DevOps skills matter for writing effective detection rules and managing data pipelines.

In conclusion, David French provides valuable insights into building robust detection capabilities in cloud environments, particularly Google Cloud. He emphasizes treating detection rules with the same rigor as preventive controls and centralizing and managing detection content effectively.

To learn more, watch the full video at: https://www.youtube.com/watch?v=L2zjc1MPuRM