L’Usine Digitale: What are your tasks within Google Cloud, as Security Strategy Manager?
Thibaut Meyer: I am the French representative of the Google Cloud CISO office. We have two main tasks. The first is to coordinate certain internal working groups on the security of our solutions in specific areas, in particular everything that counts as security by default in our cloud services, and security by design.
The second is to support our clients in their cybersecurity strategy, to help them understand what they need to change from the way they used to do security within the company. The idea is that the public cloud is not just a risk, but a way to raise the bar on security. Just as IT teams must transform, customer security teams must modernize.
What do you offer your customers who are coming to the cloud and want to ensure they are in a secure environment?
We provide our customers with a cloud infrastructure that is secure by default. This is security that you don’t have to worry about, such as the physical security of data centers, or the encryption that we apply to all of our customers’ data, whether it is stored or passing through our network. However, not all of our clients have the same security needs, the same regulatory context, or the same risk appetite. They must be able to adjust the security level of the solutions they will use.
We provide them with actionable controls, that is, basic controls on identity management, on the level of logging they will have, on IoT management, so that they can take into account their policy requirements and their internal requirements and carry them over to the cloud. Our customers often operate in a hybrid mode, with part on-premises and part in the cloud. This cloud part needs to be integrated into their security thinking and into their cybersecurity strategy. These controls allow them to gain visibility, set security measures, understand what is happening, and detect incidents.
How do these controls work so that customers can adapt?
These controls may look the same as they did before. For example, in identity management, the customer is not required to use our cloud identity management. They can set up identity federation and use their own identity provider. On the other hand, regarding firewalls for example, we have to think differently, because they are native to cloud technology. Each cloud resource will have its own network security, its own segmentation, and this must be integrated. This is a typical area in which we support our clients. Also, in the cloud, everything is defined in software, which means you can automate almost everything. We can automate the process of creating resources and testing them, and we can automate the rebuild process to start again from a clean version.
At the beginning of 2022, Google acquired the cybersecurity company Mandiant. How do your tasks fit into what Mandiant does?
Mandiant is a leader in two areas, first and foremost, incident response. When a company is the victim of an attack, in order for it to respond, understand what happened and move forward, it can contact Mandiant teams who will help it deal with the crisis. This is a service we didn’t have before.
The other aspect is cyber threat analysis, or threat intel. The idea is to understand how attacker groups operate, where they are coming from, the tools they use, and the vulnerabilities they will exploit depending on the country and industry, and to provide this information to our clients. This helps us to be more attentive and to prioritize certain security measures and controls, depending on the threat we face. We already had an internal team at Google, the Threat Analysis Group (TAG). With the acquisition of Mandiant, 300 dedicated engineers have joined us in this mission.
Are you, for your part, noticing certain trends regarding cyberattacks in the cloud?
We see several trends. The first, on the cloud or its infrastructure, is that attacks are often linked to geopolitical issues. We noticed this in the war in Ukraine, or at this moment with what is happening in the Middle East. Depending on events beyond the civilian context, we see supporting cyberattacks that target specific regions, specific companies, and specific actors. When NATO countries announced specific support for Ukraine, such as arms deliveries, we saw, for example, attacks launched within an hour targeting companies or government entities of the country that had just made that announcement.
Then, in terms of threat classification, there are the four “usual suspects,” namely Russia, China, North Korea, and Iran, which do not have a monopoly on attacks but account for a great many of them. We also see attacks that focus on peripheral elements of the infrastructure, such as routers, network load balancers, VPN gateways, or even identity managers for remote workers. On the one hand, this equipment is very exposed, and on the other hand it has very high rights and privileges over the infrastructure. Once an attacker gains a foothold there, they can compromise the system more easily.
The last, and important, trend is what we call a “supply chain attack.” If attackers cannot target a company with a high level of cyber maturity, they will target one of its suppliers. It can be a targeted attack on a very specific resource, but also on a resource shared by many customers, such as SolarWinds, for example, or what we have seen recently in open source code libraries.
What is your opinion on the development of generative AI tools in relation to cybersecurity? Do you think they work mostly for or against you?
This is a discussion we’re having, and there are two sides. Attackers will use AI techniques. What we see concretely on the ground is that they are using it to move faster, to scale, to be more relevant. But fully autonomous AI that can carry out attacks without human intervention remains science fiction. It’s a tool to create more adaptive, better-translated phishing emails, perhaps using deepfakes for phishing, but it’s a tool that is used. It’s not yet a threat in itself, one that is completely autonomous.
On the other hand, it’s a great tool for security teams, and it won’t replace them. We won’t have AI defending us, but it allows them to move faster, to be more relevant. For example, we can understand malicious code more easily. When you have code, you can quickly translate it into natural language, which is what we do with VirusTotal. This means that an analyst in the detection center who does not know the language well can quickly understand whether a script is malicious or not, and can rule out doubts at a first pass. We can also ask the AI tool to automatically translate detection rules. When it is necessary to respond to an incident, we are able to provide the most appropriate answers to the analyst.
So it’s a race that starts on every side…
How will the balance work? We are somewhat optimistic. Defense teams have an advantage: they know their infrastructure and their data. We will be able to train these models in a way that is very specific to our environment. The attacker will act blindly. What could tip the balance is this detailed knowledge and the fact that we can train these models, or make them run on our own data, which is even more important, while the attacker will send generic attacks.
The race will remain close, because the technologies will be adopted by both sides. Therefore we must continue to invest and continue training. As providers of AI models and AI applications, we have a role to play. But AI is one tool among others in the toolkit of people who work in cybersecurity. Above all, you have to know how to use it. So you have to know how to query AI, and you have to use it optimally to gain efficiency.
How exactly do you go about training companies?
We have different types of training. We have training specific to our platform, and we work on raising awareness. In particular, we have a partnership with GIP Acyma (Cybermalveillance.gouv.fp). We also work with the Villes de France association to provide more local outreach, whether that involves local elected officials, economic actors or local authorities, to train their staff. Our goal is not to turn all the staff of the local authority or all the traders in the city into cybersecurity experts, but to make them aware of these issues, and to show that with very small and simple gestures we can, at least, avoid the most obvious mistakes.