Google is officially expanding its Chronicle cybersecurity platform into the threat detection realm, with the promise to bring “Google-scale threat analysis” to enterprises.
Chronicle was initially developed as an internal project inside Alphabet’s secretive X unit before rolling out as a standalone cybersecurity company in 2018. Last June, Chronicle was swallowed by Google Cloud, serving as a potential carrot-on-a-stick to attract enterprise customers from cloud rivals with the promise of more comprehensive cybersecurity smarts.
At Chronicle’s core are machine learning algorithms that analyze vast swathes of data to identify security threats more quickly. Initially, Chronicle was focused more on threat hunting and investigations, and assumed that the customer was receiving alerts from elsewhere that would initiate their investigations. Back in February, however, Google set the wheels in motion for proactive threat detection and alert functionality.
“The plan was always to add the ability to offer advanced detections — i.e. create our own alerts — in addition to investigations,” Rick Caccia, head of marketing for cloud security at Google Cloud, told VentureBeat.
This included the launch of intelligent data fusion, which combines a new data model with the ability to automatically link multiple “events” into a single unified timeline. Google also announced that Chronicle would detect threats using Yara-L, a new rules-based language for describing complex threat behaviors that was “inspired” by Yara, the malware-identification tool created by VirusTotal, a company Google acquired in 2012.
Fast forward to today, and Google is now officially unveiling Chronicle Detect, touted as a solution for enterprises to “identify threats at unprecedented speed and scale.” Building on the February announcement, Google said that its rules engine can now handle more complex event analytics, and that it has expanded the scope of Yara-L’s behavioral descriptions and “tuned it” for the modern threat types catalogued in the MITRE ATT&CK knowledge base.
By way of an example provided by Caccia, Chronicle allows cybersecurity professionals to configure their threat alerts based on more general rules, along the lines of:
If you ever see a file that has never been sent into our network before and then after opening it, the user’s machine opens up a connection to an IP address that no one here has ever connected to before, then fire an alert, and also show any users that also received the same file.
So rather than having to specify a particular file hash or domain to look out for, Chronicle’s approach of describing “risky behavior” covers more threats and more potential targets with a single rule. The trade-off is the computing power required to identify general behaviors: the system has to continuously analyze the company’s security telemetry rather than match a fixed indicator, which is why being built directly atop Google Cloud helps.
“This behavioral description approach enables much more powerful detections,” Caccia said. “It is difficult to do without serious computational power, but Chronicle has that.”
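To make the rule quoted above concrete, here is an added example (not Chronicle’s or Caccia’s code, and not Yara-L) that applies the same logic in plain Python over a few constructed telemetry records: a first-seen file on a host, followed within a window by that host connecting to a first-seen destination IP, raises an alert that also lists the other users who received the same file. The host names, users, hashes, IP addresses and the 10-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, user, event_type, value)
EVENTS = [
    ("2020-09-22T09:00:00", "ws-01", "alice", "file_seen", "hash-A"),   # never seen before
    ("2020-09-22T09:00:10", "ws-02", "bob",   "file_seen", "hash-A"),   # same file, second recipient
    ("2020-09-22T09:01:00", "ws-01", "alice", "net_conn",  "203.0.113.7"),  # new IP, 1 min later
    ("2020-09-22T10:00:00", "ws-03", "carol", "file_seen", "hash-B"),   # file already in baseline
    ("2020-09-22T10:05:00", "ws-03", "carol", "net_conn",  "198.51.100.4"),  # IP already in baseline
    ("2020-09-22T11:00:00", "ws-04", "dave",  "file_seen", "hash-C"),   # new file ...
    ("2020-09-22T11:30:00", "ws-04", "dave",  "net_conn",  "203.0.113.9"),  # ... but new IP too late
]
KNOWN_HASHES = {"hash-B"}        # assumed baseline of files seen in the past
KNOWN_IPS = {"198.51.100.4"}     # assumed baseline of destinations seen in the past
WINDOW = timedelta(minutes=10)   # assumed correlation window


def detect(events, known_hashes, known_ips, window=WINDOW):
    """Alert when a host opens a never-before-seen file and then, within
    `window`, connects to a never-before-seen IP. Each alert names the
    other users who also received that file."""
    events = sorted(events)  # process in timestamp order
    recipients = defaultdict(set)  # file hash -> users who received it
    for _, _, user, kind, value in events:
        if kind == "file_seen":
            recipients[value].add(user)
    seen_hashes, seen_ips = set(known_hashes), set(known_ips)
    recent_new_file = {}  # host -> (time, hash) of its latest first-seen file
    alerts = []
    for ts, host, user, kind, value in events:
        t = datetime.fromisoformat(ts)
        if kind == "file_seen" and value not in seen_hashes:
            seen_hashes.add(value)          # from now on this hash is "known"
            recent_new_file[host] = (t, value)
        elif kind == "net_conn" and value not in seen_ips:
            seen_ips.add(value)             # same for the destination IP
            if host in recent_new_file:
                t0, file_hash = recent_new_file[host]
                if t - t0 <= window:
                    alerts.append({"host": host, "user": user, "file": file_hash,
                                   "ip": value,
                                   "other_recipients": sorted(recipients[file_hash] - {user})})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_HASHES, KNOWN_IPS):
        print(alert)
```

Only the ws-01 sequence fires: carol’s file and destination are both in the baseline, and dave’s new connection falls outside the window.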
Although Chronicle is very much pitched as a core component of Google Cloud, the platform actually allows customers to aggregate and analyze data stored anywhere else, either on third-party cloud providers or through on-premises datacenters.
Elsewhere, Chronicle Detect also now taps an additional feed of data from Google’s Uppercase research team, including detection rules and indicators of compromise (IoCs) such as high-risk IP addresses or registry keys, which are compared against the security telemetry in each company’s environment.