Google Cloud Debuts Chronicle Detect For Threat Detection

‘Most analytics tools use a data-query language, making it difficult to write detection rules described in scenarios such as the MITRE ATT&CK framework,’ Rick Caccia, Google Cloud’s head of marketing for cloud security, and Sunil Potti, general manager and vice president of engineering for cloud security, says in a blog post. ‘Detections often require threat intelligence on attacker activity that many vendors simply don’t have. As a result, security tools are unable to detect many modern threats.’

Google Cloud today took the wraps off Chronicle Detect, a new threat-detection solution built on its infrastructure to help enterprises move from legacy security tools to a modern system that can quickly identify threats at scale.

Available at no additional cost to Chronicle customers, Chronicle Detect is slated to become generally available in the fourth quarter.

Its unveiling comes as enterprise IT environments face increasingly complex challenges with growing data volumes and more sophisticated attacker tactics, while existing detection and analytics tools can’t keep up, according to Rick Caccia, Google Cloud’s head of marketing for cloud security, and Sunil Potti, general manager and vice president of engineering for cloud security.

“In legacy security systems, it’s difficult to run many rules in parallel and at scale, so even if detection is possible, it may be too late,” Caccia and Potti wrote in a blog post published today. “Most analytics tools use a data-query language, making it difficult to write detection rules described in scenarios such as the MITRE ATT&CK framework. Detections often require threat intelligence on attacker activity that many vendors simply don’t have. As a result, security tools are unable to detect many modern threats.”

Chronicle previously was a separate cybersecurity startup in the portfolio of Google parent company Alphabet. It became part of Google Cloud almost 15 months ago, and its threat-detection technology was integrated into the cloud provider’s offerings.

Google Cloud had announced the “building blocks” for Chronicle Detect at the RSA Conference in San Francisco in February: an intelligent data fusion model that automatically links events into a timeline, its next-generation rules engine that operates at the speed of search to handle common threat events, and YARA-L, a specialized threat-detection language for log data.

“Using our Google-scale platform, security teams can send their security telemetry to Chronicle at a fixed cost, so that diverse, high-value security data can be taken into account for detections,” Caccia and Potti wrote. “We automatically make that security data useful by mapping it to a common data model across machines, users and threat indicators, so that you can quickly apply powerful detection rules to a unified set of data.”

New advanced detection rules and threat indicators built by Uppercase, Chronicle’s dedicated threat research team, are part of the solution. Uppercase researchers use tools and data sources such as Google Threat Intelligence and industry feeds to provide indicators covering the latest crimeware, advanced persistent threats and malicious programs. Those indicators of compromise, which include high-risk IPs, file hashes, domains and registry keys, are analyzed against the security telemetry in a customer’s Chronicle system, and they’re immediately alerted when high-risk threat indicators are present.

In addition to using advanced rules out-of-the-box, Chronicle Detect allows users to build their own rules or migrate existing rules from their legacy tools.

“The rules engine incorporates one of the most flexible and widely-used detection languages in the world, YARA, which makes it easy to build detections for tactics and techniques found in the commonly used MITRE ATT&CK security framework,” Caccia and Potti said. “Many organizations are also integrating Sigma-based rules that work across systems or converting their legacy rules to Sigma for portability. Chronicle Detect includes a Sigma-YARA converter so that customers can port their rules to and from our platform.”

Google Cloud’s announcement of Chronicle Detect coincides with the cloud provider’s third-quarter Google Cloud Security Talks, a live online event taking place today.

“It‘s quite fascinating to see how Google keeps pushing the envelope and inducing the gravitational forces towards data-driven security operations,” said Gadi Naor, the founder and chief technology officer at Alcide, a Tel Aviv, Israel-based Kubernetes security company and Google Cloud Technology Partner.

Workforce mobility and the ever-increasing use of cloud-based applications clearly keep challenging and stretching the capabilities and capacity of traditional security systems, he said.

“User and machine activity as well as systems audit logs are a well-known gold mine for security,” Naor said. “Combine that with the scale available in cloud and harvesting technologies in the form and shape of a novel threat detection-focused, log query language may redefine how enterprises think about IT security. It is, however, unclear how such technology can be adapted or even be applied to cloud-native applications and SaaS applications that enterprises are constantly building and improving as part of their digital transformation and presence.”