Available at no additional cost to Chronicle customers, Chronicle Detect is slated to become generally available in the fourth quarter.
Its unveiling comes as enterprise IT environments face increasingly complex challenges with growing data volumes and more sophisticated attacker tactics, while existing detection and analytics tools can’t keep up, according to Rick Caccia, Google Cloud’s head of marketing for cloud security, and Sunil Potti, general manager and vice president of engineering for cloud security.
“In legacy security systems, it’s difficult to run many rules in parallel and at scale, so even if detection is possible, it may be too late,” Caccia and Potti wrote in a blog post published today. “Most analytics tools use a data-query language, making it difficult to write detection rules described in scenarios such as the MITRE ATT&CK framework. Detections often require threat intelligence on attacker activity that many vendors simply don’t have. As a result, security tools are unable to detect many modern threats.”
Chronicle previously was a separate cybersecurity startup in the portfolio of Google parent company Alphabet. It became part of Google Cloud almost 15 months ago, and its threat-detection technology was integrated into the cloud provider’s offerings.
Google Cloud had announced the “building blocks” for Chronicle Detect at the RSA Conference in San Francisco in February: an intelligent data fusion model that automatically links events into a timeline, its next-generation rules engine that operates at the speed of search to handle common threat events, and YARA-L, a specialized threat-detection language for log data.
“Using our Google-scale platform, security teams can send their security telemetry to Chronicle at a fixed cost, so that diverse, high-value security data can be taken into account for detections,” Caccia and Potti wrote. “We automatically make that security data useful by mapping it to a common data model across machines, users and threat indicators, so that you can quickly apply powerful detection rules to a unified set of data.”
New advanced detection rules and threat indicators built by Uppercase, Chronicle’s dedicated threat research team, are part of the solution. Uppercase researchers use tools and data sources such as Google Threat Intelligence and industry feeds to provide indicators covering the latest crimeware, advanced persistent threats and malicious programs. Those indicators of compromise, which include high-risk IPs, file hashes, domains and registry keys, are analyzed against the security telemetry in a customer’s Chronicle system, and the customer is alerted immediately when high-risk threat indicators are present.
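The indicator-matching step described above, in which events from different sources are first mapped to a common data model and then compared against a set of indicators, can be sketched in a few dozen lines. The following is an added illustration for this article; it is not code from Google, Chronicle or the blog post, and it does not reflect Chronicle’s actual data model or rule syntax. Every indicator value and every log event in it is a constructed placeholder (the IP sits in the TEST-NET-3 documentation range, the domain uses the reserved `.invalid` TLD, and the hash and registry key are made up).

```python
"""Match a small IoC set against normalized security events (added example)."""
from dataclasses import dataclass, field
import ipaddress
import json

# Constructed indicator set: every value here is a made-up placeholder, not a real IoC.
IOCS = {
    "ip": {"203.0.113.45"},                      # TEST-NET-3 documentation range
    "sha256": {"a" * 64},                        # placeholder hash
    "domain": {"malicious-example.invalid"},     # reserved TLD, never resolves
    "registry_key": {r"HKCU\Software\ExampleBadKey\Run"},
}

# Constructed raw events from three hypothetical sources with different field names.
RAW_EVENTS = [
    {"source": "fw", "src": "10.0.0.7", "dst": "203.0.113.45", "action": "allow"},
    {"source": "edr", "host": "ws01", "proc_hash": "A" * 64, "image": "C:\\tmp\\x.exe"},
    {"source": "dns", "client": "10.0.0.9", "qname": "Malicious-Example.invalid."},
    {"source": "edr", "host": "ws02", "reg_path": r"hkcu\software\examplebadkey\run"},
    {"source": "fw", "src": "10.0.0.8", "dst": "198.51.100.2", "action": "allow"},
]


@dataclass
class Event:
    """Common data model: one event, with its observables grouped by type."""
    source: str
    ips: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    registry_keys: set = field(default_factory=set)


def normalize(raw):
    """Map vendor-specific field names onto the common model in canonical form.

    Canonicalization (lower-casing hashes, domains and registry paths, stripping
    the trailing dot from DNS names, parsing IPs) is what lets one indicator set
    match telemetry from sources that format the same observable differently.
    """
    ev = Event(source=raw["source"])
    for key in ("src", "dst", "client"):
        if key in raw:
            ev.ips.add(str(ipaddress.ip_address(raw[key])))
    if "proc_hash" in raw:
        ev.hashes.add(raw["proc_hash"].lower())
    if "qname" in raw:
        ev.domains.add(raw["qname"].lower().rstrip("."))
    if "reg_path" in raw:
        ev.registry_keys.add(raw["reg_path"].lower())
    return ev


def canonical_iocs(iocs):
    """Apply the same canonical forms to the indicator feed itself."""
    return {
        "ip": {str(ipaddress.ip_address(v)) for v in iocs["ip"]},
        "sha256": {v.lower() for v in iocs["sha256"]},
        "domain": {v.lower().rstrip(".") for v in iocs["domain"]},
        "registry_key": {v.lower() for v in iocs["registry_key"]},
    }


def match_events(raw_events, iocs):
    """Return one alert dict per (event index, indicator type, value) hit."""
    c = canonical_iocs(iocs)
    alerts = []
    for i, raw in enumerate(raw_events):
        ev = normalize(raw)
        for kind, observed, bucket in (
            ("ip", ev.ips, c["ip"]),
            ("sha256", ev.hashes, c["sha256"]),
            ("domain", ev.domains, c["domain"]),
            ("registry_key", ev.registry_keys, c["registry_key"]),
        ):
            for hit in sorted(observed & bucket):
                alerts.append({"event": i, "source": ev.source, "type": kind, "value": hit})
    return alerts


if __name__ == "__main__":
    for alert in match_events(RAW_EVENTS, IOCS):
        print(json.dumps(alert))
```

Run as a script, it emits four alerts (one each for the firewall destination, the process hash, the DNS query and the registry path) and stays silent on the fifth event, whose destination is not in the feed. The design point is that normalization happens on both sides: the feed and the telemetry are brought to the same canonical form before the set intersection, otherwise a mixed-case hash or a DNS name with a trailing dot would silently fail to match.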
In addition to using advanced rules out of the box, Chronicle Detect allows users to build their own rules or migrate existing rules from their legacy tools.
“The rules engine incorporates one of the most flexible and widely-used detection languages in the world, YARA, which makes it easy to build detections for tactics and techniques found in the commonly used MITRE ATT&CK security framework,” Caccia and Potti said. “Many organizations are also integrating Sigma-based rules that work across systems or converting their legacy rules to Sigma for portability. Chronicle Detect includes a Sigma-YARA converter so that customers can port their rules to and from our platform.”
Google Cloud’s announcement of Chronicle Detect coincides with the cloud provider’s third-quarter Google Cloud Security Talks, a live online event taking place today.