Google and its subsidiary Chronicle are rolling out new automated threat detection capabilities for its Google Cloud platform to help companies scale up security monitoring for their legacy systems.
The product – called Chronicle Detect – has been in the works for some time and Google unveiled some details around certain components earlier this year at RSA, like a data fusion model to create timelines, a rules engine for common events and incorporated YARA malware threat behavior language.
Often, log data or telemetry from a company’s older, off-the-shelf or internal applications aren’t set up to integrate with or port to modern threat detection and response platforms. That can make consistent, continuous security monitoring harder and create visibility gaps for huge chunks of enterprise.
In a release, Sunil Potti, Google’s general manager and vice president of engineering, and Rick Caccia, head of marketing for Google’s Cloud Security team, said the new capabilities were designed to address the gap that many organizations face in setting up threat detection protocols for older or legacy systems.
“In legacy security systems, it’s difficult to run many rules in parallel and at scale — so even if detection is possible, it may be too late,” Potti and Caccia said. “Most analytics tools use a data query language, making it difficult to write detection rules described in scenarios such as the Mitre ATT&CK framework. Finally, detections often require threat intelligence on attacker activity that many vendors simply don’t have.”
Chronicle Detect works like this: customers will use Google’s platform to send their telemetry for a fee, and Chronicle’s automaton will map it to a data model for devices, users and threat indicators to develop new detection rules. Users can migrate their rules over from legacy systems, build new ones or use Google’s standardized version. They can also leverage threat indicators from Uppercase, Chronicle’s threat research team around the latest malware, APTs and other threats.
Chronicle was first established by Google’s parent company, Alphabet, in 2018, as a quasi-independent security automation service that would combine Google’s infrastructure, analytic tools and vast oceans of data with customer-specific information to automatically ingest and crunch security data into actionable intelligence. Alphabet later scaled back those plans and the organization was eventually folded into Google’s cloud security team.