Google rolls out new automated threat detection tool

Google’s staff won’t return to work until the summer of 2021. Today’s columnist, Aron Brand of CTERA, explains why companies preparing for a long work-from-home period because of the pandemic need to embrace data distancing: the ability to ensure that remote workers can work on their data with the same performance and security they had at the main ...
Google logo seen at Googleplex, the corporate headquarters complex of Google and its parent company Alphabet Inc. Google and its subsidiary Chronicle are rolling out new automated threat detection capabilities for its Google Cloud platform. (Photo by Alex Tai/SOPA Images/LightRocket via Getty Images)

Google and its subsidiary Chronicle are rolling out new automated threat detection capabilities for its Google Cloud platform to help companies scale up security monitoring for their legacy systems.

The product – called Chronicle Detect – has been in the works for some time and Google unveiled some details around certain components earlier this year at RSA, like a data fusion model to create timelines, a rules engine for common events and incorporated YARA malware threat behavior language.

Often, log data or telemetry from a company’s older, off-the-shelf or internal applications aren’t set up to integrate with or port to modern threat detection and response platforms. That can make consistent, continuous security monitoring harder and create visibility gaps for huge chunks of enterprise.

In a release, Sunil Potti, Google’s general manager and vice president of engineering, and Rick Caccia, head of marketing for Google’s Cloud Security team, said the new capabilities were designed to address the gap that many organizations face in setting up threat detection protocols for older or legacy systems.

“In legacy security systems, it’s difficult to run many rules in parallel and at scale — so even if detection is possible, it may be too late,” Potti and Caccia said. “Most analytics tools use a data query language, making it difficult to write detection rules described in scenarios such as the Mitre ATT&CK framework. Finally, detections often require threat intelligence on attacker activity that many vendors simply don’t have.”

Chronicle Detect works like this: customers will use Google’s platform to send their telemetry for a fee, and Chronicle’s automaton will map it to a data model for devices, users and threat indicators to develop new detection rules. Users can migrate their rules over from legacy systems, build new ones or use Google’s standardized version. They can also leverage threat indicators from Uppercase, Chronicle’s threat research team around the latest malware, APTs and other threats.

Chronicle was first established by Google’s parent company, Alphabet, in 2018, as a quasi-independent security automation service that would combine Google’s infrastructure, analytic tools and vast oceans of data with customer-specific information to automatically ingest and crunch security data into actionable intelligence. Alphabet later scaled back those plans and the organization was eventually folded into Google’s cloud security team.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.