In legacy security systems, it’s difficult to run many rules in parallel and at scale—so even if detection is possible, it may be too late. Most analytics tools use a data query language, making it difficult to write detection rules described in scenarios such as the Mitre ATT&CK framework. Finally, detections often require threat intelligence on attacker activity that many vendors simply don’t have. As a result, security tools are unable to detect many modern threats.
To address these needs, today at Google Cloud Security Talks we're announcing Chronicle Detect, a threat detection solution built on the power of Google’s infrastructure to help enterprises identify threats at unprecedented speed and scale. Earlier this year at RSA, we introduced the building blocks for Chronicle Detect: a data fusion model that stitches events into a unified timeline, a rules engine to handle common events, and a language for describing complex threat behaviors. With today’s announcement, we complete the rest of the solution.
"The scale and SaaS deployment model of Google Chronicle drove NCR's initial interest and investment. Their speed to deliver new features and integration have kept us productive and continued to impress. By operationalizing Chronicle for threat investigations, we have significantly improved our detection metrics. As an early design partner with Chronicle around its rules engine, Chronicle Detect, we see a clear opportunity to extend its benefits and impact to advanced threat detection."—Bob Varnadoe, CISO at NCR Corporation
Introducing Chronicle’s next generation rules engine
Chronicle Detect brings modern threat detection to enterprises with the next generation of our rules engine that operates at the speed of search, a widely-used language designed specifically for describing threat behaviors, and a regular stream of new rules and indicators, built by our research team.Chronicle Detect makes it easy for enterprises to move from legacy security tools to a modern threat detection system. Using our Google-scale platform, security teams can send their security telemetry to Chronicle at a fixed cost so that diverse, high value security data can be taken into account for detections. We automatically make that security data useful by mapping it to a common data model across machines, users, and threat indicators, so that you can quickly apply powerful detection rules to a unified set of data.
Detection rules trigger based on high value security telemetry sent to the Chronicle platform.
With Chronicle Detect, you can use advanced rules out-of-the-box, build your own, or migrate rules over from legacy tools. The rules engine incorporates one of the most flexible and widely-used detection languages in the world, YARA, which makes it easy to build detections for tactics and techniques found in the commonly used MITRE ATT&CK security framework. YARA-L, a language for describing threat behaviors, is the foundation of the Chronicle Detect rules engine. Many organizations are also integrating Sigma-based rules that work across systems, or converting their legacy rules to Sigma for portability. Chronicle Detect includes a Sigma-YARA converter so that customers can port their rules to and from our platform.
Using the YARA-L language, it's easy to edit and build detection rules in the Chronicle interface.
Get real-time threat indicators and automatic rules from Uppercase
Chronicle customers can also take advantage of detection rules and threat indicators from Uppercase, Chronicle’s dedicated threat research team. Uppercase researchers leverage a variety of novel tools, techniques, and data sources (including Google threat intelligence and a number of industry feeds) to provide Chronicle customers with indicators spanning the latest crimeware, APTs, and unwanted malicious programs. The Uppercase-provided IOCs—such as high-risk IPs, hashes, domains, registry keys—are analyzed against all security telemetry in your Chronicle system, and let you know right away when high-risk threat indicators are present in your environment.“As an early adopter, Quanta has benefited from Chronicle’s scale, performance and economic benefits in security investigations and threat hunting. We are excited to see Chronicle extend the Google advantage to threat detection with the launch of Chronicle Detect backed by the Chronicle Uppercase research team.” —James Stinson, VP IT at Quanta Services, Inc
The combination of these capabilities helps enterprises uncover multi-event attacks in their systems such as a new email sender followed by an HTTP post to a rare domain, or a suspiciously long powershell script accessing a low prevalence domain.
Since joining Google Cloud over a year ago, the Chronicle team has been innovating on our investigation and hunting platform to bring a new set of capabilities to the security market—and we won’t stop here. Chronicle has also added new global availability and data localization options, including data center support for all capabilities in Europe and the Asia Pacific region.
We’ll continue to build out integrations and help enterprises uncover threats with Chronicle wherever their data and applications reside, on-premises, in Google Cloud, and even in other cloud environments. To learn more about Chronicle Detect, read the Chronicle blog or contact the Chronicle sales team.
