24 Jan 18

Chronicle: A Meteor Aimed At Planet Threat Intel?

Alphabet Inc., the parent company of Google, said today it is in the process of rolling out a new service designed to help companies more quickly make sense of and act on the mountains of threat data produced each day by cybersecurity tools.

Countless organizations rely on a hodgepodge of security software, hardware and services to find and detect cybersecurity intrusions before an incursion by malicious software or hackers has the chance to metastasize into a full-blown data breach.

The problem is that the sheer volume of data produced by these tools is staggering and increasing each day, meaning already-stretched IT staff often miss key signs of an intrusion until it’s too late.

Enter “Chronicle,” a nascent platform that graduated from the tech giant’s “X” division, which is a separate entity tasked with tackling hard-to-solve problems with an eye toward leveraging the company’s core strengths: massive data analytics and storage capabilities, machine learning and custom search capabilities.

“We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find,” wrote Stephen Gillett, CEO of the new venture.

Few details have been released yet about how exactly Chronicle will work, although the company did say it would draw in part on data from VirusTotal, a free service acquired by Google in 2012 that allows users to scan suspicious files against dozens of commercial antivirus tools simultaneously.

Gillett said his division is already trialing the service with several Fortune 500 firms to test the preview release of Chronicle, but the company declined to name any of those participating.

ANALYSIS

It’s not terribly clear from Gillett’s post or another blog post from Alphabet’s X division by Astro Teller how exactly Chronicle will differentiate itself in such a crowded market for cybersecurity offerings. But it’s worth considering the impact that VirusTotal has had over the years.

Currently, VirusTotal handles approximately one million submissions each day. The results of each submission get shared back with the entire community of antivirus vendors who lend their tools to the service — which allows each vendor to benefit by adding malware signatures for new variants that their tools missed but that a preponderance of other tools flagged as malicious.
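The cross-vendor feedback loop described above, as an added illustration that is not code from this post or from VirusTotal: given constructed per-engine verdicts for a few submissions, classify each one by the preponderance of engines that flagged it, and report which engines reported “clean” on a file the consensus called malicious (the gaps a vendor would close with a new signature). An engine that returned no result is counted as neither a detection nor a miss.

```python
from collections import defaultdict

# Constructed sample of multi-engine verdicts, in the shape a service like
# VirusTotal reports: one verdict per engine per submission. None means the
# engine returned no result (timeout, unsupported file type); it is neither
# a detection nor a clean verdict and must not be counted either way.
SAMPLE_RESULTS = {
    "sample-1": {"EngA": "malicious", "EngB": "malicious", "EngC": "malicious", "EngD": "clean"},
    "sample-2": {"EngA": "clean", "EngB": "clean", "EngC": "clean", "EngD": "malicious"},
    "sample-3": {"EngA": "malicious", "EngB": None, "EngC": "malicious", "EngD": None},
    "sample-4": {"EngA": "clean", "EngB": "clean", "EngC": None, "EngD": "clean"},
}

def consensus(verdicts, threshold=0.6):
    """Classify one submission from its per-engine verdicts.

    Returns (label, flagged, answered). 'malicious' when at least `threshold`
    of the engines that actually answered flagged the file, 'suspicious' when
    some but not enough did (often a lone false positive), 'clean' when none
    did, and 'unknown' when no engine answered at all.
    """
    answered = [v for v in verdicts.values() if v is not None]
    flagged = sum(1 for v in answered if v == "malicious")
    if not answered:
        return "unknown", 0, 0
    if flagged / len(answered) >= threshold:
        return "malicious", flagged, len(answered)
    if flagged:
        return "suspicious", flagged, len(answered)
    return "clean", flagged, len(answered)

def missed_detections(results, threshold=0.6):
    """Per engine, list the submissions the community consensus called
    malicious but this engine reported clean. An engine that returned no
    result is not charged with a miss, since it never rendered a verdict."""
    misses = defaultdict(list)
    for sample, verdicts in results.items():
        label, _, _ = consensus(verdicts, threshold)
        if label != "malicious":
            continue
        for engine, verdict in verdicts.items():
            if verdict == "clean":
                misses[engine].append(sample)
    return dict(misses)

if __name__ == "__main__":
    for sample, verdicts in SAMPLE_RESULTS.items():
        print(sample, consensus(verdicts))
    print(missed_detections(SAMPLE_RESULTS))
```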

Naturally, cybercriminals have responded by creating their own criminal versions of VirusTotal: so-called “no distribute” scanners. These services cater to malware authors, and use the same stable of antivirus tools, except they prevent these tools from phoning home to the antivirus companies about new, unknown variants.

On balance, it’s difficult to know whether the benefit that antivirus companies — and by extension their customers — gain by partnering with VirusTotal outweighs the mayhem enabled by these no-distribute scanners. But it seems clear that VirusTotal has helped antivirus companies and their customers do a better job focusing on threats that really matter, as opposed to chasing after (or cleaning up after) so-called “false positives”: benign files that erroneously get flagged as malicious.

And this is precisely the signal-to-noise challenge created by the proliferation of security tools used in a typical organization today: How to spend more of your scarce cybersecurity workforce, budget and time identifying and stopping the threats that matter and less time sifting through noisy but otherwise time-wasting alerts triggered by non-threats.

I’m not a big listener of podcasts, but I do find myself increasingly making time to listen to Risky Business, a podcast produced by Australian cybersecurity journalist Patrick Gray. Responding to today’s announcement on Chronicle, Gray said he likewise had few details about it but was looking forward to learning more.

“Google has so much data and so many amazing internal resources that my gut reaction is to think this new company could be a meteor aimed at planet Threat Intel™️,” Gray quipped on Twitter, referring to the burgeoning industry of companies competing to help other companies identify new threats and attack trends. “Imagine if other companies spin out their tools…Netflix, Amazon, Facebook etc. That could be a fundamentally reshaped industry.”

Well said. I also look forward to hearing more about how Chronicle works and, more importantly, if it works.

Full disclosure: Since September 2016, KrebsOnSecurity has received protection against massive online attacks from Project Shield, a free anti-distributed denial-of-service (DDoS) offering provided by Jigsaw — another subsidiary of Google’s parent company. Project Shield provides DDoS protection for news, human rights, and elections monitoring Web sites.


34 comments

  1. This news isn’t too surprising to me, as I’ve predicted AI-enhanced services for security for a while now. I’m surely not the only one saying that. Machine learning is the new wave taking on entire industries, not just data farms. I was hoping an anti-virus company would come up with their own home brew for something like this, and base it in the cloud to take processing power off the networks of the customers, not all of whom may have that kind of infrastructure, or be able to afford the hardware and personnel requirements.

    My hope is that some day I can buy a fairly reasonably priced UTM appliance that can be the loggerhead against intrusion and other malicious activity. Why should large corporations be the only benefactor of this new rush to capability? Would it be too much to dream it could interact with the customer like Amazon’s Echo?

    • You can get a free UTM from Sophos – you just need an old laptop to run the free UTM software on.

      • I use the free Sophos UTM for protecting my home and it works very well… once you get it configured. It is most likely not something a non-tech person would be able to set up, but it is the full UTM for free. Once it is configured, it is amazing the data you can see with regards to what device/app is communicating where.

        • Thanks for posting – I can imagine an Artificial Intelligence design could help even the most inept at setting up some pretty good network security. Even if it were machine learning, I figure an amateur could do some good, providing they could decipher the alerts properly.

  2. Nice plug for Patrick Gray’s podcast.
    I am in complete agreement as I find his podcast one of the few I make time to listen to.
    In a similar way I also make time to read your articles Brian.

  3. Excellent, very good write-up.
    Interesting, applying AI to reshape traffic. Sounds interesting. But how do you shield it, from the traffic. If it is actually AI, it must have rules for learning to differentiate “good from bad” traffic. So it would have to have a built-in latency, see data, run data, judgement, response. That would involve every line going in and doubling, and phase shifting, doubling of the maintenance personnel, more coffee pots, and potato chips. You would have to triple the revenue…

  4. Thanks, Brian. The biggest payoff will be to process security and event logs and correlate them with identified threats. The main problem with virus scans is they identify the malware, but not the vector. Being able to identify the holes in the security framework so they can be fixed (automatically?) will be a major advance.

  5. In my experience you get these terms machine learning and AI thrown at you by assholes trying to make a sale. You can sit at conferences with your buzzword bingo card. Not so with Alphabet. When I’m told they are rolling out an AI-driven platform and that it has the potential to shatter an entire industry, I’m inclined to believe it. How long will it take, I wonder, before Alphabet releases a general AI that does everything that any human can do, and better? Even write entertaining and informative blogs o.0

  6. Great news!

    This is a market with a lot of snake oil, and much of the problem (much like web search) is not getting the information, but understanding it and presenting the most relevant information depending on the user.

    If this is a free, or charged to the user through the Google Compute Platform ‘client pays’ model, this could really change the threat intel and threat response world – like VirusTotal has.

    We’ll have to wait and see…..

  7. I think Alphabet is aiming to take over at least 2 big industries: Threat Intel and SIEM. So many organizations are going the way of Splunk because it is the industry leader, only to have to redo their budgets once they use up their 3-year budget in less than a year. Add on top of that, a single organization can’t adequately aggregate and see patterns in their own data. Take EVERYONE’s data and you get a much better picture of what is happening on the internet. Seemingly the only group that has that kind of view might be Akamai.

    I think Chronicle is about to rewrite the playbooks on Threat Intel and SIEM.

  8. Better security is always welcome, but I wonder what Alphabet’s (Google’s) angle is on this, especially if it’s free. An excuse they wouldn’t otherwise have to parse and store massive amounts of data which might somehow be commercially valuable?

  9. The “good” AV companies are/have been doing something like this in their own, less-budgeted way for a while now: with machine learning, taking advantage of their users as data points, and combining information from multiple sources via the “cloud” to produce threat intelligence. I think Google’s venture is just another effort like that. The AVs have not entirely changed the game, but they do have better, faster protection. The malware guys are responding in a like manner, however, so I think the status quo remains.

    Regards,

  10. On first reading the headline I thought this was yet another Spectre and Meltdown article and was calling out Intel as a planet(ary) threat… 🙂

    • HA! HA! – for a split second, so did I. It is just too hard for me to think conspiracy theory when ALL the companies building CPU architecture are vulnerable in some way or another. It is just an industry wide design problem, and that is it. Gloomy though it is, for sure!

  11. MS already does this for Office 365 customers. Google is probably the only other company with the scale to be able to use the AI to do this across an enormous dataset.

    We are about 2/3 of the way through it and the insights we are seeing are eye opening.

  12. Randy Clairmont

    Isn’t IBM already doing this with their SIEM, QRadar with Watson?

    https://www.ibm.com/us-en/marketplace/cognitive-security-analytics

    It’s an obvious application for machine learning, so glad to see some products on the market. The next era will be AI vs. AI as the “bad guys” start leveraging it to analyze and find holes in our networks.

    Beyond analysis and alerting, this gets more useful when we can create AI systems that can take action without human interaction, such as shutting down a connection, locking an account, etc. Could cut incident response time from days or hours to milliseconds.

    • Watson’s analytics are horrible. They are truly less not worth the 200k+ they are wanting to charge for it. Seriously bad.

      • Watson is probably only as good as the team training it; but after a while, you would think the experience would add up. Watson may just not be too good at recognizing a new pattern of the same old bad network behavior. I have a feeling it would always be at least one step behind the black hats.

  13. “We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find”

    The key words I’m seeing here which intrigue me the most: “cost-effective” and “expensive”.

    Anyone who’s ever dealt with a SIEM that licenses based on events per second should know how expensive even small increases to the license can be. If Google can make collecting ALL logs a reality for companies unable or unwilling to pay what some of the major vendors currently charge, they could really undercut the market and gain huge market share very fast.

    • Collecting all logs is something that AristotleInsight (aristotleinsight.com) already does as just one piece of the all-in-one solution. The best part is that the entire solution is less than half of what you would pay for a traditional SIEM.

  14. Neither Krebs’ post, nor the two posts from Alphabet that he cites, mention AI.

  15. Brian,

    I make sure I read your writings on my RSS feed and Facebook so I do not miss anything. Thank you for what you do for us in I.T. and consumers! – Earlwallace

  16. Captain Speculation here! If this service is about gathering data for cyber security, that is fairly easy. The hard part is making sense of the data along with human analysis. Once you get an alert from Google, then what? Is Google going to call you and step you thru the problem and remedy?

    Additionally, this Google data might have latency and thus have no real-time threat intel (Good SIEMs have real-time alerting).

    I would be concerned that data leaving your private network and headed to Google is no longer private. If you are willing to give Google all of your log/event data in exchange for inexpensive cyber security, that’s an interesting barter.

    How would Google produce a huge security data lake and monetize it? And it seems expensive if they have to store this data long-term.

  17. This project sounds a lot like AristotleInsight (https://www.aristotleinsight.com).

  18. Is this a cure or caution ⚠
