Modern detection for modern threats
By Carrie McDaniel, Product Marketing Manager, Google Cloud Security
At Chronicle, we believe it's time for a better way to do detection. As the IT landscape becomes more complex and attackers continue to evade current security tools, it's clear that prevention alone falls short. The rapid adoption of the ATT&CK framework also highlights the expanding attack surface and the advancement of modern threats.
Recently we announced the availability of Chronicle's threat detection capabilities. Since joining Google Cloud, the Chronicle team has been innovating on our investigation and hunting platform to bring you Chronicle Detect, a set of modern detection capabilities built on Google infrastructure to help you identify threats at unparalleled speed and scale.
Accurate threat detection depends on several components. The first is diverse, high-value security telemetry to run detections on. High-volume, rich data such as EDR or XDR data is hard to use effectively for investigation or detection because of limitations around scale, performance, and cost. Using our Google-scale platform, security teams can send all of their security telemetry to Chronicle at a fixed cost, so that detections can take the full picture into account.
Data sent to Chronicle is incorporated into its Unified Data Model (UDM), a data model built for security telemetry relevant to threat detection such as EDR, NDR, DNS, proxy, and SaaS. Data in Chronicle's UDM is enriched with context (e.g. asset or threat intelligence) and correlation (e.g. IP to host), creating a platform that is broader than SIEM and builds toward the vision of XDR.
With Chronicle Detect, you can use rules out of the box, build your own, or migrate rules from legacy tools. Our next-generation rules engine lets analysts build detection rules for complex threat behavior by operating on abstracted, enriched UDM data. The rules engine is driven by the YARA-L threat detection language, which was designed by and for security practitioners to express complex threat behavior directly, rather than merely to query data that is later repurposed for detection.
Customers can also take advantage of detection rules and threat indicators from Uppercase, Chronicle's dedicated threat research team. Uppercase intelligence spans the latest crimeware, APTs, and unwanted malicious programs, and includes detection rules pre-mapped to emerging ATT&CK techniques and sequences. Uppercase-provided IOCs (such as high-risk IPs, hashes, domains, and registry keys) are matched against all security telemetry in your Chronicle instance, so you are notified when high-risk threat indicators are present.
To help with incident response, Chronicle now offers SOC playbook- and orchestration-ready APIs and integrations with leading vendors such as Palo Alto Cortex XSOAR, D3 SOAR, Siemplify, and Splunk Phantom. Chronicle instances, APIs, and search parameters are accessible directly within SOAR platforms, enabling customers to combine real-time threat detection and investigation with SOAR playbooks.
We're also excited to let you know about new global availability and data localization options. Chronicle now has expanded data center support for all capabilities, including Chronicle Detect, in Europe and the Asia Pacific region.