Chronicle, a cybersecurity company within Google Cloud, announced a new real-time threat detection tool on Wednesday called Chronicle Detect.
The tool is the culmination of Chronicle’s efforts to build a rules engine that can handle complex analytic events, flesh out a new threat detection language tuned for modern attacks and take advantage of the security advantages offered by Google’s scale. Additionally, Chronicle Detect is designed to make it easy for enterprises to move from legacy security tools, or to better analyze data collected with endpoint security solutions like CrowdStrike.
“We see this as giving customers the tools they need not only to investigate things at Google scale but also to attack those things early enough in ways they couldn’t do before,” Rick Caccia, head of marketing for Google Cloud Security, told ZDNet. “It allows our customers to write rules that describe behaviors of attackers, and we can detect those things at massive scale, and do it in real-time.”
Chronicle Detect customers can use the advanced out-of-the-box rules, build their own, or migrate rules over from legacy tools. The rules engine incorporates YARA, a widely used, open-source language for writing rules that detect malware.
YARA-L, a language for describing threat behaviors, is the foundation of the Chronicle Detect rules engine. The Chronicle team created YARA-L and debuted it earlier this year to apply to security logs and other telemetry, such as EDR data and network traffic. YARA-L (the L stands for logs) lets security analysts write rules better suited to detecting the types of modern threats described in MITRE ATT&CK (a framework that organizes and categorizes the tactics and techniques used by bad actors).
Chronicle Detect also includes a Sigma-YARA converter, so customers can port their Sigma-based rules to the platform.
The new tool also includes threat intelligence and detection rules from Uppercase, Chronicle’s dedicated threat research team. Uppercase researchers have access to a variety of novel tools, techniques, and data sources (including Google Threat Intelligence and a number of industry feeds) that help them uncover the latest crimeware, APTs, and other unwanted or malicious programs.
Meanwhile, security teams can send their security telemetry to Chronicle at a fixed cost, giving them a way to leverage the reams of data collected by tools like CrowdStrike. Chronicle Detect maps that data to a common data model across machines, users, and threat indicators so that users can quickly apply powerful detection rules to a unified data set.
Enterprises have more data than ever before to analyze and help them understand threats, Caccia said. “The bad news is, most can’t make sense of terabytes of information flowing at them. And a lot of these attacks are pretty complex.”