Chronicle, the Google Cloud security unit that reportedly has struggled in recent months, has expanded its firepower.
Last week at the RSA cybersecurity conference in San Francisco, Google Cloud announced among other additions integration between Chronicle and Palo Alto Networks’ brand-new Cortex XSOAR, a threat intelligence management platform with playbook-driven automation.
The partnership with Palo Alto "is a vote of confidence from a highly respected security industry heavyweight," Kenneth G. Hartman, security consultant and instructor at the SANS Institute, told DCK.
Chronicle came out of Google parent Alphabet’s X R&D lab, which works on moonshot ideas and operates in secret. Chronicle ran as an independent company since early 2018 until last year becoming part of Google Cloud. Its core product used to be called Backstory, but the company is now referring to it simply as Chronicle.
The solution collects a customer’s security-related log data and applies to it the might of Google’s machine learning capabilities and massive internet footprint to fight cyberattacks. One big problem it has faced in the enterprise market, however, is trust.
"I think many established enterprises may not trust it sufficiently to send a Google company all of that data to mine," Hartman said.
Another part of the problem, experts say, is that Google isn't as good as its biggest competitors in the cloud market at selling enterprise-class services to large corporations.
According to the market research firm Canalys, Google currently trails far behind Amazon Web Services and Microsoft Azure in market share. In a report last month, Canalysis said that AWS had 32 percent of the market as of the end of 2019, Azure 18 percent, and Google was in third place with just 6 percent.
Google’s other RSA announcements included new fraud prevention, threat detection, and timeline capabilities in Chronicle. The cloud provider had beefed up its security offerings with several announcements in the run-up to RSA as well.
Some of its new security features are designed to go beyond Google's own platform, said Rick Caccia, head of security marketing for Google Cloud. Security products like Chronicle can run wherever a customer needs to use them, he said, including in other clouds or in their own data centers.
"Our sales team can sell these security solutions directly to enterprise buyers with their own budgets like the CISO or the chief risk officer," he said. Google can even sell these products to companies that aren't its cloud-platform customers, he added.
"They can still benefit from the scale and advanced protections that Chronicle’s security analytics and our user protection services like reCAPTCHA Enterprise or Web Risk API offer," he said.
Why would anyone want to use Google's security tools without being a Google cloud customer? According to Caccia, it's because they can get all the capabilities of Google infrastructure and threat intelligence.
"In the case of data center managers, it means they can apply the scale and speed of cloud-native security analytics to their data center apps, without migrating those apps to the cloud," he explained. "For example, Chronicle’s new detection capabilities can be applied to logs and telemetry from systems running in data centers, but at cloud scale."
That makes it easier to find, verify, and respond to new threats, Caccia said. "For example, quickly discovering a new piece of malware on a server, communicating with a bad domain, and then pivoting to find every machine in the data center that has also communicated with that domain enables the security team to respond to that malware before it might cause damage."
This could be a good tool for data center managers, “but there are many other tools out there that they can use today to solve similar problems," Thomas Hatch, CTO and co-founder at SaltStack, a cybersecurity automation company, told us.
Google does enable enterprises to combine data from multiple sources into a high-level dashboard of threats while also allowing for specific threats to be detected, he said. "But it is also difficult to tell how deep the product goes given that the announcement is somewhat vague."
SANS Institute's Hartman suggested that Google’s announcements were less a direct answer to AWS Guard Duty or Azure Threat Protection and more a pitch of alternatives to some smaller players in the management security services provider space.
There were two security announcements last week where Google had something unique to offer: the general release of reCAPTCHA Enterprise and Web Risk API.
"To me this makes lots of sense," Hartman said. "reCAPTCHA is something that Google does very well and has great adoption. Doing CAPTCHA correctly is hard, because it has to be easy for humans but hard for bots."
With attackers increasingly using AI to mimic human behavior to, say, abuse online sign-up forms, this challenge is only getting harder, he said.
"The nice thing about reCAPTCHA Enterprise is that there are no obfuscated characters to decipher," he said. "Instead, they use various other signals from your browsing session to determine that the user is not a bot.
The tool leverages Google's depth of experience with online user behavior.
Similarly, its Web Risk API takes advantage of the fact that Google has spent years amassing large amounts of data about unsafe web domains. "It makes sense that Google would commercialize it and offer it for the enterprise," Hartman said.
