
Google's sister security firm Chronicle launches ‘Backstory’

  • Liam Tung (CSO Online)
  • 05 March, 2019 07:47

A year after Google parent company Alphabet unveiled the security company Chronicle, it has launched its first product, called Backstory.

The service, announced on Monday at the RSA security conference, allows companies to privately upload petabytes of internal security telemetry data to a private container within Google’s cloud infrastructure in order to detect and investigate new security threats. It’s based on services and tools that Google built to protect its own network.

Companies would upload data such as DNS traffic, netflow, output from security information and event management (SIEM) tools, device logs, proxy logs and so on, which is then analyzed and indexed by Chronicle’s analytics engine.

The idea behind the service is to allow companies to store more security data, for longer, than they previously may have done due to budget constraints. This should allow security analysts to go back further in time to pinpoint a particular malware attack and dig up potential indicators of compromise (IOCs).

Backstory is integrated with VirusTotal, the malware intelligence service that Google acquired in 2012 and which became part of Chronicle when the company was announced. The service is also integrated with threat intelligence services from security firms Avast and Proofpoint.

Chronicle’s “fixed pricing” licensing model for Backstory is meant to challenge rivals that charge customers based on the amount of information they process, and should address the problem of organizations choosing to sacrifice data to keep within budget.

The example Chronicle uses is the hack of the Democratic National Committee (DNC), which resulted in the 2016 leak of thousands of emails from Hillary Clinton’s campaign. The DNC and a security vendor missed a piece of Linux malware that communicated with the domain “linuxkrnl.net”.

Analysts would then search for the domain using Chronicle’s VirusTotal Private Graph, which would return all the IP addresses and domain names related to the suspect domain.
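The retrospective hunt described above, as an added example that is not Chronicle’s code or code from the article: constructed DNS log lines are searched for the “linuxkrnl.net” domain (and its subdomains), once over the full history and once over a 30-day window, to show what a shorter retention period would miss. The log format, hostnames, timestamps and the `NOW` reference date are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample DNS log: "<timestamp> <client ip> <queried name>". Not real data.
DNS_LOG = """\
2018-11-02T09:14:03Z 10.0.3.17 update.linuxkrnl.net
2018-11-02T09:14:05Z 10.0.3.17 cdn.example.org
2018-12-18T22:01:44Z 10.0.7.42 linuxkrnl.net
2019-01-05T03:30:12Z 10.0.3.17 linuxkrnl.net
2019-02-27T11:45:09Z 10.0.9.8 mail.example.org
2019-02-28T16:02:51Z 10.0.7.42 files.linuxkrnl.net
"""

# Assumed "current" date for the hunt (constructed).
NOW = datetime(2019, 3, 4)


def parse_dns_log(text):
    """Parse the constructed log into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append((stamp, client, qname.lower().rstrip(".")))
    return records


def matches_domain(qname, domain):
    """True for the domain itself or any subdomain; 'notlinuxkrnl.net' does not match."""
    return qname == domain or qname.endswith("." + domain)


def hunt(records, domain, now=NOW, retention_days=None):
    """Return {client: (first_seen, last_seen)} for contacts with the domain.
    If retention_days is set, only records inside that window before `now` are
    searched, simulating a SIEM that discarded older telemetry."""
    hits = {}
    for ts, client, qname in records:
        if retention_days is not None and ts < now - timedelta(days=retention_days):
            continue
        if matches_domain(qname, domain):
            first, last = hits.get(client, (ts, ts))
            hits[client] = (min(first, ts), max(last, ts))
    return hits


def earliest_contact(hits):
    """(client, first_seen) of the earliest hit, or None when nothing matched."""
    if not hits:
        return None
    client = min(hits, key=lambda c: hits[c][0])
    return client, hits[client][0]
```

With the full history the first contact is attributed to 10.0.3.17 in November 2018; with only 30 days retained, that host disappears entirely and the earliest visible contact shifts to 10.0.7.42 at the end of February.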

The Chronicle service will go head-to-head with Microsoft’s just-announced security analytics services, Threat Hunter and Azure Sentinel, which Microsoft is pitching as the “first native SIEM within a major cloud platform”.

The two cloud giants will take on SIEM market leaders, including Splunk, IBM, LogRhythm and AT&T-owned AlienVault, some of which now offer SIEM services via Amazon Web Services.