Chronicle: One Year Later — Anton’s Reflections
RSA 2020 is a good time to reflect upon trends and evolution of our industry, and the players. This post is about our own evolution.
Chronicle launched its security analytics platform at RSA 2019. While I was not there at launch, I feel I can do the reflecting anyway, partly as the outsider I was then, and now as an insider.
I learned of Chronicle a bit before RSA 2019, when I was first briefed on the technology and introduced to the team. It was definitely a case of “love at first sight.” As I stated in my original post in June 2019, “what I see in Chronicle is an amazing technology platform, transparent business model, stellar team and huge potential for changing how we do security.” Now, as I am writing this in February 2020, much of the above is still here, though admittedly not all. However, the changes that happened since that day brought new and exciting opportunities to change the world of security in more ways than before.
So, after that initial meeting, I observed Chronicle’s progress from my analyst vantage point. Let me reveal a secret here: Chronicle’s launch at RSA 2019 was one for the history books. I don’t mean that as a marketing exaggeration, but in terms of the measurable impact on the industry.
Here, let me quantify this. If you’re an analyst, a new vendor launch gets reflected in your inbound client inquiry flow. In essence, do clients ask about the new company and their technology? In many cases, successful vendors appear in inbound inquiry activity within 1 to 2 years, when enough analyst firm clients hear about them and want to know if this new technology applies to their environments.
Chronicle was different. Clients’ questions flooded the inquiry inboxes within days of the launch, and the flood continued for months. Dozens of organizations were asking about Chronicle, and that created a perfect storm of interest. Later on, I learned that the inbound pipeline generated by Chronicle looked like the one a healthy three-year-old security start-up might have.
Admittedly, not everybody was happy (no link, sorry!). As with every acquisition, there was a period of uncertainty and stress. Some code that should have been written perhaps wasn’t. However, a new exciting mission has emerged from this period of uncertainty!
To be sure, the new mission does not have a cool catchphrase like “Give Good The Advantage,” but it has the breadth beyond threat detection/response and the depth of Google experiences and resources behind it.
First, some great things stayed pretty much the same. Many customers and partners continue to love the Chronicle Backstory product. Note that they do so both because we save them money compared to alternatives (due to our per-user pricing model and one year data retention) and also because we help solve real problems they have today.
We are expanding to Europe, Australia and Asia this year. New partners are coming online too — if you are an MSSP or an MDR with an outdated or expensive back-end platform (and yes, even “free” can be expensive if done wrong), come use Chronicle.
We can still search any/all structured telemetry data we have in 0.25 seconds. We can still match threat indicators to massive log piles. The UI keeps getting better and new data sources are being integrated all the time.
Second, some things changed for the better. We are now part of the security unit of Google Cloud, with more fun products on the way. These products will leverage the assets only Google has — our scale, our experience, our engineering resources, our leading web browser, etc. Some of the products are already out, while others are being built as we speak.
The new unit has responsibilities for security of our cloud, security of customer resources in our cloud and — with Chronicle and other products — for security beyond our cloud.
The Chronicle platform itself is getting a huge value boost from our detection engine, which runs YARA-L, a new detection language. The language is aimed at changing how we — and hopefully later others — do detection engineering and detect new threats. Our rules scale massively, run over enriched data, cover a broad range of security telemetry (beyond logs) and enable detection of advanced threats with minimal threat analysis and with no need to train any algorithm. These detection features are backed by a clear event schema that works across logs, endpoint telemetry and traffic data. More posts on YARA-L are coming this week.
Other things are not finished yet, but they are very exciting — and may or may not involve machine learning…
To conclude, the future is bright! Admittedly, it’s a different future than most of us envisioned, but it is bright. Google can and will change how organizations practice cybersecurity and will enable more organizations to secure themselves with the same tools and approaches Google has successfully applied to its own security…
*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/chronicle-one-year-later-antons-reflections-10386491f3cd?source=rss-11065c9e943e——2