Exploit This

Security News, Exploits, and Vulnerabilities.

Chronicle: A Meteor Aimed At Planet Threat Intel?

Alphabet Inc., the parent company of Google, said today it is in the process of rolling out a new service designed to help companies more quickly make sense of and act on the mountains of threat data produced each day by cybersecurity tools.

Countless organizations rely on a hodgepodge of security software, hardware and services to find and detect cybersecurity intrusions before an incursion by malicious software or hackers has the chance to metastasize into a full-blown data breach.

The problem is that the sheer volume of data produced by these tools is staggering and increasing each day, meaning already-stretched IT staff often miss key signs of an intrusion until it’s too late.

Enter “Chronicle,” a nascent platform being developed by the tech giant’s “X” division, which is a separate entity tasked with tackling hard-to-solve problems with an eye toward leveraging the company’s core strengths: Massive data analytics and storage capabilities, machine learning and custom search capabilities.

“We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find,” wrote Stephen Gillett, CEO of the new venture.

Few details have been released yet about how exactly Chronicle will work, although the company did say it would draw in part on data from Virustotal, a free service acquired by Google in 2012 that allows users to scan suspicious files against dozens of commercial antivirus tools simultaneously.

Gillett said his division is already trialing the service with several Fortune 500 firms to test the preview release of Chronicle, but the company declined to name any of those participating.

ANALYSIS

It’s not terribly clear from Gillett’s post or another blog post from Alphabet’s X division by Astro Teller how exactly Chronicle will differentiate itself in such a crowded market for cybersecurity offerings. But it’s worth considering the impact that Virustotal has had over the years.

Currently, Virustotal handles approximately one million submissions each day. The results of each submission get shared back with the entire community of antivirus vendors who lend their tools to the service — which allows each vendor to benefit by adding malware signatures for new variants that their tools missed but that a preponderance of other tools flagged as malicious.

Naturally, cybercriminals have responded by creating their own criminal versions of Virustotal: So-called “no distribute” scanners. These services cater to malware authors, and use the same stable of antivirus tools, except they prevent these tools from phoning home to the antivirus companies about new, unknown variants.

On balance, it’s difficult to know whether the benefit that antivirus companies — and by extension their customers — gain by partnering with Virustotal outweighs the mayhem enabled by these no-distribute scanners. But it seems clear that Virustotal has helped antivirus companies and their customers do a better job focusing on threats that really matter, as opposed to chasing after (or cleaning up after) so-called “false positives,” — benign files that erroneously get flagged as malicious.

And this is precisely the signal-to-noise challenge created by the proliferation of security tools used in a typical organization today: How to spend more of your scarce cybersecurity workforce, budget and time identifying and stopping the threats that matter and less time sifting through noisy but otherwise time-wasting alerts triggered by non-threats.

I’m not a big listener of podcasts, but I do find myself increasingly making time to listen to Risky Business, a podcast produced by Australian cybersecurity journalist Patrick Gray. Responding to today’s announcement on Chronicle, Gray said he likewise had few details about it but was looking forward to learning more.

“Google has so much data and so many amazing internal resources that my gut reaction is to think this new company could be a meteor aimed at planet Threat Intel™️,” Gray quipped on Twitter, referring to the burgeoning industry of companies competing to help companies trying to identify new threats and attack trends. “Imagine if other companies spin out their tools…Netflix, Amazon, Facebook etc. That could be a fundamentally reshaped industry.”

Well said. I also look forward to hearing more about how Chronicle works and, more importantly, if it works.

Full disclosure: Since September 2016, KrebsOnSecurity has received protection against massive online attacks from Project Shield, a free anti-distributed denial-of-service (DDoS) offering provided by Jigsaw — another subsidiary of Google’s parent company. Project Shield provides DDoS protection for news, human rights, and elections monitoring Web sites.

Leave a Reply

%d bloggers like this: