Google Chronicle: The forward-thinking solution for threat hunting

Chronicle is a new threat hunting platform developed by Google. Built on Google's cloud infrastructure and threat-feed technology, it gives analysts the ability to deep-dive into accessible, enriched logs.

It gives companies 12 months of hot storage with sub-second search. It takes what Google Search does and gives it to the security industry: a question such as “How many devices accessed this IP address in the past 12 months?” is answered in a single click, something the cybersecurity industry hasn’t really seen before.

Nowhere to hide for malicious actors

While that is a feat in itself, Chronicle takes it further: it takes IOC (Indicator of Compromise) feeds from multiple sources, including government agencies and VirusTotal, and applies them to the data it ingests.

All ingested data is indexed, so every time Chronicle sees a new IOC it automatically retro-searches the existing index for it.

This means there is truly nowhere to hide for malicious actors: the moment an indicator is on the radar, an analyst can pivot off it to build a detailed timeline of when the environment was first infected and which other devices were involved.

This gives coverage of ‘low and slow’ infections across the whole retention window: an indicator that only becomes known months after the initial compromise still matches the events from back then. Chronicle presents the data so that the analyst gets a comprehensive view of what happened before and after, from every log source ingested into the platform.

Well-thought-out visualisation of this data makes it easy to identify interesting patterns of behaviour:

Chronicle screenshot

The screenshot above shows all of that in action. In one view we see a rare domain, the process that interacted with it, and then clear beaconing activity, which streamlines the analyst's workflow. As for what data the platform can consume, Chronicle made it clear there are not really any limits.
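To make the retro-search and the screenshot's rare-domain/beaconing view concrete, here is an added toy example in Python; it is not Chronicle's code, data or line format. It indexes constructed DNS, proxy and EDR lines at ingest time, runs a newly received IOC retrospectively against that index to give the first-seen time, the first host and every other host and process involved, pulls a host's surrounding events from all sources, and scores how regular a host's contacts with an indicator are, which is what a beaconing pattern looks like. The line format, hostnames, domains, IP and process names are all made up.

```python
"""Toy retro-hunt index over constructed log lines (added example, not Chronicle code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Optional

# Constructed sample telemetry in a made-up line format (assumption, not a real schema):
#   <ISO timestamp> <source> <host> <process or -> <indicator>
# ws-12 contacts cdn-cache.example.net about every ten minutes from updater.exe;
# ws-07 resolves the same domain once, a day later.  Everything else is noise.
SAMPLE_LOGS = """\
2023-03-01T09:00:00 dns   ws-12 updater.exe cdn-cache.example.net
2023-03-01T09:05:00 dns   ws-07 browser.exe www.example.com
2023-03-01T09:06:00 dns   ws-12 browser.exe www.example.com
2023-03-01T09:07:00 dns   ws-21 browser.exe www.example.com
2023-03-01T09:08:00 proxy ws-33 browser.exe www.example.com
2023-03-01T09:09:00 proxy ws-40 browser.exe www.example.com
2023-03-01T09:10:03 proxy ws-12 updater.exe cdn-cache.example.net
2023-03-01T09:19:58 proxy ws-12 updater.exe cdn-cache.example.net
2023-03-01T09:30:01 proxy ws-12 updater.exe cdn-cache.example.net
2023-03-01T09:40:00 proxy ws-12 updater.exe cdn-cache.example.net
2023-03-01T09:41:00 edr   ws-12 updater.exe 203.0.113.7
2023-03-02T14:02:13 dns   ws-07 updater.exe cdn-cache.example.net
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    host: str
    process: Optional[str]
    indicator: str


class LogIndex:
    """Index every event by indicator and by host once, at ingest time."""

    def __init__(self) -> None:
        self.by_indicator: dict[str, list[Event]] = defaultdict(list)
        self.by_host: dict[str, list[Event]] = defaultdict(list)

    def ingest(self, text: str) -> int:
        """Parse the made-up line format and index each event; returns events ingested."""
        count = 0
        for line in text.splitlines():
            if not line.strip():
                continue
            ts, source, host, process, indicator = line.split()
            ev = Event(datetime.fromisoformat(ts), source, host,
                       None if process == "-" else process, indicator)
            self.by_indicator[indicator].append(ev)
            self.by_host[host].append(ev)
            count += 1
        for events in (*self.by_indicator.values(), *self.by_host.values()):
            events.sort(key=lambda e: e.ts)
        return count

    def retro_search(self, ioc: str) -> Optional[dict]:
        """Run a newly received IOC against everything already indexed."""
        hits = self.by_indicator.get(ioc)
        if not hits:
            return None
        return {
            "first_seen": hits[0].ts,
            "first_host": hits[0].host,
            "hosts": sorted({e.host for e in hits}),
            "processes": sorted({e.process for e in hits if e.process}),
            "hits": hits,
        }

    def host_timeline(self, host: str, around: datetime, minutes: int = 5) -> list[Event]:
        """Everything the host did, from any log source, within +/- minutes of a point in time."""
        lo, hi = around - timedelta(minutes=minutes), around + timedelta(minutes=minutes)
        return [e for e in self.by_host.get(host, []) if lo <= e.ts <= hi]

    def rare_indicators(self, max_hosts: int = 2) -> set[str]:
        """Indicators contacted by at most max_hosts hosts: a cheap 'rare domain' filter."""
        return {ind for ind, evs in self.by_indicator.items()
                if len({e.host for e in evs}) <= max_hosts}


def beacon_score(timestamps: list[datetime]) -> Optional[tuple[float, float]]:
    """(mean gap in seconds, coefficient of variation of the gaps); a low CV means regular beaconing."""
    if len(timestamps) < 3:
        return None  # two contacts give one gap, not enough to judge regularity
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


if __name__ == "__main__":
    idx = LogIndex()
    idx.ingest(SAMPLE_LOGS)
    result = idx.retro_search("cdn-cache.example.net")  # the "new IOC" arriving after ingest
    print("first seen", result["first_seen"], "on", result["first_host"], "hosts", result["hosts"])
    ws12 = [e.ts for e in result["hits"] if e.host == "ws-12"]
    print("ws-12 beacon (mean seconds, cv):", beacon_score(ws12))
    print("rare indicators:", idx.rare_indicators())
```

The point of the toy is the ordering: indexing happens once at ingest, so a retro-search for an IOC that arrives a day after the traffic is a lookup rather than a re-scan, and the surrounding-events query shows why the process and the follow-on EDR event sit next to the beacon in one view.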

All Chronicle needs to do is index the data. If it can't do that straight away, the Chronicle team will work with the end user to get their data ingested onto the platform, and that support is then added to the product so everybody benefits. Even in its infancy Chronicle can take in DHCP, DNS, proxy and EDR logs, with most of the major vendors already supported.

The speed isn't limited to search; it extends to ingestion too, as Chronicle scales out dynamically. Log collection is simple as well, using a containerised collector with multiple ingestion methods.

If you already have existing solutions, Chronicle can also consume feeds from them, giving businesses the freedom to migrate to the cloud or to augment their existing SIEMs.

What does this mean?

Unlimited log collection and storage, sub-second query responses across the entire log data set, and clean, informative presentation of data with all associated context on hand, all scalable and readily available in the cloud.