By Anton Chuvakin, Head of Solutions Strategy at Google Cloud

It is with much excitement that we release a new paper about transforming your security operations, published under the Office of the CISO at Google Cloud.

This work is focused on our vision and lessons learned in building effective security operations for the future. We spent a lot of time thinking about what to call the new model. We decided on “Autonomic Security Operations” for the vision (the previous contender was “10X SOC”).

Now, when we say “autonomic” here, we do not mean “without people” or “fully automated.” All of…


By Rajesh Gwalani, Chronicle Product Manager

Chronicle is purpose-built on the power of Google’s infrastructure to help security teams run security operations at unprecedented speed and scale. Today, we’re excited to announce that we’re bringing more industry-leading Google technology to security teams by integrating Chronicle with Looker and BigQuery. Backed by this powerful toolset, security analysts can create brand new visual workflows that increase efficiency and improve outcomes in the Security Operations Center (SOC).

New Looker visualizations in Chronicle

Chronicle’s new visualizations — powered by Looker, Google Cloud’s business intelligence (BI) and analytics platform — enables a multitude of new…


By Matthew Svensson, Senior Security Engineer at BetterCloud

If you read the prior blog post, How to dynamically correlate Google Cloud Compute Engine instance network traffic using Chronicle, you understand how we can dynamically correlate IP addresses in network traffic logs, like Zeek, to the cloud compute instance hostname.

The next problem we have to solve is how we can create alerts on these data to identify when a cloud instance reaches out to a new domain.

To get a list of unique domains, you COULD take all of the Zeek http.log and ssl.log files, put them into a SIEM…


Following up from last week’s blog post on why network security telemetry matters today, our guest author Matt Svensson, a Senior Security Engineer at BetterCloud, discusses how you can use Chronicle to dynamically correlate IP addresses in network traffic logs — like Zeek — to events on Compute Engine instances.

By Matthew Svensson, Senior Security Engineer at BetterCloud

Cloud infrastructure has made it operationally simple to scale your application and run rolling updates to instances with no downtime.

This has also made network visibility a seemingly unsolvable headache. Even if you are doing traffic mirroring and creating Zeek logs, cloud…


By Anton Chuvakin — Head of Solutions Strategy at Chronicle

Chronicle recently hosted a very well-attended webinar with ISACA focused on the characteristics of a modern SOC (see “Trend for the Modern SOC” for a replay link). We got a lot of great questions, and would like to follow up on these and highlight some of the answers.

Q: You mentioned that SOC is first a team: which skills are expected to distinguish the “basic” SOC from the modern SOC?

A: Skills such as threat hunting, threat intelligence, and data analytics are key characteristics of a modern SOC. While these…


By Anton Chuvakin (originally posted at Anton on Security)

While we may live in an endpoint security era, the need for network data analysis today has not vanished. As we discussed during a recent webinar with Chronicle partner Corelight, this is not about competing with endpoint or arguing about what security telemetry is “better” — this is about reminding the security leaders and professionals that your network telemetry matters. This was not only the case in the 1980s (when tcpdump was born), 1990s, 2000s, 2010s, but also today in the 2020s.

To summarize, network security monitoring still matters because you…


Today we’re excited to announce Google Cloud Threat Intelligence for Chronicle, a new applied threat intelligence service available to Chronicle customers. This new service surfaces highly actionable threats in Chronicle environments based on Google’s collective insight and research into Internet-based threats. Using Threat Intelligence for Chronicle, security teams can take advantage of a curated, high fidelity threat intelligence service that allows you to focus on real threats in the environment and accelerate your response time.

See high fidelity threat indicators in your environment, validated hands-on by threat researchers

Threat Intel for Chronicle is exclusively curated for enterprise customers by Uppercase…


The Chronicle team is excited to release new SOC Prime detection rules, now available to use in the Chronicle Detect rules engine. SOC Prime Threat Detection Marketplace is the industry standard one-stop shop for Detection as Code operations and practices, offering access to detection signatures across multiple languages. This new set of detection content makes it simple for security teams to incorporate and build new threat detection rules, and apply them across all the security telemetry stored in Chronicle.

The capabilities of the Chronicle Detect rules engine are accessed using the YARA-L threat detection language which was designed by and…


(By Anton Chuvakin and originally posted at Anton on Security)

One thing I did not expect to see in 2021 is a lot of people complaining about how difficult their SIEM is to operate.
Let’s explore this topic for the (n+1)-th time. And let me tell you … that “n” is pretty damn large since my first involvement with SIEM in January 2002 (!) — examples, examples, examples.

Anton’s old SIEM presentation from 2012 (source, date: 2012)

Before we go, we need to separate the SIEM tool operation difficulties from the SIEM mission difficulties. To remind, the mission that the…


As more organizations embrace hybrid, multi-cloud environments and a work-from-anywhere model, security teams are realizing they operate in the “age of expansion.” More technology and data assets to secure, more telemetry data to analyze, more security tools to manage, more alerts to sort, and — in turn — more threats to defend against. This compounding threat environment has security teams asking, how do we focus on the threats that matter the most?

To position security teams to better handle their security posture and make faster security decisions across multiple layers of the organization, we’re excited to announce that Google Cloud…

Chronicle

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store