By Anton Chuvakin — Head of Solutions Strategy at Chronicle

Chronicle recently hosted a very well-attended webinar with ISACA focused on the characteristics of a modern SOC (see “Trend for the Modern SOC” for a replay link). We got a lot of great questions, and would like to follow up on these and highlight some of the answers.

Q: You mentioned that SOC is first a team: which skills are expected to distinguish the “basic” SOC from the modern SOC?

A: Skills such as threat hunting, threat intelligence, and data analytics are key characteristics of a modern SOC. While these…


By Anton Chuvakin (originally posted at Anton on Security)

While we may live in an endpoint security era, the need for network data analysis today has not vanished. As we discussed during a recent webinar with Chronicle partner Corelight, this is not about competing with endpoint or arguing about what security telemetry is “better” — this is about reminding the security leaders and professionals that your network telemetry matters. This was not only the case in the 1980s (when tcpdump was born), 1990s, 2000s, 2010s, but also today in the 2020s.

To summarize, network security monitoring still matters because you…


Today we’re excited to announce Google Cloud Threat Intelligence for Chronicle, a new applied threat intelligence service available to Chronicle customers. This new service surfaces highly actionable threats in Chronicle environments based on Google’s collective insight and research into Internet-based threats. Using Threat Intelligence for Chronicle, security teams can take advantage of a curated, high fidelity threat intelligence service that allows you to focus on real threats in the environment and accelerate your response time.

See high fidelity threat indicators in your environment, validated hands-on by threat researchers

Threat Intel for Chronicle is exclusively curated for enterprise customers by Uppercase…


The Chronicle team is excited to release new SOC Prime detection rules, now available to use in the Chronicle Detect rules engine. SOC Prime Threat Detection Marketplace is the industry standard one-stop shop for Detection as Code operations and practices, offering access to detection signatures across multiple languages. This new set of detection content makes it simple for security teams to incorporate and build new threat detection rules, and apply them across all the security telemetry stored in Chronicle.

The capabilities of the Chronicle Detect rules engine are accessed using the YARA-L threat detection language which was designed by and…


(By Anton Chuvakin and originally posted at Anton on Security)

One thing I did not expect to see in 2021 is a lot of people complaining about how difficult their SIEM is to operate. Let’s explore this topic for the (n+1)-th time. And let me tell you … that “n” is pretty damn large since my first involvement with SIEM in January 2002 (!) — examples, examples, examples.

Anton’s old SIEM presentation from 2012 (source, date: 2012)

Before we go, we need to separate the SIEM tool operation difficulties from the SIEM mission difficulties. To remind, the mission that the…


As more organizations embrace hybrid, multi-cloud environments and a work-from-anywhere model, security teams are realizing they operate in the “age of expansion.” More technology and data assets to secure, more telemetry data to analyze, more security tools to manage, more alerts to sort, and — in turn — more threats to defend against. This compounding threat environment has security teams asking, how do we focus on the threats that matter the most?

To position security teams to better handle their security posture and make faster security decisions across multiple layers of the organization, we’re excited to announce that Google Cloud…


As enterprises look to more efficiently manage the incident response process, Security Orchestration, Automation, and Response (SOAR) platforms have steadily gained traction. These tools help SOC teams speed up security operations and create consistency when it comes to responding to security threats.

To help customers take advantage of their incident response toolkit, Chronicle now offers SOC playbook and orchestration-ready APIs and integrations with leading SOAR vendors such as D3 Security, IBM, Palo Alto Networks, ServiceNow, Siemplify, Splunk, and Swimlane. …


By Anton Chuvakin (originally posted at Anton on Security)

Back in August, we released our first Google/Chronicle — Deloitte Security Operations Center (SOC) paper titled “Future of the SOC: Forces shaping modern security operations” (launch blog, paper PDF) and promised a series of three more papers covering SOC people, process and technology.

Here is the next paper “Future of the SOC: SOC People — Skills, Not Tiers” (PDF) and you can easily guess it focuses on the PEOPLE aspect of the SOC. …


By Anton Chuvakin (originally posted at Anton on Security)

Security continues to be a top concern for cloud customers, and therefore continues to be a driver of our business at Google Cloud. However, specific security priorities vary wildly by vertical, by organization size, and by many other factors.

In fact, many “CISO priorities lists” are floating out there online and many people claim to know “what CISOs want.” My analyst years taught me to be skeptical about such claims, if only because there are vast differences between CISOs of different organizations, in terms of security maturity, for example. …


(By Anton Chuvakin and originally posted at Anton on Security)

While creating a recent presentation, I needed a slide on “threat detection is hard.” And it got me thinking, why is threat detection so hard for so many organizations today? We can trace the “cyber” threat detection to 1986 (“Cuckoo’s Egg”) and 1987 (first IDS) and perhaps even earlier events (like viruses of the early 1980s). This means we are “celebrating” ~35 years of cyber threat detection.

However, many organizations would gladly tell you today, in 2020, that “detection is hard” for them. But why? …
