SAN FRANCISCO — Alphabet’s Chronicle looks to give enterprises an advantage with a new service called Backstory that can parse and analyze vast amounts of security telemetry.
Chronicle, which Alphabet launched as a security startup in 2018, said the Backstory cloud service can assist organizations that produce large amounts of security telemetry but don’t have the internal staff or resources to put all of the data into context. The data includes everything from endpoint and network proxy logs to DNS traffic. Chronicle claims the service can handle 50 petabytes of information in about a second.
During a press event here at RSA Conference 2019 Monday, Chronicle CSO and co-founder Mike Wiacek used the Democratic National Committee (DNC) breach in 2016 as an example of how Backstory can pick up signs in security telemetry that might otherwise be missed. The DNC hack saw Linux malware called X-Agent lurk on the DNC’s network for several months after the breach was first detected.
The X-Agent malware communicated with a specific domain, linuxkrnl.net. Wiacek said a simple check of that domain with Backstory would have revealed suspicious activity with the URL and informed the organization of every one of its devices that connected to that URL. But most organizations only keep “a few weeks of network traffic,” so many enterprises and security analysts are essentially blind, the company said in a blog post.
Potential users like the sound of the service, but want more information.
“There’s nothing out there like this right now, which makes it interesting,” said Adam Kujawa, director of malware intelligence at Malwarebytes. “But you’re essentially paying Chronicle to give them your data.”
Backstory promises intelligence and privacy
Chronicle said enterprises’ data “remains private – it isn’t scanned by or available to anyone for other purposes.” Organizations can upload telemetry data to Backstory and store it in a private cloud instance built on Google’s core infrastructure. The Backstory cloud service scans the security telemetry and runs it through Chronicle’s analytics engine to normalize, correlate and index the data to give organizations actionable intelligence that’s easy for organizations to understand.
In addition, several third-party cybersecurity vendors have partnered with the company around Backstory. Antivirus vendor Avast and email security vendor Proofpoint have embedded their threat intelligence feeds directly into the Backstory analytics engine and dashboard. Endpoint security vendor Carbon Black also integrated its endpoint detection and response data with Backstory.
The Backstory service serves as the first official product launch from Chronicle. In September, Chronicle introduced VirusTotal Enterprise, a new version of the free security scanner that allows users and organizations to submit files and URLs for analysis. Alphabet subsidiary Google acquired VirusTotal in 2012, and Chronicle began operating the scanning service after the company was launched last year.
Chronicle’s blog post said other services that allow organizations to upload their security data often charge based on the volume of data uploaded by customers. Chronicle said Backstory is “licensed differently” than other services, but the company didn’t offer specific details on how the licensing plans work.