Sometimes great old blog posts are hard to find (especially on Medium), so I decided to do a periodic (who am I kidding, occasional — not periodic) list blog with my favorite posts of the past quarter or so.
Here is my first. The posts below are ranked by lifetime views and topic. It covers both Anton on Security and my posts from Google Cloud blog.
Top 3 most popular posts of all time:
Security operations / detection &…
Security continues to be a top concern for cloud customers, and therefore continues to be a driver of our business at Google Cloud. However, specific security priorities vary wildly by vertical, by organization size, and by many other factors.
In fact, many “CISO priorities lists” are floating out there online and many people claim to know “what CISOs want.” My analyst years taught me to be skeptical about such claims, if only because there are vast differences between CISOs of different organizations, in terms of security maturity, for example. …
My post “Why is Threat Detection Hard?” proved to be one of the most popular in the recent history of my new blog. In this post, I wanted to explore a seemingly obvious yet surprisingly fascinating aspect of detection: uncertainty.
Uncertainty? Are you sure, Anton? :-)
Well, maybe!
Let’s start our journey by exploring the classic fallacy, “if you can detect [the threat], why can’t you prevent it?” Back in 2016, I hit this point really hard here; notice the first argument I made there. Threat detection, if done well, carries uncertainty, inherently and by design.
OK, you want to argue? Sure! Suppose you are one of those people who only wants to deploy rules / signatures that have exactly ZERO “false positives,” thus removing a big chunk of the uncertainty, if not all of it. In some cases, this may be a hangover from having opaque vendor detections, where a team couldn’t actually determine the logic of a signature beyond a cryptic string message. …
So, I’ve been doing some blogging at Google Cloud blog with most posts connected to products, launches, etc. However, I am also doing a fun blog series on DLP in the cloud. Blog 1 is here, and blog 2 is here — you can also see a long quote from the second one below.
Note that our DLP (called Cloud DLP because we loooove creative product names here) can do a lot of very cool “tricks” related to data transformation, data de-identification and even re-identification risk analysis (due to its privacy origins). These cool capabilities will be covered in the next blogs in the series, because, frankly, they are quite magical and deserve to be better known and more widely used. …
While creating a recent presentation, I needed a slide on “threat detection is hard.” And it got me thinking: why is threat detection so hard for so many organizations today? We can trace “cyber” threat detection back to 1986 (“Cuckoo’s Egg”) and 1987 (first IDS), and perhaps even earlier events (like the viruses of the early 1980s). This means we are “celebrating” ~35 years of cyber threat detection.
However, many organizations would gladly tell you today, in 2020, that “detection is hard” for them. But why? Naturally, I posted my draft slide on Twitter and lively discussion ensued.
As a result, I updated my slide to…
My old $employer blog has vanished and a lot of content of value to the community went down with it. Naturally, I do not own the IP and I cannot go to archive.org and bring it back to life.
However, I will make an exception for this post. Because it (and this is my ego talking, natch) exudes pure awesomeness!
— — — — — — — — — start repost — — — — — — — — —
About a year ago, I crowdsourced a collection of best/worst tips for Vendor Briefings (a one-hour presentation from a technology vendor to a Gartner analyst) from other analysts, and now I have finally found time to blog it, thanks to some motivation from the Twitterverse. …
A lot of people ask me how Chronicle is doing inside Google Cloud (TLDR: doing well), and I wanted to share some good news. I also wanted to reveal some of our lessons building our threat detection capabilities (that we just released).
If you recall, we announced our YARA-L detection language at RSA 2020. Naturally, many people loved it, and our capabilities have grown since then. Here is what we learned and then built as a result:
One more idea that has been bugging me for years is the idea of “detection as code.” Why is it bugging me, and why should anybody else care?
First, is “detection as code” just a glamorous term for what you did when you loaded your Snort rules into CVS in, say, 1999? Well, not exactly.
What I mean by “detection as code” is a more systematic, flexible and comprehensive approach to threat detection that is somewhat inspired by software development (hence the “as code” tag). …
Back in 2015, while working on a Gartner SOC paper, I coined the concept of “SOC nuclear triad” which later morphed into “SOC visibility triad” or even “security visibility triad.” The thing then became very popular with some security vendors, especially with the NDR variety (example, example).
The model was originally built to demonstrate the necessary security visibility via three pillars:
The model referred to “security visibility” as something that is broader than detection or investigation (response) alone. In fact, one can detect in any of the channels separately, or run detection content on a platform that has more than one type of data. Same for investigations: having all three security visibility pillars means that you won’t miss anything big during the incident response process. …
Many of the cloud security and, in fact, cloud computing discussions ultimately distill to trust. Note that the concept of trust is much broader than cyber security, and even broader than a triad of security / privacy / compliance.
For example, trust may involve geopolitical matters focused on data residency and data sovereignty. At the same time, trust may even be about emotional matters, something far removed from the digital domain of bits and bytes, reaching all the way up to society as a whole.
In a decade since the rise of cloud computing, a lot of research has been generated on the topic of cloud trust. Notably, today the very concept of “using public cloud” is inseparably connected to “trusting your cloud provider.” …