Chronicle: Can I Get The Backstory?

Get the backstory…instantly

Chronicle is launching Backstory today. In a nutshell, Backstory is the first global security telemetry platform designed for a world that thinks in petabytes. It’s a big milestone for us and one we hope will give enterprises a major leap over the current data storage and compute systems holding back their security.

Before going deeper into our new Backstory product, it’s first important to understand Chronicle’s own backstory to this point.

Just over a year ago we announced Chronicle, a new Alphabet company, focused entirely on enterprise cybersecurity. Our mission, Give Good the Advantage, is fueled by our ability to leverage significant resources to give security professionals an entirely new class of tools, perspectives, and abilities that aim to counter, and even leap ahead of, the capabilities of our antagonists.

We believe the power of the security community is our best defense against aggressive and determined attackers. By offering a global platform with the ability to apply massive computational capacity to an ever-growing set of enterprise security data, our goal is for Chronicle to help enterprise customers, as well as other vendors, to better protect what matters most. Many of us came to Chronicle from Google and had deep experience protecting Google’s own infrastructure, as well as developing core building blocks of that infrastructure. Others have spent years in the security industry at leading product firms. Chronicle combines these experiences — Google and Industry — to deliver new solutions to a significant problem.

In late January 2019, the Wall Street Journal profiled how Google’s Threat Analysis Group (TAG) protects Google’s own infrastructure. The article describes specific capabilities: global threat intelligence via VirusTotal, a unified dashboard called Nirvana that ties multiple tools together, and TAG itself, a team of threat analysis experts who make sense of the information flowing through these tools. The capabilities described in the WSJ article are extremely powerful, and many organizations would love to have these abilities within their own cyber teams.

Chronicle’s products were inspired by these tools and techniques, and are now available for other organizations to use.

VirusTotal is part of Chronicle, and we spent last year releasing new VT features and products. Two of Chronicle’s founders were also founders of Google’s TAG, and the Chronicle insights team applies those skills to find new threats. In December, some of those analysts discovered the return of the Shamoon malware targeting oil and gas companies. The missing piece is a powerful investigation, analytics, and hunting system to tie together a customer’s internal network activity, external threat intelligence, and curated internal threat signals. Such a system would give analysts the context they need to protect their organizations…i.e. the backstory.

Enter Backstory.

Introducing Backstory

Backstory is a global cloud service where companies can privately upload, store, and analyze their internal security telemetry to detect and investigate potential cyber threats.

How does it work? Chronicle built a new layer over core Google infrastructure where you can upload your security telemetry, including high-volume data such as DNS traffic, netflow, endpoint logs, proxy logs, etc., so that it can be indexed and automatically analyzed by our analytics engine. Your data remains private — it isn’t scanned by or available to anyone for other purposes.

Backstory compares your network activity against a continuous stream of threat intelligence signals, curated from a variety of sources, to detect potential threats instantly. It also continuously compares any new piece of information against your company’s historical activity, to notify you of any historical access to known-bad web domains, malware-infected files, and other threats. Backstory was designed for a world where companies generate massive amounts of security telemetry and struggle to hire enough trained analysts to make sense of it.

Building a system that can analyze large amounts of telemetry for you won’t be useful if you are penalized for actually loading all of that information. Too often, vendors charge customers based on the amount of information they process. Since most organizations generate more data every year, their security bills keep rising, but they aren’t more secure. Backstory is licensed differently, making it easy for you to get value from your own data.

As ESG cybersecurity analyst Jon Oltsik recently wrote, it’s not unusual for CISOs to complain about burning through a three-year security intelligence budget in a year. Backstory’s licensing model can fix that problem.

We’ve spent the past year testing it with organizations ranging in size from 500 to 500,000 employees, some with large security teams and others whose security team is the IT manager. Backstory helps all of these companies get insights about threats and attacks on their networks.

A Real World Example: The DNC Hack

Let’s make this more concrete with an example you may have heard about recently.

In July 2018, the U.S. Department of Justice filed an indictment against 12 Russians for the hack of DNC/DCCC confidential information. The indictment describes how the DNC retained the services of a security vendor to help eradicate the intrusion, but because the vendor missed a Linux-based piece of malware, the intrusion continued and eventually resulted in the leak of DNC emails and other materials.

The U.S. DOJ “DNC Hack” indictment identifies linuxkrnl.net as the malicious domain

Specifically, the Linux malware was programmed to communicate with the web domain linuxkrnl.net. The DNC and its vendor missed this and the breach continued (page 12, paragraph 32).

Upon reading this indictment, the first thing a security analyst at a company (for example, a global bank) might ask himself is “Has any machine at our company ever communicated with linuxkrnl.net?”

Seems simple, but since most organizations retain — at best — only a few weeks of network traffic, if the leak happened before that, the analyst is blind.

Now let’s take a short detour: web domains link to IP addresses, a domain can have different IP addresses over time, and to compound the challenge, multiple domains can resolve to a particular IP address. So, which IP addresses has linuxkrnl.net linked to since it was created, and do any other domains link to any of those IPs? If so, then our analyst would need to search for communication to any and all of those domains, back to the point of their creation. How would our analyst do that?

VirusTotal Graph Shows Relationships Between Malware, Domains, IP Addresses, etc.

A savvy analyst who’s been following Chronicle’s announcements this past year would start with VirusTotal Private Graph, part of VirusTotal Enterprise. Type linuxkrnl.net into Private Graph and from its billions of files it returns all IP addresses and domain names related to linuxkrnl.net. We quickly see that there are dozens of domain names related to linuxkrnl.net: updatepc.org, mswordupdate17.com, softwaresupportsv.com, etc. Did anyone in our company access any of these domains — or any of the IP addresses they linked to — at any time? If so, we may have already lost confidential information. Most companies simply have no way to answer this. They don’t collect the right telemetry and they don’t retain it for more than a week or two even when they do collect it.

Enter Backstory. Backstory gives organizations a private and secure cloud instance, built on core Google infrastructure, to store all of their telemetry. Backstory normalizes, indexes, and correlates the data, against itself and against third party and curated threat signals, to provide instant analysis and context regarding risky activity. With Backstory, our analyst would know, in less than a second, every device in the company that communicated with any of these domains or IP addresses, ever. Put differently, when this company’s CEO asked “could our bank have been hit by the same attack as the DNC?” our analyst could immediately answer “no, we’re safe” or “yes, we’d better take action.”

Can your security team do the same?

Launch Week: RSA San Francisco

From day one, we have talked about working with the security community to help our customers protect themselves. At RSA 2019 we announced our Index Partner program, including other security companies that have committed to integrate their products with Backstory, so that our mutual customers can automatically get insights about attacks from all of their security products. We also introduced our special Insight Partners, who have embedded their threat intelligence into the Backstory dashboard and analytics engine to offer insights about threats to any endpoint. Security companies Avast and Proofpoint are our inaugural Insight Partners. Finally, we demonstrated our integration with Carbon Black, an endpoint security company, where Backstory correlates Carbon Black’s telemetry with data from other products, over a much longer time horizon than is possible otherwise. Our channel partners will be offering the joint solution shortly.

To learn more, please visit https://chronicle.security/products/backstory/ or register for a Backstory webinar at: https://go.chronicle.security/webinar-introducing-backstory