Long before Phil Venables got to Google Cloud, he had it on his mind that someone needed to fix the technology that powers security operations, the day-to-day work of monitoring and responding to alerts that is the heart of cyberdefense for many organizations. Ideally, they’d create a new security operations platform that would require less time spent managing data and setting up “plumbing” between tools.
At Google Cloud, Venables is helping to lead the initiative to do just that with Chronicle Security Operations, the cloud platform’s most ambitious foray into the cybersecurity tools market so far. Venables, formerly the longtime chief information security officer at Goldman Sachs, is now the CISO at Google Cloud, which he joined in late 2020.
The successor to Google Cloud’s Chronicle security analytics platform, Chronicle Security Operations is “a great boon for security teams in enterprises, because they don’t want to have to do plumbing. They just want to see the output and actually protect their enterprises,” Venables told Protocol in an interview. “And so I think that’s going to be an immense change.”
Today, Google Cloud announced the launch of Chronicle Security Operations in conjunction with its Next 2022 conference. The platform integrates Chronicle’s pre-existing security analytics with new capabilities for automated response to detected issues, such as remediation of a compromise, from its acquisition of Siemplify. Chronicle Security Operations is now in preview.
According to Google Cloud executives, the usefulness of the updated Chronicle product for security operations teams will get a further boost from the integration of expertise and threat intelligence from Mandiant, which Google acquired for $5.4 billion in a deal that closed last month.
Mandiant “gives us early access to the types of cyberthreats that are emerging,” Google Cloud CEO Thomas Kurian said in an interview with Protocol. “We want to take that information and feed it into our [Chronicle] security operations platform, which lets people analyze if they have been compromised by a new threat.”
As Google Cloud seeks to become a bigger player in the cybersecurity tools market, Chronicle is proving to be its most promising opportunity. Specifically, Chronicle is aiming to be a cloud-native replacement for the security information and event management, or SIEM, tools that countless security teams rely upon, often in on-premises data centers.
In addition to enabling improved threat detection, response, and remediation, Chronicle aims to solve some of the most vexing problems faced by security teams.
Chronicle, for example, leverages Google Cloud’s infrastructure-as-a-service to sharply reduce the cost and scalability constraints associated with using event logs — the data that is necessary for security teams to spot threats and attacks — in on-premises infrastructure, according to Google Cloud executives.
Chronicle can ingest data from all clouds and on-premises environments, and a customer doesn’t need to run any of its workloads on Google Cloud in order to use Chronicle, as is the case for a number of existing Chronicle customers, Venables said.
Chronicle also addresses the difficulties around acquiring and plugging in threat intelligence, crucial for keeping up with ever-intensifying and evolving cyberthreats, in a few ways. Google’s own visibility into digital threats is among the broadest in the industry thanks to the size of its operation, and the company’s acquisition of Mandiant will fill out the picture substantially — all of which will feed into Chronicle’s threat-detection capabilities, the executives said.
Ultimately, “we want to both identify the new flavors of threats that are emerging and speed up the automation of how you protect against threats,” said Kurian, a former Oracle executive who’s been leading Google Cloud’s charge into the enterprise market as a whole.
Industry analysts told Protocol that Google Cloud has a lot of potential to meet the needs of security teams with Chronicle, but it still has a lot to prove.
A new market for Google
All three of the major U.S. public cloud platforms are expanding their own portfolios of cybersecurity tools, each with a distinct strategy.
Microsoft sells a broad set of tools covering just about all of the core areas of enterprise security, spanning endpoint, cloud, identity, and security operations. The latter category includes Microsoft’s cloud-native SIEM, Sentinel, which competes directly with Chronicle.
AWS has a growing selection of tools as well, though its focus is mainly on helping customers securely use the AWS cloud itself.
Google Cloud’s strategy falls somewhere in between those of the two larger public clouds: It’s not trying to do everything, but it’s also looking well beyond its own platform by supporting hybrid and multicloud environments.
“I view this as Google entering a whole new market, which is that every corporation in the world needs good security. And every corporation in the world is struggling,” said Peter Firstbrook, vice president and analyst at Gartner. The thinking at Google Cloud, he said, would seem to be that security is actually a data problem — “‘and we’re good at data problems.’”
SIEM software can aggregate, monitor, and search the log data that’s generated by security tools, infrastructure, and applications. The aim is to spot the irregularities and flag them for a closer look by the security operations staff. As it became clear there was no way a human could keep tabs on the never-ending stream of events that need to be logged for security purposes, SIEM emerged in the early 2000s as the technology to do that. It was a great idea, at the time.
Fast-forward two decades, and the explosion of log data created by the heavily digitized workplace has thrown SIEM off-kilter. One of the chief challenges, as Venables noted, has been ingesting and managing all this data. And the scarcity of talent has made the challenge even more pronounced.
That’s one place where Chronicle Security Operations, as a cloud-native SIEM from a major infrastructure-as-a-service platform, aims to set itself apart. On-premises data centers are limited by how much physical storage they’ve got at any given moment; if there’s a spike in log data, something else will have to be purged. Significant staff time has to be allocated to managing the log data as its volume fluctuates.
The public cloud doesn’t have these limits, which, of course, has been its pitch from the beginning. Chronicle customers benefit from the fact that “on a platform like Google that has this huge scale, there’s essentially no limit to how much data we can put through this,” Venables said.
Google Cloud has sought to distinguish Chronicle from other SIEM products, both on-premises and cloud-based, when it comes to pricing for data ingestion. SIEMs have traditionally charged customers based on how much data needed to be ingested, which became unsustainable with the growth in log data, said Allie Mellen, senior analyst at Forrester.
Chronicle, on the other hand, abandons ingest-based pricing in favor of charging based on the number of employees that a customer has, Mellen noted. This type of cost model is great for the customer but creates unpredictability for the vendor, because it’s tough to know how much data will need to be ingested. That has made it “very difficult for other vendors to maintain this” when they’ve tried, she said.
On the other hand, a well-endowed company that operates its own cloud, like Google, “can handle a bit of unpredictability,” Mellen said. “They own the infrastructure, so they can charge a lot less for having customers who use it.”
For customers, that simplifies the licensing of Chronicle and allows them to “bring in whatever logs you want, and be able to query those logs quite quickly, without spending a ton of money,” she said.
Integrating Mandiant
The acquisition of Mandiant, which closed on Sept. 12, brings a variety of upsides for Google Cloud’s push into the security market, analysts and partners said.
In the world of incident-response services, which provide investigation and remediation after a breach, Mandiant is the marquee name. Without a doubt, linking up Google Cloud’s security business with Mandiant “adds a level of credibility” with customers, said Benny Henderson, cloud practice manager at IT services provider World Wide Technology.
The acquisition of Mandiant, which has about 2,500 employees, also brings Google Cloud a huge influx of security talent. The acquisition shows that at Google Cloud, “they understand that [security] is not just a technical problem, it’s also a people problem,” Firstbrook said.
While Google has significant threat intelligence capabilities from what it sees happening on the internet, Mandiant’s widely respected threat intelligence “comes from actual incidents,” Venables said. In some cases, this can provide details on an earlier phase of an attack observed on the internet, he said.
As a result, by taking Mandiant’s threat intelligence and feeding it into Chronicle, “you get proactive alerting” on cyberthreats, Venables said.
[Photo: Kevin Mandia, the founder and CEO of Mandiant. Credit: Drew Angerer/POOL/AFP via Getty Images]
Kevin Mandia, the founder and CEO of Mandiant, told Protocol in an interview that the opportunity to pair Mandiant’s cyberthreat expertise with Google Cloud’s software and security is to “automate this hard-to-find security expertise.”
The goal is “to make sure we automate as much as we possibly can, to better defend our customers,” Mandia said.
Competitive market
Leveraging the cloud to fix security operations is a relatively recent idea, but given the dissatisfaction with traditional SIEM tools, the opportunity is enormous, Gartner’s Firstbrook said.
And thanks to Google Cloud’s differentiators in SIEM, “they’re in a good position to take over” the market, he said. “The market share leaders in the SIEM market are very vulnerable. They’re perceived as legacy vendors, there’s not a lot of love from their customers,” Firstbrook said.
The other vendor that’s in a prime position is Microsoft with its Sentinel cloud-native SIEM, he said, “and they have a bit of a head start over Google, because they already have a pretty large install base of Sentinel customers.”
Chronicle customers that have been disclosed to date include Vertiv, Morgan Sindall Group, Groupon, BBVA, BetterCloud, and Telepass.
Certainly, Google Cloud is making the case that it’s serious about providing security tools through moves such as the acquisition of Mandiant, according to George Burns, senior consultant for cloud operations at custom software developer SPR. But he wants to see Google Cloud stick with the effort for a while before he’s ready to view the company as a real player in the market.
Microsoft, on the other hand, already has a “killer security product” in SIEM, Burns said. “I think Sentinel is amazing for what it is.”
Chronicle Security Operations is also competing with startups in cloud-native SIEM such as Devo, which achieved a $2 billion valuation in June and counts AT&T, Sonos, and Unisys among its customers. Like Chronicle, Devo’s pitch to customers includes an emphasis on enabling the use of far more security data and a significantly lower cost.
Additionally, “I think what we offer is independence — in terms of, a lot of people don’t want their cloud provider also being their security eyes and ears,” said Devo CEO Marc van Zadelhoff.
Hybrid and multicloud
Notably, Chronicle treats data from the other public cloud platforms, including AWS and Microsoft Azure, and from on-premises systems, no differently than data from Google Cloud.
By comparison, Microsoft Sentinel encourages the use of Azure and other Microsoft products by not charging for ingestion of data from those sources, Mellen said. Pricing for using data from outside Microsoft’s cloud services with Microsoft Sentinel is based on the amount of data ingested, she said.
“It’s definitely a big differentiator for [Google Cloud] that we can ingest so many things from multiple platforms,” Venables said.
“We recognize that we’re living in a multicloud, hybrid environment, and that any reasonably sized customer isn’t just running on GCP or they’re not just running on AWS or Azure,” he said. “They’re running on many different platforms, including SaaS platforms, including on-premises. And we’ve got to meet them where they are with our security solutions.”
In contrast to Microsoft’s preferential treatment for data from its own products in security tools, and AWS’ focus on providing tools to secure and govern workloads on its own platform, Google Cloud seems genuinely interested in providing products to help customers with security across their cloud environments, said Anshu Sharma, co-founder and CEO of data privacy technology vendor Skyflow.
“Google is the most aggressive in positioning themselves as a cloud security vendor that’s multicloud-friendly,” Sharma said.
Ultimately, Venables said he believes the fact that Chronicle addresses so many of the woes associated with security operations will resonate widely. Instead of security teams spending “half of their day doing plumbing between tools,” this part of the process “is just a flick of the switch” with Chronicle Security Operations, he said.
And with Chronicle getting infused with Mandiant’s threat intelligence and expertise, Venables said, “I don’t think there’s anything like it.”