Google Cloud wants cybersecurity market share. Chronicle is its way in.

Executives including Thomas Kurian, Phil Venables, and Kevin Mandia told Protocol that Google Cloud’s Chronicle Security Operations platform offers numerous advantages over the competition, including unique threat intelligence from Mandiant.

Thomas Kurian, chief executive officer of cloud services at Google, speaks during the Google Cloud Next '19 event in San Francisco

“We want to both identify the new flavors of threats that are emerging and speed up the automation of how you protect against threats,” Google Cloud CEO Thomas Kurian told Protocol.

Photo: Michael Short/Bloomberg via Getty Images

Long before Phil Venables got to Google Cloud, he had it on his mind that someone needed to fix the technology that powers security operations, the day-to-day work of monitoring and responding to alerts that is the heart of cyberdefense for many organizations. Ideally, they’d create a new security operations platform that would require less time spent managing data and setting up “plumbing” between tools.

At Google Cloud, Venables is helping to lead the initiative to do just that with Chronicle Security Operations, the cloud platform’s most ambitious foray into the cybersecurity tools market so far. Venables, formerly the longtime chief information security officer at Goldman Sachs, is now the CISO at Google Cloud, which he joined in late 2020.

The successor to Google Cloud’s Chronicle security analytics platform, Chronicle Security Operations is “a great boon for security teams in enterprises, because they don’t want to have to do plumbing. They just want to see the output and actually protect their enterprises,” Venables told Protocol in an interview. “And so I think that’s going to be an immense change.”

Today, Google Cloud announced the launch of Chronicle Security Operations in conjunction with its Next 2022 conference. The platform integrates Chronicle’s pre-existing security analytics with new capabilities for automated response to detected issues, such as remediation of a compromise, from its acquisition of Siemplify. Chronicle Security Operations is now in preview.

According to Google Cloud executives, the usefulness of the updated Chronicle product for security operations teams will get a further boost from the integration of expertise and threat intelligence from Mandiant, which Google acquired for $5.4 billion in a deal that closed last month.

Mandiant “gives us early access to the types of cyberthreats that are emerging,” Google Cloud CEO Thomas Kurian said in an interview with Protocol. “We want to take that information and feed it into our [Chronicle] security operations platform, which lets people analyze if they have been compromised by a new threat.”

As Google Cloud seeks to become a bigger player in the cybersecurity tools market, Chronicle is proving to be its most promising opportunity. Specifically, Chronicle is aiming to be a cloud-native replacement for the security information and event management, or SIEM, tools that countless security teams rely upon, often in on-premises data centers.

In addition to enabling improved threat detection, response, and remediation, Chronicle aims to solve some of the most vexing problems faced by security teams.

Chronicle, for example, leverages Google Cloud’s infrastructure-as-a-service to sharply reduce the cost and scalability constraints associated with using event logs — the data that is necessary for security teams to spot threats and attacks — in on-premises infrastructure, according to Google Cloud executives.

Chronicle can ingest data from all clouds and on-premises environments, and a customer doesn’t need to run any of its workloads on Google Cloud in order to use Chronicle, as is the case for a number of existing Chronicle customers, Venables said.

Chronicle also addresses the difficulties around acquiring and plugging in threat intelligence, crucial for keeping up with ever-intensifying and evolving cyberthreats, in a few ways. Google’s own visibility into digital threats is among the broadest in the industry thanks to the size of its operation, and the company’s acquisition of Mandiant will fill out the picture substantially — all of which will feed into Chronicle’s threat-detection capabilities, the executives said.

Ultimately, “we want to both identify the new flavors of threats that are emerging and speed up the automation of how you protect against threats,” said Kurian, a former Oracle executive who’s been leading Google Cloud’s charge into the enterprise market as a whole.

Industry analysts told Protocol that Google Cloud has a lot of potential to meet the needs of security teams with Chronicle, but it still has a lot to prove.

A new market for Google

All three of the major U.S. public cloud platforms are expanding their own portfolios of cybersecurity tools, each with a distinct strategy.

Microsoft sells a broad set of tools covering just about all of the core areas of enterprise security, spanning endpoint, cloud, identity, and security operations. The latter category includes Microsoft’s cloud-native SIEM, Sentinel, which is a direct competitor with Chronicle.

AWS has a growing selection of tools as well, though its focus is mainly on helping customers securely use the AWS cloud itself.

Google Cloud’s strategy falls somewhere in between those of the two larger public clouds: It’s not trying to do everything, but it’s also looking well beyond its own platform by supporting hybrid and multicloud environments.

“I view this as Google entering a whole new market, which is that every corporation in the world needs good security. And every corporation in the world is struggling,” said Peter Firstbrook, vice president and analyst at Gartner. The thinking at Google Cloud, he said, would seem to be that security is actually a data problem — “‘and we’re good at data problems.’”

SIEM software aggregates, monitors, and searches the log data generated by security tools, infrastructure, and applications, with the aim of spotting irregularities and flagging them for a closer look by security operations staff. SIEM emerged in the early 2000s once it became clear that no human could keep tabs on the never-ending stream of events that need to be logged for security purposes. It was a great idea, at the time.


Fast-forward two decades, and the explosion of log data created by the heavily digitized workplace has thrown SIEM off-kilter. One of the chief challenges, as Venables noted, has been ingesting and managing all this data. And the scarcity of talent has made the challenge even more pronounced.

That’s one place where Chronicle Security Operations, as a cloud-native SIEM from a major infrastructure-as-a-service platform, aims to set itself apart. On-premises data centers are limited by how much physical storage they’ve got at any given moment; and if there’s a spike in log data, something else will have to be purged. Significant staff has to be allocated toward all this managing of the log data as its quantity fluctuates.

The public cloud doesn’t have these limits, which, of course, has been its pitch from the beginning. Chronicle customers benefit from the fact that “on a platform like Google that has this huge scale, there’s essentially no limit to how much data we can put through this,” Venables said.

Google Cloud has sought to distinguish Chronicle from other SIEM products, both on-premises and cloud-based, when it comes to pricing for data ingestion. SIEMs have traditionally charged customers based on how much data needed to be ingested, which became unsustainable with the growth in log data, said Allie Mellen, senior analyst at Forrester.

Chronicle, on the other hand, abandons ingest-based pricing in favor of charging based on the number of employees that a customer has, Mellen noted. This type of cost model is great for the customer but creates unpredictability for the vendor, because it’s tough to know how much data will need to be ingested. That has made it “very difficult for other vendors to maintain this” when they’ve tried, she said.

On the other hand, a well-endowed company that operates its own cloud, like Google, “can handle a bit of unpredictability,” Mellen said. “They own the infrastructure, so they can charge a lot less for having customers who use it.”

For customers, that simplifies the licensing of Chronicle and allows them to “bring in whatever logs you want, and be able to query those logs quite quickly, without spending a ton of money,” she said.

Integrating Mandiant

The acquisition of Mandiant, which closed on Sept. 12, brings a variety of upsides for Google Cloud’s push into the security market, analysts and partners said.

In the world of incident-response services, which provide investigation and remediation after a breach, Mandiant is the marquee name. Without a doubt, linking up Google Cloud’s security business with Mandiant “adds a level of credibility” with customers, said Benny Henderson, cloud practice manager at IT services provider World Wide Technology.

The acquisition of Mandiant, which has about 2,500 employees, also brings Google Cloud a huge influx of security talent. The acquisition shows that at Google Cloud, “they understand that [security] is not just a technical problem, it’s also a people problem,” Firstbrook said.

While Google has significant threat intelligence capabilities from what it sees happening on the internet, Mandiant’s widely respected threat intelligence “comes from actual incidents,” Venables said. In some cases, this can provide details on an earlier phase of an attack observed on the internet, he said.

As a result, by taking Mandiant’s threat intelligence and feeding it into Chronicle, “you get proactive alerting” on cyberthreats, Venables said.

Kevin Mandia (left), the founder and CEO of Mandiant, with SolarWinds CEO Sudhakar Ramakrishna and Microsoft president Brad Smith during the Senate Intelligence Committee hearing on February 23, 2021. Mandia told Protocol the goal is “to make sure we automate as much as we possibly can, to better defend our customers.” Photo: Drew Angerer/POOL/AFP via Getty Images

Kevin Mandia, the founder and CEO of Mandiant, told Protocol in an interview that the opportunity to pair Mandiant’s cyberthreat expertise with Google Cloud’s software and security is to “automate this hard-to-find security expertise.”

The goal is “to make sure we automate as much as we possibly can, to better defend our customers,” Mandia said.

Competitive market

Leveraging the cloud to fix security operations is a relatively recent idea, but given the dissatisfaction with traditional SIEM tools, the opportunity is enormous, Gartner’s Firstbrook said.

And thanks to Google Cloud’s differentiators in SIEM, “they’re in a good position to take over” the market, he said. “The market share leaders in the SIEM market are very vulnerable. They’re perceived as legacy vendors, there’s not a lot of love from their customers,” Firstbrook said.


The other vendor that’s in a prime position is Microsoft with its Sentinel cloud-native SIEM, he said, “and they have a bit of a head start over Google, because they already have a pretty large install base of Sentinel customers.”

Chronicle customers that have been disclosed to date include Vertiv, Morgan Sindall Group, Groupon, BBVA, BetterCloud, and Telepass.

Certainly, Google Cloud is making the case that it’s serious about providing security tools through moves such as the acquisition of Mandiant, according to George Burns, senior consultant for cloud operations at custom software developer SPR. But he wants to see Google Cloud stick with the effort for a while before he’s ready to view the company as a real player in the market.

Microsoft, on the other hand, already has a “killer security product” in SIEM, Burns said. “I think Sentinel is amazing for what it is.”

Chronicle Security Operations is also competing with startups in cloud-native SIEM such as Devo, which achieved a $2 billion valuation in June and counts AT&T, Sonos, and Unisys among its customers. Like Chronicle, Devo’s pitch to customers includes an emphasis on enabling the use of far more security data and a significantly lower cost.

Additionally, “I think what we offer is independence — in terms of, a lot of people don’t want their cloud provider also being their security eyes and ears,” said Devo CEO Marc van Zadelhoff.

Hybrid and multicloud

Notably, Chronicle treats data from the other public cloud platforms, including AWS and Microsoft Azure, and from on-premises systems, no differently than data from Google Cloud.

By comparison, Microsoft Sentinel encourages the use of Azure and other Microsoft products by not charging for ingestion of data from those sources, Mellen said. Pricing for using data from outside Microsoft’s cloud services with Microsoft Sentinel is based on the amount of data ingested, she said.

“It’s definitely a big differentiator for [Google Cloud] that we can ingest so many things from multiple platforms,” Venables said.

“We recognize that we’re living in a multicloud, hybrid environment, and that any reasonably sized customer isn’t just running on GCP or they’re not just running on AWS or Azure,” he said. “They’re running on many different platforms, including SaaS platforms, including on-premises. And we’ve got to meet them where they are with our security solutions.”

In contrast to Microsoft’s preferential treatment for data from its own products in security tools, and AWS’ focus on providing tools to secure and govern workloads on its own platform, Google Cloud seems genuinely interested in providing products to help customers with security across their cloud environments, said Anshu Sharma, co-founder and CEO of data privacy technology vendor Skyflow.


“Google is the most aggressive in positioning themselves as a cloud security vendor that’s multicloud-friendly,” Sharma said.

Ultimately, Venables said he believes the fact that Chronicle addresses so many of the woes associated with security operations will resonate widely. Instead of security teams spending “half of their day doing plumbing between tools,” this part of the process “is just a flick of the switch” with Chronicle Security Operations, he said.

And with Chronicle getting infused with Mandiant’s threat intelligence and expertise, Venables said, “I don’t think there’s anything like it.”
