RSA CONFERENCE 2019 – San Francisco – Chronicle, the division that spun out of Alphabet's X, rocked the cybersecurity industry today with a new security data platform that ultimately could whittle down the number of security tools organizations run today to monitor and manage incidents.
The new Backstory cloud-based service works with Chronicle's VirusTotal malware intelligence platform and lets organizations view previous security data over time and more quickly spot and pinpoint details on malicious activity. "It gives security teams insight into what's happening in the enterprise right now, with the same level of visibility into what happened yesterday, a month ago, even a year ago," for example, Stephen Gillett, Chronicle's CEO and co-founder said today in a media event for the rollout.
What makes Backstory unique among other security offerings, not surprisingly, is its Google-esque approach to drilling down into activity on the network and devices and its ability to store, index, and search mass amounts of data. Most enterprises are constrained by the amount of data they can store and manage over a long period of time.
Backstory, however, could prompt some housecleaning for security teams and security operations centers that for years have been amassing multiple, and sometimes redundant, security tools and threat intelligence feeds. The platform is Chronicle's first commercially developed product.
Rick Caccia, chief marketing officer at Chronicle, told Dark Reading that among the tools that Backstory ultimately could replace or streamline are network monitoring, network traffic analysis, log monitoring, security information event management (SIEM) tools, and even threat intelligence feeds. Tool overload has become a chronic problem for organizations: The average company runs dozens of security tools and often doesn't have the people power to properly employ or even stay on top of the tools and the data they generate.
Several companies already are using Backstory, including manufacturing firm Paccar, Quanta Services, and Oscar Health, and several security vendors today announced partnerships to integrate with Backstory — Carbon Black, Avast, CriticalSTART, and others.
Chuck Markarian, CISO at Paccar, which builds trucks, said his company expects Backstory to replace anywhere from three to six of its existing security tools in the next year.
"In general, managing our costs is huge, [and] managing our spend in security, and figuring out how we can use less feeds," he said during a customer panel during the media event. Managing multiple security tools is challenging, he said, so whittling down the number of tools is key.
"I can't find the people to manage it, and I keep going back to our board and saying 'I need another tool, I need another tool,'" Markarian said. "I want to get that number [of tools] dramatically down."
Backstory initially provides a tool for threat hunting and security investigations, said Jon Oltsik, senior principal analyst for Enterprise Security Group. "In its current iteration, I think Chronicle [Backstory] assumes a role for threat hunting and security investigations. Its pricing, data capacity, and query speed are built for this," he said.
Oltsik also predicted that Backstory will streamline and also eliminate the need for some point security tools.
"In the future, I could see Chronicle becoming an aggregation hub for other security analytics tools [such as endpoint detection and response, network traffic analysis, and threat intelligence, for example] and then subsuming some of these standalone technologies over time," depending on Chronicle's road map for the platform, he told Dark Reading.
Many large companies already have multiple security products for the same function, Chronicle's Caccia said. "They have three network monitoring tools and multiple SIEMs," for example, he said. Chronicle is pricing Backstory by customer, he said, hoping to target the pricing below its potential competitors. Some companies already spend a half-million dollars per year on tools, including subscribing to cloud-based capacity for storage and computing power for cloud services like that of Amazon, he said.
"Operation Aurora" Roots
Backstory grew out of the Google's firsthand experience in 2009 when the company was hacked by Chinese nation-state actors, during the so-called Operation Aurora. Former Google security engineers who used big data analytics to build internal security tools for the search engine giant in the wake of the attacks. That work influenced Chronicle's development of Backstory, led by former Google engineers and Chronicle co-founders Gillett and Mike Wiaceck, CSO at Chronicle.
During a demonstration of Backstory at the media event today, Wiaceck said the more data you add to Backstory, the more detailed a picture and story it provides of a threat or attack. "Attackers can't hide" in Backstory, he said.
Meanwhile, ICS/SCADA vendor Siemens, plans to offer Backstory as part of its managed security service for ICS customers, according to Leo Simonovich, global head of industrial cyber and digital security at Siemens, which partnered with Chronicle on Backstory.
"For us, it's providing our customers the understanding of what's happening in their environment," Simonovich said in an interview. "We're hoping one day [Backstory] will become the backbone of [our] managed security service."
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.