A highlight from EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations


Hi there, welcome to the Cloud Security Podcast by Google. Thanks for joining us today. Your hosts here, actually recorded in person today, are myself, Tim Peacock, the Senior Product Manager for Threat Detection here at Google Cloud, and sitting next to me, unusually, Anton Chuvakin, a reformed analyst and senior staff in Google Cloud's Office of the CISO. You can find and subscribe to this podcast wherever you get your podcasts, as well as at our website, cloud.google.com/podcast. If you enjoy our content and want it delivered to you piping hot every Monday, please do hit the subscribe button in your podcasting app of choice. You can follow the show and argue with us and the rest of the Cloud Security Podcast listeners on LinkedIn. Anton, this is a fun episode because we have a former manager of mine, the head of Chronicle, a great guy from New Jersey, and worst of all, a Mets fan, join us for a really interesting conversation about SIEM and Chronicle and EDR somehow. What did you think? I thought this was great. It felt like we did briefly hover over a precipice of discussing XDR. We did. In fact, we started there. We leapt off into space to start the episode. Yes. So I think I felt like we had this moment when the whole conversation could have fallen into the chasm of, oh, no, XDR, no, no, no, not again. But ended up, we ended up in a very useful place. Moreover, I would say that Chris, oh, I did say the guest name, but again, that's fine. Yes. That's good. I extracted some of the useful lessons that led him to the XDR discussion. So it's kind of interesting that XDR was mentioned in a very positive context. Yes. I think the other maybe most interesting tidbit in this episode listeners to listen for is the conversation around process versus tooling and where Chris sees the role of vendors in that equation. And so maybe with that teaser on what I thought was a shockingly interesting insight from Chris, let's turn things over to today's guest. 
Today we're joined by Chris Corde, senior director here at Google Cloud. Chris, it's been a wild time for you and me working at Google together. I'm delighted to finally have you on the show after countless jibes about the show. It's fantastic. It's hard first to believe that you're here, but harder still to believe we haven't done a proper Chronicle episode yet. So here we are to do a Chronicle episode. I want to start off with an easy question. Chronicle's not XDR, right? So what is it? Right. Yeah. The great XDR debate. I mean, we started this when I first started and Anton has definitely been a good foe in the debate. You did say good, right? You did say good, right? But listen, he said foe, not foiled. There's degrees here. Exactly. Anton has never been on the same side that I've been on. Yeah. I mean, look, I've always stated that XDR to me is a use case. I don't believe that XDR is some magical category where it's going to redefine the way we're doing security operations or anything to that degree. But I do think it's reflective of people's desire to want to have their SIEM platforms do more than just log collection. Sure. Right? So in my point of view, the industry evolved to be just a log collection platform. Everything else was do it yourself. You had to build all of these dashboards and your own rules on top of it. And I think the gravity that people have at least started with XDR, and it seems to have tapered off now, kind of began with this notion of, can you just give me more value in this thing I'm spending so much money on? It should provide me with more actual security value, outcome-oriented value. Is that what Chronicle is then? That's what Chronicle does. Our primary strategy is about delivering quality outcomes through detection and response, built into a scalable data platform. And I think to me XDR is a use case that Chronicle can deliver, but ultimately we're fighting against the SIEM vendors on a regular basis. 
So it's a SIEM that delivers security outcomes that produce value because it's smarter than the other SIEMs. Absolutely. Okay. Easy. So that was an easy question, right? Yeah. And so I guess the second one is kind of in the same ballpark, rightly. Roughly Tim occasionally makes fun of me for only using faint praise, like, yeah, I guess it's pretty good. That's actually an okay idea. That's one of his favorite things to say. That's actually an okay idea. Yes. I've said this several times on air. But ultimately I loved Chronicle so much that I left the safety of Gartner and joined it in 2019, right? So in that sense, and I think I've posted a very like excited awesome plus blog about like, oh my God, my dream has come true. I'm at Chronicle. So, so this was 2019, this is 2023. So since you joined the team, what is your, oh my God, it's such a happy place. It's the proudest thing I've done. Like what are you the most proud of shipping? Yeah. I mean like putting aside the love fest, you're okay with it. I was going to say, aside from shipping me out of his org chart, what are you most proud of shipping me? Right. Right. But putting aside like the acquisition stuff, which we'll touch on, you know, maybe later in this conversation, I think from a pure Chronicle feature perspective, you know, I joined the team in 2021, like mid 2021. And, you know, I had this firm vision, like I talked about just now of like SIEMs needed to do more than just simple log collection and aggregation and dashboarding. And so we shipped a curated detection feature in early 2022, I think Q2 2022, which basically provided out of the box detections, out of the box analytics and things that were curated and managed by our own Google Cloud threat intel team. And like, I, to me, that was a seminal moment for the product. 
Like it moved it from really being this like data platform that was just doing log collection and doing it well because we were very scalable, but really kind of started to deliver on this vision of having an outcome oriented tool. And we've been able to build on it ever since like, and so I was super proud that we were able to get that out the door when we did. I think that was a great launch and I really liked the degree to which it made you more opinionated about the data you were ingesting. But to add to this, funny enough, and this was like a case where I think we've pretty virtually argued a little bit because when we started doing curated detections, at least on the market inside, the perception was, wait a second, everything had canned detections and every SIEM going back to 1998 would say, here, customer, here's a rule, bye. They're not really curated. They're kind of canned rules and customers developed a bit of a disdainful attitude about canned rules. Do they work? Do they not work? But curated detections in our case, we stand behind them. We give them to a customer and we almost, I think of them in my mind and that's when I flipped the switch towards loving them is that they're sort of guaranteed. They're sort of like, we say, do these work? If they don't work slightly, here's how to make them work. So unlike other teams having canned detections that are kind of more like samples or like, here, you tried, but the results outcomes are in your hands. In our case, we shipped something that we stand behind. Curated means they're going to work. You hit the nail on the head. That's the magic. That is legit magic. Most other SIEMs, they're delivering a set of saved searches basically that they're giving you as templates and then you have to operate over those templates and they're not actually managing the effectiveness of those detections over the course of their lifecycle. 
That's the big difference for us is the fact that these things are managed from an effectiveness perspective. Again, the analogy I always like to use is how the EDR market evolved and how it went from being this forensic platform where you had to do a bunch of stuff yourself and then you had to maybe grab a bunch of saved queries from the vendor to being in this place that had a lot of out-of-the-box value, like detection value, and they actually kept tuning that over time with additional cloud oversight and managed defense oversight and IR engagements and that just made those detections that much better. That's the kind of experience that we have in Chronicle, which is, I agree with you, very game-changing over traditional SIEMs. What I love about that story there is, listeners, I was a political science major and the story of how I became a PM we'll talk about on the AMA episode, but what I love about that is it presents an asymmetry where Chronicle gets better at detecting bad guys across its whole pool of users and then every user benefits from that. It's unlike a traditional SIEM because you keep learning and getting better. I want to shift gears and speaking about catching bad guys, you were part of Google's second largest acquisition in history. How does it feel, first of all, to be number two to an acquisition that I would bet, one pure bonus most listeners couldn't name, and then now that we're a year into it, what's been a happy surprise about all of it and what are you looking forward to still with it? What is the biggest one? There's Motorola. Oh, yeah. It was when we purchased Motorola. Got it. That was actually more than twice the size of what you purchased. I think Mandiant is the happiest story, though. It's already very clear. It's very clear at this point. I don't think there's anything wrong with the Motorola acquisition. I just think it might have been forgotten in the sands of time. Well, that's a good tidbit. 
I didn't even think of that one. Because you're 5X bigger than YouTube by purchase size. Exactly. Yeah, and 5X more important, clearly. I think, to me, it shows a lot of commitment in the space. As a security practitioner joining Google, when I did, there was obviously a lot of momentum and a lot of desire to get more serious about security, but it was still a very nascent business in 2021 when I joined and, in some ways, still a very nascent business now in terms of its profile in the industry. But the desire for our organization to get serious about it was real. I felt it at the time that I joined, and I think the opportunity when Mandiant came along as an acquisition opportunity, the fact that we were able to jump on it and we had so much support going up through the leadership chain was pretty shocking to me. So I think it was a great signal that we're serious about security and that we'll continue to be serious about security and that we're willing to invest in it pretty aggressively. We also got some decent products with it as well. Apart from, obviously, the world-class IR services, we got some decent products. My personal opinion is the reputational bump that we got immediately out of the gate has been game-changing. There's been so many different opportunities that we're in now with Chronicle, maybe not even with Mandiant standalone products, but with Chronicle. But we're in those opportunities specifically because of the Mandiant acquisition. Because number one, people say, oh, Google's serious about this. Number two, they have a higher degree of trust that all those detection capabilities that we just talked about are going to be way higher fidelity because now you're pulling in all of that advanced intel and IR engagements that Mandiant is doing, and you're feeding those into the product to create value. And then they just have great relationships with CISOs. 
And so I think when you combine all of those things, it's created a huge amount of momentum for us in the business. And I think the products themselves, while we're in the process of integrating a lot of those in different parts of the portfolio, they do give us a lot of interesting functionality that we wouldn't have had otherwise. In fact, even merging ASM into the SOC, into the detection and response function, to me is kind of interesting because it makes the SOC look kind of to the left from the incident. To me, this is kind of, I mean, from all the Mandiant products, I felt like ASM, bringing ASM into the SOC vision is kind of a strong argument that we are unique. I mean, we're not like pretty unique. We aren't that unique by doing it. I agree. I agree. I think like, you know, we're referring to that as the addition of context, right? And so the more context you can bring into a log event, the better off you are. And making decisions and being proactive in terms of how you determine risk and not only ASM, but also security validation with Mandiant helps bring in and introduce that context, which I agree is a very unique point of view. So to sort of briefly go on a short tangent here, of course you are a senior product leader, but some people would say that security operations success at a company connects to how mature their processes are and of course what products they use. So what's your take on kind of the balance of tools versus practices at the company if I'm building a D&R team or SOC. Or refactoring. Or refactoring one. That's right. Right. Right. That's a good point. How should I think about buying the absolute best products, but keeping the mature practices or boosting the practices, but maybe keeping the products? Like what's the best route here? Don't say both. Both is the right answer though. Well, don't tell him what the right answer is. Chris, what's your answer? You're right. 
I might be a little biased, but I think that the emphasis on people needing to solve problems themselves through practices is a manifestation of our inability to deliver the right level of value in SIEM in particular or security operations. Hang on. Say that again. Say what you just said. The overemphasis that we're placing on like, hey, improve your overall security processes, include your manual kind of playbooks for how you handle certain types of events or incidents. All those types of things that we overemphasize is only there because SIEM products have not delivered on the type of value that they should be creating. So they are covering holes in broken products by trying to polish practice. This is actually - It's a good answer. Kind of profound. It's better than your answer. It's not profound. It's actually kind of profound. See, that's the Slavic phrase right there. That's what we were talking about. But that's a great answer and way better than I thought. I like that a lot. And so my point of view is like, look, our promise as vendors needs to be to make the products better so that people are better at doing their job. And again, I think, not to keep using this analogy, but endpoint did that super well. I don't think anyone would have said like, hey, once you had just data collection in endpoint, job done because everything else is process oriented. But instead, the ball had to keep moving forward in terms of making sure that we're stopping bad guys consistently, making sure that we're doing that with higher degrees of fidelity and expertise and capability and accuracy and all those types of things kept moving that market forward. And to me, we're in the early stages of SIEM doing the same thing. So SIEM is going to go through the same transformation and reputation that we had of AV, dirty disgusting product, to EDR, cool useful product. We'll have that for SIEM. 
I think even beyond just AV to EDR, but AV to EDR to like what I would refer to as the endpoint protection suite or platform. Like that iteration is the way SIEM is moving, right? So I think it's going from this kind of like checkbox compliance thing to, okay, collecting a bunch of forensic data. And then now I think hopefully to this outcome oriented security focused platform. So to me the logic is that you would want, it's not like you want to make SIEM look like AV, but you want to focus on kind of like outcomes that you get right after you deploy the product. Not deploy the product and then start your journey that takes you through 14 months of hard work to a value, but you want something that you deploy the product and you see the outcomes soon without doing any hard labor. That's the short version of that. You should be able to get value immediately. Like as soon as I start ingesting event data, especially event data from high fidelity sources, immediately I should start getting some understanding. Is there anything indicative of an active breach? Is there any behavior that's going on that I should be aware of or alerted of that might be, you know, attacker driven behavior? Like these kind of things should be out of the box value. And it shouldn't require hiring a team of ex-NSA guys to make it work. Absolutely. It should be easy process, not crazy process. Because if it does require a team of people from the NSA, then like zero chance that most organizations are going to be able to do it. Right. The Fortune five will win and everybody else will suffer. That's not a good outcome for anyone. But for a lot of SIEM products, they're still stuck in the old mentality where they give you the tool and they give you some sample content and ultimately people and then give you some good luck, you know, charms to succeed. And even large, highly visible SIEM competitors are doing that. 
So in essence, we are doing something different, but many of the customers seem to be stuck in the, oh, SIEM, yeah, I got to write my own rules because canned rules are probably bad. There's a lot of work. I can't handle it. How are we changing the minds? Like if somebody is trained on certain logs or changing that wants to be a SIEM or some other products, how are we changing their minds? How are we making them actually, if you get Chronicle, you're going to get results and you wouldn't have to suffer for 12 months or for 14 months to get the results. So what is the secret to changing their minds, if it makes sense? It's probably a little too philosophical, but I think it's a good question. I wanted to ask you slightly differently, which is how do you convince people they don't need to port over and invest in porting over 18 years worth of rules written in another language? To be honest, like this is the hardest part. Like if you're going to look at tactically when we are in the middle of trying to switch out incumbent vendors, the hardest part is convincing them that maybe a one for one, like for like type comparison is not necessarily what they should be doing. And then after even we've convinced them to switch, trying not to just simply port over all the old stuff. You know, I used to work in a virtual firewall business and like there was a joke where like no one ever wanted to touch a firewall rule that was in there because it's like a game of Jenga and no one ever wanted to pull anything out because you're concerned that whole thing is going to topple over. That's kind of the way people feel about their SIEM rules. They may have a thousand of them, 2000 of them. They have no idea if they're valuable, but they refuse to want to touch them because if they try to cut them down at all, they're concerned they'll miss something. And so it is extremely hard to get them to just say, let's use this opportunity to slim down the rule set. 
The whole vendor is trying to do analytics of that, funny enough. Like there's a whole little segment of a market when people deploy tech to kind of like go through SIEM rules and see if they're good, which is amazing, right? People will pay money for it to actually have the tool do that. Sounds like somebody's buying a dowsing rod to me. That doesn't sound easy. No, it's based on real quote unquote machine learning. Okay. Okay. So back to dowsing rods. This is one area where I actually think Mandiant helps a lot, right? So Mandiant has a product called security validation that can be run like in a managed version or can be run in a product driven version. But that product does help people go through breach and attack simulations with real world examples of like, look, these are 10 or 12 different attack vectors. These are different types of threat actors. These are campaigns and you can run those simulations against your environment. You can see, are my tools catching them, are my SIEM tools like alerting on me or detecting these kind of events. And so we're, the plan right now is for us to use a lot of that breach and attack simulation to showcase, okay, if you care about these parts of the MITRE ATT&CK matrix, then we'll be able to validate that the rules that we have in place with Chronicle are able to catch them. That's really cool. So that product effectively turns somebody's organization in its current state into a bit of a cyber test range for their own stuff. That's a fancy way of saying it, but like that was the old Verodin stack that Mandiant acquired. So I remember it from the Gartner days and it's kind of impressive in terms of what they would simulate and how deep they would integrate to the detection stack. So it's genuinely cool and it genuinely delivers that type of insight about are your detections any good or are you only pretending you're collecting and then pretending you're detecting. And then we want to keep using that over time. 
This goes into the context thing, like not only you want to do that at a point in time, but if we can continuously validate and then let's say we see that, okay, this portion of your environment is susceptible to ransomware or some other attack vector, we can adjust the alerting risk score associated with those events or we can highlight certain areas because the events should matter more because we know that you're susceptible to an attack. So that's kind of the context part, which Peter pointed out before, I think are things that only we're doing really versus any other event. That's really interesting. I want to switch gears one more time before we get to our traditional closing questions. We have a lot of people listening to the show who are interested in careers in security, interested in careers in security PM. You've been doing PM for security products for a long time, not to call you old. You've been called worse things by fancier people than me lately. What advice do you have for people who are thinking about security PM as a path? Well, yeah, I mean, I think security is one of those tough areas to break in from a product perspective, mostly because the domain knowledge is not super relevant to a lot of folks, meaning that it's, you know, you can put yourself in the shoes of a, of a user of a product that's very open and visible in many cases. I can imagine using the Uber app, like if you want to be, you know, a PM in Maps or a PM in Gmail, it's like in that context, you're at least a user on a regular basis and it's much easier for you to put your mind into it. I think security is harder, right? Because it's even a step removed from traditional IT. And most people don't have that necessarily that depth of knowledge to be able to be a domain expert. Personally, I think a lot of people can get a ton of value at being tier one analysts right out of the gate. Right. 
And so there are so many organizations that I know that are looking for younger talent, people coming into organizations to act as tier one analysts, and the amount of information that you can gather about the domain and about the problem is huge. You know, for people that are still in school, like there's a number of schools that are now focused on cybersecurity programs in school, like Carnegie Mellon has been kind of the forefront of having a cyber shop or a cyber program in school. Then absent of that, like sometimes people can just basically switch domains and just spend the time and focus and energy on learning some of the individuality of security, but just bring really good PM discipline to the, to the equation. Like I think one thing that security in general hasn't done well is we haven't been really good at actually building products with simplicity, right? And so like, understatement of the episode, other disciplines are good at that. And so if you can bring that kind of discipline into security, even as a relative novice in the domain, you might actually be better off. We might bring some beginners versus someone who's done it for years. Usually at the very end of the episode, we ask two questions. Give the audience one tip, in this case on improving security operations, would assume, and give us some recommended reading. And of course it's fine to say Chronicle website or whatever else. And it's not okay to say Anton's blog. And please don't say, but don't say anything about the New York Mets because that's too depressing right now. Yeah. That's way too depressing. Yeah. I recommended reading. I mean like, you know, I think there's a number of SIEM books out there, right? Like if you really wanted to go deeper into how SIEMs operate, like I think there's one called the infosec playbook, right? Which kind of walks you through how you operate and manage a SIEM or a SOC, sorry. And kind of build a security operations playbook. Yeah. 
There's a number of really good books about malware in general. Like I think I forget the rootkit book, but it's like the rootkit Bible or something like that that I read early on in my career, which is another good one. Listeners just so you know, nothing from Chris's early career is still technologically relevant. Exactly. Yeah. So that might be that. That might be that. Yeah. I think like any type of those kind of practitioner level books that you can read about, like how people operate in the SOC, would be great starting points. And then one tip to improve security operations outcomes, maybe. In general, like as a user? Yeah. As somebody operationally responsible. Or as a director. Or as a CISO. Whatever. Yeah. I mean, whatever you're feeling. I think in most cases, people don't put enough emphasis on trying to build proactive controls in the right spots. And so like, this is an area where laziness has somewhat taken over to a certain degree. And we know that there's good best practices out there around zero trust, around, you know, locking down policies and procedures more so than what we have done. And we've just been too lazy to deliver that. And so we default into a, you know, operational detection and response mode versus trying to be more proactive in terms of how we control things. And so I would say that lean in a little bit more into having the right protective controls in place from the ground up. Well, Chris, I think that's a surprisingly left-leaning answer for somebody who builds a SIEM product. I really like that it was not a self-serving answer. So Chris, thank you so much for joining us today. It's my pleasure. Thank you both. And now we are at time. Thank you very much for listening, and of course for subscribing. You can find this podcast at Google Podcasts, Apple Podcasts, Spotify, or wherever else you get your podcasts. Also, you can find us at our website cloud.withgoogle.com/cloudsecurity/podcast. 
Please subscribe so that you don't miss episodes. You can follow us on Twitter, twitter.com/CloudSecPodcast. Your hosts are also on Twitter at anton_chuvakin and _TimPeacock. Tweet at us, email us, argue with us. And if you like or hate what you hear, we can invite you to the next episode. See you on the next Cloud Security Podcast episode. Bye.
