This week at RSA, the cybersecurity industry’s biggest annual conference, Alphabet and its subsidiary Google made a splash with a series of announcements, the biggest one being a new service called Backstory.
Backstory is a product by Alphabet’s new cybersecurity arm, Chronicle. A cloud-based system similar to a SIEM (security information and event management), it collects all of a company’s security-related log data and protects it with the same security systems that protect the rest of its operations.
Unlike other platforms, which charge based on how much information companies are collecting, Backstory is licensed based on how many employees a company has, a Chronicle spokesperson told us. According to the company, the platform will also be much faster than alternatives. For example, a search of 50 petabytes of logs by “current industry solutions” might take 12 hours, while Backstory would only take a second.
“We don’t believe there is anything similar to Backstory available today in terms of the scale of our data management and computation capabilities,” Chronicle said in its press kit.
The company spelled out the competitive market it’s intending to take on, which includes the entire on-premises data security market, such as SIEMs, Hadoop, and Elasticsearch, as well as security for all the related infrastructure, including servers, networking, and storage. “We really compete with doing security intelligence on your own to try to stop cyberattacks,” Alphabet said.
That gives Alphabet a potential edge against other cloud competitors, such as Amazon, that mostly provide cybersecurity for their own cloud infrastructure. The company currently has much smaller cloud market share than Amazon and Microsoft. But companies don’t just use one cloud vendor. The largest ones use multiple cloud vendors and colocation facilities in addition to managing their own on-premises data centers.
Backstory will be able to ingest data from Google Cloud, from on-premises systems, and also from other cloud providers, including Amazon Web Services and Microsoft Azure, the Chronicle spokesperson said.
“The multi-cloud infrastructure is quickly becoming the new normal for large organizations,” said Philip Casesa, director of IT and service operations at the International Information Systems Security Certification Consortium, also known as ISC(2). “Google counts on this trend to fuel their growth and make up ground on the competition.”
With Backstory, Alphabet is leveraging its decades of experience, its vast infrastructure, and its core capability of collecting and analyzing data, he said. The service will also pull in data from third-party intelligence sources and cybersecurity vendor partners. “It will be a disrupting force for organizations drowning in security telemetry data,” he said.
Mike Jordan, senior director at Santa Fe Group, a security consulting firm, said Alphabet’s new product was a game-changer. Security products it’s been offering to date are standard cloud security tools that all the big cloud vendors have, but Backstory is different and addresses a real need in the industry, according to him.
Even storing security data from various logs was a real challenge at cybersecurity group he used to run for a large company, he said. “Then you had to find or outsource a staff with a broad skillset to configure the storage, integrate with the various systems that gathered security data, find the right security threat information from diverse sources, constantly write rules to alert analysts if a known issue appears, and ignore all the other noise.”
In addition to virtually unlimited storage and nearly instantaneous speed, Backstory allows customers to pull security data from various sources, such as their antivirus solutions. Most companies will choose a couple of solutions, said Jordan, but Chronicle’s VirusTotal is basically all the antivirus solutions in one. Then there’s Chronicle’s Uppercase service, which collects threat signals.
“This wouldn’t be too different than what you get from other providers if it weren’t that this is the company that catalogs everything and lives everywhere on the internet,” Jordan said. “Why write a ton of your own rules if you can just use what the company that sees the world’s most web traffic uses? This is a massive advantage over the patchwork of other security services that you’d need to buy and security personnel you’d need to staff to do something similar.”
Microsoft last week announced its own SIEM product, Azure Sentinel, but it doesn’t have VirusTotal or the scale of Google’s internet presence, he said. And Amazon has GuardDuty, a cloud-based SIEM, but it’s focused on Amazon’s own cloud services.
The downside of everyone switching to Google for cybersecurity would be that that everyone would be defending everything the same exact way. “That makes it easier to find a crack in the armor that affects too many people at once,” Jordan warned. “But even in that situation, Chronicle intends to have interfaces to as many security companies’ services as they can negotiate.”
Will Alphabet drive other security vendors out of business? Maybe not.
“Google, like the other cloud providers, isn’t really competing against the security vendors,” said John Pescatore, director of emerging trends at SANS Institute. “In fact, they are partnering with them so that they can sell more cloud services.”
Other Google Security News Out This Week
Alphabet followed Monday’s Backstory launch with several Google Cloud security announcements at RSA Wednesday morning.
The first one was the beta release of its Web Risk API. Google scans billions of websites for malicious content, including phishing sites, and keeps a list of the unsafe URLs. This has been used in Google’s own services and now enterprises can access the same list with an API call.
“The Web Risk API is powered by the same technology that underpins Google Safe Browsing,” Cy Khoramee, product manager for Google Safe Browsing, told us. But instead of just filtering inbound traffic, or the links that employees click on, this technology can also be used in other contexts, he said, such as checking links posted by users on company websites or applications. “Examples of this include a social media comment field or a website where Internet users leave restaurant or tech reviews,” he said.
Second, Google Cloud Armor, a DDoS protection service, is now officially out of beta. The general release also includes a new dashboard for security admins. The same global infrastructure leveraged to guard things like Gmail, YouTube, and Google’s search engine itself against DDoS is now available to enterprises for the same purpose.
The most successful DDoS protection services, such as Akamai, Neustar, and CloudFlare, are all cloud-based, said Pescatore. “That allows them to scale the horsepower up when the volume of DDoS attacks increase,” he said. Given the scale of its global platform, it’s natural for Google to have a cloud-based DDoS protection service as well.
Both Amazon Web Services and Microsoft Azure also offer cloud-based DDoS mitigation.
Typically, by getting DDoS protection from the same place they get their other cloud services, enterprises can benefit from lower pricing, less forwarding of traffic, and easier integration, according to Pescatore.
Finally, the availability of Google’s hardware security module (HSM), used to protect cryptographic keys, is being expanded. In addition to the several US locations where it’s been available to date, it will now also be available to Google’s cloud users in Europe.
Many government agencies and financial institutions require their cloud service providers to offer HSMs, said Pescatore, and Azure and AWS both offer them.
With more and more security tools becoming available natively on the cloud platforms enterprises use, the standard advice of defense in depth is still valid. That means using different security vendors and technologies to protect infrastructure, applications, endpoints, and networks, he said. “The better the layered approach, the more effective the security program.”