Google Chronicle solves the three main security data challenges that enterprises face today. Those of scalability, visibility and cost. With a multitude of security solutions being deployed within an enterprise, the rich security telemetry data from these devices are ingested by a SIEM which should then provide a single source of truth for the enterprise.
Most SIEMs have a pricing model based on the amount of data ingested. Although this model initially worked decades ago, the amount of event data that can be generated from services such as IaaS, PaaS, and SaaS through to the rich telemetry from EDR makes this consumption model prohibitively expensive.
Existing solutions designed for terabytes don’t have the ability to scale to today’s petabyte world. With this legacy consumption model, most customers have to limit the number of data sources and make do with short retention timeframes. This results in limited incident investigations as you only have limited history and visibility.
Handle your security telemetry in seconds
Chronicle overcomes this by allowing customers to store a year’s worth of data that is immediately searchable. When an incident occurs, you are no longer limited to searching back through a week's or month’s worth of data.
You now have a year’s worth of rich security data to search through, allowing you to ingest unlimited amounts of high-volume telemetry data from sources such as web proxies, EDR and firewall logs, without the need to worry about which logs to filter or drop.
It is often the case when responding to an incident it is the data you don’t have that you actually need, with Chronicle you will have this rich data immediately available.
Speed, smarts, and scale.
Chronicle uses Google core infrastructure to perform searches, meaning that even though a year’s worth of data has been stored, Chronicle is able to quickly search through petabytes of data in milliseconds.
As part of the searching process, Chronicle reduces the amount of pivoting that analysts have to do as part of an investigation by stitching events together into a timeline, meaning that analysts can quickly review the information and make an informed decision.
Google Chronicle utilises the threat intelligence feeds of third parties as well as Google. Every day 25 – 40% of all internet traffic transits Google's backbone. This enables Google to gain incredible insights into the malware landscape. This information and intelligence is fed back into the platform and made available through threat detection rules using YARA-L.
As well as advanced security analytics searching, Chronicle also continuously applies this threat intel to both real-time telemetry and historical telemetry. Meaning that your data can be retrospectively searched automatically for newly published IOCs and incidents investigated quickly as most released IOCs are often a result of historical campaigns.
Providing this unlimited scale and visibility doesn’t come at an unobtainable cost. In fact, Google Chronicle is licensed per head which means your cost is fixed no matter how much data is stored. And because it’s SaaS, there are no management costs associated with the infrastructure either.