I recently sat down and interviewed Sharat Ganesh, Google Security product marketing leader, and Jonas Kelley, head of Americas MSSP partnerships for Google Cloud, to get their thoughts on recent cybersecurity trends and priorities. Here’s a recap of our conversations.
Looking back at 2022, what did you see as some key challenges and trends?
Sharat:
Number one: Security as a data problem has never been more true. Security is no longer a controls issue; it’s a visibility issue. You can only control what you know exists in your threat landscape.
Companies are realizing they need complete data ingest — and retention — across all telemetry. They need to break down silos between IT and security to gain context to drive security use cases. This has become the norm not only with digital-native companies, but also those companies with traditional architectures who are evolving to more modern, cloud-first architectures.
Looking back, Log4j was a wake-up call to the importance of data retention. Companies wanted to find the first instance of the attack in their environment. But not many were able to do so in near-real time because they hadn’t retained data for long enough, whether due to cost challenges, an inability to manage data at scale, or difficulty transitioning between cold and hot storage.
At Google, we don’t have a concept of hot or cold data. We offer customers a year’s worth of data availability — and it’s been a game changer. Customers can go back in time to find the first point of an attack. They can understand what happened, where it happened, and have complete context to accelerate threat response and remediation for the next potential vulnerability. More and more, we are seeing customers retain data for longer not just for compliance purposes, but for active threat hunting.
So, that’s all the data problem.
Second, I’ve seen that attacks are having a greater impact, whether these are the ongoing nation-state attacks or the financially motivated threats like ransomware.
Third, I think companies are expecting much more from CISOs today. Theirs is a critical field that requires a high level of expertise, thoughtfulness, and intentionality. The bar has been set higher and that’s why partnerships are crucial. By partnering with companies like Netenrich, CISOs and SOCs can gain more expertise to drive predictable outcomes for customers.
Jonas:
I completely agree about the data problem.
If you ask the Google security team their philosophy on security, they’ll say: Trust nothing, detect everything. Google Chronicle is the detect everything piece — and when they say detect everything, they mean detect everything.
When an incident occurs, you want as much information as possible to find, contain, and remediate it as quickly as possible. We’ve all heard the stories about when a breach happens that an attacker has likely been in the environment for 60, 90, 120 days. If you’re only keeping security telemetry for a short period, you’ll never know how the attacker got in — and that makes remediation really difficult.
This data problem was, in fact, the genesis of Chronicle. If you think about the Google search engine, it’s solving a big data problem. From a world of information, it’s getting you to the good stuff fast. Chronicle does the same thing for security telemetry.
For the past decade, organizations have been trying to limit the amount of data they keep, thinking they’ll get to actionable insights more quickly. But now, the trend is to bring more data into the platform and put more context around security alerts to increase efficiency and effectiveness.
John Pirc:
When I look at the data problem today, it's about having the ability to scale, to move quickly, and to understand what you're chasing. Current threat incidents have analysts spending twenty to thirty minutes chasing each alert or potential threat while missing the critical issues that need immediate attention. So as technology has evolved from on premise to hybrid cloud and now multicloud, data analytics and automation become integral for accurate insights and context to drive faster response.
Looking forward, any predictions for 2023? What main concerns will continue to impact organizations?
Jonas:
Unfortunately, I see a lot of really simple attacks still coming through. For example, credential theft, phishing, and social-engineering attacks.
Attackers are smart. They’re not going to try to break through your fancy, million-dollar, next-generation firewall. They’re going to go after your weakest link, which in many cases is the user. I don’t see that changing. However, if you’re using your tool sets and staff effectively, when something does happen, you’ll be able to respond quickly to mitigate damage.
Sharat:
I see an increasing shift left with cybersecurity. In the near-term, traditional DevSecOps — where people were doing rapid development and release of continuous integration and continuous deployment (CI/CD) pipelines — will move towards continuous detection and continuous response.
Google is driving towards having a living, breathing module of all telemetry, and analyzing, indexing, normalizing, and detecting in an automated, near-real-time way. To help, we’re using machine learning models, behavioral analytics, and our recent release of curated detections, where we’ve codified all Google intelligence into actionable outcomes within the Chronicle console. More native, out-of-band capability is going to be super crucial.
With Chronicle security operations, we are fulfilling key pieces of this puzzle, but we can’t do it alone. Security is a team sport, and we are relying heavily on our ecosystem and technology partners like Netenrich to fulfill this vision.
We talked about breaking down silos for better data telemetry. Any other thoughts on bringing SecOps and ITOps closer together in 2023?
Sharat:
The boundaries are not just blurring, they’re going completely away. Traditional identity and asset management (IAM) is a key part of security that’s driving a lot of data analytics around use cases today.
For example, let’s say you, John, have a laptop with a Lightweight Directory Access Protocol (LDAP) app account. It’s got provisioned credentials and a set of permissions that determine what’s allowed and not allowed for you at Netenrich.
If there are any odd behaviors — for instance, you’re seen accessing financial information or reaching out to your CEO with a spear-phishing link — alarm bells should go off. But to detect these behaviors in real time, security teams need visibility into IT data as well as the ability to stitch together and correlate the context, which is crucial for these threat detection and response use cases.
With Chronicle SecOps, you’re able to consume all IT operations data, configuration management database (CMDB) data, IAM data, data loss prevention (DLP) data, all within the context of your security telemetry. Then, you build an entity context for John. This is John. This is his laptop. This is his risk score. This is what John is provisioned for and yet, I see him sending spear-phishing emails to his CEO. That’s where you need end-to-end data visibility so you can act on your security use cases.
John Pirc:
With Resolution Intelligence Cloud, the platform takes all Chronicle security telemetry and ops data from multiple sources, correlates, and searches for critical situations to gain deeper context and intelligence. We’re handling the heavy data engineering and analytics around security and digital operations that most teams are not equipped nor trained to do. Not only do our customers optimize their operations more effectively, they’re converging operations across their entire infrastructure and cloud applications.
What is on the 2023 horizon for Chronicle and Netenrich?
Jonas:
Chronicle SecOps is advancing SIEM and SOAR beyond traditional point solutions. As we see it, a SIEM without an automated response system isn’t the best; and neither is a SOAR without a data feed. So, we’re integrating Chronicle SOAR and Chronicle SIEM even more tightly under the common name of Chronicle to deliver the best outcomes.
I also see bigger and better things for Google and Netenrich in the coming year. We’ll be integrating more security telemetry, more pieces of the Google ecosystem into the Security Command Center. And as we weave in technology from recent acquisitions, for example, Mandiant, we’ll also have opportunities to grow threat intelligence, incident response, and prevention capabilities.
Watch our companion videos and join us for more security discussions in 2023.
Rakesh Krishnan: Wed, Apr 03, 2024 @ 09:32 AM
This is a preliminary report based only on the data leak site (DLS), listed victims, and other observed patterns. A detailed investigation will...
Netenrich: Tue, Feb 06, 2024 @ 12:25 AM
As the first, exclusive pure-play Google Chronicle SecOps partner, Netenrich is 100% committed to the Chronicle SecOps and Mandiant technology stacks...
Rakesh Krishnan: Mon, Feb 05, 2024 @ 05:00 AM
This article focuses on my research to uncoverthe identity of Hunters International ransomware group’s (Surface Web) Dedicated Leak Site (DLS). It...
%201.png?width=400&height=176&name=MicrosoftTeams-image%20(1)%201.png)
John Pirc