Google Reveals Combined SIEM and SOAR Update for Chronicle Security Operations Platform

Users of the SecOps platform can preview Duet AI’s natural language questions and summarization capabilities.

Google Cloud announced today that an updated version of its Chronicle Security Operations platform is available in preview. The update unifies security information and event management and security orchestration, automation and response, plus adds an Applied Threat Intelligence tool. The preview includes the chatbot Duet AI. At the same time, a new attack surface management service for Chronicle Security Operations from Mandiant was added.

Chronicle Security Operations is a subscription service, with pricing available on request.

Jump to:

What’s new in the Chronicle Security Operations update?

Google has combined SIEM and SOAR in Chronicle Security Operations to help security operations teams parse the massive amounts of data they receive. Software companies have been trying since the advent of modern big data collection to go beyond collection into effectively utilizing data. Security teams need to be able to see unified data connected in intuitive and practical ways and to know what data or alert to act on first.

See also  Easy methods to add units to watch with ManageEngine OpManager

In the version of Chronicle now in preview, the application automatically groups alerts into cases; each case includes related alerts and enrichment. Ideally, this will help security teams make faster decisions, Google said.

SEE: What is DevSecOps? (TechRepublic)

“We have advanced capabilities around threat intelligence that are highly integrated into the Chronicle platform,” said Bashar Abouseido, chief information security officer at Charles Schwab, in the Google post about the news. “We like the orchestration capabilities that enable us to enrich the data and provide additional context to it, so our SOC and analysts are able to prioritize that work and respond with the attention that is needed.”

Applied Threat Intelligence tool collects information about threats

Applied Threat Intelligence is a new capability in Chronicle Security Operations, and it is now available in preview alongside the SIEM/SOAR unification update. It pulls threat intelligence from Google Cloud, Mandiant and VirusTotal, then applies that threat intelligence to the events listed in Chronicle Security Operations to enrich and contextualize each event. Artificial intelligence and machine learning decide how threats should be prioritized based on the specific needs of each security team.

See also  Tech information you'll have missed: July 28 - Aug. 4

If an event matches a known threat indicator, Applied Threat Intelligence will add the threat actor, threat campaign or malware family context. Then, security researchers can use custom searches or detections to find out more about the information Applied Threat Intelligence provides. Essentially, Google wants to use its search engine prowess to make active security events equally searchable.

Duet AI chats with Chronicle Security Operations

Built on the Vertex AI platform, the Duet AI chatbot assistant allows security researchers to ask questions in natural language and can summarize cases and guidance. (Figure A.) With Duet AI, SecOps workers will be able to search Chronicle Security Operations for threats, responses and the status of cases. The Duet AI integration is now in preview.

Figure A 

The Google Chronicle Security Operations dashboard with natural language suggestions from Duet AI.
The Google Chronicle Security Operations dashboard with natural language suggestions from Duet AI. Image: Google

“Duet AI in Chronicle instantly turns natural language queries into complex searches, which helps people new to security ramp up faster and makes experts even more productive,” Eric Doerr, vice president of engineering, cloud security at Google Cloud, told TechRepublic in an email.

See also  The fundamental ideas of information governance in e-commerce

Google’s Mandiant offerings expand with Attack Surface Management

Starting now, Google has added Mandiant Attack Surface Management to Chronicle Security Operations. Mandiant Attack Surface Management identifies and validates exploitable entry points. Like the other Chronicle Security Operations updates, it is designed to help the SecOps team decide which risks are most impactful and therefore should be mitigated first. Google acquired Mandiant in September 2022.

Competitors to Google Cloud Chronicle Security Operations

Alternatives to Chronicle Security Operations include Microsoft Sentinel, Splunk Enterprise (for data analysis and searching), IBM Security QRadar, Datadog (for SIEM), Devo Technology and Oracle Security Monitoring and Analytics from Oracle Cloud.