Chronicle, Alphabet’s cybersecurity defense company moonshot (engadget.com)
56 points by lawrenceyan on Dec 17, 2018 | hide | past | favorite | 16 comments



Worked in the space of using ML for security analysis. My experience of it was that it was a race for novel applications for now-standard toolkits.

The kinds of problems I encountered require that you have an org where you can lose a top-shelf researcher/architect for 4-5 months while they train up on new tools and then use them to run down rabbit holes. This requires both vision and direction, and a moonshot culture to support it.

Chronicle's focus on their customers' problem in the article is sound, the next step is that each customer, or class of customer is going to be defined by their own specific ROC curve, relative to their business. Some just want raw data, others the world ends over a missed alert (false negative), still others have costs associated with false positives.

When you are doing a deterministic rules-based system, it's straightforward, but when you get into dynamic and scoring-based systems like ML, the responses to it are going to be polarized between customers, and you need a top-level vision to tie the whole product narrative together. It's not a thing you stand up that everyone uses, and few people want to buy a framework with a bunch of GIGO-based trade-offs.

Something I discovered in my own work was that the threat model is the business model, both for products and surprisingly for customers as well. I'm really interested in what Chronicle comes up with, as these are truly Hard problems.
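The "each customer has their own ROC curve" point above, worked through in code. This is an added example, not code from the comment author or from Chronicle; the alert scores, labels and cost profiles are constructed, and the cost model (a linear weighting of false positives and false negatives) is an assumption chosen to show how three businesses pick three different operating points on the same curve.

```python
"""Cost-weighted operating point on a ROC curve for a scored alert stream.

Added example. The detector scores, ground-truth labels and cost profiles
below are constructed for illustration, not taken from any real product.
"""
from dataclasses import dataclass

# Constructed sample: (detector score in [0, 1], ground truth is_malicious).
SAMPLE_ALERTS = [
    (0.05, False), (0.15, False), (0.30, False),
    (0.45, False), (0.60, False), (0.75, False),
    (0.40, True), (0.65, True), (0.80, True), (0.95, True),
]


@dataclass(frozen=True)
class CostProfile:
    name: str
    cost_false_positive: float  # e.g. analyst hours burned per benign alert raised
    cost_false_negative: float  # e.g. damage per malicious event that is not raised


# Three constructed customer profiles from the comment's three archetypes.
PROFILES = [
    CostProfile("missed alert is existential", 1.0, 100.0),
    CostProfile("balanced SOC", 10.0, 15.0),
    CostProfile("alert fatigue, low-value assets", 10.0, 1.0),
]


def confusion_at(alerts, threshold):
    """Count outcomes when an alert fires iff score >= threshold."""
    tp = sum(1 for s, mal in alerts if mal and s >= threshold)
    fn = sum(1 for s, mal in alerts if mal and s < threshold)
    fp = sum(1 for s, mal in alerts if not mal and s >= threshold)
    tn = sum(1 for s, mal in alerts if not mal and s < threshold)
    return tp, fp, fn, tn


def candidate_thresholds(alerts):
    """Every distinct score, plus one above the maximum (fire nothing)."""
    scores = sorted({s for s, _ in alerts})
    return scores + [scores[-1] + 1.0]


def roc_points(alerts):
    """(threshold, false_positive_rate, true_positive_rate) for each threshold."""
    points = []
    for t in candidate_thresholds(alerts):
        tp, fp, fn, tn = confusion_at(alerts, t)
        points.append((t, fp / (fp + tn), tp / (tp + fn)))
    return points


def choose_threshold(alerts, profile):
    """Threshold minimising the profile-weighted cost FP*c_fp + FN*c_fn.

    Ties go to the higher threshold: same cost, fewer alerts to triage.
    """
    best_t, best_cost = None, float("inf")
    for t in candidate_thresholds(alerts):
        _, fp, fn, _ = confusion_at(alerts, t)
        cost = profile.cost_false_positive * fp + profile.cost_false_negative * fn
        if cost <= best_cost:
            best_t, best_cost = t, cost
    return best_t, best_cost


if __name__ == "__main__":
    print("threshold  FPR    TPR")
    for t, fpr, tpr in roc_points(SAMPLE_ALERTS):
        print(f"{t:>9.2f}  {fpr:.2f}   {tpr:.2f}")
    for p in PROFILES:
        t, cost = choose_threshold(SAMPLE_ALERTS, p)
        print(f"{p.name:<32} -> fire at score >= {t:.2f} (expected cost {cost:g})")
```

The same scored stream and the same curve yield a firing threshold of 0.40 for the customer that cannot tolerate a miss, 0.65 for the balanced SOC and 0.80 for the customer drowning in benign alerts; the detector did not change, only the business's cost weights did, which is why a single shipped threshold satisfies nobody.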


We use ELK (Elasticsearch, Logstash, Kibana) quite heavily for this at my company. It works, and it works well. We feed massive amounts of data into it--it's not unusual for our indices to grow by 50 GiB in a single day, which is quite a bit for a small company running a niche website.

It's expensive. Very expensive. Not just in terms of money, but also time: the countless hours spent maintaining it, upgrading it, expanding it, securing it, and actually using it.

And then, of course, there's the cost of actually knowing what's going on within your infrastructure. It's stressful: attacks are happening constantly. Most of them aren't worth investigating; the firewalls do their job and the attacks fail. But which ones are worth worrying about? Which bugs are actually worth patching? Is it really an issue if a small part of our site goes down for a few minutes--especially when it might cost us 80 hours of work to patch?

I doubt these problems can be solved by collecting and analyzing more data. Lack of data isn't a problem--there are already plenty of systems for collecting, analyzing, and storing data. The trouble is using that data in a cost-effective manner. Similarly, I have zero faith in anyone's ability to solve these problems by simply throwing more computing power at them, for much the same reason.

I really hope that's not what they're planning to do, but this is Google we're talking about, so I'm not holding my breath.

Edit: Clarification, wording


The article is very light on product details. Reading between the lines, it sounds like the tool plugs into a bunch of existing tools (firewall, AV, etc) and then watches for certain heuristic patterns.

A clever approach, but I wonder how noisy it will be at the start.


That's exactly what existing SIEM tools like Splunk [1] have been doing for years. I've been following Chronicle since I heard about their initial project at X and I'm eager to see what their actual product is, but I'll be pretty disappointed if it's just yet another SIEM with yet another "powered by machine learning™" label slapped on.

1: https://www.splunk.com/en_us/cyber-security/advanced-persist...


> I wonder how noisy it will be at the start.

I don't expect that Google will find it difficult to procure some large training sets. The article's author seems to think that Google is likely to be leveraging the VirusTotal malware repositories.


That's the problem that most SIEM implementations have. Splunk has been doing behavioral anomaly detection for a while, but it's still up to the employee/business to determine what the baseline is.
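To make the "who decides the baseline" point concrete, here is an added example (not Splunk's or Chronicle's code, and not from the commenter) that flags a user's daily failed-login count relative to a baseline window chosen by the operator. The sshd-style log lines, the host and IP values, the user name and the daily counts are all constructed; the detection rule (mean plus k standard deviations over the baseline days) is an assumption chosen for illustration.

```python
"""Baseline-relative anomaly flagging over constructed auth log lines.

Added example. Log lines, counts, host names and addresses are constructed;
the rule is a plain mean + k*stdev check, chosen to show that the same
observation is an anomaly against one baseline window and noise against another.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sshd-style line: "<date> <host> sshd: Failed password for <user> from <ip>"
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ sshd: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)


def make_failed_lines(user, counts_by_day, ip="203.0.113.10"):
    """Synthesise N failed-login lines per day (constructed sample data)."""
    return [f"{day} host1 sshd: Failed password for {user} from {ip}"
            for day, n in counts_by_day.items() for _ in range(n)]


# Two candidate baseline windows for the same user: a quiet week and a week
# with a lot of lockouts (say, a password rotation). Both are constructed.
QUIET_WEEK = {"2018-12-10": 1, "2018-12-11": 0, "2018-12-12": 2,
              "2018-12-13": 1, "2018-12-14": 1}
NOISY_WEEK = {"2018-12-03": 5, "2018-12-04": 8, "2018-12-05": 6,
              "2018-12-06": 9, "2018-12-07": 7}

SAMPLE_LINES = (
    make_failed_lines("alice", NOISY_WEEK)
    + make_failed_lines("alice", QUIET_WEEK)
    + make_failed_lines("alice", {"2018-12-17": 6})   # the day under review
    + ["2018-12-17 host1 sshd: Accepted password for alice from 198.51.100.7"]
)


def parse_failed_logins(lines):
    """Return {user: Counter(day -> failures)}; lines that do not match are ignored."""
    per_user = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_user[m["user"]][m["day"]] += 1
    return per_user


def build_baseline(daily_counts, baseline_days):
    """Mean and population stdev of daily failures over the chosen days.

    A day with no failures counts as 0, so a flat baseline of zeros has
    stdev 0 and any increase at all will be flagged.
    """
    values = [daily_counts.get(d, 0) for d in baseline_days]
    return statistics.fmean(values), statistics.pstdev(values)


def is_anomalous(observed, mean, stdev, k=3.0):
    """Flag when the observed count exceeds mean + k * stdev."""
    return observed > mean + k * stdev


def assess(lines, user, baseline_days, day, k=3.0):
    """Parse, build the baseline the operator chose, and judge one day."""
    counts = parse_failed_logins(lines)[user]
    mean, stdev = build_baseline(counts, baseline_days)
    observed = counts.get(day, 0)
    return {"observed": observed, "mean": mean, "stdev": stdev,
            "threshold": mean + k * stdev,
            "anomalous": is_anomalous(observed, mean, stdev, k)}


if __name__ == "__main__":
    for label, window in (("quiet week", QUIET_WEEK), ("noisy week", NOISY_WEEK)):
        r = assess(SAMPLE_LINES, "alice", list(window), "2018-12-17")
        print(f"baseline={label:<10} observed={r['observed']} "
              f"threshold={r['threshold']:.2f} anomalous={r['anomalous']}")
```

Six failures on the day under review are flagged against the quiet week (threshold about 2.9) and ignored against the noisy week (threshold about 11.2). The parser and the rule are identical in both runs; the decision that separates "incident" from "Monday" is the operator's choice of baseline window and of k, which is exactly the part a product cannot ship pre-decided.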


This is an extremely interesting product they’re providing. My company would definitely be able to utilize this to great effect. Is this currently available to anyone for use?


I’m not sure how the exact details currently work, but if you go on to their website, they do have a contact form [1] which I assume you can use to make any interested inquiries!

[1] https://chronicle.security/contact-us/


not AFAICT

They held a webinar a few months ago. The invitation and view system sucked -- couldn't remember my invite and other problems. Didn't work with tracking disabled on the browser. And so on. At that time I decided to ignore for another year.

Maybe there's a recording of it somewhere.


What is with these horrible company names now? "Alphabet". "Chronicle". "Oath". Fuck. None of these names mean anything within the context of their business. Epitomizing mediocrity, this new generation of names waft aimlessly by and inspire exactly nothing.


Alphabet, at least, is a holding company that has no central competence (it has a subsidiary that dwarfs all the others, which also has what would be a terrible name except for the fact that it has attached meaning to that name by absolutely dominating key markets starting with search, so its name conveys meaning but only because of the firm’s own history.)


> Epitomizing mediocrity, this new generation of names waft aimlessly by and inspire exactly nothing.

Names are labels. Actions are what leads to inspiration.


After Levandowski got into a car accident with a self-driving car and bragged about it to his coworkers, I think machine learning won’t solve everything.


I don't think the article says that machine learning will solve everything... It's just talking about a new product in this space that uses machine learning.


This new product is being pushed as a "revolution" that, by the subtext of the sales pitch, is supposed to "solve all your cybersecurity problems."

Sorry, that defense doesn't hold in this case.


Is there a sales pitch that doesn't claim to solve all your problems?



