When moonshots don't leave orbit: Going to Google Cloud doesn't make Chronicle less disruptive

July 17, 2019
by Scott Crawford


Chronicle, the security company launched by Alphabet's X 'moonshot factory,' has announced that it is joining Google Cloud. This news may be a bit confusing to anyone who assumed that Chronicle already was part of Google, but the company was launched through X effectively as a startup, to tackle some of security's difficulties in taking action on vast amounts of data. Chronicle's initial customers will doubtlessly wonder what the move means for them, but what does it portend for the security industry, as well?

The 451 Take

Using Google infrastructure, and assuming control of VirusTotal from Google, Chronicle was launched as an independent company serving enterprise security analysts seeking insight into activity throughout their environments, whether on-premises, in the cloud or both. The transfer of Chronicle to Google Cloud raises the question of whether Chronicle will maintain this independence or whether its priorities will shift toward a Google Cloud focus. While we would expect the move to increase visibility for Google's cloud properties, Chronicle's appeal is much broader – intentionally so. We think this potential is not lost on Google strategists. To be sure, near-term pragmatic advantages may be much of the story here: leveraging an established Google Cloud sales force may help Chronicle gain traction more quickly than building one from scratch. In the long run, success in becoming an anchor for enterprise security operations would reflect the aims evident in Google Cloud initiatives such as Anthos, whose cross-platform container management gives Google footing for multi-cloud and hybrid IT management built on container technologies.

Chronicle, however, could give Google Cloud an edge against Amazon's security offerings focused on AWS environments while heightening competition against Microsoft's security ambitions beyond Azure. It has the potential to disrupt other incumbents in information security, highlighting once again the innovator's dilemma for those legacy leaders facing the hyperscalers' advantages in forcing change on existing security markets.

Exit... sort of

After months of speculation following the announcement of its conception as an X initiative, Chronicle released its first offering, Backstory, at this year's RSA Conference. This first release of Backstory gives security analysts a scalable and responsive platform for quickly discovering and correlating findings from large data sets and multiple sources that would indicate malicious activity or a possible attack. Legacy tools often require organizations to deploy – and maintain – architectures for gathering and analyzing data from multiple sources. Analysis can be time-consuming, particularly with large data sets, and may require multiple tools or integration across such tools. Neither task may be well adapted to the sheer scale of security data, which can overwhelm investigators with raw data and bury insight that might otherwise go undiscovered.

Backstory aims to leverage cloud scale and access to cloud-native analytics to help speed these processes and improve the ability of security teams to find and understand meaningful data about threats in their environments. It can help investigators more quickly pinpoint malicious activity, accelerate response and make that response more precise – and it can call upon VirusTotal, which became part of Chronicle from the outset, as a source of primary threat intelligence.

Chronicle was conceived to tap the power of a major cloud platform to achieve these objectives. Its technology is built on top of core Google infrastructure, but Chronicle was not itself a part of Google Cloud. Rather, it uses Google capabilities to gather and manage data at scale – capabilities that, in more than a few cases, Google helped to pioneer in providing internet services to billions – as well as Google analytics that enable automation, analysis and machine learning for a variety of use cases.

This change in Chronicle's status is not exactly an exit in the traditional sense; ultimately, all roads lead to Alphabet. What it does mean, however, is that Chronicle will now formally become part of the Google Cloud. Will this dampen its potential to disrupt existing security plays?

Moonshot or no, cloud is a disruptive launching pad

Our expectation is that it likely will not. Competing technologies that gather and analyze security data often run into issues such as sizing (and pricing) storage, which can become problematic for customers over long periods of time. Yet long-term retention of such data is often necessary to identify adversary tactics and sources of attack, and to recognize assets that were compromised earlier, which may otherwise go unnoticed without historical data to support analysis. Cloud-scale storage and elasticity help alleviate some of these problems – as do many of the hyperscalers' tools for analytics and machine learning. Google Cloud has the ability to place capabilities such as TensorFlow and many other analytic toolkits at the disposal of Chronicle as needed, which would give Chronicle a leg up against competitors that would have to acquire such technology organically, through acquisition or by engaging similar services themselves.

These are all among the reasons why the hyperscalers have targeted segments such as security analytics and operations platforms such as security information and event management. Microsoft, for example, introduced Azure Sentinel at this year's RSA Conference and positioned it to compete against SIEM, while Amazon Web Services released its Security Hub offering to general availability at re:Inforce, for gathering and acting on security data collected in AWS from a variety of sources. It should be remembered that Amazon also acquired Sqrrl in 2018. At its exit, Sqrrl had become a threat-hunting platform used by analysts to identify malicious activity not previously (or not always) recognized in an environment. Although Amazon stated at acquisition that it intended Sqrrl primarily for internal consumption, Chronicle's release of Backstory may be expected to spur Google's direct competitors to bring similar capability to market, and Sqrrl could very likely be a key contributor to helping Amazon fit such a bill.

The continued emergence of such offerings throws down a gauntlet to the likes of Splunk, IBM, Micro Focus, and others with a strong current or legacy position in markets such as SIEM, security analytics and (by extension) security automation, considering how much cloud functionality is based on automation. It frames a substantial aspect of the 'innovator's dilemma' faced by security incumbents: adapt to the cloud revolution at the risk of cannibalizing existing success, or double down on current success at the risk of missing the opportunity to participate in what IT is fast becoming?

Those that seem to be navigating this dilemma most successfully are either adding value to cloud provider offerings or are succeeding based on what the hyperscalers cannot or choose not to do themselves. The cloud isn't the personal device used to interact with information, nor are cloud providers typically OEMs for operational technologies, although cloud applications often power much of what those systems do. Many cloud providers do not provide the network infrastructure organizations require to connect, but some do have their own extensive infrastructure for interconnecting cloud resources and linking them with the enterprise, its partners and customers. Furthermore, the hyperscalers compete among themselves. For some organizations, a multi-cloud/hybrid strategy may be required to weave together both cloud and legacy enterprise investments.

Security goes beyond parochial concerns about cloud platforms and providers and distinctions of cloud from noncloud resources. The real value that hyperscalers offer to security operations is the ability to find the most meaningful data in large volumes of noise throughout an environment, which may include partners and suppliers, and to power automation that can create insight and turn it into action. Automation can be key to immediacy of response for cloud platforms themselves, but it can also be an enabler in extending the ability to automate defenses and controls throughout an environment. All these demands require a scope larger than any one cloud platform per se.

It's therefore ironic that the breadth of the security challenge is reflected among organizations that will continue to seek out third parties, as well as invest in their own efforts to secure their cloud resources, as illustrated in our most recent 451 Research Information Security: Budgets and Outlook study.

Figure 1: Which of the following does your organization do to secure hosted data or applications at your cloud provider? Source: 451 Research Information Security: Budgets and Outlook 2019

In our view, Chronicle – and Google Cloud – would be missing an opportunity to speak to all these enterprise needs if Chronicle were to focus too much on Google Cloud Platform alone. We recognize that a typical customer reaction to the acquisition of a preferred independent supplier is to be concerned about what it will become under new ownership. In Chronicle's unique case, this concern should be mitigated by Chronicle's Alphabet roots, and Alphabet's recognition of how and why it created Chronicle to begin with: to improve the visibility and actionability of security insight, regardless of where or what assets may be affected by malicious activity.

Sometimes, a moonshot doesn't have to get all the way to the moon to realize benefits and introduce disruption here on earth.