At RSA 2019, Google's venture Chronicle announced its commercial cyber-security tool, Backstory.
Backstory is a cloud-based service, built as a specialized layer on top of core Google infrastructure.
It is designed so that enterprises can privately retain, analyze and search the massive amounts of security and network telemetry they generate day to day.
Backstory normalizes, indexes, correlates, and analyzes the data (against itself and against third-party and curated threat signals) to provide instant analysis and context for any risky activity.
Key Features of Backstory:
- Data Ingestion and Processing: Backstory can ingest a variety of telemetry types through a variety of methods. Backstory software can be deployed in the customer's environment, where it accepts syslog, packet capture, and data from existing log management / SIEM solutions. Customers can also send telemetry directly to the Backstory platform via a secure API, and Backstory can pull telemetry from other cloud services such as Amazon S3. Compared to other SIEM tools on the market, Backstory parses, normalizes, indexes, correlates, and displays incoming telemetry in approximately one second. Once DNS, netflow, endpoint and other traffic is forwarded to the customer's private Backstory cloud, the data is fully usable essentially instantly, regardless of volume.
- Visualizing at scale: The Backstory UI is designed for visualization of high-volume telemetry, such as DNS records, endpoint logs, network flows, and similar "noisy" information. It analyzes and processes large sets of telemetry to make effective visualization easier for the analyst. Backstory's design goal is to use the power of the underlying platform to organize large telemetry sets so that insights from the data are obvious to users and easy for analysts to act on.
- Investigation and Hunting: In today's SOC environment a security analyst collects information from different platforms and correlates the signs of attack and compromise across the relevant data as accurately and quickly as possible before analyzing the links to and from the activity. Backstory is a game-changing tool that reduces this manual effort: it automatically tracks these connections and presents the information to the analyst instantly. In short, for an IP address, MAC address or endpoint device, an analyst can see all network traffic, DNS traffic, files downloaded, and processes loaded and executed within seconds.
- Embedded intelligence: When an indicator that had a good reputation in the past turns bad (for example, a domain that now hosts malware or is flagged for some other reason), Backstory automatically and instantly re-evaluates all past customer activity against that now-bad indicator and alerts analysts about every machine that has ever communicated with the domain. This level of intelligence derives from the underlying core Google infrastructure, where continuous correlation of changing data feeds against petabytes of telemetry is standard operating procedure.
- Volume-neutral Licensing: Chronicle wants customers to collect and upload as much data as possible. Unlike log management or SIEM products, the Backstory license is based on organization size, not on data volume.
“Building a system that can analyze large amounts of telemetry for you won’t be useful if you are penalized for actually loading all of that information. Too often, vendors charge customers based on the amount of information they process,” Chronicle explained.
“Since most organizations generate more data every year, their security bills keep rising, but they aren’t more secure.”
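The two behaviours described above, pivoting on an asset to see its combined DNS, flow and process activity, and re-evaluating stored telemetry when an indicator's reputation turns bad, are sketched here as an added example; this is illustrative code, not Chronicle's, and the hosts, domains, RFC 5737 address and timestamps are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): records from DNS, netflow and
# endpoint sources already normalized to a common schema. Asset names, domains
# and the RFC 5737 test address are placeholders.
TELEMETRY = [
    {"ts": "2019-03-01T10:00:00Z", "src": "dns", "asset": "ws-017",
     "domain": "updates.example.net"},
    {"ts": "2019-03-01T10:00:02Z", "src": "netflow", "asset": "ws-017",
     "dst_ip": "203.0.113.10"},
    {"ts": "2019-03-01T10:00:03Z", "src": "endpoint", "asset": "ws-017",
     "process": "setup.exe"},
    {"ts": "2019-03-02T11:30:00Z", "src": "dns", "asset": "ws-042",
     "domain": "cdn.example.org"},
    {"ts": "2019-03-05T09:15:00Z", "src": "dns", "asset": "ws-099",
     "domain": "updates.example.net"},
]


def index_by_asset(events):
    """Group events by asset, oldest first, so an analyst can pivot on one
    host and see its DNS, flow and process activity together."""
    idx = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        idx[e["asset"]].append(e)
    return dict(idx)


def retroactive_sweep(events, newly_bad):
    """Re-evaluate *stored* telemetry, not just new events, when an indicator's
    reputation changes. Returns {(asset, indicator): first_seen_ts} for every
    asset that ever resolved or connected to a now-bad domain or IP."""
    hits = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ioc = e.get("domain") or e.get("dst_ip")
        if ioc in newly_bad:
            hits.setdefault((e["asset"], ioc), e["ts"])  # keep earliest contact
    return hits


if __name__ == "__main__":
    # A domain that was benign when logged is later flagged as malicious.
    by_asset = index_by_asset(TELEMETRY)
    for (asset, ioc), first in retroactive_sweep(TELEMETRY, {"updates.example.net"}).items():
        print(f"ALERT {asset} contacted {ioc}; first seen {first}")
        for e in by_asset[asset]:
            print("   ", e["ts"], e["src"], e.get("domain") or e.get("dst_ip") or e.get("process"))
```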
Tool Architecture and Infrastructure:
Benefits of Backstory according to the Chronicle whitepaper:
- Visibility and Context: Gain instant context related to alerts or threat hunting
- Disruptive Economics: Dramatically reduce the cost and management of a security analytics platform
- Scale and Speed: Upload petabytes of telemetry and search it within milliseconds
- Ease of Management: Forget about buying hardware, tuning networks, resizing memory, and the other IT tasks that an on-premises solution requires.
- Intelligence on day one: Backstory is pre-loaded with signals, and gets smarter as you add your own telemetry
For more information (references):