Back on March 6th, I wrote a blog article introducing our readers to Backstory, a new security offering from Chronicle.
I promised when more information was available we'd update you accordingly. And that time, dear reader, is now.
First off, I recommend you watch Backstory's introductory webinar. I've embedded it below. It's about an hour long, and it's very informative. They do a better job explaining their product than I'll ever be able to:
Now that that's out of the way (or, if you don't have time to watch the video and want more of an overview), let's look at a few of Backstory's highlights and what we think about it overall.*
Who is Chronicle?
Lifted directly from their website:
"Chronicle was born in 2016 as a project within X, Alphabet’s moonshot factory. As an Alphabet company, we bring unique resources and talent to the goal of giving enterprises, and the people within them, the tools to win the fight against cybercrime."
Mike Wiacek (Chronicle's Chief Security Officer) and Shapor Naghibzadeh (Chronicle's Senior Engineer) both grew up in the Google ecosystem. They were founders of Google's Threat Analysis Group. They've got an excellent pedigree when it comes to hunting cybercriminals and state-sponsored hackers.
What is Backstory?
Again, I can't compete with Chronicle on how they pitch their product, so here's how they describe it:
"Backstory is a global security telemetry platform for investigation and threat hunting within an enterprise network. It makes security analytics instant, easy, and cost-effective.
Backstory is built on core Google infrastructure and brings unmatched speed and scalability to analyzing massive amounts of security telemetry. As a cloud service, it requires zero customer hardware, maintenance, tuning, or ongoing management. Built for a world that thinks in petabytes, Backstory can support security analytics against the largest customer networks with ease."
Who is Backstory designed for?
Everybody. If you're using a firewall, EDR solution, SIEM (or SOAPA if you're ahead of the game), or any security product worth its weight, you're collecting logs and loads of them at that.
There's just too much information to go through. If you decide to go through that information to look for evidence of an attack, it can take hours, days or even months to find it.
Backstory helps rectify that problem. Backstory is built using the same technology Google leverages for its search engine. That means users can search through vast amounts of data at blazing fast speeds.
What does Backstory do?
Because it leverages Google's data architecture, Backstory natively gains all the computing power and economic efficiency its parent company can offer.
Backstory is capable of automatically breaking down queries across hundreds of thousands of servers and assembling results in milliseconds, with zero administration on the analyst's part.
Customers upload their security data (Backstory calls it "telemetry") to a private cloud within Backstory's platform. From there it's automatically correlated and compared to known threats based on proprietary and 3rd-party signals embedded in each customer's private dashboard.
If you've ever wanted to analyze petabytes (PETABYTES holy moly) in seconds and get meaningful and insightful results, Backstory's your product.
What does Backstory's architecture look like?
What are Backstory's key features?
• Continuous IoC evaluation - Real-time and retroactive instant indicator matching across all logs (e.g., if a domain flips from good to bad, Backstory instantly shows all devices that have ever communicated with that domain)
• Smart queries - Prebuilt search results explicitly designed for security use cases
• Smart filters - Preconfigured and dynamic data filters designed for security use cases
• Powerful visualization - Graphically display data in real time to support investigations
• Incident context - VirusTotal, WHOIS, and third-party vendor context on IoCs
• Activity correlation - Alerts, network activity, and rich EDR telemetry in a single view
• Integrated use cases - Pivot between investigation and hunting
• Automatic insights - Intelligent analytics to derive insights in support of investigations
• Global scale - Infinitely elastic, with a pricing model that supports analysis of massive
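The "continuous IoC evaluation" bullet above is the feature most worth understanding from a detection standpoint: the same indicator is checked both as new telemetry arrives (real-time) and against everything already stored when an indicator's verdict changes (retroactive). The toy model below is an added example written for this post, not Chronicle's code and not a description of how Backstory is built. It keeps a small in-memory telemetry store of constructed DNS/connection records (the hostnames, domains and timestamps are made up), and shows both matching modes against a domain that flips from good to bad.

```python
"""Toy model of continuous + retroactive IoC matching over stored telemetry.

Added example, not Chronicle/Backstory code. Two matching modes are shown:
  - real-time: each record is checked against current verdicts as it is ingested
  - retroactive: when an indicator flips to "bad", every record already stored
    for that indicator is re-evaluated and surfaced, so an analyst can answer
    "which devices have ever talked to this domain?" without re-querying.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Record:
    ts: str       # ISO-8601 timestamp of the event
    host: str     # internal asset that made the request
    domain: str   # domain the asset resolved or connected to


@dataclass
class TelemetryStore:
    records: list = field(default_factory=list)
    by_domain: dict = field(default_factory=lambda: defaultdict(list))
    verdicts: dict = field(default_factory=dict)   # domain -> "good" | "bad"
    alerts: list = field(default_factory=list)     # (ts, host, domain, mode)

    def ingest(self, rec: Record) -> None:
        """Store a record and evaluate it against current verdicts (real-time path)."""
        self.records.append(rec)
        self.by_domain[rec.domain].append(rec)
        if self.verdicts.get(rec.domain) == "bad":
            self.alerts.append((rec.ts, rec.host, rec.domain, "realtime"))

    def set_verdict(self, domain: str, verdict: str) -> None:
        """Update an indicator's verdict; a good->bad flip triggers retroactive matching."""
        previous = self.verdicts.get(domain, "unknown")
        self.verdicts[domain] = verdict
        if verdict == "bad" and previous != "bad":
            # Re-scan everything already stored for this domain, oldest first.
            for rec in self.by_domain.get(domain, []):
                self.alerts.append((rec.ts, rec.host, rec.domain, "retroactive"))

    def hosts_that_contacted(self, domain: str) -> list:
        """All distinct hosts that have ever communicated with the domain."""
        return sorted({r.host for r in self.by_domain.get(domain, [])})


# Constructed sample telemetry: hostnames, domains and timestamps are made up.
SAMPLE_RECORDS = [
    Record("2019-03-01T10:00:00Z", "laptop-17", "updates.example.com"),
    Record("2019-03-02T11:30:00Z", "laptop-42", "cdn.example.net"),
    Record("2019-03-03T09:15:00Z", "laptop-17", "cdn.example.net"),
]


def run_demo() -> TelemetryStore:
    """Ingest history, flip one domain to bad, then ingest one more event."""
    store = TelemetryStore()
    for rec in SAMPLE_RECORDS:
        store.ingest(rec)                      # nothing is flagged yet
    store.set_verdict("cdn.example.net", "bad")  # indicator flips: retroactive hits
    store.ingest(Record("2019-03-05T08:00:00Z", "server-3", "cdn.example.net"))  # real-time hit
    return store


if __name__ == "__main__":
    s = run_demo()
    for ts, host, domain, mode in s.alerts:
        print(f"{mode:11s} {ts} {host} -> {domain}")
    print("ever contacted cdn.example.net:", s.hosts_that_contacted("cdn.example.net"))
```

The design point is the index keyed by indicator (`by_domain` here): retroactive matching is only "instant" if the store can answer "everything that touched this domain" without a full scan, which is the kind of pre-indexed structure the bullet above is describing at petabyte scale.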
How much does Backstory cost?
I'm unsure. As with most of these platforms, pricing is going to depend on the customer.
What does Backstory compare to?
At first glance, you might think Backstory is relatively similar to SumoLogic (who happen to be a fantastic partner of ours), but ultimately that's an unfair comparison.
While both platforms handle security logs and data, SumoLogic does so primarily in real-time, producing unified metrics and allowing a member of your SOC to monitor apps and infrastructure conveniently and securely.
Backstory is about searching logs and security telemetry (darn it, they've got me calling it telemetry now) after the fact. It's more of a forensics tool for events that have already happened than a unified dashboarding tool like SumoLogic.
Does Security7 Networks recommend using Backstory?
Hard to say. I can't give you an answer yet. From what we've seen of it, it looks promising. However, any of us here would be doing you a disservice if we recommended it to you without getting hands-on with it ourselves.
If we get a chance to dive into Chronicle's new pool, we'll let you know ASAP via a post on our blog and social media.
If you haven't subscribed to our blog use the CTA in the top right-hand corner of the page.
*DISCLAIMER: No one at Security7 Networks has had a chance to get hands-on with Backstory. We're contemplating our options.