While security operations teams detect attacks faster than ever before, today's median attacker dwell time of 16 days is still too long for most organizations. Security teams need to know immediately whether the breach activity making headlines is present in their own environment.
To help security teams rapidly identify active threat campaigns that put their environment at risk, Chronicle Security Operations has announced new Applied Threat Intelligence capabilities, available in preview. Applying threat intelligence throughout your SecOps processes tackles one of the biggest challenges in SecOps: the relevance and timeliness of intelligence.
Chronicle's Applied Threat Intelligence uses AI and machine learning to prioritize threats based on each customer's unique environment, and then automatically enrich and contextualize every event with the latest, market-leading threat intelligence from Google Cloud, Mandiant, and VirusTotal.
Applied Threat Intelligence also includes Breach Analytics, which matches your data against both publicly known threat actor tactics and techniques and unpublished tactics identified and qualified in active Mandiant Incident Response and Google internal engagements. With Breach Analytics for Chronicle, you can take action proactively and in near real time to minimize the impact of a breach.
So, how does this work?
Chronicle automates the application of intelligence to your events by sweeping your entire corpus of threat intelligence data, whether from first-party Google sources (Mandiant, VirusTotal, Google Cloud Threat Intelligence) or from third-party vendors whose feeds you bring. It then matches that corpus against the event data from all of your security sources (EDR, network, cloud, and so on) and aggregates every match for you.
In addition, Chronicle analyzes your data against our latest IOCs and quickly distills and prioritizes the results, work that would otherwise take analysts hours to triage.
As threat actors evolve their attacks and techniques, systems once considered "safe" can turn out to be exposed to newly identified threats. Chronicle continuously re-analyzes historical data, so you can uncover past compromises by matching older events against newer IOCs. With Chronicle's 12-month retention for all ingested data, including high-volume sources, your team can run retroactive hunts to identify the first point of breach in a cost-effective way.
Breach Analytics for Chronicle does not stop there. Once Chronicle finds an IOC match in your environment, it prioritizes that match using not only our latest threat intelligence but also your own environment and activity. This reduces the noise of false alarms and surfaces what is most relevant for you to act on.
Chronicle also provides Mandiant's analyst-assigned confidence score for millions of known indicators, plus the latest unpublished insights on vulnerabilities. The "prevalence" indicator shows whether Mandiant has already observed the same indicator at other customers in your geography or industry, which helps you gauge the immediate impact. Lastly, visibility into vulnerabilities being exploited in current Mandiant breach investigations is essential for quickly understanding the risk at hand.
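To make the matching, retroactive hunting and prioritization steps described above concrete, here is an added example in Python. It is not Chronicle's code and does not use Chronicle's data model: the feed fields (confidence, prevalence, publication date), the asset criticality weights and the scoring formula are assumptions chosen for the illustration, and every indicator and event below is constructed sample data, not real intelligence. It shows three things the prose only names: a single sweep of events against the whole IOC corpus, a retro hunt that re-scans older events with only the IOCs published after a cutoff (which is how an indicator published in March can reveal a compromise from the previous November), and a prioritized, de-duplicated view that combines vendor confidence and prevalence with local asset context.

```python
"""Illustrative IOC matching, retro hunting and prioritization (added example, not Chronicle's code)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Ioc:
    value: str            # domain, IP or file hash
    kind: str             # "domain" | "ip" | "sha256"
    source: str           # which feed supplied it (assumed labels)
    confidence: int       # analyst confidence 0-100 (assumed scale)
    prevalence: int       # number of other customers the vendor saw it at (assumed)
    published: datetime   # when the indicator entered the feed


# Constructed feed. "evil-cdn.example" is published long after the events it matches.
IOC_FEED = [
    Ioc("203.0.113.7", "ip", "first_party", 90, 12, datetime(2023, 1, 10)),
    Ioc("update-check.example", "domain", "third_party", 60, 1, datetime(2023, 1, 15)),
    Ioc("evil-cdn.example", "domain", "first_party", 95, 40, datetime(2023, 3, 1)),
]

# Constructed events from several log sources (EDR, proxy, cloud), oldest first.
EVENTS = [
    {"ts": datetime(2022, 11, 3), "src": "proxy", "asset": "ws-017", "domain": "evil-cdn.example"},
    {"ts": datetime(2023, 1, 20), "src": "edr", "asset": "dc01", "dest_ip": "203.0.113.7"},
    {"ts": datetime(2023, 1, 21), "src": "cloud", "asset": "build-runner", "domain": "update-check.example"},
    {"ts": datetime(2023, 2, 2), "src": "proxy", "asset": "ws-017", "domain": "evil-cdn.example"},
    {"ts": datetime(2023, 2, 9), "src": "edr", "asset": "ws-042", "dest_ip": "198.51.100.5"},  # no IOC
]

# Environmental context (assumed): matches on critical assets are weighted higher.
ASSET_WEIGHT = {"dc01": 3.0, "build-runner": 2.0}

# Which event fields can carry which indicator type.
EVENT_FIELDS = {"ip": ("dest_ip", "src_ip"), "domain": ("domain",), "sha256": ("sha256",)}


def index_feed(feed):
    """Index IOCs by (kind, value) so each event lookup is constant time."""
    return {(i.kind, i.value): i for i in feed}


def match_events(events, feed):
    """Sweep every event against the whole IOC corpus; return (event, ioc) hits."""
    idx = index_feed(feed)
    hits = []
    for ev in events:
        for kind, fields in EVENT_FIELDS.items():
            for field in fields:
                ioc = idx.get((kind, ev.get(field)))
                if ioc:
                    hits.append((ev, ioc))
    return hits


def retro_hunt(events, feed, since):
    """Re-scan historical events using only IOCs published after `since` (ISO date).

    Only events older than the IOC's publication date count: newer events were
    already matched at ingest time, so a retro hunt reports what was missed.
    """
    cutoff = datetime.fromisoformat(since)
    new_iocs = [i for i in feed if i.published > cutoff]
    return [(ev, ioc) for ev, ioc in match_events(events, new_iocs) if ev["ts"] < ioc.published]


def first_point_of_breach(hits):
    """Earliest event timestamp among the hits, i.e. the first observed contact."""
    return min(ev["ts"] for ev, _ in hits)


def score(ev, ioc):
    """Combine vendor confidence, prevalence (capped) and local asset weight. Assumed formula."""
    return ioc.confidence * (1 + min(ioc.prevalence, 50) / 50) * ASSET_WEIGHT.get(ev["asset"], 1.0)


def prioritize(hits):
    """Collapse repeated (asset, ioc) hits into one line and sort by score, highest first."""
    agg = {}
    for ev, ioc in hits:
        entry = agg.setdefault((ev["asset"], ioc.value), {
            "asset": ev["asset"], "ioc": ioc.value, "source": ioc.source,
            "first_seen": ev["ts"], "count": 0, "score": score(ev, ioc),
        })
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ev["ts"])
    return sorted(agg.values(), key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for line in prioritize(match_events(EVENTS, IOC_FEED)):
        print(f'{line["score"]:7.1f} {line["asset"]:<13} {line["ioc"]:<22} x{line["count"]} first {line["first_seen"].date()}')
    retro = retro_hunt(EVENTS, IOC_FEED, "2023-02-15")
    print("retro hunt hits:", len(retro), "first point of breach:", first_point_of_breach(retro).date())
```

Two design points worth noting. The retro hunt deliberately filters on `ev["ts"] < ioc.published`: a match whose event is newer than the indicator was already caught in the real-time sweep, so reporting it again would only add noise. And the prioritized view aggregates per (asset, indicator) rather than per event, so a workstation that beaconed to the same domain twice produces one line with a count and a first-seen date, which is the shape an analyst needs to find the first point of breach.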
For deeper insight into the specifics of a compromise and its source, Mandiant Threat Intelligence is a click away. Your analysts can dig into the details of known threat actors such as "APT31", which is attributed to China, has an "espionage" motivation, and targets specific industries in specific regions, all shown in this view.
This is only the beginning. In our next iteration, Chronicle will provide not only real-time IOC matching and prioritization but also automated retro hunting. The value of retro hunting, manual or automated, is clear when you recall that Mandiant uncovered the SolarWinds compromise by manually checking historical events against leads discovered in the present.
Interested in seeing more? Schedule a demo today to see how you can leverage Chronicle's Applied Threat Intelligence.