There’s an intriguing new player on the cybersecurity block, and it’s called Chronicle. Notable because it’s part of Google’s parent company, it emerged out of Alphabet’s “moonshot” incubator, known as X. Announced last week in two different blog posts on Medium, Chronicle will focus on helping companies comprehend their own security data and, according to the company’s CEO, “stop cyber attacks before they cause harm.”
In an era of global computer infections like WannaCry, or vulnerabilities in computer processors like Meltdown and Spectre, a Google-like company turning its focus and resources to cybersecurity is a good thing. But there’s limited information available about how it might function.
In a blog post, the company’s cofounder and CEO, Stephen Gillett, wrote that one prong of the firm will be “a new cybersecurity intelligence and analytics platform that we hope can help enterprises better manage and understand their own security-related data.” Some companies, he added, have been trying out an initial version of that platform already. Their system will also use machine learning, a type of artificial intelligence.
While the company isn’t sharing details besides what’s already public, machine learning represents a powerful tool for making sense of the droves of cybersecurity data that a company gathers.
“I think that the idea of using Google’s data to be able to improve cybersecurity across the ecosystem is a very direct application of information that only Google has,” says Shuman Ghosemajumder, the CTO of Shape Security and the former click-fraud chief at Google.
Drowning in data
Chronicle will help companies make sense of the “security alerts” that their internal defenses produce—alerts that can number in the tens of thousands every day, according to Gillett’s explanation of the company. “The proliferation of data from the dozens of security products that a typical large organization deploys is paradoxically making it harder, not easier, for teams to detect and investigate threats,” he wrote. And all that data is pricey to store, too.
Data about a company’s network activity can come in the form of event logs, says Bryan Parno, an associate professor of computer science at Carnegie Mellon University. On a computer network, an event can be as simple as someone logging onto their machine in the morning, the communications between computers, or files that people download. Those event logs can also include security alerts, like failed login attempts. Antivirus software also produces notifications, as do other security devices. It’s data like this in general that Chronicle might want to crunch, Parno speculates.
The next step is to do “anomaly detection,” Parno says, a process of looking at that data and figuring out the difference between normal and abnormal traffic.
Set loose the AI
That’s where machine learning, which can glean insight from oodles of data, can come into play. “Security analysts often spend a lot of their time, saying, ‘Well, we got all these alerts, we need to somehow triage them,’” Parno says. The goal is to separate a real threat from just normal traffic.
Machine learning excels at learning from data—a classic example is to teach a learning algorithm what a cat looks like by giving it tons of pictures of felines and then letting it decipher its own rules about cat appearances, instead of trying to explicitly program those rules in. That software can then recognize what it thinks are bewhiskered animals in new images.
In this case, the data isn’t furry pets. It’s information like security alerts, as Gillett said in his blog item, or perhaps those event logs. Engineers tend to train their system on “the good stuff,” Parno says—showing it what the normal traffic looks like so it can learn from that, because most traffic is the benign kind.
“You’re mostly training for good, and saying, ‘Anything I don’t recognize as good is probably bad,’” Parno says. Chronicle could be training its algorithms to recognize the signals from good traffic, bad traffic, or both. (Part of the company includes a 2012 Google acquisition called VirusTotal, which focuses on malware detection.) In short, Chronicle is a platform that is designed to give speedy analysis of a company’s own cybersecurity situation. (In a similar vein, another new company has created an AI system designed to help CIA-type intelligence analysts make sense of reports and other data.)
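The “train on good, flag what isn’t recognized” idea Parno describes, as an added Python example that is not from the article or from Chronicle. The event fields, user names and host names are constructed, and the two rules (known activity, usual hours) are assumptions standing in for a learned model.

```python
from collections import defaultdict

# Constructed sample events: (user, hour_of_day, event_type, target)
BENIGN = [
    ("alice", 9, "login", "ws-alice"),
    ("alice", 10, "download", "fileserver"),
    ("alice", 17, "login_failed", "ws-alice"),
    ("bob", 8, "login", "ws-bob"),
    ("bob", 14, "download", "fileserver"),
    ("bob", 15, "connect", "buildserver"),
]

def train(events, hour_slack=2):
    """Learn, per user, which (event, target) pairs and working hours are normal."""
    pairs, hours = defaultdict(set), defaultdict(list)
    for user, hour, event, target in events:
        pairs[user].add((event, target))
        hours[user].append(hour)
    return {
        u: {"pairs": pairs[u],
            "hours": (min(hours[u]) - hour_slack, max(hours[u]) + hour_slack)}
        for u in pairs
    }

def reasons(baseline, ev):
    """Return the reasons an event is not recognised as good (empty = normal)."""
    user, hour, event, target = ev
    prof = baseline.get(user)
    if prof is None:
        return ["unknown user"]
    out = []
    if (event, target) not in prof["pairs"]:
        out.append(f"new activity {event}->{target}")
    lo, hi = prof["hours"]
    if not lo <= hour <= hi:
        out.append(f"unusual hour {hour}")
    return out

def triage(baseline, events):
    """Split events into (flagged, passed); flagged ones carry their reasons."""
    flagged = [(ev, r) for ev in events if (r := reasons(baseline, ev))]
    passed = [ev for ev in events if not reasons(baseline, ev)]
    return flagged, passed

NEW = [
    ("alice", 9, "login", "ws-alice"),        # matches baseline
    ("alice", 3, "login", "ws-alice"),        # outside learned hours
    ("bob", 14, "connect", "hr-database"),    # target never seen for bob
    ("carol", 10, "login", "ws-carol"),       # new hire: benign but flagged
]

if __name__ == "__main__":
    flagged, passed = triage(train(BENIGN), NEW)
    for ev, why in flagged:
        print(ev, "->", "; ".join(why))
    print(f"{len(flagged)} flagged, {len(passed)} passed")
```

The last event is a harmless new hire, yet it is flagged because the baseline has never seen that user, which is the kind of alert an analyst then has to triage by hand.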
Parno says that the system could also speed up the painstaking process of piecing together what happened even after something goes wrong, like a computer getting infected with malware.
But Parno, who focuses on computer security and cryptography, strikes a note of caution. “Historically, it’s been a challenge to apply machine learning very effectively to security problems,” he adds. That’s because it’s good at identifying what he calls the “average case.” If Siri or Alexa understands what you say 99 percent of the time, that’s basically acceptable. But in the realm of security, he says, 99 percent doesn’t cut it. “The Achilles Heel of anomaly detection has always been that attackers just say, ‘Well, I’m just going to very carefully craft my attack so it looks like normal activity.’”