In January 2018, Google parent Alphabet formed an enterprise security company named Chronicle. The big bet was on machine learning analyzing massive amounts of data, detecting cyber threats more quickly and precisely than traditional methods. But less than a year and a half later, Google Cloud swallowed Chronicle. Google completed the “acquisition” on October 1.
So much for building a separate security company. So what would Chronicle’s purpose be inside Google? The company wouldn’t tell us when the news first dropped in June. After the merger, however, we were able to interview Rick Caccia, previously Chronicle’s CMO and now Google Cloud Security Products marketing lead, and Sunil Potti, who joined Google from Nutanix in June as VP of Google Cloud Security.
Chronicle has seen a few high-profile departures recently, several of which Potti downplayed as “not unexpected.” Chronicle cofounder and chief security officer Mike Wiacek left Google after more than 13 years. Chronicle CTO Will Robinson is leaving too. Former Chronicle CEO Stephen Gillett is still at Google, but no longer heading Chronicle.
Why not start at Google Cloud — was the whole Chronicle exercise really necessary? “We announced the company two years ago, but it was a project longer before that inside of X,” Caccia explained. “So if you roll back, four years, the notion of using Google infrastructure to help secure and analyze on-premise datacenter data was not something that was in the cloud purview. It just wasn’t something they were looking at. We saw value there, and we wanted to do it. We stayed in touch — I talked to my counterpart over in cloud security product management regularly. It became clear over time, in the past months, that the trajectories were going to overlap. We all made the decision to … make that happen sooner rather than later.”
Three security priorities
So what exactly happened in the past few months? The team reorganized into “a security products group to go after security on the platform and beyond the platform,” Caccia told VentureBeat. “Chronicle is really the focus for Google Cloud going after security off the platform, which at the time of announcement, we didn’t talk about … that way. We’ve gone away and made our plans and done our analysis and have our strategy.”
Google is turning security into a Google Cloud Platform (GCP) business line. Along with that, “Chronicle is essentially becoming a foundation for this business line,” Potti told VentureBeat. “We’ve [taken] the last few months to truly integrate the team, while keeping it independent, if anything, fueling it with more investment in engineering and go-to-market to become the role model for other products going forward.”
Integrated, independent, and investment — duh, false, and duh. But Chronicle inside Google Cloud is apparently changing the team’s focus from one priority to three.
“We’ve generally focused, as you know, on … protecting customers coming to GCP,” Potti said. “And that continues to be a top priority.” The second priority is “next-generation cloud native security, services, and controls” for customers moving their workloads to GCP. The third is building an enterprise-grade multi-cloud security offering.
“And then the last category, the third prong … this is where Chronicle sets the agenda frankly for GCP security going forward. To take the best in-class technology that powers Google — in this particular case, Google security analytics. So, whether they’re from on-premise environments, or other clouds, including GCP … we have a bunch of ‘fast security services’ that can bundle some of those best-in-class capabilities of Google and bring them to customers where they are in a multi-cloud fashion.”
Securing multi-cloud and on-premise
The bigger picture here is Google embracing multi-cloud. Anthos, formerly Google’s Cloud Services Platform, works with AWS and Azure. Google sees Chronicle as another piece in the same puzzle.
“Google Cloud in general is doubling down on multi-cloud services,” Potti emphasized. “Anthos was one of those anchor services. And Chronicle offers a similar new multi-cloud offering, but in the world of security. Chronicle has now enabled Google Cloud to play in a multi-cloud world with respect to security.”
There is also an obvious sales story here. Chronicle and Google Cloud used “the same back-end infrastructure to bring security value to buyers,” Caccia said. Previously, a client would have to talk to Google Cloud and to Chronicle separately. From the GCP side, the customer was CIOs moving to GCP, looking for encryption and so on. From the Chronicle side, it was the CSO looking to modernize his or her company’s security infrastructure.
Google has now merged those accounts, which was a “pretty smooth” process, thanks to the common infrastructure, Potti said. Bonus: Customers are now asking to use Chronicle as part of their existing Google contracts. There is special interest in Backstory, Chronicle’s telemetry that the company has previously described as “Google Photos for network security.”
“We have offerings and solutions for both of those buyers from one organization,” Caccia noted. “If you say, ‘I’ve got a lot of my stuff on-premise. I want Google to help me analyze and protect it on-premise. I’m going to have some it over in some other cloud, AWS, and I’m going to move some of it to Google Cloud. How’s it going to work?’ Well, now we say we have modules that work in all those places, take data from all those places, and help you protect it. Over time, where it makes sense, we can start to use the same pieces in the back. For example, on top of GCP, you have capabilities for doing log threat detection. In Backstory, you have the ability to do investigations of on-premise logs. We probably want to share rules across those things.”
“Having something like Chronicle in the multi-product portfolio enables us now to engage with the CSO as a first-class buyer, not just as a supporting check mark,” Potti added. “Even if the customer is completely on-premise or a big Amazon or Azure customer, Google now still has an enterprise offering that [sales] can now engage with another buyer inside the company. So that’s the, if I can call it ‘cross-sell synergy’ that we’re trying to basically feed into our 2020 go-to-market plans now that Chronicle is in the mix.”
“Whether you call it public security or even enterprise security, we have a significant shortfall of security talent everywhere,” Potti added. “And it’s even more profound in the segment around security analysts — the folks that hunt, investigate threats, and then triage them, and so forth. Ultimately, the vision around Chronicle within Google Cloud is to become a mechanism for us to essentially do what we did for any customer to just run their own datacenters. To do the same with security, which is ‘Could you lower the bar significantly with respect to any reasonable IT shop becoming a high-end security analyst shop without having to build a world-class security team?’ That’s really the ultimate endgame of using data at scale to provide this turnkey solution that can help us democratize security analysis.”
Where’s the AI and machine learning?
Chronicle’s original mission statement was to “give good the advantage” by leveraging Google infrastructure. Security analytics was the focus because it relied on big data. Security telemetry was becoming a petabyte-level problem, which meant big compute was required to make sense of that data. “That in my mind is still completely there,” Caccia declared.
What about all the talk of AI and machine learning in the security space? Where does Chronicle inside Google Cloud fit in?
“A lot of these companies start with the algorithms and talk about AI,” Caccia said. “And our view, based on what the founders of Chronicle had learned in their own jobs and security engineering at Google, was to start with the data first. If you have all the data first, you can make the algorithms more effective. So our strategy was step one, fundamentally build a platform that is comfortable ingesting, normalizing, massive amounts of data. Once we have that, step two, find ways to use machine learning to make more sense and value of it for customers.”
When Chronicle launched Backstory at RSA in March, that was phase one. “We’re still in phase one,” Caccia told VentureBeat. “Our expectation of adding the algorithms comes sort of after the data. We think that is unique in this market and it’s probably tied to our Alphabet heritage.”
“To create good models you need good data to create the model,” Potti added. “And if you focus on building great models without an ability to actually get this massive scalable training data available, then that’s one of the reasons why you’re not seeing any security companies break out on an AI-first model, even though there’s a lot of marketing there. To Rick’s point, I think this is the area that Backstory has done really well. We can crunch petabytes of data at scale, index and search them like Google Search does on websites. Based on that foundation, obviously Google is a company that does AI reasonably well, so then it becomes easier to layer that on.”
But first, the Backstory road map is being accelerated, Caccia told VentureBeat. “We are moving along the road map we have, and we continue to expand that product to do full-blown security analytics.”
We’ll hear more about that piece at Google Cloud Next 2019 UK later this week.