Updated: Dec 28, 2022
Before I start taking you on my technical evaluation journey of Google provided SIEM solution named Chronicle, I want to say that this is not Google's endorsed write up rather my own experience.
Since there's a huge development made in modern digital infrastructure ever since and is still going, cyber security solution providers must also keep up the pace with technological advancements. Since the adoption of Cloud as IAAS by a huge number of business across the globe, everyone prefers their #Cybersecurity solution needs to be fulfilled by their cloud service providers. And so, here's Google that offers their own #SIEM (Security Incident and Event Management) as a service named as Chronicle. I have got a chance to evaluate this product, so I thought of writing a few highlights that would help security professionals to understand more technical of this solution.
Chronicle platform is built on Google's core components making it easier for organizations that runs #applications on Google Cloud Platform #gcp. The data ingestion of all the google provides services could be easily #ingested on this platform for security analytics. However when it comes to #thirdparty integrations it doesn't seem much promising as it must be. Think of any log management solution that needs to collect logs form a #windows operating system. Since #microsoft windows doesn't have an inbuilt feature to forward logs to a remote #snmp or #syslog server, Google also did not ensure that this data collection should also be considered. Google, instead recommends #nxlog for this event forwarding deployment. Now if I subscribe to Chronicle service, I must manage a parallel setup of Nxlog to ensure the forwarding of windows events to their chronicle forwarder. Sounds like a double or even triple work since the example is just for one type of data source.
Log Source and Type Identification
Now, here's a very important point to note that if an particular system is not sending the logs due to some error out of agent malfunctioning or connection issues, Chronicle won't be able to notify the #administrators or #operators about this event. A data source may go unnoticed for a long period of time whereas an engineer is expected to make use of historical logs or to show up during cyber security #audits and #compliance assessment, that may trouble a bit. Another important point is to Tag your data sources which means windows events is windows events and not as per you wish to categorize them. As an example, If I want to classify or tag events received from a Windows system which is a part of Tier1 Finance group, I could not tag as 'Tier1-Finance-Windows' but just Windows. It is completely my observation, I welcome #Google to correct me.
Unstructured Rule base
Grouping and knowing every single source, asset and data plays a vital role for security analytics. In the rules section of Chronicles console, there's no way we could group the rules created for specific purposes. For example, can I just structure the rules, the custom rules in such a way that #Ransomware detection can be structured in under one parent name and #dataleakage rules under the other. Apart from this type of arrangement, we have a long list of rules with yes!, just one search box. Name your rules wisely so they become easy for you to remember during your search which are not even piled up in an alphabetical order.
Chronicle Forwarder Issues
I have faced this multiple times and so may you. I was told to restart chronicle forwarder docker instance every time there's an update in the configuration file, which interrupts the current on going log flow from other existing data sources. In this case, you may miss that one line in million which was the actual job an SIEM does, analytics and #forensics. Also, upon every change, more than half of the attempts the new configuration doesn't take effect which requires you to repeat the whole process of pulling chronicle forwarder docker image from wherever and start it, configure it all over again.
I know Google is known to be best at handling data and processing, a little extra work towards 'Out security' will help them to rise even more in competition with other players.
So far I have only these four highlights, I am sure there would be many while I am on my way on production deployment. I will keep adding on to this list.
Thank you so much for reading