cloud, Cyber Security, Digital, Innovation, Network Behavior Management, SOC, Threat Hunting, Transformation
by Irfan

Revolutionary threat hunting platform for massive data


A global platform for analyzing enterprise security telemetry

Enterprises today has security systems in place, often including network security devices such as firewalls, SIEMs, IDS, secure web gateways, network anomaly behavior, deception, packet capture, and endpoint security devices such as EDR technologies, email security, encryption technologies, etc.. Together, these solutions generate massive amount of telemetry than most enterprise can store, let their threat hunting teams or security operational analysts analyze in near real time or over months. When an incident occurs, most security teams lack the current or historical telemetry they need to investigate and respond. Even with partial data, searches can take hours or days to run against months of data

Norwegian aluminium producer and renewable energy provider Norsk Hydro has been hit by a major cyber attack which has partially shut down the company’s operations on 19th Mar 2019. ‘IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible. Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation’ said in their statement.

Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within enterprise network. Backstory makes security analytics instant, easy, and, cost-effective. Backstory is a global cloud service where companies can privately upload, store, and analyze their internal security telemetry to detect and investigate potential cyber threats.

Platform’s key capabilities

  • Continuous IoC evaluation – Real time and retroactive instant indicator matching across all logs (e.g. if a domain flips from good to bad, Backstory instantly shows all devices that have ever communicated with that domain)
  • Smart queries – Prebuilt search results designed specifically for security use cases
  • Smart filters – Preconfigured and dynamic data filters designed for security use cases
  • Powerful visualization – Graphically display data in real time to support investigations and hunts
  • Incident context – VirusTotal, WHOIS, and third party vendor context on IoCs
  • Activity correlation – Alerts, network activity, and rich EDR telemetry in a single view
  • Integrated use cases – Pivot between investigation and hunting
  • Automatic insights – Intelligent analytics to derive insights in support of investigations
  • Global scale – Infinitely elastic, with a pricing model that supports analysis of massive data sets

With initial launch of this product at RSA2019, the built-in use-cases are phishing investigations, asset based investigations, domain/IP/URL hunting, partial indicator hunting, file hunting, raw log search, IoC matching

MITRE ATT&CK

Purpose of threat hunting platform

Backstory was designed for a world where companies generate massive amounts of security telemetry and struggle to hire enough trained analysts to make sense of it. Backstory is to give analysts a way, when they see a potential threat, to determine what it is, what it’s doing, whether it matters, and how best to respond:

  • What is the threat? Backstory can show, instantly, all related process and activity around a point in time. For example, Backstory can show the analyst that a user clicked on a webpage link and shortly afterward, a new process began running on the machine.
  • What is it doing? When the analyst pivots to look at the user’s machine after the new process began running, Backstory can show the follow-on beaconing activity from this new process, to an external domain.
  • Does it matter? While displaying the beaconing pattern, Backstory can also show threat scores for this domain from embedded third party feeds, such as Proofpoint’s Emerging Threats feed, verdicts from Avast’s 400 million consumer AV endpoint agents, and ESET’s AV results — as well as embedded VirusTotal metadata.
  • How to respond? With a single click, the analyst can pivot from this particular user machine to find every other machine that is running or has ever run this process or communicated with the bad domain.

We’re hoping one day Backstory will become the backbone of many managed security service providers.