ESG's Jon Oltsik and Anton Chuvakin of Google Chronicle discuss SOAPA, part 1 of 2
Jon: Welcome to another edition of SOAPA videos. I'm Jon Oltsik, your host. And I'm here with Anton Chuvakin, head of solution strategy at Google Chronicle and the guy who I've run around in the same neighborhood with for years. So welcome, Anton.
Dr. Chuvakin: Thank you very much.
Jon: You wrote a blog recently about detection as code, which I found very intriguing, but can you talk about that a little bit?
Dr. Chuvakin: I've been trying to think about how we do detection for a good number of years, and in that blog post, I tried to outline maybe a bit of a vision for how we can crack some of the problems we've been stuck on, frankly, for many, many years. My blog is an attempt to kind of outline a slightly different vision that possibly can help solve some of the problems.
Jon: Yeah. Well, I'm all for it. It is a 30-year problem. But one of the solutions that you've posed, and I think this is going back a ways too, is that you talked about the SOC nuclear triad, which was kind of your analog to what I was thinking about at SOAPA. So what are your thoughts now? It's 2020, is it still relevant?
Dr. Chuvakin: My impression was that it's still relevant, but let me quickly clarify what's going on here. So when I described the triad, I described log analysis, traffic analysis, and endpoint telemetry analysis, which is usually done using EDR. And one thing that bothered me back in 2015 when I made it up was that deeper application visibility doesn't really get its own pillar, and admittedly, what I saw in real life kind of indicated that it doesn't.
It's either logs or people just don't do it. So for 2020, I was trying to figure out whether this deserves a separate pillar, and I still feel like perhaps, next time, when we are looking at it, it may get a separate visibility, end goal of visibility line, or a visibility pillar. Today, I still think traffic, endpoint, and logs may cover some of the application stuff.
Jon: And when you talk about application visibility, are you looking at application behavior, are you looking at vulnerabilities of apps? What specifically are you looking at?
Dr. Chuvakin: You can say that this is the same as logs, but it's not really the same, because it's a separate module inside the app that gives you a type of telemetry that's useful for security and perhaps for other purposes. So to me, this is... I shouldn't call it EDR for apps. It would haunt me forever. But it's kind of a deeper security-relevant visibility inside the application.
I don't think we have enough of that. I don't know that we know what to do with it, frankly. And except for people who instrument the application well, like, well, us here at Google Cloud, it's really uncommon.
Jon: You've got the Triad. When I came up with SOAPA, it was an integration layer. Are there any new technologies or new data sources that you think are really important to add?
Dr. Chuvakin: The only big bucket that's possibly missing is application visibility. Certainly, things have changed in recent years. For example, people were quite obsessed about full packet capture many years ago, and I think that's mostly died off. People do layer-7 decoding, like the Zeek/Bro style decoding, and I think layer-7 has won over both flows and full packet capture. I haven't seen people do full packet capture for years.
I would say, on the endpoint side, EDR has spread, and there are many more elements that EDR fix up today. And then logging evolved. So I would say, maybe there are different log sources, like for example, I don't know, CASB logs. In 2015, it's kind of uncommon, and in fact, CASB itself was kind of uncommon. Today, we have a lot more cloud log sources to consider.
So no huge changes except for this one possible future pillar for application visibility.
Jon: Yeah. One thing I'm looking at is the inclusion of deception technology as another data source, sort of an adjunct to what we have, but kind of honing in on attacker behavior, giving you better cyber threat intelligence telemetry, things like that.
Dr. Chuvakin: Deception is listed as an auxiliary. In the original, well, now gone, blog post on the SOC nuclear triad, I do mention deception as an auxiliary, but I don't think it's its own pillar. I think it's just auxiliary to the three.
Jon: Okay. Anton, my colleague Dave Gruber and I are right in the midst of some research on XDR. So I'm wondering what you think about XDR as a possibility in this space.
Dr. Chuvakin: I now see XDR as a kind of alternative vision to the SIEM-centric monitoring. I would see people starting from SIEM and then add in endpoint, add in network, and then add in compliance. And to me, this made sense for many years, and I have remained a big fan of that. So now, somebody showed up and said, "Hey, why don't we start from EDR and then add logs where needed, add traffic analysis where needed," and my initial impression was, "No, that's wrong. You should do logs first."
This is more broad, more effective coverage area, and you can do more. And then it remained mostly true, but now I started seeing examples where people do start from EDR, and they're successful, where logs become an auxiliary, where EDR becomes a primary. So I see this line of thinking as XDR vision. It's basically endpoint primacy or endpoint centrality of monitoring, with other things being auxiliaries, like logs and traffic.
And I think, to me, it makes sense. It has the right to live and it has value to clients.
Jon: Yeah. And from my perspective, XDR has to learn how to play with SIEM, because a lot of the vendors there have the mentality that they want to take over the world. So maybe that's a long-term vision, but in the meantime, if I've spent millions of dollars and a lot of resources on Splunk, I want to make these things coexist.
So to me, that's kind of the short-term problem.
Dr. Chuvakin: Short term, yes, but there would be friction. Because ultimately, the XDR visions from different vendors that are now from Gartner and Forrester, they all imply that it's kind of a complete monitoring paradigm. And so I'm not sure. I think that SIEM and XDR would remain a bit of a fight and truce for some time.
Jon: Yes. Short term, I think you're right, but long term, I totally agree. Anton, I could talk to you about this stuff all day. Can you stick around for part two of this SOAPA video?
Dr. Chuvakin: Oh yes, absolutely.
Jon: Okay, thanks so much. And we'll be back with part two soon.