Hello,
Maybe some other customers will want to respond here but as for comparison between other SIEM’s maybe you can reach out to your sales team and setup a call to discuss competitive parity between products.
Hi Dnehoda,
Thanks for replying. I am currently working on Google SecOps SIEM as part of our BAU activities. I've observed the positives I mentioned in Google SecOps and wanted to know if any existing customers have found additional valuable features. We aim to highlight these to our clients to demonstrate the exceptional options available in Google SecOps, ensuring they feel confident in their investment.
Additionally, if there are any exceptional features we might be missing that could be useful in our daily activities, it would be beneficial to learn about them. That's why I posted this query in the forum.
I accept your suggestion to reach out to the Google team and will do so soon. However, I am very much inclined to learn from people who are using Google SecOps in their daily activities in real-time, as this practical experience would be immensely helpful.
Any insights or experiences you or others can share would be greatly appreciated.
Regards,
Surya.
Cloud-native security is great in general to have as it keeps it "all-in-one-place" for an all-encompassing security product. I think that also the integration with SCC if you are implementing Google Cloud infrastructure is great because you can protect endpoints and link that data / any findings into the SIEM directly very easily and create alerts based on that. I find that to be an advantage compared to other SIEMs because it seems easy to implement that type of security from a cloud platform into a SIEM using both products: SCC & SecOps.
Hi Surya,
A few months back analyst firm IDC interviewed Google SecOps customers to understand the business value they're deriving from the platform. Here is a blog you can check out that summarizes IDC's findings and also links to the full report.
Other helpful resources would be Google SecOps sessions from Google Cloud Next where customers share their experiences using the platform. Here are two you can reference:
Please let me know if this helps or if you have any questions!
Best,
Ahnna
Hi Ahnna,
Thank you for sharing the blog links. They provided a great high-level overview of Google SecOps usage in industries. However, what I was seeking from this forum are the more granular, ground-level differences identified by real-time users who utilize Google SecOps daily for investigations, actions, and BAU activities.
As I mentioned earlier, features like NLQ and Alert Graph stand out as unique in Google SecOps compared to other SIEM tools. I have been using the top three SIEM tools for the past 4.5 years, and these two key features were notably absent in those tools. They are highly valuable for L1 and L2 analysts during their daily activities.
I'm hoping to learn about these kinds of specific features or benefits that existing Google SecOps users have discovered that might be particularly useful for our analysts.
Thanks again for your help.
Regards,
Surya Teja.
Great question! Here's my point of view of the features and capabilities that I find truly unique. They come as a paradigm shift to some customers, but when done correctly can really transform security operations. The list below focuses on unique features/differentiators that come to mind, not some of the SIEM table stakes like ingestion etc.:
- Stitching/Aliasing: The very sadly deprecated name Chronicle described it best; a big goal for the product was to take a hodgepodge of logs and make them into a story. A large portion of that is done out of the box (for instance if you ingest AZURE_AD_CONTEXT alongside AZURE_AD), and some of it requires tuning based on your organization's view of identities, privileged accounts, assets, critical assets. But in Chronicle you know when a user is a user, and an asset is an asset, regardless of the underlying identifiers (IPs, MACs, hostnames, proprietary IDs, SIDs, employee IDs, usernames, emails, UPNs, etc.). As a result, when you click on an alert you get everything that happened to this user/asset in a nicely stitched-together timeframe with enrichments such as job titles etc. directly within the data model. In a traditional SIEM an analyst will conduct searches across multiple indices and the burden of the completeness of the search goes to the analyst - and guess what, they don't really do it often because it's hard. In Chronicle you get everything in one timeline, and an extra feature is that the alerts are interlaced in the same timeline, so unrelated alerts can come together properly. I think this blog post starts highlighting the ideas fairly well.
- Entity Data Model: When coming to the idea of stitching/aliasing, they didn't just do a couple of UEBA tricks on standard datasets, but instead made it fully customizable through the Entity Data Model, which means you can parse any context and it goes into an entity graph. Now, it's probably not the easiest thing in the world to use, because it's a mind shift, but once again it is one of those really powerful things, and it is fully customizable, as opposed to a "magic black box".
- Enrichment: I really like the out-of-the-box enrichments; they are quite unique and powerful analytics - things like prevalence, first seen, and then if you're fortunate enough to have Enterprise+ some of the VirusTotal and other enrichments. Most product alerts are mediocre at best, and can be quite voluminous, and the sheer fact that you can filter them based on things like "prevalence" or how new they are is great because those are signals that an attacker simply can't fake.
- Correlation: There are a lot of subtle things in the SIEM that as a SIEM nerd I really like. The first thing is that it forces a data model and therefore transcends a little bit the "Glorified Grep" that most SIEMs enjoy. The truth is parsing is hard and very few solutions decided to invest in that, but Chronicle takes a point of view of "one data model to rule them all" vs. the multi-index views. There's a lot of Google magic behind the scenes to make that data model performant across any field, including high-cardinality fields and for use cases like regex searching etc. Then you add the very correlation-focused detection language where you can correlate against events and context easily. But these technical details matter for one reason: your detections can easily transcend multiple products. Chances are a single vendor is way better at building alerts than you are, so if all your alerts look at single-vendor or single-dataset sources, then the SIEM is just a glorified alert aggregator and you're not taking the biggest value out of it. Yes, there's forensic value, but you can't go upstream and filter detections or highlight suspicious behaviors or toxic combinations very well.
- Risk: I really love how Chronicle models risk and risk scores and puts that into an overall UEBA philosophy. The practical reality is that there are too many alerts even just looking at product alerts. Humans couldn't possibly look into that. Yes, there are ideas of "automation" but I don't find a lot of them practical as they open doors to attackers (i.e. you can't just ignore something because it doesn't have a VirusTotal detection; this is very easy for an attacker to circumvent). But a better idea I like is that in the entity graph Chronicle adds up risk scores for each detection, and out-of-the-box detections also honor that. The idea is that even if you don't alert on some low-fidelity detections, when they aggregate and increase in risk, that entity itself can be highlighted. Once again this is a feature that needs to be used properly and carefully of course, but when done well it can draw value from alerts that were previously likely ignored.
- Case management: I know your question is about SIEM, but the built-in SOAR in general and its Case Management-centric philosophy in particular is awesome. Tie that with the extensibility of the SOAR, the lack of user limits on SOAR in the SecOps license etc. and you really get to build a central collaboration space for operations. When you start putting metrics around that, it creates a lot of positive feedback loops that build out a healthy operations discipline.
There are some other ones I'm sure; I really like the idea of parser extensions. I also like the fact that there's a maintained parser dataset - Chronicle makes much bigger investments in parsing than every other vendor, probably more than most of them combined, which will pay dividends in the future. The baked-in Mandiant intel is fantastic. There's some cool new features coming in, but hope this is a good starting point.
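To make the stitching/aliasing and risk-aggregation ideas in the post above concrete, here is an added toy model (not Google SecOps code, and not how its entity graph is actually implemented). It assumes a constructed alias table standing in for ingested identity context and a constructed set of low-fidelity detections from EDR, proxy and IdP sources; the point it shows is that no single raw identifier crosses the risk threshold, but the stitched entity does.

```python
from collections import defaultdict

# Constructed identity context: every identifier that belongs to one person,
# mapped to a canonical entity key (stand-in for AZURE_AD_CONTEXT-style data).
ALIASES = {
    "jdoe": "EMP-1001",
    "jdoe@example.com": "EMP-1001",
    "10.0.5.23": "EMP-1001",        # IP leased to jdoe's laptop
    "LAPTOP-JD": "EMP-1001",
    "asmith": "EMP-2002",
    "asmith@example.com": "EMP-2002",
}

# Constructed low-fidelity detections, each keyed by whatever identifier the
# producing product happened to log, with a per-detection risk score.
DETECTIONS = [
    {"ts": 1, "source": "edr",   "id": "LAPTOP-JD",          "name": "lolbin exec",       "risk": 20},
    {"ts": 2, "source": "proxy", "id": "10.0.5.23",          "name": "rare domain",       "risk": 15},
    {"ts": 3, "source": "idp",   "id": "jdoe@example.com",   "name": "new MFA device",    "risk": 25},
    {"ts": 4, "source": "idp",   "id": "asmith@example.com", "name": "new MFA device",    "risk": 25},
    {"ts": 5, "source": "idp",   "id": "jdoe",               "name": "impossible travel", "risk": 30},
]


def resolve_entity(identifier: str) -> str:
    """Map an IP, hostname, username or email to its canonical entity.
    Unknown identifiers stay as-is, so unaliased data is never dropped."""
    return ALIASES.get(identifier, identifier)


def stitch_timeline(detections, resolve=resolve_entity):
    """Build one time-ordered timeline per entity from mixed-source detections."""
    timeline = defaultdict(list)
    for d in detections:
        timeline[resolve(d["id"])].append(d)
    for events in timeline.values():
        events.sort(key=lambda d: d["ts"])
    return dict(timeline)


def entity_risk(timeline):
    """Aggregate risk per entity by summing the scores of its detections."""
    return {entity: sum(d["risk"] for d in events) for entity, events in timeline.items()}


def high_risk_entities(detections, threshold=60, resolve=resolve_entity):
    """Entities whose aggregated risk reaches the threshold; pass resolve=lambda i: i
    to see the un-stitched (per raw identifier) result for comparison."""
    scores = entity_risk(stitch_timeline(detections, resolve))
    return sorted(e for e, s in scores.items() if s >= threshold)
```

Run with the stitched resolver the only entity over the threshold is EMP-1001 (20+15+25+30 = 90), while grouping by raw identifier surfaces nothing, which is exactly the "alerts that were previously likely ignored" case the post describes.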