Chronicle’s Backstory marks Google’s first foray into the SIEM industry by introducing a SIEM that claims full data retention “forever.” Organizations must weigh the benefits of Backstory’s cloud-based SIEM against their perceptions of Google’s data collection practices.
Backstory will use the data it collects from customers to build more sophisticated analytics, which may affect the privacy of data users and complicate data ownership.
Rather than store a company’s logs on-premises, Backstory enables users to store their security telemetry via a cloud service built as a specialized layer on top of Google’s core infrastructure. While not necessarily a part of Google, as Chronicle is subject to separate legal and privacy agreements, organizations may still remain suspicious of storing corporate data with Chronicle.
While Chronicle claims that it improves an analyst’s ability to find and respond to threats by providing petabytes of their own data without requiring them to write rules or queries, the decision to store all of the data an organization has ever created might raise concerns over data ownership and data retention. Nevertheless, the massive amount of data that Backstory can collect represents an impressive development in what current SIEM storage and machine learning may be capable of, and could very well be a game-changer for the SIEM market.
Organizations should do their due diligence whenever they commit to any SIEM platform, and Chronicle’s Backstory should be no different. While Backstory’s link to Google offers organizations significant advantages, such as speed and a massive amount of historical data on security threats, it may or may not be right for an organization’s level of acceptable risk around how its data is stored and used.
Further, organizations should keep in mind current and upcoming regulations such as GDPR and CCPA that generally require specific data retention policies that might complicate Backstory’s claims that it can retain data forever.