Inside Chronicle, Alphabet’s cybersecurity moonshot

What exactly is Project Lantern?

Fifteen years ago, cybersecurity could be boiled down to a simple strategy: Secure the perimeter. Experts fought against malware and other nefarious code by implementing firewalls and other point-of-entry defenses. Since then, however, companies have moved their operations online and allowed employees to bring their own devices (BYOD) to work. The so-called perimeter has dissolved in the process, forcing security practitioners to prioritize tracking, understanding and ultimately making judgments about the information flowing both inside and outside of their company.

Many businesses use 10, 20 or 30 different security products to protect their systems. They all have advantages, and security practitioners will use different combinations to investigate a potential threat. If a team has access to 15 tools, for instance, one engineer might think to use three of them while another tries a completely different subset. There isn't enough time to try them all, so experts pick products based on their experience and what they believe will be best suited to the task.

It's a messy problem that doesn't have a simple answer. "Companies are paying for all these tools, but they're not actually getting the combined value," Mike Wiacek, CSO and co-founder of Chronicle, said. "Because ultimately they're relying on a human to try and piece all this together. And that doesn't really solve the problem."

Chronicle started as a project inside X, the semi-secretive "moonshot factory" owned by Google parent Alphabet. It was announced last January and immediately spun out into a standalone business underneath the Alphabet umbrella. The reveal confused some people who associate "moonshot" with head-turning hardware like self-driving cars, delivery drones and high-altitude balloons that provide internet service to rural areas. Cybersecurity, while undeniably important, seemed tame by comparison. What exactly had Chronicle built, and why did it need the moonshot treatment to exist?

The answer is complicated.

Mike Wiacek

Chronicle's chief security officer started his career in high school, working six-hour evenings at an internet service provider (ISP) on system administration, security and basic programming tasks. He then studied computer science at La Salle University in Philadelphia while working at various ISPs and hosting companies. Wiacek clearly had a knack for security and quickly landed a summer internship at the Department of Defense. He graduated in 2003 and joined the department full time as a global network exploitation and vulnerability analyst. "It was a job where I felt I was able to do some good for the world," he said.

Three years later, the internet had radically changed. The user-friendly Web 2.0 movement was in full swing, and Google had launched a wave of transformative services including Google Maps and Gmail. The company was still relatively small, but Wiacek knew it would grow and face some unique security challenges. In the summer of 2006, Wiacek moved to California and joined Google's Information Security Engineering Team. The differences in size, structure and culture were stark.

"In one day I might have been looking at code or trying to audit some security functionality in Gmail," Wiacek said. "And that same day, I would be looking at stuff for Google Search. Or looking at a compiler. In one day I would literally be covering entire chunks of the company, because it was still small enough that you weren't specialized in one particular thing." It would be many years before Google set up product-specific security teams.

After Operation Aurora, a sophisticated cyberattack that targeted Google, Adobe and many other technology companies in 2009, Wiacek created an intelligence task force called the Threat Analysis Group (TAG). Google was already expanding its security team for day-to-day maintenance and operations. Wiacek felt the company should also have a group dedicated to more-innovative and forward-thinking solutions. "So understanding if any country in the world has a hacking program for espionage, intellectual property or simply spying on dissidents and political activists," he said. "We shouldn't have to say, 'We'll deal with that when we find out about it.' I wanted to understand how that was happening and make sure that information and intelligence could be applied [at the company]."

It's a search problem

Wiacek quickly built out a team that included Shapor Naghibzadeh, a Linux systems administrator who had helped investigate and diagnose Project Aurora. "Getting ahead of these threats was something that was really interesting to me," Naghibzadeh said.

TAG's founding members knew they would never have the legal freedom or technical capabilities of a government outfit like the FBI. The group could, however, leverage two of Google's key strengths: storage and raw computing. "That was the big hammer I had," Wiacek said. "Let's view this problem through the lens of data mining." The team used tools like Bigtable, a distributed storage system for structured data, and MapReduce, a framework for running large-scale parallel computations, in conjunction with its own search algorithms and techniques for detecting malware.

The unique blend allowed TAG to quickly spot patterns and reinforce Google's defenses. In June 2011, for instance, the team spotted a spear-phishing attack aimed at hundreds of Gmail users, including US government officials, Chinese political activists, military personnel and journalists. "We were able to actively disrupt that," Wiacek said.

TAG was making a difference. But the group's efforts were only protecting Google and its users.

"That planted the seed in my head."

One day, Wiacek was in a meeting with 20 other security experts, each representing a different company, at a Department of Homeland Security office in Virginia. A representative of the US government was explaining an ongoing hack that Wiacek suspected had originated in China. "They passed out a list of host names and said to everyone in the room, 'Hey, if you have traffic to any of those host names from your network, you probably have an active infection,'" TAG's manager recalled. Within a few seconds, Wiacek had pulled out his laptop, typed in the host names and confirmed that Google's systems were secure.

The other companies were dumbfounded. Some asked how they could possibly check that their companies were secure. Another queried how long ago the hack probably took place. The government spokesperson explained that it was likely six to nine months ago. "That person almost threw up their hands and said, 'You know, if you told me this was something that happened in the last 48 hours, maybe 72, we could do something. But I have no idea what happened there,'" Wiacek recalled. Google had made search a core part of its systems and approach to cybersecurity. In that moment, he realized few others had developed and integrated the same capabilities.

"That planted the seed in my head," Wiacek said. A seed that would eventually blossom into Chronicle.

Pitching Alphabet

TAG's manager took a sabbatical during the summer of 2015. He had worked at Google for nine years and seen the company grow from roughly 3,000 to 70,000 people globally. "I needed a break," Wiacek recalled, "and I was trying to figure out what I wanted to do [next]."

He thought back to the meeting in Virginia and started devising an "engineer's version of a business plan" with Naghibzadeh. Two months later, Google announced Alphabet, a major restructuring that separated Google, the X moonshot factory and various "other bets" including Life Services (later renamed Verily) and the health-focused Calico. "It didn't change our plans though," Wiacek explained. "X was still the logical place to try and incubate something. The only other real option was to quit Google altogether and try to talk to Google Ventures or something like that. We wanted to stay in the family."

Within two weeks, Alphabet's leadership had approved the project. Wiacek switched roles straight away; Naghibzadeh followed a little later.


X is a strange melting pot of talent. Walk through its facility and you might bump into a chemical engineer, a geothermal expert, a robotics technician or all three. That breadth of experience, coupled with some radical thinking and a seemingly infinite budget, is why X has been able to pursue such a wide range of radical ideas. It can also be a little daunting if you've spent the past decade surrounded almost exclusively by software engineers.

"I'm sitting at this desk by myself," Wiacek said, "Gmail's up, and I'm staring at the screen. I look around, and I'm just sitting there in a sea of empty desks. I thought to myself, 'What have I gotten myself into?'"

He wasn't truly alone, however. Wiacek had included VirusTotal, a small team based in Malaga, Spain, as part of his moonshot pitch.

The security company, created by cybersecurity developer Bernardo Quintero in 2004 and acquired by Google in 2012, runs a hugely popular file-and-URL-inspection service. The free-to-use platform is unique because it leverages more than 70 different antivirus scanners, including Symantec, Kaspersky and F-Secure, alongside various website-blacklisting services provided by Bitdefender, Yandex, Opera and others. "It's like the Switzerland of malware research," Wiacek said.

VirusTotal shares its aggregated findings with the user and all of its antivirus partners. That means everyone in the community is able to learn from one another and continuously improve their own systems. A premium service also allows approved customers, including independent cybersecurity professionals, to search for and access harmful file samples for research purposes. "I often will say that they're the CDC or World Health Organization of malware," Wiacek said. "In Atlanta, the Center for Disease Control has Ebola and smallpox in some cryogenic vault. VirusTotal has some of the world's scariest malware in their repository."

Wiacek knew that VirusTotal would be critical to his work at X. The company had a massive and constantly evolving data set for the team to test its search capabilities on. It also provided a unique perspective into what was happening beyond Google's borders. "One of the greater advantages of having VirusTotal to collaborate with," Naghibzadeh said, "was being able to open that aperture up and see the different threats and things that happen in the world more broadly."

Stephen Gillett

One month into his new job, Wiacek was introduced to Stephen Gillett, an executive in residence helping startups at Google Ventures (now known as GV). They immediately clicked. "The guy is like, openly genuine and caring," Wiacek said, "And he's not a tyrant. Or a 'my way is the only way.' He actually has a lot of humility. But he also has a lot of bold ambition."

Gillett was a great fit for Wiacek's yet-to-be-named X project. He studied political science at the University of Oregon while working part-time at Office Depot and later, after impressing a regular customer, a full-time help desk and networking job at a nearby hospital. After graduation, he held a number of high-level roles at CNET Networks, Yahoo, Starbucks and Best Buy, among others. Along the way, he learned a bunch about IT, infrastructure and cybersecurity.

In 2011, Gillett joined the board of directors at Symantec. He was later appointed COO and worked with the company as it split into two independent companies, focused on security and information management, in late 2014. The latter portion, named Veritas Technologies, was sold to the Carlyle Group in August 2015. "They were investing in a lot of the assets that were not related to cybersecurity," Gillett said. "When we sold the majority of those assets to private equity in 2015, I left, as did much of the executive team, because [Symantec] was a different company focused on a much smaller part of the market."

He was then asked by David Krane, the CEO and managing partner at GV, to join Google as a startup advisor. The former Symantec executive was about to turn 40, however, and have a seventh child with his wife. "I was kind of reluctant," he said. "But they convinced me that I would get free food, I would get to ride the Google bike and I would also get to work with great entrepreneurs. And so I joined."

"I'm looking under the tinted part of the conference-room glass saying, 'I hope that's not Astro.'"

He was paired up with roughly 30 companies and helped them with hiring, product decisions and other basic issues, such as how to negotiate a new office lease. Soon after, he was invited to meet the Alphabet leadership team, including Google CEO Sundar Pichai, the head of Google Fiber and Astro Teller, the jovial Captain of Moonshots at X. Gillett agreed to the meetings but knew he wasn't interested in running a large company or department again. The meeting with Teller, however, changed everything.

"I wasn't really trying to sell myself," Gillett said. "So I didn't do a lot of homework on him. I didn't do a lot of research. Then I went down to the conference room on the first floor of our building, and I'm sitting in there, kind of waiting for Astro to walk in, and I see this guy coming toward me with rollerblades on and a ponytail in kind of a flannel T-shirt thing. I'm looking under the tinted part of the conference-room glass saying, 'I hope that's not Astro.'" It was Astro. The meeting was a great success, however, and by the end Gillett knew Teller was one of the smartest people he had ever met.

By January 2016, Gillett had joined Wiacek's team inside X. "Then I wasn't alone here anymore," Wiacek said. "Eventually it was Shapor [Naghibzadeh], me and Stephen [Gillett], which was great. But then from there we said, 'You know, how do we actually -- what do we do next? Who do we hire? What's our plan?'"

Life under X

The moonshot factory gave Wiacek, Gillett and Naghibzadeh the time to do some high-level thinking about the future of cybersecurity. They felt, unsurprisingly, that it would be software-based, unlike most X moonshots. The group also agreed that it would revolve around Alphabet and Google's core strengths: huge amounts of data stored in well-protected data centers, paired with enormous computing power and smart analysis of logs.

"We believed, and do believe, that the future looks like that," Gillett said. "Less like an on-premise [solution] or appliance or a particular endpoint product and more about giving organizations and companies the ability to understand the security-relevant information that exists in their company today." Every company in the world, in short, needed to be strong in so-called big data storage and analysis.

The question, then, was how to give other organizations the same capabilities as Google.

With fewer than five employees, the still-unnamed project inside X started talking to other companies. The group wasn't pitching a product yet: They just wanted to chat with other cybersecurity professionals about their problems. "We tried to validate our idea," Wiacek said. "We spent a lot of 2016 doing this, actually. We knew what we thought we wanted to build, but we didn't want to rush out and just build it in a sense of arrogance to say, 'This will solve your problems.' We thought it would, we knew it would, but we also knew that a lot of security teams and a lot of enterprises had tool overload."

Project Lantern

So what exactly did the team build, and how does it differ from every other AI-equipped cybersecurity product? Chronicle's co-founders are staying tight-lipped on the details for now. It was once called Project Lantern, though, and it's clearly inspired by the systems Wiacek and Naghibzadeh developed at TAG.

It's also obvious that the platform provides some kind of overview, or continuous monitoring, of a company. And that it can spot patterns, or links, related to vulnerabilities and cyberattacks. "We will give you unprecedented capabilities to understand that information and, in particular, your [company] environment," Gillett said. "When bad things are interacting with your environment, [it will] give you an understanding of how those things are connected, what the relationships are over time, to help you make judgements and verdicts."

Search and data mining are only effective, however, if companies can store information for long periods of time. Server space, of course, is relatively expensive, so the product will somehow address this too. "You'll see [Chronicle] directly address this economic issue and try very hard to remove the barriers of a lot of companies to store that information in cost effective and economic ways," Gillett said. Otherwise, companies won't be able to investigate breaches properly and understand how bad actors penetrated their defenses.

The pattern spotting also relies on a unique blend of artificial intelligence and machine learning. It's not clear, however, if the data collected and analyzed by VirusTotal is being used to train these algorithms. "That's actually quite the data set to train an algorithm," Gillett hinted. "Because if you have human beings that have said, 'This is good, this is not good,' across hundreds of millions of artifacts, that becomes quite a powerful training algorithm, or data set, for an algorithm to help make those verdicts themselves over time."


The team worked under X for almost two years, refining the product and, eventually, providing Alpha access to some carefully selected companies.

By the end of 2017, however, it was clear that the project needed a new identity. Gillett, for instance, was meeting with clients who couldn't find the product or any mention of the team on Alphabet's and X's websites. They weren't sure, therefore, if the project was going to mature into a distinct business like Waymo and Wing or wither away like Project Foghorn, an ambitious attempt to turn seawater into carbon-neutral fuel. "That forced us to really announce to the world that we existed," Gillett explained, "even if we weren't ready for full general availability of the product."

First, though, the team needed a new name. Wiacek's only demand was that it didn't sound macho or like something from a sci-fi movie. "I didn't want to have an identity that resonates with military attitudes or 'my computer will eat me if I don't do this' or any of that," he explained. "I wanted something that's basically 'you can sit down and trust these people.'" By this point, the core leadership structure was solidified, with Gillett as CEO, Wiacek as chief security officer and Naghibzadeh as the team's senior engineering lead. And one day, in a design meeting, Wiacek saw their names on a mock-up slide with the name Chronicle.

"It just made the hair on the back of my neck stand up a little bit," Wiacek said. "Because it just sounds like it stands for something good. It sounds like it's there with some principles."

On January 24th, 2018, Chronicle was announced to the world as an Alphabet business and former X project. The move allowed the team to set its own corporate structure and governance, branding (almost everything it does is yellow and black), and sales and marketing strategies. The company was distinct but, being under the Alphabet umbrella, could still leverage the talent and resources of other divisions, such as the AI-focused DeepMind and Google Brain. It was, and still is, the best of both worlds.

"We know exactly when and where and how we will go live."

Chronicle has kept a low profile over the past 11 months. The team has been rapidly hiring, however, and expanding the pool of companies that has access to its "intelligence and analytics platform." In September, it also announced VirusTotal Enterprise, an update for premium customers that includes high-speed searching and YARA (it stands for Yet Another Ridiculous Acronym) threat hunting.

"We continue to leverage the power of Google infrastructure to expand the search and analysis capabilities of VirusTotal," the team says in a blog post. "As part of Chronicle, we also continue to add features to make VirusTotal more useful for enterprise security analysts. VirusTotal Enterprise will give those analysts new ability to search more data, faster, and to visualize it in new ways. We believe this will help you understand threats better and improve your own security."

Two months ago, Chronicle moved into a new office next to the X moonshot factory. The VirusTotal team, which had been working together in a leased house, now has a proper base of operations in Malaga too. They're separated geographically but united by Project Lantern, which aims to "bring light to the darkness," Wiacek explained.

As for the grand reveal of its search-focused cybersecurity platform? That's still a mystery, for now. "We know exactly when and where and how we will go live," Gillett said.

2019, hopefully?

Images: Chronicle