How Google and Mandiant are forging synergies in cyber security

Just over a month after Google completed its purchase of Mandiant, the cloud provider has demonstrated its synergies with its latest acquisition, baking threat intelligence capabilities into its Chronicle security operations platform.

Called Mandiant Breach Analytics for Chronicle, the offering combines Mandiant’s threat intelligence with Chronicle’s threat detection capabilities.

“We’re taking the very latest observed indicators of compromise and making them available to Chronicle customers through detection capabilities,” said Steve Ledzian, Mandiant’s chief technology officer in Asia-Pacific.

“It’s a brand new offering and it’s something we’ve never had before at Mandiant – and it’s now realised through this partnership between Mandiant and Google,” he added.

Google’s $5.4bn buyout of Mandiant was seen by industry analysts as a move to raise its competitive bar in the red-hot cyber security and cloud computing markets.

The acquisition was also expected to bolster Google’s already-strong security pedigree that it had built since 2009, when its systems were compromised by nation-state actors. The incident was recently documented in a new YouTube series, Hacking Google.

Daryl Pereira, Asia-Pacific lead in Google Cloud’s office of the chief information security officer, said the attack at the time was premised on phishing, spurring the company to rethink its security paradigm and embrace the zero-trust architecture to minimise human errors.

That paradigm now includes mandatory encryption, implementing two-factor authentication with hardware security tokens for employees, as well as conducting code reviews, red-teaming exercises and bug bounty programmes to secure its software supply chain, among other measures, he said.

“We’re really good at securing what we know about,” added Pereira. “The question, though, is how do we secure what we don’t know yet, and with zero-day attacks and advanced persistent threats among the biggest issues, how do we have a full vision of the cyber attacks to come?”

If you could build a tool that could anticipate the attack vector, entry point or modus operandi, and stop that before it occurs using the knowhow of Mandiant, then I think that’s the future of proactive security

With “frontline experience” in fending off threat actors, Mandiant was a natural fit for Google to get a better grasp of threat actors, their motivations and their tactics, techniques and procedures. Ledzian said: “Together with Google’s capabilities, we can look for things that Mandiant knows how to look for at scale, and in efficient ways.”

Achieving scale and efficiency in threat detection and response inevitably invokes the use of automation, artificial intelligence (AI) and machine learning, capabilities which Google has honed for years.

“Imagine a situation where we can use the Google search engine we’re famous for with prioritisation and relevancy for everyday searches,” said Pereira.

“If you apply that in the Chronicle SIEM [security information and event management], for example, you can search out indicators of compromise very quickly with Mandiant, which knows what actual security threats look like,” he added.

“And getting Mandiant to fine-tune the search algorithm – and coupling that with AI and the number-crunching capability of Google Cloud – you can imagine the future where you can search out indicators of compromise in hours, not days, while avoiding many of the false positives we typically see today.”

Quizzed on how Google is managing its relationships with partners that may compete with Mandiant, Pereira said Mandiant will continue to conduct incident response for its customers as before, and that Google will not compete in the incident response market.

“But what we’re really interested in is the future capabilities,” he said. “Google is an engineering company, and so we are going to build stuff that’s automated and change the security paradigm to be more proactive, because a lot of security tools are reactive currently.

“If you could build a tool that could anticipate the attack vector, entry point or modus operandi, and stop that before it occurs using the knowhow of Mandiant, then I think that’s the future of proactive security.”

In Asia-Pacific, a diverse region comprising countries with varying maturities and investments in cyber security, ransomware attacks have been rampant, making threat intelligence critical in understanding how ransomware is being propagated in the attack life cycle.

“All of that information is what Mandiant deals with every day, and can be used to power Google’s security controls as well,” said Ledzian. Such information, noted Pereira, could also enable Google’s engineering teams to stay abreast of cyber threats and reduce the time to mitigate zero-day attacks.

On joint go-to-market plans to engage Google and Mandiant customers to invest more in their offerings, Pereira said the matter is being discussed and that “our leadership is still looking into different ways of doing it”.

For example, Pereira said Google could pitch Mandiant’s expertise to existing clients, while Mandiant could tap Google’s security capabilities to secure critical systems and data hosted on Google Cloud.