If you're wondering why Google blew $5b on Mandiant, this may shed some light

GCN Mandiant, now officially owned by Google, has the scale (not to mention the deep pockets) to be the "brain" across organizations' myriad security products and automate protection on top of these controls, according to the security shop's CEO Kevin Mandia.

Mandia spoke with reporters for the first time about his threat-intel-slash-incident-response company's new owner during a press briefing ahead of Google Cloud Next, which kicked off today in San Francisco and virtually. A key component of the $5.4 billion deal, he said, is that Google will allow Mandiant to remain "controls agnostic."

Endpoint security products feed "telemetry to the brain," Mandia said. "Network security monitoring tools give telemetry, and firewalls give telemetry to the brain. One of the things we can do best at Mandiant, combined with Google, is be that brain, be the hub for all the spokes."

Mandiant likes to position itself as one of the preeminent intelligence and incident response firms that's called in by governments and major private organizations alike to clean up the mess after really bad breaches. 

"We are the emergency room doctors when you need them most," Mandia boasted. "Mandiant doesn't get calls for the breaches that are simple. We get called when breaches that we all read about around a scale and scope and complexity where folks need help."

Google Cloud, meanwhile, brings expertise in big data, analytics, and artificial intelligence, he added. It can, apparently, pull telemetry from multiple sources and analyze that data at Google speed.

'Proactive offense'

With its latest multi-billion-dollar purchase, Google Cloud security will soon be able to combine offense with defense, according to Phil Venables, chief information security officer at Google Cloud.

"Chronicle, for example, and some of our other monitoring tools, they're more reactive defense," he told reporters during a briefing with Mandia and Google Cloud Security VP and GM Sunil Potti. 

The company's security analytics platform "looks through data, you look at events, you figure out what went wrong, and you respond to it," Venables said. 

"Whereas with Mandiant, we get to this place of proactive offense, so using validation to see how well your security tools are working, looking at the attack surface, figuring out what incidents and how you're responding to them," he added. "And joining those together, you get to do what we think is really important to get security right, which is to join the offense and the defense together." 

To hear Mandia describe it, Mandiant's in-the-trenches experience combined with Google's big data and automation technologies will produce the holy grail of security operations.

"If we can take that Mandiant expertise of finding the needle in the haystack, every day, and automate it, that's what everybody wants," he said. "And that's what we can do with Google Cloud."

Of course, much of the hard work of integrating the two companies remains to be done, and that doesn't always go well. The acquisition closed only a month ago, and while the companies joining forces makes for interesting discussions in the leadup to the cloud giant's annual conference, much of it is — at this point — still just talk.

First up: Chronicle

Google did unveil a piece of this broader vision today, however, with its Chronicle Security Operations software suite, available in preview. This takes the company's existing Chronicle security information and event management (SIEM) tech and adds in security orchestration, automation, and response (SOAR) from Siemplify, another 2022 Google Cloud purchase.

Additionally, Chronicle pulls threat data from two in-house sources, VirusTotal and Google Cloud Threat Intelligence, integrates alert management between the SIEM and SOAR components, and provides pre-packaged response playbooks to alerts.

• Google Cloud closes $5.4b Mandiant acquisition
• Google's plan to win the cloud war hinges on its security aspirations
• What keeps Mandiant Intelligence EVP Sandra Joyce up at night? The coming storm
• Google assuring open-source code to secure software supply chains

In the future, according to Google Cloud execs, Chronicle will also include Mandiant's incident and exposure management plus threat intelligence capabilities.

"We will be integrating, as core foundational capabilities, starting with the threat intelligence that's world-class from Mandiant — ongoing frontline intel, and creating an automated pipeline from that into the workflows," Potti told reporters. 

Then, further down the road, Chronicle will integrate Mandiant's products such as its attack surface management, red team-as-a-service, and security validation service.

This echoes Potti's earlier comments, when he told The Register that Google plans to use its internally developed tech combined with acquisitions to move customers to "self-driving" operations in the security operations center (SOC).

Combined with Mandiant's capabilities, "a SOC can transform into not just being a modern SOC, but becoming a proactive cyber defense," Potti claimed.

Confidential computing and supply-chain security

Also at Next, Google announced a new confidential computing service called Confidential Space. The idea behind confidential computing is to process encrypted data in memory without exposing it to the rest of the system. All of the major cloud providers have their own flavor of this, and Google introduced its Confidential Virtual Machines in 2020.

Its new Confidential Space service runs workloads in a Trusted Execution Environment (TEE) and uses a hardened version of Container-Optimized OS (COS) so organizations can collaborate in a secure, private space.

For example, banks can work together to identify fraud or money laundering activity while limiting access to the private customer information involved. Similarly, healthcare organizations can securely share MRI images and collaborate on diagnosis while locking down that data.

And finally, Google announced a fully managed software supply chain security product called Software Delivery Shield (SDS). It aims to secure code across its entire lifecycle, from development to production, and spans a ton of Google Cloud services from developer tooling to runtimes like Google Kubernetes Engine (GKE) and its Cloud Run serverless platform. 

SDS also includes Google's new Assured Open Source Software service it announced in May, which is currently in preview. It currently verifies the security of about 250 curated packages across Java and Python, and auto-generates Software Bill of Materials (SBOM). Also under the SDS umbrella: Cloud Build, Google's fully managed CI platform, now supports SLSA Level 3 builds to implement SLSA level 3 best practices by default. 

SLSA, or Supply chain Levels for Software Artifacts, is Google's framework for ensuring the integrity of software artifacts throughout the software supply chain. 

Moving to the production side of things, the supply-chain managed security service includes new security posture management capabilities for GKE, available in preview, which identifies and fixes security flaws in GKE clusters and workloads. ®