The Gately Report: Google, Threat Intelligence Provider Mandiant 'Powerful' Force Against Cybercriminals
Plus, SentinelOne's CEO shoots down rumors of its potential acquisition.
![Protection against cybercriminals](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blte256ae1c63b2b3d9/6537c9e19ea812782404543c/Protection-against-cybercriminal.jpg?width=700&auto=webp&quality=80&disable=upscale)
Ole.CNX/Shutterstock
Channel Futures: Several generative AI enhancements to Google’s security products were announced during Google Cloud Next. What prompted the need for these?
Eric Doerr: So we talk a lot about this framework of threats, toil and talent as the big problems that most organizations are struggling with, the rise and velocity of threats and the threat landscape, the drudgery and the average security job in toil and then talent, the well publicized shortage of security talent. So the things that we announced go right at the heart of each of that for each of the products.
CF: Can you give some examples of how these enhancements will help organizations fend off cybercriminals?
ED: The Mandiant Threat Intel product is for someone who’s in an organization whose job is to do research on threat actors and help the organization prepare. Let’s say you’re in oil and gas, and you ask who’s targeting oil and gas? What are their tactics? What should I be worried about? How are they evolving, etc. So it’s a lot of research and then turning that into action for an organization. The great thing about our product lineup is we have tremendous amounts of content from this awesome group of people who do all this research at Mandiant, and they’re now part of Google Cloud, but it can be overwhelming at times. So if you search oil and gas threat actors, you’ll get a lot of information. And so what we’re doing with generative AI, Duet AI, is auto summarizing the information that’s there, making it easier for you to pick out the nuggets that are most important. It’s really a productivity boost for these people in this example.
Another example is our Chronicle product, which is about bringing all of the event data, the security logs that are generated in an organization from your infrastructure, from the desktops and mobile devices that your employees have, all the way up to your cloud infrastructure, bringing it in and then running powerful detections and looking for bad activities. What this does is it helps people who are maybe early in their career who are still kind of ramping up on all the syntax, all the techniques, etc., be more productive. And then the third example is a product called Security Command Center, which helps you secure your Google Cloud Platform (GCP) workloads that are built on top. This technology is amazing to analyze everybody’s unique infrastructure in real time and say here’s an attack path analysis you should think about. So those are a few of the things where infusing Duet AI in these security products helps people just protect their organizations better.
CF: How will Google Cloud partners benefit from these generative AI enhancements?
ED: Everything we’re doing in our first-party security products is built on top of this open platform we’re building. And we announced a number of partners in June. There are two categories of people who are also now using it. Some are other security companies, folks like Broadcom and Accenture, who does a lot of security work, a number of others like SentinelOne, and a few others who are now working very closely with us and who will build their own deep security generative AI solutions on top of the same platform, on top of that same security large language model (LLM).
And then the other one is we’re working with a set of end customers, think average Fortune 500 companies who license a lot of security technology, but their environments are complicated enough that they also end up building some custom solutions that connect things together or bring in proprietary information they have. And so we’re giving them the tools to take the work that we’ve done and use it, but also to then further fine-tune it with their own proprietary.
CF: Tell me about your role with Google. Is it a constant race to stay ahead of cybercriminals?
ED: Yes, it’s a constant race. I lead the engineering team for our security operations work. Think broadly about what does it take to defend a company 24/7/365, I’m responsible for the team that builds all the tooling that we use to help people do their jobs. That includes a bunch of things Google has been working on for a number of years, things like the Chronicle product, as well as a few acquisitions we’ve made over the last few years, like a company called Siemplify, as well as Mandiant. And we’ve been fusing all of that great technology and all that great information into a coherent and holistic solution that helps these poor people that sit in security operations centers (SOCs) do their job. And it is a race. The transformation that we’re doing is if you look at the norm today, a bad actor figures out a new technique that’s effective against normal setups, whether that’s a vulnerability in a piece of software that’s widely deployed or some other clever technique. Companies don’t talk to each other very much. There’s all sorts of reasons why it’s hard to be public about I just had a breach and here’s what I learned from it. So the norm today is a bad actor will use a technique, literally hundreds if not thousands of times over months or in some cases years, before enough of the industry has heard about it to then get the right countermeasures built into security products and adopted by enterprises around the world. This is deeply frustrating as someone who’s trying to make the world a safer place. The one thing the defenders have going for them is we outnumber the bad guys. And yet it’s hard to work together. So this is a place where generative AI actually helps quite a bit. We get to see a lot of those early techniques before anybody else.
And so what we’re really focused on is how can we very quickly get that in our pipeline and inoculate the whole population? There’s a set of people who directly use our security controls. Those people we can inoculate literally in close to real time. It’s under 30 minutes from when we see a threat to when we’re actually blocking that threat automatically in customers who’ve deployed our security products. But of course, the other side of it is broadly educating defenders around the world. So we do a lot through blogs that we publish about threat actor techniques, information we send out to defender networks around the world. So we’re trying to protect everybody as fast as we can. You can’t promise there will be no patient zeros, but if we can shrink the time from a patient zero and the number of people that then get further infected from that same technique, you start to change the dynamics of the chase and start to have the benefit of we outnumber the bad guys.
CF: Are cybercriminals constantly changing tactics and techniques? What are their latest go-to tactics?
ED: It’s a multifaceted answer given the diversity of cybercriminals. Cybercrime is big business these days so there’s billions and billions of dollars to be made in cyber crime. And so it attracts lots of people who maybe don’t start very sophisticated. And organized crime has moved to cybercrime. So there are well-funded, organized crime groups that are just in it to profit, it’s not personal. And then you, of course, have the nation-state actors that have different motives and they do different things. But in general, I would say the one thing that’s reasonably consistent is it is a job for everyone. And they’re quite incented to do as little work as possible to achieve their objective. There’s a set of commodity attacks. The more sophisticated actors will have a set of tools in their portfolio and they’re very good about using the simplest, cheapest tool possible that will be effective. And a lot of times they’ll try the cheapest, and if that doesn’t work they’ll try the next cheapest and they’re just systematic about it. They know that every time they use it, the odds go up that people will figure it out and then start to broadly protect against it. And then that thing that costs them a bunch of money to develop is now less useful. So you do see constant new threats and new attacks, but you also see just a lot of stuff that as a security professional, you say why is that still effective? Well, it’s still effective because there’s enterprises who just haven’t deployed the basics, and a lot of these basics are free.
The other thing we’re trying to do is make anybody who builds their infrastructure on Google Cloud have the infrastructure be secure by default and have the easy path be the most secure path, which is not the norm. The easy path has to be the secure path. And we can’t make security a thing that’s an afterthought because you’re just pushing the complexity to the customer. The right place for that complexity to live as a cloud provider is for us to work through that complexity and make it easy for other people.
CF: Is Google’s security strategy evolving along with the evolving threat landscape? If so, how?
ED: Yes, for sure. You do have to understand how tactics and techniques are changing. And different actors do different things, they’re selective based on the target. So if they’re going after a mom-and-pop corner grocery store chain, they’re probably not going to bring out their best, their toughest thing. If they’re going after a Google or a U.S. government agency or a Wells Fargo, or any of the big companies that spend more on internal security and things like that, they’re going to tend to bring out their more novel attacks to try to be more successful. That’s a place where Google has invested a lot for many years. And bringing Mandiant in, we brought in a whole bunch of expertise and experts. One of the beautiful things about Mandiant is they’re really the first call for most of the Fortune 500 when something bad has happened. So it’s the privilege of helping those companies in their time of greatest need, and also we get to see those attacks firsthand. So then we use that to protect our broad customer base, and of course we take that information and also use it to better protect Google as well.
CF: A lot of organizations are having budget challenges. How can Google help partners meet these organizations’ cybersecurity needs on a tight budget?
ED: We’re very focused on delivering outcomes at scale with incredibly high automation and at very reasonable costs. In a lot of cases, what we find when we work with a customer is they’ve got six different tools that are kind of wired together. They’re not very happy about the outcomes and they’re spending a pretty big chunk of money. So it’s rare that we show up and say hey, we want to be your seventh tool. It’s much more often that a customer brings us in and says, look, here’s my situation, and we say let us replace three of those or five of those, and we can do it actually for the same or lower, in a lot of cases significantly lower cost and better outcomes, better automation, etc. In addition, this is a place where generative AI is helping us even more. In a lot of cases, you’ve got a team of security personnel, maybe you’ve got a team of 10 people and you wish you had a team of 20 people, and you probably don’t have budget to have a team of 20 people. You probably would have a hard time finding 10 more trained security people in the cybersecurity market. And so if we can get those 10 people to be more productive, or if we can make it so that 10 people can do the work of 12 or whatever, the total cost of ownership overall is really advantageous.
We’re trying to shift both the reality and the narrative, and say that’s not OK, we can help you, but you need to think differently. It’s not about bolt another piece of technology on. It’s really rethink how you’re approaching some of these problems. Bring in the really modern cloud-powered technology. And that sometimes takes a mindset shift. Sometimes that’s our biggest blocker, helping people kind of realize you can do it, it is work, but it’s doable.
CF: In terms of cybersecurity, what can partners expect from Google for the remainder of 2023?
ED: We obviously are very excited about the generative AI work that we announced. We’re broadening the preview right now and we expect that to go generally available later in the year. We announced Managed Hunt for Chronicle. This is really bringing Mandiant’s experts looking over your data and helping you look for bad activity. A lot of customers have said I could really use someone watching over my shoulder and maybe helping, and so that’s something we announced at preview that will get more customers and move towards general availability. Hopefully you’ll hear more from us on how we’re protecting more governments with these extreme solutions. So I think that’s a few of the things that are on our mind for the rest of 2023.
Last week, speculation swirled that cloud security startup Wiz is interested in acquiring SentinelOne, a publicly traded cybersecurity provider worth more than $4.8 billion.
During SentinelOne’s latest earnings call for the second quarter of its fiscal 2024, Tomer Weingarten, SentinelOne’s CEO, clarified that his company isn’t for sale.
“We don’t comment on rumors or speculation, but let me be clear … our focus is on building an independent company for the long term,” he said. “We’re delivering substantial growth and margin improvement. And most importantly, we have the best technology and a clear strategic roadmap to disrupt a $100 billion market with the potential to multiply our current market share in the coming years. I think also our teams are executing well. Competitive positioning remains incredibly strong.”
SentinelOne is “laser-focused” on delivering the best innovation it can, the best protection it can for its customers and maximizing its business potential, Weingarten said.
“We believe we can do that the best as possible as a public independent, transparent company,” he said. “And I think that is as clear as I can be. On the Wiz thing, if you kind of bundle it on the acquisition rumors and all that stuff, I mean, again, I’m not going to comment on that, but it’s all pure speculation on their part and far from fact. So it’s, again, a head scratcher to me. If we kind of pivot to the partnership, we did not terminate the partnership. I think that’s again misconstrued. We actually canceled a reseller agreement. So we still partner with Wiz, we still work with them on the field level. We still think there’s some form of complementary technology there, and we’re focused on delivering customer outcomes.”
When customers want to use Wiz, SentinelOne will support that, Weingarten said.
“The technical integration is still there,” he said. “Wiz is a nice little startup, we like working with them. But again, in terms of the reselling agreement, we didn’t see any contribution from that. We didn’t feel like that’s something that is fulfilled on their end, so we decided to terminate that. Our cloud-native application platform is growing, I think, in a stellar pace. We’re definitely ahead of our targets. We just announced cloud data security. That’s a major expansion to our workload protection platform. Obviously, triple-digit growth for our cloud business year over year for a few good quarters now and a couple of years now is obviously giving us a lot of confidence that we can continue and grow that, and we’ll continue to develop our own native capabilities alongside that.”
Last week, the U.S. Justice Department announced a multinational operation involving actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania and Latvia to disrupt the botnet and malware known as Qakbot and take down its infrastructure.
The Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm. The department also announced the seizure of about $8.6 million in cryptocurrency in illicit profits.
The action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud and other cyber-enabled criminal activity.
John Hammond, principal security researcher at Huntress, said this is “phenomenal news and incredible strides for our industry.”
“There’s no better word for it, it is just awesome to see the international collaboration and a huge effort that makes a massive impact to not only the Qakbot botnet strain, but also the ransomware syndicates that make use of it,” he said. “Historically, Huntress has seen firsthand an egregious amount of Qakbot infections, running rampant across the MSP/SMB space, so much so that the wider MSP community took note and we worked to address it. With that said, none of our past work compares to the monumental effort by FBI Los Angeles and the partnered agencies — they shared a great message that it is the work that we do together that successfully combats today’s threats. In my mind, this is another great foundation for our industry’s need to defend forward and bring the fight to cybercrime on a global scale.”
Jess Parnell, vice president of security operations at threat intelligence firm Centripetal, said this worldwide attack shows that no cyber threat is too small to pay attention to.
“Some might think that a simple spam email or SMS message is harmless, but, as we are constantly seeing, organizations all over the globe are getting hit daily by major cyberattacks that are oftentimes disguised as something else,” he said. “The dismantling of the QakBot infrastructure serves as a stark reminder that cyber threats are persistent and evolving. Implementing a comprehensive cybersecurity strategy, supported by intelligence-powered tools and proactive measures, is essential for organizations to maintain a healthy cybersecurity posture, and effectively safeguard their sensitive data and digital assets. By staying informed, proactive and collaborative, organizations can significantly reduce their risk of falling victim to cyberattacks.”
A new Claroty survey shows health care organizations are facing myriad cybersecurity challenges that require them to increasingly prioritize cybersecurity and compliance.
Claroty polled 1,100 cybersecurity, engineering, IT and networking professionals from health care organizations.
According to the study:
- Seventy-eight percent of respondents experienced a minimum of one cybersecurity incident over the last year.
- Forty-seven percent cited at least one incident that affected cyber-physical systems such as medical devices and building management systems.
- Thirty percent said sensitive data like protected health information (PHI) was affected.
- More than 60% reported that incidents caused a moderate or substantial impact on care delivery, and another 15% reported a severe impact that compromised patient health and/or safety.
- Of the respondents that were victims of ransomware attacks, more than a quarter made ransom payments. More than a third of those experiencing incidents in the past year incurred costs from the attack of more than $1 million.
“The health care industry has a lot working against it on the cybersecurity front—a rapidly expanding attack surface, outdated legacy technology, budget constraints and a global cyber talent shortage,” said Yaniv Vardi, Claroty’s CEO. “Our research shows that health care organizations need the full support of the cyber industry and regulatory bodies in order to defend medical devices from mounting threats and protect patient safety.”
Additional findings show that increased standards and regulations fuel stronger cybersecurity. However, there’s more work to be done:
- Nearly 30% said current government policies and regulations require improvement or do nothing to prevent threats.
- National Institute of Standards and Technology (NIST) and HITRUST cybersecurity frameworks were selected by the most respondents as important to their organizations.
- Forty-four percent cited regulatory developments such as mandated incident reporting as the most influential external factor in an organization’s overall security strategy.
The survey also found the cyber skills shortage is still a top challenge. More than 70% of health care organizations are looking to hire in cybersecurity roles, and 80% of those hiring said it’s difficult to find qualified candidates that have the skills and experience required to properly manage a health care network’s cybersecurity.
It’s nearly a year since Google completed its acquisition of cyber threat intelligence provider Mandiant, and it’s already proving to be a “powerful” combination in the fight against cybercriminals.
That’s according to Eric Doerr, Google’s vice president of engineering for cloud security. We spoke with him at last week’s massive Google Cloud Next in San Francisco.
Google’s Eric Doerr
During the conference, Google announced numerous security enhancements, including Duet AI in Mandiant Threat Intelligence, Mandiant Hunt for Chronicle, and more.
“I think we’ve made a lot of great progress bringing together the two companies,” Doerr said. “The thesis was quite simple that the combination of amazing expertise and threat intelligence, and some of the tremendous technology that Mandiant had built, combined with the resources and technology, and systems that Google had, would be a powerful combination together. There’s a lot that we’ve done in the last year and of course, a lot more we’ll do in the next year.”
Frontline Threat Intelligence
When Google sees a new threat, it can automatically block that inside of a customer’s environment within 30 minutes, Doerr said.
“That’s a Mandiant piece of technology that started with the frontline intelligence,” he said. “I’m on the ground at some customer site. I see something scary. I reverse engineer it, figure out what it is, put it in our database, and now we pipe it over and start seeing if it matches against customers. That is an integrated scenario. That’s something Mandiant couldn’t have done standalone, and it’s something Google couldn’t have done standalone. It made sense for that to be together. We bring together this mix of the breadth and depth of visibility that Google has across the whole internet, and the depth and breadth of visibility that Mandiant brings from helping customers in the worst of the worst breaches, and it really comes together into a powerful connection that can really help people protect themselves.”
Chronicle CyberShield is another fusion of “everything that makes Google great and everything that makes Mandiant great,” Doerr said.
“We built this originally with the Israeli National Cyber Security Directorate,” he said. “These are the people who are in charge of defending Israel and the private sector in Israel. It has been a great collaboration. It’s now running, defending Israel, and we packaged that up now as a solution. So now we’re in talks with a number of other governments around the world who are saying hey, I have the same problem, I need the same kind of thing. And so it’s really another powerful example where you can take the special sauce of Mandiant, and the scale and power of Google, and bring it together into something that’s holistic. We’re giving you something that works end to end, that is designed to work end to end, but is still customizable to you because everybody’s a little different and everybody’s needs are a little bit different.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.