In a deal worth $5.4 billion, Google would expand its security portfolio with managed detection and response (MDR) and threat intelligence, with an increasing focus on automation.

Google has announced its intent to buy incident response (IR) firm Mandiant for $5.4 billion, with the goal of broadening its portfolio of cybersecurity services with a company known for its IR investigations. That includes its response to the massive 2009 Aurora attacks, which compromised hundreds of companies — Google among them.

The acquisition will expand Google's revenue from cybersecurity services, give the company access to more real-time threat intelligence, and more tightly integrate those services into the Google Cloud Platform (GCP). In addition, Google will benefit from Mandiant's plans to expand its automation of detection and response services to help companies cope with the unmet demand for cybersecurity professionals, said Kevin Mandia, CEO of Mandiant, during a press briefing.

"We have been on a mission to automate security and secure the cloud," he said. "Even though many look at Mandiant as an incident response company, we are not in business to be solely an incident company. ... By coming together with Google, we get the investment we need to continue automating incident response."

The planned purchase of Mandiant is the latest move by Google to bolster its cybersecurity products and services. In August, the company pledged to spend $10 billion to boost software security, including investments in bug bounties and donations to open source software projects. Mandiant will join other recent Google acquisitions — such as security orchestration, automation, and response (SOAR) firm Siemplify, which the company acquired in January — to deliver additional capabilities.

Google Cloud Platform
Integrating Mandiant into GCP gives Google a stronger revenue stream linked to IR as well as other services that can be integrated into the platform, such as threat intelligence, testing and validation of security controls, and risk management. The full suite of capabilities provided by Google, many of which come from recently acquired companies, should be attractive to enterprises, says Phil Venables, vice president at Google and chief information security officer at Google Cloud.

"We are clearly going to spend time thinking about how the integration will work in the right way," he says. "But when you look at the elements of this, it is a pretty compelling set of technologies and services that can really benefit enterprises and all organizations in their end-to-end security mission. It brings a lot of fresh competition to the marketplace and really responds to what customers are asking for."

While Google is not willing to discuss plans for the final form of the integrated companies, Mandiant will still support its customers and work with companies that are not Google customers. The integration of Mandiant into Google should help businesses because the broad base of threat intelligence should provide better information to customers of either company, says Neil MacDonald, distinguished research VP at business analysis firm Gartner.

"The deal benefits customers even if they don't run on the Google Cloud Platform because there will be a halo effect," he says. "Google's security will be improved by Mandiant, so customers benefit from that expertise and data from its services."

The halo effect will not just help businesses but all of Google's consumer customers as well, said Alberto Yépez, co-founder and managing director at Forgepoint Capital, in a statement sent to Dark Reading.

"Everyday Internet users will benefit from this deal because Gmail and Google Apps — plus all of the other Google business applications — will now be armed with Mandiant’s insights on threat vectors and cyber criminal organizations around the world," he said. "This context is critical for attack prevention. Layering that context with the use of big data and AI allows Google to be significantly more effective in preventing attacks."

The acquisition ends eight months of reportedly competitive talks to purchase Mandiant following the sale of its FireEye security products business to Symphony Technology Group for $1.2 billion in June 2021. Symphony had previously bought McAfee's enterprise security business and renamed the McAfee and FireEye enterprise businesses as Trellix. The company formerly known as FireEye rebranded itself as Mandiant during the divestiture of its FireEye products business at the beginning of October.

First It Was Microsoft 
Until recently, Microsoft had been rumored as the favored purchaser of the company, but talks ended earlier in March. GCP needs the capabilities more than Microsoft's Azure, which already has Active Directory and the Defender endpoint detection and response (EDR) service, said Jeff Pollard, vice president and principal analyst at Forrester Research, in a statement sent to Dark Reading.

"GCP is playing catch-up to Microsoft in cybersecurity and lacks its competitors’ inherent advantages in the enterprise: endpoint and active directory," he said. "That forces [Google] to pay a premium and be more aggressive, which it's signaled a willingness to do."

The focus on automation is unsurprising. The US and other developed countries face significant cybersecurity threats but continue to have far too few cybersecurity professionals to deal with the problems. Currently, US companies have open requests for almost 598,000 cybersecurity positions, which is 57% of the total employed cybersecurity workers in the US, according to CyberSeek, a collaboration between Emsi Burning Glass, CompTIA, and the National Initiative for Cybersecurity Education (NICE).

However, much of the basic cybersecurity work is repetitive and can be automated, says Mandiant's Mandia.

"As we are having the conversation, Mandiant is responding to 150 breaches, and I would say 85% to 90% of what our folks are doing, we have done it before," he says. "If we can automate that capability to go through all the data that people are harvesting to secure their networks to find the needles in the haystacks — if we can automate what we do, the need for people will decrease."

Mandiant found a suitor with deep pockets in Google, which helps as the company reinvents its business, Pollard said, pointing out that there are still gaps in Google's cybersecurity capabilities. Most pressing is the lack of an endpoint detection and response (EDR) platform to compete with standalone offerings and Microsoft's Defender for Endpoint.

"We expect an EDR tool is next on its shopping list," he said.

Google has agreed to pay $23 per share in the all-cash deal. The acquisition still has to be approved by regulators and stockholders. Mandiant investigated the 2009 Aurora attacks that compromised at least two dozen companies — but later reports estimated hundreds — including Google.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
