The Mirage of Mandiant: Post-Acquisition Follow-Up

Revisiting the strategic implications of Google Cloud and Mandiant following the Google Cloud Next conference.

Shortly after Google Cloud's acquisition of Mandiant was announced, I wrote an in-depth analysis of the strategy and impact on both companies. The analysis was highly speculative because very little information was public at the time.

The deal has closed, and Google is talking now. After a barrage of articles, interviews, and a full-on conference (Google Next) this month, now feels like an opportune time to revisit the topic, tie up any loose ends in my analysis, and highlight any areas that remain undetermined.

The purpose of today's article isn't to keep score on what I got right or wrong. Google's acquisition of Mandiant is a big and evolving topic in cybersecurity. It's important to stay on top of the evolution and how it impacts strategy — both directly for Google and Mandiant, as well as the second-order consequences for others within the industry.

There's no need to revisit every section of the original article. Some of it was context and background that's still a good read if you're trying to get your mind around this acquisition. Today, we're going to focus on specific (and interesting) topics based on the new information we have.

A quick note: this article has a few more long block quotes than usual. I did that to save you from having to jump back and forth between this article and the original analysis. For newer readers, it's also enough background for this article to be useful even if you haven't had time to read the original one yet.

On to the updated analysis.

What’s Going To Happen to Mandiant?

When the acquisition was announced in March 2022, a lot of big and existential questions came up. I summarized the sense of uncertainty like this:

Big picture, an acquisition changes the equation for Mandiant in a different way than going private and remaining an independent company. There is more uncertainty about what the future holds for Mandiant as we know it and how the company fits within the vast Alphabet (Google) empire. People have a lot of questions and concerns about what's going to happen next.

Questions about where and how Mandiant was going to fit within Google Cloud were valid, especially at the time. They're still valid now, but we'll get to that in detail later.

I felt some uneasiness when I first heard the acquisition news, but I quickly realized this was something Google was going to put its full resources behind:

Right on cue, the skeptics started talking about how Mandiant is (eventually) going to end up in Google's notorious product graveyard after the news was announced. There are a lot of valid questions surrounding the acquisition, but this isn't one of them. Mandiant is absolutely not headed for Google's product graveyard.

...

Alphabet employs some of the smartest people on the planet. They are absolutely not going to make a multi-billion dollar acquisition without a plan for making it successful. We should expect Alphabet to make the same level of commitment for Mandiant.

Google (Alphabet) and Mandiant kept us wondering for over six months. It was essentially radio silence from both companies as the acquisition completed diligence, regulatory review, and closing. That's par for the course with large acquisitions like this.

However, concerns about Mandiant being dismantled were summarily dismissed in the wave of post-acquisition media appearances:

...and also the important little details like employee swag:

The employee swag part might not seem like an important detail, but it's more symbolic than you might think. If Google were only paying lip service to keeping the Mandiant brand, you'd see a media blitz and no employee appreciation or perks behind the scenes. The fact that Google went as far as customizing swag for 2,000+ Mandiant team members is a small indicator of the importance they're placing on integration and retention.

Why was keeping the Mandiant brand a no-brainer? Instant credibility. From Kyle Alspach in Protocol:

In the world of incident-response services, which provide investigation and remediation after a breach, Mandiant is the marquee name. Without a doubt, linking up Google Cloud’s security business with Mandiant “adds a level of credibility” with customers, said Benny Henderson, cloud practice manager at IT services provider World Wide Technology.

The Google Cloud leadership team was definitive about continuing to use the Mandiant brand going forward. This shows the respect, value, and power of the brand Mandiant has developed. Mandiant's annual revenue is less than 1% of Alphabet's annual revenue, yet the intangible value of Mandiant's brand was worth keeping.

What About Mandiant's Professional Services?

Aside from what Google Cloud would do with Mandiant in general, the elephant in the room was the fate of Mandiant's professional services business:

Perhaps the biggest open question about Alphabet's acquisition of Mandiant is what will happen with their well-known professional services business. It's a valid question with the potential for significant impact depending on what Alphabet decides to do.

The starting point couldn't be further apart. As I quipped in the original article, Alphabet literally calls Google's products "services" in earnings reports. It's no stretch to question whether a company with product so deeply engrained into its DNA has the long-term appetite for cybersecurity professional services.

Productized services was the direction Mandiant was headed as a company when they divested FireEye — long before Google came around. Once Google entered the picture, the mutual alignment with moving away from pure services was obvious:

Google's idea of "services = products" seems to align well with Kevin Mandia's recent "we're not a services company" declaration...except that professional services makes up roughly half of Mandiant's annual revenue. It's even more nuanced than that, though — mainly because the other half of Mandiant's business also includes services sold via subscriptions. Mandiant is a professional services business that's actively trying not to be. And Google would be glad to help with that.

I may have taken this prediction a little too far by floating the idea that Google could end Mandiant's consulting business entirely:

In the long run, subscription-based services revenue is likely to be much more appealing to Google than one-off, non-recurring professional services projects. I wouldn't be surprised if Google ends Mandiant's consulting business entirely. That statement may sound heretical, but it's definitely in the realm of possibility.

Recent public comments have made it clear that's not going to happen. From Jeff Reed, VP of Product for Cloud Security in CRN:

Mandiant is a step function in terms of capabilities, both from a security operations perspective and the product side, but also the incident response and the consulting capabilities.

Also, the relationships that they have throughout the world with both enterprises and government institutions is really amazing.

However, my observation about subscription-based revenue being more appealing looks pretty accurate. I specifically called out the value of Mandiant's threat intelligence business:

Within the recurring, subscription-based services, Mandiant's Threat Intelligence and Managed/Automated Defense services should both be highly appealing to Google and its Google Cloud customers. Especially the world-famous threat intelligence services.

...

At an abstract level, threat intelligence is information. And great threat intelligence is highly valuable information. It's also notoriously difficult to organize and make universally accessible and useful — exactly the part Google specializes in.

...

The same concept applies for threat intelligence. Combined with tech, it gives customers information about cybersecurity threats. Mandiant is the best at sourcing this information. Google is the best at providing it. The combination is potentially a winning strategy.

That's exactly where this is headed with Google. From Jeff Reed in CRN:

We know that Mandiant had excellent threat intelligence, so it’s about how do we bring that threat intel on Chronicle as soon as possible? They do a bunch of things in a proactive perspective, so how do we do that now [at Google]?

My takeaway for Mandiant's professional services is "let's wait and see." The Google Cloud team clearly isn't going to abolish services on Day 1. Reading between the lines, their commentary implies some of Mandiant's services and subscription offerings are more valuable than others.

What happens to specific service offerings within Mandiant depends a lot on how much autonomy they retain. If Mandiant is truly a standalone business operating within Google Cloud, there's a higher probability they will continue offering their full range of services. If Mandiant gets partly or wholly integrated into Google Cloud, I expect we'll see the core incident response and threat intelligence service maintained and non-core services retired.

How Will Mandiant Advantage Fit Into Google Cloud?

The fate of Mandiant Advantage is complicated. Google Cloud's portfolio of security products — Chronicle, in particular — has a checkered past. They're at an interesting crossroads with the revitalization of Chronicle, the acquisition of Siemplify, and the addition of the Mandiant Advantage platform.

The death of Google Chronicle was greatly exaggerated — or, so it appears in hindsight. Mandiant's data and technology platform is clearly being viewed as a breath of fresh air into the current iteration living within Google Cloud.

The Chronicle project has had its share of issues, no doubt. The vision has shifted from the astronomical moonshot expectations Chronicle was born into nearly seven years ago within X. From former Chronicle CEO Stephen Gillett:

We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find. We are building our intelligence and analytics platform to solve this problem.

The announcement went on to (ominously) predict:

We know this mission is going to take years, but we’re committed to seeing it through.

The first part was right — Chronicle's mission is going to take years. The second part, not so much. As lofty internal projects often go, the project's leadership stepped down as the formerly standalone company was acquired and folded into Google Cloud.

Five years later, Google Cloud is still holding up the commitment of seeing it through. As Chronicle Co-Founder and Chief Security Officer Mike Wiacek wrote when announcing his departure:

Chronicle is in good hands with the brilliant folks at GCP, and I hope to see amazing things continue to happen. I may not be a custodian of it anymore, but I sincerely want to see it thrive! We had only just started to scratch the surface of what could be, and the future potential is so very high.

He also left a clue that's much more clear in hindsight:

What’s next? Well, that’s easy, “Second star to the right, and straight on ‘til morning.”

"Second star to the right, and straight on ‘til morning" is a quote from Peter Pan about finding Neverland. In this story, it translates to keeping a sense of curiosity and pursuing your dreams. For Wiacek, that meant founding Stairwell — a startup that, in some ways, is the spiritual successor of Chronicle's original vision.

With the acquisition of Mandiant, Chronicle itself is undergoing a major transformation. This month at Google Next, the next iteration of Chronicle was unveiled. Google summarized both the current and planned changes in their announcement:

Chronicle Security Operations brings together the capabilities that many security teams depend on to more quickly identify threats and rapidly respond to them. It unifies Chronicle’s security information and event management (SIEM) tech, with the security orchestration, automation, and response (SOAR) solutions from our Siemplify acquisition and threat intelligence from Google Cloud. The recently-completed Mandiant acquisition will add even more incident and exposure management and threat intelligence capabilities in the future.

Moving forward, all security operations software will come under the Chronicle brand. The Siemplify brand will be replaced with Chronicle SOAR, and security analytics capabilities of the suite will be named Chronicle SIEM.

A couple things stand out:

  • This answers the question about where the $500 million Siemplify acquisition fits into Google Cloud's product equation.

  • The announcement itself was more about the future than the present. It made clear that any of Mandiant's tech and data that Google chooses to keep will be part of the Chronicle brand and platform.

From a product and engineering standpoint, it's too early to expect much (or any) of Mandiant's threat intelligence data or the Mandiant Advantage platform to be integrated. There's a lot of product planning and rationalization to do.

Jeff Reed outlined the initial planning and rationalization to CRN:

Think of the security operations space and what we’ve done with Chronicle. We’ve been focused on the analytics, the SIEM [Security Information and Event Management] market, we acquired Siemplify and integrated orchestration, automation and response to that.

What Mandiant adds is capabilities like validation and attack service mitigation. Chronicle in that world is more of a reactive defense—so looking for data, trying to find what might be going on in your environment, threat hunting and all that.

...

One of the big things we’re talking about is how we’re bringing those capabilities together with what we’re doing with Chronicle and the SecOps [security operations] space.

So you’re going to see a set of new offerings come out over the coming quarters that are tying together what we’re doing in Chronicle with what Mandiant has done in validation, attack surface mitigation and threat intelligence.

Google has already given us an early glimpse. Part of the Mandiant Advantage automated defense platform has been branded "Breach Analytics for Chronicle." Re-platforming other Mandiant tools is also underway. From Jeff Reed via CRN:

Another good example is the Mandiant incident response teams are rebasing the tools that they use when they’re called in to investigate a breach, so it runs on top of Chronicle.

Consider these examples a placeholder for now — I'm sure there will be many more changes and, eventually, a lot more clarity to come.

Mandiant's Threat Intelligence

Mandiant's threat intelligence offering turned out to be a far more important part of the deal than I originally discussed. I raised the question about whether it would continue at all:

A topic the information security community is particularly interested in is whether Mandiant's public research and threat intelligence information sharing is going to continue.

Financially, it's a valid question — threat intelligence and public research is expensive to maintain. Along with incident response services, threat intelligence is Mandiant's bread and butter. Strategically, it makes a lot more sense for Google to invest in growing and integrating Mandiant's threat intelligence than doing away with it.

The Google Cloud leadership team has had nothing but high praise for Mandiant's threat intelligence. From Jeff Reed:

They also bring amazing threat intelligence. They are there in the world’s worst breaches. So they have some of the absolute freshest threat intelligence that we’ll also complement.

As it turns out, integrating Mandiant's threat intelligence is one of the first major areas of investment for Google Cloud. Again from Jeff Reed:

"...threat intelligence integration, their proactive controls and bringing those together—that is already off and running."

Unsurprisingly, these comments and priorities are slanted towards Mandiant's paid threat intelligence offerings; however, it's safe to assume the public research and reporting is likely to continue as well.

Antitrust? Nah.

At the time of the acquisition, many people (including me) pointed out the potential antitrust implications:

First, it's not completely certain this deal is actually going to close. There is already speculation and demands for the transaction to be struck down because of antitrust. Alphabet is already facing significant antitrust scrutiny from regulators. Tech regulation in general is en vogue with governments across the globe.

From the outside, antitrust seems to have been a non-issue for Alphabet with this acquisition. The real headline was how quickly the United States Department of Justice (DOJ) came to a favorable decision and put investor concerns to rest.

The DOJ did conduct a probe starting in April. It was effectively over by mid-July after the DOJ granted an early termination of the waiting period for the transaction.

I didn't try to predict the timeline, but I did expect this deal would eventually be approved and move forward:

Antitrust is a fluid topic, and I'm certainly not an antitrust lawyer. However, it seems unlikely this acquisition is going to be blocked. Despite the likely drama and rhetoric, reasonableness should enter the picture at some point in the process. The case against this being an antitrust concern is relatively strong.

Ironically, there was a lot of post-acquisition discussion about how the deal could help create competition. As Google Cloud CISO Phil Venables told Axios:

There's a little bit of a sigh of relief that there is going to be some competition to the other company [Microsoft] that typically serves government.

Longer term, I expect the deal actually will create competition — just not exactly how Google's leadership team is predicting. There is already an emerging class of technology-enabled companies in Managed Detection and Response (MDR), Incident Response, Threat Intelligence, and other areas of the cybersecurity ecosystem where Mandiant operates.

Mandiant’s Future Within Google Cloud

After my original analysis, I felt pretty optimistic about Mandiant's chances of success within Google:

...I feel a lot more positive and optimistic about the combined future of Mandiant and Google. The new Mandiant may have been a mirage, but I'm hopeful the best parts of their vision can still be carried out — and maybe even improved and accelerated — under Google.

I still feel that way now — even more so with commentary and details that have emerged in the past month.

This acquisition is clearly a priority for Alphabet. From Phil Venables via Axios:

It's not this kind of little acquisition. It's this big part of our ongoing security transformation in terms of building a much bigger security business.

Alphabet takes big acquisitions seriously. If the historical track record of other large acquisitions is an indicator, that's great news for Mandiant.

If we zoom out and look at the vision behind Mandiant's productized services model, it's exactly what Google is world class at — information. From Jeff Reed in CRN:

...we at Google love trying to solve really hard problems. In a place like security operations, it’s based on Google’s expertise in large data, search and analytics.

So that really works well in the sense that we are able to ingest and index amazing amounts of data.

We can search them with other tools—which would take others minutes or sometimes hours—in less than a second.

So that’s just something that we’re just really good at from my core engineering technology perspective. We’ve applied that expertise to the security operations.

Both of those are really based on things that Google broadly is uniquely capable of.

Google's decision to put its full resources behind security operations is a big deal. As I previously discussed in An Intro to Consolidation and Aggregation in Cybersecurity, cloud providers like Google Cloud are driving aggregation in the industry:

Cybersecurity companies aren't the ones doing the aggregating; they are being aggregated. Aggregators (cloud providers) are modularizing suppliers (cybersecurity product companies) and using control of customer demand (businesses using their cloud services) to control distribution of products and services (via marketplaces).

When aggregators enter the picture, existing demand and distribution models can change entirely. Operating at the scale of an aggregator makes new things possible, usually in favor of the aggregator (Google Cloud, in this example). Here's one example, again from Jeff Reed in CRN:

...we’re able to take these amazing economies of scale around [the fact that] we produce our own security chips at Google, we custom-build hardware to reduce the number of peripherals, we are able to do things that any single organization is not going to have because of our large IT budget.

But because we’re servicing tens of thousands of customers and our own Alphabet stuff, we can make these additional investments in security that wouldn’t make sense for anybody else. It makes sense for us.

It's still too early to tell all of the possibilities that will be unlocked for Google by owning Mandiant. Similarly, we can't know for sure what every downstream impact will be on the rest of the industry, positive or negative.

Most of the challenges that come with acquisitions are still likely to happen here: mistakes will be made, people will move on to new opportunities, and some of the lofty expectations and goals may not be achieved. However, it can still be a huge success for both companies, even if everything doesn't go quite as planned.
