Google to Acquire Mandiant (mandiant.com)
353 points by ideksec on March 8, 2022 | hide | past | favorite | 113 comments


Kevin Mandia was always incredible at finding a grade A talent pipeline of IR professionals that enabled Mandiant to always be the folks that responded to the incidents "that mattered" (his words).

Their APT-1 report (https://www.mandiant.com/resources/apt1-exposing-one-of-chin...) they released in 2013 was at the time unprecedented and brought awareness to nation-state sponsored hacking to a much broader audience than ever before.

As someone who worked there in the early days (a little over 100+ employees) as an entry-level peon, I always felt I had the ability to walk into Kevin's office at anytime and tell him something I thought was important and get attention and respect back.

While much of the organization has changed in the last 3 years, the constant has always been Kevin and the amount of work they put in to recover from the disastrous FireEye acquisition, preserve the brand's integrity, and to parlay that into such a positive acquisition for the employees and shareholders is an incredible outcome.

Congratulations to both Google and Mandiant.


When I was a FireEye intern, I got to meet Kevin Mandia and it really left an impression on me. He came up to me unprompted after an all hands and introduced himself, and seemed genuinely interested in me and what I was working on. Then, my co-intern came up, and Mandia actually remembered his name and everything from his previous internship at the company. I remember thinking, this is a great and highly motivating CEO. It's awesome to see that his hard work has paid off, I hope I get to work with him directly someday.


The link above has a typo, here's the corrected link: https://www.mandiant.com/resources/apt1-exposing-one-of-chin...


What happened with the FireEye acquisition?


FireEye was nowhere on the same level as Mandiant and the two companies split and FE was purchased by STG for $1.2 billion.


Interesting. A month back Microsoft was exploring this acquisition.

Microsoft Corp. is in talks to acquire cybersecurity research and incident response company Mandiant Inc... Mandiant shares surged 18% in New York, bringing its market value to almost $4.3 billion.. A deal might also push cloud rivals Amazon.com Inc. and Alphabet Inc.’s Google to pursue their own similar acquisitions

https://www.bloomberg.com/news/articles/2022-02-08/microsoft...

And from the current event:

..acquired by Google LLC for $23.00 per share in an all-cash transaction valued at approximately $5.4 billion


Seems like they have ~500 employees, so the price is over $10M/employee. Obviously a good time to sell a security company right now.


It's also $10M per employee for a services company (AFAIK their SaaS revenue streams are secondary).


It’s an interesting concept buying a services business like that. Nearly all the value is in the staff who are all free to walk if they feel inclined.


> Nearly all the value is in the staff who are all free to walk if they feel inclined.

That hasn't been my experience with security services companies. Sure, people matter, but the processes, technology, and leadership can keep a good one on track regardless of who leaves.


Wouldn’t the better comparison be based on revenue?


Google doesn't buy revenue, they buy employees.


and in this case, an organization.


What makes you say that?


Google is well known for the acquihire. They aren't Berkshire Hathaway, they aren't just assembling a portfolio of companies. They have their own product plans, and generally buy out other companies as a way to get pre-built teams with the right specialties to accomplish that.

Also, it's very unlikely Google wants to be in the incident response consulting space: Google entirely hates any line of business that can't be automated into a smooth profit paste. Flying security professionals out to clients isn't in their DNA.


Likely MS made the offer, and Mandiant's bankers shopped it around to Google.

As much as Investment Bankers maybe be a drain on society, they DO provide value to certain capital-holders.


Is it just me, or does it seem crazy that we all just accept that private businesses are obligated to protect themselves from state-sponsored hacking?

Imagine if Wal-Mart had to fund a private air force and patrol over their stores in order to combat foreign bombers coming in and everyone was like, "Yeah, that's just how it goes."

Isn't a primary responsibility of government to protect its citizens and businesses from other states' militaries?


I think that the closer metaphor would be if an American business was having to hire private security resources because it was on some resource finding expedition in an unsavory part of the world, which is exactly what happens all the time. Exposing your business to the internet is like opening up an infinite number of storefronts everywhere, and a good number of those places are not where you want to be.


Exactly - the internet is a hostile place, because of its openness, which is (was?) a core design trait. As much as it hurts, you can't have the freedom of the internet without allowing bad actors some degree of freedom, too.


it isn't really a great comparison because while land borders are clearly defined and the military can easily march up and repel some invader, that's not the case for digital attack surfaces.

Every company's IT looks different, it's hard to tell whether an attack is private or state sponsored, often where or who it is originating from, and how to defend against it varies from case to case.

So it's hard to imagine what exactly it is that the government is supposed to do at a company level. Of course at an ISP level or when it comes to national infrastructure the government can do things, but I don't see how the government protects a middle-sized business from cyber attacks.

The government could probably do a lot of preventative things like sponsoring and funding security audits of open source software, but when some hackers exploits my broken config or some API it's not clear to me how the government is supposed to prevent that. They can't read every line of source code in the country.


Realistically, I'd like to see the government develop software and tooling to mitigate these concerns. They already do at a low level for cryptographic primitives (like SHA and RSA). Maybe they do the next couple abstraction layers up, a secure OS image that's regularly patched, a web server, a programming framework, etc.

Currently those layers are roughly provided by the big tech companies, and the government's involvement in making those more secure is PhD students and curious professors from (public) universities. It would be nice if that was a more directly employed org in the government.


I could see this happening as the processes mature. The Air Force already has hardened repositories for containers etc and "Factory in a Box" type configurations that the Defense Industry is supposed to start adopting for new programs. It is really neat, though it's so low-level at this point that it won't make sense for small businesses to use it unless their underlying platforms like Shopify, Instagram, and Blogger do.

https://software.af.mil/dsop/services/


> while land borders are clearly defined

I think we take for granted that they are clearly defined now because nation-states worked very hard to define, create, and enforce that concept. As I understand it, for most of human history there was no real notion of a well-bounded state and even today sovereignty is hotly debated in some areas.

So, it's not that enforcing land borders is intrinsically easy. It's that it appears easy because nations adopted it as their responsibility and do the work. Look at how much political energy was expended around Trump's wall between the US and Mexico to get a sense of how complex and effortful land borders are.

I don't see any reason that Internet sovereignty couldn't be equally well-defined and defended... except countries simply aren't doing it.


The difference is that the geographical boundaries of nations are (to a large extent) found, not made. So the lines of defense run along natural ones. If you're talking about building one on the internet you're talking effectively about creating the equivalent of the Chinese firewall.

The inter-net as the name suggests is a network, not a perimeter and runs across boundaries. If you want Trump's border wall on the internet you're talking about handing the government sole access and control to all information going in and out.

That's way beyond cyber defense of private business. And looking at some countries engaging in this right now you better be careful what you ask for.


Boundaries are established, they are not "found". Algeria, Angola and Namibia. Check the borders of those 3 countries, there is nothing natural about those borders.

Countries try to enforce their borders. And they normally regulate traffic through a custom, the rest is deemed unlawful.

More on the point: the current internet is a mess. Hopefully it collapses and a new network is built, with security in mind this time.


> So the lines of defense run along natural ones.

I think those boundaries are a lot less natural than you think when you take into account things like embassies, extradition treaties, etc.


The same could be said for buying door and window locks vs the responsibility of local police to guard your home.


This feels a bit reductionist. Parent post specifically calls out state-sponsored actors. It's fine to expect and require doors, windows, and locks. It is not fine to expect a commercial business or individual to have their own tanks and military on hand.

Organizations do bear responsibility for their security posture--and many have spectacularly failed in this responsibility--but let's not pretend that an employee being phished is equivalent to something on the level of the SolarWinds hack or any one of the many nasty bits of malware coming out of Russia.

State sponsored attacks are well funded and leverage one or more 0-days, which by definition cannot be defended against. The only way to stay ahead of a 0-day is to find it first, and that requires resources and expertise even large organizations are hard pressed to find in the numbers required.


I lock my door to keep out other US individuals from robbing me, not to keep out China and Russia.


World’s smallest fiddle. All the cyber talent is going to industry already because the popular mythology says government employees are shit and shouldn’t make a dollar. I’ll bet there are some politicians (and voters) who would go so far as to say government employees should pay the government for the privilege of working.

Meanwhile, the high risk basic R&D spend that underpins many US businesses (including most grad student salaries and research grants) is from the US Government. Every time one of those fails (Solyndra) the press points it out as a failure of government. Every time it succeeds (SpaceX) it’s attributed to the scrappy entrepreneur and the government subsidy be damned.

The risk is socialized onto the taxpayer and the gains are privatized to the very rich. Look at the iPhone: internet (DARPA), cellular (developed to Army requirements based on Vietnam radio problems), GPS (DoD), multitouch (University of Delaware on an NSF grant). How about the Sand Hill boys spend some of that money on security instead of inflating Atherton real estate prices and laundering money through modern art auctions?


I tend to agree. And it does seem like US Gov has stepped up more and doing tighter industry cooperation (see Ukraine MSFT).

But there's also a perverse incentive. Offensive capabilities hidden and not patched.

And there's also issues with responding on US soil or assets.

Like would it be legal for NSA to proactively go into Google's networks or some internet infrastructure device without permission or court order? Even to do something good?


I wish people would think this through, think about the federal government protecting you from state-sponsored terrorism.

Do you really want the TSA on the internet? Because that's what you're asking for...


Businesses also need to protect themselves from burglary, despite that we have the police; fire, despite the fire department; et cetera.

Government is not an abdication of responsibility.


OP specifically addressed "state-sponsored hacking".

Not petty crime and local burglary.

I suspect you'll find that the state does involve itself in organised crime, smuggling, consumer and securities fraud, and the like.


If we accept that philosophically, how does it work in practice? Does the government provide a Cloudflare-like service that we all put our sites behind?


good point but the government/FAA controls the skies and not the internet which may or may not be a good thing


Are you suggesting the NSA should spend most of its budget on ensuring domestic businesses have better security (even if that means foreign businesses do too), instead of ensuring that foreign businesses have bad security (even if it means domestic ones do too, and that's being overly charitable and thinking US-based businesses being hackable by them isn't one of their goals too)?

What a shocking idea!


I don't think we want to lose ground on ownership or regulation of the internet.


I spent a few years there, FireEye messed Mandiant up something fierce, but Mandiant was never able to get its product going (with or without FireEye). Maybe Google can figure that part out.

I wonder what will happen to the engineers; there is definitely a lot of expertise at that company, specifically in the IR/security side.


I feel like this is an informal announcement that the product has been killed. Where would it live in the GCP portfolio?

As an engineer I would be stoked. The resources that Google can bring in terms of data, compute and depth of analytical skills would be very appealing. It’s probably going to be a disaster for the product folks but i think the engineers will be happy. At least for a little bit.


My experience having gone through an acquisition @ Google (albeit 10 years ago and in a different space) is you might go in with the thoughts like yours expressed here: "wow, cool, think of all the resources Google has to make our product even better."

In reality: your product will be sunsetted and replaced with a Google-created version of the same thing within two years; your key management (and other) talent will pace around for 3-4 years in frustration waiting for their stocks and acquisition bonuses to fully vest, and eventually most of the talent that can get a competing offer that is close to Google's proverbial buckets of cash will take that and leave.

That said, it might be different in Google Cloud where more of the infrastructure is closer to industry standard infrastructure instead of Google's bespoke creations. And there's a focus on the needs of what people outside of Google do and how they do it.


I did a short stint at Google and I saw this very thing. I think the one thing that’s a little bit different with Mandiant is that it’s largely a services organization. If they pigeonhole it as Google Cloud security then folks will bail very quickly. If they find a way to also extend it into their enterprise customer case as a value added service then I could see it being pretty interesting.


Assuming the engineers aren’t forced to re-interview for their own jobs in the common Google acquisition fashion.


In an acquisition of this size, it’s not typical to interview. HTC engineers did not have to interview AFAIK and having been at Fitbit I can say for sure that no engineers had to interview.

Interviewing happens with startups. When there aren’t interviews the assumption is that Perf will take care of non-performers.


The domain experts are best-in-class.

The engineers probably would need to be re-interviewed. Heh.


Of course they should be interviewed back, what's the alternative?

Hey team, so this is Steve from another department in another company. He's been assigned to our team, so. Of course we're handling text in the Chromium engine and Steve's background is in threat analysis, but I guess we'll figure something out along the way. Welcome, Steve.


The alternative is that they basically keep working on the same things. Maybe now there is some integration project.


Especially since they likely have 2-3 years of services contracts to burn through and don’t really have an org they directly overlay with inside Google. Enterprise security to an extent but also not.


that is already how google works. you get hired as a generic software engineer, and you pick up domain skills on the job every time you join a new team. someone working in threat analysis within google could absolutely put in for a transfer to the chromium engine team, and they would be expected to spend the first month or two getting up to speed on the codebase and specialised algorithms it entailed.


Well, it seems that the Google Chronicle was a semi-failure from all the signals that were coming out. I hope i'm wrong about Chronicle. Maybe this is a future replacement/iteration / improvement.

This could be a way to improve their offering and remove the "security argument" showstopper for cloud migrations.


Having used Chronicle, it felt like an underwhelming paper thin demo product compared to what the industry offers. May as well scrap it and lean on Mandiant's experience for a replacement.


There’s not a huge overlap between Chronicle and Mandiant. Mandiant makes most of its money off intel and incident response. Chronicle sells tools to do those.


Most everyone I know says that Chronicle was a failure.


Mandiant ending up as a glorified GuardDuty and Detective for GCP would be a travesty although I doubt that would be the outcome.


Possible acqui-hire - perhaps it's not the product they're after...


10 million per head is a hell of a sign-in bonus


What is their main source of revenue? They did about $483M in 2021.


Unlikely, google is good at Killing the products they acquire... not much else


For others who hadn't heard of this company, quoting from the link:

> Mandiant’s more than 600 consultants currently respond to thousands of security breaches each year. Paired with research from more than 300 intelligence analysts, these resulting insights are what power Mandiant’s dynamic cyber defense solutions – delivered through the managed multi-vendor XDR platform, Mandiant Advantage.


So, if you'd unbullshit this description, what are they doing?

This reads like they are a PR company covering everything computer.


They perform incident response and forensics for organizations that are compromised. Incident response is the highest bill rate infosec consulting you can do. It requires travel (used to, still does some today) and decently high technical skills. They are big and can combine the data their consultants collect into an intelligence platform that they sell as well.


> Incident response is the highest bill rate infosec consulting you can do. It requires travel (used to, still does some today) and decently high technical skills

I take a tiny bit of issue with that.

Cryptography consulting is a higher labor rate, and higher end pen-testing w TS SCI+full poly, and application security gurus are above, or equal to IR.

There are currently poaching wars going on around talented IR folks. A fortune 500 recently hired away an IR colleague with whom I collaborated around tap & agg with a FAANG type offer, RSUs, the whole shebang


By volume. Cryptography consulting is a very lucrative niche but there is an order of magnitude less of it happening based on my wild guesses. I have run a high end boutique for 9 years and been doing infosec consulting for 15 years tho, so my guess is somewhat informed, I hope.

Even high end appsec, seceng, and legit reversing pays below crypto and IR. We just can’t charge as much for it for all but the most niche and demanding environments, which is not the bulk of what’s out there.

I am thinking averages here. I know there is high paying work in each domain, but the skills used are also highly developed, etc. If you wanted to build a high end consultancy with a lot of work IR is a great choice. I know ToB has done awesome in crypto (blockchain/contracts) space, etc. but I think IR work is a little easier to get into and build a business on without having really advanced and niche skills.


This is like saying that Walmart cashiers have a higher bill rate than M&A attorneys, because there are so many more of them --- they're higher "by volume".


That may be a bit reductive, but I take your point. The deepest skilled niches in our field always pay most in absolute terms.


Ya would also add smart contract auditing as possibly the highest billing right now. Pushes $400/hr for freelancing and similar w2 comp.


IR/forensics consulting is definitely more than $400/hr.


Hm would like to see JDs for that, unless you're referring to the really white glove stuff (ex-whatever, no name consultancies with incredible reps).


Nope.

Have seen labor rates across FireEye, and a host of others.


Then the rates you have seen are incorrect, old, or the result of special circumstances.


It is not my experience that IR people bill $3k days --- though Mandiant definitely has billed out projects that high.


IR is nowhere close to the highest bill rate infosec consulting you can do. Not even in the ballpark of it.


Do you have a rough ranking? Nothing formal, just your best guess.


Difficult or "gated" specialties (like automotive) command higher bill rates --- so hardware, automotive, cryptography, maybe some kernel work (I don't know anyone that has a formal specialty practice in "kernel", it bleeds into other stuff).

IR is a huge practice area, lots and lots of people do it, and the line-level consulting work here is stuff that isn't at all difficult or specialized (log file analysis, imaging). There's specialty work in IR too, of course (there are firms that specialize in memory forensics, for instance), and that bills higher.

Mandiant is like the PwC of IR firms; Mandiant can get contracts that bill basic log file analysis out at $3k/day, because they're Mandiant. That doesn't mean the person doing that work is seeing proportionally more income themselves, or that a team of people striking out on their own from Mandiant are going to be able to bill comparably.

On the other hand, a team of cryptographers or hardware reversers at a big firm probably could expect to see comparable bill rates after starting up their own firm.


They do the IR retainer work for companies that are serious about security with real threats.

In other words, it is the company that detected a breach of its own systems via dogfooding, that turned out to be the only detection that occurred of a breach of the entire US govt more or less - Solarwinds.

Mandiant got the jump on every US govt agency in detecting arguably the largest espionage event of the digital age.


What is IR?


(security) incident response. most companies have in-house security teams to do a portion or a lot of the IR process. If a serious breach occurs, a security team usually will call in a specialized team of consultants from an IR firm like Mandiant.


I spent 5 years at Mandiant on the “proactive” team that performed penetration testing and similar services. The divestiture of the FireEye product was the best thing to happen to Mandiant since the acquisition by FireEye. The two business units were constantly at odds.

I’m genuinely surprised by this acquisition, however. Mandiant’s business model (consulting services) was successful despite the pressures and operational dissonance from the product side. When I left, they were well-poised for natural growth and to capture a larger market share of managed security services. I’m sure there is a model for success under Google, but I doubt many of the employees below the C-level wanted to go this direction.


OT: popups and banners managed to cover the whole page... :/ https://photos.app.goo.gl/PqV9FpqyPCujtFTJ6


Sometimes I wonder if the people who work on such websites even occasionally visit their own site. I just don't understand.


The issue is that not every team remembers to test incognito from time-to-time.

Those popups are all cookie-hidden if the cookies are set. Easy for an engineer working regularly on the product to accrete the cookies necessary to hide most of them over time.

(Concretely in this case, I bet 99% of the engineers on that site have forgotten GDPR is a thing, especially since their compliance is being handled by third-party provider TrustArc. Easy for a frequent visitor to forget that every new visitor will get asked about the cookie use permission on the first visit).


They're likely prescribed by PR people who think of everyone in bulk and less intelligent than themselves. The people actually building the site probably hate it.


Most of the HN crowd use adblockers


That's more of an annoyance than an ad.


Two clicks after OS install is annoying?

We really are a privileged bunch aren't we =)


That's just untrue. Takes 2 seconds to install uBlock origin.


I think you misinterpreted the parent comment. The banner being shown in the screenshot is being described as an annoyance, not an ad.


Yeah, but now I have to manage on a per site basis about half a dozen different settings. I find it a necessary evil on mobile to control bandwidth usage, but on desktop I find it easier to just not visit or immediately leave low quality websites.


I use them on my desktop, too. There are none in this WebView embedded in this mobile app, though.


It's like that on almost any site these days.


If I was a customer of Mandiant, I'm not sure how I'd feel about this. Plenty of potential resources both financial and manpower to improve services, but somewhere in the back of my mind would be "is Google going to hoover up all my data during an incident response?"


I don't really understand the basis for this comment/thought. I know it's a fairly common one, but I just don't think it tracks reality in any way.

Google has a reputation for taking in a lot of data about user behaviour for targeting ads. That's pretty well defined data though, from well-defined sources, with well-defined semantics. Things like page views.

How would Google ever be able to "hover up all your data" and get any benefit from it? What is the data? Where did it come from? What are the semantics? How are users identified? How is that mapped to users Google knows about?

It's just entirely impractical to do anything with it, and that's leaving aside the fact that I imagine it would violate the terms of service, the contracts Google may have with businesses, and may constitute a significant legal issue with regards to data misuse.

How exactly do you imagine that Google could do this, and what exactly would their motivation be to do so?

Mandatory disclaimer: I work at Google, but not on any of the above and I only just started. My feelings on this are only informed by my previous time as a customer of Google Cloud.


Or maybe they would think something like "Google has the best reputation and track record in terms of security than almost any other corporation".


I'm in the same boat. I believe this will make it even harder for them to operate in Europe.


This is quite a lot of money and Kevin Mandia obviously made some right decisions in his life. But what is Google really after here? The employees (must be quite flutering to be valued at 10 million on average), the products, the market share?


A typical consulting acquisition for someone like Accenture could be $250-500k per head. I realize this firm is deeply specialized and at the top of their industry, but it is a massive premium.


Google is coming from ~last place on enterprise+gov security relative to Microsoft and Amazon, which is maybe 75% of the market (and ignoring the Splunks of the world), and the ability to grow there requires real skills in services. Mandiant, in turn, is in a league of their own here, in brand if not practice. More about amazing IR/hunt/etc, vs say SIEM configuration, so a lot of line blurring & potential skillset clash for achieving their value, but still. Google+MS internal security teams are likewise trusted, but only Microsoft's are considered collaborative, so Google's are ~useless from a services gap perspective. So from a strategic view, this jumps them from last place to ~first. (And Microsoft's main value in buying would have been just to prevent AWS/Google from doing so.)

So as long as they have amazing handcuffs on the CEO, it's probably more like $1M per employee and $100M+ for the CEO (if real handcuffs) + brand.

An independent Mandiant is amazing for the ecosystem, but so goes. Over all though, probably still net win for folks involved + community - Google getting even more serious here is great!


It’s funny / depressing that Microsoft is not in last place given the frequency, severity and rank embarrassment-level of the slew of recent Azure vulnerabilities that have turned up.


a 10m average could indeed cause a heart to flutter.


Smart, even if it's just to scale TAG and secure that capability in a period of global instability with a heavy cyber component. As another commenter calculated $10M/employee is pretty good - especially if Google had excess cash on its balance sheet. That $10M/employee in cash is going to be worth maybe $8M in purchasing power in 3-5 years, less after, and getting cash into productive assets is a bit of a scramble right now. Regardless of what some folks in security think of FireEye, strategically it seems pretty smart.

Maybe we should bet on a wave of other big acquisitions by companies with big cash reserves as well?


What is with the massive dive in Revenue post 2018?

https://imgur.com/a/GvulfLe


COVID-19? I imagine a hell of a lot of revenue charts look similar around that timeframe.


I find it interesting that this acquisition is allowed... but when Lockheed Martin tried to acquire Aerojet Rocketdyne, it was shot down by the FTC.

Why does Big Tech get a pass? Is it because they feed the government free data on every single American and foreign national?


This is less of an acquisition and more of a marketing expense for GCP. A stellar Rolodex and a great way to meet new clients, especially if they succeed in the breach.


It's not like that Google needs a foot in the door or rolodex - that's why they hired all those SAP and Oracle folks.


I see SAP/Oracle folks and I run.


The core Mandiant infrastructure on cloud is run by 3 people


It’s run on aws


Holy shit they're going to have to migrate again, that's mildly hilarious considering the clusterfuck the first migration was.


Clash of cultures for sure. High turnover at GCP security (Or so I am told) and Google consultants? Wow. My experience has been they are very tech/innovation focused, holding a customer's hands and spoonfeeding them is not their style at all. Lots of medium/large businesses have Mandiant as a retainer so when They get pwned due to whatever mess, Mandiant comes in and cleans up.


Congrats to Mandiant! I really hope they don’t go the same way as the spinout/reorg of Chronicle…


So Google can close it later.


HN should have a policy that stops any threads promoting Google. Evil company like Google shouldn't be promoted on HN.

