Full Report
At Google Cloud, our mission is to help organizations transform cybersecurity with frontline intelligence, expertise, and AI-powered innovation. Nowhere is this needed more than in security operations (SecOps), where understaffed and overwhelmed security teams struggle to defend against a threat landscape that is growing in volume and sophistication, often with tools that were designed in the pre-cloud era. We believe that successfully defending against modern threats requires modern thinking and modern solutions, which is why we’ve taken a fresh look at what threat detection, investigation, and response (TDIR) can be with Chronicle Security Operations. Following our Duet AI and threat-hunting announcements at Google Cloud Next, today we are excited to announce Chronicle’s latest update, which unifies our SOAR and SIEM solutions, integrates attack surface management technology from Mandiant, and applies threat intelligence more robustly to help defenders get ahead of the latest threats.

“We have advanced capabilities around threat intelligence that are highly integrated into the Chronicle SecOps platform. We like the orchestration capabilities that enable us to enrich the data and provide additional context to it, so our SOC and analysts are able to prioritize that work and respond with the attention that is needed,” said Bashar Abouseido, CISO, Charles Schwab. “We look at Google as a critical partner that will help us bring quite a bit of advantage in the fight that we have against the type of threats that we deal with that continue to expand on a regular basis.”

A unified cloud-born platform

Chronicle Security Operations is designed to allow organizations to retain and analyze unfiltered data at Google scale and speed, enabling security teams to detect and investigate threats faster.
We recognize that for organizations to remain ahead of threats, they must go beyond just collecting data: it can take security teams far too long to find what’s truly relevant, or there are gaps in the information available to search and analyze. With our new consolidated experience for Chronicle SIEM and Chronicle SOAR, we can better provide rich context and easy pivoting between alerts, cases, investigations, and playbooks in a single console, for a more streamlined and integrated TDIR experience. Every alert in Chronicle SecOps is now grouped into a case to consolidate related alerts and provide access to relevant enrichment to help security teams make quicker decisions.

Detecting threats proactively with applied threat intelligence

To defend against modern threats, a modern security operations platform needs to be infused with a deep understanding of the latest threats, and possess the ability to apply this intelligence to each customer’s unique environment. We are adding even more powerful capabilities and risk-based outcomes to Chronicle Security Operations, enabling SecOps teams to become more proactive and get ahead of potential threats. Our new Applied Threat Intelligence, available in preview, leverages Chronicle’s scalability to automatically enrich and contextualize every event with the latest, market-leading threat intelligence from Google Cloud, Mandiant, and VirusTotal, to help eliminate blind spots and ultimately detect more threats. It uses AI and machine learning to prioritize threats based on each customer’s unique environment, which can help security teams focus on addressing the most critical threats. In addition, every relevant event in Chronicle SecOps that matches a threat indicator will be instantly enriched with threat actor, threat campaign, or malware family associations that can be used for custom searches or detections. We have also made breach analytics findings viewable directly in the Chronicle SecOps console.
Breach analytics continuously analyzes customers’ Chronicle SecOps data and notifies them within minutes of new and novel attacker techniques discovered by Mandiant Incident Response engagements. This enables organizations to proactively take action in near real time and minimize the impact of a breach. Breach analytics in Chronicle SecOps is now available in public preview. Our integration with Mandiant Attack Surface Management (ASM), now generally available to all Chronicle SecOps customers, can enable customers to continuously identify and validate exploitable entry points into their organization. ASM integration can help correlate and enrich investigations with context and an understanding of business risk, and allows the SecOps team to prioritize investigation and remediation efforts based on the exposures that have the most potential impact.

AI-augmented productivity

Chronicle Security Operations can help usher in a new era of productivity for security teams, removing the toil created by complex, disparate tools. Leveraging Google’s continuous innovations in generative AI and security-specific foundation models, Duet AI in Chronicle SecOps can help transform threat detection, investigation, and response for cyber defenders by simplifying search, complex data analysis, and threat detection engineering, to help reduce toil and elevate the effectiveness of each defender. With Duet AI, Chronicle SecOps can automatically provide a clear summary of what’s happening in cases, give context and guidance on important threats, and offer recommendations for how to respond. Duet AI also powers Chronicle’s new natural language search. Defenders can enter questions in natural language, and Chronicle SecOps will generate the query from their statement, present a fully mapped syntax for search, and make it possible to quickly refine and iterate on results.
AI presents a huge opportunity to elevate talent, but we understand that many organizations will still require help when it comes to advanced skill sets. We recently announced the addition of Mandiant Hunt for Chronicle, which can provide continuous threat hunting by Mandiant experts. It integrates the latest insights into attacker behavior from Mandiant’s frontline experts with Chronicle’s powerful ability to quickly analyze and search security data. Mandiant Hunt for Chronicle SecOps can help organizations close the skills gap and gain elite-level support without the burden of hiring, tooling, and training. Mandiant also offers a rich portfolio of Chronicle-ready services to assist customers before, during, and after a cyber incident, including purple teaming and cyber defense transformation.

We’re excited about the new capabilities in the unified Chronicle Security Operations platform and the outcomes they can help deliver to cyber defense teams across every industry. To learn more, visit Chronicle.Security or contact us to schedule time with one of our experts.
Analysis Summary
# Industry News: Google Cloud Unifies Chronicle SecOps with Mandiant Intelligence and Generative AI
## Summary
Google Cloud has announced a major evolution of its security operations portfolio by unifying Chronicle SIEM and SOAR into a single, cohesive platform. This update formally integrates Mandiant’s threat intelligence and Attack Surface Management (ASM) capabilities, while introducing Duet AI to automate complex security tasks through natural language.
## Key Details
- **Date:** September 18, 2023
- **Companies Involved:** Google Cloud, Mandiant (a Google Cloud company), VirusTotal
- **Category:** Product Launch / Platform Integration
## The Story
Google Cloud is addressing the fragmentation and talent shortage in the Security Operations Center (SOC) by consolidating its disparate security tools. The "new" Chronicle Security Operations platform removes the silos between Detection (SIEM) and Response (SOAR), providing a unified console where every alert is automatically grouped into a context-rich "case."
A central pillar of this announcement is the deep technical integration of Mandiant following its $5.4 billion acquisition. The platform now features:
1. **Applied Threat Intelligence:** Automatically enriches every event with data from Mandiant and VirusTotal.
2. **Mandiant Breach Analytics:** Alerts customers if their logs match novel attacker techniques discovered by Mandiant’s incident response teams in the field.
3. **Mandiant Hunt:** A managed service for continuous proactive hunting within Chronicle data.
4. **Generative AI (Duet AI):** Enables "natural language search," allowing analysts to ask questions rather than writing complex queries, and provides automated summaries of security cases.
## Business Impact
### For the Companies Involved
- **Google Cloud:** Strengthens its "Security Cloud" proposition against Microsoft and AWS by moving beyond infrastructure to high-value security outcomes.
- **Mandiant:** Successfully transitions from a services-heavy firm to the primary "intelligence engine" fueling Google’s scalable SaaS products.
### For Competitors
- **Legacy SIEM/SOAR Vendors (Splunk, Palo Alto Networks):** Face increased pressure as Google shifts the value proposition from data ingestion/storage to "applied intelligence" and AI-driven automation at "Google scale."
- **Niche ASM Players:** Standalone Attack Surface Management vendors may face commoditization as Google rolls this capability directly into the SecOps workflow.
### For Customers
- **Operational Efficiency:** Consolidating SIEM and SOAR into one interface reduces "swivel-chair" fatigue for analysts.
- **Skill Gap Mitigation:** Duet AI and natural language queries lower the barrier to entry for junior analysts, helping understaffed teams perform more complex investigations.
### For the Market
- This signals a market-wide shift toward **"Autonomic Security Operations,"** where the focus is no longer on collecting logs but on the automated application of frontline intelligence to those logs.
## Technical Implications
Chronicle’s architecture is designed to retain and analyze unfiltered data at Google scale. With **Applied Threat Intelligence**, indicator matching happens as events are processed, so actor, campaign, and malware-family associations are already attached to an event when an analyst searches it or writes a detection against it, rather than being fetched one lookup at a time during an investigation. Breach analytics adds a second, behavior-level layer: customer data is continuously compared against techniques observed in Mandiant incident response engagements, with notification within minutes. The use of **security-specific foundation models (LLMs)** to translate natural language into query syntax, with the generated query shown to the analyst for refinement, is a notable change in security interface design.
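The enrich-then-case-then-prioritize flow that the announcement and the paragraph above describe (indicator matches stamped with actor, campaign and malware-family associations, related alerts grouped into one case, cases ranked by environment-specific context) is shown below as an added illustration. This is example code written for this page, not Chronicle's own implementation or data model: the threat-intel feed, the event records, the asset criticality table, the one-hour case window and the scoring formula are all constructed assumptions, and no indicator in it is real.

```python
"""Added example: indicator-match enrichment, case grouping and risk ranking
over constructed sample events. Not Chronicle code; all feeds, events, hosts
and indicators below are made up for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel feed (illustrative values, not real indicators).
# Each indicator carries the associations the announcement describes (actor,
# campaign, malware family) plus a confidence the scorer can weight.
FAKE_SHA256 = "0f" * 32  # deliberately fake hash
INTEL_FEED = {
    "198.51.100.23": {"kind": "ip", "actor": "UNC-EXAMPLE-1", "campaign": "CAMPAIGN-A",
                      "malware": None, "confidence": 0.9},
    "update.example-bad.invalid": {"kind": "domain", "actor": None, "campaign": None,
                                   "malware": "FAKELOADER", "confidence": 0.6},
    FAKE_SHA256: {"kind": "sha256", "actor": "UNC-EXAMPLE-1", "campaign": None,
                  "malware": "FAKELOADER", "confidence": 0.95},
}

# Which event fields are compared against which indicator kinds.
FIELD_TO_KIND = {"dst_ip": "ip", "dst_domain": "domain", "file_sha256": "sha256"}

# Assumed environment context: asset criticality per host (the "customer's
# unique environment" part of prioritization). Unknown hosts default to 0.5.
ASSET_CRITICALITY = {"srv-db-1": 1.0, "wks-042": 0.4, "wks-017": 0.4}

# Constructed events in a flattened, UDM-like shape.
SAMPLE_EVENTS = [
    {"id": "evt-1", "ts": "2023-09-18T10:00:01Z", "host": "wks-042", "user": "alice",
     "dst_ip": "198.51.100.23"},
    {"id": "evt-2", "ts": "2023-09-18T10:00:09Z", "host": "wks-042", "user": "alice",
     "file_sha256": FAKE_SHA256},
    {"id": "evt-3", "ts": "2023-09-18T10:41:00Z", "host": "srv-db-1", "user": "svc-backup",
     "dst_domain": "update.example-bad.invalid"},
    {"id": "evt-4", "ts": "2023-09-18T11:05:00Z", "host": "wks-017", "user": "bob",
     "dst_ip": "203.0.113.5"},  # no indicator match; must not become an alert
]


def enrich(event, feed=INTEL_FEED):
    """Return a copy of the event with an 'ioc_matches' list attached.

    Every field that can carry an indicator is looked up in the feed; a hit
    copies the actor/campaign/malware associations onto the event so they are
    searchable next to the raw telemetry instead of fetched later per lookup.
    """
    matches = []
    for field_name, kind in FIELD_TO_KIND.items():
        value = event.get(field_name)
        if value is None:
            continue
        hit = feed.get(value.lower())
        if hit and hit["kind"] == kind:  # kind check avoids cross-type collisions
            matches.append({"indicator": value, "field": field_name, **hit})
    return {**event, "ioc_matches": matches}


def group_into_cases(enriched, window=timedelta(hours=1)):
    """Group alerts (events with at least one match) into per-host cases.

    Alerts on the same host within `window` of the case's first alert are
    merged, so an analyst sees one case rather than one row per indicator hit.
    """
    cases, by_host = [], defaultdict(list)
    for ev in sorted(enriched, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        if not ev["ioc_matches"]:
            continue
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        host_cases = by_host[ev["host"]]
        if host_cases and ts - host_cases[-1]["opened"] <= window:
            host_cases[-1]["alerts"].append(ev)
        else:
            case = {"host": ev["host"], "opened": ts, "alerts": [ev]}
            host_cases.append(case)
            cases.append(case)
    return cases


def score_case(case, criticality=ASSET_CRITICALITY):
    """Risk score: strongest indicator confidence, boosted by corroborating
    matches (capped), then weighted by how critical the affected asset is."""
    confs = [m["confidence"] for a in case["alerts"] for m in a["ioc_matches"]]
    corroboration = min(0.2 * (len(confs) - 1), 0.4)
    return round((max(confs) + corroboration) * criticality.get(case["host"], 0.5), 3)


def prioritize(events):
    """End to end: enrich, group, score, and rank cases highest risk first."""
    cases = group_into_cases([enrich(e) for e in events])
    for c in cases:
        hits = [m for a in c["alerts"] for m in a["ioc_matches"]]
        c["score"] = score_case(c)
        c["actors"] = sorted({m["actor"] for m in hits if m["actor"]})
        c["malware"] = sorted({m["malware"] for m in hits if m["malware"]})
    return sorted(cases, key=lambda c: c["score"], reverse=True)


if __name__ == "__main__":
    for c in prioritize(SAMPLE_EVENTS):
        print(c["host"], c["score"], c["actors"], c["malware"],
              [a["id"] for a in c["alerts"]])
```

Run as written, the two workstation hits on `wks-042` (a known-bad IP followed seconds later by a known-bad hash, both tied to the same constructed actor) collapse into one case, while the single lower-confidence domain hit on `srv-db-1` ranks above it because the asset is more critical. That inversion is the point of environment-aware prioritization: raw indicator confidence alone would have ordered them the other way.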
## Strategic Analysis
- **Market Positioning:** Google is positioning itself as the "intelligent" cloud provider, prioritizing the *application* of expert knowledge (Mandiant) over the mere *provision* of security tools.
- **Competitive Advantage:** The vertical integration of VirusTotal (crowdsourced intelligence), Mandiant (expert intelligence), and Google’s global telemetry creates a data moat that is difficult for competitors to replicate.
- **Challenges:** Organizations heavily invested in multi-cloud or on-premise legacy systems may find the "Google-centric" nature of the unified platform a hurdle for full adoption.
## Industry Reactions
- **Analyst Opinions:** Analysts generally view this as a necessary step for Google to realize the full value of the Mandiant acquisition.
- **Expert Commentary:** Bashar Abouseido (CISO, Charles Schwab) highlighted that the orchestration and enrichment capabilities are critical for prioritizing modern, expanding threats.
## Future Outlook
- **Predictions:** Expect further integration of generative AI across the entire Google Cloud Security portfolio, likely moving toward autonomous "self-healing" playbooks.
- **What to watch for:** How quickly Google can migrate legacy Chronicle customers to the "unified" experience and the performance of Mandiant Hunt as a standalone managed service.
## For Security Professionals
Practitioners should note the shift toward natural language interfaces. Because Duet AI presents the generated query syntax rather than only the results, analysts should still read and refine that query before trusting what it returns. The ability to pivot from an Attack Surface exposure (ASM) directly into a search (SIEM) and a playbook (SOAR) within one console suggests a more "threat-centric" workflow. Professionals should evaluate Mandiant Breach Analytics as a way to benefit from global incident response insights without needing an internal research team.