[HN Gopher] Google to Acquire Mandiant
___________________________________________________________________
Google to Acquire Mandiant
Author : ideksec
Score : 312 points
Date : 2022-03-08 11:39 UTC (11 hours ago)
web link (www.mandiant.com)
w3m dump (www.mandiant.com)

jansan wrote:
| This is quite a lot of money and Kevin Mandia obviously made some right decisions in his life. But what is Google really after here? The employees (must be quite flattering to be valued at 10 million on average), the products, the marketshare?

mellavora wrote:
| a 10m average could indeed cause a heart to flutter.

tims33 wrote:
| A typical consulting acquisition for someone like Accenture could be $250-500k per head. I realize this firm is deeply specialized and at the top of their industry, but it is a massive premium.

lmeyerov wrote:
| Google is coming from ~last place on enterprise+gov security relative to Microsoft and Amazon, which is maybe 75% of the market (and ignoring the Splunks of the world), and the ability to grow there requires real skills in services. Mandiant, in turn, is in a league of their own here, in brand if not practice. More about amazing IR/hunt/etc, vs say SIEM configuration, so a lot of line blurring & potential skillset clash for achieving their value, but still. Google+MS internal security teams are likewise trusted, but only Microsoft's are considered collaborative, so Google's are ~useless from a services gap perspective. So from a strategic view, this jumps them from last place to ~first. (And Microsoft's main value in buying would have been just to prevent AWS/Google from doing so.)
| So as long as they have amazing handcuffs on the CEO, it's probably more like $1M per employee and $100M+ for the CEO (if real handcuffs) + brand.
| An independent Mandiant is amazing for the ecosystem, but so goes. Overall, though, probably still a net win for folks involved + community - Google getting even more serious here is great!

tediousdemise wrote:
| I find it interesting that this acquisition is allowed... but when Lockheed Martin tried to acquire Aerojet Rocketdyne, it was shot down by the FTC.
| Why does Big Tech get a pass? Is it because they feed the government free data on every single American and foreign national?

octagons wrote:
| I spent 5 years at Mandiant on the "proactive" team that performed penetration testing and similar services. The divestiture of the FireEye product was the best thing to happen to Mandiant since the acquisition by FireEye. The two business units were constantly at odds.
| I'm genuinely surprised by this acquisition, however. Mandiant's business model (consulting services) was successful despite the pressures and operational dissonance from the product side. When I left, they were well-poised for natural growth and to capture a larger market share of managed security services. I'm sure there is a model for success under Google, but I doubt many of the employees below the C-level wanted to go this direction.

frozenice wrote:
| OT: popups and banners managed to cover the whole page... :/ https://photos.app.goo.gl/PqV9FpqyPCujtFTJ6

_joel wrote:
| Most of the HN crowd use adblockers

frozenice wrote:
| I use them on my desktop, too. There are none in this WebView embedded in this mobile app, though.

tjpnz wrote:
| That's more of an annoyance than an ad.

swarnie wrote:
| Two clicks after OS install is annoying?
| We really are a privileged bunch aren't we =)

_joel wrote:
| That's just untrue. Takes 2 seconds to install uBlock Origin.

SquareWheel wrote:
| I think you misinterpreted the parent comment. The banner being shown in the screenshot is being described as an annoyance, not an ad.
stonemetal12 wrote:
| Yeah, but now I have to manage on a per site basis about half a dozen different settings. I find it a necessary evil on mobile to control bandwidth usage, but on desktop I find it easier to just not visit or immediately leave low quality websites.

ezekg wrote:
| Sometimes I wonder if the people who work on such websites even occasionally visit their own site. I just don't understand.

moltke wrote:
| They're likely prescribed by PR people who think of everyone in bulk and less intelligent than themselves. The people actually building the site probably hate it.

shadowgovt wrote:
| The issue is that not every team remembers to test incognito from time-to-time.
| Those popups are all cookie-hidden if the cookies are set. Easy for an engineer working regularly on the product to accrete the cookies necessary to hide most of them over time.
| (Concretely in this case, I bet 99% of the engineers on that site have forgotten GDPR is a thing, especially since their compliance is being handled by third-party provider TrustArc. Easy for a frequent visitor to forget that every new visitor will get asked about the cookie use permission on the first visit).

afrcnc wrote:
| It's like that on almost any site these days.

mmaunder wrote:
| What is with the massive dive in Revenue post 2018?
| https://imgur.com/a/GvulfLe

munificent wrote:
| COVID-19? I imagine a hell of a lot of revenue charts look similar around that timeframe.

motohagiography wrote:
| Smart, even if it's just to scale TAG and secure that capability in a period of global instability with a heavy cyber component. As another commenter calculated $10M/employee is pretty good - especially if Google had excess cash on its balance sheet. That $10M/employee in cash is going to be worth maybe $8M in purchasing power in 3-5 years, less after, and getting cash into productive assets is a bit of a scramble right now. Regardless of what some folks in security think of FireEye, strategically it seems pretty smart.
| Maybe we should bet on a wave of other big acquisitions by companies with big cash reserves as well?

rattray wrote:
| For others who hadn't heard of this company, quoting from the link:
| > Mandiant's more than 600 consultants currently respond to thousands of security breaches each year. Paired with research from more than 300 intelligence analysts, these resulting insights are what power Mandiant's dynamic cyber defense solutions - delivered through the managed multi-vendor XDR platform, Mandiant Advantage.

dna_polymerase wrote:
| So, if you'd unbullshit this description, what are they doing?
| This reads like they are a PR company covering everything computer.

dogman144 wrote:
| They do the IR retainer work for companies that are serious about security with real threats.
| In other words, it is the company that detected a breach of its own systems via dogfooding, that turned out to be the only detection that occurred of a breach of the entire US govt more or less - Solarwinds.
| Mandiant got the jump on every US govt agency in detecting arguably the largest espionage event of the digital age.

hexo wrote:
| What is IR?

dogman144 wrote:
| (security) incident response. most companies have in-house security teams to do a portion or a lot of the IR process. If a serious breach occurs, a security team usually will call in a specialized team of consultants from an IR firm like Mandiant.

bitexploder wrote:
| They perform incident response and forensics for organizations that are compromised. Incident response is the highest bill rate infosec consulting you can do. It requires travel (used to, still does some today) and decently high technical skills. They are big and can combine the data their consultants collect into an intelligence platform that they sell as well.
OrvalWintermute wrote:
| > Incident response is the highest bill rate infosec consulting you can do. It requires travel (used to, still does some today) and decently high technical skills
| I take a tiny bit of issue with that.
| Cryptography consulting is a higher labor rate, and higher end pen-testing w TS SCI+full poly, and application security gurus are above, or equal to IR.
| There are currently poaching wars going on around talented IR folks. A fortune 500 recently hired away an IR colleague with whom I collaborated around tap & agg with a FAANG type offer, RSUs, the whole shebang

dogman144 wrote:
| Ya would also add smart contract auditing as possibly the highest billing right now. Pushes $400/hr for freelancing and similar w2 comp.

sumdude1847 wrote:
| IR/forensics consulting is definitely more than $400/hr.

tptacek wrote:
| It is not my experience that IR people bill $3k days --- though Mandiant definitely has billed out projects that high.

OrvalWintermute wrote:
| Nope.
| Have seen labor rates across FireEye, and a host of others.

sumdude1847 wrote:
| Then the rates you have seen are incorrect, old, or the result of special circumstances.

dogman144 wrote:
| Hm would like to see JDs for that, unless you're referring to the really white glove stuff (ex-whatever, no name consultancies with incredible reps).

bitexploder wrote:
| By volume. Cryptography consulting is a very lucrative niche but there is an order of magnitude less of it happening based on my wild guesses. I have run a high end boutique for 9 years and been doing infosec consulting for 15 years tho, so my guess is somewhat informed, I hope.
| Even high end appsec, seceng, and legit reversing pays below crypto and IR. We just can't charge as much for it for all but the most niche and demanding environments, which is not the bulk of what's out there.
| I am thinking averages here. I know there is high paying work in each domain, but the skills used are also highly developed, etc. If you wanted to build a high end consultancy with a lot of work IR is a great choice. I know ToB has done awesome in crypto (blockchain/contracts) space, etc. but I think IR work is a little easier to get into and build a business on without having really advanced and niche skills.

tptacek wrote:
| This is like saying that Walmart cashiers have a higher bill rate than M&A attorneys, because there are so many more of them --- they're higher "by volume".

tptacek wrote:
| IR is nowhere close to the highest bill rate infosec consulting you can do. Not even in the ballpark of it.

Jabbles wrote:
| Do you have a rough ranking? Nothing formal, just your best guess.

tptacek wrote:
| Difficult or "gated" specialties (like automotive) command higher bill rates --- so hardware, automotive, cryptography, maybe some kernel work (I don't know anyone that has a formal specialty practice in "kernel", it bleeds into other stuff).
| IR is a huge practice area, lots and lots of people do it, and the line-level consulting work here is stuff that isn't at all difficult or specialized (log file analysis, imaging). There's specialty work in IR too, of course (there are firms that specialize in memory forensics, for instance), and that bills higher.
| Mandiant is like the PwC of IR firms; Mandiant can get contracts that bill basic log file analysis out at $3k/day, because they're Mandiant. That doesn't mean the person doing that work is seeing proportionally more income themselves, or that a team of people striking out on their own from Mandiant are going to be able to bill comparably.
| On the other hand, a team of cryptographers or hardware reversers at a big firm probably could expect to see comparable bill rates after starting up their own firm.
terracatta wrote:
| Kevin Mandia was always incredible at finding a grade A talent pipeline of IR professionals that enabled Mandiant to always be the folks that responded to the incidents "that mattered" (his words).
| Their APT-1 report (https://www.mandiant.com/resources/apt1-exposing-one-of-chin... they released in 2013 was at the time unprecedented and brought awareness to nation-state sponsored hacking to a much broader audience than ever before.
| As someone who worked there in the early days (a little over 100+ employees) as an entry-level peon, I always felt I had the ability to walk into Kevin's office at anytime and tell him something I thought was important and get attention and respect back.
| While much of the organization has changed in the last 3 years, the constant has always been Kevin and the amount of work they put in to recover from the disastrous FireEye acquisition, preserve the brand's integrity, and to parlay that into such a positive acquisition for the employees and shareholders is an incredible outcome.
| Congratulations to both Google and Mandiant.

uejfiweun wrote:
| When I was a FireEye intern, I got to meet Kevin Mandia and it really left an impression on me. He came up to me unprompted after an all hands and introduced himself, and seemed genuinely interested in me and what I was working on. Then, my co-intern came up, and Mandia actually remembered his name and everything from his previous internship at the company. I remember thinking, _this_ is a great and highly motivating CEO. It's awesome to see that his hard work has paid off, I hope I get to work with him directly someday.

Folcon wrote:
| The link above has a typo, here's the corrected link: https://www.mandiant.com/resources/apt1-exposing-one-of-chin...

orf wrote:
| What happened with the FireEye acquisition?
dmhmr wrote:
| FireEye was nowhere on the same level as Mandiant and the two companies split and FE was purchased by STG for $1.2 billion.

_rfdu wrote:
| The core Mandiant infrastructure on cloud is run by 3 people

_rfdu wrote:
| It's run on AWS

TameAntelope wrote:
| Holy shit they're going to have to migrate again, that's mildly hilarious considering the clusterfuck the first migration was.

brlebtag wrote:
| So Google can close it later.

johndfsgdgdfg wrote:
| HN should have a policy that stops any threads promoting Google. Evil company like Google shouldn't be promoted on HN.

badrabbit wrote:
| Clash of cultures for sure. High turnover at GCP security (Or so I am told) and Google consultants? Wow. My experience has been they are very tech/innovation focused, holding a customer's hands and spoonfeeding them is not their style at all. Lots of medium/large businesses have Mandiant as a retainer so when they get pwned due to whatever mess, Mandiant comes in and cleans up.

munificent wrote:
| Is it just me, or does it seem crazy that we all just accept that private businesses are obligated to protect themselves from state-sponsored hacking?
| Imagine if Wal-Mart had to fund a private air force and patrol over their stores in order to combat foreign bombers coming in and everyone was like, "Yeah, that's just how it goes."
| Isn't a primary responsibility of government to protect its citizens and businesses from other states' militaries?

JohnHaugeland wrote:
| Businesses also need to protect themselves from burglary, despite that we have the police; fire, despite the fire department; et cetera.
| Government is not an abdication of responsibility.
Gelob wrote:
| good point but the government/FAA controls the skies and not the internet which may or may not be a good thing

jrochkind1 wrote:
| Are you suggesting the NSA should spend most of its budget on ensuring domestic businesses have better security (even if that means foreign businesses do too), instead of ensuring that foreign businesses have bad security (even if it means domestic do too, and that's being overly charitable and thinking US-based businesses being hackable by them isn't one of their goals too).
| What a shocking idea!

hadlock wrote:
| The same could be said for buying door and window locks vs the responsibility of local police to guard your home.

d4mi3n wrote:
| This feels a bit reductionist. Parent post specifically calls out state-sponsored actors. It's fine to expect and require doors, windows, and locks. It is _not_ fine to expect a commercial business or individual to have their own tanks and military on hand.
| Organizations do bear responsibility for their security posture--and many have spectacularly failed in this responsibility--but let's not pretend that an employee being phished is equivalent to something on the level of the SolarWinds hack or any one of the many nasty bits of malware coming out of Russia.
| State sponsored attacks are well funded and leverage one or more 0-days, which by definition cannot be defended against. The only way to stay ahead of a 0-day is to find it first, and that requires resources and expertise even large organizations are hard pressed to find in the numbers required.

fuzzylightbulb wrote:
| I think that the closer metaphor would be if an American business was having to hire private security resources because it was on some resource finding expedition in an unsavory part of the world, which is exactly what happens all the time. Exposing your business to the internet is like opening up an infinite number of storefronts everywhere, and a good number of those places are not where you want to be.

throw10920 wrote:
| Exactly - the internet is a hostile place, because of its openness, which is (was?) a core design trait. As much as it hurts, you can't have the freedom of the internet without allowing bad actors some degree of freedom, too.

Godel_unicode wrote:
| I wish people would think this through, think about the federal government protecting you from state-sponsored terrorism.
| Do you really want the TSA on the internet? Because that's what you're asking for...

throwoutway wrote:
| Congrats to Mandiant! I really hope they don't go the same way as the spinout/reorg of Chronicle...

sklargh wrote:
| This is less of an acquisition and more of a marketing expense for GCP. A stellar Rolodex and a great way to meet new clients, especially if they succeed in the breach.

[deleted]

mysterydip wrote:
| If I was a customer of Mandiant, I'm not sure how I'd feel about this. Plenty of potential resources both financial and manpower to improve services, but somewhere in the back of my mind would be "is Google going to hoover up all my data during an incident response?"

danpalmer wrote:
| I don't really understand the basis for this comment/thought. I know it's a fairly common one, but I just don't think it tracks reality in any way.
| Google has a reputation for taking in a lot of data about user behaviour for targeting ads. That's pretty well defined data though, from well-defined sources, with well-defined semantics. Things like page views.
| How would Google ever be able to "hoover up all your data" and get any benefit from it? What is the data? Where did it come from? What are the semantics? How are users identified? How is that mapped to users Google knows about?
| It's just entirely impractical to do anything with it, and that's leaving aside the fact that I imagine it would violate the terms of service, the contracts Google may have with businesses, and may constitute a significant legal issue with regards to data misuse.
| How exactly do you imagine that Google could do this, and what exactly would their motivation be to do so?
| Mandatory disclaimer: I work at Google, but not on any of the above and I only just started. My feelings on this are only informed by my previous time as a customer of Google Cloud.

mupuff1234 wrote:
| Or maybe they would think something like "Google has the best reputation and track record in terms of security than almost any other corporation".

TameAntelope wrote:
| I spent a few years there, FireEye messed Mandiant up something fierce, but Mandiant was never able to get its product going (with or without FireEye). Maybe Google can figure that part out.
| I wonder what will happen to the engineers; there is definitely a lot of expertise at that company, specifically in the IR/security side.

mmaunder wrote:
| What is their main source of revenue? They did about $483M in 2021.

syshum wrote:
| Unlikely, Google is good at killing the products they acquire... not much else

0xbadc0de5 wrote:
| Possible acqui-hire - perhaps it's not the product they're after...

speed_spread wrote:
| 10 million per head is a hell of a sign-in bonus

jcims wrote:
| I feel like this is an informal announcement that the product has been killed. Where would it live in the GCP portfolio?
| As an engineer I would be stoked. The resources that Google can bring in terms of data, compute and depth of analytical skills would be very appealing. It's probably going to be a disaster for the product folks but I think the engineers will be happy. At least for a little bit.
philprx wrote:
| Well, it seems that the Google Chronicle was a semi-failure from all the signals that were coming out. I hope I'm wrong about Chronicle. Maybe this is a future replacement/iteration/improvement.
| This could be a way to improve their offering and remove the "security argument" showstopper for cloud migrations.

jnwatson wrote:
| There's not a huge overlap between Chronicle and Mandiant. Mandiant makes most of its money off intel and incident response. Chronicle sells tools to do those.

late2part wrote:
| Most everyone I know says that Chronicle was a failure.

dogman144 wrote:
| Mandiant ending up as a glorified GuardDuty and Detective for GCP would be a travesty although I doubt that would be the outcome.

dmhmr wrote:
| Having used Chronicle, it felt like an underwhelming paper thin demo product compared to what the industry offers. May as well scrap it and lean on Mandiant's experience for a replacement.

cmrdporcupine wrote:
| My experience having gone through an acquisition @ Google (albeit 10 years ago and in a different space) is you might go in with the thoughts like yours expressed here: "wow, cool, think of all the resources Google has to make our product even better."
| In reality: your product will be sunsetted and replaced with a Google-created version of the same thing within two years; your key management (and other) talent will pace around for 3-4 years in frustration waiting for their stocks and acquisition bonuses to fully vest, and eventually most of the talent that can get a competing offer that is close to Google's proverbial buckets of cash will take that and leave.
| That said, it might be different in Google Cloud where more of the infrastructure is closer to industry standard infrastructure instead of Google's bespoke creations. And there's a focus on the needs of what people outside of Google do and how they do it.
jcims wrote:
| I did a short stint at Google and I saw this very thing. I think the one thing that's a little bit different with Mandiant is that it's largely a services organization. If they pigeonhole it as Google Cloud security then folks will bail very quickly. If they find a way to also extend it into their enterprise customer case as a value added service then I could see it being pretty interesting.

pinewurst wrote:
| Assuming the engineers aren't forced to re-interview for their own jobs in the common Google acquisition fashion.

vntok wrote:
| Of course they should be interviewed back, what's the alternative?
| _Hey team, so this is Steve from another department in another company. He's been assigned to our team, so. Of course we're handling text in the Chromium engine and Steve's background is in threat analysis, but I guess we'll figure something along the way. Welcome, Steve_

jacobr1 wrote:
| The alternative is that they basically keep working on the same things. Maybe now there is some integration project.

jcims wrote:
| Especially since they likely have 2-3 years of services contracts to burn through and don't really have an org they directly overlay with inside Google. Enterprise security to an extent but also not.

sulam wrote:
| In an acquisition of this size, it's not typical to interview. HTC engineers did not have to interview AFAIK and having been at Fitbit I can say for sure that no engineers had to interview.
| Interviewing happens with startups. When there aren't interviews the assumption is that Perf will take care of non-performers.

TameAntelope wrote:
| The domain experts are best-in-class.
| The engineers probably would need to be re-interviewed. Heh.

achow wrote:
| Interesting. A month back Microsoft was exploring this acquisition.
| _Microsoft Corp. is in talks to acquire cybersecurity research and incident response company Mandiant Inc... Mandiant shares surged 18% in New York, bringing its market value to almost $4.3 billion.. A deal might also push cloud rivals Amazon.com Inc. and Alphabet Inc.'s Google to pursue their own similar acquisitions_
| https://www.bloomberg.com/news/articles/2022-02-08/microsoft...
| And from the current event:
| _..acquired by Google LLC for $23.00 per share in an all-cash transaction valued at approximately $5.4 billion_

qzw wrote:
| Seems like they have ~500 employees, so the price is over $10M/employee. Obviously a good time to sell a security company right now.

htrp wrote:
| it's also 10mn per employee for a services company (afaik their SaaS revenue streams are secondary)

tonyedgecombe wrote:
| It's an interesting concept buying a services business like that. Nearly all the value is in the staff who are all free to walk if they feel inclined.

djrogers wrote:
| > Nearly all the value is in the staff who are all free to walk if they feel inclined.
| That hasn't been my experience with security services companies. Sure, people matter, but the processes, technology, and leadership can keep a good one on track regardless of who leaves.

moneywoes wrote:
| Wouldn't the better comparison be based on revenue?

ocdtrekkie wrote:
| Google doesn't buy revenue, they buy employees.

ISL wrote:
| and in this case, an organization.

RC_ITR wrote:
| Likely MS made the offer, and Mandiant's bankers shopped it around to Google.
| As much as Investment Bankers may be a drain on society, they DO provide value to certain capital-holders.
___________________________________________________________________
(page generated 2022-03-08 23:01 UTC)