Discover how companies are responsibly integrating AI in production. This invite-only event in SF will explore the intersection of technology and business. Find out how you can attend here.
Threat intelligence can be difficult in the modern enterprise landscape: Attackers are working at all levels, data and tools are scattered and observability is blurred.
Security teams are left to pick and choose which alerts to take action on, and they’re not always apprised of the latest research around vulnerabilities and attacker behaviors and campaigns.
With its launch today of Google Threat Intelligence, Google Cloud aims to empower even the smallest teams with the latest knowledge on the threatscape. The new platform, announced today at the RSA conference, integrates Gemini AI and combines data from Google with VirusTotal and Mandiant.
With threat intelligence, “you have to have the right breadth and depth,” Eric Doerr, VP of engineering for cloud security at Google Cloud, told VentureBeat.
VB Event
The AI Impact Tour – San Francisco
Join us as we navigate the complexities of responsibly integrating AI in business at the next stop of VB’s AI Impact Tour in San Francisco. Don’t miss out on the chance to gain insights from industry experts, network with like-minded innovators, and explore the future of GenAI with customer experiences and optimize business processes.
Request an invite
Typically, providers have only offered one or the other, he noted. Until this point, “a lot of companies have felt compelled to cobble together their own breadth and depth.”
Bringing together ‘two of the most important pillars of threat intelligence’
VirusTotal’s global community of more than 1 million users crowdsources intelligence around threat indicators including files and URLs. Mandiant’s researchers continually investigate threat actors’ behavior.
The two “very logically” come together, said Doerr, and their capabilities are further bolstered by Google’s deep visibility: The company protects 4 billion devices and 1.5 billion email accounts and blocks 100 million phishing attempts a day. This gives Google a “vast sensor array” on internet and email-based threats that allows them to connect the dots back to malicious campaigns, the company says.
Google also uses open-source threat intelligence shared amongst the security community.
This all allows Google Threat Intelligence to help customers when it comes to indicators of compromise (IoC) analysis, external threat monitoring, attack surface management and digital risk protection.
“While there is no shortage of threat intelligence available, the challenge for most is to contextualize and operationalize intelligence relevant to their specific organization,” said Dave Gruber, principal analyst with TechTarget’s Enterprise Strategy Group.
VirusTotal and Mandiant are “two of the most important pillars of threat intelligence” today, he said. Integrating them with Google and AI “offers security teams a new means to operationalize actionable threat intelligence to better protect their organizations.”
Gemini-powered search
Google’s Gemini 1.5 is an important part of the new threat intelligence platform, Doerr said. Users can ask the model questions that it answers based on a search across Google, Mandiant and VirusTotal’s vast repository of threat intelligence.
Gemini-driven entity extraction also automatically crawls the web for open-source intelligence (OSINT) and classifies online industry threat reporting. This is then converted to knowledge collections with corresponding hunting and response packs pulled from various motivations and targets, tactics, techniques, and procedures (TTPs), threat actor profiles, toolkits and IoCs.
Doerr pointed out that Gemini 1.5 has a long context window with support for up to 1 million tokens. This can help simplify the often labor-intensive process of reverse engineering malware (which takes specific skills that can be especially hard to come by in the midst of a worldwide cybersecurity talent shortage).
Remarkably, the model processed the entire decompiled code of the malware file for the WannaCry crypto ransomware attack in May 2017. In a single, 34-second pass, Gemini provided analysis of the malware and even identified its killswitch (a process that, in 2017, took 7 hours to complete, Doerr recalled).
Previously small context windows required slicing up prominent pieces of malware — but that made it difficult for gen AI to analyze it because, naturally, it didn’t have all the pieces.
When engineers achieved the 1 million token window, the question was, “Is that just a cool science thing or does it actually matter?”
Both turned out to be true. “This context window is actually a really important advance,” said Doerr. “It opens up this whole category of use cases that just weren’t possible before.”
He noted that more than 99% of malware samples can now be analyzed with Gemini. “It performs extremely well across a wide variety of malware,” said Doerr.
Simplifying threat intelligence
From ransomware, to Scattered Spider, “every month there’s another highly publicized attack,” said Doerr. Security analysts are bombarded with detections, some of which are real, and also some of which are false positives.
Now with Google Threat Intelligence, users can quickly condense large datasets, analyze suspicious files and simplify manual tasks. New threats are automatically piped through based on VirusTotal and Mandiant intelligence and connected into workflows so security teams have more than just a “theoretical understanding” of threats, Doerr explained.
The differentiator of the platform is that “when there’s an emerging threat, really high priority, ‘pay attention to this right now,’” Google is automatically enriching everything they know about it, he said.
“It’s taking a lot of the busy work of ‘I see an alert, now I have to do a bunch of research to decide whether it’s important.’”
The majority of Google customers don’t have dedicated threat intelligence teams, Doerr pointed out. Some have small teams — but they are ingesting data feeds from numerous providers and then doing a bunch of manual work.
“It could be days or weeks from when a new threat is detected to when they can say definitively ‘It is or is not present in our environment,’ ‘we are safe or we’re not safe,’” said Doerr. “Whatever research they’re doing, they can do it faster, get to the outcome faster.”
For large enterprises with dedicated threat teams, the platform can automate much of their work so they can “go deeper on the unique threats to them.”
Doerr pointed out that there is a “pyramid of threats,” ranging from ransomware groups who spray and pray, to threat actors who target specific verticals such as telecom or healthcare. Much of security teams’ time is spent at the “bottom of the pyramid versus the top of the pyramid,” (or the point where threats are most specific to their company or vertical).
“Nobody’s got enough highly trained people,” said Doerr. “It’s getting through the work to protect the company.”
