Modern security teams need to be on the top of their games if they want to keep up with the latest threats. With research showing that the number of data breaches organizations suffered rose 20.5% between 2020 to 2021, analysts are under increasing pressure to work smarter. 

In an attempt to support security teams, today, Mandiant announced the general availability of Mandiant Breach Analytics for Google Cloud Chronicle Security Operations. 

The new solution combines Mandiant’s proprietary information and threat intelligence on the latest Indicators of Compromise (IoCs) taken from past security incidents and information curated by internal analysts to help organizations unlock real-time threat detection capabilities. 

More detailed threat intelligence combined with ML-driven prioritization of threats helps human analysts to identify and respond to threats faster than traditional SIEM solutions with less extensive intelligence capabilities. 

The need to detect cyber attacks faster 

The announcement comes shortly after Google Cloud announced its acquisition of Mandiant, and rebranded Siemplify to release Chronicle Security Operations, a cloud native solution set that combines SIEM and SOAR capabilities to help security teams detect and respond to threats. 

Adding breach analytics to the Google security ecosystem will enable the vendor to help organizations process the high volumes of data generated in cloud environments and maintain transparency over security incidents even if they don’t have the internal resources or expertise to do so. 

“Security teams are faced with ever increasing volumes of data that need to be reviewed and analyzed to reduce risk, leading to the potential of attackers “dwelling” in their IT environment for significant amounts of time,” said Head of Mandiant Advantage Products at Mandiant, Michael Armistead.  

“Connecting the dots amongst silos of security data and threat intelligence information is typically beyond the capacity and/or skill set of most security teams — and often those teams only have access to old or irrelevant threat intelligence data (for example, threat intelligence on actors targeting industries unrelated to a customers’),” Armistead said. 

By automating manual intelligence analysis and threat hunting, Breach Analytics essentially reduces the need for human analysts to triage alerts and security events. The solution simply highlights discovered IoCs that suggest there’s an active breach so that the user can respond to get the incident under control. 

At the same time, to address alert sprawl, Mandiant, priorities IOC real-time matches against alert-based contextual information and the Mandiant IC-Score, a data-science-based confidence scoring algorithm that attempts to ignore benign indicators and false positive alerts that human users can focus on high-priority IOCs. 

Reevaluating the SIEM market 

Fundamentally, Mandiant Breach analytics looks to build on the traditional SIEM experience and provide access to greater automated intelligence capabilities. In this sense, the vendor is competing against organizations within the security information and event management (SIEM) market, which researchers anticipate will reach $6.24 billion by 2027. 

One of the main providers in this space is Splunk with Splunk Enterprise, which collects data from the cloud, apps, services, on-premises infrastructure and edge devices and compiles it so the user can monitor it and search it in a single location. 

A combination of machine learning, AI and over 700 default detection for frameworks including MITRE, ATT&CK, NIST, CIS 20, and Kill Chain, can be used to identify security incidents and high-fidelity alerts, while intelligence and analytics capabilities designed to increase transparency over incidents. 

Splunk recently announced raising $2.67 billion in revenue over the course of the 2022 financial year. 

Another competitor is LogRhythm, a challenger in the Gartner Magic Quadrant for SIEM and a next-generation SIEM platform, which offers over 950 integrations with third party and cloud services, over 1,100 out-of-the-box correlation rules, threat analytics and service feeds, playbooks and automated response capabilities. 

The key differentiator between Mandiant and other vendors is that it’s using its own proprietary data set. 

“In addition to known public tactics and techniques from threat actors against specific profiles, Breach Analytics also matches tactics that may be unpublished, yet identified and qualified through Mandiant’s Incident Response (IR) engagements and threat intelligence research. This ensures customers will always have the most current information from real, active breach investigations as they happen,” Armistead said.