Google is combining multiple streams of threat intelligence with a Gemini generative AI model to create a new cloud service. The Google Threat Intelligence service is designed to help security teams to quickly and accurately sort through massive amounts of data so they can better protect their organizations against cyberattacks.

Introduced this week at the RSA Conference in San Francisco, the Google Threat Intelligence service pulls in capabilities from its Mandiant threat intelligence group, the VirusTotal online malware detection and analysis service, and the visibility Google gains from protecting billions of devices and email accounts from threats.

At the same time, the service leverages open source intelligence from security communities. It then integrates Google’s Gemini 1.5 Pro generative AI model to help security experts make sense of all the information, allowing them to more quickly identify and analyze threats like suspicious files, automate time-consuming manual tasks, and address question via natural language processing.

The service, which is available now and is part of Google Cloud’s larger security portfolio, aims to reduce the time, energy, and costs associated with processing threat intelligence while giving teams a more comprehensive view of the security landscape, according to Sunil Potti, vice president and general manager of Google Cloud Security, and Sandra Joyce, vice president of Google Threat Intelligence.

“By combining our comprehensive view of the threat landscape with Gemini, we have supercharged the threat research processes, augmented defense capabilities, and reduced the time it takes to identify and protect against novel threats,” Potti and Joyce wrote in a blog post. “Customers now have the ability to condense large data sets in seconds, quickly analyze suspicious files, and simplify challenging manual threat intelligence tasks.”

Combining AI and Cybersecurity

Google Threat Intelligence also puts Google Cloud’s security capabilities into closer competition with Microsoft’s Copilot for Security and is part of a larger industry trend of infusing cybersecurity tools with generative AI capabilities. It’s also a booming market. According to market research firm Statista, the market for AI in cybersecurity was $10.5 billion in 2020 and is projected to hit $46.3 billion in 2027.

In a report, Morgan Stanley noted that “cybersecurity organizations increasingly rely on AI in conjunction with more traditional tools such as antivirus protection, data-loss prevention, fraud detection, identity and access management, intrusion detection, risk management and other core security areas.’

The technology’s ability to crunch huge amounts of data and find patterns makes it capable of more quickly detecting and analyzing actual threats than humans. With few false positives, it can prioritize responses, identify and flag suspicious emails used in phishing campaigns, and simulate social engineering attacks. Doing so should help security teams find potential flaws before the cybercriminals do, the global investment bank wrote.

It also important for organizations to use AI given the fact that threat groups are doing the same to hone their attacks, Morgan Stanley wrote.

Multiple Intelligence Streams

For Google, the amount of threat intelligence it has access to is key for the new service. The insights it gathers itself comes from protecting 4 billion devices and 1.5 billion email accounts are a key part. The vendor blocks 100 million phishing attempts every day, providing Google with a “vast sensor array and a unique perspective on internet and email-borne threats that allow us to connect the dots back to attack campaigns,” Potti and Joyce wrote.

There also are the incident response specialists and threat intelligence analysts at Mandiant, which Google bought in 2022 for $5.4 billion. When the deal closed, Google Cloud CEO Thomas Kurian wrote that the addition of Mandiant allowed the company to “offer proven global expertise in comprehensive incident response, strategic readiness and technical assurance to help organizations mitigate threats and reduce business risk before, during and after an incident.”

Mandiant investigates more than 1,100 incidents a year.

Google’s VirusTotal has more than 1 million users who contribute potential indicators of threats to provide real-time insights into emerging attacks, Potti and Joyce wrote.

Adding in Generative AI

Gemini 1.5 Pro AI model can support up to 1 million tokens, wrote Potti and Joyce, giving it the longest context window and enabling it to more quickly run processes to reverse engineer malware than humans can. According to Potti and Joyce, the model was able to process the decompiled code of the malware file for the WannaCry ransomware worm – which in 2017 targeted systems around the world running Windows – and created an analysis in 34 seconds. It also identified the killswitch for the malware.

“We also offer a Gemini-driven entity extraction tool to automate data fusion and enrichment,” they wrote. “It can automatically crawl the web for relevant open source intelligence (OSINT), and classify online industry threat reporting. It then converts this information to knowledge collections, with corresponding hunting and response packs pulled from motivations, targets, tactics, techniques, and procedures (TTPs), actors, toolkits, and Indicators of Compromise (IoCs).”

In total, Google Threat Intelligence can run through more than a decade of threat reports and product comprehensive summaries in seconds.