For the past few years, they've been working on an engine called VxClass that uses control flow graph analysis to automatically classify malware. One presumes this is what motivates the acquisition. Google already scans content on the Internet for malware.
Or it could be mostly a talent thing. Google's been on a hiring tear. Extremely strong software security talent isn't easy to come by. Lord knows Halvar's got it. Zynamics is hugely well-known and respected in the software security world.
BinNavi always seemed like it was priced the way that IDA should have been (considering that for what IDA does it's way under-priced).
Curiously, we always saw HBGary as one of our main competitors. However, we were focused on tech, not shady deals. :)
HBGary have a tool called FastDump Pro for imaging memory. What Responder does is it takes (or acquires) a memory image and reconstructs the processes and leftover memory modules. It also reconstructs details of open files, sockets, registry entries etc. at the time of the snapshot.
Responder Pro has a thing called Digital DNA (which backs up nearly all of HBGary's enterprise products) - it's a mechanism that looks for potentially malicious code (I say potentially because it's easily triggered by things like McAfee because it has a load of strings in memory at any one point in time). Digital DNA uses known indicators to look for specific signs of things like keyloggers. It's not 100% but it usually reduces analysis time by a lot.
There's a fairly straightforward disassembler, you can look at strings tied to processes and memory modules, check for hooked SSDT, IDT entries etc., and there's a canvas-type function for mapping out a process's structure. There's a C# interpreter for scripting but it's not well documented, so most of our guys don't use it much for anything other than basic scans for specific things.
Recon comes with Responder Pro and is used to test potentially malicious code pulled off disk in a VM. You define how long it's going to run for, then it runs the code under the VM. You can then go back to Responder and there's an actual slider that shows you all the changes from registry, files, even CPU registers over time, so you can zoom in on your process and see the encryption algorithm in the malware decrypting and flip back and forth, which makes it really cool for basic malware cryptanalysis when you're me and not you :) - it's also handy for extracting 0day from exploit code because you get to see what's being exploited and how, so you can quickly write a cheeky Canvas/Metasploit module.
There's another tool called Flypaper that stops the process in Recon from exiting, which can be quite handy.
Although the company's in a bit of disarray at the moment the products are really great for malware analysis, and could be used for exploit dev (but I wouldn't).
That said, the individual employees are typically subject to all kinds of agreements as part of the acquisition, including NDAs.
Kudos to him and his team. BinDiff is a great product.
And kudos to Google -- a great investment in technology and people. Acquisitions aren't easy, so let's hope they can make it work!