
Google Cloud adds agentless threat detection to virtual machine workloads

As more enterprise computing workloads move to the cloud, so do attackers. Virtual servers have been the target of cryptomining and ransomware groups over the past few years and typically do not benefit from the same level of protection as endpoints. Google has decided to change this with VM-based threat detection for its cloud computing platform.

When it comes to cloud computing, efficiency and flexibility matter. Server capacity is scaled to the workloads it is expected to run, and additional security scanning and monitoring that require software agents inside each virtual machine add overhead, consuming CPU cycles and memory that customers are paying for.

This is what Google's new Virtual Machine Threat Detection (VMTD) functionality aims to address. It is provided for Compute Engine as part of Security Command Center.

Timothy Peacock, Product Manager at Google Cloud, said in a blog post: “For Compute Engine, we wanted to make sure that our customers could collect signals to help detect threats without running any additional software. Not running agents within an instance means less performance impact, less operational burden on deploying and managing agents, and less exposure to potential adversaries.”

How does VMTD work?

VMTD runs at the hypervisor level and has direct access to the memory of the virtual machines that hypervisor runs. This gives the technology another advantage: malware running inside the VM cannot tamper with it, even if that malware has administrative rights. Many malware programs have built-in routines to disable known security scanners running on the same system in order to avoid detection.

VMTD works as a managed service that periodically scans the live memory of VM instances in Compute Engine projects using Google’s threat detection rules. During the technology preview phase, detection mainly targets cryptomining programs, one of the most common malware threats that attackers deploy to compromised servers. According to the latest threat report from the Google Cybersecurity Action Team, cryptocurrency mining programs were observed in 86% of all compromised cloud instances.

VMTD analyzes the software running inside the VM using signals such as the list of application names, per-process CPU usage, memory page hashes, CPU hardware performance counters, and the machine code being executed, and matches them against known cryptomining signatures. As the general launch approaches, the service is expected to gain new detections for other types of threats, such as ransomware and data exfiltration Trojans, and to integrate with other parts of Google Cloud.
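To make the combination of signals concrete, the following is an added illustration of a hypervisor-side scan over a few process memory snapshots; it is not Google's VMTD code or its detection rules. The snapshot layout, the "known miner" page, the indicator strings and the three sample processes are all constructed for this example, and the CPU-usage threshold is an assumption. The point it shows that the article does not is that raw CPU usage is only corroborating evidence: a compiler burns as much CPU as a miner, so the scan flags CPU only when a memory-based indicator also matches.

```python
"""Toy hypervisor-side memory scan combining the signal types named in the
article (process names, per-process CPU usage, memory page hashes, executed
code) against cryptominer indicators. Added example, not Google's VMTD rules;
all sample data below is constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

PAGE_SIZE = 4096


def page_hash(page: bytes) -> str:
    """Hash one guest memory page; VMTD-style scans compare such hashes
    against hashes of pages from known malware (assumption about method)."""
    return hashlib.sha256(page).hexdigest()


# Constructed stand-in for a code page of a known miner binary.
KNOWN_MINER_PAGE = b"\x48\x89\xe5" + b"xmrig-stratum-worker" + b"\x90" * (PAGE_SIZE - 23)
KNOWN_BAD_HASHES = {page_hash(KNOWN_MINER_PAGE)}

# Strings commonly found in miner binaries and configs (illustrative set).
MINER_STRINGS = [b"stratum+tcp://", b"stratum+ssl://", b"xmrig", b"cryptonight", b"randomx"]

# Assumed threshold: sustained CPU above this is treated as corroboration only.
HIGH_CPU_PERCENT = 80.0


@dataclass
class ProcessSnapshot:
    """What the hypervisor can see for one guest process (constructed layout)."""
    pid: int
    name: str
    cpu_percent: float
    pages: List[bytes]  # guest memory pages read from outside the VM


@dataclass
class Finding:
    pid: int
    name: str
    reasons: List[str] = field(default_factory=list)


def scan_process(p: ProcessSnapshot) -> Optional[Finding]:
    reasons = []
    # Signal 1: exact match of a memory page hash against known miner pages.
    if any(page_hash(pg) in KNOWN_BAD_HASHES for pg in p.pages):
        reasons.append("known miner code page hash")
    # Signal 2: miner indicator strings anywhere in the process's memory.
    hits = sorted({s.decode() for pg in p.pages for s in MINER_STRINGS if s in pg})
    if hits:
        reasons.append("miner strings in memory: " + ", ".join(hits))
    # Signal 3: high CPU is weak on its own (a build server also pegs a core),
    # so it is only recorded when a memory-based indicator already matched.
    if reasons and p.cpu_percent >= HIGH_CPU_PERCENT:
        reasons.append(f"sustained CPU {p.cpu_percent:.0f}%")
    return Finding(p.pid, p.name, reasons) if reasons else None


def scan_vm(processes: List[ProcessSnapshot]) -> List[Finding]:
    return [f for f in (scan_process(p) for p in processes) if f]


def make_page(content: bytes) -> bytes:
    """Pad constructed page content to a full page."""
    return content.ljust(PAGE_SIZE, b"\x00")


# Constructed sample VM: a miner renamed to look like a kernel thread,
# a legitimately CPU-heavy compiler, and an idle shell.
SAMPLE_VM = [
    ProcessSnapshot(4242, "kworker/u:0", 97.0, [
        KNOWN_MINER_PAGE,
        make_page(b'{"url":"stratum+tcp://pool.example:3333","algo":"randomx"}'),
    ]),
    ProcessSnapshot(1337, "gcc", 95.0, [make_page(b"main.o compiled")]),
    ProcessSnapshot(900, "bash", 0.1, [make_page(b"PS1=$ ")]),
]

if __name__ == "__main__":
    for finding in scan_vm(SAMPLE_VM):
        print(finding.pid, finding.name, finding.reasons)
```

Running it flags only the renamed "kworker" process, with the page-hash match and the stratum/randomx strings as the primary reasons and the 97% CPU as corroboration; the equally busy gcc process is left alone. Note that the process name itself contributed nothing, which is exactly why an agentless scan has to look at memory contents rather than trusting what the guest reports.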

Currently, VMTD is offered as an opt-in service for Security Command Center Premium subscribers. Customers can define the scope of the scan, but the technology cannot inspect the memory of Confidential Computing nodes, which encrypt guest memory to protect sensitive workloads; that encryption shields the memory from the hypervisor as well, so such instances fall outside what VMTD can see.

“VMTD, Event Threat Detection and Container Threat Detection are built-in services in SCC Premium,” said Peacock. “These three advanced defense layers together provide holistic protection for your workloads running on Google Cloud.”

Event Threat Detection is a service that monitors Google Cloud and Google Workspace logs for signs of malicious activity. Container Threat Detection detects runtime attacks inside containers rather than virtual machines, based on signals such as the contents of executed shell scripts, reverse shell indicators, newly added binaries and newly loaded libraries.

Copyright © 2022 IDG Communications, Inc.
