Virtual Machine Threat Detection will at first target cryptominers running on virtual servers. Detection of ransomware, Trojans and other malware is to follow.

As more enterprise computing workloads move to the cloud, so do the attackers. Virtual servers have been targeted by cryptomining and ransomware groups over the past few years, and they typically don't benefit from the same level of protection as endpoints. Google has set out to change that with VM-based threat detection for its cloud computing platform.

When it comes to cloud computing, efficiency and flexibility matter. Servers are sized for the workloads they are expected to run, so any additional security scanning or monitoring that requires a software agent inside the virtual machine adds overhead and consumes CPU cycles and memory.

That is the problem Google is trying to solve with its new Virtual Machine Threat Detection (VMTD) feature, offered as part of the Security Command Center (SCC) for Compute Engine.

“For Compute Engine, we wanted to see if we could collect signals to aid in threat detection without requiring our customers to run additional software,” Timothy Peacock, product manager with Google Cloud, said in a blog post. “Not running an agent inside of their instance means less performance impact, lowered operational burden for agent deployment and management, and exposing less attack surface to potential adversaries.”

How does VMTD work?

VMTD runs at the hypervisor level and has direct access to the memory of the virtual machines that hypervisor hosts. That gives the technology a second benefit: it cannot be tampered with by malware running inside the VM, even if the malicious program has administrative privileges.
Many malware programs have built-in routines that try to disable known security scanners running on the same system in order to evade detection; a scanner that lives outside the guest is out of their reach.

VMTD works as a managed service that runs periodic scans of Compute Engine projects and of the live memory of VM instances, using Google's threat detection rules. During the technology preview stage the detection is aimed primarily at cryptomining programs, which are among the most common malware payloads deployed on compromised servers. According to the latest threat report from Google's Cybersecurity Action Team, cryptocurrency mining programs were observed on 86% of compromised cloud instances.

VMTD analyzes the software running inside VMs using a list of application names, per-process CPU usage, hashes of memory pages, CPU hardware performance counters and information about executed machine code, and matches these signals against known cryptomining signatures. As the service approaches general availability, it is expected to gain detection capabilities for other types of threats, such as ransomware and data exfiltration Trojans, and to be integrated with other parts of Google Cloud.

For now, VMTD is available as an opt-in service for Security Command Center Premium subscribers. Customers can define a scope for the scans, but the technology does not process the memory of confidential computing nodes, which encrypt guest memory to protect sensitive workloads, so those instances fall outside its coverage.

“VMTD complements the existing threat detection capabilities enabled by the Event Threat Detection and Container Threat Detection built-in services in SCC Premium,” Peacock said.
“Together, these three layers of advanced defense provide holistic protection for workloads running in Google Cloud.”

Event Threat Detection monitors Google Cloud and Google Workspace logs for signs of malicious activity, while Container Threat Detection covers runtime attacks inside containers rather than at the VM level, using signals such as the contents of executed shell scripts, indicators of reverse shells, newly added binaries and newly loaded libraries.
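To make the VMTD signal set described above concrete (process names, per-process CPU usage and hashes of memory pages matched against known cryptominer signatures), here is a small out-of-guest scanner. This is an added illustrative example, not Google's VMTD code or rule set: the page-hash signatures, the suspicious process names, the CPU threshold and the sample guest memory snapshot and process table are all constructed for this example, and the scanner is assumed to receive a raw guest memory image and a process table from the hypervisor rather than from any agent inside the VM.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Toy hypervisor-side cryptominer detector. Illustrative only; not Google's
# VMTD implementation or rule set. Everything below the imports is constructed
# for this example.
#
# Assumption: the scanner runs outside the guest and is handed a raw snapshot
# of guest memory plus a process table exported by the hypervisor. Nothing
# runs inside the VM, so in-guest malware has nothing to disable. A guest with
# encrypted (confidential) memory would yield no readable pages at all.

PAGE_SIZE = 4096

# Constructed stand-ins for code/data pages of a known miner binary.
_MINER_PAGE_A = b"stratum+tcp://pool.example:3333 ".ljust(PAGE_SIZE, b"\x90")
_MINER_PAGE_B = b"randomx_dataset_init".ljust(PAGE_SIZE, b"\xcc")

# Signature set keyed by SHA-256 of a full 4 KiB page (hypothetical rules).
KNOWN_MINER_PAGE_HASHES = {
    hashlib.sha256(_MINER_PAGE_A).hexdigest(): "xmrig-like pool config (constructed)",
    hashlib.sha256(_MINER_PAGE_B).hexdigest(): "randomx-like code (constructed)",
}

# Process names and a CPU threshold used as corroborating signals (hypothetical).
SUSPICIOUS_PROCESS_NAMES = {"xmrig", "minerd", "kdevtmpfsi"}
CPU_THRESHOLD = 80.0  # percent, sustained per process


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def hash_pages(guest_memory: bytes):
    """Yield (page_index, sha256_hex) for each 4 KiB page of the snapshot.

    A short tail page is zero-padded so its hash is stable across snapshots.
    """
    for offset in range(0, len(guest_memory), PAGE_SIZE):
        page = guest_memory[offset:offset + PAGE_SIZE].ljust(PAGE_SIZE, b"\x00")
        yield offset // PAGE_SIZE, hashlib.sha256(page).hexdigest()


def scan_memory(guest_memory: bytes) -> list[Finding]:
    """Match every page hash against the known-miner signature set."""
    return [
        Finding("memory_page_hash_match", f"page {idx}: {label}")
        for idx, digest in hash_pages(guest_memory)
        if (label := KNOWN_MINER_PAGE_HASHES.get(digest))
    ]


def scan_processes(process_table: list[tuple[int, str, float]]) -> list[Finding]:
    """Flag known miner process names and sustained high CPU usage."""
    findings: list[Finding] = []
    for pid, name, cpu_percent in process_table:
        if name.lower() in SUSPICIOUS_PROCESS_NAMES:
            findings.append(Finding("known_miner_process_name", f"pid {pid}: {name}"))
        if cpu_percent >= CPU_THRESHOLD:
            findings.append(Finding("sustained_high_cpu", f"pid {pid}: {name} at {cpu_percent:.0f}%"))
    return findings


def detect(guest_memory: bytes, process_table: list[tuple[int, str, float]]) -> list[Finding]:
    """Combine the memory and process signals into one list of findings."""
    return scan_memory(guest_memory) + scan_processes(process_table)


# Constructed sample input: three pages of guest memory, one of which is a
# miner page, and a small process table as the hypervisor might export it.
SAMPLE_GUEST_MEMORY = b"\x00" * PAGE_SIZE + _MINER_PAGE_A + b"\x41" * PAGE_SIZE
SAMPLE_PROCESS_TABLE = [
    (1, "systemd", 0.3),
    (900, "nginx", 12.0),
    (4242, "kdevtmpfsi", 97.5),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_GUEST_MEMORY, SAMPLE_PROCESS_TABLE):
        print(f"{finding.rule}: {finding.evidence}")
```

Running the sample yields one memory-page match (page 1) and two process findings for the constructed `kdevtmpfsi` entry. The point of the structure is that the scanner only ever reads a memory image and a table handed to it by the hypervisor; a real service would of course also need a signature set that is rebased on the miner's actual pages, and hardware performance counters, which this sketch omits, are what make the approach hard to evade by simply renaming the binary.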