Google Cloud adds agentless threat detection to virtual machine workloads

As more enterprise computing workloads are moving to the cloud, so are the attackers. Virtual servers have been targeted by cryptomining and ransomware groups over the past few years, and they typically don’t benefit from the same levels of protection as endpoints. Google has set to change that with VM-based threat detection for its cloud computing platform.

When it comes to cloud computing, efficiency and flexibility are very important. Servers are scaled based on the workloads they are expected to run. Any additional security scanning and monitoring that requires a software agent running inside the virtual machines would add overhead and consume CPU cycles and memory.

That’s the problem that Google tries to solve with its new Virtual Machine Threat Detection (VMTD) feature offered as part of the Security Command Center on its Computer Engine.

“For Compute Engine, we wanted to see if we could collect signals to aid in threat detection without requiring our customers to run additional software,” Timothy Peacock, product manager with Google Cloud said in a blog post. “Not running an agent inside of their instance means less performance impact, lowered operational burden for agent deployment and management, and exposing less attack surface to potential adversaries.”

How does VMTD work?

VMTD runs at the hypervisor level and has direct access to the memory of virtual machines instrumented by that hypervisor. This gives the technology another benefit: It cannot be tampered with by malware running inside the VM, even if the malicious program has administrative privileges. Many malware programs have built-in routines that try to disable known security scanners running on the same system to evade detection.

VMTD works as a managed service that will run periodic scans of Compute Engine projects and the live memory of VM instances using Google’s threat detection rules. During the technology preview stage, the detection is aimed primarily at cryptomining programs, which are one of the most common malware threats deployed by attackers on compromised servers. According to the latest threat report from Google’s Cybersecurity Action Team, cryptocurrency mining programs were observed on 86% of all compromised cloud instances.

VMTD will analyze software running inside VMs using a list of application names, per-process CPU usage, hashes of memory pages, CPU hardware performance counters and information about executed machine code to find matches to known cryptomining signatures. In the future, as it approaches general availability release, the service will gain new detection capabilities for other types of threats, such as ransomware and data exfiltration Trojans, and will be integrated with other parts of Google Cloud.

For now, VMTD is available as an opt-in service for Security Command Center Premium subscribers. Customers can define a scope for the scans, but the technology does not process the memory of confidential computing nodes, which encrypt memory to protect sensitive workloads.

“VMTD complements the existing threat detection capabilities enabled by the Event Threat Detection and Container Threat Detection built-in services in SCC Premium,” Peacock said. “Together, these three layers of advanced defense provide holistic protection for workloads running in Google Cloud.”

Event Threat Detection is a service that monitors the Google Cloud and Google Workspace logs for signs of malicious threats and Container Threat Detection allows users to detect runtime attacks inside containers instead of virtual machines, such as the contents of executed shell scripts, indicators of reverse shells, new binaries and newly loaded libraries.