Virtual Machine Threat Detection at first will target cryptominers running on virtual servers. Detecting ransomware, Trojans, and other malware is coming.

As more enterprise computing workloads move to the cloud, so do the attackers. Virtual servers have been targeted by cryptomining and ransomware groups over the past few years, and they typically don’t benefit from the same levels of protection as endpoints. Google has set out to change that with VM-based threat detection for its cloud computing platform.

When it comes to cloud computing, efficiency and flexibility are very important. Servers are scaled based on the workloads they are expected to run. Any additional security scanning and monitoring that requires a software agent running inside the virtual machines would add overhead and consume CPU cycles and memory.

That’s the problem Google is trying to solve with its new Virtual Machine Threat Detection (VMTD) feature, offered as part of the Security Command Center on its Compute Engine.

“For Compute Engine, we wanted to see if we could collect signals to aid in threat detection without requiring our customers to run additional software,” Timothy Peacock, product manager with Google Cloud, said in a blog post. “Not running an agent inside of their instance means less performance impact, lowered operational burden for agent deployment and management, and exposing less attack surface to potential adversaries.”

How does VMTD work?

VMTD runs at the hypervisor level and has direct access to the memory of virtual machines instrumented by that hypervisor. This gives the technology another benefit: it cannot be tampered with by malware running inside the VM, even if the malicious program has administrative privileges.
Many malware programs have built-in routines that try to disable known security scanners running on the same system to evade detection.

VMTD works as a managed service that runs periodic scans of Compute Engine projects and the live memory of VM instances using Google’s threat detection rules. During the technology preview stage, the detection is aimed primarily at cryptomining programs, which are one of the most common malware threats deployed by attackers on compromised servers. According to the latest threat report from Google’s Cybersecurity Action Team, cryptocurrency mining programs were observed on 86% of all compromised cloud instances.

VMTD analyzes software running inside VMs using a list of application names, per-process CPU usage, hashes of memory pages, CPU hardware performance counters and information about executed machine code to find matches to known cryptomining signatures. In the future, as it approaches general availability, the service will gain new detection capabilities for other types of threats, such as ransomware and data exfiltration Trojans, and will be integrated with other parts of Google Cloud.

For now, VMTD is available as an opt-in service for Security Command Center Premium subscribers. Customers can define a scope for the scans, but the technology does not process the memory of Confidential Computing nodes, which encrypt memory to protect sensitive workloads.

“VMTD complements the existing threat detection capabilities enabled by the Event Threat Detection and Container Threat Detection built-in services in SCC Premium,” Peacock said.
“Together, these three layers of advanced defense provide holistic protection for workloads running in Google Cloud.”

Event Threat Detection is a service that monitors Google Cloud and Google Workspace logs for signs of malicious activity, and Container Threat Detection detects runtime attacks inside containers rather than virtual machines, flagging things such as the contents of executed shell scripts, indicators of reverse shells, new binaries and newly loaded libraries.
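To make the agentless approach described above concrete, here is an added illustration (not Google’s VMTD code) of how a hypervisor-side scanner can combine the signal types the article lists: process names, per-process CPU usage, memory-page hashes, and a performance-counter profile. All process data, page contents, and signatures are constructed placeholders; the point it demonstrates is that a miner renamed to look like a kernel thread still matches on its memory contents, which in-guest tampering cannot hide from the hypervisor.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Process:
    """One process as observed from the hypervisor (all fields constructed)."""
    name: str
    cpu_percent: float
    pages: list = field(default_factory=list)  # raw memory pages of the process
    perf_profile: str = "io_bound"              # stand-in for HW performance counters


def page_hash(page: bytes) -> str:
    """Hash a memory page so it can be compared against a signature set."""
    return hashlib.sha256(page).hexdigest()


# Constructed signature set: a placeholder "miner" code page and known binary names.
MINER_PAGE = b"constructed-miner-code-page".ljust(4096, b"\x00")
KNOWN_MINER_PAGE_HASHES = {page_hash(MINER_PAGE)}
KNOWN_MINER_NAMES = {"xmrig", "minerd"}


def scan_vm(processes, cpu_threshold=90.0):
    """Return one finding per suspicious process, listing the signals that matched."""
    findings = []
    for p in processes:
        signals = []
        if p.name.lower() in KNOWN_MINER_NAMES:
            signals.append("name")
        if any(page_hash(pg) in KNOWN_MINER_PAGE_HASHES for pg in p.pages):
            signals.append("memory_hash")
        if p.cpu_percent >= cpu_threshold and p.perf_profile == "compute_bound":
            signals.append("cpu_profile")
        # A memory-hash hit is strong on its own; weaker signals need corroboration
        # so that a busy compiler or a benign renamed process is not flagged.
        if "memory_hash" in signals or len(signals) >= 2:
            findings.append({"process": p.name, "signals": signals})
    return findings


if __name__ == "__main__":
    # Constructed snapshot: a renamed miner, a busy but benign build job, and sshd.
    snapshot = [
        Process("kworker", 98.0, [MINER_PAGE], "compute_bound"),
        Process("gcc", 97.0, [b"\x01" * 4096], "compute_bound"),
        Process("sshd", 0.3, [b"\x02" * 4096]),
    ]
    for finding in scan_vm(snapshot):
        print(finding)
```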