Cloud security threats are always evolving. While many defenses focus on the network layer, insidious threats like cryptocurrency miners, rootkits, and sophisticated malware target the heart of your virtual machines (VMs). Google Cloud's Security Command Center (SCC) offers a powerful answer: VM Threat Detection.
What is VM Threat Detection?
VM Threat Detection findings are high-severity threats that we recommend you fix immediately.
How VM Threat Detection Works
Powered by Google Cloud's threat detection rules, VM Threat Detection analyzes information about software running on VMs from the hypervisor, without an agent inside the guest. It looks at a list of application names, per-process CPU usage, hashes of memory pages, CPU hardware performance counters, and information about executed machine code to determine whether any application matches known cryptocurrency mining signatures. When possible, VM Threat Detection then determines the running process associated with the detected signature matches and includes information about that process in the finding.
New Preview Features: Rootkits and Malware on Disk
The power of VM Threat Detection is expanding! Now in preview, it can detect kernel-mode rootkits and scan your VM's persistent disk for malware.
VM Threat Detection infers the type of operating system running on the VM and uses that information to determine the kernel code, read-only data regions, and other kernel data structures in memory. VM Threat Detection applies various techniques to determine if those regions are tampered with, by comparing them to precomputed hashes that are expected for the kernel image and verifying the integrity of important kernel data structures.
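To make the kernel-integrity idea concrete, here is an added example (not Google's code, and not how VM Threat Detection is implemented internally) of the two checks the paragraph describes: hashing the kernel code and read-only data regions of a memory image against precomputed golden hashes, and verifying a critical kernel data structure, a syscall table, whose entries must all point into kernel text. The kernel image, region layout, addresses and the "rootkit" modifications are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical layout of a guest kernel as captured from outside the VM.
# The offsets, region names and addresses below are constructed for this example.
@dataclass(frozen=True)
class Region:
    name: str
    offset: int   # byte offset of the region inside the captured memory image
    length: int

KERNEL_TEXT_START = 0xFFFFFFFF81000000            # assumed start of kernel code
KERNEL_TEXT_END = KERNEL_TEXT_START + 0x800       # assumed end (a 2 KiB toy "kernel")

REGIONS = (
    Region("text", offset=0x000, length=0x800),   # kernel code: must never change at runtime
    Region("rodata", offset=0x800, length=0x400), # read-only data: must never change either
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def precompute_hashes(golden_image: bytes, regions=REGIONS) -> dict:
    """Hashes of each region taken from a known-good image of this kernel build."""
    return {r.name: sha256(golden_image[r.offset:r.offset + r.length]) for r in regions}


def tampered_regions(live_image: bytes, expected: dict, regions=REGIONS) -> list:
    """Names of regions whose live contents no longer match the golden hash."""
    return [r.name for r in regions
            if sha256(live_image[r.offset:r.offset + r.length]) != expected[r.name]]


def hooked_syscalls(table: list, text_start=KERNEL_TEXT_START, text_end=KERNEL_TEXT_END) -> list:
    """Indices of syscall table entries that point outside the kernel's own code.

    A legitimate entry points at a handler inside kernel text; a kernel-mode
    rootkit that hooks a syscall redirects the entry into its own module.
    """
    return [i for i, addr in enumerate(table) if not (text_start <= addr < text_end)]


def build_golden_image() -> bytes:
    # Deterministic stand-in for a kernel image (constructed, not a real kernel).
    text = bytes((i * 7 + 3) & 0xFF for i in range(0x800))
    rodata = bytes((i * 13 + 5) & 0xFF for i in range(0x400))
    return text + rodata


def demo() -> dict:
    golden = build_golden_image()
    expected = precompute_hashes(golden)

    # Clean guest: live memory identical to the golden image, every entry in kernel text.
    clean_table = [KERNEL_TEXT_START + 0x10 * i for i in range(8)]
    clean = {
        "tampered": tampered_regions(golden, expected),
        "hooked": hooked_syscalls(clean_table),
    }

    # Infected guest: one byte of kernel code patched in place, and syscall #2
    # redirected to an address in a loaded module (assumed address, outside text).
    patched = bytearray(golden)
    patched[0x123] ^= 0x01
    hooked_table = list(clean_table)
    hooked_table[2] = 0xFFFFFFFFC0000000
    infected = {
        "tampered": tampered_regions(bytes(patched), expected),
        "hooked": hooked_syscalls(hooked_table),
    }
    return {"clean": clean, "infected": infected}


if __name__ == "__main__":
    print(demo())
```

The hash check catches in-place code patching but says nothing about where control flow actually goes, which is why the second check inspects pointers inside a structure that is allowed to be writable but whose targets are not allowed to leave kernel text.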
VM Threat Detection takes short-lived clones of your VM's persistent disk, without disrupting your workloads, and scans those clones rather than the live disk. The service analyzes executable files on the disk to determine whether any file matches known malware signatures. The generated finding contains information about the file and the malware signatures detected.
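As an added example of the disk-scanning step, and not Google's own scanner, the script below walks a directory standing in for a mounted clone of the VM's disk, picks out executables by their file-format magic, and reports files that match either a known-bad SHA-256 or an embedded byte pattern. The directory contents, the hash list and the `stratum+tcp://` pattern are all constructed for the example; a real signature set would come from a threat-intelligence feed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Magic bytes that identify executable formats worth scanning (ELF and PE).
EXECUTABLE_MAGICS = (b"\x7fELF", b"MZ")

# Constructed byte-pattern signatures for this example (not real malware indicators).
BYTE_PATTERNS = {
    "example-miner-stratum": b"stratum+tcp://",   # pool URL scheme a miner might embed
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(path: Path) -> bool:
    with path.open("rb") as f:
        head = f.read(4)
    return any(head.startswith(m) for m in EXECUTABLE_MAGICS)


def scan_tree(root: Path, bad_hashes: dict, patterns: dict) -> list:
    """Walk a mounted disk clone and report executables matching a signature.

    bad_hashes maps a hex SHA-256 to a signature name; patterns maps a signature
    name to a byte string. Returns sorted (relative path, signature, kind) tuples.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Skip symlinks so a planted link cannot drag the scan outside the clone.
            if p.is_symlink() or not p.is_file() or not is_executable(p):
                continue
            rel = p.relative_to(root).as_posix()
            digest = sha256_file(p)
            if digest in bad_hashes:
                findings.append((rel, bad_hashes[digest], "hash"))
            data = p.read_bytes()
            for sig, pat in patterns.items():
                if pat in data:
                    findings.append((rel, sig, "pattern"))
    return sorted(findings)


def build_sample_clone(root: Path) -> dict:
    """Populate a directory standing in for a mounted clone of the boot disk (constructed)."""
    (root / "usr/bin").mkdir(parents=True)
    (root / "tmp").mkdir()
    (root / "usr/bin/benign").write_bytes(b"\x7fELF" + b"\x00" * 64 + b"hello from a clean binary")
    (root / "tmp/.x").write_bytes(b"\x7fELF" + b"\x00" * 64 + b"stratum+tcp://pool.invalid:3333")
    dropper = root / "tmp/dropper.exe"
    dropper.write_bytes(b"MZ" + b"\x90" * 32 + b"constructed dropper body")
    # A text file mentioning the pattern is not an executable and must not be flagged.
    (root / "tmp/notes.txt").write_bytes(b"stratum+tcp:// mentioned in a text file")
    return {"dropper": sha256_file(dropper)}


def demo() -> list:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        hashes = build_sample_clone(root)
        bad_hashes = {hashes["dropper"]: "example-dropper-sha256"}
        return scan_tree(root, bad_hashes, BYTE_PATTERNS)


if __name__ == "__main__":
    for rel, sig, kind in demo():
        print(f"{rel}: {sig} ({kind} match)")
```

Scanning a clone instead of the live disk means the guest never sees the reads and cannot race the scanner by rewriting files mid-scan, which is the property the paragraph's "short-lived clones" design buys.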
Enabling VM Threat Detection
If you activate the Premium tier of Security Command Center, VM Threat Detection scans are enabled automatically. If needed, you can disable the service, or enable it only for specific projects.
https://cloud.google.com/security-command-center/docs/concepts-vm-threat-detection-overview
Are you using VM Threat Detection? Share your experiences in the comments!
Remember, this exciting rootkit and disk scanning feature is in preview. Your feedback is valuable to make VM Threat Detection even better!