Today we are delighted to announce that our unique, first-to-market detection capability with Virtual Machine Threat Detection (VMTD) in Security Command Center is now generally available for all Google Cloud customers. We launched this service six months ago in public preview and have seen a lot of enthusiasm from our customers. We’ve seen adoption from users around the world and in every industry. For years, we have said security must be engineered in, not bolted on. By baking this capability into our virtualization stack we are living up to our promise of delivering invisible security.
Our team has been busy scaling the service, refining our detection capabilities, and preparing our next major feature set. VMTD in general availability has been scaled to support significantly more frequent scanning across a tremendously large number of instances. Scaling the scanning of memory from the Google Cloud Compute Engine (GCE) fleet has posed unique challenges, and we’ve invested in caching scan results to enable more frequent scans of smaller – but more important – sections of memory.
For customers, enabling VMTD is as easy as checking a box in their Security Command Center Premium settings. They consistently report that this is a game-changer compared to the challenges associated with third-party agent deployment. Because VMTD is deployed from the hypervisor, rather than inside the instance, our instrumentation is not as exposed to adversaries as are traditional endpoint detection and response technology (EDR) agents. This is an invisible-to-adversaries approach: they can not detect when we scan. By enabling VMTD, our customers have activated protection against millions of compute instances with a few simple checkboxes, and without using compute overhead.
Deploying VMTD to Cloud customers has uncovered multiple attacks, and a few surprising false positives. In one example, our YARA rules detected a customer’s antivirus agent as mining cryptocurrency because that nameless agent happened to resolve a lot of mining pool domains as part of its protection scheme. Our YARA rules are developed in collaboration with the best of Google’s threat intelligence community, drawing on expertise from Google’s Threat Analysis Group as well as Google Cloud Threat Intelligence. As a cloud-native managed service, we’re always on the lookout for these cases and work hard to improve our service for all customers.
With this release we are thrilled to announce that in addition to detecting mining on a particular instance, we now can–in the vast majority of instances–identify and report on the specific process that is engaged in mining activity. VMTD is now able to deeply understand the Linux kernel to report specific details about the threat execution we’ve observed without an agent inside the instance. This can enable easier triage, investigation, and response to our detection.
In the academic literature of virtual machine introspection, understanding kernel data structure meaning from hardware contents is known as “bridging the semantic gap.” With this release, VMTD can bridge this gap and prove that insights useful to security teams can be pulled from the contents of memory for any given virtual machine.
In the future, we plan on further improving VMTDs understanding of Linux kernels to detect additional advanced attacks and report live telemetry to our customers. With its unique position as an outside-the-instance observer, VMTD can detect rootkits and bootkits, attacks that tamper with kernel integrity and otherwise blind the kernel and EDR to their presence.
We are delighted with the progress we’ve made on detecting the most common threats in Cloud computing environments. If you’re interested in trying out our service, navigate to the settings page of Security Command Center Premium and turn on Virtual Machine Threat Detection. You can read more about Security Command Center Premium and Virtual Machine Threat Detection at our docs pages.
By: Timothy Peacock (Senior Product Manager)
Source: Google Cloud Blog