Join today’s leading executives online at the Data Summit on March 9th. Register here.
Google Cloud today announced an expansion of its security capabilities to include detection for cryptocurrency mining in virtual machines (VMs) — addressing a common but difficult-to-spot threat for customers, Google Cloud executive, Sunil Potti, told VentureBeat.
Attacks that exploit compute resources to mine cryptocurrencies such as Bitcoin continue to be a popular form of malicious cyber activity: A November report from Google Cloud found that 86% of compromised instances on the public cloud platform included crypto mining activities. But traditionally, “it’s very hard to detect that unless you really instrument your app,” said Potti, vice president and general manager for Google Cloud’s security business, in an interview.
Leveraging Google security
Today’s announcement brings Virtual Machine Threat Detection (VMTD) to customers of Google Cloud’s Security Command Center Premium offering, as a public preview. Like other security solutions that Google Cloud has introduced, VMTD leverages technology that was originally developed to stop threats in Google’s own properties, Potti said.
“We’re just bringing all that knowledge, with a little bit of enterprise consumption, to any enterprise customer who wants to move their VMs over,” he said.
When it comes to crypto mining, attackers can quickly run up a customer’s compute bill. Crypto mining can also end up being the first stage of a broader attack, according to Roger Koehler, vice president of threat ops at managed detection and response firm Huntress.
“They can go and sell that access on the black market. And somebody bigger and badder may buy that, and do something more detrimental,” Koehler said in a previous comment to VentureBeat.
In its November report, Google Cloud said that “data theft did not appear to be the objective” of compromises for crypto mining — but that “in some instances, multiple malicious actions were performed from within a single compromised instance.” Thus, data theft “remains a risk associated with the cloud asset compromises as bad actors start performing multiple forms of abuse,” Google Cloud said.
Google Cloud’s Virtual Machine Threat Detection will be expanded to include other capabilities during the next few months “as we move VMTD towards general availability,” Google Cloud said in a blog post today.
(While containerization is surging in popularity, “VM-based architectures continue to make up a significant portion of compute-centric workloads,” Google Cloud said).
Crucially, in terms of detecting crypto mining activities in virtual machines, VMTD will work without the need for an additional software agent, according to Google Cloud.
This agentless approach results in “less performance impact, lowered operational burden for agent deployment and management, and exposing less attack surface to potential adversaries,” Google Cloud said in its blog post.
Rather than using an agent, VMTD instruments the underlying VM orchestration software — the hypervisor — “to include nearly universal and hard-to-tamper-with threat detection,” the cloud platform said.
“What we’ve done is found a way to look under the cover for signatures and patterns that are very suspicious in the way that [attackers] use infrastructure,” Potti told VentureBeat.
Using heuristics, Google Cloud is “able to identify that this is actually a suspicious activity — so you can just quickly pinpoint it and take action,” he said.
This action could involve simply throttling capacity while an investigation takes place, rather than shutting it off entirely, he said.
Ultimately, “we want to make sure that your environment is protected from threats associated with someone actually hacking into an account and spinning up other services,” Potti said.
Google Cloud’s aim is to make security “invisible,” he said — to “automatically provide a lot of good hygiene under the cover, and only tell you things that you need to pay attention to.” The cloud platform is investing heavily in cybersecurity as it seeks to compete with its larger rivals in the public cloud space, Amazon Web Services (AWS) and Microsoft Azure.
The launch of VMTD follows other major expansions of security capabilities by Google Cloud, including Cloud IDS, which went into general availability in December. The cloud-native network security offering aims to provide simplified deployment and use compared to existing options.
Cloud IDS offers protections against malware and spyware, command and control attacks, and other vulnerabilities, including illegal code execution and buffer overflow, the company said.
Meanwhile, in January, Google announced the acquisition of Siemplify to bolster security operations and enhance threat response for customers of Google Cloud.
A recent survey of cloud engineering professionals found that 36% of organizations suffered a serious cloud security data leak or a breach in the past 12 months. And 64% said they expect the problem to get worse or remain the same over the next year, according to the report from Fugue and Sonatype.
More updates planned
For VMTD, Google Cloud said that it’s planning a “steady release” of new detection capabilities in the lead up to general availability. Google Cloud also plans to roll out integrations for VMTD with other parts of the cloud platform in the coming months, according to the blog post.
In the platform’s Security Command Center (SCC), VMTD “complements the existing threat detection capabilities enabled by the Event Threat Detection and Container Threat Detection built-in services in SCC Premium,” Google Cloud said.
The premium version of SCC is a “comprehensive” platform for security and risk management, featuring built-in services to provide visibility into cloud assets, discovery for vulnerabilities and misconfigurations, and assistance with meeting compliance requirements, Google Cloud said.