Cloud IDS

A cloud-based intrusion detection system that detects and alerts on network-based threats in cloud environments.

GCP Proprietary Cloud Service Only
Category: Threat Detection & Response
Pricing Details: Pricing varies based on usage and configuration.
Target Audience: Organizations looking for cloud-based intrusion detection solutions.

Cloud IDS detects and alerts on network-based threats in cloud environments, such as intrusions, malware, spyware, and command-and-control attacks. Architecturally, Cloud IDS creates a Google-managed peered network into which traffic from virtual machine (VM) instances is mirrored. The mirrored traffic is then inspected by Palo Alto Networks' threat protection technologies, which provide the advanced threat detection capabilities.

The deployment process is streamlined, allowing for setup in just a few clicks using the UI, CLI, or APIs. Cloud IDS automatically scales to meet the organization's traffic inspection needs, eliminating the need for manual architecture and performance tuning. It leverages Google Cloud Packet Mirroring to copy network traffic, which is then analyzed using Palo Alto Networks' threat detection engine. This approach provides full visibility into both north-south and east-west traffic, enabling the detection of lateral movement and other intra-subnet threats.

A key operational consideration is that Cloud IDS is a detection-only service and does not block threats; instead, it generates alerts that can be integrated with other Google Cloud services, such as Cloud Armor, for remediation actions. The service updates its threat signatures daily, so users receive the latest protections without manual intervention. However, propagation of updated signatures to all IDS endpoints can take up to 48 hours.

Technically, Cloud IDS uses Application-ID (App-ID) from Palo Alto Networks to identify applications running on the network, regardless of port, protocol, or encryption. It also employs a default set of threat signatures that can be customized based on the minimum alert severity level, ranging from Critical to Informational. These signatures detect vulnerabilities, spyware, and other malicious activities such as buffer overflows and remote code execution.
