Data is collected from host IDSes (agents) or physical IDS appliances depending on the provider environment.
The agent is a hook driver that captures network traffic. This agent is only network focused.
Most important factor for the types of attacks depends more on workload than industry.
Risk score based on all pieces of collected information.
Know what and where your high risk data is. How it's accessed. Make some intelligence about the access of these data points. Attack plans.
Cloud environment is dynamic, attack response should be dynamic.
A report gives a good idea about the rate of attacks that are known. Unknown attacks are not counted. SQL injection is number one.
You can find the general report here: http://www.alertlogic.com/csr/
Hear more about this in the latest Cloud Virtualization Roundtable episode:
Audio: Virtualization Security Roundtable, episode 88