How Traffic Mirroring in the Cloud Works
By Tyson Supasatit, Sr. Product Marketing Manager, ExtraHop
Learn how Amazon traffic mirroring and the Azure vTAP fulfill the SOC visibility triad
After years of not being available in the cloud, traffic mirroring has finally arrived with Amazon VPC traffic mirroring and the Azure vTAP. In this lightboard video, we explain what traffic mirroring is and why its availability in the cloud is so significant.
Traffic mirroring is required by any product that passively listens to or analyzes network traffic, such as IDS, DLP, packet capture solutions, and network detection and response (NDR) products like ExtraHop Reveal(x). The security advantage is that this out-of-band method of analysis is virtually undetectable by attackers and, because it works on a copy of the traffic rather than on the monitored host, cannot be turned off from a compromised instance. Rob Joyce, director of the NSA's hacking unit, called passive network monitoring his team's "worst nightmare" for these reasons.
Previously, traffic mirroring in the cloud was challenging. To get packets to analysis tools, vendors had to either route traffic through an in-line virtual appliance or install packet-forwarding agents on cloud instances. Both workarounds added complexity and overhead. With native traffic mirroring capabilities (vTAP in Azure and VPC traffic mirroring in AWS), organizations can route copies of traffic from specific instances, or from across an entire VPC, to analysis tools with a few clicks or API calls, and the cloud provider takes care of all the "plumbing." This will be a huge relief to many security teams who have had to go through arduous processes to get copies of traffic in on-premises environments.
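Part of that "plumbing" is an encapsulation the analysis tool has to undo: AWS VPC traffic mirroring delivers each copied packet to the mirror target wrapped in VXLAN (RFC 7348) on UDP port 4789, with the VXLAN network identifier (VNI) set to the value assigned to the mirror session. The following is an added example, not code from ExtraHop, AWS, or this article, of what a collector does with each mirrored packet: strip the VXLAN header, check that the VNI belongs to the expected session, and pull the 5-tuple out of the inner frame. The VNI value, the MAC addresses, and the sample packet (a constructed TCP SYN with zeroed checksums, not a real capture) are assumptions made for the example; AWS can also truncate mirrored copies to a configured length, so a frame cut off before the transport ports is rejected rather than misparsed.

```python
import ipaddress
import struct

# VPC Traffic Mirroring delivers copies as VXLAN (RFC 7348) on UDP/4789; the VNI in
# the VXLAN header identifies the mirror session the copy came from.
VXLAN_UDP_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Assumption: hypothetical VNI chosen when the mirror session was created.
EXPECTED_VNI = 0x00BEEF


def parse_vxlan(payload):
    """Split a VXLAN UDP payload into (vni, inner Ethernet frame).

    Raises ValueError if the 8-byte header is truncated or the I flag is clear.
    """
    if len(payload) < 8:
        raise ValueError("VXLAN header truncated")
    if not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set, VNI not valid")
    vni = int.from_bytes(payload[4:7], "big")
    return vni, payload[8:]


def parse_inner_frame(frame):
    """Return the 5-tuple (plus TCP flags) of an inner Ethernet/IPv4/TCP-or-UDP frame.

    IP checksums are not verified. Mirrored copies may be truncated, so a frame cut
    off before the L4 ports is rejected instead of being misparsed.
    """
    if len(frame) < 14:
        raise ValueError("Ethernet header truncated")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("IPv4 header truncated or not IPv4")
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options included)
    proto = ip[9]
    l4 = ip[ihl:]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(l4) < 4:
        raise ValueError("unsupported protocol %d or L4 header truncated" % proto)
    sport, dport = struct.unpack("!HH", l4[:4])
    info = {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "proto": proto,
        "sport": sport,
        "dport": dport,
    }
    if proto == IPPROTO_TCP and len(l4) >= 14:
        info["tcp_flags"] = l4[13]    # byte 13 of the TCP header holds the flag bits
    return info


def decode_mirrored_packet(udp_payload, expected_vni=EXPECTED_VNI):
    """Decapsulate one mirrored packet and check it belongs to the expected session."""
    vni, inner = parse_vxlan(udp_payload)
    if vni != expected_vni:
        raise ValueError("VNI %d does not match mirror session VNI %d" % (vni, expected_vni))
    return parse_inner_frame(inner)


def build_sample_mirrored_packet(vni=EXPECTED_VNI):
    """Constructed sample (not a real capture): VXLAN header wrapping a TCP SYN
    from 10.0.1.23:51234 to 10.0.2.45:443. Checksums are left as zero."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = (bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a0b0c0d0e0f")
           + struct.pack("!H", ETHERTYPE_IPV4))
    # TCP: ports, seq, ack, data offset 5 (20 bytes), flags=SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 0x11223344, 0, 5 << 4, 0x02, 65535, 0, 0)
    # IPv4: ver/IHL, DSCP, total length, id, flags/frag (DF), TTL, proto, csum, src, dst
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
        ipaddress.IPv4Address("10.0.1.23").packed, ipaddress.IPv4Address("10.0.2.45").packed,
    )
    return vxlan + eth + ip + tcp


if __name__ == "__main__":
    print(decode_mirrored_packet(build_sample_mirrored_packet()))
```

In a real collector the UDP payload comes off a socket bound to port 4789 on the target ENI; the VNI check matters because several mirror sessions can point at one target, and a packet from a session you did not expect should be counted and dropped rather than silently merged into the wrong tenant's view.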
The introduction of native traffic mirroring for AWS and Azure means that the public cloud is growing in technical maturity with more of the capabilities that were available on-premises now available in the cloud. This shows that Azure and AWS are focusing on production enterprise workloads. The cloud is not just for developers any more!
With vTAP in Azure and VPC traffic mirroring in AWS, Security Operations teams can now "tap" into all three key data sources for security visibility: logs, endpoint data, and network data. Gartner calls this the "SOC visibility triad."
Finally, traffic mirroring enables new ways to package and deliver cloud-first network detection and response products.