
How Traffic Mirroring in the Cloud Works

Learn how Amazon traffic mirroring and the Azure vTAP fulfill the SOC visibility triad

After years of traffic mirroring not being available in the cloud, between Amazon VPC traffic mirroring and the Azure vTAP, it's finally here! In this lightboard video, we'll explain what traffic mirroring is and why the availability of traffic mirroring for the cloud is so significant.


Traffic mirroring is required for any product that passively listens to or analyzes network traffic, such as IDS, DLP, packet capture solutions, and network detection and response (NDR) products like ExtraHop Reveal(x). The security advantage is that this kind of analysis is virtually undetectable by attackers and cannot be turned off from the monitored host: there is no agent to kill and no in-line device to route around, so only someone with administrative rights over the mirroring configuration itself can disable it. Rob Joyce, who led the NSA's hacking unit, called passive network monitoring his team's "worst nightmare" for these reasons.

Previously, traffic mirroring in the cloud was challenging. To get packets to analysis tools, vendors either had to route traffic through an in-line virtual appliance or install packet-forwarding agents on cloud instances. Both workarounds added complexity, overhead, and a new point of failure in the data path. With native traffic mirroring capabilities, vTAP in Azure and VPC traffic mirroring in AWS, organizations can route copies of traffic from specific network interfaces or instances to analysis tools with a few API calls or clicks, and the cloud provider takes care of all the "plumbing." This will be a huge relief to many security teams who have to go through arduous processes to get copies of traffic in on-premises environments.
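One piece of "plumbing" the analysis tool still has to handle on the AWS side is encapsulation: VPC traffic mirroring delivers each mirrored packet to the target wrapped in VXLAN (UDP port 4789), with the session's virtual network identifier (VNI) in the VXLAN header, and a mirror filter decides which traffic is copied. The block below is an added example, not ExtraHop's code and not part of the original post: it decapsulates one such frame, pulls out the inner 5-tuple, and applies a simple filter rule modelled on the protocol/port/CIDR matching that AWS mirror filters offer. The sample frame is constructed inline (a TCP SYN from 10.0.1.25 to 203.0.113.9:443, VNI 1234, zeroed checksums); the MAC and IP addresses in it are illustrative only.

```python
"""Decapsulate an AWS VPC Traffic Mirroring frame (VXLAN over UDP/4789) and
apply a mirror-filter-style rule to the inner packet. Added example."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_PORT = 4789
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP, PROTO_UDP_OUTER = 6, 17, 17


@dataclass
class MirroredPacket:
    vni: int            # VXLAN VNI, i.e. the mirror session's virtual network ID
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int]
    dst_port: Optional[int]
    l4: bytes           # inner transport header + payload


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decapsulate(frame: bytes) -> MirroredPacket:
    """frame: the outer Ethernet frame as it arrives on the mirror target's ENI."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_UDP_OUTER:
        raise ValueError("outer packet is not UDP")
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != VXLAN_PORT:
        raise ValueError("outer UDP is not VXLAN (4789)")
    vx = udp[8:]                       # 8-byte VXLAN header follows the UDP header
    if not vx[0] & 0x08:               # 'I' flag: VNI field is valid
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(vx[4:7], "big")
    inner = vx[8:]                     # inner Ethernet frame from the mirrored ENI
    if struct.unpack("!H", inner[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    iip = inner[14:]
    iihl = (iip[0] & 0x0F) * 4
    proto = iip[9]
    l4 = iip[iihl:]
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
    return MirroredPacket(vni, _ipv4(iip[12:16]), _ipv4(iip[16:20]), proto, sport, dport, l4)


def matches_rule(pkt: MirroredPacket, *, protocol: Optional[int] = None,
                 dst_cidr: str = "0.0.0.0/0", dst_ports=(0, 65535)) -> bool:
    """Accept/reject the inner packet the way a mirror filter rule would
    (protocol, destination CIDR, destination port range). Port range is
    ignored for protocols that have no ports."""
    if protocol is not None and pkt.protocol != protocol:
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(dst_cidr):
        return False
    if pkt.dst_port is None:
        return True
    return dst_ports[0] <= pkt.dst_port <= dst_ports[1]


def build_sample_mirrored_frame(vni: int = 1234) -> bytes:
    """Constructed input: mirrored TCP SYN 10.0.1.25:40123 -> 203.0.113.9:443,
    VXLAN-encapsulated from the source ENI toward a target at 10.0.9.200."""
    def ipv4_header(src, dst, proto, payload_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                           proto, 0, bytes(map(int, src.split("."))),
                           bytes(map(int, dst.split("."))))
    inner_tcp = struct.pack("!HHIIBBHHH", 40123, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner_ip = ipv4_header("10.0.1.25", "203.0.113.9", PROTO_TCP, len(inner_tcp))
    inner_eth = bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a1b2c3d4e60") + b"\x08\x00"
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_payload = vxlan + inner_eth + inner_ip + inner_tcp
    outer_udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(udp_payload), 0) + udp_payload
    outer_ip = ipv4_header("10.0.1.25", "10.0.9.200", PROTO_UDP_OUTER, len(outer_udp))
    outer_eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + b"\x08\x00"
    return outer_eth + outer_ip + outer_udp


if __name__ == "__main__":
    p = decapsulate(build_sample_mirrored_frame())
    print(p.vni, p.src_ip, p.src_port, "->", p.dst_ip, p.dst_port, "proto", p.protocol)
    print("matches TLS-to-internet rule:", matches_rule(p, protocol=PROTO_TCP, dst_ports=(443, 443)))
```

A real collector would read these frames from the target ENI (or from behind the Network Load Balancer used as a target) and hand the inner frame to the analysis engine; the VNI lets one target distinguish which mirror session a copy came from.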

The introduction of native traffic mirroring for AWS and Azure means that the public cloud is growing in technical maturity with more of the capabilities that were available on-premises now available in the cloud. This shows that Azure and AWS are focusing on production enterprise workloads. The cloud is not just for developers any more!

With vTAP in Azure and VPC traffic mirroring in AWS, Security Operations teams can finally "tap" into all three key data sources for security visibility: logs, endpoint data, and network data. Native mirroring supplies the network leg, which until now was the hardest of the three to obtain in the cloud. Gartner calls this combination the "SOC visibility triad."

Finally, traffic mirroring also enables vendors like ExtraHop to come up with new ways to package and deliver our product. For example, we've worked with AWS to use the new Amazon traffic mirroring capability to build a cloud-first network detection and response product. Reveal(x) Cloud is Network Detection and Response (NDR) as a service, where ExtraHop takes care of the provisioning and management for you. NDR has never been so easy to get started with!
