What Traffic Mirroring Means for Cloud Security

Today's cloud services providers are all about enterprise IT. They're adding features that are taken for granted in on-premises data centers, such as traffic mirroring, and removing the last remaining barriers to enterprise cloud adoption. In the past year, both AWS and Microsoft Azure have announced traffic mirroring capabilities (Amazon VPC Traffic Mirroring and the Azure vTAP, respectively) that every cloud security architect should take interest in. In this blog post, I'll explain why traffic mirroring is such a big deal for enterprise security teams.

The SOC Visibility Triad

Security teams are notorious for purchasing point solutions, and it's not uncommon for large enterprises to have dozens of security tools deployed in production. With enterprise workloads increasingly spanning on-premises and cloud environments, CISOs and security architects have an opportunity to impose some order on their toolbox. (Alternately, the danger is that they end up with double the number of tools—one set for on-premises and another for the cloud.)

Gartner came up with the concept of a SOC Visibility Triad for this very purpose. The triad is composed of SIEM, network detection and response (NDR), and endpoint detection and response (EDR) tools, respectively providing visibility into logs, network traffic, and activity on endpoint devices. Each of these data sources has its own strengths and weaknesses, but together they provide complete visibility and decrease the chance that an attacker can operate in your environment undetected.

The SOC Visibility Triad concept is applicable to cloud environments as well:

Log data gathered in SIEM. Logs are a mainstay of Security Operations and can be thought of as short-hand notes of actions performed on a system, taken by the system itself. One drawback is that attackers can turn off logging and erase or modify logs. In the cloud, AWS CloudTrail and Azure Monitor simplify logging, which is a pain-point in on-premises environments where IT Operations and Applications teams sometimes prefer to not log certain performance-sensitive systems such as databases, or at least not turn on verbose logging.

Endpoint data provided by EDR. Endpoint visibility is needed in any layered defense and provides valuable insight into what users and software are doing on machines. This visibility into internal processes cannot be obtained any other way. The downside is that agents can be disabled and also do not provide context about the broader attack campaign. Again, the cloud makes deployment easier as cloud automation and containerization simplify deployment and management of EDR agents.

Network data (wire data) analyzed by NDR. Network packets are recognized as the ground truth. There is a saying in Security, "Packets or it didn't happen," meaning that packet capture is required to prove that an exploit or attack behaved in a certain way. This is still true in the cloud. As it happens, cloud workloads still use TCP and other network protocols to communicate. The network is still the most objective source of truth in the cloud, just as it is on-premises.

Network data acquisition has been a problem in the cloud. VPC flow logs in AWS and network security group (NSG) flow logs in Azure met some of this need, but did not include the transaction payload. In general, flow data is similar to what you see on the outside of an envelope, but you can't read the contents of what's inside. Traffic mirroring enables access to actual packet streams, a vastly richer vein of analytics than flow logs.

Now Is Your Chance to Do It Right

Now, with the introduction of traffic mirroring in the cloud, the SOC Visibility Triad is finally complete. The introduction of traffic mirroring capabilities for AWS and Azure signal that cloud service providers recognize the requirements of enterprise SOCs. Cloud security architects have an opportunity to do things right in the cloud as they build out their visibility architecture.

Ideally, you'll have a single combination of SIEM, EDR, and NDR that can cover both your on-premises and cloud environments. Using the SOC Visibility Triad concept, evaluate how well they have each of the basic data sources covered. By evaluating capabilities according to data sources, you can assess your current toolset to identify and eliminate redundancies, address technology gaps, and evaluate new solutions.

Learn more about Reveal(x) Cloud, the NDR solution for the cloud that takes advantage of Amazon VPC traffic mirroring.