FireEye Stories Blog

I Can See Clearly Now: AWS Traffic Mirroring Enables FireEye to Provide Equal Visibility in the Cloud and On-Premises

Network security combined with forensics has given customers an incredibly powerful solution: end-to-end prevention, detection and investigation capabilities. This combination helps keep organizations safe from attacks both as they happen and as they are discovered later. However, things are changing. Organizations are moving data, applications and resources to the cloud, and as a result they are struggling with the disparity between the data they can collect on-premises and the data their cloud providers expose to them.

Cloud providers abstract address schemes and packet data. Typically, full packet contents are not exposed at all; the summary data that is available may be fine for routine diagnostics, but not for deep-dive forensics. In the modern, regulated world, investigators need to know exactly what was carried in the packets. The current model of giving investigators only a limited view into cloud workloads ultimately hinders an investigation, makes it hard to establish (and therefore properly disclose) the scope of a breach, and allows attackers to remain hidden during an attack on cloud resources.

A New Approach

Amazon Web Services (AWS) recently made significant strides to address this issue. By partnering with AWS and integrating with AWS VPC Traffic Mirroring, FireEye Network Security and Forensics customers can now receive the relevant virtual network traffic and network metadata from their AWS environments. AWS VPC Traffic Mirroring copies network traffic from elastic network interfaces in a VPC and delivers it to a monitoring target, so that the packets themselves, not just summaries, can be captured and inspected across the VPC infrastructure.
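Mirrored traffic does not arrive as the original frames: AWS delivers each mirrored packet to the target encapsulated in VXLAN (UDP port 4789), with the mirror session's virtual network identifier (VNI) in the VXLAN header, and a session can be configured to truncate mirrored packets to a fixed length. Any forensics pipeline that consumes a mirror target therefore has to decapsulate before it can index on the inner addresses and ports. The following Python is an added example written for this article, not FireEye's or AWS's code; it strips the outer Ethernet/IPv4/UDP/VXLAN headers, recovers the VNI and the inner 5-tuple, and flags truncation. The sample frame it parses is constructed inline (addresses, MACs and the VNI 1234 are made up for the example, not taken from any real capture).

```python
"""Decapsulate VXLAN frames as delivered by AWS VPC Traffic Mirroring (example code)."""
import socket
import struct

VXLAN_PORT = 4789   # UDP destination port used for VXLAN encapsulation
ETH_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a header with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(frame: bytes) -> dict:
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype, "payload": frame[14:]}


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header; tolerates packets cut short by mirror-session truncation."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < ihl:
        raise ValueError("bad IPv4 length fields")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "ttl": ttl,
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
        "truncated": total_len > len(pkt),          # declared length exceeds bytes actually captured
        "payload": pkt[ihl:min(total_len, len(pkt))],
    }


def parse_udp(seg: bytes) -> dict:
    if len(seg) < 8:
        raise ValueError("short UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "payload": seg[8:length]}


def parse_vxlan(payload: bytes) -> tuple:
    """VXLAN header: flags(1) reserved(3) VNI(3) reserved(1); the I flag (0x08) marks a valid VNI."""
    if len(payload) < 8:
        raise ValueError("short VXLAN header")
    if not payload[0] & 0x08:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return int.from_bytes(payload[4:7], "big"), payload[8:]


def decapsulate(outer_frame: bytes) -> dict:
    """Strip the mirroring encapsulation and summarize the inner packet."""
    outer_eth = parse_ethernet(outer_frame)
    if outer_eth["type"] != ETH_IPV4:
        raise ValueError("only an IPv4 outer header is handled in this example")
    outer_ip = parse_ipv4(outer_eth["payload"])
    if outer_ip["proto"] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp = parse_udp(outer_ip["payload"])
    if udp["dport"] != VXLAN_PORT:
        raise ValueError("not VXLAN: UDP dport %d" % udp["dport"])
    vni, inner_frame = parse_vxlan(udp["payload"])
    inner_eth = parse_ethernet(inner_frame)
    result = {"vni": vni, "mirror_src": outer_ip["src"], "mirror_target": outer_ip["dst"],
              "inner_frame": inner_frame, "truncated": False}
    if inner_eth["type"] == ETH_IPV4:
        inner_ip = parse_ipv4(inner_eth["payload"])
        result.update(src=inner_ip["src"], dst=inner_ip["dst"], proto=inner_ip["proto"],
                      truncated=inner_ip["truncated"])
        if inner_ip["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(inner_ip["payload"]) >= 4:
            result["sport"], result["dport"] = struct.unpack("!HH", inner_ip["payload"][:4])
    return result


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_sample(vni: int = 1234, packet_length=None) -> bytes:
    """Constructed test input (not a real capture): a TCP SYN 10.0.1.10:51234 -> 10.0.2.20:443,
    mirrored to the hypothetical target 10.0.9.5; packet_length mimics session truncation."""
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1000, 0, 0x50, 0x02, 65535, 0, 0)
    inner = (struct.pack("!6s6sH", bytes.fromhex("0a0000000002"), bytes.fromhex("0a0000000001"), ETH_IPV4)
             + ipv4_header("10.0.1.10", "10.0.2.20", IPPROTO_TCP, len(tcp)) + tcp)
    if packet_length is not None:
        inner = inner[:packet_length]
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vxlan) + len(inner), 0) + vxlan + inner
    outer_ip = ipv4_header("10.0.1.10", "10.0.9.5", IPPROTO_UDP, len(udp)) + udp
    return struct.pack("!6s6sH", bytes.fromhex("0a0000000009"), bytes.fromhex("0a0000000001"), ETH_IPV4) + outer_ip


if __name__ == "__main__":
    print(decapsulate(build_sample()))
    print(decapsulate(build_sample(vni=77, packet_length=40)))
```

The VNI is what ties a captured packet back to the mirror session (and hence the source interface) that produced it, so keep it alongside the inner 5-tuple when indexing. The `truncated` flag matters for forensics: a session configured to mirror only the first N bytes will hand you inner IP headers whose length fields exceed the bytes present, and a parser that trusts those fields will either miss data or misattribute the end of one packet to the next.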

As FireEye announced at our recent Cyber Defense Summit, packets can now be inspected, captured, retained, analyzed and stored in the AWS cloud, bringing additional visibility and security. With this agentless packet capture capability, we are able to give analysts the context they need to understand the threats they are investigating. Combining network visibility with other sources such as logs, endpoint telemetry and traditional NetFlow, SOC analysts and investigators gain a more complete picture of what is happening both on the network and in the cloud.

When investigating alerts and incidents, analysts need to be sure they are looking at all the data traversing the network. They need an investigation tool with rapid search capabilities, answering queries in minutes instead of days. FireEye Network Forensics provides a suite of tools built on extremely fast, lossless packet capture, together with an investigation console designed to get analysts the answers they need quickly. Used in conjunction with FireEye Network Security, organizations can apply FireEye's proprietary detection engines and industry-leading threat intelligence to historical traffic as well as to live traffic.